{"report_id":"c6e8d4ab-57ea-499e-80c6-baa889f91735","version":6,"status":"done","tags":[],"date":"2024-09-27T05:23:54Z","url":{"schema":"http","addr":"github.com/Neo23x0/signature-base/archive/master.zip","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.3","port":0,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-12-07T07:16:25Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"r10.o.lencr.org","ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-06 21:45:11","last_seen":"2024-09-26 18:37:25","alert_count":0,"request_count":4,"received_data":3550,"sent_data":1308,"comment":"","tags":null,"fingerprints":null},{"fqdn":"github.com","ip":{"addr":"140.82.121.3","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"domain_registered":"2007-10-09","domain_rank":1423,"first_seen":"2016-07-13 12:28:22","last_seen":"2024-09-26 20:14:00","alert_count":0,"request_count":1,"received_data":3908,"sent_data":506,"comment":"","tags":null,"fingerprints":null},{"fqdn":"codeload.github.com","ip":{"addr":"140.82.121.9","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"domain_registered":"2007-10-09","domain_rank":62359,"first_seen":"2013-04-18 
13:49:11","last_seen":"2024-09-26 18:37:03","alert_count":1,"request_count":1,"received_data":3929603,"sent_data":518,"comment":"","tags":null,"fingerprints":null},{"fqdn":"r11.o.lencr.org","ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-07 07:43:57","last_seen":"2024-09-26 18:37:24","alert_count":0,"request_count":3,"received_data":2664,"sent_data":981,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"371d71a5a44a0481e55774ad78511670","sha1":"b765576b2804762629f56b89cbd9642b8c4dae03","sha256":"37595927254a7e153b423b3848b2fdc83d2530aaeafed8dc9f6b2c0e8ff76708","sha512":"7e5257219e6d6812c419b46267e6db4bd79ab9dcc418361579a1c1a46a8b7750f69eddb6756a314a3de2e12f0583714b1026d3c83a5572aa94574e2750effe5c","magic":"Zip archive data, at least v1.0 to extract, compression method=store","size":3928906,"url":{"schema":"https","addr":"codeload.github.com/Neo23x0/signature-base/zip/refs/heads/master","fqdn":"codeload.github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.9","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"archive":[{"path":"signature-base-master/.github/workflows/yara-assemble.yml","filename":"yara-assemble.yml","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (602)","size":1334,"md5":"ca59011f565f728fd5ed629e5e21aa96","sha1":"3753864b8e906165ee850f93fa861b5623373e01","sha256":"185751bd3365612aab8a3bcda989756d132e59062545885a53927547fce13b6e","sha512":"1119d305e7089a697cd865f15be83ddcf9fab1740fe2c945a5030ac407fd44a5078672751bb4a925a247cc9e61c81a8a1a78994987792281c5c07d3d17e109d9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/.gitignore","filename":".gitignore","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":168,"md5":"23e8e43cbac7375e0504e9af7a59debd","sha1":"b125027fd9b6f38697b7dc7d039de3596e914463","sha256":"0f08577012f4364590587bff4e660cfc98578cff278e513018619d0ad717e554","sha512":"82cba2982a7b35e3a77146e51efd64f653e6849ad76c1b9ec9c5ac84cce8aeead1d7abf6234a8c07c037b8aa281f107397af148287ddafc6e00528d6d300ccff","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/.travis.yml","filename":".travis.yml","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":244,"md5":"2ecaa9bf3d4888ff5a3ab8de82e84016","sha1":"8f914981227e1e510119bb5af0d68ddd0334a9d1","sha256":"cf9a8b8006f11bf6f69f08f76ac6987f2b76b2240d2db39a42e20997152a658b","sha512":"c8fe724fde9ad7a0a92e86bd6429a47cc4dad53d6c4c88cf89afd29534bc60990b1d2f7545b2328cac3f4629a4aa00f75cee0f18ac54a9b9adea5d6a3a089856","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/.yara-ci.yml","filename":".yara-ci.yml","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":117,"md5":"f1648849722b9603690c6a236f7beab9","sha1":"cac7d63cb32f352f09ff87d23957bfaa8714ff9b","sha256":"4ac691b99d952de043c8a566be60fbb2f1357f2b0dc3d3587b01814e2b90cadf","sha512":"7742b7350cca5883b7d63fce69219093b2514b3c60d35a6f46398d5ec7b700d95f276b57c58c2180078625f6f4c2da396ba0d0cbabb8778d290faded3becc34c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/Code_of_Conduct.md","filename":"Code_of_Conduct.md","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with no line 
terminators","size":37,"md5":"595504f41396af1d281f2c3bc3b171f9","sha1":"a96dff1af9f31665b6b132fe3ef090cb5efc01b6","sha256":"4b41c6f85be99ebec4f18b78beca07d3572b951065cdc3746441d6706bcead56","sha512":"bd91278f5a9276307e8aed2a6898e403e6ab089cc1c0eaa0b0261012208be06495932ea7cd694d52cb41ee95f89778b72679523a90d6cc615dd6f6c63ecbeb12","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/LICENSE","filename":"LICENSE","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1939,"md5":"466ef9c54721c9d829b515cdd5393e23","sha1":"e4bf6e00a55b4b76fd85d113d149e100226c9ba6","sha256":"8a959b2413d0c83ca1b3ce9153076c649abf2e4bbfebbb493fb24c2074a1eb8a","sha512":"9022a534dbcc96848b64ef69fc0ba946ea84641bd32b7868a0fa1ce14353fa83880e4942819d407e3b70d6ea2a49b0d76b53223adcbff083c195588c3d8e4212","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/README.md","filename":"README.md","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"exported SGML document, ASCII text, with very long lines (390)","size":3175,"md5":"5fd9823707149c8f0549d2e32c3b2034","sha1":"fd9824bb08934cfaff00656e65165ed25341e331","sha256":"cdc0e5c2200f455927cf5e33b302b513491beac087cef53b312ea62161d41c72","sha512":"a488b8576b45319f09b9b0227f00953d6fb1ea11d509a318eca0709359d8d6e62a90256ce3b288cec3455ebcf9cd36ad5320ea04945c1f2a00b68378e1d84e93","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/_config.yml","filename":"_config.yml","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with no line 
terminators","size":25,"md5":"932865e374757d33e321eeb2d5e88b6b","sha1":"3a3ae19f881fc23776ba9026e69dee194309a094","sha256":"89500f4d9d2bb727f973ace596b9ea2e58553acd80c41d95c3c2658f45095560","sha512":"e44bf13b24e6d06a320ce7ff9f7e388fc9f985f01ee68f4f65144750aa17af199209448ec337e2d0a5a7290860e7b0db90aeefa1ebf32994e1921e2e85d92147","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/apt_unc2891_tinyshell_slapstick.yar","filename":"apt_unc2891_tinyshell_slapstick.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2659,"md5":"9dddbc8ab1874cff1a7905c96270db88","sha1":"715e8f3a86b73fc067732f6ed206a34b38b84d06","sha256":"1d83f26c3434fed1ccf43a1b833651cc9c695c291fef71f9990255f32dcd70b9","sha512":"9806efb7bfbc9fc0f125919731a13c3210607b41a9a8f51469fec26dc1b03dce96079951989e6b507b6af6d20fa25c65bd87e254a344a75851bcf6a1cbc34271","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/build-rules.py","filename":"build-rules.py","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"Python script, ASCII text executable","size":8530,"md5":"74b84aeeec1fb6041a89283205c91c5d","sha1":"264b9d37c18682b624a1636f3ff79d2132d28995","sha256":"0f9f2f7b2c27a1ab89d49d75e8f9400a3566b6014b0bf092a2424435f2358443","sha512":"0b2c83ba6d99fcd724ebf9c2bc4c8e2d2525b5f269352e8536085e05c500fc22a15f5977a4c4140a01bb541ad31576d55c671bdedf92ecc9f6758d28752dee4f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/iocs/README.txt","filename":"README.txt","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":328,"md5":"e45d596eb974c222497a0aea9bac3ee5","sha1":"8842ec79851f99f1bfcc8dd42727cc45d17b5355","sha256":"880485e705021163ea735c91e9af71be244933d1248e5e7fb78509fd0feeb953","sha512":"3a1537213b5f8f1596a5f986d80feb7a7b6015a751bcbdc45c99e96cca9eb7a363803126dc9cd433cba6cdc16b1f45d6bac4cebb980197d54c1baeb589fa7f0d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/iocs/c2-iocs.txt","filename":"c2-iocs.txt","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":42760,"md5":"48153c4fa0d4c0ba282422b41e39ae54","sha1":"6e2aec54bdc7b7ff078d79215f99ed1df4a26487","sha256":"7a086dd5ca9a3f3fb11118db99aee2e6c3ffa2e7f697ba0a26747d36797c8a6d","sha512":"2b6ef61c0d327394bf660bf52b79906505ae7449c5894d653a68c1df419764f35da6cbf2b3dae6fa2f46f90f21771c04d6ed2e2c51deb899ce818ea32c410619","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"APT 10 / Cloud Hopper malware campaign","trigger":"signature-base-master/iocs/c2-iocs.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-06","description":"APT 10 / Cloud Hopper malware campaign","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html","rule":"APT10_Malware_Sample_Gen","score":"80"}}]}},{"path":"signature-base-master/iocs/filename-iocs.txt","filename":"filename-iocs.txt","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"Unicode text, UTF-8 text, with very long lines 
(314)","size":131414,"md5":"b2b6981d6d14a59dc039f5806ecfb786","sha1":"01c4a8a64c7e2cd1bbccf36f8cd9e5f78b47e76f","sha256":"a04153fb0998843ebe91cfd34444502ee97289bf5b5fd9ea8d6f237405955afc","sha512":"23fc18edff9c1911f9fd596f86828b405c1218012927374997f92169848a4efa00927e00e66a6568862e5d185d8bd758a2582d5c1a00f0271713f483256d5f39","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"String from the ShodowBroker Files Screenshots - Dec 2016","trigger":"signature-base-master/iocs/filename-iocs.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects path of the unix socket created to prevent concurrent executions in Exaramel malware","trigger":"signature-base-master/iocs/filename-iocs.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects path of the unix socket created to prevent concurrent executions in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Socket_Path","score":"80"}}]}},{"path":"signature-base-master/iocs/hash-iocs.txt","filename":"hash-iocs.txt","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"Unicode text, UTF-8 
text","size":1230587,"md5":"b916f02921f08e3fd1e61633c98f61ea","sha1":"2de952fd4ff8aaab7a27d716f90c12259d2b342a","sha256":"34a90828fef15aa88acbd4273c5e2b4370e284fafec87c4a197970301ea8b72d","sha512":"f78f3624d84fc7d6b8acda4b4585a6c8b2bc6f789431e49baace99c88a7f434ba0c91f88522f18df7da64521ff7554c92a62854d6837640145e62080c7eb6e27","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","trigger":"signature-base-master/iocs/hash-iocs.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems) @4nc4p","date":"2015/03/11","description":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","hash":"ff2b50f371eb26f22eb8a2118e9ab0e015081500","reference":"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/","rule":"EquationDrug_HDDSSD_Op"}}]}},{"path":"signature-base-master/iocs/keywords.txt","filename":"keywords.txt","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":584,"md5":"080eb19e508e6f7bcd4281c783e0dbbd","sha1":"1ac345a3654543cbde8d5dc3fdc29c15a69ddc2b","sha256":"220c6a1d01235bf65fcf458dddd35ad5e76e2ab0f0b5093f40bac339137c99cb","sha512":"2be9bdfaefd6ebadea665adb09af831e355c0b02c2d7170a64de3555e37d5738c971b90739244927d615b9a649b9881c0e3c6f62677ef75b930dc2dd2703f74f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/iocs/keywords.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings 
found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}}]}},{"path":"signature-base-master/iocs/otx-hash-iocs.txt","filename":"otx-hash-iocs.txt","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7883795,"md5":"4815f03192a2b69af73fd66b246fab5d","sha1":"2cb798f437857d5e7c6b945d7d984583f01711a7","sha256":"3fd5d237c911c29019dbc879eedfa818bf3d1a5934ed855ad9a83124b8cd5dd9","sha512":"79bf703427ad122241bdb3f26288ef9816a0b656ebe4caa2a87583135f7d19e38886184ba69c16acf99d7948d4d28da478b08a9dba776ef68f8ffa2ecf567400","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/makefile","filename":"makefile","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"makefile script, ASCII text","size":1270,"md5":"2686b9fbff6f01a806dc29abdd46dca6","sha1":"2f0b795f44d0a5b404d16cb8ea514d513a5a57f0","sha256":"09d86a8f27af57b9af2e2f3bd53a2723af5a51e20781e86a5f36a9c1e4b13a19","sha512":"9e587f52caa083715cdcc26bf8cec1801759553b4d16b800990c07dce1dd38dd386b266d87903e9eb4dbc8c009ef01c0f11ecc53f144e773f7b4d282dce6c8b5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/misc/file-type-signatures.txt","filename":"file-type-signatures.txt","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2082,"md5":"4b7f2e6876be946791962bab4a4023c6","sha1":"1f79ea0b4ffe7582409c8b614e9e7b7f0d046fed","sha256":"05e00369bc07176ff731a74c6f9e6004d2bdbfda2efa480cde50e422681f64de","sha512":"91a7b21881c8b62256d54be9f179499c52409860ac8f91e3cd690017807eb7bb202d4d0793a87b7ff8f5b26aa9b28d3b5513e3ff94eb7e05e6d17733b88bcb6a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/sig-base-rules.csv","filename":"sig-base-rules.csv","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (347)","size":615495,"md5":"d475ed019e8ec258d650f8a0be362545","sha1":"fc888374384a2582d15f006dc7952f8bca312783","sha256":"d2992b353090963bdc7065fb00e6e6f3e552d3d17aa6d089ed9871fc271ef7cc","sha512":"631697b4cff29441a559cc796b15d0bf2a81ffb98cc6463858211295d8d745e6c56d42361584fe5e0f3ecc049041419b249c74eec4828a8f71582d0a292166a8","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"String from the ShodowBroker Files Screenshots - Dec 2016","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in 
Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-27","description":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","hash1":"19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Invoke_OSiRis"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems) @4nc4p","date":"2015/03/11","description":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","hash":"ff2b50f371eb26f22eb8a2118e9ab0e015081500","reference":"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/","rule":"EquationDrug_HDDSSD_Op"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file 
readme.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file readme.txt","hash":"a52545ae62ddb0ea52905cbb61d895a51bfe9bcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer_zip_Folder_readme","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt","hash":"c6eeacbe779518ea78b8f7ed5f63fc11","rule":"Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file shankar.php.php.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shankar.php.php.txt","hash":"6eb9db6a3974e511b7951b8f7e7136bb","rule":"shankar_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
STNC.php.php.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file STNC.php.php.txt","hash":"2e56cfd5b5014cbbf1c1e3f082531815","rule":"STNC_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","hash":"6163b30600f1e80d2bb5afaa753490b6","rule":"Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","hash":"06ed0b2398f8096f1bebf092d0526137","rule":"h4ntu_shell__powered_by_tsoi_"}}]}},{"path":"signature-base-master/vendor/yara/airbnb_binaryalert.yar","filename":"airbnb_binaryalert.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":25762,"md5":"62ee0fde275685493cc28ee515cc47db","sha1":"b03951fc41d35e6f0f7876b67aa9bb1078f93c9b","sha256":"30491d350a9ffb0731c2ec4d682e39749f206d931464ecc2b6332b1231894010","sha512":"15f3db2acb361de75d7326a6d4d7ca581be32a771e9928f2700ba658ffbe1c9860e1f8e19b6b24d393218970ffc22bc4c3d43bf23ad73d95791b8469f63584c1","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_aa19_024a.yar","filename":"apt_aa19_024a.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":917,"md5":"4cf3a32cb2b93be356f04e0025bfd6c0","sha1":"e33afc272228567b06fee6e6a62a4f6f970d1236","sha256":"bdf26bde7835be3336f6ac237a4ad051d2f498ff9d3802b2008cbcfec93bf8b2","sha512":"0fcaf548965cf46a8ff4705f9c063170644e2130032e60d7f2c82b0c2548f02ab56aa2684bad339485f9051bc07c9c0a5d3a59cf383f5db36bd10f2443d87106","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_agent_btz.yar","filename":"apt_agent_btz.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4653,"md5":"f2e577141d977809eb610e2ae191665f","sha1":"8ec109ee753800b0ff62d94df15a29d5f0d7fb8d","sha256":"80d496458c0dace2917d0bdc40d1ffc21db78d1d238989056dabe7ac7effa86a","sha512":"1c88701f07f374835fbe428f1bf3c79e651b57ff6260156e948a89dfb23b183108eb45e93fb538bf1d4a078bfe791996b42884af81c449c24fd9828b2dbc3b28","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Turla Agent.BTZ","trigger":"signature-base-master/yara/apt_agent_btz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-06-16","description":"Detects Turla Agent.BTZ","hash1":"c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615","reference":"Internal 
Research","rule":"APT_Turla_Agent_BTZ_Gen_1","score":"80"}}]}},{"path":"signature-base-master/yara/apt_alienspy_rat.yar","filename":"apt_alienspy_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1690,"md5":"31a40ba0a14256f4a53f311f08cb03bb","sha1":"7aae0229f94bfe04e81ae4953e6ae2ce3a433eff","sha256":"9f23ad164c2c802b96dedcf1df3230423fba0d76a1f4b53a1e999cdcb2092644","sha512":"fb49a664c532ed7c1b1415e7983a0567e61836db00b758b415ac35bd590328647838719c01a41b55ae27e13e06c422c61e71c8f8a0e0f17baafeec679f12e1fa","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JavaDropper RAT","trigger":"signature-base-master/yara/apt_alienspy_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.10.2015","description":"Detects JavaDropper RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/JavaDropper","rule":"RAT_JavaDropper"}}]}},{"path":"signature-base-master/yara/apt_apt10.yar","filename":"apt_apt10.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":65418,"md5":"bb26f038a6e7c8dcd21295ec3d098942","sha1":"f33a60826d0821868a332ee739b814eb0a4aa42e","sha256":"c81dbfb56436110d3a900f4b516c4ea722f90bc101dde28e2f49f1818292dbd1","sha512":"dd0d7a1d6723ddb5b44ec540bcec61bd5ec2b424d8fcec7418d00d058d7048812ec92770579d12db05d735e5eff97f805eb4a09173b71b4cd9696de8fc9e6404","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"APT 10 / Cloud Hopper malware 
campaign","trigger":"signature-base-master/yara/apt_apt10.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-06","description":"APT 10 / Cloud Hopper malware campaign","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html","rule":"APT10_Malware_Sample_Gen","score":"80"}}]}},{"path":"signature-base-master/yara/apt_apt10_redleaves.yar","filename":"apt_apt10_redleaves.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2040,"md5":"70d292fa55d5e8975e78ebd7365740fe","sha1":"43f98ddd2e266e98b5765e1141a39a97e8e058c6","sha256":"7096ab3e5ee61ce272158519410c02ffc45c6d38088f5811e3d8cac11a7f1767","sha512":"12b37299469d710e14e264de237b54cf88a3427c16f807cc2824b3d196d5e3914b3ab27ae2b935fe8bdf8980e185ddebac14ac87b8b0c064053f88e01c8e4675","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt12_malware.yar","filename":"apt_apt12_malware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":916,"md5":"d9f5223060ebd3d647fd932338e35e81","sha1":"68842053eea48766392f73bdb4a2eefc29f5b551","sha256":"f98d1e5e6beae814e38eecd7b103152d8c23147da92409e9d1e135077d26e753","sha512":"c3bc1e22b275eaacb27085326e21438eb4d0ed322576af9351dfa4aba270c9f8a33a0edfcd2243695227d31c9002a8e2568005b2038f89a80b6dcef79f8b2392","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt15.yar","filename":"apt_apt15.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":10980,"md5":"7ff37613cab0bf009251e6d54f504cc1","sha1":"7d08c4372ee9ca719f1ad4e8301fedbe02a94cd1","sha256":"83719c007aeb76698997b44add763c01556b6da33d29738ffd0354ddc49c4cd5","sha512":"47af4c6e47783ec36c1c8c0da4c54c1a147fe2f1fa89f34889dd677c02910d2ced6c5c531cb029320fda22f06a2830c77b141b9a5b10dbed16ee254a5b31d299","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Find generic data potentially relating to AP15 tools","trigger":"signature-base-master/yara/apt_apt15.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"David Cannings","description":"Find generic data potentially relating to AP15 tools","rule":"malware_apt15_generic"}}]}},{"path":"signature-base-master/yara/apt_apt17_mal_sep17.yar","filename":"apt_apt17_mal_sep17.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4414,"md5":"beb1b18794192df54eaa75a6c5e1c3f3","sha1":"4ed1a907b2b43a2b891f102a04081696c906ad03","sha256":"7fba4e133e937ea4e95881efe4bef40d959aeaac2eeed14ab40257cf29f17590","sha512":"204929952e5c82123f42be56f7ebfa459c7730af583b017dec1633886218601f3c7dc72c9e54ddc3f08c5d1add1fe479776164b29c5b6772fd3a5348edea9634","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt17_malware.yar","filename":"apt_apt17_malware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1045,"md5":"d162f9b663eb807751e62fa0461b86e7","sha1":"5aeba327f98a6531676ef9e47905adc28c299ce3","sha256":"2a1d5bb8d6ec799a003a505c44f877fce92dbc4d948b6ec20aafc22ade0f558b","sha512":"096d21412d8ac353a397a0a255a6ab29ebd23e73ac8e18b076ff434494bb554b881d19d8efb9c8b0ced4a1e7510a82fa4f62952fe4690fa8efd66d5380665fee","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt19.yar","filename":"apt_apt19.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2902,"md5":"9c8ebb7bde7aeb5742bf00fe0e9e8b45","sha1":"298ccb1caf742313d257a68905f40dfdc5e427c4","sha256":"cc4cb3b369cbf128de38a085bafa02789c142e6e1d469808265bfe644aad0f14","sha512":"770517de669d149d18fede629e47353e31efa593d8e4ad2cf235f904241a23b78a22c4ebfe5c758997c8e49a4c8419613a816acebef3ddaa7d3a2d1dd89d84c1","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_apt19.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/apt_apt19.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Attempts to detect Cobalt Strike based on strings found in BEACON","fingerprint":"e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71","id":"ee756db7-e177-41f0-af99-c44646d334f7","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_ee756db7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}}]}},{"path":"signature-base-master/yara/apt_apt27_hyperbro.yar","filename":"apt_apt27_hyperbro.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":30623,"md5":"c4ee5387005f432bdc9e1ccc319004f1","sha1":"6c787f1f80c116210bb6a9830b04692d9a479fd3","sha256":"285b20dec691b581c792c94e5977accbcca0b8a732833ce74f2dbd5b4abd89ab","sha512":"7bb8d133f5cb4c087b714603481ddda41cc6718dfad59140e7fd8e44eeb77f77956f7e38d69041fcb864e61e8f2ee707b13d00bdb55a30212309bc63fb249865","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"HyperBro Stage 3 C2 path and user agent detection - also tested in memory","trigger":"signature-base-master/yara/apt_apt27_hyperbro.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Marc Stroebel","date":"2022-02-07","description":"HyperBro Stage 3 
C2 path and user agent detection - also tested in memory","hash1":"624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8","license":"https://creativecommons.org/licenses/by-nc/4.0/","reference":"https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27","rule":"HvS_APT27_HyperBro_Stage3_C2"}}]}},{"path":"signature-base-master/yara/apt_apt27_rshell.yar","filename":"apt_apt27_rshell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1895,"md5":"9376404427b901de1369822100239e96","sha1":"214359c2e95f3d19c26e415566b5ec2bb66ad7f6","sha256":"45bb5f02d19183166bba24ff765322d265037cefec17ee8cacf56791ca5230d7","sha512":"ff72e0c4a2e8d019f32686e7f5b8b59ba2a93a17978e9e4d6e7b85dd0262ef5e69937895c062838cd9ef4ed4a331f8c8e1b873f06b27ed903d941dbc5341ce7e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt28.yar","filename":"apt_apt28.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7349,"md5":"fa433543cd28759561003c0b26a1fdef","sha1":"86439201920ecc01f502772eb49d7ba4906f7bd9","sha256":"2bfeefef5c26ebc9f91fa167b9b898db21f461da0b59a633b04925bb5289997a","sha512":"4a1a253be1b9bbba66a184c8ae00455f63bcb31c3e63651de6d6455d4347adee4addae9716451c434181db75b5b21bda27cd1928fae71689d289831bcb9e0f94","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt28_drovorub.yar","filename":"apt_apt28_drovorub.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4763,"md5":"5a15b33d88e68f2a8c726d63a10347b1","sha1":"5318ff9514a2999156134795e10ef83c7d484f42","sha256":"36a2c759e8937ce1ad74799a5e38e6474f35bfac64ce2ce8f3a71c075b88c31a","sha512":"e8f405f21633fb021bec39592deb9b5531a6ffd135072c7340515f8ef21f80a4b52df7415f9d5aa26b2edf01b0d9ad0a53d2788e1c1f04d3dd6b11b0c07f0d55","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based","trigger":"signature-base-master/yara/apt_apt28_drovorub.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NSA / FBI","date":"2020-08-13","description":"Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based","reference":"https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/","rule":"APT_APT28_drovorub_unique_network_comms_strings","score":"75"}}]}},{"path":"signature-base-master/yara/apt_apt29_grizzly_steppe.yar","filename":"apt_apt29_grizzly_steppe.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":12702,"md5":"dac2929aa90c584e5e33e8b58761038d","sha1":"96390ccce837af7f054e4fec99190238fe8cff70","sha256":"c44fb9e32de11306fd0b993ff57d033146e02f783aed7c4ec59f826266a5aea5","sha512":"21b97f999aaf7aaf5ca492ea7af9a5396ef0f054a29fed4d879f042378bc40895f72bc41eff41cdf2af435c485e57002328d618374724e4631fbc5513d3ea313","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_apt29_grizzly_steppe.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-29","description":"Auto-generated rule","hash1":"9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0","hash2":"55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/WVflzO","rule":"GRIZZLY_STEPPE_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/apt_apt29_grizzly_steppe.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic PHP webshell which uses any eval/exec function in the same line with user input","trigger":"signature-base-master/yara/apt_apt29_grizzly_steppe.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic PHP webshell which uses any eval/exec function in the same line with user input","hash":"90c5cc724ec9cf838e4229e5e08955eec4d7bf95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2021-10-29","rule":"webshell_php_generic_eval"}}]}},{"path":"signature-base-master/yara/apt_apt29_nobelium_apr22.yar","filename":"apt_apt29_nobelium_apr22.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1460,"md5":"b0c08ded6c934785821cec7358f97f91","sha1":"1d128f0b7528d3a187443fda28eaa38eb15973b1","sha256":"7ddb5ce74c4cb142f7ef6ab0ca51ff2bbd7f080daa6d4d5b418b28a6e0ea7a3d","sha512":"50a693f2dafec4294718626f44990a494fff9dcd9c1d48b9d60348edcb02998ec6ff3e6b7b4bc01ca7c910787bec3e0fd20a381b986f971c63d95710c88b91a7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","filename":"apt_apt29_nobelium_may21.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":12703,"md5":"668df62d0c9d1cb839e82330e088ba3c","sha1":"bc0ca5509f81a22731e495a5123f132bb33d4ebc","sha256":"a3d9ab1a8509b90c07ba5997df9e13163bcda39c3f01d09e68fccb807ce1f490","sha512":"3173aaf21516e91e1ce7fc494c87bff81a419d16a85a20994ca1c655c2b05d4447e7ecae34992098ba3f72e716fb13866e3665aa125d5c2eca3950670c086542","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-05-25","description":"A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.","hash":"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330","reference":"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/","rule":"APT_APT29_Win_FlipFlop_LDR"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-05-27","description":"The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.","hash":"ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c","reference":"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/","rule":"APT_APT28_Win_FreshFire"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EnvyScout deobfuscator code as used by NOBELIUM group","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-29","description":"Detects EnvyScout deobfuscator code as used by NOBELIUM group","reference":"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/","rule":"APT_APT29_NOBELIUM_JS_EnvyScout_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects NV Link as used by NOBELIUM group","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2021-05-29","description":"Detects NV Link as used by NOBELIUM group","reference":"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/","rule":"APT_APT29_NOBELIUM_LNK_NV_Link_May21_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BoomBox malware as described in APT29 NOBELIUM report","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-27","description":"Detects BoomBox malware as described in APT29 NOBELIUM report","reference":"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/","rule":"APT_APT29_NOBELIUM_BoomBox_May21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects stageless loader as used by APT29 / NOBELIUM","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-29","description":"Detects stageless loader as used by APT29 / NOBELIUM","hash1":"a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf","hash2":"c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78","reference":"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/","rule":"APT_APT29_NOBELIUM_Stageless_Loader_May21_2"}}]}},{"path":"signature-base-master/yara/apt_apt30_backspace.yar","filename":"apt_apt30_backspace.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":47081,"md5":"2877e1e7a90d183ebb06c0e52493fabc","sha1":"84e95f99f1ccb0edd32838aee469a1e333d59627","sha256":"83b163673faff34942f02bc5e853e59bed1b9e67e85b3cf62f595d55632337ba","sha512":"fce5c06ef19e3102c9e7f05afe7ad174625d70ad595440b58e842ccd4e2b2d74844a9769470466faae2f94c954d155e92db9fc7794c18ba37e2f1cb50a511151","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt32.yar","filename":"apt_apt32.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2040,"md5":"3fa67f89d3e98edd8a272a347a15be93","sha1":"4c1fc377ed60784af6ee72018321b51d0f53c48b","sha256":"d7c99fbec3bfb60ed70aa0a59704aeece2a38429e00e85af361151fa85dea790","sha512":"e15082a639276ea95ce70ad8ebd558e0ad071f43a6db662ed894db87e0eb39a2da046062a0b30f38f650f96359c0e4b2faa9f0f8b32ad5a12fb2a930cd8bf1fe","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt34.yar","filename":"apt_apt34.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII text","size":2767,"md5":"8d18276a77676c1ddd536dab0ee4b26d","sha1":"4fde6e01f905df4fe204a52f01b0089f64de95fc","sha256":"3f123991bdee054f047c4a172517997cda71ceda34f19ce05503d17a6c0eb3c3","sha512":"cd81e35d4e350e1a5bcf636c39e1a54aaac8e6e3bf349d55d18f859d4e981146c0bd92563c187c29db51262cca0d33d9831c750e654ecf1942eb4661003d0d55","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects APT 34 malware","trigger":"signature-base-master/yara/apt_apt34.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-07","description":"Detects APT 34 malware","hash1":"f6fa94cc8efea0dbd7d4d4ca4cf85ac6da97ee5cf0c59d16a6aafccd2b9d8b9a","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html","rule":"APT34_Malware_HTA"}}]}},{"path":"signature-base-master/yara/apt_apt37.yar","filename":"apt_apt37.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":872,"md5":"239d6216bfc8edcd303f6401d72aee5e","sha1":"8ffb3e76999217d8b3240649c34c738b851ee3b7","sha256":"de78f343f494345138befb2bb301d712fcf7f6f56e4f5e5802ceb5a3904beba5","sha512":"214d93e9eb2eb09c777a6ef5855b736469f49f3ad0528a05d3487f18b700ddba20cd3c52071c78a534d1a254951cbe3532e5da75d9678337814fc07f510d31fb","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt37_bluelight.yar","filename":"apt_apt37_bluelight.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (755)","size":7228,"md5":"619df67982c6f636288944edc5e6a2d7","sha1":"36a6e4cae5db433c0a0b7967f2a0a55a37eac8b9","sha256":"fce731a04dcff1450bc5df7da50eab81bf08f17379a7dde546020bc8977c7cea","sha512":"152ccf30ff3861cb398fd1e2db1622d7f0ad621b5f3bd8ece35e6f618aa1f0fb5b8a2ddb6a49115b6b614af616318f15f557f4f7d594d4036a0f271318a635df","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"North Korean origin malware which uses a custom Google App for c2 communications.","trigger":"signature-base-master/yara/apt_apt37_bluelight.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-06-21","description":"North Korean origin malware which uses a custom Google App for c2 communications.","hash1":"837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed","license":"See license at 
https://github.com/volexity/threat-intel/LICENSE.txt","reference":"https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/","rule":"APT_MAL_Win_BlueLight_B"}}]}},{"path":"signature-base-master/yara/apt_apt3_bemstour.yar","filename":"apt_apt3_bemstour.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":10523,"md5":"09949c6b9b0b1fff07ff049bc5cf7b6b","sha1":"e3c4afaa7506c9a93d07aca4eb897fa050c41aaa","sha256":"86d8926d959aaba8e76c476d787dc09368f9a827b9f8cfb83f235df35101f0d7","sha512":"b24b9d3342189d3f84064230d8ba85684e69dd20b9efddd4768a93e3f74980728a1f575f015e1efef1e8e0beac5f3ab9ae064c3934660367ab4abab156b0e358","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_apt41.yar","filename":"apt_apt41.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":11888,"md5":"bcdbdc70503cf7e2794091d15677eda9","sha1":"7943c544a9d8267f1c0a4d1df170c0a6118db43e","sha256":"7b7b2973895e875a1b74944fc7c402efcc283cf0a7a46d65029091a0f115965b","sha512":"a3304599640dbc354867285c09934f693aba038333bc88693304a1c08bd8757fcddd5247c05d8c99c83cf586efd7f1905ee243cfad3c1c9f01d07d9bbcc1c61b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Speculoos Backdoor used by APT41","trigger":"signature-base-master/yara/apt_apt41.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-14","description":"Detects Speculoos Backdoor used by 
APT41","hash1":"6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167","hash2":"99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28","reference":"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/","rule":"APT_APT41_CN_ELF_Speculoos_Backdoor","score":"90"}}]}},{"path":"signature-base-master/yara/apt_apt6_malware.yar","filename":"apt_apt6_malware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2179,"md5":"718215659ed2f99b5b0d0bd5362c9201","sha1":"d508f719d72ef37659ea2be732ccae03dc99df60","sha256":"bd327eebfe988fa8fdc2f9d02880fac08dc04c6fddada637f08d90f51e1ee8cd","sha512":"4da7321077fb92a314d5bf51254583f0f731cebd27e878e67bf81231df3052b18f15e2926f6d079fcf66f7ed1a9cb1c1e2e2e6ffc077e1556fcbfca9a010c4a1","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule written for 2 malware samples that communicated to APT6 C2 servers","trigger":"signature-base-master/yara/apt_apt6_malware.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-09","description":"Rule written for 2 malware samples that communicated to APT6 C2 servers","hash1":"321ec239bfa6927d39155ef5f10741ed786219489bbbb1dc8fee66e22f9f8e80","hash2":"7aef130b19d1f940e4c4cee6efe0f190f1402d2e0f741ee605c77518a04cb6d7","modified":"2023-01-06","reference":"https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/","rule":"APT6_Malware_Sample_Gen","score":"80"}}]}},{"path":"signature-base-master/yara/apt_ar18_165a.yar","filename":"apt_ar18_165a.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3145,"md5":"a87fa2c7293a08484a9c0ecea9785c59","sha1":"ebbde1d27132d7158d7fac8c970156589eb7ae20","sha256":"2c456124ab93e6531efca714ee53706a0c31bff77f19e11db0aad1416abc3d16","sha512":"c4b8483c0233e6abbe90f45c87aa255cc894e901833ebd839e1efe9f29a082d84f30210a9582094f9106b6ee2ec17fe53470f3f0c45ff08dd40bc0a491427fdd","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_area1_phishing_diplomacy.yar","filename":"apt_area1_phishing_diplomacy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2257,"md5":"f523f2676931a8f54ccb38f010169062","sha1":"af4ec8dc596ea9d17b2c3cdb9c738b6b0bd8cba8","sha256":"1d46dafebac1a77532669d88e9a8f814b49b087729d12ae46a65eb3ea80ee803","sha512":"5babc9aaf5fa847e21ccfa0a89c4f39d804bc0448a99924716c7694d485942efa6d20cf7ad29c836ab307c4a09983b5d3afb79953b6de0f9aef09301a682013d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_aus_parl_compromise.yar","filename":"apt_aus_parl_compromise.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7619,"md5":"d3c81982cb8bf693afdade34262e0fcf","sha1":"7c95f0ca2629a024192f7dfca9a964e375247fd6","sha256":"089cb0db38080f8e5f00dfac7454f02163d1d07753162b37dbc41858867f2ded","sha512":"67da03ecae036bd81ade4860f3aefd7b6e44d8265a5f7ab353c80d5d9070cc4ce16f0e6bc4a366a043cfa3833849bfa8ae308bd7a871176534547f024e4b5333","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"signature-base-master/yara/apt_aus_parl_compromise.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network 
compromise","hash1":"1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b","hash2":"510375f8142b3651df67d42c3eff8d2d880987c0e057fc75a5583f36de34bf0e","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_LazyCat_LogEraser"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"signature-base-master/yara/apt_aus_parl_compromise.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network compromise","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_PowerKatz_Feb19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"signature-base-master/yara/apt_aus_parl_compromise.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network compromise","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_Unknown_Feb19_1"}}]}},{"path":"signature-base-master/yara/apt_babyshark.yar","filename":"apt_babyshark.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2340,"md5":"7870f39b3a565310423ebd0d8c617c2a","sha1":"2bb75725c015d51eb38ce5c54cd0641838fb38c9","sha256":"e245d8f5c92adaf758c1ce400bc6c836c5b4b0a97654cff03771e0e4d0d93bc0","sha512":"1c036a421b24146eb50ed2b8a92c9b756df7497729d598dc73d0955045ff1e1d516d6a8fa01efbe443133163590194b0ab537f505772170385caf2cd46cddfb6","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_backdoor_ssh_python.yar","filename":"apt_backdoor_ssh_python.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":680,"md5":"ec5380bc70890c24755748e7b44f0c06","sha1":"de08266176e5dc1b0beecf9fc75d98d3c5beed54","sha256":"2227508d808aae7bdd9896cdb2c29cecfc0e07e1e4522a4c8cbd05ab58ec5cff","sha512":"ec8a69c133cacbbfcb6799e75c98a83de7424ccd66238c45ca33ef18437ac1ca0f32127bcfc0f260cce2c52e7e863e15640ec9f58b8af6201f676fe66ed3ede9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Custome SSH backdoor based on python and paramiko - file server.py","trigger":"signature-base-master/yara/apt_backdoor_ssh_python.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-05-14","description":"Custome SSH backdoor based on python and paramiko - file server.py","hash":"0953b6c2181249b94282ca5736471f85d80d41c9","modified":"2022-08-18","reference":"https://goo.gl/S46L3o","rule":"custom_ssh_backdoor_server"}}]}},{"path":"signature-base-master/yara/apt_backdoor_sunburst_fnv1a_experimental.yar","filename":"apt_backdoor_sunburst_fnv1a_experimental.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(400)","size":2806,"md5":"54af49250a677584fd1a2be7f14b27dd","sha1":"e4d31de465fdf54e1eb4b3d53aa5681a20c6207e","sha256":"bfd67059e90271382f9f52df2c30cfe2e3e7e4edec4195318132ae5fdb33547e","sha512":"748757bee8f45cdc06960d4282050711d9562d548da965a0b49b7a69b13edbb63598d685d3d73502af2beeac25ce48dd62772ce6a63206ffbf0dd77ae004d7c5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_backspace.yar","filename":"apt_backspace.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":512,"md5":"eb80ebdd63a69c68e5149002ee08d3ad","sha1":"f08cf81715e8460aa15e134f0152066244929b13","sha256":"39e336215d4b46a3b55bb4ad2d1ec91ca9f4990c32e0f4e95fc2ca5ba19f23b1","sha512":"dc949c5bae286cf55a3908ff00681381673cb0645806bc0a93923f500be0427dff8c62fc0779f301ce07c73469669fa9454a7619f089073feeda8cc5db173222","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_barracuda_esg_unc4841_jun23.yar","filename":"apt_barracuda_esg_unc4841_jun23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":9044,"md5":"a4d69e1642fdc5456618a95a4c53b59e","sha1":"538cdca81690218a166b994785a7cbb10b057f9c","sha256":"551eac2d6ffe02676ddc68bd44864fa116b7a444cedcbdf8ee18f6ca58cc957a","sha512":"00ce35be02e2eac6b6188f0596ed618725eb02d8bc35a2c519fe5541ff05c4e4b722378cd6e2a54a484f570cc4d00a0bb52a4abe8c8ff2ee819d5d54d95cb946","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_beepservice.yar","filename":"apt_beepservice.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1095,"md5":"8c086ad5c99743ea3f23be277737dc96","sha1":"1dac6b881069add337624ff9a299c3d65477eb52","sha256":"2a4810d95fb39c4b54e5c647ef663df4c0bab0cab8704503cebf6ae4c0259eca","sha512":"eda76504478539deb2fe30afa62ce48cb22ed243c8363ceda3e1139c19bfe59b34bc4bcafe84369d03b0ee6b992edfff8b2f97c92867c43ff8fd41311c9f1f04","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_between-hk-and-burma.yar","filename":"apt_between-hk-and-burma.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4429,"md5":"416e7f5b8af2a5f4ed775de3711f43b8","sha1":"2a32f1de37fd667cf3b607ed8238321764a6bfb8","sha256":"45822da6f787d895ac7f7dde8ea50fea1a677031973b0ab70204e7c61234f615","sha512":"9a6746d7ef15d082278c50f859586c80d299da2267658f84d331e983d9ad5fc4911cd0f6979009b9a4683c9d70173f55b6c9a29c4bc4d494ed8655dd01059681","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_bigbang.yar","filename":"apt_bigbang.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2864,"md5":"88e1d7949fab17d03129ca29d5700b3f","sha1":"8361e5d46d0ab22921940a987e7dac69d9060747","sha256":"f326245650edbae8dd0c7cd32958d087ebd0fe5c393ba5006c1b13473e2990ad","sha512":"e01e8e18bb4b73f4e2954483694264b4ac62082bf76fad97913e3409eead2940658e965d03e47169d28a1864f6ab7afb4f15b1e4a6d67961371293a2fdd8c7fa","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_bitter.yar","filename":"apt_bitter.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":856,"md5":"e4fe0e5634f1f3b0b9a64c374ab61e09","sha1":"45055038c92ff8c0d2be958b692c4182b752005f","sha256":"90b07682488b43c6a1972a37c47c6c68e470ed13c117370187450974c3c5ef9e","sha512":"db790e495b6158cb742732870e8a9a8183ba7d3b0092ded687b9f5f81bf8f181603aa9f09a7ef305d8aa774a1bd4cc1156beac06b46a5db0eda2126557c32efd","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_blackenergy.yar","filename":"apt_blackenergy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":8319,"md5":"a4915d2e27d12ac344f73345af3aa2d4","sha1":"5b773f16b793202ac7598cd2fe62d425468b0a01","sha256":"1e1be897a5070c5e25802ad253680166aa8ca7dc4a0e8644ee4717f99b4a6416","sha512":"343489c4380007a073e26a67d3648ec5cca66ef49229d1315ab425753de6e653073cacbba9875743132bf4ee6c822d04e67eef0bac284f10255bb9811968912a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_blackenergy_installer.yar","filename":"apt_blackenergy_installer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (960)","size":1395,"md5":"af6c380b3322d0abfd55f79b4f8d8a8e","sha1":"dd63c255ba927e98f4fb03b06be71ced0e73f95d","sha256":"69436be9ff84ccd2d262802428709c3fe2b5e0547d7b74d194953b8f6ce8d418","sha512":"43ec2b790bf09cd03911abb7087dbd5aea9aca0d2f8cf66226ce9e3a45a0a1e200fe3f3248711498cf034cf0bdd9a50ec4eb2d19847acf547770c028b0280217","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_bluetermite_emdivi.yar","filename":"apt_bluetermite_emdivi.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5547,"md5":"bcdbb7910004f906170d4c26aa13fd90","sha1":"505d36821c50a2f8df301f69adaa0c6841ddf111","sha256":"71e9b60903c6e6d3702b9d008e27342885571ee0a881af048b0108b7483b6c87","sha512":"3c7c124e9fb895d78e4d88feaec0cfdea8049d659c0b63e1cc2e0c3ababb8461dcdaa891ca984442720ab4b785e8c9f0b5d9053125544189b05e81e027cbd354","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_bronze_butler.yar","filename":"apt_bronze_butler.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":8743,"md5":"4f45725e32091293511b9cc542dcff28","sha1":"05288634917f0ee4d06b81d4623a31946430e9eb","sha256":"39f4d6f9c56c44439d59d19ff76d576f04c714cd36cd78d9370df591d8fc9ad9","sha512":"7f0b9517d988b8da513a3a9e6d7c0475b5aaa02c349964c085e4900aacf149feb910ae9b35cfe8edcb32d7c3b728a703fb932f2fb53f342bcdbcc0d778db4037","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_buckeye.yar","filename":"apt_buckeye.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3288,"md5":"1e8d5dd1db6b6850e553ea314e228ae5","sha1":"1ae8f719420bd241047f2c97cbf4a7e34812fb46","sha256":"9dd8f247a5b6be5c60e20f850d500ba3f45dfc42c5a5f8a503b662e82d933d1d","sha512":"71fe64b9334adf603f38cb03400671af1578d7c393b0eb627a9128eb23fdebe947eef8b64a78a43a554afd1517cb641d49569438b7b9aab2c32977930fe7e532","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_camaro_dragon_oct23.yar","filename":"apt_camaro_dragon_oct23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2168,"md5":"699ca55827a90cdd14099f77290c3bac","sha1":"eaf05d0988447239a508e526dae4aba39bc20011","sha256":"1ee352bb38a5abafc1845bbfa0b89fc2e1f7742a9f356ab79192751abebfbfd3","sha512":"9761bc7424d774213fb6d1c031e2957501fb6afedbb980842e3989b9721ebd6f91799c66e7d7cbf84e1c615e44b5d3f563ece1654c1ab1e9bc393a0413ffa2c6","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_candiru.yar","filename":"apt_candiru.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1850,"md5":"d61c3b45bbbcb12ae929b65c5e5af0b9","sha1":"add3b84f263296325078cc947e61d2e2a77ef15e","sha256":"1a298e8d5cd766334da384ab4b06bccec2c8020c3d8dbb68eba159cab755307d","sha512":"a91fe223f582151b8efc87362c32ce8f8c62e72ba179447db93f41bb45c8ee3a0e1b4d58c85cc468c5ac54058df55919fb219c4657dc28072f4f87f61e5cb34f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_carbon_paper_turla.yar","filename":"apt_carbon_paper_turla.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2826,"md5":"5547a5f84ab13222eea2af2bff521de2","sha1":"bbcaf369dfd7240b34a95084672d22533865e470","sha256":"5dbab50a9828df070b2f1a4f59938cd28f100b596d0e06861a9478e96302462b","sha512":"aa70a2ad3257b03479f9f728ea4470f0723b3ad4148fd354f5fce9f0f40c0a86de04016976adf1ae7a6bd856b5d8525896078b2ae57928a51a6d7ee136b6a75f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_casper.yar","filename":"apt_casper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3769,"md5":"24b5efd0b1495565b3d02219851c896b","sha1":"0c5fdcb9b4a701facf83444670ee260ea8ab9779","sha256":"16c089772291dcc2f024a47a8e85216f46929aa8ad768f2cce31336ef59d93a1","sha512":"2e51614865b530d160335ac9b91bb0e42fdef39fe9331794100912a44b917547c9e460d9396711b6ce68d855f854b204d971abbe5bf4a20a8d0197a984ae8a2b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo","trigger":"signature-base-master/yara/apt_casper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/06","description":"Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/VRJNLo","rule":"Casper_Included_Strings","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo","trigger":"signature-base-master/yara/apt_casper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/06","description":"Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/VRJNLo","rule":"Casper_SystemInformation_Output","score":"70"}}]}},{"path":"signature-base-master/yara/apt_cheshirecat.yar","filename":"apt_cheshirecat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4305,"md5":"cdbf68815cc1bb4ba46f731fe974963c","sha1":"7c4e1038455856d1b49a397416e3ebca461747d9","sha256":"85ace8fb1b0421c0eda5c74e7a7543de880475908586c95a7373c091d5cdda08","sha512":"412c826b61f79d7e62ecf291ec3b7f6232858706e6635ec7a63cdae2dcb6c6398677ee90689bd3378a5531fbb911b9408cd73f021a0acc024e121181666cfb65","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_cisco_asa_line_dancer_apr24.yar","filename":"apt_cisco_asa_line_dancer_apr24.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":613,"md5":"3b2dcdfa03f90f8e4b3ca31e2fd271b5","sha1":"9c770201f97d7627accd742e5d5d32af4b6b8825","sha256":"3ae9b04c2cacd959ed5c28bc6ff88db92aba25dd4e05a883b055016907737d08","sha512":"1ce73aa249dd5223125a2c685d14dbde14877802fbc8c93dd6d7f15bfe1fb5da4a2d0398bf40664f887cf66c5f310cbf44d741f9371bbe1f95cabae0b5b530a7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_cloudatlas.yar","filename":"apt_cloudatlas.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1407,"md5":"ba34df95ee7b7da1d415d6b2b253517f","sha1":"e19a4e250a4b84d0eac3fe4dac89923d033e3b90","sha256":"e0a46fca45fe2e7b5f4fbfd0829a264392f2fc707cb7b730743cbf0ca456799c","sha512":"6a5397e6a42c92b3f92c21568231e67c2908b4bedfa34da6c391d7fa680e7aa8b5c77bfcce51d9719fde142759310c63300447d2171a69d22fd9df155bc1ce85","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/apt_cloudatlas.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL 
persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Contains_Shortcut_OtherURIhandlers","score":"35"}}]}},{"path":"signature-base-master/yara/apt_cloudduke.yar","filename":"apt_cloudduke.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2608,"md5":"d6ba11514f674ad821ed6f405f83bbad","sha1":"151e8a293f7d4c00f456c7e5a6ca1f414fcf2ee6","sha256":"4efc19d3e6a076d00a74c82dbbbc6533bf622103a785d64840c1f5c9c6b01905","sha512":"a86cef74af79045f1837970360dffb5a36b37a067a401e8c5ad33bc0eb274211220e294dd2927e06534a2665f2e5cc54d8ed88cea3be9f5c2e19f466449148b6","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_cmstar.yar","filename":"apt_cmstar.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":977,"md5":"935cce46be461371b8068cad3343ea59","sha1":"dfb6ace9d9a11d1e2f5afab5f2ea70e34bf58f29","sha256":"ce41f484a0e3052bf7d0b90313c4cb7f747c9de4d12827c24f6c85afb7bc9ac3","sha512":"6a8c2d53d499b4e6b969e72bcdf35123fb3f396086f8ab3327a71efd8634ec708bf0c20bce0034d564b87333a77e4fa7964577c10130a0b9188e128727507846","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_cn_netfilter.yar","filename":"apt_cn_netfilter.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (1395)","size":5407,"md5":"254caf01adc5820299c697cf3dca88b4","sha1":"a47c713e17156eead9cdba0503b95a8a264364eb","sha256":"1006b9054d120ed96555d773910591d3ebd109baa371663483f9efe4d0c0a75e","sha512":"69f26355e015056cf3332c3c879974c73334e9e87f36ca8c409beee8c57b74dfad8d0698b326c949713917943213e7829466aec940c4cd51af3a56fccb1a8bc9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_cn_pp_zerot.yar","filename":"apt_cn_pp_zerot.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":10626,"md5":"1609e4c969d72dcb3912f2143081ef7d","sha1":"f2410e267c63310e6fd2cf0085c1ad750649d8dd","sha256":"063dc2600d8f5b7094672d65c5a4e6cda34727ee072156e62fec7eec73bbdbcb","sha512":"844b564f0cc54b3b37790bfb7b4e4abbbca8789854c09161828e24951384058f42d236d1fdf6b4608d8d1b5a980f29248c881136ee1ed08275392808bd5006d0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from the Proofpoint CN APT ZeroT incident","trigger":"signature-base-master/yara/apt_cn_pp_zerot.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-03","description":"Detects malware from the Proofpoint CN APT ZeroT incident","hash1":"ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"PP_CN_APT_ZeroT_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from the Proofpoint CN APT ZeroT incident","trigger":"signature-base-master/yara/apt_cn_pp_zerot.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-03","description":"Detects malware from the Proofpoint CN APT ZeroT incident","hash1":"74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"PP_CN_APT_ZeroT_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll","trigger":"signature-base-master/yara/apt_cn_pp_zerot.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll","hash1":"266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"CN_APT_ZeroT_extracted_Mcutil"}}]}},{"path":"signature-base-master/yara/apt_cn_reddelta.yar","filename":"apt_cn_reddelta.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3124,"md5":"38089b0383e03a81d72c6a2ec620d0ad","sha1":"6ba7613118dd41e2ff64d86cf614e5eac295a972","sha256":"a7def6ad6440b09f65c00304b0503a46f29e038e9d70ea975582765cebc2226f","sha512":"1876fe308e22f3298d32b4f519efdf7d0c3c37d0a7e0661407d48b0d31f6a2659538462a3b4eef61192e7a9a4782e8d695543aca685987449c923f1625146b83","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Red Delta samples","trigger":"signature-base-master/yara/apt_cn_reddelta.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-10-14","description":"Detects Red Delta 
samples","hash1":"30b2bbce0ca4cb066721c94a64e2c37b7825dd72fc19c20eb0ab156bea0f8efc","hash2":"42ed73b1d5cc49e09136ec05befabe0860002c97eb94e9bad145e4ea5b8be2e2","hash3":"480a8c883006232361c5812af85de9799b1182f1b52145ccfced4fa21b6daafa","hash4":"7ea7c6406c5a80d3c15511c4d97ec1e45813e9c58431f386710d0486c4898b98","reference":"https://twitter.com/JAMESWT_MHT/status/1316387482708119556","rule":"APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Red Delta samples","trigger":"signature-base-master/yara/apt_cn_reddelta.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-10-14","description":"Detects Red Delta samples","hash1":"260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b","hash2":"9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5","hash3":"b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429","reference":"https://twitter.com/JAMESWT_MHT/status/1316387482708119556","rule":"APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2"}}]}},{"path":"signature-base-master/yara/apt_cn_twisted_panda.yar","filename":"apt_cn_twisted_panda.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":10278,"md5":"7526cfc69bc65a3be0c23abd2cd79c29","sha1":"86f9eaf217d8c0da234d6f09fa4a8ccea2ab5530","sha256":"86180a27056ed3f744172c1df152f3ec843092520681a052a4627f8d60b38c71","sha512":"5a7263afcbab098c418b23b424a36d11383fbf92b212798c28a4e8045a3bc4052eb2fa1693071639f52463f5535a224f8176a6250dadbb57759a7552f4f1feeb","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_cobaltstrike.yar","filename":"apt_cobaltstrike.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5268,"md5":"2edd65bfa780b1a39a8cde439aeea4e6","sha1":"48261574c8fdabe1bcd7a6babd91332fec244caf","sha256":"f6ddb81b698eca5a76336b90e1f340f5ed74cae33f3296bae2ebd669333708b0","sha512":"6da2842aed60f62429b02f624be2d46f3d44bfb1bef658f779d5202927d4efbc4008c51a8b9e4959c2183438f50c256cc85585a02427f7dc7bb2192009eb941f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Identifies strings used in Cobalt Strike Beacon DLL","trigger":"signature-base-master/yara/apt_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Elastic","date":"2021-03-16","description":"Identifies strings used in Cobalt Strike Beacon DLL","reference":"https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures","rule":"HKTL_CobaltStrike_Beacon_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-09-27","alert":"Cobalt Strike Beacon Payload","trigger":"signature-base-master/yara/apt_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"ditekshen, enzo \u0026 Elastic","cape_type":"CobaltStrikeBeacon Payload","description":"Cobalt Strike Beacon Payload","rule":"CobaltStrikeBeacon"}}]}},{"path":"signature-base-master/yara/apt_cobaltstrike_evasive.yar","filename":"apt_cobaltstrike_evasive.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":39159,"md5":"41a83a96bdaf6b60f0fafee950a44c00","sha1":"319f05f270dbef320eaaf80df5d6ef6eae849350","sha256":"4aebf7f8a318c2ef76780f2dbaebf56925d6e101b5545a53e40be77942b98728","sha512":"83dc5213329c180554b26b375283a5ce3f33711e638dbabab4a1c679a954823b809c2b43bf50137dc367d2889973dc26f17b6043da7523e9aa65564008b9b213","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unmodified CobaltStrike beacon DLL","trigger":"signature-base-master/yara/apt_cobaltstrike_evasive.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yara@s3c.za.net","date":"2019-08-16","description":"Detects unmodified CobaltStrike beacon DLL","rule":"CobaltStrike_Unmodifed_Beacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CobaltStrike payloads","trigger":"signature-base-master/yara/apt_cobaltstrike_evasive.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Beacon_Encoded"}}]}},{"path":"signature-base-master/yara/apt_codoso.yar","filename":"apt_codoso.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":16668,"md5":"2ba160fd7eee5c07795f679d7ead7f2a","sha1":"03e6642d47f779c248958e18db4b525eb6d86e3f","sha256":"bf60bfbf97dc4af23ccbe460a377f89a521c14fd28d6b6b014a58ab0dd074641","sha512":"9ff9d83712ad39e447b63ae505c59885ed16407a9199e7f5e9da6fdb9b6231e402d4351a4b23d6848151d709cbcaaaa033f5aab50084e99cbc2e4568799d97f5","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-09-27","alert":"Detects Codoso APT CustomTCP Malware","trigger":"signature-base-master/yara/apt_codoso.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT CustomTCP Malware","hash1":"ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0","hash2":"130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8","hash3":"3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa","hash4":"02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_CustomTCP_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Codoso APT Gh0st Malware","trigger":"signature-base-master/yara/apt_codoso.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT Gh0st Malware","hash":"bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_Gh0st_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Codoso APT Gh0st Malware","trigger":"signature-base-master/yara/apt_codoso.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-01-30","description":"Detects Codoso APT Gh0st Malware","hash1":"5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841","hash2":"7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8","hash3":"d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_Gh0st_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Codoso APT PGV PVID Malware","trigger":"signature-base-master/yara/apt_codoso.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT PGV PVID Malware","hash1":"41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824","hash2":"58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3","hash3":"934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7","hash4":"ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266","hash5":"e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_PGV_PVID_1","super_rule":"1"}}]}},{"path":"signature-base-master/yara/apt_coreimpact_agent.yar","filename":"apt_coreimpact_agent.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":840,"md5":"0356132016052a39fceef1b16af581f9","sha1":"97c748628a827fe29c62a8f56a8d28006079ef71","sha256":"0a37feda0807116e69e609843c0e9302c6cd8497b93171d1ee3334b59687efa0","sha512":"8755cc8a942b878c3f71bb827b568350d097a20fcd28e4d2bd393ac2291b4eeede3dd81846dcce20dc6dea1880ce7639adafb8d473a1ebed084be8e6c21e8cac","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a malware sysdll.exe from the Rocket Kitten APT","trigger":"signature-base-master/yara/apt_coreimpact_agent.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"27.12.2014","description":"Detects a malware sysdll.exe from the Rocket Kitten APT","hash":"f89a4d4ae5cca6d69a5256c96111e707","modified":"2023-01-06","rule":"CoreImpact_sysdll_exe","score":"70"}}]}},{"path":"signature-base-master/yara/apt_danti_svcmondr.yar","filename":"apt_danti_svcmondr.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"data","size":2922,"md5":"df6ddc46ee69ea8677360cf4dd5be37f","sha1":"58a86a0a4f1be1a6b04df050e0fae9102788a43f","sha256":"ecb73d42e2f14afbfadb97710390b41e2875efa68eec41904791ccd611ff8ca0","sha512":"832dc67e50d305e1e794ee796472108efebfa67b9e58d042d8733ebc132f6920d32e3a935f207d3ac831387fee73225a8c16cf5f0bc0f5634aa1ac8e94849332","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects trojan from APT report named http.exe","trigger":"signature-base-master/yara/apt_danti_svcmondr.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-25","description":"Detects trojan from APT report named 
http.exe","hash1":"ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://goo.gl/13Wgy1","rule":"Mal_http_EXE","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a malicious PotPlayer.dll","trigger":"signature-base-master/yara/apt_danti_svcmondr.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-25","description":"Detects a malicious PotPlayer.dll","hash1":"705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/13Wgy1","rule":"Mal_PotPlayer_DLL","score":"70"}}]}},{"path":"signature-base-master/yara/apt_darkcaracal.yar","filename":"apt_darkcaracal.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1257,"md5":"b222cc9f8b6d975d262454ddb8625b4f","sha1":"13a67c4d3c82fbb1a68a05ee5c7f95a60eaaaccc","sha256":"ce43b9c29d94a90f8b0cd1c5e36c5ee6a1a48d3ec5999b197684240d0642e23d","sha512":"be422317882bf2a4970281d1f9cd946eb63619bfa02876a18d7193cfed65bab3fd859a3115b4693a268f4dd35d78382a61b015ed989557904e6d9d3bc8c8b208","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_darkhydrus.yar","filename":"apt_darkhydrus.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(494)","size":4591,"md5":"b353e329ada5fa693e55b967d042f497","sha1":"1d0c1cbbf327b59ebd52e3c425c3ff2a16b47e87","sha256":"63b4c5ce0008b825bf77e53d447c4090d75089eaca3de579db37d030fe8835e7","sha512":"8942244a87bb8adb1f856379c95f1c36d29e6738a9bdcedad0a65936953388dad90202633db10c5ebf9c384a4465ba28c4305236e5435c9b85519feffcec0eb5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_deeppanda.yar","filename":"apt_deeppanda.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3692,"md5":"886729c3007c2b7854b776b6b6221d77","sha1":"8774d6367e39b15569786744d9213faa372c17c5","sha256":"86d6f5ad9ac6d85516a9bb76a8b7a8d0a4f3a244cd3297d45006591ab0e386fe","sha512":"ebe5440d7b69f0533965ff2c7e8d4956b9f29d2815931085a84269c4667ce3ddd667ca6a4f267c696ed4123b8ead57a710a658defa6997ba68dc9d2ba133eed7","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - lot1.tmp-pwdump","trigger":"signature-base-master/yara/apt_deeppanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - lot1.tmp-pwdump","hash":"5d201a0fb0f4a96cefc5f73effb61acff9c818e1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_lot1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - htran-exe","trigger":"signature-base-master/yara/apt_deeppanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - 
htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hacktool","trigger":"signature-base-master/yara/apt_deeppanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Hacktool","rule":"HackTool_Samples","score":"50"}}]}},{"path":"signature-base-master/yara/apt_derusbi.yar","filename":"apt_derusbi.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5200,"md5":"a7541712fa2d95f34fc5985cecc9d313","sha1":"6a6e392526dfe97aa67a3f3837841a40335c26c9","sha256":"00c09951598e2354aea149f3e2bf73e122321556dd67e4d959fdae47ac1864ce","sha512":"74218a07d381633eb54c91a52116555c075159d7741e71a137cd157a39d9658f7b33d99c88f45a0f9a20eaffa840e88ea748d1cd1577d9ffeff48ddafb2329f7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_dnspionage.yar","filename":"apt_dnspionage.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2009,"md5":"adf569c539555a8f62a17b2ce43382dc","sha1":"be8fba11397322015a56cd2b11af297a92757f5f","sha256":"41d23fbf2e6417e9598000d0345ed40a2f67c5ea26a21af62686a32a13634b51","sha512":"5050e373df4e687ff605b58deba2bba2c33eb253d86754cddac0560f392543385afc7e828ab23b125c471deefb5c5ba9e616134a64f37876bb95923d3016f4ea","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_donotteam_ytyframework.yar","filename":"apt_donotteam_ytyframework.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1742,"md5":"787bdb22ecc63683b8705a5f7a202f13","sha1":"34930bd0b0342234aaf76f3e5c32cd4b7536d30a","sha256":"8d5578751e806d51ab48b2b2a9e3399b02f7859fcafc849ff6e7caf91d021405","sha512":"498d1cab856934b63f8adcbd517d8f6d5b81ce8c7aa84aac39fde007cdf161ad65801070f8ae5257f5226657bfeb011f4f92df08a54fa945654b9594f93b2054","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_dragonfly.yar","filename":"apt_dragonfly.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4785,"md5":"0823214d8125022db9be786c3dea226a","sha1":"b060f618553600e0a99d6031a45a922013a97e0d","sha256":"ef213e8bd36f73f43a4cfb22674742f54e73e9209f6d0db257b314b504c555e5","sha512":"25413376af1f853b5880905416a7ff83ce6274dff905f668a867457145c80dd01a45eea4f929abc8900da68e22369287ce4de6ccfd1e87155d7e1cafb9f6ca36","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_dtrack.yar","filename":"apt_dtrack.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2232,"md5":"e71cbf535e1cab99806dd0684143d6d4","sha1":"fee931f8ab76837510ea817c8300f4c56a75c960","sha256":"fa0207020224f97b84bd8de1555ec991ef479983e43b8b23f12ddc147b8a9857","sha512":"0a4376f0accb83fd8dab85ad52b0c125a87f660cdba33d12a3939e4994e8afc13b5a7fec464dc81b3d5ac34891fe900cec9613d49c782afc56f3e9fd84b742d1","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects DTRACK malware","trigger":"signature-base-master/yara/apt_dtrack.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects DTRACK 
malware","hash1":"c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c","hash2":"a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68","hash3":"93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9","hash4":"3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682","hash5":"bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364","hash6":"58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb","hash7":"9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21","rule":"APT_MAL_DTRACK_Oct19_1"}}]}},{"path":"signature-base-master/yara/apt_dubnium.yar","filename":"apt_dubnium.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6961,"md5":"34a0c7869cd3fce490fac7a099306287","sha1":"0c2b7bf8a22ad4b43d8d983bb05796204dada74a","sha256":"f22ee3d864f1a7a0c2a3252e36e6fc66f2f628ff1bc9a6c551380b7776350fff","sha512":"fceb47f904edbca8474b15f8b0553e3cc058eca480a557a83893853f11f319253cfdd63d02060c0cc59568e9180b11477c4ff6fc6e362d97d1b1f43c7ab4c64b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_duqu1_5_modules.yar","filename":"apt_duqu1_5_modules.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":586,"md5":"43d3317ccdd8b28a3fe9d52e5bb3b384","sha1":"8006e79b6859908004b01ad8234d2ec16446294c","sha256":"78fa2c11f85eef81d63035330b3a55757a20728bc6022658ebe08132a42b8858","sha512":"2db345c6d33db42900ee9923914638418e361a18b50c6c10dd6594ceb67f255a6732ca4a79e3a62b546254a570a86210ac545106a16383d606bb4ac559b5a1ac","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_duqu2.yar","filename":"apt_duqu2.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4910,"md5":"64ddde07b0e135bd0b11a738e8bde1fa","sha1":"49e18716ac9c35449ae061f2db9c1882a8132600","sha256":"ece37b7bb86047533fb362cafff59d627c58a322f847c262cddce2408b4c9f05","sha512":"4d064f121af238d1af0cea98a0af95411ddeb742abda60a8bdd9cf50f628c3f8d8c5e0fb594b36012c5d39dadcb362b72f6a64a64133d6bf97ea131d60a3ab1b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_dustman.yar","filename":"apt_dustman.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2004,"md5":"0f138242449e12c607e9c6f9c66ca334","sha1":"d05cf7c654b987b4d1d1bbce33356bf9dad01ec1","sha256":"bd83f1428aea5f185675bafa7214d91e7199ac35ba7384149dc5bf1d00b06e59","sha512":"4fda18b7f58c84a34fea6354b791d7a3c4a5db9ef67c9886ac6a6227f0026834481df62d7052e3cb66e560086a4087621da50241e42d283e4f7aaf12d645ef99","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_emissary.yar","filename":"apt_emissary.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2147,"md5":"0b761d2973de3cacfee0ca6594565aa0","sha1":"f61b2354fa7cfb7add783122c5f1eae616795f67","sha256":"62b981fc31c7a9c5564d5129473e7bd9c63b076fb5f999f6d9d640bf0315f363","sha512":"4bf5455806c144ed90260ccc0b1fabf4bd7b2afbeb4eb3a9f4c1a836072ee237ccad0ff456812a1187593ea2f09c05bca9a99466e9038629bbdb7a5b027c27b2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_eqgrp.yar","filename":"apt_eqgrp.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":82170,"md5":"37cd4b764d393b4820388c018d01987c","sha1":"ed538fd74f1d08d507745e4e0101f89657cfa870","sha256":"c08459e5c299a6964114db796b37f5eaf1f0e7be20c5ca911ff9e15ceb1a2a0d","sha512":"fcc87e0760ef8f870e01ca1847c6290b9cfb0bfa58ac220bb83554f34cacc3d18a818c237d08766207572512a63371321d678ce3fde52ffac412aaca522ce614","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file create_dns_injection.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file create_dns_injection.py","hash1":"488f3cc21db0688d09e13eb85a197a1d37902612c3e302132c84e07bc42b1c32","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_create_dns_injection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file screamingplow.sh","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file screamingplow.sh","hash1":"c7f4104c4607a03a1d27c832e1ebfc6ab252a27a1709015b5f1617b534f0090a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_screamingplow"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file 
MixText.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file MixText.py","hash1":"e4d24e30e6cc3a0aa0032dbbd2b68c60bac216bef524eaf56296430aa05b3795","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_MixText"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file tunnel_state_reader","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file tunnel_state_reader","hash1":"49d48ca1ec741f462fde80da68b64dfa5090855647520d29e345ef563113616c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_tunnel_state_reader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file payload.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file payload.py","hash1":"21bed6d699b1fbde74cbcec93575c9694d5bea832cd191f59eb3e4140e5c5e07","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_payload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file eligiblecandidate.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file eligiblecandidate.py","hash1":"c4567c00734dedf1c875ecbbd56c1561a1610bedb4621d9c8899acec57353d86","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_eligiblecandidate"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BUSURPER-2211-724.exe","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BUSURPER-2211-724.exe","hash1":"d809d6ff23a9eee53d2132d2c13a9ac5d0cb3037c60e229373fc59a4f14bc744","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BUSURPER_2211_724"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file networkProfiler_orderScans.sh","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP 
Toolset Firewall - file networkProfiler_orderScans.sh","hash1":"ea986ddee09352f342ac160e805312e3a901e58d2beddf79cd421443ba8c9898","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_networkProfiler_orderScans"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py","hash1":"4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_epicbanana_2_1_0_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file sniffer_xml2pcap","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file sniffer_xml2pcap","hash1":"f5e5d75cfcd86e5c94b0e6f21bbac886c7e540698b1556d88a83cc58165b8e42","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sniffer_xml2pcap"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file 
BananaAid","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BananaAid","hash1":"7a4fb825e63dc612de81bc83313acf5eccaa7285afc05941ac1fef199279519f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BananaAid"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file config_jp1_UA.pl","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file config_jp1_UA.pl","hash1":"2f50b6e9891e4d7fd24cc467e7f5cfe348f56f6248929fec4bbee42a5001ae56","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_config_jp1_UA"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file userscript.FW","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file userscript.FW","hash1":"5098ff110d1af56115e2c32f332ff6e3973fb7ceccbd317637c9a72a3baa43d7","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_userscript"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BUSURPER-3001-724.exe","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BUSURPER-3001-724.exe","hash1":"6b558a6b8bf3735a869365256f9f2ad2ed75ccaa0eefdc61d6274df4705e978b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BUSURPER_3001_724"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file workit.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file workit.py","hash1":"fb533b4d255b4e6072a4fa2e1794e38a165f9aa66033340c2f4f8fd1da155fac","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"Research","rule":"EQGRP_workit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file tinyhttp_setup.sh","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - 
file tinyhttp_setup.sh","hash1":"3d12c83067a9f40f2f5558d3cf3434bbc9a4c3bb9d66d0e3c0b09b9841c766a0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_tinyhttp_setup"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file EPBA.script","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file EPBA.script","hash1":"53e1af1b410ace0934c152b5df717d8a5a8f5fdd8b9eb329a44d94c39b066ff7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_EPBA"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file jetplow.sh","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file jetplow.sh","hash1":"ee266f84a1a4ccf2e789a73b0a11242223ed6eba6868875b5922aea931a2199c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_jetplow_SH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file 
extrabacon_1.1.0.1.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py","hash1":"59d60835fe200515ece36a6e87e642ee8059a40cb04ba5f4b9cce7374a3e7735","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_extrabacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file sploit.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file sploit.py","hash1":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sploit_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file uninstallPBD.bat","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file uninstallPBD.bat","hash1":"692fdb449f10057a114cf2963000f52ce118d9a40682194838006c66af159bd0","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_uninstallPBD"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BICECREAM-2140","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BICECREAM-2140","hash1":"4842076af9ba49e6dfae21cf39847b4172c06a0bd3d2f1ca6f30622e14b77210","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BICECREAM"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BFLEA-2201.exe","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BFLEA-2201.exe","hash1":"15e8c743770e44314496c5f27b6297c5d7a4af09404c4aa507757e0cc8edc79e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BFLEA_2201"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file StoreFc.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file 
StoreFc.py","hash1":"f155cce4eecff8598243a721389046ae2b6ca8ba6cb7b4ac00fd724601a56108","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_StoreFc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe","hash1":"498fc9f20b938b8111adfa3ca215325f265a08092eefd5300c4168876deb7bf6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BBALL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100","hash1":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash2":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BARPUNCH_BPICKER","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset 
Firewall","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash3":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash4":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash5":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash6":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash7":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","hash8":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen5","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit","hash1":"1214e282ac7258e616ebd76f912d4b2455d1b415b7216823caa3fc0d09045a5f","hash2":"c8a151df7605cb48feb8be2ab43ec965b561d2b6e2a837d645fdf6a6191ab5fe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_pandarock","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BananaUsurper_writeJetPlow","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120","hash1":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash2":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash3":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash4":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset 
Firewall","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash2":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash3":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash4":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash5":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash6":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230","hash1":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash2":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BLIAR_BLIQUER","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files sploit.py, 
sploit.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files sploit.py, sploit.py","hash1":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","hash2":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sploit","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash3":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash4":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash5":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash6":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset 
Firewall","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash3":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash4":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash5":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash6":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash7":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","hash8":"ee3e3487a9582181892e27b4078c5a3cb47bb31fc607634468cc67753f7e61d7","hash9":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files ssh.py, telnet.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files ssh.py, telnet.py","hash1":"630d464b1d08c4dfd0bd50552bee2d6a591fb0b5597ecebaa556a3c3d4e0aa4e","hash2":"07f4c60505f4d5fb5c4a76a8c899d9b63291444a3980d94c06e1d5889ae85482","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_ssh_telnet_29","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - Callback addresses","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Callback addresses","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_callbacks"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - Extrabacon exploit output","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Extrabacon exploit output","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Extrabacon_Output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - Unique strings","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Unique strings","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Unique_Strings"}}]}},{"path":"signature-base-master/yara/apt_eqgrp_apr17.yar","filename":"apt_eqgrp_apr17.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":175720,"md5":"21056e1da85930df04b3d776b1d0bc48","sha1":"eb37bec07f3fec51bc2e59f49f957c311e931daa","sha256":"40767acc209d32ad1d8b16423725efbcaae086dcf26206e58b9895bdce11b3ab","sha512":"213f5907b94e595cbbd75d0cf86df70d5445aac89892d5b96329c48c3d819a8b97706fd893fa346dc3c7ab1361a75a76bfdaf856d1ea12c89499aa1f0121b255","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner","hash1":"8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_Auditcleaner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file elgingamble","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file 
elgingamble","hash1":"0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_elgingamble"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file cmsd","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file cmsd","hash1":"634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_cmsd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5","hash1":"eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ebbshave"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file eggbasket","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file eggbasket","hash1":"b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_eggbasket"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file sambal","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file sambal","hash1":"2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_sambal"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file 
cmsex","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file cmsex","hash1":"2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_cmsex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file DUL","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file DUL","hash1":"24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_DUL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file slugger2","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file 
slugger2","hash1":"a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_slugger2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file ebbisland","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file ebbisland","hash1":"eba07c98c7e960bb6c71dafde85f5da9f74fd61bc87793c87e04b1ae2d77e977","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ebbisland"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file jackpop","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file jackpop","hash1":"0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_jackpop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file parsescan","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file parsescan","hash1":"942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_parsescan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1","hash1":"eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_epoxyresin_v1_0_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool 
leaked by ShadowBrokers- file estopmoonlit","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit","hash1":"707ecc234ed07c16119644742ebf563b319b515bf57fd43b669d3791a1c5e220","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_estopmoonlit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file envoytomato","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file envoytomato","hash1":"9bd001057cc97b81fdf2450be7bf3b34f1941379e588a7173ab7fffca41d4ad5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_envoytomato"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file smash","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file 
smash","hash1":"1dc94b46aaff06d65a3bf724c8701e5f095c1c9c131b65b2f667e11b1f0129a6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_smash"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file ratload","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file ratload","hash1":"4a4a8f2f90529bee081ce2188131bac4e658a374a270007399f80af74c16f398","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ratload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file ys.auto","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file ys.auto","hash1":"a6387307d64778f8d9cfc60382fdcf0627cde886e952b8d73cc61755ed9fde15","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ys"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file estesfox","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file estesfox","hash1":"33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_estesfox"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file scanner","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file scanner","hash1":"dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_scanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","hash1":"9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893","hash2":"0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ftshell_ftshell_v3_10_3_0","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2","hash1":"dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222","hash2":"9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__scanner_scanner_v2_1_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked 
by ShadowBrokers- from files ghost_sparc, ghost_x86","hash1":"d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1","hash2":"82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ghost_sparc_ghost_x86_3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan","hash1":"8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984","hash2":"942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__jparsescan_parsescan_5","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, 
ftshell.v3.10.3.7","hash1":"9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893","hash4":"0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ftshell","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool set","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-09","description":"Equation Group hack tool set","hash1":"3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_noclient_3_3_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EquationGroup Tool - April Leak","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d","hash2":"b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17_Eternalromance","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EquationGroup Tool - April Leak","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5","hash2":"561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e","hash3":"f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b","hash4":"8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EquationGroup Tool - April Leak","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927","hash2":"5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EquationGroup Tool - April Leak","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6","hash2":"c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd","hash3":"9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556","hash4":"c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674","hash5":"5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects output generated by EQGRP scanner.exe","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-17","description":"Detects output generated by EQGRP scanner.exe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal 
Research","rule":"EquationGroup_scanner_output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"String from the ShodowBroker Files Screenshots - Dec 2016","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings derived from the ShadowBroker's leak of Windows tools/exploits","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-08","description":"Detects strings derived from the ShadowBroker's leak of Windows tools/exploits","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message7/","rule":"FVEY_ShadowBrokers_Jan17_Screen_Strings"}}]}},{"path":"signature-base-master/yara/apt_eqgrp_sparc_sbz_apr23.yar","filename":"apt_eqgrp_sparc_sbz_apr23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1943,"md5":"af0e8a69552f432846d224113c635812","sha1":"b7a35743655dc52cfaa1725b06a236170b5adf18","sha256":"a12d55c3170120b4f4828d6741460041e1209e24edbc5b418b34c2be58e556fa","sha512":"aef60b0b887530ff16ab1013f5a231c4a10a672316e133daa3d0990003e4b3c32c00b28de1c0d5f58e7a85a75fcae5897d21bb30485178ce09d6216eb1596c96","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This rule is UNTESTED against a large dataset and is for hunting purposes only.","trigger":"signature-base-master/yara/apt_eqgrp_sparc_sbz_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"netadr, modified by Florian Roth for performance reasons","date":"2023-04-02","description":"This rule is UNTESTED against a large dataset and is for hunting purposes only.","modified":"2023-05-08","reference":"https://netadr.github.io/blog/a-quick-glimpse-sbz/","rule":"SUSP_ELF_SPARC_Hunting_SBZ_UniqueStrings","score":"60"}}]}},{"path":"signature-base-master/yara/apt_eqgrp_triangulation_jun23.yar","filename":"apt_eqgrp_triangulation_jun23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":725,"md5":"5491c68bbd0fc24d8b962ec5774e92a0","sha1":"c716989bfafddb4efb852d4f52c39e1814d43aac","sha256":"28a9969e8defe637ad6e87b73dbfde4776ac80ce54864ff19b7b0cbbcf985830","sha512":"fa18f3e172650c648fce47654e9c2729dca9177f07fcaa5e4a9220b07e62a9c01e06ae8e43892f37efb286dea1b7156e3093f9012f10b40936de16ed4960f907","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_eternalblue_non_wannacry.yar","filename":"apt_eternalblue_non_wannacry.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2808,"md5":"ec69348fcc06e6fd29b4b1bc08bf568a","sha1":"d88fd8bd004beffd2645e44584f7e351214a9c21","sha256":"a22e53f519288f59f641a3d13fdfd23c70b530ca1498a278f1cf79f60714a0fe","sha512":"82fd094b8156d9b36207bde09790c6bb6aaa6a0486c297ec24fa9a4bc65e81d6c492d2c486cee86dc2dcccfbb2d81c2e819adffb9dcce871c7f3c04dea1f14aa","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware Redosdru - file systemHome.exe","trigger":"signature-base-master/yara/apt_eternalblue_non_wannacry.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-04","description":"Detects malware Redosdru - file systemHome.exe","hash1":"4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/OOB3mH","rule":"Backdoor_Redosdru_Jun17"}}]}},{"path":"signature-base-master/yara/apt_exile_rat.yar","filename":"apt_exile_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":928,"md5":"2f24b48c08ba65af6edf0e71509fcdf8","sha1":"289e543277f18eaff29c5dbc41c6663872d8b905","sha256":"7b805a3af04f4e64d924349c44ef28df64c69e19dec7e44166e22ad64b0e158a","sha512":"1b00a35b3446f10d564a90cd70d2af9f72b903c838eea2495702dd897b7d9d305526db16f4dddff3776e18a1f45004aef78bd10837dc526a445c4e49167582f4","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_f5_bigip_expl_payloads.yar","filename":"apt_f5_bigip_expl_payloads.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":892,"md5":"fafe43ec939bf8dbf0bf3adf231a8440","sha1":"cf5aef85d69b70764b57d9414eb16667245aa89b","sha256":"f5dde81962bbe2aae1769fb18a62f68b85369a09c0f828aa0636c68d8f878b05","sha512":"faa53f92142af28ce9c69ec09bdcc183830a040d4f6e32fa74d5c9b1e2e0a38d679d935b53fe3902ec9916d2e9db1bde7ac338674b888b31dc59e3fbde7c71b0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group","trigger":"signature-base-master/yara/apt_f5_bigip_expl_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-07","description":"Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group","reference":"https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/","rule":"MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1","score":"75"}}]}},{"path":"signature-base-master/yara/apt_fakem_backdoor.yar","filename":"apt_fakem_backdoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2027,"md5":"529b94e6928b90742d6128ec1db9fbb8","sha1":"58ddd6932c1511befdcffbaa9f87d0a9d6f97d63","sha256":"5615a594f4f1702a08bda38b3118d89067ee684649f665d64a379f1a9555f9f9","sha512":"25ab1247292977ac9f3d7ec99d793090f50572f488ac1a4a8d564f31e6cd7bdd15a9cc65bbdaea4674c17d4eefb2037a51de2adbd6bb835c8ba83646a89c47d9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_fancybear_computrace_agent.yar","filename":"apt_fancybear_computrace_agent.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":603,"md5":"71d058ead6190765a041cdd60662873c","sha1":"e1f5bce0aa36d9fd7c24587d2f9fed1b1bfad83b","sha256":"905a156814f33a2068ecbe619d3e763ea8a1e015038b470372e3e1703399e7c3","sha512":"10ccd560009a4d16141d25efbbaeaa31e4099d964af9ecbc217f5a7e6d02d90f2d9e0e98d5a867e6f3ce8d532f73925e48cd7719e3e71b2372366514a0680b09","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_fancybear_dnc.yar","filename":"apt_fancybear_dnc.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1520,"md5":"8d5dc9180e33de25c141dad3a222c114","sha1":"722e9ccb389cbec67c0648efb90e404f0dff82a5","sha256":"753ff07fe8f8078a3c8906a09833ee772cf5d72c82ccf521246b233946c4c0f9","sha512":"ce627fbc8efe06799c870fa2cfc78248243a74adce1c44404a5854d19d306bd07e74e35c5d048f2d9645610ed7026a818a260204f3e3130e278ae95a3957ad6e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_fancybear_osxagent.yar","filename":"apt_fancybear_osxagent.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":998,"md5":"a5ca0ca11304791afe1cb2a4237a085a","sha1":"7248af3bbdc3a56d1d2cde304a9b060eccdbccfd","sha256":"d906199b9bdbf8d23428746642039064ffae68c1b80f61858865d1eb680891bd","sha512":"b7262a4c5e617619ae70f100aabed4b382c38603ee8ee292f9d0f84945484a39dc46c6cc65dd99179c218dc7d82debdf1536e3ce86741fe398807ce5d60586b7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_fidelis_phishing_plain_sight.yar","filename":"apt_fidelis_phishing_plain_sight.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1063,"md5":"182027e818541281294bcf4c6dbda554","sha1":"17b48599a408842ac1d8f1f6e359edd1990fc724","sha256":"3fde585dcc56489134420c2bc9449665a0eb9a22475286b51bbf2e8a45a4d1e8","sha512":"f24379cfd0d22556abf5a9467f82ad54a182fde7cc71bc2e25d3835b323428d4be8f1b4b63028e323f8df7412ffdd011c03283d4d40bd744afa55fff5949cffc","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a string found in memory of malware cedt370r(3).exe","trigger":"signature-base-master/yara/apt_fidelis_phishing_plain_sight.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-09","description":"Detects a string found in memory of malware cedt370r(3).exe","reference":"http://goo.gl/ZjJyti","rule":"Fidelis_Advisory_cedt370"}}]}},{"path":"signature-base-master/yara/apt_fin7.yar","filename":"apt_fin7.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":16035,"md5":"42940f152c8b151d27dbfbae2a6da316","sha1":"9264e6e19ce31e8e11224586510dc1a84f3aa047","sha256":"7544b8077a0a8427b707d7ac8a286e3359a2f04cb7c342ca2ae440f35eb2874a","sha512":"e68c18df6e562aaa2a8f9600cea0f2b291bb08c085912493f8e210c34e8ae70d1b19c71e5c6ad0c1672f052d02e5817bb4e3bc2733c5bdc0bb60ba23f6f1e045","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from FIN7 report in August 2018","trigger":"signature-base-master/yara/apt_fin7.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-08-01","description":"Detects strings from FIN7 report in August 
2018","hash1":"b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html","rule":"APT_FIN7_Strings_Aug18_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JavaScript obfuscation as used in MalDocs by FIN7 group","trigger":"signature-base-master/yara/apt_fin7.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-07","description":"Detects JavaScript obfuscation as used in MalDocs by FIN7 group","reference":"https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor","rule":"SUSP_OBFUSC_JS_Sept21_2","score":"65"}}]}},{"path":"signature-base-master/yara/apt_fin7_backdoor.yar","filename":"apt_fin7_backdoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2930,"md5":"e785903ae8660bfab92de01d77749f3d","sha1":"763e131d717392c37237ee3bb83304ff0e89d4a6","sha256":"5bb000fca4cd23b3c00d91601b334b47bd73f20dcd7d1db4ba902111e9edf5b8","sha512":"86b7970f821cabf8157d1797b541af11a62e486ebed698cbb18e91fbe2927f02d6d71025771c51a85d57401ca24cc2f35df7405d5f5bf89a5781c4ff027fe1d2","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Word Dropper from Proofpoint FIN7 Report","trigger":"signature-base-master/yara/apt_fin7_backdoor.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2017-08-04","description":"Detects Word Dropper from Proofpoint FIN7 Report","reference":"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor","rule":"FIN7_Backdoor_Aug17"}}]}},{"path":"signature-base-master/yara/apt_fin8.yar","filename":"apt_fin8.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":751,"md5":"f710f1f0ea22c98656eebe5a010d861e","sha1":"184da0f196ab6a824675728a036df8b14710c4ba","sha256":"2f4aa2cc168f0e22ecc5dc64e2d59fa14a658ccd6ad12cbff298f09536579904","sha512":"3f88a097f932646bb32767e34fc429fe620e86af9c365369d21ba90f1a981baafbe170eaf6cd36797e4a434dabd2224a8fc7d5730c55eb3073f0d462077138ba","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_flame2_orchestrator.yar","filename":"apt_flame2_orchestrator.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2279,"md5":"11f3e953c9cc6858064239624ffa3104","sha1":"54554220e147f38bbe66ba03630e8a58efb87137","sha256":"d54f310931aa859c7022790b0d98ac9c3070eda97b12012605545473fe962c12","sha512":"f755e8f68245147a13e3b8435c9c29d5c36e274c4ea3b0ceb6444fb4d9e489fdf36d96c2a689cb2c101379016f050127e95665057bb4af021856fb44bf34f5b5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_foudre.yar","filename":"apt_foudre.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3754,"md5":"3b4c0c4c0b3dda42897d08828a916e8d","sha1":"5e625cc93c1345d07998fa87c4f6050ef2f2a23e","sha256":"888051eca60245ada90846549c6e209f7eb2ab7f9ae374f5123ad0189a3ebcfe","sha512":"3f6ae69a6577a6c855f9fa4db6e85e6c8a66023ce7ddb9d2c96208abd00f572c031601934e29198bd64fcdf0e4e7b66e1b5445c5eec17b0cf5c368b403cae43d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_four_element_sword.yar","filename":"apt_four_element_sword.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":7190,"md5":"73625fbeab902a983435e833a1f80ff6","sha1":"743fc63487010990c9b1cf4ec4554120c837f924","sha256":"b405dacd786e1ea4ad046a0fd9e0e3abd8e908c59a59d9e91ab3bb4f48e5df45","sha512":"0469a5d1844b1aa53caa9c0f52485b57454ac24b7f8afe7df2e388bcacccf21f7177588e6219a871405548c789ba519a7d0a35aefbe30bd030cb70fc3f6c7bc5","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects FourElementSword Malware","trigger":"signature-base-master/yara/apt_four_element_sword.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-18","description":"Detects FourElementSword Malware","hash":"f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/","rule":"FourElementSword_Config_File"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects FourElementSword Malware","trigger":"signature-base-master/yara/apt_four_element_sword.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-18","description":"Detects FourElementSword Malware","hash":"9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/","rule":"FourElementSword_ElevateDLL_2"}}]}},{"path":"signature-base-master/yara/apt_freemilk.yar","filename":"apt_freemilk.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4533,"md5":"0334aed8dc00110bda582416f2e41a5b","sha1":"37d7de53770733db88fb0e4b382d4b521c03dd1e","sha256":"ba5818c27a026ff45526714a916f1c64c69875ec92fea7474af96cb49cf9a1b6","sha512":"7ab35f5c820492cc4702ed30e1e329e49c8473bdf0010303d370304b12b10e438f2863c46ffd825bb910954d355b29eac3f47a046dd5bdb25437f5e529cc5325","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_fujinama_rat.yar","filename":"apt_fujinama_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":974,"md5":"0892ef8c1a97b4b4cc94239263c94f3d","sha1":"b36292b07ea8918008dd86643c2a16c1181b655a","sha256":"e0b0eed5ae908cad8278e563dda98221bbc7c84e9ef4e60b43575177258610b0","sha512":"29df08c6d4fffb68f4ce414cdca79108f7e1fa1e0c791b72ae154f911a6f1dd731b5c016882252e96567ca6885d4fd6bced40eebb1fce52e0198b9e5b2a68b34","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_furtim.yar","filename":"apt_furtim.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1845,"md5":"70be08f16cf285bbbfe58d881692256e","sha1":"a41fdd96c0dd97e04008939fa46f526de6739231","sha256":"b66a81df8f6c3965c277808416d9ecb1c294443c3ff95b0d8453bbfca21daad2","sha512":"4c9ab0ccc9506e091c936e617cafcb2171eae921859937e92743e9da5aed0ecf0fface81a497c5a14018cf140025e02a977f4c9732e5003584473a1f7d3cc59c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","filename":"apt_fvey_shadowbroker_dec16.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":18456,"md5":"df2b078a315febd553929882437c8aeb","sha1":"4bc002eda3aaf08d0370da7ceab550bad6e34e6b","sha256":"fe83dc1978a85b324c5ba243902938c7be1a5e7ea76b77cbe20c7828c1e5912d","sha512":"d91f1fa30b86c07c0ff398109a312743370b744bdb68e883afcd47953d57dc616a9d8f77889fab23187defc5d48efcc270289be41cc6209d8b751f6a172668fe","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"String from the ShodowBroker Files Screenshots - Dec 2016","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file violetspirit.README","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file violetspirit.README","hash1":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_violetspirit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file 
gr.notes","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file gr.notes","hash1":"b2b60dce7a4cfdddbd3d3f1825f1885728956bae009de3a307342fbdeeafcb79","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_gr_gr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.yellowspirit.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.yellowspirit.COMMON","hash1":"a7c4b718fa92934a9182567288146ffa3312d9f3edc3872478c90e0e2814078c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_yellowspirit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file opscript.se","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file opscript.se","hash1":"275c91531a9ac5a240336714093b6aa146b8d7463cb2780cfeeceaea4c789682","license":"Detection Rule License 
1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_opscript"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.epichero.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.epichero.COMMON","hash1":"679d194c32cbaead7281df9afd17bca536ee9d28df917b422083ae8ed5b5c484","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_epichero"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.elatedmonkey","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.elatedmonkey","hash1":"98ae935dd9515529a34478cb82644828d94a2d273816d50485665535454e37cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file 
user.tool.dubmoat.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.dubmoat.COMMON","hash1":"bcd4ee336050488f5ffeb850d8eaa11eec34d8ba099b370d94d2c83f08a4d881","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_dubmoat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file strifeworld.1","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file strifeworld.1","hash1":"222b00235bf143645ad0d55b2b6839febc5b570e3def00b77699915a7c9cb670","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_strifeworld"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.pork.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file 
user.tool.pork.COMMON","hash1":"9c400aab74e75be8770387d35ca219285e2cedc0c7895225bbe567ce9c9dc078","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_pork"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.ebbisland.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.ebbisland.COMMON","hash1":"390e776ae15fadad2e3825a5e2e06c4f8de6d71813bef42052c7fd8494146222","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_ebbisland"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.elgingamble.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.elgingamble.COMMON","hash1":"4130284727ddef4610d63bfa8330cdafcb6524d3d2e7e8e0cb34fde8864c8118","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_elgingamble"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file README.cup.NOPEN","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file README.cup.NOPEN","hash1":"98aaad31663b89120eb781b25d6f061037aecaeb20cf5e32c36c68f34807e271","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_README_cup"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file oneshot.example","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file oneshot.example","hash1":"a85b260d6a53ceec63ad5f09e1308b158da31062047dc0e4d562d2683a82bf9a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_nopen_oneshot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file 
user.tool.earlyshovel.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.earlyshovel.COMMON","hash1":"504e7a376c21ffbfb375353c5451dc69a35a10d7e2a5d0358f9ce2df34edf256","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_earlyshovel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.envisioncollision.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.envisioncollision.COMMON","hash1":"2f04f078a8f0fdfc864d3d2e37d123f55ecc1d5e401a87eccd0c3846770f9e02","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_envisioncollision"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated 
rule","hash1":"4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de","hash2":"64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7","hash3":"a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON","hash1":"18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728","hash2":"f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated 
rule","hash1":"18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728","hash2":"4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de","hash3":"3fe78949a9f3068db953b475177bcad3c76d16169469afd72791b4312f60cfb3","hash4":"64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7","hash5":"a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619","hash6":"89748906d1c574a75fe030645c7572d7d4145b143025aa74c9b5e2be69df8773","hash7":"f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files violetspirit.README, violetspirit.README","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - from files violetspirit.README, violetspirit.README","hash1":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","hash2":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme4","super_rule":"1"}}]}},{"path":"signature-base-master/yara/apt_fvey_shadowbroker_jan17.yar","filename":"apt_fvey_shadowbroker_jan17.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1642,"md5":"397e3fefc239dc240452ce1fd1ea48b0","sha1":"3d4b25536a1b39e1bbc1d1a9fd453fff66ed4cba","sha256":"9fabbd84859f3d17daeaa68cb143dbdc83779fb5508a42527763653c204499cf","sha512":"790c7fcc67d23dfa437cf45ff3f87593fc70f5f654466488ba69ed2e1ff4c815da693cebe7c774987d5b1f26691e631209e626860caf30709aad112dda79ef1a","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings derived from the ShadowBroker's leak of Windows tools/exploits","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_jan17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-08","description":"Detects strings derived from the ShadowBroker's leak of Windows tools/exploits","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message7/","rule":"FVEY_ShadowBrokers_Jan17_Screen_Strings"}}]}},{"path":"signature-base-master/yara/apt_ghostdragon_gh0st_rat.yar","filename":"apt_ghostdragon_gh0st_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3457,"md5":"f2e49b0c8f65ff62358c3bdf8cef6228","sha1":"70ee5ceb051e68719926c8d9bf78a6423c1ede42","sha256":"7f2b2665d2d00101f4c3537a242ca0a907039e45a2394354b9bd6967480a3a53","sha512":"240fe83a7bbd8078bbbc9d5f262ec4e38ce00ad777c694340268aab523d69cb4ac7fcf8857d05e28936344a887750d535c3955b48ee2b4bb917210ddf2855b86","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon 
Report","trigger":"signature-base-master/yara/apt_ghostdragon_gh0st_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-23","description":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","hash1":"f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197","hash2":"99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2","hash3":"6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df","hash4":"b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/the-ghost-dragon","rule":"GhostDragon_Gh0stRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","trigger":"signature-base-master/yara/apt_ghostdragon_gh0st_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-23","description":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","hash1":"71a52058f6b5cef66302c19169f67cf304507b4454cca83e2c36151da8da1d97","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/the-ghost-dragon","rule":"GhostDragon_Gh0stRAT_Sample2"}}]}},{"path":"signature-base-master/yara/apt_glassRAT.yar","filename":"apt_glassRAT.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2828,"md5":"359b1559dc029b4a455a74fa10a2433f","sha1":"274fd9f7f2a607e5ec4e5d027fd26b3dd2a62cbd","sha256":"b9e7790133306ef9a92808f87e1ff96026bf3e026e79d2b5b7b097d6ec23ab90","sha512":"1dbd82954c8326bb9e092c833482a19f4bf590e94af0b898ae7f6e46544bb3f68c09bbae58562fd426df0ad8d94bbc7287eab7e788ae23c7c4917d3eddf70cef","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_golddragon.yar","filename":"apt_golddragon.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6871,"md5":"7c86bc6091f2a81310f775c5f186e373","sha1":"7456a469e8db925ba00e56c6377cb6ce58621bb0","sha256":"83ce345ea6afb065fc240e939a1e31ade960b635371cb6727d9f8172439cfa91","sha512":"52ac1121583ceb5ebe7cb64514f998ba1e0a8374d6875c52824527159c4161d4aefd78960635f375b665ee83d6a0565973f56d26ed11aaa0d61fe6b4bd397ac1","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects export from Gold Dragon - February 2018","trigger":"signature-base-master/yara/apt_golddragon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-02-03","description":"Detects export from Gold Dragon - February 2018","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/","rule":"GoldDragon_Aux_File","score":"90"}}]}},{"path":"signature-base-master/yara/apt_goldenspy.yar","filename":"apt_goldenspy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":879,"md5":"6eb7735cb20ac73423642106dfb104f5","sha1":"3be2337e293fd71a3ea8bfd621d2f9854f9ba922","sha256":"eaf2046051c2bcf2bd5e0ef4f849cfab5be9f8931aeef92cb604c33b50870f1f","sha512":"f92b161a39f381f5b11e04759804820bd5d2c21d4da960b0a321c5937a16fe576900310ca9cc45ca9b13a3ebcd573f20bf4992727b89ffe7c79edbf91f03f5df","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_greenbug.yar","filename":"apt_greenbug.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7126,"md5":"a07227c25bb2dc1460a9baa0ac150aa1","sha1":"33fffaf5c31f82f6dcd530ff9ab67e0b12e91f2e","sha256":"2a1231de101c9249297b1338b0de1278bda939fc198bac07ffa66ba80d427c42","sha512":"b98865ba387984df21edbed71208fdbd4b0ae17276363bb4491e88b06c409d6cb78f363b3c0aafab0e970282120145bb7ff80e8fcd214f9f2f047ec575691a43","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ISMDoor Backdoor","trigger":"signature-base-master/yara/apt_greenbug.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-25","description":"Detects ISMDoor Backdoor","hash1":"308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f","hash2":"82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/urp4CD","rule":"Greenbug_Malware_4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_greenbug.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian 
Roth (Nextron Systems)","date":"2017-01-25","description":"Auto-generated rule","hash1":"308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f","hash2":"44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49","hash3":"7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c","hash4":"82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://goo.gl/urp4CD","rule":"Greenbug_Malware_5","super_rule":"1"}}]}},{"path":"signature-base-master/yara/apt_greyenergy.yar","filename":"apt_greyenergy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4324,"md5":"b0fb797975ac75562e485c9b187dcf2c","sha1":"b17eab98512396660bd402ff1c8a7d7efbecdff3","sha256":"b9bcf8405953a736beb4ee7a71b47345bb88ddc3a5d54142acebfc927b3c3770","sha512":"a42c189c1b7785eb89027060263667e0b6d7cee8addc95d39e817777a95104952bfe678bd17e05dc980ade787111ce7ba6e363f928f4e3cb5b7b78ad2b196ca9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_grizzlybear_uscert.yar","filename":"apt_grizzlybear_uscert.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (306)","size":76183,"md5":"a0786e6d46706e012608ef8a3f1efafa","sha1":"bb6bfa5304e513ed833673c818f63ca367c2985d","sha256":"a91a66462987899ef0b7ae6efa20009f556e895d0ed23861b23b0f36bc5667a1","sha512":"14d207d4f6d6c45afc76f81996a4ac1776f445544c4d0e28b09c141abd5f821040a3019cb76129a1790e6013617ffa1980ff6fa258a8211837d6ab03186b8c25","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"X-Agent/CHOPSTICK Implant by 
APT28","trigger":"signature-base-master/yara/apt_grizzlybear_uscert.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"X-Agent/CHOPSTICK Implant by APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_3_v1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"BlackEnergy / Voodoo Bear Implant by APT28","trigger":"signature-base-master/yara/apt_grizzlybear_uscert.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"BlackEnergy / Voodoo Bear Implant by APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_4_v9","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Unidentified Implant by APT29","trigger":"signature-base-master/yara/apt_grizzlybear_uscert.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"Unidentified Implant by APT29","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"Unidentified_Malware_Two","score":"85"}}]}},{"path":"signature-base-master/yara/apt_hackingteam_rules.yar","filename":"apt_hackingteam_rules.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3711,"md5":"a9d6a6368664df02cf214a0e063444fc","sha1":"7cefc15dec08d29ff04e6ee2ec8ed1707c4dbbbc","sha256":"7c9cc138ebf1fed63e13b97ba375363a5248ea67c6c58b0ba3d75ed650051b63","sha512":"726bba374f29b7b942b597bd090bfff259ebc436283d96519c183d31ceefe7791dd3dd5d7ffe63ff585ef17b6244ce1fddd74a04d7f2d5d562e12c4747e23c40","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_hafnium.yar","filename":"apt_hafnium.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII text, with very long lines (337)","size":17835,"md5":"445bfd837108456e4ff0207e43144e05","sha1":"cd1b1eaa8970719e921014f5ddcde86a53fd9af3","sha256":"f88c1792e04c4164395a49c088369743101584c7fecd1dc654c34e6d9e14129b","sha512":"a8f6f0c211b01524fc4d3584254e453cab08933405e72dac76b5638e5d4e899dc170af3a7d25aa6fff35bbc4b0a059c76bfa62556d02692b91fd3ca9089ce648","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artefacts found in HAFNIUM intrusions","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects forensic artefacts found in HAFNIUM intrusions","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","rule":"APT_HAFNIUM_Forensic_Artefacts_Mar21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PowerCat hacktool","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects PowerCat 
hacktool","hash1":"c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2","reference":"https://github.com/besimorhino/powercat","rule":"HKTL_PS1_PowerCat_Mar21"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PowerShell Oneliner in Nishang's repository","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-03","description":"Detects PowerShell Oneliner in Nishang's repository","hash1":"2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32","reference":"https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1","rule":"HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"variation on reGeorgtunnel","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-03-01","description":"variation on reGeorgtunnel","hash":"406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928","reference":"https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx","rule":"WEBSHELL_ASPX_reGeorgTunnel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-03-01","description":"The 
SPORTSBALL webshell allows attackers to upload files or execute commands on the system.","hash":"2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a","reference":"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/","rule":"WEBSHELL_ASPX_SportsBall"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Joe Hannon, Microsoft Threat Intelligence Center (MSTIC)","date":"2021-03-05","description":"Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","rule":"WEBSHELL_CVE_2021_27065_Webshells"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CVE-2021-27065 Webshellz","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"CISA Code \u0026 Media Analysis","date":"2021-03-17","description":"Detects CVE-2021-27065 Webshellz","hash":"c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5","reference":"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a","rule":"WEBSHELL_HAFNIUM_CISA_10328929_01"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Chopper like ASPX 
Webshells","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-31","description":"Detects Chopper like ASPX Webshells","hash1":"a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75","reference":"Internal Research","rule":"WEBSHELL_ASPX_FileExplorer_Mar21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Chopper like ASPX Webshells","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-31","description":"Detects Chopper like ASPX Webshells","hash1":"ac44513e5ef93d8cbc17219350682c2246af6d5eb85c1b4302141d94c3b06c90","reference":"Internal Research","rule":"WEBSHELL_ASPX_Chopper_Like_Mar21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user input","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}}]}},{"path":"signature-base-master/yara/apt_hafnium_log_sigs.yar","filename":"apt_hafnium_log_sigs.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, 
with very long lines (909)","size":5949,"md5":"f190c9677ce744f484ec90e1cba4925f","sha1":"806468b603decd12856567e2b8147723cb4c81f1","sha256":"ef85deacab566f4313b3d6d5b51764b8cdb3d49fc1363eb3d65417fcb75ed27b","sha512":"214509dcac44cd924fba11c80c50c1b3c419c76f7891de5b5e903dc005645d38a66bee10221ca432365a3135d123d607d17ed06f12d4827f4bf428cde89822fc","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065","trigger":"signature-base-master/yara/apt_hafnium_log_sigs.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065","reference":"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/","rule":"EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting","trigger":"signature-base-master/yara/apt_hafnium_log_sigs.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-08","description":"Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting","reference":"https://twitter.com/jdferrell3/status/1368626281970024448","rule":"LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity","trigger":"signature-base-master/yara/apt_hafnium_log_sigs.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Zach Stanford - @svch0st, Florian Roth","date":"2021-03-10","description":"Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity","modified":"2021-03-15","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log","reference_2":"https://www.praetorian.com/blog/reproducing-proxylogon-exploit/","rule":"EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts","score":"65"}}]}},{"path":"signature-base-master/yara/apt_ham_tofu_chches.yar","filename":"apt_ham_tofu_chches.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":650,"md5":"1dd37c95081f5b372d9eb9c719f5d8fd","sha1":"9bffc08b962f071470ef0b92484bc12d8e59e0b1","sha256":"6a1778a35ac0e99ebe8a020ed8c6dedace4fac1e8d7db69dfc847793b7c25550","sha512":"f92bd6a3b6d728569ef03c50cf30a9425fa4d1bff81587c59a9e75db07cf161f25ffec3ee9a2a39faa14b05610e09d8d61a2636b027dd53f50145db607128018","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Tofu Trojan","trigger":"signature-base-master/yara/apt_ham_tofu_chches.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance","date":"2017-02-28","description":"Detects Tofu 
Trojan","reference":"https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html","rule":"Tofu_Backdoor"}}]}},{"path":"signature-base-master/yara/apt_hatman.yar","filename":"apt_hatman.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4174,"md5":"18991a795af99297f3931961e6e948cf","sha1":"d0f6c9fecfe9c47292a7bccdc00001cb4d07f857","sha256":"9368dc9be9b46960249c57e5556696a52526037c6da002bc331c819d4782ec6b","sha512":"7eb3dcb43ca8b830c3baac86b51767bc804aac691d7be98a8704963687f389ffb31dd79578ff0ad0988f707076b2e803da1d526b066a6465c92ea2919cc71350","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_hellsing_kaspersky.yar","filename":"apt_hellsing_kaspersky.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4704,"md5":"41b75b29eb3ef266e9046ebefc9d417d","sha1":"ccc83c6b902072b0b098d9a7ec586440c7dac04b","sha256":"8a99528d2f0c408e1b24cbbc208f3852c4f725c5e0cd896256a938fc297a6ffe","sha512":"b42b9262d4ad12b7da2b9a5c410b736353075a3799fdf45c98e0372886f41aa312403853caa916d4c10899e7166c6a15791009e08e6aeef33a63028458ee452d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"detection for Hellsing implants","trigger":"signature-base-master/yara/apt_hellsing_kaspersky.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Costin Raiu, Kaspersky Lab","copyright":"Kaspersky Lab","date":"2015-04-07","description":"detection for Hellsing implants","filetype":"PE","rule":"apt_hellsing_implantstrings","version":"1.0"}}]}},{"path":"signature-base-master/yara/apt_hidden_cobra.yar","filename":"apt_hidden_cobra.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":7578,"md5":"8225a3cf8545872576e60133eb44caef","sha1":"c4d4b611fd09b7469960536567b35a906477cd64","sha256":"9d583a5833e3a5e9516feb40cba0ecb7753d1ad23d90e2a494ccbbd10835db1d","sha512":"b812ca4515a4753168ccdf7ac703c88014a111f220c763f3d8952b40906445f95d399e136897c1822929cc4d821f15a2ac2bf653c681087de8d92da8c3803d6c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects HOPLIGHT malware used by HiddenCobra APT group","trigger":"signature-base-master/yara/apt_hidden_cobra.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-13","description":"Detects HOPLIGHT malware used by HiddenCobra APT group","hash1":"d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39","reference":"https://www.us-cert.gov/ncas/analysis-reports/AR19-100A","rule":"APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1"}}]}},{"path":"signature-base-master/yara/apt_hiddencobra_bankshot.yar","filename":"apt_hiddencobra_bankshot.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4473,"md5":"e4f8c7c1ee0f46e158d13eda9b576b0d","sha1":"7e2212830af0ecebccf4a62296a858456b83e31c","sha256":"c13ff39268a692189f012dc95d09b512849ae8ed954a80ddafc42704d329ced8","sha512":"db9c9080595cb0f16820e6ad3de9a378d5444ee3dee2cf85eb0b8c36082727d3d18621727fce1f64be2277fe56d7b2664570c20c4d2f8603ad46131844cecb21","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_hiddencobra_wiper.yar","filename":"apt_hiddencobra_wiper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(338)","size":1701,"md5":"9f750a9cd63bff765f04af95f5e76c2f","sha1":"d1eb061e4c5c9f9968adf6631082fd7066b8a4e2","sha256":"10f2532dda22034429d8dabc12d1b5bc184961d967f3f2cc8e230fca206f68e5","sha512":"410db08c1683ce56693cb1f552907411da7bab134455aab6696f069111d402b12b78760cc286ba9ee20960cff1a95f09fec7f3bf4d1e13bd502d5618525884ee","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_hizor_rat.yar","filename":"apt_hizor_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1034,"md5":"0fb51d04ca9ac3621deec97bb9e6623e","sha1":"a5fd833d3ffa7daf16f2f43dc21b95ecb335c68a","sha256":"e80ed338fcb94b941beebc7c35faad4224e40800bdcbe8b0535417e0fe20544a","sha512":"49fff3d6121c7d947c0259b093e9868436c721d6e71d4deb1681a20d6ee36f6cf05cab658c8585fcb510f3f189287e3936ce24524129ccf11f195691a226a585","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_hkdoor.yar","filename":"apt_hkdoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3866,"md5":"3a53cf452814260b9612a45af4024b11","sha1":"8d1a5cb0d6e0dc29280133ab19e85870d6869fde","sha256":"d3510bae1d6b18aaf80b1d9ee1f69c0ead86d4eae780e9bc51ee8d2a8a6a6938","sha512":"bb0e846f5bd9433c8a0a80cb2329051ea992bed1d6033bf9c647a8d28e1f4bca548cd1b2c003d3ba6361c13ea37b697fa9ba842dfc81b5bc6a0f0add2e37201d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_iamtheking.yar","filename":"apt_iamtheking.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2514,"md5":"95d2aad80d8b76be6788adac6733c906","sha1":"6daaed40231800152707d0e369841791b32b33a0","sha256":"d39be0115b62151c68da56f7b89a94b21494833c7ba7f4e83e448120bba10b9a","sha512":"3aea6a6aab891c3c1a34d267ed9877be25b676fba80229202a122eb00abbf7d3352c4ce100c1084d87db072c39710e8a69e047add33a25596aa91cf0d5cff219","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_icefog.yar","filename":"apt_icefog.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1125,"md5":"6de4b28ea6da80bef83830f8e99949bb","sha1":"ec0d86153ebe4b853f6c597808ab97f36e76977b","sha256":"77e6cc3e32fdc7fe9b2c6227c0dcd8a98ead262d75f11eeaf5f9b425f7581207","sha512":"ea752a2a8a9ba5084b01d8b5d0fbe87a0d8a8896abb3bd4fb88707146949b123c5b1ff84f49bb3d636d6af1bcb3e716bd6b0c9deb755505340a4970c4055f49a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_indetectables_rat.yar","filename":"apt_indetectables_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2424,"md5":"eca8b6eaed0c6408b273f11784043db8","sha1":"b09e83251f3872c91eea059fd96d2714b3e2f787","sha256":"ff5561cb3e9cfb619949b64daf1f6f74a6e0d6ee072115a67ab754c3e9bba2bc","sha512":"f272674e2562919d67e0e5fa44e52bc820e3fcdc1c3293936b97fe6cac30ac97457e2a20c31a30117bccd8c3acdeda2dde56d858e3f4751fa2211b756196a166","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_industroyer.yar","filename":"apt_industroyer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":6652,"md5":"d6fcd4019887aed86e9d5a504618ef84","sha1":"8cd248fbf869e93686f8cf8c812db892a84212fd","sha256":"c4a78071a467b5623351c02a7fb9ce307afcf87ac2285518939d1f354ea5cb6d","sha512":"bb0754bf137d8a8cdd815415e0e3fc44bdf4af1af7cc92de5b8169d602a6e3a1af2d6489f134e0025717238d617c9d890fc0283132893cc12abb25793c2c738f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Industroyer related custom port scaner output file","trigger":"signature-base-master/yara/apt_industroyer.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-13","description":"Detects Industroyer related custom port scaner output file","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/x81cSy","rule":"Industroyer_Portscan_3_Output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Industroyer related malware","trigger":"signature-base-master/yara/apt_industroyer.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-13","description":"Detects Industroyer related malware","hash1":"7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/x81cSy","rule":"Industroyer_Malware_5"}}]}},{"path":"signature-base-master/yara/apt_inocnation.yar","filename":"apt_inocnation.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(555)","size":2298,"md5":"0259c50d0ad5bf1819f79af1445f781f","sha1":"bab9074c831fdd1c2eaf7b7810905cc41826b9bd","sha256":"86b0797606dff2eb30695c57ff1df45e2c77ed3ed2683278e9822c8792227285","sha512":"ed19ae41571d367f47b4ca62c34bad5d48338f67d055bb21a4c2a09a11188d0910e488466d79b5d9df214e43456daf0266a09808e290899972f3be4904134cb2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_irongate.yar","filename":"apt_irongate.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3131,"md5":"1e1b980617feec8db081415a8e6dc264","sha1":"95433bde65166013a089e1e4a1efa302a12f9047","sha256":"cb94a427347069f5b0ee4ed33534ce1cc1840e55ee9c096f8e1c99cdf0dab382","sha512":"9273c840c3496f15e54c419fdbb48fa90b559a7e6a1e852e24cebcf264a10244d31c4c7d3919d9ab822e9aaebdf916187212a57664a5842ad34787ed96b68621","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects IronGate APT Malware - Step7ProSim DLL","trigger":"signature-base-master/yara/apt_irongate.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-04","description":"Detects IronGate APT Malware - Step7ProSim DLL","hash1":"0539af1a0cc7f231af8f135920a990321529479f6534c3b64e571d490e1514c3","hash2":"fa8400422f3161206814590768fc1a27cf6420fc5d322d52e82899ac9f49e14f","hash3":"5ab1672b15de9bda84298e0bb226265af09b70a9f0b26d6dfb7bdd6cbaed192d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/Mr6M2J","rule":"IronGate_APT_Step7ProSim_Gen","score":"90"}}]}},{"path":"signature-base-master/yara/apt_irontiger.yar","filename":"apt_irontiger.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII 
text","size":6814,"md5":"f4452747ed90bea6c76513ed0d35767a","sha1":"a1b1bcc7a00ff1086be02c6132e050478ef076ed","sha256":"9ab99bfce0bb234c2fd41d939d3ca27fc7ab3abc5b8acfccb2bcf9e3bdd86072","sha512":"a4f5c2d7a6a78e324ed4c16901c606a9da0f05db392ab12249fbf71e534e00bf14b5b0949b0c7624301d2afdd5af486c0d57d291e79a18f3aa5205fe9b31c54c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - htran-exe","trigger":"signature-base-master/yara/apt_irontiger.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Iron Panda malware DnsTunClient - file named.exe","trigger":"signature-base-master/yara/apt_irontiger.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-16","description":"Iron Panda malware DnsTunClient - file named.exe","hash":"a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/E4qia9","rule":"IronPanda_DNSTunClient","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Iron Panda Malware 
Htran","trigger":"signature-base-master/yara/apt_irontiger.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-16","description":"Iron Panda Malware Htran","hash":"7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/E4qia9","rule":"IronPanda_Malware_Htran"}}]}},{"path":"signature-base-master/yara/apt_irontiger_trendmicro.yar","filename":"apt_irontiger_trendmicro.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":8795,"md5":"c5e8305fd01fce4d4a134e393f2a3333","sha1":"637a3f2fa11ad911baadb410736270dee628b79d","sha256":"4ad5e2d32c6be8b89f7493507c7c02342d65b24e1b8a1faa9541eaa9e3a6a74c","sha512":"17b0578d75533cf392ee76983cc8fedf40de2dc9824ca0a0f6b7ce2b15255a37b39e3508c858067d373182b1f788153ad607909304f6c47029a8b77f5d33d693","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"ASPXSpy detection. It might be used by other fraudsters","trigger":"signature-base-master/yara/apt_irontiger_trendmicro.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cyber Safety Solutions, Trend Micro","description":"ASPXSpy detection. 
It might be used by other fraudsters","reference":"http://goo.gl/T5fSJC","rule":"IronTiger_ASPXSpy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Iron Tiger Tool - wmi.vbs detection","trigger":"signature-base-master/yara/apt_irontiger_trendmicro.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cyber Safety Solutions, Trend Micro","description":"Iron Tiger Tool - wmi.vbs detection","reference":"http://goo.gl/T5fSJC","rule":"IronTiger_wmiexec"}}]}},{"path":"signature-base-master/yara/apt_ism_rat.yar","filename":"apt_ism_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":864,"md5":"5f8a4abf1efbe50950c863594230bbcc","sha1":"2a50e3a2287f8ad7d5f648d2c612b774f5aed81f","sha256":"f3467f1309e316cb04f8b726f6bc17f59c0f9fd1b7a83416703d953d4bda44ed","sha512":"142ed55586c34a980c1b4cf0c4a0ba3ee6b5d81257bf92192b95ce25fee9b54b54a5b2fdd1be77bc54f59425ef9b327266c64fe82f5878ffc587b7462ca66a1f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_kaspersky_duqu2.yar","filename":"apt_kaspersky_duqu2.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6850,"md5":"97044e99eae89440f6430fd297ec0900","sha1":"52d9927b9ade312672e42daed26f0f39a83fe959","sha256":"2213cf8c76ff5bc4a32b1928123b28ace8e2dd01a568311f2cf210234cb98a8c","sha512":"bb80a1df4582bde71ca83266a874bc142fd8092637f3f8f5f7687214a15d214e6754875f35cbf5ba796c9c1a8969d1b726655a779fc9c98dad812d3796984364","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ke3chang.yar","filename":"apt_ke3chang.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1830,"md5":"58f39ff193ea639f767c5b21512c6d62","sha1":"65772b04471b67f7df077f8d05c0850ac2450ea8","sha256":"ec3ef0b69139bc3c01d062d38195d451e8dfc3e8407fa27e029546ed043f627c","sha512":"b26a1683818461bb4b1d974b7ca6b8d9bd3ead24c5de001503b06970be94c7c633f499c2883b2caed000d8480c9934432613a46e774fff311f349f3ab845f2cb","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_keyboys.yar","filename":"apt_keyboys.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6999,"md5":"2165fbc72cec6cb221f0eb9e212d0851","sha1":"190d8a5c2762c034f316cec040abdf56bad6daa4","sha256":"57d18942200fb3a79e24cb5f5354a3d317688b9fbe725103198480ce8813d5f2","sha512":"db79eb43a653bbc132b84c78b1e2fc3b714f73139f30fa749a09b39209eea57784b25a6e29d31564ff602d8a9e8ac07cbbfcf51d07a2ce2b58ad4ac48f1c3e15","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_keylogger_cn.yar","filename":"apt_keylogger_cn.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1286,"md5":"09606451c6f8a60ee33e289e0cc7ae8e","sha1":"d451768dfe5e723a1ccf8d2d43a9c9f7d1da1ef7","sha256":"c519a53c2ab67a572bef705b70e4d2181bccccd2f69697f70cbdb0f2e0ab9641","sha512":"2c03db414eeda02994d948e7a630b8a22fdd68255e3207a61cb9bbfe58503f0da67820390e05d5f273ecb156ba5ea3b1222f41d3c13a1d5fde671eb58fb4fff3","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Keylogger - generic rule for a Chinese variant","trigger":"signature-base-master/yara/apt_keylogger_cn.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Keylogger - generic rule for a Chinese variant","hash":"3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7","license":"Detection Rule 
License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Keylogger_CN_APT","score":"75"}}]}},{"path":"signature-base-master/yara/apt_khrat.yar","filename":"apt_khrat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3035,"md5":"a28678cd26486c1834f608ce1d13af44","sha1":"cff4e0dbad99f671c7d32a8902ea5f8e079b6b51","sha256":"1a75bfa1559f542e14aae79b9ab55a7370fd346e01dc1eb787a43e6e2e3af370","sha512":"74083360efee53d387b5f1b95907c7f3765d451701f255abc948eaf3dbf7a9e744e8ac29ef75a41846d5cf73932c2b3694a217a4deec684ecffde0e1c737e365","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_korplug_fast.yar","filename":"apt_korplug_fast.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":987,"md5":"96e1cb5999c3a51ec82f2fbccc1abf9a","sha1":"31713a9f590112a171db84377bff8654e25a056d","sha256":"f6d2ea55a15c516b889debfe0c1e8f08f003f0cd4bb4169bb5d2cf7718523b43","sha512":"0f93ef21f4f355b9e8c9f6e2a22f887e812fda3414c5e96a7a44cba35474af380768004379022bf30d504aff12392cc8bae770c57300fb9087b4cdf49c5b0fb3","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_kwampirs.yar","filename":"apt_kwampirs.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3289,"md5":"0a62fb0d66815b3cc0c3cd1f52191b9d","sha1":"b1e555d64f02578e38ad5362af9e134d105e5810","sha256":"24b5014ab701f70485f9eb6533a2e3883d3d7b797c01627ec0aca19279bf03a8","sha512":"a8bd05368163ecb1d65b345e46cb266225ddc9ca471469a37533cc9782d12e6f48530d93ba85692ccc777e869c2c28caafdaed6dc16e32594cbf3e9fc3b8a93d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_laudanum_webshells.yar","filename":"apt_laudanum_webshells.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII 
text","size":15783,"md5":"24e7e12b92ff20644cc09e4f013e9153","sha1":"0f0d178c48508c359d4a35f373d8e4d1c4f253c2","sha256":"ab895af093afec02cb46582fc06fab320427759dbc43aeefea60499ed28d62cc","sha512":"7bd2d354fd65b41e6f0af64f373def48adfa88bbe92d277bd15fc7d8e27ae97333d69407108583e641a93210c6a24f48283a68b69f09046f9897b2734240206f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Laudanum Injector Tools - file shell.php","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-22","description":"Laudanum Injector Tools - file shell.php","hash":"dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://laudanum.inguardians.com/","rule":"php_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Laudanum Injector Tools","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-22","description":"Laudanum Injector 
Tools","hash0":"076aa781a004ecb2bf545357fd36dcbafdd68b1a","hash1":"885e1783b07c73e7d47d3283be303c9719419b92","hash10":"5570d10244d90ef53b74e2ac287fc657e38200f0","hash11":"42bcb491a11b4703c125daf1747cf2a40a1b36f3","hash12":"83e4eaaa2cf6898d7f83ab80158b64b1d48096f4","hash13":"dec7ea322898690a7f91db9377f035ad7072b8d7","hash14":"a2272b8a4221c6cc373915f0cc555fe55d65ac4d","hash15":"588739b9e4ef2dbb0b4cf630b73295d8134cc801","hash16":"43320dc23fb2ed26b882512e7c0bfdc64e2c1849","hash2":"01d5d16d876c55d77e094ce2b9c237de43b21a16","hash3":"7421d33e8007c92c8642a36cba7351c7f95a4335","hash4":"f49291aef9165ee4904d2d8c3cf5a6515ca0794f","hash5":"c0dee56ee68719d5ec39e773621ffe40b144fda5","hash6":"f32b9c2cc3a61fa326e9caebce28ef94a7a00c9a","hash7":"dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6","hash8":"fd498c8b195967db01f68776ff5e36a06c9dfbfe","hash9":"b50ae35fcf767466f6ca25984cc008b7629676b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://laudanum.inguardians.com/","rule":"Laudanum_Tools_Generic","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. 
restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"JSP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/09","description":"JSP Webshells which contain unique strings, lousy rule for low hanging fruits. 
Most are catched by other rules in here but maybe these catch different versions.","hash":"06b42d4707e7326aff402ecbb585884863c6351a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_by_string"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from files Dive Shell 1.0","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/04/06","description":"PHP Webshells Github Archive - from files Dive Shell 1.0","hash0":"3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b","hash1":"2558e728184b8efcdb57cfab918d95b06d45de04","hash2":"203a8021192531d454efbc98a3bbb8cabe09c85c","hash3":"b79709eb7801a28d02919c41cc75ac695884db27","modified":"2022-12-06","rule":"WebShell_Generic_PHP_1","score":"70","super_rule":"1"}}]}},{"path":"signature-base-master/yara/apt_lazarus_applejeus.yar","filename":"apt_lazarus_applejeus.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3908,"md5":"e701f5e820958f54a007e48f04850d86","sha1":"f86209457d33aaeaadec35ede77e6fe02bf536ce","sha256":"42abb5602d0df0854e132826635489834b02104e95e51ec84b6cbbdfbbfe11b9","sha512":"f4776f4a44817a5599aacbfe8022ae8f0a46261acd1079519007eb65ed1794f01c477f8ca18af76801df1b5e61664c78d6c597b5f885316895f5ebbcc12c993d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_lazarus_aug20.yar","filename":"apt_lazarus_aug20.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1716,"md5":"feeebb189fce8e64ecb22f8c084f7549","sha1":"bca3b1076063e86d1c9d4031c96d71aa017eff10","sha256":"725326e5dc19a87011d4446bbf7797f3553c63608ace4f1b68d3d2177c6129ee","sha512":"50ff73c6d120ff4dfdc92bdc1d0bc5fc2abab855996be8dcbf1ca1b3ce4da8a664a5b4ae18436cf9725ca74491a4dd9c9bd5667468da3783b80cfedd7d3ec324","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_lazarus_dec17.yar","filename":"apt_lazarus_dec17.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3961,"md5":"4234420eb844cd66214db1b013a72db8","sha1":"94828c5e1aba027581e2854f31f64c69577d993f","sha256":"0311cd0d40ce532c52cb2017d990971ae7e268b0ad0ec88f102f6bffe38e2302","sha512":"fa8bb3411452fe179681a2eba984446fd965dce8de95f042cb774fba92f8ee433007ef34f53e5b8e94f118f6b4293fe1d0fd99612c0e3375fa9c576377d87080","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Lazarus malware from incident in Dec 2017","trigger":"signature-base-master/yara/apt_lazarus_dec17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-20","description":"Detects Lazarus malware from incident in Dec 2017","hash1":"db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8U6fY2","rule":"Lazarus_Dec_17_5"}}]}},{"path":"signature-base-master/yara/apt_lazarus_dec20.yar","filename":"apt_lazarus_dec20.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":12001,"md5":"0ace9d15a844f1771d2813abb5504568","sha1":"462b2a2cc9e2e94e91c591cbcf85901363d187ef","sha256":"697b1d04ad63ba19cc3186e50aa6c543be615bcfcd85e17496a02c396d5263f2","sha512":"c3b8f8dc19c9b8a90de7ae6c5821f1d8c016c3b883531edde2b5917c8535d8590d7633ca35f7410f45f16022d5847e900a3db8251f37e4df04ee0e8dbe0f4d13","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_lazarus_gopuram.yar","filename":"apt_lazarus_gopuram.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":807,"md5":"20c98f607ffd30dd3f7ae45e6cec0772","sha1":"178ddc90025a6fc8d5d79ad814be9ef019b565e1","sha256":"1c8402c10cdfaa79b42447a14d65ee4fffebcd9a213c9d1b174270eaad2edce1","sha512":"a59030136e912fc38d18f75017fff683bd08284e6488bf0f8517ef610d23b5ba371ed09d30b5e9c5614c76b18bbb1771f1c82ebb106ca49075eba2ca6cf4cfc7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_lazarus_jan21.yar","filename":"apt_lazarus_jan21.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1169,"md5":"f7318c9de900fb01cc4794d6cf33fb64","sha1":"20d851e721f647b0567f3e1acaffd0584c939d41","sha256":"3a2ad3a0a7a0fc5403a1af29a1aa2633b7277a785d38b4cf1e90f7a1e3401b61","sha512":"2f4d298b33cc8f2954ad32ba48e4fb5bbdf29ed5b90856f5c5433f478531ab54c541ed1b7c9d37ae875fc92b20d8d819c36eccce02736ec6534f677ca8202f37","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_lazarus_jun18.yar","filename":"apt_lazarus_jun18.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3549,"md5":"a77e59e994058a0ac088259dd949be11","sha1":"cf2fc62c13cd5dfa94838f1d03c44df19d56f050","sha256":"075e18e786c88e7533ebe5e789db24c5a5c6e799d51d7ad9b621754f60400c8f","sha512":"9b4460352a462a9e23fb309e2d09a50153dfc6ccb9cdce06914e08cc4cd5bed834f928d953e9d0c78325d8f7961899bb7180b9f502c840c3a30a9daa5c64d794","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_lazarus_vhd_ransomware.yar","filename":"apt_lazarus_vhd_ransomware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1799,"md5":"e5ce352f6218abccb52d64b4c01edc82","sha1":"4e2abbde214329ffb0dfbeddec12fba5117626b6","sha256":"d3105bd218c9c701dfc7fabbb6e163b55651ee9a401bc43a9b068c252c396e9d","sha512":"d0d998e6236fc03a7b7f718c9b291607f319dcd4d890a6c22427de34710be272ebea4d9feba080d2358e1a8444d5ce0ca9f819d60fb29df189dcbe169ba99728","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_leviathan.yar","filename":"apt_leviathan.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII text","size":4130,"md5":"9cecc251f591eb8af348d9fe86606550","sha1":"4c96f139697994b5a140aec29354e085ca05ba28","sha256":"07c23fb8dbdc64e54f7c5bd88726345528e2d85c663600cc699c6cdb8af3e1c4","sha512":"7e556aacaf864125f05f743a2713e88740b800cb4bccdb04afc3fd5bc011d71cccb1fd7484be779d6b95edd135a854e644f1d61eb84f2bfa8bc31a1c15f9e76f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_leviathan.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted 
Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.","trigger":"signature-base-master/yara/apt_leviathan.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-12-01","description":"Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.","fingerprint":"6c78cbc1250afb36970d87d8ee2fe8409f57c9d34251d6e3908454e6643f92e3","first_imported":"2021-12-30","id":"3xg5wneq3ZntsMg61ltshS","last_modified":"2021-12-30","rule":"MalScript_Tricks","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/apt_leviathan.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Attempts to detect Cobalt Strike based on strings found in 
BEACON","fingerprint":"e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71","id":"ee756db7-e177-41f0-af99-c44646d334f7","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_ee756db7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}}]}},{"path":"signature-base-master/yara/apt_lnx_kobalos.yar","filename":"apt_lnx_kobalos.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3357,"md5":"099b7723176d862f8a38d5d9bec638d2","sha1":"49efb519249e14423b9a6a00efbc4dd108fefa53","sha256":"35402caeeca7e3d772387d01f2673e51f8f1ad18ab17cc351ba797ad277b2563","sha512":"a941d9ac2aa8e6f497c4e9c10206bd7479510f557411bead1359e8a9c57a7d92f0d3678ae64470fc170c4cf9a275373d1f2129f3bba573daac5a8295f95f4588","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_lnx_linadoor_rootkit.yar","filename":"apt_lnx_linadoor_rootkit.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1643,"md5":"ad6127ca92fb5e860ba70d8e162fd962","sha1":"e1967ed5ff85c69a8aa80b5cde78fff63c800b56","sha256":"67b7f8a00211018a51e663bc770e3832d98cc3e1f9067d725caaba955e426ba0","sha512":"a8eda9fcd395a3cf09a1b8cd79bac60c295156453717d68252621ebee41ee39c8c85fc18ccaea4e102b8771123cefd8215c75dce8d58a949a797ad408b922de6","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects LinaDoor Linux Rootkit","trigger":"signature-base-master/yara/apt_lnx_linadoor_rootkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-05-19","description":"Detects LinaDoor Linux 
Rootkit","hash1":"25ff1efe36eb15f8e19411886217d4c9ec30b42dca072b1bf22f041a04049cd9","hash2":"4792e22d4c9996af1cb58ed54fee921a7a9fdd19f7a5e7f268b6793cdd1ab4e7","hash3":"9067230a0be61347c0cf5c676580fc4f7c8580fc87c932078ad0c3f425300fb7","hash4":"940b79dc25d1988dabd643e879d18e5e47e25d0bb61c1f382f9c7a6c545bfcff","hash5":"a1df5b7e4181c8c1c39de976bbf6601a91cde23134deda25703bc6d9cb499044","hash6":"c4eea99658cd82d48aaddaec4781ce0c893de42b33376b6c60a949008a3efb27","hash7":"c5651add0c7db3bbfe0bbffe4eafe9cd5aa254d99be7e3404a2054d6e07d20e7","modified":"2023-05-16","reference":"Internal Research","rule":"MAL_LNX_LinaDoor_Rootkit_May22","score":"85"}}]}},{"path":"signature-base-master/yara/apt_lotusblossom_elise.yar","filename":"apt_lotusblossom_elise.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1140,"md5":"c984ad471874246b49061c8dd0a8e03f","sha1":"484ff75d50841d751929c2d3049676af52ccf3df","sha256":"851b0357ac55b77f4ac7194d9229289f19c723010ee05d51955718f3cf6da0e8","sha512":"50b4ff8a2d6e211694a051efbab4070d9794582a457fb5084f5f7089e5dff9b5ffeae2c4b57f6b0260002619191990a31f19762901d4749df34925857d14636a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_magichound.yar","filename":"apt_magichound.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2210,"md5":"828415aff2361fe245e40821e9b6530f","sha1":"44175c27212874613cef9ca13721d0b8b148f6c0","sha256":"358d543a19294cfdf968fddfb91cbb56d0f6b55956e2fff81a70a84ef2774b1f","sha512":"f724d553c650f3d578bf00a07f6b972fdaacce754ffe326fbd9f0e01c0b3486ca9a638acace6f9b3712cea4bd82a6025d5da66f700f449c90951a4841502b980","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pupy 
RAT","trigger":"signature-base-master/yara/apt_magichound.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-17","description":"Detects Pupy RAT","hash1":"8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations","rule":"APT_PupyRAT_PY"}}]}},{"path":"signature-base-master/yara/apt_mal_gopuram_apr23.yar","filename":"apt_mal_gopuram_apr23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (342)","size":4638,"md5":"77d630b2977e73c4de4cdb3f13fd41f4","sha1":"1daf7a2ac8b1a8e65c22eabc05303db2f0c758c2","sha256":"146ffd982c6b04f664084d8942b700752215a54dd14d7d78e3641ce0319ce916","sha512":"46022d30510e327952a0b94973dc4a3d68c631ac81a826901ab475b713a42d79e89612fa2fa17b953bc04c2c94676b46739922f71da15864483bccbed0dc5f2b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)","trigger":"signature-base-master/yara/apt_mal_gopuram_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-04-03","description":"Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus 
group)","hash1":"69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf","hash3":"bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9","hash4":"dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9","hash5":"fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e","reference":"https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/","rule":"APT_NK_MAL_DLL_Apr23_1","score":"75"}}]}},{"path":"signature-base-master/yara/apt_mal_ilo_board_elf.yar","filename":"apt_mal_ilo_board_elf.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":679,"md5":"d38bdb7e6db9107231a29ab2bab5a3af","sha1":"adf42247b391455396a88457ed568d1168c88605","sha256":"bb92d093e190318f713a178cde62c88df5ba0546c100e541f5bb888bb237f6bc","sha512":"d26358d844a5a7dd465660479a3420819542fdc86c1a8c3b5a956f926ba98f49edd869c6ed5fd5d8db9a6adfb0d2c611077ee2417ec95124c00e69f7c64d177c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021","trigger":"signature-base-master/yara/apt_mal_ilo_board_elf.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-28","description":"Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021","reference":"https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/","rule":"APT_MAL_HP_iLO_Firmware_Dec21_1","score":"80"}}]}},{"path":"signature-base-master/yara/apt_mal_ru_snake_may23.yar","filename":"apt_mal_ru_snake_may23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3405,"md5":"8c7de190d8ff6e4d4750216bb5572186","sha1":"90331af333f6e444d042e28bed59a218e91c4280","sha256":"63bc766dd779b6bcb55a79af4f7a597938d9da6fa717038dc4df8c94bfccdf1b","sha512":"69c2db5a86cc8c45045224057b575dcd5d4ff4353c721891f5c6cd0490e9dd3cf76f3301277d109a1a88f4bdd36cb35b08a428060d5106dac0c40562ec8b7b13","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_microcin.yar","filename":"apt_microcin.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5802,"md5":"36f97fc35041a80bdbecb59fa2f3a74e","sha1":"d474ee59c4519a91ff271133041f2146e811aa3b","sha256":"2b8e53ef5d2a5d3638be8785310db2ecebf399a59c0c47342f724d44e1b51601","sha512":"3976014c01e59a0c375bdd9166561e95c08440d5710f760739059182478b0e26fe04c2cdc9299bc4806d404fbb392464bd5186f8e6e2644778b526a349d79d90","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Malware sample mentioned in Microcin technical report by Kaspersky","trigger":"signature-base-master/yara/apt_microcin.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-26","description":"Malware sample mentioned in Microcin technical report by Kaspersky","hash1":"b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf","rule":"Microcin_Sample_5"}}]}},{"path":"signature-base-master/yara/apt_middle_east_talosreport.yar","filename":"apt_middle_east_talosreport.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4606,"md5":"7596cf10b3562cc46ede67c07a89ba19","sha1":"64fd5817e7c9c273f4741cdd42db23c35d825996","sha256":"59e601ae8b7bdc7c9fbbcf1ae377d19d2a6c68a0a4af06a68a6e36c7bbb1ff7e","sha512":"311b9ad9a30ca5557d9774a045bf0b2a8a15b4db9a2fe39d3e2d11f66952db8a5f00538270e97ab0d099931a5cd828a9b96519a7a21906ceae2e26cdf4a2b6a1","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_miniasp.yar","filename":"apt_miniasp.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2353,"md5":"86de676896833ba5be06ba61c98ceb41","sha1":"8003933ca0bd24b1f4e4baa81f9f94f4d031cda8","sha256":"f8f21caa743025a2a2756f0a12ceeaad4e6134e58f708e1d23b21b0259839e48","sha512":"3893827553f330de0edfd8d58a963fa476b971cd399d141246711386f27be38ddbccff4d4899409c697ac33603a4349bc2a314eb24403299f9419df0d00c02ce","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"CommentCrew Malware MiniASP APT","trigger":"signature-base-master/yara/apt_miniasp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"CommentCrew Malware MiniASP APT","hash0":"0af4360a5ae54d789a8814bf7791d5c77136d625","hash1":"777bf8def279942a25750feffc11d8a36cc0acf9","hash2":"173f20b126cb57fc8ab04d01ae223071e2345f97","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"APT_Malware_CommentCrew_MiniASP","super_rule":"1"}}]}},{"path":"signature-base-master/yara/apt_minidionis.yar","filename":"apt_minidionis.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3868,"md5":"94d4314afa53fea74db165d505238e77","sha1":"a4adf6736648d1443375934c4759a574ab12280d","sha256":"83dd5e74432051abcc94a40d857fce8988758b5b9cb9c39e8e35fccb58a222f1","sha512":"28c34147a613d8f68a78de7a73b995fa30e5891b28834f412b79e0e82c636fbe959181d086fe770c936ed86cc60f055b52e2f637e76c315a2c51750b5689662b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_mofang.yar","filename":"apt_mofang.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1668,"md5":"26f0a3e36cace2e5c265037679e6d6da","sha1":"d5cdc7bb587373cda46f86ddfc06c1b1d7a075d6","sha256":"6b4b21d9c6f1748a78994cb3358131c42ff700e0c608a75d25f4402fdd986f40","sha512":"993b19c87527459749505088195ce5e8eaf7d49fb50127f75ed8082eed2826bfb7c219816b518a4970ebf1d1d4aebc1467c1f03843ac6e407f5db00db8f292fd","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ShimRat and the ShimRat loader","trigger":"signature-base-master/yara/apt_mofang.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)","date":"20/11/2015","description":"Detects ShimRat and the ShimRat loader","rule":"shimrat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ShimRatReporter","trigger":"signature-base-master/yara/apt_mofang.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)","date":"20/11/2015","description":"Detects 
ShimRatReporter","rule":"shimratreporter"}}]}},{"path":"signature-base-master/yara/apt_molerats_jul17.yar","filename":"apt_molerats_jul17.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5008,"md5":"25ddf9d11803fcfb6ee1c7095b965c7a","sha1":"7eb8f5370200d72c6fdcd85e1a678f482efa7815","sha256":"f99ca06a4b8b9c6f6135ff5185538b30db9e5a5cbcf1bf5681172b8bc07608da","sha512":"886a88bd993f7f71f701a5bb93c15b5c288126ce64ae695540879ae7176b4f8437c5af18e0fe5b78ad09f1175fb5c6fb7021c5bcd746b2f2d22c0deb267e8fc4","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Molerats sample - July 2017","trigger":"signature-base-master/yara/apt_molerats_jul17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-07","description":"Detects Molerats sample - July 2017","hash1":"ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html","rule":"Molerats_Jul17_Sample_5"}}]}},{"path":"signature-base-master/yara/apt_monsoon.yar","filename":"apt_monsoon.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2418,"md5":"04f0dba77e76a300dc4b317e989cc133","sha1":"2f4c9a747111fd79eba93ff7e65e968587d6c972","sha256":"f04d72dd0608ef8d408dddb03e0e4064997f7e3ee065c1c342f7e97b60b23fcc","sha512":"b18d09272458a9365c0f42567c5b9742e0f04a67fd0bdad6854595bcd83ddbe08a94960ad9e4973aaf85e513dc0fdcc63188d3c38efc98b2344a924ccdeb6ed8","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_moonlightmaze.yar","filename":"apt_moonlightmaze.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7151,"md5":"06c58747b5f1607118c01de9d6821171","sha1":"856478e10651a9f4fad6a3dea477e8fc565b41ce","sha256":"69f53f6b0d8aef67d380b1049108ae80db4853c777c6d3912da36d0990881961","sha512":"77bcf99c0a007328a585eefde2eda011b02f83a41942fcbc59d383b478b9f634a01874cd034a0429e5878c08183aaffd16afc2f9136c2bc19bf4641eeea75516","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-15","description":"Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings","hash":"e59f92aadb6505f29a9f368ab803082e","last_modified":"2017-03-22","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_customlokitools","version":"1.1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze sniffer tools","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky 
Lab","date":"2017-03-15","description":"Rule to detect Moonlight Maze sniffer tools","hash":"927426b558888ad680829bd34b0ad0e7","original_filename":"ora;tdn","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_customsniffer","version":"1.1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool","hash":"8b56e8552a74133da4bc5939b5f74243","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_de_tool","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze 'cle' log cleaning tool","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'cle' log cleaning tool","hash":"647d7b711f7b4434145ea30d0ef207b0","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_cle_tool","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze 'xk' keylogger","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky 
Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'xk' keylogger","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_xk_keylogger","version":"1.0"}}]}},{"path":"signature-base-master/yara/apt_ms_platinum.yara","filename":"apt_ms_platinum.yara","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":11436,"md5":"065745fdd9e1f439ab22ea1e59b46696","sha1":"1c2c3d005e80e88b9a8fd080a0c536d4cf751de2","sha256":"fc65af9b77ce399fd70a43c0650af93474a85dd5c5bc04d5a9a09e5bbcdb904d","sha512":"b40d9a0303f5c50475efb8f9c7afc970ea432f1c2bc4d6f514aad561d54c20ce568cce43e3eff7c86e7ce99f11cf7882b1b6564910a28a753f58c39836bdb63e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_muddywater.yar","filename":"apt_muddywater.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3208,"md5":"3cfac7eee7b5ae133aff43732dbfa65d","sha1":"208bd92ffbadce7fab49ad4e777462775c3475bf","sha256":"6fa35c1026f116f1d3e68e1ac1b451b922b69280ddeb5f750a4168ebeb51aed9","sha512":"aa161685beda5b572581df4d4a97e1fe825f0e91caeb4a566ea85a48499325befc7dd95bb3718e92a91404e3f0b36890bd10b2d1e089dc339b8239c954564b70","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_naikon.yar","filename":"apt_naikon.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1434,"md5":"4a251cde5c63c4c297bb07ca8a8fa5a7","sha1":"8e33c4f64b1f1c1d9c2a162b5c9e5e91bb4f38dd","sha256":"944327707e2cc294dd447bb5ce3f939d5b040158772a4d698d11c19fc3e0d215","sha512":"b972349c5150c15c0d5716cb3f7a0addfea08df9caebd05229628ce26eb6c6391a950bebcbc2bdaf1e8e85deb11154a3ed131af311e1026852f4a6a4d53f7973","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_nanocore_rat.yar","filename":"apt_nanocore_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5447,"md5":"e6ddc897c7e800c012e3b9931b877c4e","sha1":"8b80372407aa0324e7f70245ce91967f7f46682f","sha256":"4c4f77d06fecc64faa5ebcd466fc9f7ee38ef6bad2c67bbb5a48100bd5ca2e6c","sha512":"58db64be947ddf071b081c0b5aa0393f56e308fca3d606417313a1c767899094261d53a3a7783e17ab25772e3d6295acf405d187752b062e214afc60dc7094df","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs the Nanocore RAT and similar malware","trigger":"signature-base-master/yara/apt_nanocore_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-22","description":"Detetcs the Nanocore RAT and similar malware","hash1":"e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/","rule":"Nanocore_RAT_Gen_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs the Nanocore RAT","trigger":"signature-base-master/yara/apt_nanocore_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-22","description":"Detetcs the Nanocore RAT","hash1":"755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/","rule":"Nanocore_RAT_Gen_2","score":"100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.Nanocore","trigger":"signature-base-master/yara/apt_nanocore_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-13","fingerprint":"e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4","id":"d8c4e3c5-8bcc-43d2-9104-fa3774282da5","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd","rule":"Windows_Trojan_Nanocore_d8c4e3c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Nanocore"}}]}},{"path":"signature-base-master/yara/apt_nazar.yar","filename":"apt_nazar.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2839,"md5":"d2cd52f30748b55a2de6ba49679a3082","sha1":"b9d2abe44dc48f563377003fc5951960b51497ef","sha256":"1717957416f1ccb3bd2f790917dc7d6584d23a58917970da9b36e6ec7f3a1170","sha512":"cb58961e82933a47cfb0286066cdfe6a3dcb06af9db660d26367024f5a6f92ffb192d44e294406d706f1ca31218a72717766c638d7fd66aa55313b480314da0b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","filename":"apt_ncsc_report_04_2018.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7488,"md5":"e69810e2d5a7fa5361be0e62dbe707cd","sha1":"93f9f3612c8f2b0aac93d26d97a5e90936a2f5fb","sha256":"e38377f6ee5218738c75f24b189eaf88af72ff116d3ee67c74e8a95164ddbb6a","sha512":"146c62e4d679bff3daa2c49aff955ba36b007c061f0db4612c4c17bd77e7018de395d0bd617dfeae18bf811a301bfb3916074a60b966b04221b39acae0dcc2e6","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects user function string from NCSC 
report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects user function string from NCSC report","hash":"b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"User_Function_String"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malicious batch file from NCSC report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects malicious batch file from NCSC report","hash":"b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Batch_Script_To_Run_PsExec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malicious batch file from NCSC report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects malicious batch file from NCSC 
report","hash":"0a6b1b29496d4514f6485e78680ec4cd0296ef4d21862d8bf363900a4f8e3fd2","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Batch_Powershell_Invoke_Inveigh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects RDP brute forcer from NCSC report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects RDP brute forcer from NCSC report","hash":"8234bf8a1b53efd2a452780a69666d1aedcec9eb1bb714769283ccc2c2bdcc65","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"RDP_Brute_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Z Webshell from NCSC report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects Z Webshell from NCSC report","hash":"ace12552f3a980f1eed4cadb02afe1bfb851cafc8e58fb130e1329719a07dbf0","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Z_WebShell"}}]}},{"path":"signature-base-master/yara/apt_netwire_rat.yar","filename":"apt_netwire_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2153,"md5":"934e7c875979c134dd902f5d161a07ce","sha1":"58ffc53a03d345ae58e4c430d1b82a2972acbd0f","sha256":"c4e27768c1f1724af66008e9abe338f75d0d6c2d1009f40e0060c9c072a6427c","sha512":"28152e1ba7abbee23e556fade45fd920c0b0b6de4a72a402c71de7e108feb0b3c6143b9e39e0ac58f0849a73361b00c91210d64c5673f324c0badeaf2420563d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a string also used in Netwire RAT auxilliary","trigger":"signature-base-master/yara/apt_netwire_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-05","description":"Detects a string also used in Netwire RAT auxilliary","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://pastebin.com/8qaiyPxs","rule":"Suspicious_BAT_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a string also used in Netwire RAT auxilliary","trigger":"signature-base-master/yara/apt_netwire_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-05","description":"Detects a string also used in Netwire RAT auxilliary","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://pastebin.com/8qaiyPxs","rule":"Malicious_BAT_Strings","score":"60"}}]}},{"path":"signature-base-master/yara/apt_nk_andariel_jul24.yar","filename":"apt_nk_andariel_jul24.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(487)","size":30897,"md5":"d6488d21ba09c292075c29edc1ff17f3","sha1":"8e2f04c4ca54f37d5d0a205831710b2d931c0059","sha256":"8d347ab257d5e8410a1cd92db4b6a0413bdfe481deca010e736c17fd8084bda3","sha512":"fe259fc9522b975c16f2cc8efca8c33f6f84118aed57b7ac7951d0e2faeff81c61b39b5620fceac2a9ac5e0d17c568251632b4ff92ab1488b2ff73ea2c31f617","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_nk_gen.yar","filename":"apt_nk_gen.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1764,"md5":"58c61ed0776035db1611fcac0a20cdef","sha1":"c63e662f5fb217f22998a5e19fb0c96a2f22baed","sha256":"cec319f3e51c337fb8f584c624e03a439486a5be8b0c913e030c2528f0997599","sha512":"877f906c170b22f9795a8ff193556bc5cbb37cde0d69069d4a3dd562a7001cba4c1280acc5559163891f0e72cc8dc681d3361b1b7df029a07dcfa349c4118c03","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_nk_goldbackdoor.yar","filename":"apt_nk_goldbackdoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2658,"md5":"c85acd473234a25c41fc40d77f2f106a","sha1":"1fe32d150dae0540fe281591f4c883d39902922c","sha256":"ec27035918f8f82a641b21afa5650cb6ea2a45f1dbefde31736ec55e3d8aa164","sha512":"311b49f14fd3aca3d947d7eeff8eb6121f0f9399a6d52983b96aeac93b837955ff234aa4b507bb22f55881dabc3e526b91563d4ac71a93525676382c27137e6b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_nk_inkysquid.yar","filename":"apt_nk_inkysquid.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(755)","size":8122,"md5":"210431bbb7ce02ae689b6a1e4beaac07","sha1":"1d724660ab0ae42aae59f7f872bc2e720373aa98","sha256":"084cd8fb43dc89a80508fa49c538d36435232453002082937f439d2f2dd18d52","sha512":"5023da0c5b7eaf512423a5dc12c478415f845d91fd7da7dfeb4313c9f158a156586812cdb2e5d9e757dcccf14894110716539868457f3cbf34595c37414c8788","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Ruby loader seen loading the ROKRAT malware family.","trigger":"signature-base-master/yara/apt_nk_inkysquid.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-06-22","description":"Ruby loader seen loading the ROKRAT malware family.","hash1":"5bc52f6c1c0d0131cee30b4f192ce738ad70bcb56e84180f464a5125d1a784b2","license":"See license at https://github.com/volexity/threat-intel/LICENSE.txt","reference":"https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/","rule":"APT_RUBY_RokRat_Loader"}}]}},{"path":"signature-base-master/yara/apt_nk_tradingtech_apr23.yar","filename":"apt_nk_tradingtech_apr23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (376)","size":12433,"md5":"f8f17871784ca670f600b2ecbcd2b425","sha1":"693319a0de35b9f51919f9fe6031e972ff490b5b","sha256":"dbe912950f882f3d29de0a21efa22fbeb1a15c6fa95d732cbfca6e3b62542a78","sha512":"2e590cbe2d302b3cc20f66f015bf02cd54bf7b0185775a514dcb3f33f2722bef0eaa47ca144930872f1b485b3991a3b2a0149e1429d7537f15bb104172a8cd95","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in POOLRAT 
malware","trigger":"signature-base-master/yara/apt_nk_tradingtech_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Mandiant","date":"2023-04-20","description":"Detects strings found in POOLRAT malware","disclaimer":"This rule is meant for hunting and is not tested to run in a production environment","hash1":"451c23709ecd5a8461ad060f6346930c","old_rule_name":"APT_NK_MAL_M_Hunting_POOLRAT","reference":"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise","rule":"SUSP_NK_MAL_M_Hunting_POOLRAT","score":"70"}}]}},{"path":"signature-base-master/yara/apt_oilrig.yar","filename":"apt_oilrig.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":15025,"md5":"f612165261f1a5be27780dbba550fe62","sha1":"237f8b863fec94e09b746b677e318c093c373f0a","sha256":"2957a8e94f1123e82d2514b08d56fc2c27f57ddd6963a0d792d063e1a04bd72d","sha512":"9574140c97fa25cd8111d50414038bd7e479da7f6bb60d6a4134b7b11d1b08f318db459a93cc8b5e609356c76649bb117d05d6ecbe1605aea479f9327f3d7e28","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Oilrig malware samples","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-12","description":"Detects Oilrig malware samples","hash1":"c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d","hash2":"293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb","modified":"2023-01-07","reference":"https://goo.gl/QMRZ8K","rule":"OilRig_Malware_Campaign_Gen2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects OilRig 
malware","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Eyal Sela (slightly modified by Florian Roth)","date":"2018-01-19","description":"Detects OilRig malware","reference":"Internal Research","rule":"Oilrig_IntelSecurityManager_macro"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects OilRig malware","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Eyal Sela","date":"2018-01-19","description":"Detects OilRig malware","reference":"Internal Research","rule":"Oilrig_IntelSecurityManager"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects APT34 PowerShell malware","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-17","description":"Detects APT34 PowerShell malware","hash1":"b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768","reference":"https://twitter.com/0xffff0800/status/1118406371165126656","rule":"APT_APT34_PS_Malware_Apr19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects APT34 PowerShell malware","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-17","description":"Detects APT34 PowerShell 
malware","hash1":"27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed","modified":"2023-01-06","reference":"https://twitter.com/0xffff0800/status/1118406371165126656","rule":"APT_APT34_PS_Malware_Apr19_3"}}]}},{"path":"signature-base-master/yara/apt_oilrig_chafer_mar18.yar","filename":"apt_oilrig_chafer_mar18.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4426,"md5":"9804234457c6b8a32ffff0c72e083026","sha1":"07e009cc74dbd25e63620b3e6c4d30842805a554","sha256":"8e5b4f9ae25f9ff024b3f79d54ba28085e3bb8698a55e543a4eb8e39a77040ab","sha512":"63c8ff628e2536f5d02a10792619548a4b94d189527e6e2e46afea0201d5279841416d8206644b1f65e60081cde52504a5a1735c33e1bbbd28ffd1f29daf1cd7","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Powershell CnC using DNS queries","trigger":"signature-base-master/yara/apt_oilrig_chafer_mar18.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Markus Neis","date":"2018-03-22","description":"Powershell CnC using DNS queries","hash1":"9198c29a26f9c55317b4a7a722bf084036e93a41ba4466cbb61ea23d21289cfa","reference":"https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf","rule":"Oilrig_PS_CnC"}}]}},{"path":"signature-base-master/yara/apt_oilrig_oct17.yar","filename":"apt_oilrig_oct17.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5202,"md5":"66b22e0df32f46603f43d3e122bbaaec","sha1":"348c1ff78545bfba434080397a70b6a93628dbfd","sha256":"50a5c54be6c39b08b22cf6531b62432c27095330543de2098486b1dc621123b9","sha512":"5322983c4a3b4db156772fb8febd6b00710d828b45aa1883e58ca96ee360073d23da6e03d283bdeef591b020a9fa946613b544fc8c581c3b5a03c02929fd7bfd","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_oilrig_rgdoor.yar","filename":"apt_oilrig_rgdoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1473,"md5":"07a864da54724e3e8911b23294b19cfa","sha1":"a8878cae4441e542f9f9d0cc0034681c1e01eb3a","sha256":"387cc881b489e0aa85029e085834938fb3d60c22ad1f4c4625c93e05425a1621","sha512":"bc76c32c78d253fdf8f8a13d6e079721dfa99a0fd23956b5b93f19db65f45d67650be2e701d103c38ddc485291ddbc9563ca9c04493555443fbb71e5924b8619","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_olympic_destroyer.yar","filename":"apt_olympic_destroyer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2727,"md5":"d06c7ffc8692e457eb724959e47f30c6","sha1":"ed7f0fbddfa4197cf36ecbe0ac3c02e5ee853904","sha256":"90fe5b490a7aaf96b6cba58dfb0b627c8b3905888141f3abc3ca0177f986bbf2","sha512":"6532d6a3b283d5d698320061f3f61d52bf2c8c9f3f2b5e350b106e6b54cb1a7321ef6d4895893a5cbe66c292babbc3db4a40fd352436ae52926a61dd0f3ab9bf","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_onhat_proxy.yar","filename":"apt_onhat_proxy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1436,"md5":"86364590524acedc2b358cc138111393","sha1":"5eceeb394aec461c603031bf3084c728ad7dea1f","sha256":"a2a0277723f6fddea4afd63b6a693fd211189ff7d23980ad1336049d9250bd7a","sha512":"b4baf7fc8bf7de7308d94d07c4f396f90b9c10306d010f353001111791a2745e818844da0cb1019ac50aa15f70b7398ac46331eb1cdd733d1bf8c7ae1a510a18","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups","trigger":"signature-base-master/yara/apt_onhat_proxy.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-12","description":"Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups","hash1":"30b2de0a802a65b4db3a14593126301e6949c1249e68056158b2cc74798bac97","hash2":"94bda24559713c7b8be91368c5016fc7679121fea5d565d3d11b2bb5d5529340","hash3":"a26e75fec3b9f7d5a1c3d0ce1e89e4b0befb7a601da0c69a4cf96301921771dd","hash4":"c202e9d5b99f6137c7c07305c7314e55f52bae832d460c44efc8f2a90ff03615","hash5":"dded62ad85c0bdd68bcc96f88d8ba42d5ad0ef999911ebdea3f561a4491ebbc6","hash6":"f0954774c91603fc2595f0ba0727b9af4e80f6f9be7bb629e7fb6ba4309ed4ea","hash7":"f3906be01d51e2e1ae9b03cd09702b6e0794b9c9fd7dc04024f897e96bb13232","hash8":"f65ae9ccf988a06a152f27a4c0d7992100a2d9d23d80efe8d8c2a5c9bd78a3a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/p32Ozf","rule":"ONHAT_Proxy_Hacktool","score":"100"}}]}},{"path":"signature-base-master/yara/apt_op_cleaver.yar","filename":"apt_op_cleaver.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":9390,"md5":"352bcb00ad367d8904ee4a9dd1abb2dc","sha1":"b75060974daf4ffbf38943ecd6352ca8aac82112","sha256":"c65067e7e243e5fbaf64bc29a4b5fcda0f02c2d446f94dd4ab0812361ec55ccd","sha512":"13a1723f7d6ec7e9cb0e59dd5487ca5fc553fcbb7fd2f7d8a8169dacfdd6b930d98b6551632d589bb173857707abbe090c4e997b01891fe034bf9b605ebe40d9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Keylogger used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Keylogger used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_BackDoorLogger","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"ARP cache poisoner used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"ARP cache poisoner used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_Jasus","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Shell Creator used by attackers in Operation Cleaver to create ASPX web shells","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance 
Inc.","date":"2014/12/02","description":"Shell Creator used by attackers in Operation Cleaver to create ASPX web shells","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_ShellCreator2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Malware or hack tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Malware or hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_SmartCopy2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Malware or hack tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Malware or hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_SynFlooder","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Tiny Bot used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Tiny Bot used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_TinyZBot","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Keywords used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Keywords used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_ZhoupinExploitCrew","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_antivirusdetector","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Backdoor used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Backdoor used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_csext","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Backdoor used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Backdoor used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_kagent","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Mimikatz Wrapper used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Mimikatz Wrapper used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_mimikatzWrapper","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Parviz tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Parviz tool used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_pvz_in","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_zhLookUp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Mimikatz wrapper used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Mimikatz wrapper used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_zhmimikatz","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"CCProxy config known from Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/12/02","description":"CCProxy config known from Operation Cleaver","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_CCProxy_Config","score":"70"}}]}},{"path":"signature-base-master/yara/apt_op_cloudhopper.yar","filename":"apt_op_cloudhopper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":14173,"md5":"555adddc661ed3396a09ce14a99e39da","sha1":"8f1f01fca7870b556247be39f58816f3e65ab6de","sha256":"069c51feabc27e37e566fa2f0a32f124acd3cf5d136d72694119bab2584f29c6","sha512":"444cdb6776a17c7f6f7d215008423d00fe84ec7b59bd83780584390283d53ec6786d066aa8ba44f6f246d93b93aaa06d28c33cd90183378ce6293b61ee453387","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from Operation Cloud Hopper","trigger":"signature-base-master/yara/apt_op_cloudhopper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-03","description":"Detects malware from Operation Cloud Hopper","hash1":"beb1bc03bb0fba7b0624f8b2330226f8a7da6344afd68c5bc526f9d43838ef01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html","rule":"OpCloudHopper_Malware_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Malware related to Operation Cloud Hopper - Page 25","trigger":"signature-base-master/yara/apt_op_cloudhopper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Malware related to Operation 
Cloud Hopper - Page 25","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf","rule":"OpCloudHopper_WmiDLL_inMemory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Tools related to Operation Cloud Hopper","trigger":"signature-base-master/yara/apt_op_cloudhopper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Tools related to Operation Cloud Hopper","hash1":"21bc328ed8ae81151e7537c27c0d6df6d47ba8909aebd61333e32155d01f3b11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/maaaaz/impacket-examples-windows","rule":"VBS_WMIExec_Tool_Apr17_1"}}]}},{"path":"signature-base-master/yara/apt_op_honeybee.yar","filename":"apt_op_honeybee.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3485,"md5":"ef837020784aec698fa3d370073821f1","sha1":"9a45092a0b9a19545d14b1f8f43ac5244e8534b9","sha256":"59984b145990c8bcb508bd4ef5a13dd6bfa6f2205ac003aba07c60eabd0910ee","sha512":"453ccf10e5558dbe3e5c2e998bd0aa8fb939c9ebb958e4292da5d33111c62c7bc7f2173d0ef4ec92f5db16b634c706a0a851db0f52874d6b5bcc965ecca7a38a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_op_shadowhammer.yar","filename":"apt_op_shadowhammer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1108,"md5":"18cedbec78c65ac4fcf7dcdbe4142e63","sha1":"03d212baac3e169d3b18a7b6ad82235691848e5b","sha256":"ef13616dbcf9a6956c4c74f90db910e830c81b3ad3f1106108a09d57edcf984c","sha512":"429d2d7b8a3e88a8782c45b0effb6f2b0d036306fb6ea220b0444ac940bfd1b363e27698905b097a8df22e16dbf3523dfdae8a2f9cd2421ecc99dba3f988bab4","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_op_wocao.yar","filename":"apt_op_wocao.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (972)","size":16146,"md5":"a9e7c4346add439ce1432d69f4646830","sha1":"7bba1bd471c990c26628195e1c7c8c66d00b55ea","sha256":"aaf3803f2e5ee592ed4fccbe29ba07683caa8a83862d8772f6129db318add9d0","sha512":"97a555f8da982d8fb33727213dc07c0a02950aef9aee8f656cdf565fe5c6b045fdda7f78b2502115c7dd9093c91dc1f104f03158a0b889a55b0f81f796f10998","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from CSharp version of Agent","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from CSharp version of Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_Agent_Csharp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from PowerShell dropper of CSharp version of Agent","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from PowerShell dropper of CSharp version of 
Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_powershell_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Piece of Base64 encoded data from Agent CSharp version","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from Agent CSharp version","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_powershell_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from Python version of Agent","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from Python version of Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Piece of Base64 encoded data from Agent Python version","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from Agent Python 
version","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_py_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from Python keylogger","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from Python keylogger","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_keylogger_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from the CSharp version of XServer","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the CSharp version of XServer","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_csharp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Piece of Base64 encoded data from the XServer PowerShell dropper","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from the XServer PowerShell 
dropper","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_powershell_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from the PowerShell dropper of XServer","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the PowerShell dropper of XServer","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_powershell_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Process injector/launcher","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Process injector/launcher","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_injector_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Timeliner utility","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Timeliner 
utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_timeliner_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Checkadmin utility","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Checkadmin utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_checkadmin_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Python getos utility","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Python getos utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_getos_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from the information grabber VBS","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the information grabber VBS","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_info_vbs"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Strings from the console.jsp webshell","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the console.jsp webshell","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_console_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from the ver.jsp webshell","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the ver.jsp webshell","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_ver_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic strings from webinfo.war webshells","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Generic strings from webinfo.war 
webshells","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_webinfo"}}]}},{"path":"signature-base-master/yara/apt_passcv.yar","filename":"apt_passcv.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"data","size":7871,"md5":"ee1042e84410bf36535b23d19f8eda7e","sha1":"90bd4f987213621efbebf2e4f141ed78ec87bbec","sha256":"752553556dd5015bad954906dbe3cf393b553ea71b3c78e33591fc525f90639a","sha512":"7e2e0153bf8bf73acceebf33bbe9e16f8ca74e6ec5a53fa74b97e77c42899a9fdc6fb0fee780b932e2a2f2e2b38faf6d81d3113c6a223e4e434a9bb5c49bd2cd","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PassCV Malware mentioned in Cylance Report","trigger":"signature-base-master/yara/apt_passcv.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-20","description":"PassCV Malware mentioned in Cylance Report","hash1":"475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4","hash2":"009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78","hash3":"92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b","hash4":"0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies","rule":"PassCV_Sabre_Malware_2"}}]}},{"path":"signature-base-master/yara/apt_passthehashtoolkit.yar","filename":"apt_passthehashtoolkit.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":9021,"md5":"b8449d8431a48aef5a74b9f377424ef2","sha1":"fae953a5a31e6eb2beb257cf68ccc24f1f40f7e0","sha256":"940cebd82e375a4d4fb4ab6db1f3af10d71feddeff45ce995189efea24335aed","sha512":"2270ca8759ed067fed9a2283310476f13ac5043bcb3477df5c530dc48bac6ba74becfa7fb7f18339c4103b73b4c312928f82f399cef71e81294c4bab164b8b3f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_patchwork.yar","filename":"apt_patchwork.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1476,"md5":"1b17757b1088bc2832a74b045f36bc7a","sha1":"b7a6b8fc83e35778b02f5d1d1a359fe7d462bc0f","sha256":"b660571fd07979402dbafe5dbc25e91d18c186d67ff2da5e7d5e929a7fda2e9a","sha512":"3227d4cd3de14b28b393e9a1eb4bd9f44a8cb81d14e3b9b9860ba6bde16616e790057eb622f363c039580a1cd4b6f2e42ae3dc4df066585e9805d283ce679816","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_peach_sandstorm.yar","filename":"apt_peach_sandstorm.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1082,"md5":"61da0148de9d3745b4e7c85f367e6bbb","sha1":"1719ee5228701310243fe4d6445057a029969501","sha256":"053fab2b7b478b523fa461b817c3f3297a44b0ae59283409bd597195799b4ad9","sha512":"a3e2d2ddc2d22216c67e147503a2a10230ad9de34d0fd4257015322b7b06d4b061ae003e077ed4ba86f32834d0c8ad35dec25dfc4b45e7c39f97d16834ddeafc","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_plead_downloader.yar","filename":"apt_plead_downloader.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":880,"md5":"8905ae537f613c21d60e3c67b7831e28","sha1":"b55ad37cea7018eee76c33ea6d1b0b124d8d4738","sha256":"abf1939b9d28e5f5cf46478b65fd2f292fc20260b07516dec4e235615a64d589","sha512":"6e816f3c3676ff5469cb6d351c5c4bcfce88c95071c4565d82759ef00dc5308565a52ba4ba8a1672c90497deb8239bc1713610c446879239c846c9708dad076d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_plugx.yar","filename":"apt_plugx.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1744,"md5":"6b3b0993232be250fefcede016df1e89","sha1":"05cbec08e7dd534ab4e3406b947ee5029d70a8d6","sha256":"9978c83c0c5d3603e508fe1aaf9888d0c4063f78a79d22637bd7cd23e886b705","sha512":"61f971640348941174cf498bc20abdd94258e74ba28a93160ee75a36a7275198a26983731e30f287cf8b9dbeaec38657e8f6f1efd32e7cc0dbd18ac9ce7ace3f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_poisonivy.yar","filename":"apt_poisonivy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":12355,"md5":"c6acb23b26ff9ec62a2f4b16624c0650","sha1":"3f5a7cd0a053aff5867ace97a20b21d00be7c216","sha256":"42c73131f0ad5adb94cb2dcf23a79843afd6b708b680dc0e9f90109ece81614d","sha512":"e1a07b3beefac123a33d1b172b831f8a63947671fa94eda356710aa4fa1153b551caf5d51ef290a9d4f1c9fc1542d10c4671ab9c60c9970f58e5ec43a0346ccf","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PoisonIvy RAT sample set","trigger":"signature-base-master/yara/apt_poisonivy.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects PoisonIvy RAT sample set","hash1":"8c2630ab9b56c00fd748a631098fa4339f46d42b","hash2":"36b4cbc834b2f93a8856ff0e03b7a6897fb59bd3","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"PoisonIvy_Sample_6","score":"70"}}]}},{"path":"signature-base-master/yara/apt_poisonivy_gen3.yar","filename":"apt_poisonivy_gen3.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":825,"md5":"388acabf7d9051c84ecfa57ce7965c45","sha1":"5b490189e98100e469ed9c7dbe5e9cd8eda5e7cc","sha256":"7002139690bcef3e89a9b63dcb9e5d15bddf85fa537cced69633b53316404c46","sha512":"eb5e42fc86479afde4453cbab08c7a9c99a29db7f837a69d5c1f2cb7b6b0fcda78e1e7402ce0b1314b49451c0d380c6bacaf345467aa1fdb88ca2d9f4c6fd16c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_poseidon_group.yar","filename":"apt_poseidon_group.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4076,"md5":"8b1664fd78cb85d52861f47a080906cb","sha1":"a5f98f68ae04d1dde0d1bbaa30b3290127964dc1","sha256":"4256715c4be7dd6934db2d5607636b099fe66beaab52d270eae00d80fdabfca2","sha512":"05a3780c42c1be5cb1861cf7d5d00404643b75a33ec61b9228d673501e5455596d8798664ec0dc48cbef8f0da7a405963717433416c2f4d5aa853a596edabaa1","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Poseidon Group Malware","trigger":"signature-base-master/yara/apt_poseidon_group.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-09","description":"Detects Poseidon Group 
Malware","hash1":"337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4","hash2":"344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3","hash3":"432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61","hash4":"8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47","hash5":"d090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f","hash6":"d7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb","hash7":"ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/","rule":"PoseidonGroup_Malware","score":"85"}}]}},{"path":"signature-base-master/yara/apt_poshspy.yar","filename":"apt_poshspy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1065,"md5":"a4892e24acfffb794a2a278c8ffbbdcf","sha1":"ebd9510851e926222aa512eadca6378c54c965e0","sha256":"dbbee40c6a9a767dad1809ccf8166ab4273b237b7887f65c519de62407055dcf","sha512":"ff149a7d9a4460029950f3f34214e55d59aa1816b6560d36712806a85b314d97c6be28f89d3968497dab373bd5dd0ed282263cb9afbef8da9684977eb377d203","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects","trigger":"signature-base-master/yara/apt_poshspy.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-15","description":"Detects","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html","rule":"POSHSPY_Malware"}}]}},{"path":"signature-base-master/yara/apt_prikormka.yar","filename":"apt_prikormka.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5271,"md5":"d3d7030a45612abbd6bb0e60558de1fe","sha1":"ab88a7562fc7f3923c8a42874c0a7da1c29b7423","sha256":"2e0e63db2f33904be3bae665c7df09f3ab2636d5d091f1ca0743dd8c4a2cda0e","sha512":"ba281b4b110bb230bfed0b4f6a07cb31b3c8da4a8196d4e491f09ee8728acfcc5ed676c51ccf4c0e0ae0cabaf6c0bc7657324e28d62775a9dc268f5b9e78ae2e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_project_m.yar","filename":"apt_project_m.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1966,"md5":"5e91fe7e43fe6c21c9b548e91fcdc818","sha1":"77fa5cfcc002b00c5d8011d05fbee009a5f19b4e","sha256":"927d3db090261cb65168583206a709ab42b4b9764edf1f8179848f4c4d1af2d7","sha512":"574ab53f03e08daa13c1a1c94b2e67393b98c5e61776ab62c05df33667553a11cd3e5c6170710518f58e082729a58486c2f8cc3d8ea1d40cef6305202035425a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_project_sauron.yara","filename":"apt_project_sauron.yara","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4167,"md5":"a9c83fed1d295560a3536d3b3b4940f8","sha1":"cbd8cb8d2f0ea4b4239682368502224dfca137ab","sha256":"854249333425ffd813ff7eb0c4d3c4987e1b7105ff9ec106689e298e828a1b61","sha512":"b54e0c1804fab3064a5d3a8186da5d9258d4c13822f8a66b95015c8e831e77fafff3e1dafeb2d1c3332b284af6d2418f4f2d24da8173f60739ec79d0ee59c785","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_project_sauron_extras.yar","filename":"apt_project_sauron_extras.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":9960,"md5":"da3391602cd01466e6ad58ccba91f03a","sha1":"4d8d7178dd21daa77a24464bdfe8295a790f4527","sha256":"6be79714da2360b8bfd3445074a2337ccc34135ca2e47c5de3a7aa32578d34d1","sha512":"57db2f87c2091d8c728239e5ce46f795a6c6c77ede67d58fc9aa3e46ed22f303be201ddebd24aa460f91dc39d894d164fb59b27e072ab9e654b3a26cf02bc5ec","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects scripts (mostly LUA) from Project Sauron report by Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects scripts (mostly LUA) from Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_Scripts"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Dsniff hack tool","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-19","description":"Detects Dsniff hack tool","reference":"https://goo.gl/eFoP4A","rule":"HKTL_Dsniff","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from arping module - Project Sauron report by 
Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from arping module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_arping_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from kblogi module - Project Sauron report by Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from kblogi module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_kblogi_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from basex module - Project Sauron report by Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from basex module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_basex_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from dext module - Project Sauron report by Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from dext module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_dext_module"}}]}},{"path":"signature-base-master/yara/apt_promethium_neodymium.yar","filename":"apt_promethium_neodymium.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5317,"md5":"92f8fac3780b73e97cad455b9e6bcb4f","sha1":"73b3cd9b3903abc48089d5127c736f1b2f5c55e6","sha256":"7d1ca61eb7baa5d87b8fcf9b649c84901c24b1be2cf4a1bca211f0520c6a5235","sha512":"55d3537c1e08ae8e5d87fa04a0786db14634f3cb0616bd4e5ee0c661ed24034c5bbddc0608f92a1c8a2eba3d54bdf0d743157f77b7e4b63f2a43c1abc7566a66","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PROMETHIUM and NEODYMIUM malware","trigger":"signature-base-master/yara/apt_promethium_neodymium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects PROMETHIUM and NEODYMIUM malware","hash1":"1aef507c385a234e8b10db12852ad1bd66a04730451547b2dcb26f7fae16e01f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8abDE6","rule":"PROMETHIUM_NEODYMIUM_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PROMETHIUM and NEODYMIUM malware","trigger":"signature-base-master/yara/apt_promethium_neodymium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects PROMETHIUM and NEODYMIUM malware","hash1":"2f98ac11c78ad1b4c5c5c10a88857baf7af43acb9162e8077709db9d563bcf02","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8abDE6","rule":"PROMETHIUM_NEODYMIUM_Malware_3"}}]}},{"path":"signature-base-master/yara/apt_pulsesecure.yar","filename":"apt_pulsesecure.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (759)","size":15321,"md5":"d55c7713b6d333c8013f5a3924d15eb1","sha1":"72fd86a22fd6675698db9114c301ad4376ea08ce","sha256":"3194bb929347343eba86f3514876e8daf6aa726b03243b652d2e4412c8e4250f","sha512":"ee794e13d146b48d77c9b8b0c5e63206ec7134c388808ea5b6128ec2ec93c05fe4202812fdd1f3f386d34799bbe9c11a7d83c94268887b471680d9f5f33360c0","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_putterpanda.yar","filename":"apt_putterpanda.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":16176,"md5":"2f17c7fb930a8214f908f1a886beaeed","sha1":"cc1bb16ea62fd68fd6a5f44703953cef5577e294","sha256":"30395702e8dedc00cf02be19951e5f234333ad5d59644fe2d1b105f992a32372","sha512":"14051205d6e428bc9583e615f3451c923a95f348b52278dd20b8aa01d162fb7678381991c1f8e788dc273b82e667051a51d25c0889958f88623f534f88ef477b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an APT malware related to PutterPanda","trigger":"signature-base-master/yara/apt_putterpanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects an APT malware related to PutterPanda","hash":"5367e183df155e3133d916f7080ef973f7741d34","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"APT_Malware_PutterPanda_Rel","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Malware related to PutterPanda","trigger":"signature-base-master/yara/apt_putterpanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects Malware related to PutterPanda","hash0":"71a8378fa8e06bcf8ee9f019c807c6bfc58dca0c","hash1":"8fdd6e5ed9d69d560b6fdd5910f80e0914893552","hash2":"3c4a762175326b37035a9192a981f7f4cc2aa5f0","hash3":"598430b3a9b5576f03cc4aed6dc2cd8a43324e1e","hash4":"6522b81b38747f4aa09c98fdaedaed4b00b21689","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT 
Analysis","rule":"APT_Malware_PutterPanda_Gen4","score":"70","super_rule":"1"}}]}},{"path":"signature-base-master/yara/apt_quarkspwdump.yar","filename":"apt_quarkspwdump.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1074,"md5":"8bad22fedef6ac7ceb10d9bb51194058","sha1":"f3f755e651787324fd83fa73765dcea06415db87","sha256":"5a711bb90f0796ecaa6f66f4a5cf085527d4054784e4a73bb64720bc535a679a","sha512":"31b4f52a16945c6cf27c06887fdfc6b3a60f28be1bcdf6d1f58076d520bc216ce4880e6a86983b86c65e61513741be178ac9513a71cba18af32c4c830899b05b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects all QuarksPWDump versions","trigger":"signature-base-master/yara/apt_quarkspwdump.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-29","description":"Detects all QuarksPWDump versions","hash1":"2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa","hash2":"87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f","hash3":"a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9","hash4":"c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab","hash5":"677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa","hash6":"d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674","hash7":"8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"QuarksPwDump_Gen","score":"80"}}]}},{"path":"signature-base-master/yara/apt_quasar_rat.yar","filename":"apt_quasar_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3797,"md5":"725c6162a3e821238e34e99b2e6b2ea2","sha1":"97d0fa718046962b04c5219c8a7fcd6f9e83cda9","sha256":"cf22dad8af57426685f69c630052cd45eb8ac0f52b8b5c8bad280c32b228ecf9","sha512":"28b75924bf0c5e90d2be3d4fa303b8b98f66f0baf64afe9ad9526390d3f5ac58c880d377290fc6bf581cd1764ec0697a60956755d54dba146e54c55a32b4a633","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Quasar RAT","trigger":"signature-base-master/yara/apt_quasar_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Detects Quasar RAT","hash1":"0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740","hash2":"515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89","hash3":"f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf","rule":"Quasar_RAT_2","super_rule":"1"}}]}},{"path":"signature-base-master/yara/apt_quasar_vermin.yar","filename":"apt_quasar_vermin.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3248,"md5":"6c04d759040edf4e9a748f36b98297fd","sha1":"38023078b911f124620301daa3abc3f93dc2646d","sha256":"fc0f0c4d4d31643eade5a68d83391ffd758b1b25fe6596d09a48e7d7629b2775","sha512":"f19d6bf229300aa0ee8c84586856a3d0b9b666a72bd8067951b1d422772d572a7fafce32507bd724dddd8de13f05c39f1bde3399ce07f91491deb7d3d599f015","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_rancor.yar","filename":"apt_rancor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3724,"md5":"b5ed300ba643765dc88ed0f0ab2d5e58","sha1":"62c3e592d0d31ab765155a2d1336b41504a21879","sha256":"982cbb5672936cd54082513c74ceaa8e4ad4bf1615df9158db2894d5b3c10a0e","sha512":"5280b486e60d50523ed4c1817c735674eb30d18d53b19c55fd9e0cf9da0cd12c1c30c24fcefc61b23bd5452f6cc49a2b4c5ccfa5aabbb2fa953a1e61a4975923","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ransom_darkbit_feb23.yar","filename":"apt_ransom_darkbit_feb23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1771,"md5":"d1b71a36be331e1af313c8ed886274b5","sha1":"f0bb517017d2e32e77c111e0bda6b051163aaa22","sha256":"558bdabfa12d544b19060c49b2f73338ebe82f839c06adc04af8488533388c5a","sha512":"475580b6bf0791c80bb8a3816e076890e418bfaf3e6ff5601ee70ff6f12e63f9116e98c62e6fd3573f8eaec40b737ff08df1d36c9c26bc0af0640eb4121dd7db","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators found in DarkBit ransomware","trigger":"signature-base-master/yara/apt_ransom_darkbit_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-13","description":"Detects indicators found in DarkBit ransomware","reference":"https://twitter.com/idonaor1/status/1624703255770005506?s=12\u0026t=mxHaauzwR6YOj5Px8cIeIw","rule":"MAL_RANSOM_DarkBit_Feb23_1","score":"75"}}]}},{"path":"signature-base-master/yara/apt_ransom_lockbit_citrixbleed_nov23.yar","filename":"apt_ransom_lockbit_citrixbleed_nov23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4292,"md5":"550c8a986b44686f63341849308fec31","sha1":"2210de98adb0f6b8301b97cb3591ab6a5fe7bb88","sha256":"162d8614cc453ad218136347a5ef8a66d96ca7cc112faa12d7ff913d20795d0d","sha512":"ceb7e30724109deaa876ad6112013a2c94ba1c0a3abb9c3e72fbfa1ad7c039602a7dcce2a0fc4ff04396734023ff17f0da8c8ca9ad44f395fa847545fe57b435","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ransom_vicesociety_dec22.yar","filename":"apt_ransom_vicesociety_dec22.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2983,"md5":"66759b68bdffad6010ec6c8a5a8fe31a","sha1":"3e73f1f9b7f2d296580baab5c92be844496fb5a9","sha256":"3acbb3cdb52b03716168b2207b73c1cec5b32656ec1e4fe106282bcaf9425e41","sha512":"e08a9daa645aa90e434f1a64869c6ab7daa7e6c2e93c7dc172d6793077ba863d6b1601b28578d08492eb94e06d3005d9e6b88f6d330ed74dd68d65f9e6bb4ce0","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_reaver_sunorcal.yar","filename":"apt_reaver_sunorcal.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4627,"md5":"aa50bf8c5579c9752ed00f5261329837","sha1":"fb55f3cdbe1004d9d75f0c2b70569e83798e411c","sha256":"d44387e62e906026a68f890d9cca72298770ee23222ce90f792e84e9d984ddae","sha512":"f6e1148570b840e4fed18d05eccfbfe935b7c7a996dabb5712d74f605ef869185c7a46868d2eea949a85c28cd9b4fe482f7f294e49045c6ea9f6e43b67be658c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_rehashed_rat.yar","filename":"apt_rehashed_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3709,"md5":"13a9b0d5ec42f6f1381f8c1c17976534","sha1":"4e023945f10090fd03a531bb81a721c59af67c6c","sha256":"94a2e2950b2f47b60518101e388f5b0291e00c3217b14e8ff9caae5e3a0a0ac1","sha512":"36c1b658d5ba585d036d27c7121d705ef82f5cf2183438b29ed1980fbfcad24794663451339d2935c214de0070525155ef1df9b99403c512e296e83a16a98362","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from Rehashed RAT incident","trigger":"signature-base-master/yara/apt_rehashed_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-08","description":"Detects malware from Rehashed RAT incident","hash1":"49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations","rule":"Rehashed_RAT_2"}}]}},{"path":"signature-base-master/yara/apt_report_ivanti_mandiant_jan24.yar","filename":"apt_report_ivanti_mandiant_jan24.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4827,"md5":"35562f90951f3d7ab615f3dbbb008974","sha1":"331d81e78a1edc902f1ab49863e57a0ab8a54211","sha256":"fca362021bab9a578d872867d1578548d8c7f5ca2b78353f804c31df7bd8634c","sha512":"221734b72dd267ab708e6b8d578ff8cf785c6e4d76966b046651f3bb1ea427348181d6caf27f32c86e78b6791c4365db62a7b4dafd80f04d13f8ea47a076509a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_revenge_rat.yar","filename":"apt_revenge_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1321,"md5":"cd574682f5972086ec8302c01ce2e691","sha1":"eaee7acc5022402995429ca58e8a68bc7d67bca5","sha256":"edbdbbd9bf59946b7fbfe58bb3c3a631c59c2352f174bb956a3ffd741f0033e7","sha512":"350360cebdf6fa7144e0b9051c8a27b388dafb5768e44b5fc479f86059fd7ff1f09c422899ffe30ed7d4f5950a5ff985ff3e651a0d29e145c58930f1925cfe53","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects RevengeRAT malware","trigger":"signature-base-master/yara/apt_revenge_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-04","description":"Detects RevengeRAT malware","hash1":"2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a","hash2":"7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213","hash3":"fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2020-07-27","reference":"Internal Research","rule":"RevengeRAT_Sep17"}}]}},{"path":"signature-base-master/yara/apt_rocketkitten_keylogger.yar","filename":"apt_rocketkitten_keylogger.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1159,"md5":"8d12ccdea797a5b9fb67ef32d843e403","sha1":"0412c912abbd90a0c1b7ed30771341f93698da6a","sha256":"0cabec7ee98cb9e238755ea6a0a05cd7bd212fd7b081bfac51fdba1262fc57b6","sha512":"6cb887e02cb5e75d4b3b6477d740e8c6e55f6bf79a1152fb344c55ad0d05e6e58257bcaac7dfae367b22625e1301723bc6fd398dcaa70c3dba30c30366ca535c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_rokrat.yar","filename":"apt_rokrat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4961,"md5":"d90a5ca3ae7e38eee733b83c5e166c2d","sha1":"b73c79123bfc4d79f51e8bf1870996e817afe384","sha256":"3b9f91888862f6c1a9db77716c6a654fc964cc1d7924d9979b3e23ae406d4bb1","sha512":"6451de7ee0a625796cdf8e4551f46d7366ffb99b99d8c45426b721c99081344842fccb7a348e6b7f9a356b5dcc52b394824cd3879c52da324665d25cba0c9baa","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_royalroad.yar","filename":"apt_royalroad.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5708,"md5":"debee858b6631330b1b42d438b6ad340","sha1":"1b4331a48b6a69daeb6e66a70b4294b93059e778","sha256":"f4abc0e0b1b993bc008553024f40629a64d7961496c6402514b0fe612b3ae8d0","sha512":"67e0e5caeeeddb6d51915e0b4926aaa210055a0fe779afb4cd8a1d03f68157c0a47aef185f026648a91455b38bacfe5d46f53af2eb05e2201bd6378c44792c86","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ru_crywiper.yar","filename":"apt_ru_crywiper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":632,"md5":"d19a7938d888e27d175de18d165af78e","sha1":"7539bd8753745fba9cdb4ff8ebdf8916ca223fa2","sha256":"232a542f3e345ec1eef27d9f6f8c839210d87debed3a4af261ff817f274d7df4","sha512":"52b6c096d2415864f4f29585b828262d7aad76d8066953db0956f39d17128bf099b3a10593e0851f87d0844bcf53d7f89872bd882eb648db36adf1f62054c535","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ruag.yar","filename":"apt_ruag.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2719,"md5":"7c8b0358bfeb26c2b8a504a3a0241252","sha1":"72909faa79726427c4206121a09b23e21735850b","sha256":"b41496c3df5f775167e73d2fe04979852da0d3579dea06590d13ee2be5634165","sha512":"63aa1fb7b864de0a33690b013f3f4d057a053a7e498d50eda26adf597af734080ad03054daa1cefe942117f73e9f6a8f3c8ff76dbeb133a286d271ab176170d2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_rwmc_powershell_creddump.yar","filename":"apt_rwmc_powershell_creddump.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1783,"md5":"8529cf79fbf67a2bb1c5702fe570d848","sha1":"85443409f2cb68993a337937b0cb51b80114b05b","sha256":"2cc3ba7d204ef17b5fb21a2504c1e75d9b32a3efc2024643ad8d1e9ac6e7fa86","sha512":"a7ffdb214207881bd6ace2d11ea683bd325cf59b62c4819aff5259b1ae63686d70ca37b2a0fb0a33f215f928da03ae26fa7ccc9702a9bab5e63601dd0700b1fb","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file Reveal-MemoryCredentials.ps1","trigger":"signature-base-master/yara/apt_rwmc_powershell_creddump.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-31","description":"Auto-generated rule - file Reveal-MemoryCredentials.ps1","hash":"893c26818c424d0ff549c1fbfa11429f36eecd16ee69330c442c59a82ce6adea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/giMini/RWMC/","rule":"Reveal_MemoryCredentials"}}]}},{"path":"signature-base-master/yara/apt_sakula.yar","filename":"apt_sakula.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2954,"md5":"dccdb8fe2cc30b876fa29c3978d68052","sha1":"2161395b54d1366073e552c9137d153ae6e0b370","sha256":"96261a01d9402e5160f3f480e568874a00f9391b213d0196eabf8868b6645536","sha512":"09235d1744e4411fe0209ff8b51662a325f36d11b4f765268a0be9a3d32c21fabdfb7c6732a304d20cfb52f19a4a46db06fa2ed52aa6f034a52c992159d99359","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Sakula malware - strings after unpacking (memory rule)","trigger":"signature-base-master/yara/apt_sakula.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"David Cannings","description":"Sakula malware - strings after unpacking (memory rule)","md5":"b3852b9e7f2b8954be447121bb6b65c3","rule":"malware_sakula_memory"}}]}},{"path":"signature-base-master/yara/apt_sandworm_centreon.yar","filename":"apt_sandworm_centreon.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":8181,"md5":"0e5ff2f72a92341b7365e774bea7f214","sha1":"cab36ea351892ad6baa63cd34d7baa919560c72a","sha256":"0c968e50cdea704bf37b56d26f63f44e10b513109785a0c110a5f8968dd65844","sha512":"009526e0a21d66a2b9379ab85e1e85e40d81bfdd62a2fa334983ccfc714665c7b4a2c9908c062cf87d7fbb8ad25fc097f85dcdbb053f3c198f325f2a94f806d3","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an archive file created by P.A.S. for download operation","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO (modified by Florian Roth)","date":"2021-02-15","description":"Detects an archive file created by P.A.S. 
for download operation","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"WEBSHELL_PAS_webshell_ZIPArchiveFile","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects SQL dump file created by P.A.S. webshell","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects SQL dump file created by P.A.S. webshell","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"WEBSHELL_PAS_webshell_SQLDumpFile","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Configuration_Key","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects the 
specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects path of the unix socket created to prevent concurrent executions in Exaramel malware","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects path of the unix socket created to prevent concurrent executions in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Socket_Path","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects names of the tasks received from the CC server in Exaramel malware","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects names of the tasks received from the CC server in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Task_Names","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Strings used by Exaramel malware","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO (composed 
from 4 saparate rules by Florian Roth)","date":"2021-02-15","description":"Detects Strings used by Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Strings","score":"80"}}]}},{"path":"signature-base-master/yara/apt_sandworm_cyclops_blink.yar","filename":"apt_sandworm_cyclops_blink.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":8920,"md5":"28c364e39492c065dca83f22b042cb42","sha1":"6601a0966df0c891ede2508e852bf387e2aa975b","sha256":"8222fddc34ac0b1f81787d5ab8b924b87138916198c50c4aac944323771d54c3","sha512":"21bad82d15872bef27092a40e9b163e0e1f09615eb2ae71b75785c543ca8db6e764038f726c90cf1a345d1b6db4a3ebb52a657d3d868b58eb5c5aae147f42f51","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sandworm_exim_expl.yar","filename":"apt_sandworm_exim_expl.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7596,"md5":"f8eaf587daa675c087c53195f9f2fd84","sha1":"10fb89be828af42232658b81d68751e7cf8a9c0b","sha256":"ffa62fe768858fad0989ea0a22033b971346b07cb29bf4da4c65346d106284bb","sha512":"d52d1f23e2d78bc399fbaf2022feae629c8a6d45cbe044d06e38ccfd37873039bda2be26151eff71d3286e9d70848998ea39303e081b71ffac2a52911f0aabbc","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects commands used by Sandworm group to exploit critical vulernability CVE-2019-10149 in Exim","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects commands used by Sandworm group to exploit critical vulernability CVE-2019-10149 in 
Exim","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_Sandworm_Keywords_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects SSH key used by Sandworm on exploited machines","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects SSH key used by Sandworm on exploited machines","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_Sandworm_SSH_Key_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ssh config entry inserted by Sandworm on compromised machines","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects ssh config entry inserted by Sandworm on compromised 
machines","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_Sandworm_SSHD_Config_Modification_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects mysql init script used by Sandworm on compromised machines","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects mysql init script used by Sandworm on compromised machines","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_Sandworm_InitFile_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects shell script used by Sandworm in attack against Exim mail server","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects shell script used by Sandworm in attack against Exim mail 
server","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_SH_Sandworm_Shell_Script_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Sandworm Python loader","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects Sandworm Python loader","hash1":"c025008463fdbf44b2f845f2d82702805d931771aea4b506573b83c8f58bccca","reference":"https://twitter.com/billyleonard/status/1266054881225236482","rule":"APT_RU_Sandworm_PY_May20_1"}}]}},{"path":"signature-base-master/yara/apt_saudi_aramco_phish.yar","filename":"apt_saudi_aramco_phish.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1022,"md5":"c489d8e18a6ca02ed2cd3ddf2de959d9","sha1":"15f69a068f5c4d2036fd81c883caf5242b6d8ab8","sha256":"6922f7d38c627b5abbdf8b6d12ea3d3f4ae9a57fd00e3a5ac044a05bf8999733","sha512":"ea2b17ffcdf7322243de65a786e9339d151e068380c4a5a2d4dd339ae2a6bd43219df2036be24c66c00fb658469ea1ffbbab3bf176ad8a1ed689dfcde4d7130a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_scanbox_deeppanda.yar","filename":"apt_scanbox_deeppanda.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1271,"md5":"62599736e4e2b3c9bb4938a85de8c4d8","sha1":"8d8197232970978c98f7ff41b58b33e0d76e660f","sha256":"5d0588653387f3b6deb3adc2a9cbcda5d8ff310351d6e6668d347f123733b1da","sha512":"cba70d213e29db380244fd095854ef894cb0abbbdf933989a38261a2d4ded803cc48600b807604837a5b77b9168b1f2c1fa1a125b30452393f6125d90e77a720","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP","trigger":"signature-base-master/yara/apt_scanbox_deeppanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/28","description":"Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP","hash1":"8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9","hash2":"d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d","hash3":"3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference1":"http://goo.gl/MUUfjv","reference2":"http://goo.gl/WXUQcP","rule":"ScanBox_Malware_Generic"}}]}},{"path":"signature-base-master/yara/apt_scarcruft.yar","filename":"apt_scarcruft.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":500,"md5":"f137684a5f59106f796251fe87ce8aee","sha1":"1b19e3d190cbffef93dae05c8e3bf4542ab36f57","sha256":"86554aee714979f6144b69b0165761dc0b1389182f5d5409bdfabe0f72d6bb9c","sha512":"f603d54d41616f833d394e0f34eca46bdb8dab7d5e54c6c3fc7a0627c3be7f256f3bd3ba936ea334a2152f21d32101ccb275d0b4113b143d794639b7bdafa17e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_seaduke_unit42.yar","filename":"apt_seaduke_unit42.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":937,"md5":"b76cdf517ff2d559ac975aabaf1e2342","sha1":"670523014409c9434eb0f8b15e057cc9a53a696b","sha256":"c402de0ee50b891e57b9becf0bd33b73726303b0aa3b581d237f53595484920f","sha512":"7c3c31c6dd149b30a175faed5c22da54cbea669ee63fa967f3f441e964a16b9c9df8aba97ec7b03231ac527dc72b62994030c7c3b2e55da62c3c224513246965","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sednit_delphidownloader.yar","filename":"apt_sednit_delphidownloader.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3592,"md5":"0615b9babae2b84fb9693375375965ff","sha1":"42b59ebeacbaa99e0a46c8a19bfcb69db2d90ca6","sha256":"e86719548290e6477c1517220fc33f232a94d35d54e8d21a96ed525f718f347f","sha512":"6b810f92eda6b154bbb23bf58adf6e7a53240e69c557d7c32879aa67e8d77938e63398a0fa0b61d53e8ba9011672fdf96370bc27f3ca386265b324915e330425","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from Sednit Delphi Downloader report","trigger":"signature-base-master/yara/apt_sednit_delphidownloader.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-04-24","description":"Detects malware from Sednit Delphi Downloader 
report","hash1":"53aef1e8b281a00dea41387a24664655986b58d61d39cfbde7e58d8c2ca3efda","hash2":"657c83297cfcc5809e89098adf69c206df95aee77bfc1292898bbbe1c44c9dc4","hash3":"5427ecf4fa37e05a4fbab8a31436f2e94283a832b4e60a3475182001b9739182","hash4":"0458317893575568681c86b83e7f9c916540f0f58073b386d4419517c57dcb8f","hash5":"72aa4905598c9fb5a1e3222ba8daa3efb52bbff09d89603ab0911e43e15201f3","reference":"https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/","rule":"MAL_Sednit_DelphiDownloader_Apr18_2"}}]}},{"path":"signature-base-master/yara/apt_servantshell.yar","filename":"apt_servantshell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":500,"md5":"5423dbb35393bf6ac3b68e326f82e9fe","sha1":"853f2f63c0c6347393ba286eb378bcb523731577","sha256":"c0f2882cef9e1204c36e056797346ba050ff6a10e4a308e523297782a15746a2","sha512":"39b22ff151ec7c8d5ea95af802beee6454203c80da1d84d3f1f3dae17bb0e5782060f4a293661d1dc0b95f7d0fc387b2911039d80b77245fd410680cb63f443b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_shadowpad.yar","filename":"apt_shadowpad.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1424,"md5":"41fc14f3f03d32eabd36f4c74314df22","sha1":"e98bd78184c81376e2ff1e73e9a7a7d19608e68b","sha256":"a3ec7b3b6821759cf0d1beb7cd24d8bdf830ce40e1b6533efaf3c4d93a11a113","sha512":"13b2d4223f05a9fef5b3eab36db6e648b5fbc878f255febcc567826bfdd239ce7f57aaae484cf61534ac81a57cbe2706efa44d5bcc750e2d7abc0b7020c637e6","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_shamoon.yar","filename":"apt_shamoon.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":532,"md5":"c310cc3d194c4da44e376c46252401fe","sha1":"72d06ce7f5d60ee048ffcbf089ebb9a411323c36","sha256":"be6cdc80902c1cdd3de7bb2b29cc16bfbad5a7eec47708b283b27a1dbf2a30f4","sha512":"b58f1a10edec136f150f22c7d5d0acddb3bb4df2bd1fc423942623ac951ed190469b773dc22817c3a6eaa0456a32fd304aecd96c24bd88e970928f42f284402b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_shamoon2.yar","filename":"apt_shamoon2.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2899,"md5":"b965ec733d0df7148a254ad20b4a95ea","sha1":"9f4b01c5ed37267ee2c0c86906999c927fcdb686","sha256":"869915e0d599211595baf6c0e44ee528c1037f268e3dcd65311c6cf1812f50bb","sha512":"a229c9390800c3312079362f710a992afed1bc91a6b323d9528a5e34f6f5598ddcc97a18c0a16191676237868d3cca4e59907b3e2d141a2291d8f984fc856c8e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sharptongue.yar","filename":"apt_sharptongue.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1940,"md5":"8664ea5e01656b0e57b43b8eb0df4d78","sha1":"228f1803d6421e36834dded336b2d9be97557e75","sha256":"0f3c29236f41a109674280f65ddfb54fd50dd07390fbe931e790c2b52dd68e2c","sha512":"fb803da1c8fe7bb72ceed6145830ea8bfbde6b167c44c4d6ef5999b747d231f2dac10356392d2aca5f447ad50830d495ade9ad6e98913e9b720bc775ab31289a","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a victim","trigger":"signature-base-master/yara/apt_sharptongue.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-09-14","description":"A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a 
victim","hash1":"1c9664513fe226beb53268b58b11dacc35b80a12c50c22b76382304badf4eb00","hash2":"6025c66c2eaae30c0349731beb8a95f8a5ba1180c5481e9a49d474f4e1bb76a4","hash3":"6594b75939bcdab4253172f0fa9066c8aee2fa4911bd5a03421aeb7edcd9c90c","license":"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt","memory_suitable":"1","reference":"https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/","rule":"APT_SharpTongue_JS_SharpExt_Chrome_Extension","score":"85"}}]}},{"path":"signature-base-master/yara/apt_shellcrew_streamex.yar","filename":"apt_shellcrew_streamex.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3788,"md5":"b3c570217f54b9fc153d43f8e8497d42","sha1":"1d12dc985d80b7f0769ee0427bf094f9071595de","sha256":"26b8bb8ffa044e09d80475e2ef137c347904d4b3dcdb3a7141d16391a1d1d087","sha512":"2d28964adf70b1d1897e14a216de9b7e132fca5dec6fbc87e3c71a497d0b5c4bce22eafdc326e539b4e19613328b6996dae07e8443b11e456e58055e80eecc22","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a ","trigger":"signature-base-master/yara/apt_shellcrew_streamex.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance","date":"2017-02-09","description":"Detects a ","reference":"https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar","rule":"StreamEx_ShellCrew","score":"80"}}]}},{"path":"signature-base-master/yara/apt_sidewinder.yar","filename":"apt_sidewinder.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2084,"md5":"2a0c4b885d153e44dd1952e57cddcc24","sha1":"b88bf01c6f0063a1491b39eaf16e7a02c396da19","sha256":"bb4b146f444ec039ea7d137c2211b207d5d9a470de0b595dd5efd4b7793170f0","sha512":"62d55b81e4add499cdcf43bd18d50cfaf669b3cb2fbbcb080015f879c65653ac33481486cf5b3bb8e06111ea3b8bf25571f57349b8b714b48f312d7fd9fd33a2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_silence.yar","filename":"apt_silence.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2452,"md5":"085ca77569c8f5aeb628b97547a2ceca","sha1":"8606bdcdd1a1f675466aebf53e62e1301a85b407","sha256":"7fb5bf0fd24f4a9eb62b4dbb0c0ad445fab714cc34469cca6b0cb6b5d29a4182","sha512":"be4599481af059699f1d14e5d66f5d913217f50bc67b03d3e6708fde21fc0c44e22719cc684f84cd6118c37476cf5e7f8577b1c6bb68c904ee3d209d7f59fc99","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware sample mentioned in the Silence report on Securelist","trigger":"signature-base-master/yara/apt_silence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-11-01","description":"Detects malware sample mentioned in the Silence report on Securelist","hash1":"75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securelist.com/the-silence/83009/","rule":"Silence_malware_2"}}]}},{"path":"signature-base-master/yara/apt_skeletonkey.yar","filename":"apt_skeletonkey.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(404)","size":2228,"md5":"a4f125974a1c0820e29add28da195e6f","sha1":"67390c79ca8cb324ca5311201419a1d1f5c8d1f1","sha256":"b5c8fa0de4eee2a53a2889ef0e5f5fdec7cef924bf943e68c0980eaf4cd19704","sha512":"da863de9d66665369f14878f37c488138486c365835c401e128b4ebe778bbcb70002fb7cebb529776b7f35d3c64407e4035b07449754bf863d9f353c6b6d9f68","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_slingshot.yar","filename":"apt_slingshot.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5929,"md5":"56e407a515ce4c756471e40232c32f97","sha1":"c1cefecfc4a5f83f1546e4be1148722cb197678c","sha256":"77b4e3193d73e05ba14f40e4c034ceab4f26ecc45ebea81a18439eb99fd18d15","sha512":"706ddd32666a0987e6913d0b2a58486dd1a35a6e632f1aec441eb0038e52dce78aec2d0443f5e4d74f3e451e535e2d5707ae6e515148646120b3133bd442f3a1","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_snaketurla_osx.yar","filename":"apt_snaketurla_osx.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3346,"md5":"bfa547f342be70aca83990df596a3d6d","sha1":"8d737ed2b6051301be50e605e5df65912eda2283","sha256":"6b442bf00669952612595b7b6f3fd43ce5c492096126fe847f87752c1fc2fdbd","sha512":"6f708a092f09a4916029b6d76f19e8c40ac8e2a677b0100e688ff41a9c6ec824490a9e58fbe261e22161a462b193b088f782adae1018a160592283aa884eb80b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_snowglobe_babar.yar","filename":"apt_snowglobe_babar.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1470,"md5":"4eb0b652e4bcfe8d17df621ef7b1fd6b","sha1":"2bd2f5316be07bad2b096d0c98f3b2be754f5f9a","sha256":"7857a3af174493c5d51ef37ff295afc98c3c6e8767cb2268625d729f1206e9cb","sha512":"8b3da8b3b343e7084b2d6451f0cb8038b4a23c727bba8cb9e5034e2cc2aefa364db7232b869e9c75ab79f81ae06cfa5d0a5211ef3ac7c704b1428285aef2f280","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sofacy.yar","filename":"apt_sofacy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3052,"md5":"b8e40f138423b9a1355c2151a935026a","sha1":"a3644c58be746dc71904ed00ff918b6fe94de551","sha256":"3dc67a9a26e98b38603e885b1198b0c5bf4e581984e4bbe9c895ce98faee7243","sha512":"5394c104326d05377db9db3d142122adce6dd0b416621a99a3ccd004a4386d9bcdee3e39dca8b1a485bb628c97f777677c24bf12e626e14248037cf02b8d2d3e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sofacy_cannon.yar","filename":"apt_sofacy_cannon.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1618,"md5":"df27ed7296280eae15036b38e0af5afe","sha1":"60bfb5898aa027568d25d3dee0f6bcf941602703","sha256":"f1b0d529d2bdd833d6b893c0c4893a51d2e25f07fd00c85233e32ec0f5dc2b3d","sha512":"2ea52bf26e266b8283541d334d76332733c86269c77c23ae02b0c8c7e969163163f0a6018db10592dcf1ec498534ad12d8f5a37e76c293f37b2f5548e9fd087d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sofacy_dec15.yar","filename":"apt_sofacy_dec15.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":6064,"md5":"216268bd1c2e43d76480c5398d9177d3","sha1":"fb4a0b38169a0461956d7e6ff0d59cb4872f8bf7","sha256":"88ec324be88ccf93b549435ebb3184cec18d363e1a695c44463430807dd7cd5d","sha512":"e076c57f896e9af771d8c487d8e75f071c6c700b6d07ce565fe985f104acc0c6d0fd4c5145bcf0da3c1ba0b348c2a8655193c098ed54205d0767ce18f896f381","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sofacy_fysbis.yar","filename":"apt_sofacy_fysbis.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII text","size":2362,"md5":"86ba3bc15461bfa1180ec37bddde65d5","sha1":"6c98e0b1d3457f52c2ecc5a820d9e946f683ee1d","sha256":"fdfaa29d892c3fc7c42ebf27981eeb762f3ccfd0e44e3946821092e236f8b081","sha512":"e8894f5d99abb643227d25d0ed664a07f5b2eeb37fad8fccd4f5c779f60d30668d1af52ea2bbfd1f472c0e77f15ad23798016d781406b361d68d0e08f34963b1","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Sofacy Fysbis Linux Backdoor","trigger":"signature-base-master/yara/apt_sofacy_fysbis.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-13","description":"Detects Sofacy Fysbis Linux Backdoor","hash1":"02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592","hash2":"8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/","rule":"Sofacy_Fybis_ELF_Backdoor_Gen1","score":"80"}}]}},{"path":"signature-base-master/yara/apt_sofacy_hospitality.yar","filename":"apt_sofacy_hospitality.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1269,"md5":"ab0349426283b85013db10b36fddfa65","sha1":"14165cdcac6ef8361d651cfc3d509d6017d986ac","sha256":"e27665697869a00fa77b5e41217b4dada907fa294441d99e64f44218857ea56b","sha512":"006e3e46ea0f359a3d1f1bdfc2bbca7ca25958a8a19448e3ac874720775f175a719fb0639fb3296beb3958b35f4d8a73f1fd3fdd31d039a620f95582e1957b35","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sofacy_jun16.yar","filename":"apt_sofacy_jun16.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2441,"md5":"0018a7c379b8bee139bd5ea45a0cb233","sha1":"ec38380e894dd71e9c71ec7b6862fa88ee210164","sha256":"4e0114e7d9e9576f4fa122ece4b9ff1b98f76a32d8e2496e501eb257bef43643","sha512":"0d8b48dd81be620cfaadd926eba951b8f3e7b4f14df122805341658db9c324fc27ef5da18e50ecad562f6bcaabdabdde364e22dd5e02b7865eb218d7c0ac618f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sofacy_oct17_camp.yar","filename":"apt_sofacy_oct17_camp.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2628,"md5":"629de02ab70ca3ae095d40e0e83fb1d7","sha1":"04ddc00cb6d095e155c71474a7057962e1906c94","sha256":"502520e5a064176fbfc73df34a0d3cd97fe0b189a3db7f6bd7f9a627486419dd","sha512":"98e4903ea68d8553ad1be30ee8c072c1f090263c0db195965f0112f53ad808e0e1fba45f42fa88132853e398036987ada6fd7f11f56d6810cf75690e33015cfa","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sofacy_xtunnel_bundestag.yar","filename":"apt_sofacy_xtunnel_bundestag.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4804,"md5":"f81cc98517bca0d2d79d67bd8f064884","sha1":"d9c8dd5dd38126d42781efc18da235407acf80a7","sha256":"b352d13f782fa69dbb3fd7969256b766d351122bc07da19054423b9bac1a56d8","sha512":"847d11428b105e89f84d9adf9fc925eea393341030708d39971e1cacba402e215c9e49bbb617489630a95636508c3a6f1a0364fd2838559c9e21e904879906c1","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"X-Agent/CHOPSTICK Implant by APT28","trigger":"signature-base-master/yara/apt_sofacy_xtunnel_bundestag.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"X-Agent/CHOPSTICK Implant by APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_3_v1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Sofacy Bundestags APT Batch Script","trigger":"signature-base-master/yara/apt_sofacy_xtunnel_bundestag.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-19","description":"Sofacy Bundestags APT Batch Script","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://dokumente.linksfraktion.de/inhalt/report-orig.pdf","rule":"Sofacy_Bundestag_Batch","score":"70"}}]}},{"path":"signature-base-master/yara/apt_sofacy_zebrocy.yar","filename":"apt_sofacy_zebrocy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":975,"md5":"a77c14502942c211c47c991739da0390","sha1":"ff4e2e3547cbe9f511d32a703ab1f51281c95cd0","sha256":"49bb7b85f2129420a1fe5244e96d66a095475e42d32805955b9ebb1fe9179cb2","sha512":"236ef0edf2cb427da86670b6835fb292924f23c75d702348f67f418f121189cc3f753ebceaf861609174f7cb814ae671817aa359a44c9634b33fa202640e0bca","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_solarwinds_sunburst.yar","filename":"apt_solarwinds_sunburst.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (668)","size":11706,"md5":"d9dfeb6ab287db6faf4ff3e715f8a392","sha1":"5c5d57d26e0e0c3a5c64cdfa4dc566b0e658c7f2","sha256":"b5f4cf111be44a28485367af7eb09931b75d44668a1c2cdd6e549b87fff72e5b","sha512":"cda8c8b1d5a9ae6ef10af11e607a124db4e5c6eea0bdad161f4c6a9a7b8e0b7f934d5978f1dbb442afe6862943879ed9475b002d609164000c203a777f8def10","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_solarwinds_susp_sunburst.yar","filename":"apt_solarwinds_susp_sunburst.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1222,"md5":"495f9a1f717676732fecedc8f92e91af","sha1":"94d84e388bb69e4a02b99ca66feb5580c52f110f","sha256":"56ccaea6d23ae9898bbf2e6b38939b95221169e9cc7e2ca5a04f4d2d54321965","sha512":"28891d7bf7e36bac04cdd91791e38b26f2c460d01da734898d9d5a524ca9c3c503ded3f082684a32158e0e81e541620e4820a3e06b7ba9f02d73a9ee8b10f0c6","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects webshell access mentioned in FireEye's SUNBURST report","trigger":"signature-base-master/yara/apt_solarwinds_susp_sunburst.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-12-21","description":"Detects webshell access mentioned in FireEye's 
SUNBURST report","reference":"https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/","rule":"LOG_APT_WEBSHELL_Solarwinds_SUNBURST_Report_Webshell_Dec20_2"}}]}},{"path":"signature-base-master/yara/apt_sphinx_moth.yar","filename":"apt_sphinx_moth.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5164,"md5":"483a5ee4435221ae585f4c562c00bc3d","sha1":"58fadaf5e5beae5183df8b5c3968f7f448cd67c4","sha256":"ed0651b8a0ed948cfa6549ffb521e39eaeaf9f1ea1a11c554f385724172bfeb6","sha512":"83dc3fc0417f4a4b321d66d0d50f96d5cbf664abf2be1e8fe393671a660c85c8f0ac793b2e10143eb520f8e4012e1aa7fc67da2069aa985062276630356df57c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_stealer_cisa_ar22_277a.yar","filename":"apt_stealer_cisa_ar22_277a.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2474,"md5":"83926ac5d33f584e99713442e99cf653","sha1":"6cd5fd78922736ada5ca02547b323102ecf0b894","sha256":"0665d2b9cd0c60ff1d089b90454ca99068c6bc42a63f7d993276d30b51ba0a6f","sha512":"594a0bfb3060392e6028bcf70bc1df7dead2739abc5116aa8e84bf7a5e216172e394b7752d13948fb1f2a87ad45199e154ad48b75f7af7a0967d5ad870a5bfa3","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_stonedrill.yar","filename":"apt_stonedrill.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7986,"md5":"03a88e2961da0e0b0f18979f5f0efc3c","sha1":"771889b5e21085881ed6a5abf4c826d664496ef5","sha256":"4cc521dbe75a9c7c4efe8bd25973ad1f09008fab2a4946da3cefd6147774f6f7","sha512":"02423b0e18e027003650e3088767ac4f9ac7a59f4d53a87a0d7fa00cef7b59889d7d805e9ed77e581fb013305aa9adb8cd47ffc5778dc1e0e8a8dd5f0e9b920c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_strider.yara","filename":"apt_strider.yara","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(353)","size":3483,"md5":"70f11a2a07c5b0b0d599b2af86586f3f","sha1":"6c75fa6a360cbed671ea7df398facf62faa6f73a","sha256":"359aecfcc1f8343893d86d5985a19c5b474cfa96ef0b765137e512f3d9e19a5b","sha512":"821e968240d9e9a5fab380cf6f0443411059609dfe98adbea1ba16bbb57f2105216b9b6578a9e83dfba009d0fc31b6bdca7ad6d09ffe0bb75e75e113e7402e14","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_stuxnet.yar","filename":"apt_stuxnet.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7896,"md5":"316dcc8abf5d5ce486d9590756b4d468","sha1":"758e0ff46abeabf6213a850c233a4cbcfe4494ff","sha256":"37460ad4ae442e0ee60f6cb1ee1574aeeb87fe6ab768d4de33e42a280b705f3c","sha512":"a3835ff700587e35b6d7690fbfd33d0b479f9ffa13e89cdc46c364f2b8878c421f5b77a163e2306717fc149e5e533fe69decdd46580622d29f023b3e88567712","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_stuxshop.yar","filename":"apt_stuxshop.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2207,"md5":"93715d9b35892246df1b25582ece6100","sha1":"3caa6b40654e77f1790986d63631441c074ca818","sha256":"322a165340b0c6bbd5780a8a2804ae175dd0c9c4d160681d7eb8d3cef18807f9","sha512":"00c00481fbeb48a353f577e5b471196bf0695ba43e5e310388965bb3455080731ca03331fc833c3dceb9daad34ba602f19eaf4bf17bc10a3b10315c4e0577184","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"STUXSHOP_config","trigger":"signature-base-master/yara/apt_stuxshop.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"JAG-S (turla@chronicle.security)","desc":"Stuxshop standalone sample 
configuration","hash":"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579","reference":"https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0","rule":"STUXSHOP_config"}}]}},{"path":"signature-base-master/yara/apt_suckfly.yar","filename":"apt_suckfly.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3736,"md5":"3a5b6679b2b3081faa1dae468aa86e5f","sha1":"99c1fae8782584c96c5e7150d9e672d556af13e4","sha256":"fc287903877796e9f679f0d44b3afc474d63c9b5fe74d6d9277ea1f0757c895d","sha512":"04eb7c8688e0baaf3e52457c21bc17c9323cd2f85503ccffc8128adeabae321cd5cae96a06818f9f969a3e1a2ff6a1620afaaad62a2b81f519563b9fc18469ad","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_sunspot.yar","filename":"apt_sunspot.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3279,"md5":"d257b4f9216ff627a2f7f1c43766c2f9","sha1":"b93fe3a6e9ae37289337878967ff976d4ba96951","sha256":"f3423d6b561316ab6d1b908a06e86119a7b6033169bc65f8abb512c8c0b6f71a","sha512":"7a004310cb3333ef8bd0cdb3616df0168c488bd0417f14899f4274df465e27eebab3d65b6620909ae991c668c673aa1549150682f2613a4d01fa99a920d25501","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects mutex names in SUNSPOT","trigger":"signature-base-master/yara/apt_sunspot.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"actor":"StellarParticle","copyright":"(c) 2021 CrowdStrike Inc.","date":"2021-01-08","description":"Detects mutex names in 
SUNSPOT","malware_family":"SUNSPOT","reference":"https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/","rule":"CrowdStrike_SUNSPOT_02","version":"202101081448"}}]}},{"path":"signature-base-master/yara/apt_sysscan.yar","filename":"apt_sysscan.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1476,"md5":"0499912e2debb2527f91c5462092cca9","sha1":"a087423b2540a6fe573522105d9297f0b9cabd26","sha256":"b5dcb8009f1f833bd2558d480d870ce42526b1e6066cf1daa18bbbfb9dcb25d3","sha512":"4840f8a859bada0170eeac9fe29a23d278f2694b55c49c361b95b6f58f3af5091f174e0145113cc8980fce747202552ea48bb7c9aff53bea2855f0b8bde5a658","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ta17_293A.yar","filename":"apt_ta17_293A.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (326)","size":10546,"md5":"5b6e9b5e88d517cd3e8a6a201c82a563","sha1":"342e6485c9f450858bd6fba320ba05d8dc3fa176","sha256":"b3b27b48cc4ac9588519b861ef195e55753df364dbc7f6f01ab2e27598f16a9d","sha512":"2b8fd8c916c40a61354f0e2139e5813d39cb239c7514349615cd513e16066df92cfdf26eb234f986008214b493469d181753120d333f47f768115baf7d23a87d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"inveigh pen testing tools \u0026 related artifacts","trigger":"signature-base-master/yara/apt_ta17_293A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US-CERT Code Analysis Team (modified by Florian Roth)","date":"2017/07/17","description":"inveigh pen testing tools \u0026 related 
artifacts","hash0":"61C909D2F625223DB2FB858BBDF42A76","hash1":"A07AA521E7CAFB360294E56969EDA5D6","hash10":"4595DBE00A538DF127E0079294C87DA0","hash2":"BA756DD64C1147515BA2298B6A760260","hash3":"8943E71A8C73B5E343AA9D2E19002373","hash4":"04738CA02F59A5CD394998A99FCD9613","hash5":"038A97B4E2F37F34B255F0643E49FC9D","hash6":"65A1A73253F04354886F375B59550B46","hash7":"AA905A3508D9309A93AD5C0EC26EBC9B","hash8":"5DBEF7BDDAF50624E840CCBCE2816594","hash9":"722154A36F32BA10E98020A8AD758A7A","reference":"https://www.us-cert.gov/ncas/alerts/TA17-293A","rule":"TA17_293A_malware_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_ta17_293A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-10-21","description":"Auto-generated rule","hash1":"72a28efb6e32e653b656ca32ccd44b3111145a695f6f6161965deebbdc437076","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.us-cert.gov/ncas/alerts/TA17-293A","rule":"TA17_293A_Hacktool_PS_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_ta17_293A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-10-21","description":"Auto-generated rule","hash1":"9b97290300abb68fb48480718e6318ee2cdd4f099aa6438010fb2f44803e0b58","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.us-cert.gov/ncas/alerts/TA17-293A","rule":"TA17_293A_Hacktool_Exploit_MS16_032"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from scripts in the PowerShell-Suite repo","trigger":"signature-base-master/yara/apt_ta17_293A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-27","description":"Detects strings from scripts in the PowerShell-Suite repo","hash1":"79071ba5a984ee05903d566130467483c197cbc2537f25c1e3d7ae4772211fe0","hash10":"5608f25930f99d78804be8c9c39bd33f4f8d14360dd1e4cc88139aa34c27376d","hash11":"68b6c0b5479ecede3050a2f44f8bb8783a22beeef4a258c4ff00974f5909b714","hash12":"da25010a22460bbaabff0f7004204aae7d830348e8a4543177b1f3383b2c3100","hash2":"db31367410d0a9ffc9ed37f423a4b082639591be7f46aca91f5be261b23212d5","hash3":"4f51e7676a4d54c1962760ca0ac81beb28008451511af96652c31f4f40e8eb8e","hash4":"17ac9bb0c46838c65303f42a4a346fcba838ebd5833b875e81dd65c82701d8a8","hash5":"fa33aef619e620a88ecccb990e71c1e11ce2445f799979d23be2d1ad4321b6c6","hash6":"5542bd89005819bc4eef8dfc8a158183e5fd7a1438c84da35102588f5813a225","hash7":"c6a99faeba098eb411f0a9fcb772abac2af438fc155131ebfc93a00e3dcfad50","hash8":"a8e06ecf5a8c25619ce85f8a23f2416832cabb5592547609cfea8bd7fcfcc93d","hash9":"6aa5abf58904d347d441ac8852bd64b2bad3b5b03b518bdd06510931a6564d08","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/FuzzySecurity/PowerShell-Suite","rule":"PowerShell_Suite_Hacktools_Gen_Strings"}}]}},{"path":"signature-base-master/yara/apt_ta17_318A.yar","filename":"apt_ta17_318A.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3406,"md5":"063ff4aab0c9558805cd3acaee03f5fe","sha1":"4e04d9d6675c54df13b493acf8a4c60ce16e28bc","sha256":"647bd731c10e8e97a66d25055615527cacf49aa3c41b09e82e9346187d126c6f","sha512":"47f8a57ea5f1aa1f7a9904bff74460c4369a53e00bff0a1e743c70bfbb4674769c7d84b75d0f3dd17d304091b1562de814782ba095eea98b4fcebf0713b9db45","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ta17_318B.yar","filename":"apt_ta17_318B.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2826,"md5":"d3e567e21d6f689a435efa7e5a87f57f","sha1":"2485716906712067bf40d62d4739a5463cdbe770","sha256":"5318e3e1f73332e38d530524c21c85105b79ce24c2fb36ef0130d5b4f88848bd","sha512":"2a288939c8efb5fd42753c5839d8dc431d8d576f0ba9b0644216de4ad3ae5e6faf3474626ab3355074bb1e91ee109106b31d518f2f4352ded48eef0b32d20d34","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Volgmer malware as reported in US CERT TA17-318B","trigger":"signature-base-master/yara/apt_ta17_318B.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-11-15","description":"Detects Volgmer malware as reported in US CERT 
TA17-318B","hash1":"ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd","hash2":"8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b","hash3":"eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5","hash4":"e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11","hash5":"6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1","hash6":"fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9","hash7":"53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d","hash8":"1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.us-cert.gov/ncas/alerts/TA17-318B","rule":"Volgmer_Malware"}}]}},{"path":"signature-base-master/yara/apt_ta18_074A.yar","filename":"apt_ta18_074A.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2400,"md5":"53078565c63963351346a3e32ae4f041","sha1":"561bf93c56a2e0365ff3e3a52d12ce5eab87e7cb","sha256":"2a770087cc10d79811d781ea97a0e12cb1ead27366bbb055a542882fa3e1387d","sha512":"f83f3d15a00746b8fc9dd7e0ca348153336aa8c91777ba2c943ff6199c34a1b7baa9f3b0a133b58610f8cc2cc36913b8a48d8c28748cd80f16fd729570772dc3","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware mentioned in TA18-074A","trigger":"signature-base-master/yara/apt_ta18_074A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-03-16","description":"Detects malware mentioned in TA18-074A","hash1":"2f159b71183a69928ba8f26b76772ec504aefeac71021b012bd006162e133731","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-18","reference":"https://www.us-cert.gov/ncas/alerts/TA18-074A","rule":"TA18_074A_scripts"}}]}},{"path":"signature-base-master/yara/apt_ta18_149A.yar","filename":"apt_ta18_149A.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3079,"md5":"1cfeece6b57118687f90a498d48f90a9","sha1":"24b251d31ef45a88ced73fdb75a5ab55b26f647a","sha256":"412a1bc3c303898596ec1e44a5cbce4743e4882076e66fb3a1f4cc5ce4cb4105","sha512":"07783134a5f817cf84dbbca334d9f79ed8d76ab38dd214ab2e3f56b04844fde5229e51a196e2d9952d0ef210f691b8084ec38b4a72b4b0977199341fccd6f099","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ta459.yar","filename":"apt_ta459.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1611,"md5":"f54cc24f8954eccc60fbdde5fba6f29f","sha1":"2242035a6edc1ae6293c0626099ece986eed1ed2","sha256":"008d3126db41185226921cb334ee471d832705925f6877e0f039055a70a36ea1","sha512":"e24b52d77bf547a0122a5a7e67856fbbf16ba0fe8b5614405b4def4a4908631ab8646d99b9e55812b37e3ec301009035575c468e0ea5d5ce2ec789ccdee0b666","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_telebots.yar","filename":"apt_telebots.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6483,"md5":"067219f8fd67449399d74e32f73c1f37","sha1":"8ccc6eb0a0cab86a591831d6e52521d31250982b","sha256":"74be69d1fc87cde777d2cc6cdb23b845640c1fdff6783240284afde6ba3abfe6","sha512":"3b569950f85f21f543a6f27ee887b11ce88ac60ee27abcaa88dda1df733998c264ee3ba3173b7239ee9589ef04b00523589b57e63ef18487d4100d5c20272f9f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects TeleBots malware - 
IntercepterNG","trigger":"signature-base-master/yara/apt_telebots.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects TeleBots malware - IntercepterNG","hash1":"5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/4if3HG","rule":"TeleBots_IntercepterNG"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Certutil Decode","trigger":"signature-base-master/yara/apt_telebots.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-29","description":"Certutil Decode","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Certutil_Decode_OR_Download","score":"40"}}]}},{"path":"signature-base-master/yara/apt_terracotta.yar","filename":"apt_terracotta.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4333,"md5":"d55e81e658a105ce64219475a1da6c56","sha1":"e5b73ade49ecbee15417fdc90473b9da6e95a407","sha256":"521f2a68eb5a5f0eccfaa91da8ee4f8ddd426157af015f8a450db50c71cf3096","sha512":"88c2b388a63d8fc90a620466b5c82a8bf9cecbe0add320890354cfee46de926669e7c8767b853c65dd0d136111fa4662a75e412c5538d37e108b8d0c61feb962","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_terracotta_liudoor.yar","filename":"apt_terracotta_liudoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":796,"md5":"406aa7ff17dd31a4d77e3e811c285db8","sha1":"1896edc236c222e5b994f6617c3bc86b45412c3f","sha256":"e689178aedc88bce1a597875fbbb5a91be0caa7ca8ed21fe07b320813f4364b6","sha512":"8977f2de78c579f35fc99f8822c805b642d4f114e662ca6d5de907398c98e7767c88349e5fb2a764b54c96afa1f3f08d9263b409cf1b21b062622319934b7a7c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Liudoor daemon backdoor","trigger":"signature-base-master/yara/apt_terracotta_liudoor.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"RSA FirstWatch","date":"2015-07-23","description":"Detects Liudoor daemon backdoor","hash0":"78b56bc3edbee3a425c96738760ee406","hash1":"5aa0510f6f1b0e48f0303b9a4bfc641e","hash2":"531d30c8ee27d62e6fbe855299d0e7de","hash3":"2be2ac65fd97ccc97027184f0310f2f3","hash4":"6093505c7f7ec25b1934d3657649ef07","rule":"APT_Liudoor","type":"Win32 DLL"}}]}},{"path":"signature-base-master/yara/apt_tetris.yar","filename":"apt_tetris.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"JavaScript source, ASCII text","size":4380,"md5":"bd2bc4d619681a17343ded2cc42fb3ff","sha1":"e4baa0563a0a7b299370d827f13369bf8497e738","sha256":"c4c53e4f2e2c0ee2b731acae28d234852a4ab3ca9b34e55ca1ba64cc9a79c374","sha512":"2b917cad657e23556263e0f67cf8b081506b5576917c2c30bc4b6e544468b10e221b12f71599ec913a65489f0a64722b36d163d62bed9905e5a233186ccfa71f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Unique code from Jetriz, Swid \u0026 Jeniva of the Tetris framework","trigger":"signature-base-master/yara/apt_tetris.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@imp0rtp3 (modified 
by Florian Roth)","date":"2020-09-06","description":"Unique code from Jetriz, Swid \u0026 Jeniva of the Tetris framework","reference":"https://imp0rtp3.wordpress.com/2021/08/12/tetris","rule":"apt_CN_Tetris_JS_advanced_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Code and strings of plugins from the Tetris framework loaded by Swid","trigger":"signature-base-master/yara/apt_tetris.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@imp0rtp3","date":"2020-09-06","description":"Code and strings of plugins from the Tetris framework loaded by Swid","reference":"https://imp0rtp3.wordpress.com/2021/08/12/tetris","rule":"apt_CN_Tetrisplugins_JS"}}]}},{"path":"signature-base-master/yara/apt_threatgroup_3390.yar","filename":"apt_threatgroup_3390.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":12676,"md5":"48db42b6dde92fa8b1214c06e3fc4fc3","sha1":"5721f3e10f7bb6d8f55b49e481aa0f5456c5757d","sha256":"6a028db5f38537aa0d47c5801845c846c41f4b77a4b47fc269a2683d96eb176a","sha512":"4a3794b2588d80fe524527854e931560ab49be7f99b0746df068ab9efc0a1a68d042812057b90fa5936d6c42fcec6ede3981bf2f87a85abb1d4fac08e3d853be","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Threat Group 3390 APT - Strings","trigger":"signature-base-master/yara/apt_threatgroup_3390.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Threat Group 3390 APT - Strings","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://snip.ly/giNB","rule":"ThreatGroup3390_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user input","trigger":"signature-base-master/yara/apt_threatgroup_3390.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}}]}},{"path":"signature-base-master/yara/apt_thrip.yar","filename":"apt_thrip.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":17573,"md5":"003549c567c1da1ffb335713f1f5455f","sha1":"abcc39b4a07dfcfee001d6fe39182028b9417351","sha256":"b1e4745ec8e0eff4580062b793594d09f79d7cb20cff941200214a5b6373779e","sha512":"ed49731bc10cf1fd3558c19ce6b58fc521afced09a2d65089c34cd913439eae2b36fd679341433707abf0e16df37b34528326e2176a1fe0967576bcfa7f0c1fe","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_tick_datper.yar","filename":"apt_tick_datper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1786,"md5":"c6509a93d08aae617d576175a9078847","sha1":"ce0485581213367f515f21ec0554892fa2f43300","sha256":"29714abb934b400cdaffc2f313f60ace2e3ebce508712516299fd266d85653fc","sha512":"0eddcf9dce6edebb5da9017bcf9b116fc5771a1b59ea3355cfbbb2af36247203889ba2a96a96db0ccfb8860250d72dd2e019625ccb27fd8cfdbc85315832cf5b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_tick_weaponized_usb.yar","filename":"apt_tick_weaponized_usb.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2663,"md5":"ba9ca07f40600d4dc000a1d0f0cc73ec","sha1":"546e22d5b267e7b2a11ce3e352ad9dfd8058f3e2","sha256":"6db6f0ad4cd276ee714effcacc97291225ed0115ecce9249a936737e67b5b346","sha512":"cb0bb922c8bdbe525f081e9df0343c6384d64eaf3810833fbe87408601bf061ccdc4eeff82b1ab18d5916df21586ade18515cb30fd528bc1ed5f6ece52abaf03","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_tidepool.yar","filename":"apt_tidepool.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1400,"md5":"b7ed2abb2ad9a3ae5c846c92d316ce0e","sha1":"fe9c11b078f6a0c7e3264377e6282ac1b489226f","sha256":"01a6f41aa201f0ffff8b2a97d0d6c543bd344492f963367b9fada3e6a53e4901","sha512":"c29b05698390ec0c5dd2a5949130f39ed22773ee0670829d1d71dbf286c7cc78c6a7450dfce674d86ebf6634d4726d2576838aac89562da8c3515913c283b708","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_tophat.yar","filename":"apt_tophat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3617,"md5":"f23b90bb6c3a21febadfc77bd03932c9","sha1":"356b508a7f8cab35b3cd5746fba998c4eb3f13fd","sha256":"97876f4ca3402d046405d48ad64202574b50c9d1440b70e7668c6d9050c05451","sha512":"ceb197c941bf9bdf488d223c2003c8291a161fa3e551b824975a2fdff633b794a6f0ab5d01ed7ce50ea1f9f03debface5307a1548ff8736acb8bee142cb08e9a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_triton.yar","filename":"apt_triton.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3468,"md5":"e9fa47da12fb2b5a9b61c35d97a4b3b6","sha1":"c9e1535066ed5dd40b5bca3446eb367e2bc9ec9a","sha256":"99885dd22939d939ee60ed77ac57c71d4c3723c2b31195cdf80b3da0531cc8fa","sha512":"b65e4f223293d5fbb20a831ecdf9ffaafccdfbf4933bad797988de2ed9daafc45515d5fadfeb12ab8a9afd6b72edb3b20319f1aeb2df260d7be1d98f5940aba8","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"TRITON framework recovered during Mandiant ICS incident response","trigger":"signature-base-master/yara/apt_triton.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"nicholas.carr @itsreallynick","description":"TRITON framework recovered during Mandiant ICS incident response","hash":"0face841f7b2953e7c29c064d6886523","reference":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html","rule":"TRITON_ICS_FRAMEWORK"}}]}},{"path":"signature-base-master/yara/apt_triton_mal_sshdoor.yar","filename":"apt_triton_mal_sshdoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":8102,"md5":"cc02de26162d1aca2647e306ac9c2840","sha1":"8afd7b2dcf7d266da608dda5f396ac9d8f9d26a1","sha256":"7a52d71545928055c4e4f9faf0020c7d5128fd1439fddfe791ce36215cba70dc","sha512":"fb620fb8e88e4b90e924bfa152c4c29624af49d6e193e7ce58bbb10a4ce60dc1df6fcc6e0732a354aabbba97681703e1acb495ab676a704b82450ca56d272701","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_turbo_campaign.yar","filename":"apt_turbo_campaign.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5957,"md5":"10cae51e0b0a1706b543d6c10869b610","sha1":"89d5a02d6ea4af9b1a80288e42ec0f65278c7b72","sha256":"dcb6aa89494624a3d95f94a484301a224a4196e8da13e6f46d487d43456350c2","sha512":"805ea0b37f0a2f9f3d23e5670beba36373b01fb795c0405cc1110c2481227d36a52e144cc84dc83782c30e15ccaf4dd4ae819b556c30dd6dbee267d6eff9d2e3","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_turla.yar","filename":"apt_turla.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":13157,"md5":"958e3c3ce2dde4de94489ea29f1f3966","sha1":"2b367dbc50e91d73b240679f46e414f8b3200ba8","sha256":"345934ea73512fa852eacd6b31504605c587f21536d06fc01fdeafd01d3ecf5a","sha512":"b56049f046b74d8e4d8e1c6c48034a0d3d749d99b0b464e6d96bd5bb73b27ea61b92d18281379c7fd1a0aec5961ce1c023d3c25c582d4500d3bb54accce25c19","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Turla malware (based on sample used in the RUAG APT case)","trigger":"signature-base-master/yara/apt_turla.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects Turla malware (based on sample used in the RUAG APT 
case)","family":"Turla","hash1":"0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4","hash10":"2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2","hash2":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash3":"fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd","hash4":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","hash5":"b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4","hash6":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","hash7":"8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a","hash8":"8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98","hash9":"0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"Turla_APT_Malware_Gen1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware used in the RUAG APT case","trigger":"signature-base-master/yara/apt_turla.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects malware used in the RUAG APT 
case","hash1":"0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4","hash2":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash3":"fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd","hash4":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","modified":"2023-01-06","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"RUAG_APT_Malware_Gen2","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Turla malware (based on sample used in the RUAG APT case)","trigger":"signature-base-master/yara/apt_turla.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects Turla malware (based on sample used in the RUAG APT case)","family":"Turla","hash1":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","hash2":"b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4","hash3":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","hash4":"8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a","hash5":"8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98","hash6":"0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f","hash7":"2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2","hash8":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash9":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"Turla_APT_Malware_Gen3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Turla malicious script","trigger":"signature-base-master/yara/apt_turla.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-19","description":"Detects Turla malicious script","hash1":"180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://ghostbin.com/paste/jsph7","rule":"Turla_Mal_Script_Jan18_1"}}]}},{"path":"signature-base-master/yara/apt_turla_gazer.yar","filename":"apt_turla_gazer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1660,"md5":"956a421baf790c5db27c42cf0bb62467","sha1":"78ea87d66433601428a8f08325bb3ec0c3666666","sha256":"1dc99f919239bfe5ef80aa0f7aa4c92bdab8246453081d0e95abc173d6eb7cd2","sha512":"cb4a3d521e08dc4f9712be4505186e7df42b867ca2a5e96bd70bf29b6139544019f8632172e5788be785afcf46cea781123ffa270512d22b8d4f95741109c5b7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_turla_kazuar.yar","filename":"apt_turla_kazuar.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2209,"md5":"cf93f2d54ff7313997ca5fadd37d5943","sha1":"5f5a1497d76e894418628f466ce768916c36b1c5","sha256":"730ff93aaaa661a1988a1f54851d3500610902e9938b0583d0b943b130e6896e","sha512":"5cb2f8490278bfde189ce05d4ad8b6a6aa366da610aa564c4c02b72211db2fc03bf716ec256e7acb2cf4f2145c0e517bcc2ddf354de4876a8b29cbb6848ee429","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_turla_mosquito.yar","filename":"apt_turla_mosquito.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":6651,"md5":"b36e129b7f94ba5e40e38e6f45f3a448","sha1":"72e3bbf13bde00af277ea84ddd831fe14eaf0710","sha256":"efef5e5ba399bf4f66715ee334ccfe4cae92d1529fb854fdca1d68bc07f7da0c","sha512":"1141b4fea7909d4fcfb703bc6079066537c4a3d1d8e48dfbc605da3a60e14d360a11ac4c4791dfb945a8dc12700f3b625e029ea811a89dc3175af56dee0f52ac","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_turla_neuron.yar","filename":"apt_turla_neuron.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (360)","size":6303,"md5":"942e0321a3beb3a968e0506b3c8127df","sha1":"812563d4fa38f6cc84323cda0c5734a6abe36121","sha256":"322b7dba621c03f3ae1aa5b336cdd974fd9a4ec4bc914909719a82b3ac2ca21b","sha512":"9d0ce26b2048cd6f827306edc672c1306d62a81cd4d9331abc37c6f4c3291106adcb14b97a10375425268d44e46e91fda741f4515dca9a49a7953003f1d2b578","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule for detection of Nautilus related strings","trigger":"signature-base-master/yara/apt_turla_neuron.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC UK / Florian Roth","date":"2017/11/23","description":"Rule for detection of Nautilus related strings","reference":"https://www.ncsc.gov.uk/alerts/turla-group-malware","rule":"Nautilus_forensic_artificats","score":"60"}}]}},{"path":"signature-base-master/yara/apt_turla_penquin.yar","filename":"apt_turla_penquin.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3654,"md5":"c37758ec9d4a50702171df50f3229662","sha1":"72871ef7eba500f4a9d378c53a5b49cdf5342887","sha256":"b8996077f670d946dfe9bf89f7d49d0329f2fc7d84b4070d2608e1500273104b","sha512":"f56bf072c2f8a2297ceb08f80ad3dcff1d76ea9bae49fe1e7061538f8ce9154458f6a0c52611cd8b91d74188672756ca921f96d195a4a9284f85971b28a8db5c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_turla_png_dropper_nov18.yar","filename":"apt_turla_png_dropper_nov18.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3479,"md5":"1e4c500ad73a992e2018b550f9026803","sha1":"266b2441e65fc29cca17c4130b1082bde0376e85","sha256":"4923b40ad9803d7886721091fcbe2f0a835abb9770d18d4fb1a8d0705635359e","sha512":"2cc7b5546bf7606c996a813c42fd0fa48da7dcfb0dc2c4981e8c9d626f93568bf07d872fd7c425a43fd2a61d6afcfe704fd3ad91f205165cad0f00d392c3db1a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ua_caddywiper.yar","filename":"apt_ua_caddywiper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1129,"md5":"0e2703ed5a15b56686ec28f1e217e36f","sha1":"ce0344c138baa378a932899d3e72261404842ce8","sha256":"6bb62e64ef24d26bc216d69e2d74e9b3ecc155797f0c64d49f3513f56d0e1717","sha512":"06fee78434259798d3dc54b0eb62877fb683636f6e3a0139b4ee29d2daf894bea0030524eae124a3c62ee76b7191b8c6e1a8fbf8629d3798bd86075d78d77c6b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ua_hermetic_wiper.yar","filename":"apt_ua_hermetic_wiper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4017,"md5":"f82e256cf47d4f96a9906c84620fb9d2","sha1":"b12cddcccc6d0b01dbb689add5d5ba72da6e3a3f","sha256":"284ddc919608053b8ee7941bf94a87829ce64da1fa7611363747ee9eb6cda618","sha512":"d401e2c383eb03ac6d8a1e85cd657e46508c7c90f02c844b3b5b93fcbf5258d3dac174d3dee3fcdbd955f97c0e30c488d56b30c780150a81ee006718c1027712","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects artefacts found in Hermetic Wiper malware related intrusions","trigger":"signature-base-master/yara/apt_ua_hermetic_wiper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-02-25","description":"Detects artefacts found in Hermetic Wiper malware related intrusions","reference":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia","rule":"APT_UA_Hermetic_Wiper_Artefacts_Feb22_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects scheduled task pattern found in Hermetic Wiper malware related intrusions","trigger":"signature-base-master/yara/apt_ua_hermetic_wiper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-02-25","description":"Detects scheduled task pattern found in Hermetic Wiper malware related intrusions","reference":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia","rule":"APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1","score":"85"}}]}},{"path":"signature-base-master/yara/apt_ua_isaacwiper.yar","filename":"apt_ua_isaacwiper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1171,"md5":"49469c40ffbb3243b06effa33973c7d0","sha1":"059169385d853b16c76a69d3767eefd2c19ebc3a","sha256":"516d1936b7d4a52a69db09459caead3e5987c9126c7e826ca79c26c36aed7af6","sha512":"f08569c124a11c56c88c95724aba505b5cd054ceb9ac66614621e73acadc1ab058e7029cdab106353eae78916a85918983ee757933c246d902d8c69fd1853568","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_ua_wiper_whispergate.yar","filename":"apt_ua_wiper_whispergate.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5250,"md5":"8fb6d79cfab3089e0db341471dbb8d3e","sha1":"b558af9cecb17f7e02dd2d75d0537134d09dd333","sha256":"caf90995f0ac4d95e20b17ec8805c670431f6b3ce9f6378a4e3a0a10c4e524ad","sha512":"aa5a1a6a386b41c9ad92d54e45b65da93b0fd4ecb0439d24f4eb3af1aebda20e8c0d9725853cebbaacb0fcc6f0fd891ef8c676eb683846078c85ef66ec81a46e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_uboat_rat.yar","filename":"apt_uboat_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2856,"md5":"4f54a198484095fec62897f5d725d335","sha1":"e85423f91b4cb0dafdf811d08a60a73b56d7cc4a","sha256":"eff32f68cb5ce325e67ce87198c1f88e98835a103750794eadbb30d5a2b59762","sha512":"b281ca749a0024368d192c555943a9a4e5c24505e27853372c7f1be979f9d7fb352352fd8aca1e24fd2a0ea180f7cfa8bfdeb5389c1971a141b40cf826d2bc0c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_unc1151_ua.yar","filename":"apt_unc1151_ua.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":773,"md5":"1b2960693c66f9b8b4c6e9f4144964de","sha1":"5410a0b5d8a4b1eb29f9bb2f05d2e0131bc0cabb","sha256":"2f013c287a1b34ccbacd590259b2443b686d74eb4d5a1abecff0501bb76ea938","sha512":"5aef59c078ea3be2a770e2c5bc06eb4a47e08ae598803d199831dceb25ab0b7e97e82b077101d440da84b9e50f2bcaad1bbed2d397cda2705da8234567ea7259","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_unc2447_sombrat.yar","filename":"apt_unc2447_sombrat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6833,"md5":"5626cb53f9e65313d8b8a9ccaf9d8fc1","sha1":"4c4303180665c2aa2b9eff38f7fc4693d5ae994b","sha256":"794b384fdcadbe59eafa48489ebfc2cb6b931c38214171bbe3b8c1a02668f75a","sha512":"88a52b2c9941790c320ef26ef84820becd8e4157a5fbf14f40304b704ec2f15271a80d1d9250e9bb1e715e180ad5a4ebd684a6b6873158b366476e6644352762","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects SombRAT samples from UNC2447 campaign","trigger":"signature-base-master/yara/apt_unc2447_sombrat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-01","description":"Detects SombRAT samples from UNC2447 campaign","hash1":"61e286c62e556ac79b01c17357176e58efb67d86c5d17407e128094c3151f7f9","hash2":"99baffcd7a6b939b72c99af7c1e88523a50053ab966a079d9bf268aff884426e","modified":"2023-01-07","reference":"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html","rule":"APT_UNC2447_MAL_SOMBRAT_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects WARPRISM PowerShell samples from UNC2447 
campaign","trigger":"signature-base-master/yara/apt_unc2447_sombrat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-01","description":"Detects WARPRISM PowerShell samples from UNC2447 campaign","hash1":"3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80","hash2":"63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806","hash3":"b41a303a4caa71fa260dd601a796033d8bfebcaa6bd9dfd7ad956fac5229a735","reference":"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html","rule":"APT_UNC2447_PS1_WARPRISM_May21_1"}}]}},{"path":"signature-base-master/yara/apt_unc2546_dewmode.yar","filename":"apt_unc2546_dewmode.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1077,"md5":"caefdf83dcb1f5c14d23528650752010","sha1":"6694599d0b5ebc1b2521a229ab949b91bef173e8","sha256":"c80966e57b3d6e6bee285b04e2154520879ecbf4e64d324bdaaf5e9bbe44d23f","sha512":"b279ffdfd4acb57af466f9082fec7b4bb4c200df9c0f442a223ce44cbdd0cb1b39924461c05c4d86b283b98e131c66c4fd1c239a24670be51feb716e37140ce9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects DEWMODE webshells","trigger":"signature-base-master/yara/apt_unc2546_dewmode.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-02-22","description":"Detects DEWMODE 
webshells","hash1":"2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7","hash2":"5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b","reference":"https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html","rule":"WEBSHELL_APT_PHP_DEWMODE_UNC2546_Feb21_1"}}]}},{"path":"signature-base-master/yara/apt_unc2891_mal_jan23.yar","filename":"apt_unc2891_mal_jan23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3309,"md5":"42350c0dd6390751e2cfff9ff8d4dc47","sha1":"4ab3532d5164ccf15b729052b018fc112489d0cf","sha256":"2474a3e9acb3cb74bb9a7e0bcf659cc84a5e1a69a0030be4d96b0a537c9f4f37","sha512":"cdb63fff766a1d5b7ee9dfea6d3ef2944e4a93ae3fff704b65bbf76e4bf6965d86baa5a617f605d550bb6246cffa8bd74d862e87587e75d9e29916e05ac14358","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_unc3886_virtualpita.yar","filename":"apt_unc3886_virtualpita.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (528)","size":3856,"md5":"86ea1dc35a09f7458b10750eceeb23bc","sha1":"03faaa12170c748c0f02760966d538e50bbfb44d","sha256":"08a05bb6dc4854889f74101ccb875bd5d0c40a7601488b780a7cbc777216c659","sha512":"d34773ba38ec3d559a38e528ce0db9d37ba7fc43fc148b2d94be21666bbb6ac5e7c0640bf7ceeece2cfeb0bee672b70efec64fc2db57a25f392910859cc5aacc","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_unit78020_malware.yar","filename":"apt_unit78020_malware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5636,"md5":"f15c2d6f2ee42fcde7229ead7610a6d6","sha1":"9ff615f3971708cc7f8f4c1c5e36f2b786c72b3a","sha256":"2d1988351dbc956cca1be46b49a46dc490c0a6cd8d2dac0fe3d4ee9727afa247","sha512":"363293a9b70abcb637fa74c46b870df708898a4825b4d6af2f69b0701881415968f8bb5feb129ea95f76a5808001547778c9d1a08ae3e8ac38b4a79a7e3fd4d4","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong","trigger":"signature-base-master/yara/apt_unit78020_malware.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-24","description":"Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong","hash1":"2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac","hash2":"5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://threatconnect.com/camerashy/?utm_campaign=CameraShy","rule":"Unit78020_Malware_Gen3","super_rule":"1"}}]}},{"path":"signature-base-master/yara/apt_uscert_ta17-1117a.yar","filename":"apt_uscert_ta17-1117a.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4343,"md5":"f17542e03c59edbd2b88c129640b0948","sha1":"5b1af5e686640e22ad302785373e53541895f509","sha256":"6fa20e1e49939873f511b62d104f4fff19b1617065d9fe2c017af2daad0ce0a3","sha512":"8bca48f9274dcbfc51b33f4a1b4e22cbc24c67b9781ed49a0ce35d4215d4fdab8eeb77496e101322b9084913d0a8f1f1c02465e88df27c1b6540bee2b8891ef5","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a dropper used to deploy an implant via side 
loading. This dropper has specifically been observed deploying REDLEAVES \u0026 PlugX","trigger":"signature-base-master/yara/apt_uscert_ta17-1117a.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"USG","description":"Detects a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES \u0026 PlugX","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"Dropper_DeploysMalwareViaSideLoading","true_positive":"5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings identifying the core REDLEAVES RAT in its deobfuscated state","trigger":"signature-base-master/yara/apt_uscert_ta17-1117a.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"USG","description":"Strings identifying the core REDLEAVES RAT in its deobfuscated state","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"REDLEAVES_CoreImplant_UniqueStrings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects specific RedLeaves and PlugX binaries","trigger":"signature-base-master/yara/apt_uscert_ta17-1117a.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"MD5_1":"598FF82EA4FB52717ACAFB227C83D474","MD5_2":"7D10708A518B26CC8C3CBFBAA224E032","MD5_3":"AF406D35C77B1E0DF17F839E36BCE630","MD5_4":"6EB9E889B091A5647F6095DCD4DE7C83","MD5_5":"566291B277534B63EAFC938CDAAB8A399E41AF7D","author":"US-CERT Code Analysis Team","date":"2017-04-03","description":"Detects specific RedLeaves 
and PlugX binaries","incident":"10118538","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"PLUGX_RedLeaves"}}]}},{"path":"signature-base-master/yara/apt_venom_linux_rootkit.yar","filename":"apt_venom_linux_rootkit.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1181,"md5":"7b7fb1bebe134c7b2fd7988340b8758a","sha1":"6553d394f86238c2f6710670b4b485b3bc19c570","sha256":"75649e7170ace01986ee1f6d8f1bdcf8f8af194bd71530ef94cf42a77c8706c0","sha512":"f0b36bb3bead12b0adaf14f9529ca13a2197eefb13f5d7ee6fc616326574909476167f4d3a28e4fe475b46715fc38abdfed76bd519f5a9def8570edd70ca27b2","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Venom Linux Rootkit","trigger":"signature-base-master/yara/apt_venom_linux_rootkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-12","description":"Venom Linux Rootkit","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://security.web.cern.ch/security/venom.shtml","rule":"Venom_Rootkit"}}]}},{"path":"signature-base-master/yara/apt_volatile_cedar.yar","filename":"apt_volatile_cedar.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4680,"md5":"77b5ee69fd504d92d9f8a59d74cc1303","sha1":"679710c4271199ef7ee410070b03f1ecaa3927f8","sha256":"07a1a7af1f6315646738800fa075f7b37e57cd3ab89a6fc3c2f31f636380083d","sha512":"935434fd12b1ac4290a366efe23dae6df94e2de924bfd6e5055b3cc12ab8302be1a330a537d0321649adc5dcce673c49553211f9bcd8a520c3b6418d91aaba32","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_volttyphoon_versamem.yar","filename":"apt_volttyphoon_versamem.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1487,"md5":"14e1339b122752e596302ee442366c31","sha1":"58be5281e9e82af9fd4f0da5aa3dbcce2696218c","sha256":"80e94c65fbf098ef21bcd59ca247e90e62a62607587f0a872b370a98ef514d5c","sha512":"f34370a56d31155e3ec647e16fab2ef98d266825b47a8af32126f567685aa6676263ec8041a4459c90e05cf3f72b0a0d1c8a4fe15b05345f80bff38a0e52b9f9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_vpnfilter.yar","filename":"apt_vpnfilter.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4476,"md5":"579d202ebdcc244e7eac14bb65ef90ae","sha1":"e86d1f897ba59b29ab2e9714f7fdb87f85501fc9","sha256":"b272f4698a4f57d753938f195e9d878b096bde43143a6c6c78d6d85f85b7b478","sha512":"c8061065fbd6f58d98dede2a99e40e2cb60d5e3f5c598733d1918a31364ba81850edb5547ede02bb5dc5ac7e29ed641d5283208962ddfc6f87b425d551e9de50","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_waterbear.yar","filename":"apt_waterbear.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":10427,"md5":"00b9b51a17477cc259efa39dbc96e728","sha1":"5f0dc03606ad035b6b63aaf7fab8fcae68effc88","sha256":"f9bdb61b99161f3d317b2cb7c7f60e36e61842b291d1ff35341047c56f0e4513","sha512":"a9e9afe840b351512a05eccb26110ac6c059c4de7e4f6e10dec9a043b38cf3b95974f1a95fc0a78a5eee7ef9744036c297bb8570a2565c9df1925d9d313e7ebd","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_waterbug.yar","filename":"apt_waterbug.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (324)","size":4985,"md5":"3ba609e1f515063ab11efde594d666ae","sha1":"3ed8b93f9cdfe8effbd9e1d2960d4a4c5fa13895","sha256":"cf2679ea0e971e25ba61157d6dbcab56f7fee8dd100d03525ffa420a835e3fea","sha512":"28669aacbeab731eab5c8e8df62ee9fe7ff53a73080f5c6d3622f67382b88a3a54fb3cae3fe98282933b9bb15741cd38df26a8a099d3c2eadb8ff3d1486064ac","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component","trigger":"signature-base-master/yara/apt_waterbug.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Symantec Security Response","date":"22.01.2015","description":"Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component","reference":"http://t.co/rF35OaAXrl","rule":"WaterBug_wipbot_2013_dll"}}]}},{"path":"signature-base-master/yara/apt_webmonitor_rat.yar","filename":"apt_webmonitor_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1562,"md5":"3904df357071bd1a1298e79ed09bf8bd","sha1":"654d1eb886d1a51a75a00211693650932014b948","sha256":"234d12246949ffe93bf2fa7c1792a0db06b045bf2a0ab1564e358ed72dce1a18","sha512":"f85ba3967ff2fd1df053e26e0e5feed6793b8547840a19e22d8077d020e30632d1c91444bcfefacba642a2afd650cd8fd816fb7e151fb1e21b541640b7f7d41d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_webshell_chinachopper.yar","filename":"apt_webshell_chinachopper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":672,"md5":"af038e1f18b088dfe3fdd0ec7763b10a","sha1":"d777d3e8629865cceb7dc2c1ea82bc71b24593de","sha256":"22da4bfc1eeb2728a7826643ebaa86cd082af6c950752c4c962a3b9f479f909e","sha512":"cb7a94c612d49a3031b38a7d4f592bc078f10571686ab11da3d4be39f1e84b02aba938123ff3a81d71afe95c7b11a202b9eb4314a01d13d3bda58f9803407f28","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_wildneutron.yar","filename":"apt_wildneutron.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":16087,"md5":"092a21fe74c3bdefe5d83cc87674f131","sha1":"ce04918b2bb193397b07cd4dda99d29583cd9551","sha256":"116b9e8f648707e5b1ff3f1478b4db80a3b8af979d327cf63eb14cdff0e6d706","sha512":"4c0caaa9c3f1b29275e17331902f9b381d7ea39d3d177a462c9686367415282adde8aee1bdb5a8ad9d681957640416a0572ebf0c6f78e1a5561351e028870f11","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_wilted_tulip.yar","filename":"apt_wilted_tulip.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":13394,"md5":"75e69b656b7721202aefe59455584de6","sha1":"06279af2be16c0b7f7a0cd79b4f8f57f2c2a6427","sha256":"7e4db5ff36968e94bda0b33099d4a158a4fcc6de9c642bd32cc56f27de7e1bc3","sha512":"e99996f4a2ceb008ff24f6901d004acf037daeec98be67c36a1abc50c6896a90a52e40c3c1c2a753128df3d6cb9879dec1cf97182e1b4c92df879db65e822988","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects powershell script used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects powershell script used in Operation Wilted Tulip","hash1":"e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_powershell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Windows scheduled task as used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects a Windows scheduled task as used in Operation Wilted Tulip","hash1":"4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_Windows_UM_Task"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects hack tool used in Operation Wilted Tulip - Windows Tasks","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects hack tool used in Operation Wilted Tulip - Windows Tasks","hash1":"c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c","hash2":"340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d","hash3":"b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01","hash4":"5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a","hash5":"984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_WindowsTask"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects powershell tool call Get_AD_Users_Logon_History used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects powershell tool call Get_AD_Users_Logon_History used in Operation Wilted Tulip","hash1":"c75906dbc3078ff81092f6a799c31afc79b1dece29db696b2ecf27951a86a1b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_SilverlightMSI"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects reflective loader (Cobalt Strike) 
used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-10","description":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","reference":"Internal Research","rule":"SUSP_PS1_JAB_Pattern_Jun22_1","score":"70"}}]}},{"path":"signature-base-master/yara/apt_win_plugx.yar","filename":"apt_win_plugx.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2494,"md5":"d0ba76c444c227e3f92921ec90d51cd2","sha1":"84e9c200ea7093e2bb9b1cfe364f9dce61eacbb2","sha256":"517e83d12fb083ec1e1f8a8d5dc36017e91f903011e22881ebe236e0522f15b0","sha512":"b6998613bd5e47481c474d07404b061e7d6acfb3cfff1cb25c0e5035a665e4eb56cbe70c1cd269e2ee69204d9a2303df3125fef85e87c759ad8b24aab1351d62","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PlugX Malware Samples from June 2016","trigger":"signature-base-master/yara/apt_win_plugx.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-08","description":"Detects PlugX Malware Samples from June 2016","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Research","rule":"PlugX_J16_Gen2"}}]}},{"path":"signature-base-master/yara/apt_winnti.yar","filename":"apt_winnti.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":17222,"md5":"2b779320cb5677c512d26129332e9138","sha1":"c6e9eafcc01478eb00a51d8779dd22138ec5344f","sha256":"bba14961de335c58a86a247d338599c18f00c089bd70ee7b4c2dbc3b32868bb9","sha512":"6259e9282f3245cb986b12fd45675d9477a3b281d9caf9bba8442baf6ccca350c9e2577fca2b292c4600e19e351c396b1054a867c5c03f97a68504d351cfbd37","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_winnti_br.yar","filename":"apt_winnti_br.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1460,"md5":"898b7854959b06588969e92ba900a89a","sha1":"0d9fe6f3124ac309f66c89484cf3702f8203d9b9","sha256":"1c7c81badeee07f09a3551b98015b9fe34c7dd05b8b90a6a0fad190a3caa514b","sha512":"1070b3803b7607e55528c7a95b67b00435e3a230dc4704f365e2b383c4932179ce6b304187392c7887fee55ca7aa5a3a8a3f5db3e264e737c7fdde46ca356901","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_winnti_burning_umbrella.yar","filename":"apt_winnti_burning_umbrella.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":20137,"md5":"51528ce3fb9709073e79293b0a078307","sha1":"875f687f6e3b802c37c470bb90b5fb2e9a241b0a","sha256":"21e762c501dde308835c9ceb96976109cae58470242ee12e86cec5e9488d1371","sha512":"f78a67a26b0fb70348a23610a4b91ce2e7b810ecaa92aefb18ac81a7d10d59698e512f60d8337e09e95d243c583c53facbb895624e9a99321b2f57abbff6d348","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_winnti_hdroot.yar","filename":"apt_winnti_hdroot.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3633,"md5":"3d04a8b56ac82bb772d82bd2d8a9781f","sha1":"62bc997c97f870f283ca91a4421278f59ce8dd7e","sha256":"0bda8b9c165cf4e86116411dc7fe86d306806a0ba99661dd46da5436bfc7c7bc","sha512":"4e8e7875647b716b013bbbdc8bd9b4f27a73ff44f78366577724d64bf1525f80f2bf216a54890a5e53049845472d59d88559a4115c1730669e6a5c0b6bbd1130","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_winnti_linux.yar","filename":"apt_winnti_linux.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1778,"md5":"ce48966c793be850ccf1c046fc428939","sha1":"755c4f265a77d05651635dcaf08ff90dc00c5d46","sha256":"d73609e9a51afa0a1afd482b24a65ac51c438ef5ddf827ac5058c0408ded3c59","sha512":"590ba0b72dc84c68373388970ac39ff8d51de910f8efd5bd003cba859ae2c47b2abfb62d9bb7e39928d2f7dad2d1b9d706624f1f471f63191892787854c04891","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_winnti_ms_report_201701.yar","filename":"apt_winnti_ms_report_201701.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1473,"md5":"ae36a84366280d42f1eee9e0d3012b43","sha1":"9ecdd8e5fe0e3097572e0595a0aa56ce6d8bf184","sha256":"eda44109cd3d10223eae335fbcb20c9607d5e9697101f6d9db87aa2033748324","sha512":"8a0a5dd756f1ac157e0f0d1416cdae9ee2d676352f76303ee465eb4a37360d1ac54eb493e6f734cb3674195336ab4e14cc2361b4d874eaf9a4be3fc7f86569e0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Winnti sample - file NlaifSvc.dll","trigger":"signature-base-master/yara/apt_winnti_ms_report_201701.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-25","description":"Winnti sample - file NlaifSvc.dll","hash1":"964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/VbvJtL","rule":"Winnti_NlaifSvc"}}]}},{"path":"signature-base-master/yara/apt_woolengoldfish.yar","filename":"apt_woolengoldfish.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4277,"md5":"0799bbc69560b0047beb384255e15080","sha1":"be6b58daf3c4b1c3e9f6a8b990996bfa24259b77","sha256":"8754424da3a5ff168a5196d3bec5081f0bad1301c8b26682351699c25494a18b","sha512":"e821533dba96c6ed4f9ddb709ccf8fae276b653b3b4b284bd4151a8860399373cac1d9ff883d18c4464ff6e4e475e8f1af429b550e4da29d1612e08ce0af3c7e","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","trigger":"signature-base-master/yara/apt_woolengoldfish.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/25","description":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","hash":"7ad0eb113bc575363a058f4bf21dbab8c8f7073a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/NpJpVZ","rule":"WoolenGoldfish_Sample_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","trigger":"signature-base-master/yara/apt_woolengoldfish.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/25","description":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","hash1":"86222ef166474e53f1eb6d7e6701713834e6fee7","hash2":"e8dbcde49c7f760165ebb0cb3452e4f1c24981f5","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/NpJpVZ","rule":"WoolenGoldfish_Generic_3","score":"90"}}]}},{"path":"signature-base-master/yara/apt_xrat.yar","filename":"apt_xrat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1612,"md5":"8d964d730991c6b0c9d5fb049dc2e3a0","sha1":"a40df3f1e68a09649e0a0caf9b2a6fab95ff8370","sha256":"4a71225ee15ff1909bbfdb8963925a7f9ef7d7ef4141adae2b0b4b09dfffdd7b","sha512":"adb48f7074f5bc077dbe5cc53c087237f1ac4bc57148eaf30aaca7075dfb63267e56f6bc72a1b48c7bb40889a2bf1ad2d18378553af4ea6c1c22981bd7566fc4","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/apt_zxshell.yar","filename":"apt_zxshell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5885,"md5":"b6111cf955778ebd41a044c2378e8143","sha1":"3258e6c3e65b45e0830159744111cbc17a02de78","sha256":"d1cad2f1c8e907a139c0e7f41406af5f3b038794f73d9124a292d7c3ca04095d","sha512":"b71002d42c1946fdd16ef2c931c1f9c83197ad8d1dc37e7811f7380d0b274a1fe26bb6493c7142e5e13f5c95f3a97ca3b9b20f1680984bf4325cbf866ed4dca5","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a ZxShell - CN threat group","trigger":"signature-base-master/yara/apt_zxshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-08","description":"Detects a ZxShell - CN threat group","hash1":"5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blogs.rsa.com/cat-phishing/","rule":"ZxShell_Jul17"}}]}},{"path":"signature-base-master/yara/bkdr_xz_util_cve_2024_3094.yar","filename":"bkdr_xz_util_cve_2024_3094.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3256,"md5":"703ec87122e13cd755a8da1a2d916c7f","sha1":"cede83c3c39bcf1d531c54ed20162a4896e01745","sha256":"cfdb96beeac02bf203ab1d3392b432bccab3d3c42b23ff18ba75085441f28671","sha512":"ed293b92cac4868f9bfad8932889fc1c9c0f9f6f1a8e45616f6b1808a7e4c2b55b812b8d3a99a028bb3f3fff7d64514b3cd36490b5b9d47d11078921606612bc","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/cn_pentestset_scripts.yar","filename":"cn_pentestset_scripts.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":17600,"md5":"1512cc922dc76dbf3c7fe2a0ccecd686","sha1":"278807f5f5559822d2bc4de81c85e7c5f86bbfff","sha256":"8fc22baa75895cddaa8877b1fea4bfcc8ac2fa17fbd025a896095563e32ed8ee","sha512":"adf89599a0e0a341dd97d9b9c4c6d46e4f881f5bdc6e6d37b0d6011c470b13182321c4d046aaf13885a202fd820842ba90d6b29c9de5bb8a73f6f79f755b9d41","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Script from disclosed CN Honker Pentest Toolset - file pr","trigger":"signature-base-master/yara/cn_pentestset_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Script from disclosed CN Honker Pentest Toolset - file pr","hash":"583cf6dc2304121d835f2879803a22fea76930f3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest 
Toolset","rule":"CN_Honker_portRecall_pr","score":"70"}}]}},{"path":"signature-base-master/yara/cn_pentestset_tools.yar","filename":"cn_pentestset_tools.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":103756,"md5":"f43c373d5d7d622c90c63b954176c186","sha1":"882e8903093e2c19625bd95d20d7ef3590f4646d","sha256":"eb01ed4e03a207dc1846f47b05ece3fbcf31186d25763da2a69ea182e4ae05f0","sha512":"b16bd53b2ace1e3e8bbfe974b5d96e2580dd5abcfb14905c875ceb485155e9cb6fff6c03836f449df908db9866de12b06faa385e09f366ed104c92d1271cc735","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - htran-exe","trigger":"signature-base-master/yara/cn_pentestset_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}}]}},{"path":"signature-base-master/yara/cn_pentestset_webshells.yar","filename":"cn_pentestset_webshells.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":52220,"md5":"7c21cb114bd59b362dff97ecf23ab15e","sha1":"2450b804913a9621d84fc3756434e89d7817185d","sha256":"a7bf6e7b31636833a8388fe7ad65a2a895ab7b16148ce33866c31f48e3dd1e88","sha512":"90d070344dca090602f9698ecdcb6acda0e7ad9c0c230ed92722015979dd8e56fd0d784fc2f95a14b08d2c4d7fa7f31c2aee09853fe570cdf2ed2390a2075b87","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file 
php6.txt","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file php6.txt","hash":"a60a599c6c8b6a6c0d9da93201d116af257636d7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_PHP_BlackSky","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file sniff.txt","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file sniff.txt","hash":"e246256696be90189e6d50a4ebc880e6d9e28dfd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_ASPX_sniff","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file udf.php","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file udf.php","hash":"df63372ccab190f2f1d852f709f6b97a8d9d22b9","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_udf_udf","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file 2.6.9","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file 2.6.9","hash":"ec22fac0510d0dc2c29d56c55ff7135239b0aeee","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_Linux_2_6_Exploit","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file php7.txt","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file php7.txt","hash":"05a3f93dbb6c3705fd5151b6ffb64b53bc555575","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_PHP_php7","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file 
asp1.txt","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file asp1.txt","hash":"78b5889b363043ed8a60bed939744b4b19503552","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_ASP_asp1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Chinese Hacktool Set - file templatr.php","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-13","description":"Chinese Hacktool Set - file templatr.php","hash":"759df470103d36a12c7d8cf4883b0c58fe98156b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://tools.zjqhr.com/","rule":"templatr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. 
restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic PHP webshell which uses any eval/exec function in the same line with user input","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic PHP webshell which uses any eval/exec function in the same line with user input","hash":"90c5cc724ec9cf838e4229e5e08955eec4d7bf95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2021-10-29","rule":"webshell_php_generic_eval"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell which directly eval()s obfuscated string","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/12","description":"PHP webshell which directly eval()s obfuscated string","hash":"49e5bc75a1ec36beeff4fbaeb16b322b08cf192d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_gzinflated"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user 
input","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}}]}},{"path":"signature-base-master/yara/configured_vulns_ext_vars.yar","filename":"configured_vulns_ext_vars.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":8878,"md5":"bbba2e197221bb67351af6fc512b4bf9","sha1":"a6b4152a51636d5e4049c62e11df4e861212bd88","sha256":"6f0c7837baa9b7b81d06fc857e9ed58a1a885b61ce8b2efec1b19413392e21a3","sha512":"4dc9f6f1af54c9a6f801aca75b428eb6bc18ae2d2bc288a7444125414626fa40ed740233dea8b519e5691130f11c55eed4fdd4419ac44b2fee3d050395a34935","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_academic_data_centers_camp_may20.yar","filename":"crime_academic_data_centers_camp_may20.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1464,"md5":"e90644979900c9f7a9cf2080f44bddfd","sha1":"eb068d0bc4e569e8abe5998e7a20a7dfb23e2280","sha256":"c33f8985b7d591460e1f832a96e83a88341f7e13c498daf09c83149c7209556e","sha512":"694b9072a0d888dcfe7ce849ca228a9a9f8903f424db9181493057a197eb03fd4e81fcfe18629a4659a7eb5a0cc9a948ef8552627731a29bf32f03615fce6905","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_andromeda_jun17.yar","filename":"crime_andromeda_jun17.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1699,"md5":"cd753c295d4d8a0587b7479f66bec6a4","sha1":"fdc3f34f554ba1da6287586ab53466a7bda368e7","sha256":"6a3433c750cd2e5b3ca5ac36f3918a632cf57ab8b166cf45b3cfc7a67063c628","sha512":"81e246466540c821bfdb8f0265d310cdcd993c0665f967aba0d54eb668541caeae2acc6d2310df5ba4eb586d251c9b2a64c82692626440793f213db05fbf3e81","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_antifw_installrex.yar","filename":"crime_antifw_installrex.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":674,"md5":"9066330febf50c9802c915f8bfc0c85f","sha1":"ea1a35b3cdb936619989b5bf846002a4496ae047","sha256":"c0fa3acbe3236c11620b08cb8b986a43dd2b219d558dcefdb9240a79b467dec1","sha512":"7e06cb07ba8d33fd2159cc49d796d2f44420ac7eb88be41a700af8349d65309be6466cf23f50575e1ed56c98b561284a6e07362912ccc0f8cea5e60a00b7c926","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_atm_dispenserxfs.yar","filename":"crime_atm_dispenserxfs.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":784,"md5":"3b84aacdf1d4a5bd088861ba7312e4c2","sha1":"99a84019bd97e267bbcf30bb3cecf00bce6c34de","sha256":"36a8a652f89a98ec4c24935a5e62bf2e9be055d76d14ccf754e64c3063d9d0cc","sha512":"77f365679d72117f2553c69664e64b2adfd67b6332df3ab39903c7efdae4b60e46ca60a2ce3298378e0b5bdefcd9026b222515069c099e3098cafdc25cf05430","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_atm_javadipcash.yar","filename":"crime_atm_javadipcash.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":746,"md5":"e6ab2cee9cb97d41cc04beffe60f8744","sha1":"d552fdf457cd445d65c952a258df03e9397063a6","sha256":"821599f7c30698fc768679b1a6d16283471b7a5727557ed57cc33a931e0926ef","sha512":"b593137f5ad27ca893bd5c2c0551c1f61ec80a915f1ca149799a2d9fc808bf3b3df6b1f442912556444c6b91d5e55346d10174a1d14372e9ce263d5baeb3a14d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_atm_loup.yar","filename":"crime_atm_loup.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":757,"md5":"7615e93ad796726f9b6a22da76e6c2dc","sha1":"be92f6bca1a77aff38b3e5a038994f3d4ec5a63c","sha256":"d64845646433c46ed46c6ed5ea4f4ed1ce010ff1e8f3220a28fec4e343b89224","sha512":"07e8f6093ae45caf21fdebbcd92fcf387c34d9ac40be6187c70ef3d24d2f91009e4eed6cbe93a8fdbfd3bdd0cb6c6b291edbcac5b3f0196b659a25bd161865b2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_atm_xfsadm.yar","filename":"crime_atm_xfsadm.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1003,"md5":"3e22e6e88b82a6f06fab5064c8c91fa4","sha1":"36ab3aff88c291e5ff97677cffeff70bfd7b025b","sha256":"4f6b3e77e03c282bbd9a72e6bf5de81c6ad01549ef68256a28b718ab32321ee6","sha512":"f0c11b7c3ed8f74b7c7963011ffb03c210fc89efc238ae63a7565008122c858a1d5f8ff959ed9d74d30009209ac84777c16eb38247414054fd66df577da3f9b0","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_atm_xfscashncr.yar","filename":"crime_atm_xfscashncr.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1077,"md5":"9dca4d55c094dc2d0b2a6fa084b51ea4","sha1":"cabd09154810f18c2b527141ba050914e7747c8b","sha256":"2f5f01c544e0d65aeb3e4c8b4aeb74ae29995a0c3c5ce6126fce7d4f8bb51c2a","sha512":"64b1186de3417051e2aeafd4af21889193af6476b3fe9903cf291142ae647cf8e1114afba94d4402af6eb8e266adada77ecbf558467f3e5aabd053bc8c185766","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_bad_patch.yar","filename":"crime_bad_patch.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3509,"md5":"6c53315b4cbed010998ecac6969e75c5","sha1":"69036db72fd1d85c0ba5370b49638db4717d2c75","sha256":"ff3d864fc71152a9eab80b6c139fee63054ce9fdfbe4c312a2a01bb8cbe35516","sha512":"df67ec614112b15e8fad9e974828a6b7137368fcf2b84ece5cf6a662db8be9fd8b9f248ad49011f999bb9f5c26d13cef92c19b4e115634df2ce1058f4e03346e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_badrabbit.yar","filename":"crime_badrabbit.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2720,"md5":"c721073bb70d112cbff957c057577dec","sha1":"97563be9ab1a1fe84ea58de156691dcb4acc50da","sha256":"1bff4ed6414702a28b4452135b9171d7c1190aa1d63ac15dc4b086c0360b4d45","sha512":"aa33875bf12f5279324de387e5344b158baa82e13607cb876348cc3f642562c0d9a637ae3d808a681273f77c85dd42044fdd0af41d7f38d52285b27a0c23b3ce","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_bazarbackdoor.yar","filename":"crime_bazarbackdoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (514)","size":1347,"md5":"3ce6798d34b011a8d48ff35f1d0a4112","sha1":"cbd2a3193f0abe141c2877f9895dd518f2df59be","sha256":"05b3ddf4032d075db1ea5977f6eac0ae8ead2a651551a3938835cbcc829353bc","sha512":"61154d59f9a3a5f76d255ba40bb60ad89d27724a0507e14d4cb3c2b3d59a0f161ff4518dbc2bbdcd701b1a23b431c7ee473a32a7ddda673361a772ceb5435edf","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_bernhard_pos.yar","filename":"crime_bernhard_pos.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (404)","size":1256,"md5":"fbf05b24f7a883f121b8ccc4b0ff0f1c","sha1":"a8d4c2e632eb814d20a083fa3ffe4f224ef09334","sha256":"3a06fe0885470dc820826016b55f5bd4728d1968a0d08da057982f83bc794e98","sha512":"235d2dfb9667f7634a8392e8a1720064fe9e399ca441262fc6b84b465f26aa7598823a29297ae93b5e73c0574a6a0d2606caf2eb2579982bdbdd0da45e2e004c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"BernhardPOS Credit Card dumping tool","trigger":"signature-base-master/yara/crime_bernhard_pos.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Hoffman / Jeremy Humble","description":"BernhardPOS Credit Card dumping 
tool","last_update":"2015-07-14","md5":"e49820ef02ba5308ff84e4c8c12e7c3d","reference":"http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick","rule":"BernhardPOS","score":"70","source":"Morphick Inc."}}]}},{"path":"signature-base-master/yara/crime_bluenoroff_pos.yar","filename":"crime_bluenoroff_pos.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":741,"md5":"6cae78d09309ecb154f3b0c8b0e4b2e0","sha1":"83db3f7f6d42c28ee1f128735e142f2f32c7578b","sha256":"ec639054f1c59674a285beee69666f0583f2b096c77a91ddbac48703df12d339","sha512":"d2cb6e9824db1e2dee5dcffd249d8811ff9c066c89c9095cd9f813050f4e7ac307403b358b8ab4e342790adc54b3932561807a4c5240501be45901387b73c28f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Bluenoroff POS malware - hkp.dll","trigger":"signature-base-master/yara/crime_bluenoroff_pos.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"http://blog.trex.re.kr/","date":"2018-06-07","description":"Bluenoroff POS malware - hkp.dll","reference":"http://blog.trex.re.kr/3?category=737685","rule":"BluenoroffPoS_DLL"}}]}},{"path":"signature-base-master/yara/crime_buzus_softpulse.yar","filename":"crime_buzus_softpulse.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":801,"md5":"29051f5a83717a91fa3f2ddd3de10054","sha1":"6c9c910bcf7ca7dba9ef018e396cfedc27da6a4c","sha256":"e380fe5e1e92c432967c7769fdb7819ab053e0d4f2aa99b49bbb30d3320d5c3b","sha512":"c2019993ad21b8b2d5d753006cef6a2fcc56c687be57a143442397fe1793923d5de13edb993c8bd8cd62bb1320554afa2c95ba2bcf866a380b4331bc7da25aed","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_cmstar.yar","filename":"crime_cmstar.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":590,"md5":"c9b6877600ca6e9425eed27825fb2427","sha1":"a0a12ad990805592f0ad110a9a2cdccff134a040","sha256":"6c65cf72c47c5b8c99e3ca5f3a724eeb2f2d65cb553d341250944beb983e0037","sha512":"ab4b28c99d313b0388c7fd543540e7e45550784032adee36d964eabddf6939c2b86e466f96ae2a19461e5f5665540220f992938e417dad2e3d2ad73816c25237","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_cn_campaign_njrat.yar","filename":"crime_cn_campaign_njrat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6981,"md5":"d5eae7f013249c277736bd9bddf77764","sha1":"a5166083665fe2ec7d61fab0d61016e9c7aea056","sha256":"eb5c61a6bbb14a632105287ede03d5ff67fa0402e17a40277dc165ada44963ef","sha512":"394915dd231dff7a834e85b6a93a815824f4caa3873117c9e2a66eb209bc55d074d3ee664fe477df34983523e3491c99766d4dadf493b87fade21a3442e89418","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_cn_group_btc.yar","filename":"crime_cn_group_btc.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2550,"md5":"7b4f76d14dc7b5aad3ca1316e80ca544","sha1":"957eea691d3b973659fe6b17019b46b291cf352a","sha256":"4c634fe3f877b581b929b165c00bd68ac373899a2163fda3774c41a27ba2e8aa","sha512":"d044f405a1a19ec767edcb331bfe86fb786aa4c46f5365648a67845bbc3a1a6466dec8d0aa0ff1c03f5b39be274947bc333e6bb7a6cf684c357da24e7ec302e1","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Crypto Miner strings","trigger":"signature-base-master/yara/crime_cn_group_btc.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-01-31","description":"Detects Crypto Miner strings","hash1":"ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05","reference":"Internal 
Research","rule":"PUA_CryptoMiner_Jan19_1","score":"80"}}]}},{"path":"signature-base-master/yara/crime_cobalt_gang_pdf.yar","filename":"crime_cobalt_gang_pdf.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":555,"md5":"14d8d43439ae0a38ca324f72745c7868","sha1":"ff2404a26a5e1a8ddb40e20dd4524e3c63590e22","sha256":"a7f8dbb87e59aee46e4ca78bf7910b259941ccf84223295331b31b325ca1a442","sha512":"b19beeb3f0dacc3e34c80f26214aabaa5d5847eee8162df61dc70023f5b0b4ffaf77704e0c467e686b30fe6505704805cce4ea9b62d54be3a4c37d5687bf0bb2","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Find documents saved from the same potential Cobalt Gang PDF template","trigger":"signature-base-master/yara/crime_cobalt_gang_pdf.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Palo Alto Networks Unit 42","date":"2018-10-25","description":"Find documents saved from the same potential Cobalt Gang PDF template","reference":"https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/","rule":"Cobaltgang_PDF_Metadata_Rev_A"}}]}},{"path":"signature-base-master/yara/crime_cobaltgang.yar","filename":"crime_cobaltgang.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4219,"md5":"2c295d90258c10166e26b8bf1e6aa3d9","sha1":"00488f3d412120fa0c43caeab093662689292f17","sha256":"f0cd03747f75fc1a1e4ceb63dd0767a4b0983c7fbd86dd966a244cf323ed4db7","sha512":"78f61a471966ef1c48b3d5c0b35799218b86b2dd87ab1db32cde492313579f52e79c630495956cb79b55fb32218c07b96b1b3af78bb01be309fb546ae18a0bf4","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects 
Script Dropper of Cobalt Gang used in August 2017","trigger":"signature-base-master/yara/crime_cobaltgang.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-09","description":"Detects Script Dropper of Cobalt Gang used in August 2017","hash1":"fc0fad39b461eb1cfc6be57932993fcea94fca650564271d1b74dd850c81602f","hash2":"1c845bb0f6b9a96404af97dcafdc77f1629246e840c01dd9f1580a341f554926","hash3":"6206e372870ea4f363be53557477f9748f1896831a0cdef3b8450a7fb65b86e1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"CobaltStrike_CN_Group_BeaconDropper_Aug17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious statements in JavaScript files","trigger":"signature-base-master/yara/crime_cobaltgang.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-02","description":"Detects suspicious statements in JavaScript files","hash1":"fc0fad39b461eb1cfc6be57932993fcea94fca650564271d1b74dd850c81602f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research on Leviathan https://goo.gl/MZ7dRg","rule":"Suspicious_JS_script_content","score":"70"}}]}},{"path":"signature-base-master/yara/crime_corkow_dll.yar","filename":"crime_corkow_dll.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":957,"md5":"7094586fc27f55b7b0847ed14b6c6d1c","sha1":"8cfe82883441c9222777e0cb265ba48ffa956939","sha256":"ef17a4daae32f4eb56108c25af493c5f83f0db391cf41a63acd087cf5c59bc64","sha512":"08a39577f8405f815c63e63b5127cd8cae0663fc71d7e1b36e8dca6d8f2dd3d1f0e9a4535bacb834c1a79b6034192def41f912140e3d17f528ac9cf3d6bec24f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_covid_ransom.yar","filename":"crime_covid_ransom.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":756,"md5":"5d4f0eaf6339f71c9344e292b91eb9cb","sha1":"1d30fe7b7672716b56d5e8151ec0684044f361f4","sha256":"e7a520bc873b320e4ccc9e3b8fbc047fa6107d7879a8d844aec04685e48d086f","sha512":"28fce930c1534bf6f3d6608da8525667359cc33ca98602f5b0c490104b75747c349b2826d1002a94ab45f2e36afbea94f743828a24d17f31b15a41d5d397873e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_credstealer_generic.yar","filename":"crime_credstealer_generic.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1216,"md5":"0b6dbc9eaf909a2d0c1f5e1cde8e179e","sha1":"061de0e6517e6ab42cd647d3a64a33f1b164cb39","sha256":"1c93bd7fc65421432620cbbfeafa6d51e7be16287ddbb9dedb9646cc68e9fe8f","sha512":"62725e26258d706a975b50136ecff79c6fac21e0df79f4ac862865cbb2daf4ac1c80f8f8c4a9b265474ad9d330005b4056612dda59319d6ef6734b2ead3282d4","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_crypto_miner.yar","filename":"crime_crypto_miner.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1324,"md5":"d6fd3bb68df61ad471d04281962f6571","sha1":"ef4b494dc6b85ee5ad9347ecd9de65ec2c3dd6f0","sha256":"a9bc0e768fadacf17116ebd2e5c5bd267a651dad03433b0effa733f8920e54ff","sha512":"5cde18b1494af8a2b678d7bc9264a4d0df04003cdd52062d2aa4b67749245b3e726067c090b92e8d7b9ab9df80b7f291bfbbdb64e7a149be355b315713c4d141","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects helper script used in a crypto miner campaign","trigger":"signature-base-master/yara/crime_crypto_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-12-31","description":"Detects helper script used in a crypto miner campaign","hash1":"3298dbd985c341d57e3219e80839ec5028585d0b0a737c994363443f4439d7a5","reference":"https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/","rule":"SUSP_LNX_SH_CryptoMiner_Indicators_Dec20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects command line parameters often used by crypto mining software","trigger":"signature-base-master/yara/crime_crypto_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-24","description":"Detects command line parameters often used by crypto mining software","reference":"https://www.poolwatch.io/coin/monero","rule":"PUA_Crypto_Mining_CommandLine_Indicators_Oct21","score":"65"}}]}},{"path":"signature-base-master/yara/crime_cryptowall_svg.yar","filename":"crime_cryptowall_svg.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII 
text","size":726,"md5":"431975757009b0a76276e1a490b3363a","sha1":"bb0a816d87496c7b360c2c19a918761b78b3742b","sha256":"c98bab03b09eaaae0204bbbcf7a8ea0a4be6ee6b7897ab741728a1c97e48fd91","sha512":"1e9f7c20a70c45129ee306b53d812a917dc11ae5fa570c29b63b64aaf9fd1d239e6d10c0ab2105240c47192b0ee5d111f91cdb8efe951db95358a82dd5d48d68","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_dearcry_ransom.yar","filename":"crime_dearcry_ransom.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (419)","size":2683,"md5":"b332126bf6b7e73a77f4c87dd112ee82","sha1":"e0ff7c20f5fde6bbcca6c9181edaadac6221fda6","sha256":"aee882406772826c2aa26988cb8c1c8decc8ad9b61dd73380c6e323ddf01c34e","sha512":"acf21ec8e031b6706ad77b137709343bc14938e2b4bbf5863371699a09312d489982b2f087bb42ddd0c8e0d131154871234f45c63ef761999be7e24ed5101856","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Triggers on strings of known DearCry samples","trigger":"signature-base-master/yara/crime_dearcry_ransom.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nils Kuhnert","date":"2021-03-12","description":"Triggers on strings of known DearCry samples","hash1":"2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff","hash2":"e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6","hash3":"feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede","reference":"https://twitter.com/phillip_misner/status/1370197696280027136","rule":"MAL_RANSOM_Crime_DearCry_Mar2021_1"}}]}},{"path":"signature-base-master/yara/crime_dexter_trojan.yar","filename":"crime_dexter_trojan.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":584,"md5":"79fcd4bca201c0b785164b0b846685f9","sha1":"e357b0d2a147b23f25adb4c65e2a8e21afb5103d","sha256":"b6e175f5a3c610c24f3f93476cef7d73246299230a1a9e1613190daf9de6c57f","sha512":"23b2330f1d92e31dd4ac8e2109807e210a4c0e7bf9afafff476b0cae52c7f0a19152c3e7f51ad50a2ca0dcc54685a9588f9ae60151c0bbc5871e80f21e40d424","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_dridex_xml.yar","filename":"crime_dridex_xml.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":932,"md5":"b83556fc47cbef91ddfb8e606802b86b","sha1":"c0d637c8a6e60b12fdb7b3dec7ffb5ba8fd3b7b6","sha256":"ee8711b5e8a719e7bfa7c2cd5f30fabbb1422c0b1ea0068593209156579b03c6","sha512":"9f61bf37b0ff884125c8fa12e666d7947a6f987e55286b6bedf8cc0d8e1f2bee73228921eb7d4ea823268e40bb50bf520c46c3df018351d060f7ad0a87767bff","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_emotet.yar","filename":"crime_emotet.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (409)","size":4649,"md5":"595a7643743ddf67dcd1a55d92ccccb8","sha1":"fb773493d92d63fe4c93d8866d5d5364ce3db20b","sha256":"515869fa046299535d06927abe835c576c276b192b3739f83c2595f5ae0fd276","sha512":"ca444dda0559f3d35aee0d862a50c3d4ec9dce01b1f55e93f9298af506fbc02194de9daadc0914734f51dff03f36755d0cb3c3725b846f8ca19d8f568eb06623","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unpacked SystemBC module as used by Emotet in March 2022","trigger":"signature-base-master/yara/crime_emotet.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Thomas Barabosch, Deutsche Telekom Security","date":"2022-03-11","description":"Detects unpacked SystemBC module as used by Emotet in March 
2022","hash1":"c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5","malpedia_reference":"https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc","reference":"https://twitter.com/Cryptolaemus1/status/1502069552246575105","reference2":"https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6","rule":"EXT_MAL_SystemBC_Mar22_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies SystemBC RAT, decrypted config.","trigger":"signature-base-master/yara/crime_emotet.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-07-01","description":"Identifies SystemBC RAT, decrypted config.","fingerprint":"8de029e2f4fc81742a3e04976a58360e403ce5737098c14e0a007c306a1e0f01","first_imported":"2021-12-30","id":"70WDDM1D5xtPBqsUdBiPTK","last_modified":"2021-12-30","malware_type":"RAT","rule":"SystemBC_Config","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}}]}},{"path":"signature-base-master/yara/crime_enfal.yar","filename":"crime_enfal.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1978,"md5":"2656d39696a545f2eacac15a4b9c073e","sha1":"af2a3773f600fdc895edcea2d26f95b102ef89e6","sha256":"b4d814ef48a6730c5033fd8c5b6f38baf2e54cc83d33ce459cf34ee4a6d0aca0","sha512":"80b3ed6d830b29ba63f9f30b26c649464dcc684dcdef833b91208e31645589141c18097582da5ba10c4e9eb164953c8b8d02e38b0fbce5103ea7e8f19f15efc4","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_envrial.yar","filename":"crime_envrial.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1558,"md5":"9a13aea10871282c5e5f3d794cfafdc6","sha1":"310c258af27048fb2df6ff8528545f860b35dc03","sha256":"5eefbce601a784df32b0720da8108eb9eca1fd165b954f2563a44e280f37fe1f","sha512":"ab41dc2928d83c1ab593cd59e7cc3ba0fb0897aad8518ce59ad52aebf85f524f00aa2f017631929a3515a8cdc9893cb212dac798ae2b3f603157aaa69bdd21c2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_eternalrocks.yar","filename":"crime_eternalrocks.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1855,"md5":"c1b01a28018faab50f64bf54cd57e48f","sha1":"c376df1fd402e44f15d2ffb28b26be2d440f2e2e","sha256":"be58babccc2e109a2a6efe8eac3872d54f07b2f9bda51bcd4f043f2a48ba1163","sha512":"2a43d010f42ac5c6f44b15e0a96522191aeff88a7c991852b7ee39dd9588147c97317114f5888d7cee9a61772efeb6c8dd1117b585046ac9c911be2d2b025b0c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EternalRocks Malware - file taskhost.exe","trigger":"signature-base-master/yara/crime_eternalrocks.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-05-18","description":"Detects EternalRocks Malware - file taskhost.exe","hash1":"cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/stamparm/status/864865144748298242","rule":"EternalRocks_taskhost"}}]}},{"path":"signature-base-master/yara/crime_evilcorp_dridex_banker.yar","filename":"crime_evilcorp_dridex_banker.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":881,"md5":"681d849b2bb15396e7845776104912fe","sha1":"d28831d439a9df9952f82cd4ff94db84ef4a9c85","sha256":"a045b642432c9a1d5586e1bf4e2e4be993622acae6f14619243b08a35fc17f6c","sha512":"2ca665f0e9b8293d3f6956fab6d95718583646ded7a4a54eda6e3296a0dbc32fed2917b4360f4efa53b4148a9122fdb9d9231fd6b24a6cf708d02b62020331a1","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_fareit.yar","filename":"crime_fareit.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1164,"md5":"3ae17490bf2dc95b7fa6e0f27fcaa5a1","sha1":"6df6fb811410c699b2cb34aa3f9458555d084477","sha256":"268afb931800e0389124e83e5d76cd0a172f65e0bf76a09d485703066c7a4e94","sha512":"f5fb0054d164bdab3818e94ffe98ba39e00e0690466da55746af4cf46e3507acb6a9886dc12dc1c032af9d6718638b565ec977caee6770500c4e478554c9ce91","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_fireball.yar","filename":"crime_fireball.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":8076,"md5":"82793ad266c336991b96f6b4987dad45","sha1":"0f90bc47824ac7bde9bd9605a609a9f9f59ed4b9","sha256":"13bca5ff8df2da1aedf361c1fbafaa791a2354e19253b7aa4331c0e2d3a6aa2a","sha512":"06677a35c1d4afd6209eba64401887ffcf059e07aa4813b4a807a25647bde629ed7a8bbde01ae43e2f30228eb90a523f3328de35cead71bd7739aa7449f19f3e","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Fireball malware - file clearlog.dll","trigger":"signature-base-master/yara/crime_fireball.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-02","description":"Detects Fireball malware - file clearlog.dll","hash1":"14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/4pTkGQ","rule":"clearlog"}}]}},{"path":"signature-base-master/yara/crime_floxif_flystudio.yar","filename":"crime_floxif_flystudio.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1402,"md5":"6c30b8c204041d21910d82c4a9780c71","sha1":"52dec9628486e4617b545ec657e20acaea5f853b","sha256":"25619ffe3f5944ab823505a92c6a6ea87b055fd4b490aa09eea7c6c015b47829","sha512":"86ba0fafa364d3c5c4d5c52deec5f058d75203136260d612af11528f486399f2369c3623d5b78b4eea5432966783081db73f35c4939f1f1c5d8ff4377aa44c50","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_gamaredon.yar","filename":"crime_gamaredon.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":874,"md5":"9afec3308388812540be844347f2a573","sha1":"04543c09502a29c2bac24d00fe761a1784da1443","sha256":"589b3cb85e63c02d34a45e3d7da3e9e67c0d367532a2be8629902d07678e194b","sha512":"a9580f3c47c1f36ca81e4ad6a305a1c54c1f3ab788a51cb621400bbcdada10e7250f41bf312e7594ad1542cc8841f1b782601f45d8c471a69ee2d1571f98fe9e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_goldeneye.yar","filename":"crime_goldeneye.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1598,"md5":"45682b68d673e4c3d73061321fe79b2d","sha1":"604c7b089c1e8e0d750a0d3117ff8bc9795483f1","sha256":"c619d42f6456f991725a9f47423c7088bb7f33fdc5a855469053a0e7d8deadf8","sha512":"25e923dbdba4ddf2a78670518012ca2b980fc1dabf4f4112fc5c4a7cf7b345c92d01eb8cefa6dfb96866118025f8158c4f2d4e2ff579243c9f0045adefca8440","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_gozi_crypter.yar","filename":"crime_gozi_crypter.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":434,"md5":"c41f17e3723b8cfc700b73bfb54c331a","sha1":"b4faba118982b18c11f3074f68ec15e7427b56d7","sha256":"5245c7114927305f720d732f847beb16c71af67a5e3ac66c9f778a6342d94ffd","sha512":"b40d727a1f41a19434564f3cb02175202da22382e33328cd8da9aff2b14e573296863b0b8e39d723b888009f8d13274be7ba595b9382cd51bf7506b864b15df9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_guloader.yar","filename":"crime_guloader.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (519)","size":1071,"md5":"3bded53bc3d18363793766f583034aac","sha1":"2971b052fde883e9ec4808b7264edc58d385c49b","sha256":"4572f9f9e3606e331faf434973a5bd6a75b56b697156f6fdc151711342d311e1","sha512":"5d897857997a10deb58eb1a13be2121361acdb71a242f9e4baeb16aba5357a2894cb2722fbfbd50201f87997fc75b07d120e65d525bce4fde8e4b9d161fd1a78","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_h2miner_kinsing.yar","filename":"crime_h2miner_kinsing.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":610,"md5":"cc95f53e4eba8d7a90f64d989190c569","sha1":"9accd6cd1554eba7e32aee012e12700042e8c795","sha256":"fc580f3fdb553cb41a94ca29ad15c059a25644b00f2dabbe7f5faf135c5ad42f","sha512":"fd4092677f37ad00fcab033f8afdfc40909303bef4ce151e280111f23a540471b15a18518f7e07bbd052a0f9af5f1f6ceac0481fb4c5f19bff5f5348c0f71c84","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_hermes_ransom.yar","filename":"crime_hermes_ransom.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":989,"md5":"5a3b2704ff7a3a1289153969e7054b3d","sha1":"861208d72776348219b25b626dd938f6b17142ae","sha256":"dbb2876b36865fcf629f94cf18ba7c85b6f139f46331df27d729095610f8bdc1","sha512":"33aeba41e095ff8ed55433153eab6fbc7d7e61c16128e7e6f39b740fcf80fc8e61338cf107b219097652340348a94dc27d038fedca4287aa375bf0e66a5bb95b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_icedid.yar","filename":"crime_icedid.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3424,"md5":"3fd5c9001ba52a7c47147d154f34c366","sha1":"92002eb6e53153e08f39269ff77bddf1a2dc6282","sha256":"2576ca0c24b59abbe035105b2e351c38673cf1a6310cc636f5a2068456f328f4","sha512":"5f530ed12c19a76d949ad3a8143b7d83676131e01ca0534f9a40c447444c863aaa9c5364142e932e9c12a7a10ed60c80c38912c81c280c934d3a83b06fedf8a5","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"2021 loader for Bokbot / Icedid core (license.dat)","trigger":"signature-base-master/yara/crime_icedid.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Thomas Barabosch, Telekom Security","date":"2021-04-13","description":"2021 loader for Bokbot / Icedid core (license.dat)","reference":"https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240","rule":"MAL_IcedId_Core_LDR_202104"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.IcedID","trigger":"signature-base-master/yara/crime_icedid.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic 
Security","creation_date":"2022-02-16","fingerprint":"155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e","id":"11d24d35-6bff-4fac-83d8-4d152aa0be57","last_modified":"2022-04-06","license":"Elastic License v2","os":"windows","reference_sample":"b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982","rule":"Windows_Trojan_IcedID_11d24d35","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.IcedID"}}]}},{"path":"signature-base-master/yara/crime_kasper_oct17.yar","filename":"crime_kasper_oct17.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":929,"md5":"79cb427bbc8b77f60d6114c91032d130","sha1":"69384ebd2eedea49635a40583ba88a89a589e294","sha256":"9fd10eadaa6b9e4373fa548c40c747a0c99b6578149e2afc8b0490f85966d537","sha512":"161208bc0ac0b720702d8cdbd0490802533179ff7e7b074e6fb30acdcbe8255fb3f4acb7b50cf0fec76019d19f507c350a62716b5874d69f9af62bad7d92b659","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_kins_dropper.yar","filename":"crime_kins_dropper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1591,"md5":"0281f6231f915f38a415b0f0835d4a16","sha1":"d511f1c245aad95f4da978123ddcad910d3d6315","sha256":"9a895e31c65591d3a15f20443e1cf7e99a677735d397cc23e3b598f0c776d4b2","sha512":"edf0962d472c3ea9bd455c3a7a7b27bf731460595a936e70cd2f226c424b5625e65adfbad950ca797ee64a90f4ed9b19a5bb142d08c79dbc2843b46d87abb249","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Match protocol, process injects and windows exploit present in KINS dropper","trigger":"signature-base-master/yara/crime_kins_dropper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"AlienVault Labs aortega@alienvault.com","description":"Match protocol, process injects 
and windows exploit present in KINS dropper","reference":"http://goo.gl/arPhm3","rule":"KINS_dropper"}}]}},{"path":"signature-base-master/yara/crime_kr_malware.yar","filename":"crime_kr_malware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1341,"md5":"1adfead70dd6bd1941738212bb0f224f","sha1":"76900dd40c7e41e83a97e47e045485e66a6de4de","sha256":"05cf97ce14d5df9ee0333bb422e6163b585bf91db5f34a9879e3cd8ed09ac6ae","sha512":"25ec14646109ebb4d6e69abee23e297fd30b071d0ff439cf07dd55693b8c22622e07862ac99673f534871c4ed9191dd1edab6cec60141ffca41f2cf9d14e654f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_kraken_bot1.yar","filename":"crime_kraken_bot1.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":867,"md5":"85bb8f8d67ee052c0172b498823cda51","sha1":"e6fec61ecc270b7406868aa4e16005f6dda83adf","sha256":"aedeafd0a533ae7099cae1fd0a7f69ef727d77a824352213c9e94a2251ff10d7","sha512":"5eb6ef6ef35e444a9913c00dea9ec309f4c1cb02789049676a12cd44a7dbc321b59a68444d3c7b357e833e19178398e21e7bbd85e6e3fc4226e9a75162a15c90","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_kriskynote.yar","filename":"crime_kriskynote.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2531,"md5":"1723c99f6fd53135e8b3531f73d19b66","sha1":"14523d503abfcd9965e6004a6a317ebce19e19ed","sha256":"e7b03d0193b447e18c7137a947c24aabb31d98c9e604e9a9ab47d8391c2674c5","sha512":"2ba7efcd3bd18363033064d9a80670a18b3b5bd465c8a6974d62191e635503f3084ba5dc1a1daee4a152d24f79261d82345e6e21505ad8cec09b0610122bb257","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_locky.yar","filename":"crime_locky.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":612,"md5":"d7442fff2e444c5ee812e99211327069","sha1":"6d1ca590bc502ba4596570280e7e99593fe93db3","sha256":"429ac47d433dd2dfb16924fbc7e4254237b56ab38f81666fb15346ab14ab3ce8","sha512":"49bb589a1940cf81f1441aaa2986685d45c3cf6c79c12b1095a35dfdd7a812360e80fa962bf33c387103f4d3925e1c22d9210154c256e5ee1a84f19d51097caa","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_loki_bot.yar","filename":"crime_loki_bot.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1862,"md5":"7bd5a107174d67e0886c5dbdb777884c","sha1":"8d99d2b109eb6deea0a1fa963dd5a88a91b9b3fc","sha256":"7b2755d48cff6f82d652298e2013dd94b5c1c142bb6a906c95fad61234bd6305","sha512":"2ea50d6af74836fa914fd254cc40d2ef96543ac95c10aa87130be1618b2cad7bf2f8a841112b643747be781188faf84dc07801f408d0c3b310a999f7061d9890","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_mal_grandcrab.yar","filename":"crime_mal_grandcrab.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":607,"md5":"e74aad04c6cd5c1e812edc95124749f1","sha1":"5e32bdd2c925357d4ea6d06e7f19b003d2f1b43c","sha256":"a726d5c85237b4f40d69c4a3de9207ac23510d9b6fabe1fbd1d80d1a36d3018b","sha512":"752c4e806574541c92f7df102c4e4621073f8b6c1d64b8612f6559f1a69581f4002077ed58e3119884937fc510da43ded8a0f75b27d59fb69702ddacac83c32a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_mal_nitol.yar","filename":"crime_mal_nitol.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1241,"md5":"88685b782616e8bfb82c0652868ad83e","sha1":"94568fd12c36d75d2491d72656abdb59df2dbe0a","sha256":"882ffd622ffbadca01a4b47ffe85528f87c351bfa517a8e14b3c7fcb37ab75e5","sha512":"d206c7957e1b00a2c76d544e2a82281e63f5d8812acadeea9c476a96ab265b80edeb690dae0999e5e03cec949db9c0c090a9b70ac261ac02041ec82d2b516023","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_mal_ransom_wadharma.yar","filename":"crime_mal_ransom_wadharma.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":455,"md5":"a178afa8f238c037e2a7a64b5fad91c3","sha1":"fd3af187a02be2673bab626649e92abfcd92aaca","sha256":"d435a8c6347c4a618937f85bc5192738d9e6d68e3a535c031a0a4bd27d13a1b4","sha512":"3b93adc8bed146d3fb8b55e9872ab3b300875d7b32ff30fbdcd152144aa90053654dfee663c41b01b34127d6f02e93700de96a0df30c36aefa8decb1d0957907","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_malumpos.yar","filename":"crime_malumpos.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":569,"md5":"fa2d69ce0c76f1decce2a0435a93aa2d","sha1":"5d48b6f31a1d85869ede2d364dbfcc0f7467ff5d","sha256":"29ac7b184ff1af96d2d5aef103dfd44e377fa0f7c5d37dac45c7983fd3cbfc15","sha512":"0797930ed8bc6a741a4e263ce7838746997e6f8f7fe2b74cb7bd1598f79704622352354220298fc6ec3fd454aa3a5bb06ad5ced80a991e7ca6d549b5e5be1279","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_malware_generic.yar","filename":"crime_malware_generic.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4338,"md5":"b8d9c0994ff0d69ac84d743d843f6479","sha1":"a0637ad0562f6c434e1d08d446010586c3c54c3a","sha256":"93b1c9d8e841b27018547854dd683d04ddb507fe95aebfcf438e40fab2b74b17","sha512":"10378622358198576a2566b626e187d9232b95c4f901d1963699db7be78f2bdc7948b1b1bd0bb3893fc6aa4671fa7c468fe5bbd5239f6575f0fa408eda0986e9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a string also used in Netwire RAT auxilliary","trigger":"signature-base-master/yara/crime_malware_generic.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-05","description":"Detects a string also used in Netwire RAT auxilliary","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://pastebin.com/8qaiyPxs","rule":"Suspicious_BAT_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Trojan Downloader - Flash Exploit Feb15","trigger":"signature-base-master/yara/crime_malware_generic.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/11","description":"Trojan Downloader - Flash Exploit Feb15","hash":"5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/wJ8V1I","rule":"TrojanDownloader","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unspecified malware 
sample","trigger":"signature-base-master/yara/crime_malware_generic.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-19","description":"Detects unspecified malware sample","hash1":"f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"MAL_unspecified_Jan18_1"}}]}},{"path":"signature-base-master/yara/crime_malware_set_oct16.yar","filename":"crime_malware_set_oct16.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6826,"md5":"caac6321363372ae67e640bb7fdece49","sha1":"a2983b2c8529b18b1469246191ff83c40fba8da1","sha256":"3019f37b5aa5bb88c72ad417b37200818479609e671ceaec381b12eb15365db3","sha512":"50e6c3d7bf689e7dd8a81c465c7e2423f5683da2b7ffafa63f7df33b2bdfcd6ecac8567c807c26de3959af2b547764edac11feb9fc5bb3c92ba4d73634cf31b3","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_maze_ransomware.yar","filename":"crime_maze_ransomware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (560)","size":1068,"md5":"2232133fd520896a35f2c258868d4bce","sha1":"b49eeed87a63acd9771b2a9187d0f11310a087c3","sha256":"efc919e68025126e8dfc39bd6465ef2153e07a8e9be2ac739787a91e116e1235","sha512":"77f3d22d3a463a65811d3c03b2489d163d4f0bc51af9d6a9dae8b78bcbc4cd9284300639776decf7fd4ba0a426aa47d36b712ef3cea76cd5659627f4403b6f05","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_mikey_trojan.yar","filename":"crime_mikey_trojan.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":918,"md5":"f7fcc42f7a2f88093ef433c44bde832a","sha1":"a2171808186927a7394fc3eba33918dd351cad48","sha256":"21d1a61157d48d59f8e2cdf11e3b47dbcc9b65522ca138c29286395ad0b2e160","sha512":"610646ac590701439dfc930dad6ad5514302025f523704e432f0c33c0b5f5da40df252c5aa59eb4f152c299c46129b1565b85ecbab39d5e29186f83748be61b8","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_mirai.yar","filename":"crime_mirai.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":7204,"md5":"48af4186d21041245ed12fb3abc8262f","sha1":"8799dcc7db4181f27f42c516041eba83f0ea7aa2","sha256":"d33bc05b7c620c6ccbdba36d4aa70c247c456e8deb67590cf9ea4104e7f285b9","sha512":"3063fbf1789bf2cf2fa740aa271b25087dfb3c6d167effecb2bba749a2180dabc2d1be37c3ad4f3d75d964a757c3c1c2b0ecd8032d5956e55dfe7bffb3de5887","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_mywscript_dropper.yar","filename":"crime_mywscript_dropper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1018,"md5":"61732e6d94bedd9b8bebbf721c8a137e","sha1":"63e02296ff126486bd4733a8163620cbb21b9c8f","sha256":"a43796e73963d7c13d9b3ca06e017b0ed84cd65adbf9d2f3b256a278b1387d71","sha512":"49528d9c5434496f4b012cd20b5708c63ea36091b3d13871f9b849ff683881a0b2a22864e90644c5288c10415e32e81137086b5404be3a0e5314b5c0ef2757fc","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_nansh0u.yar","filename":"crime_nansh0u.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5427,"md5":"c31f0ea9a3f9e92fa4e03a261ae379bd","sha1":"0179784d99ec0f528048d7032f904a6d60587433","sha256":"325d0f14391fb7759280ef8a5763a577dbefae1aa475d1f43a8362772ddb1b49","sha512":"8d8df57be38194a76c3ff8c10c8c66b90acff8095c58e38ad8fe33cec4e5e014a82cf8ed4a94700f9b790b53110b327684b6548c7fa99da7d06f9ed39220069d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_nkminer.yar","filename":"crime_nkminer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1706,"md5":"33c59447c3cfcbb77f6b44d84928c686","sha1":"61d1266e7b0ef16f55beb28b1e59adefa7ebf94f","sha256":"c12340728af7cb6ff3dd03694af778e21b28a6e8e108549e2e300396b40f2b23","sha512":"33d5957d9778b50f82f54dae161dae398010f56195278f402e2d0d534f73063cb61fa93a1e5c9eb626de529a3bd383f831099e5c124985c75d1e7de7164fa945","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_nopetya_jun17.yar","filename":"crime_nopetya_jun17.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2023,"md5":"d70bc0ca4f7a2cd056e7697169428756","sha1":"739cf5602dd29b12594c8ad75a79794675937efb","sha256":"7e3efd2fb3d1aa2b4c5294f583785ffa246e1559cefc7f8c248178c122a61f0e","sha512":"3a48185eb9784c31e753c07b7b82a24f8ebcc7a607398c36a87aa15a74acd5d04bd2dec7dd29fc7194aaba1c685c684c474293b9cd1d43748d669e62ac24896a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ole_loadswf_cve_2018_4878.yar","filename":"crime_ole_loadswf_cve_2018_4878.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1266,"md5":"26188fc53b0ced98c56d5991cf878ba1","sha1":"2ba8c3fc12663c0134c26e785b7bd19103c9811d","sha256":"969993b3c752f15bf818060d82eb7386ff833ce3fa2de1b07f64a20a201bd09a","sha512":"8e12c41fe86ee4fa612c205037ba2ca6c2b2b0af17cf549ead78b3b613f04bdb570417dd22cc60c7206033d2b0e023466a9b3b8798b0ea9326eab5c1205d6582","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CVE-2018-4878","trigger":"signature-base-master/yara/crime_ole_loadswf_cve_2018_4878.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"actor":"Purported North Korean actors","affected_versions":"Adobe Flash 28.0.0.137 and earlier versions","author":"Vitali Kremez, Flashpoint","description":"Detects CVE-2018-4878","mitigation0":"Implement Protected View for Office documents","mitigation1":"Disable Adobe Flash","reference":"hxxps://www[.]krcert[.]or[.kr/data/secNoticeView.do?bulletin_writing_sequence=26998","rule":"crime_ole_loadswf_cve_2018_4878","version":"1.1","vuln_impact":"Use-after-free","vuln_type":"Remote Code Execution","weaponization":"Embedded in Microsoft Office first payloads"}}]}},{"path":"signature-base-master/yara/crime_parallax_rat.yar","filename":"crime_parallax_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(766)","size":3244,"md5":"95a4c248bf8c998b2cf9f7da3719929c","sha1":"1e43944583ac972a81f3a95ea8fd5bb53f35061a","sha256":"af94883d02f79a13b9360210564950a2470cf29406f92820df3ab182878f3c75","sha512":"3b979a113688bb2c8f796cefa09fdf69225748de5ec4086f4ee52914c118eddfbab260e10b0ce97078930e113c0768b5cd8597ef6de1580c6127ceef9a02f6b3","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_phish_gina_dec15.yar","filename":"crime_phish_gina_dec15.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3600,"md5":"c387b234fe2f58be15ea464bd7c04d19","sha1":"6c7e73492d6d649ea555ebe89b9c5d78f21d0196","sha256":"ec22c728468eac4c05998f9bfa1adf0ec7f261d6735df21364a043dea608e6cc","sha512":"949318a35a30df12b1f341e70931d27d62bea648ce0d921b37f01a9a639917b8915e9ca7f83736c7569c4f73b7eaf37c23daff847b0718494486c3e3e9eb4635","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ransom_conti.yar","filename":"crime_ransom_conti.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":755,"md5":"0e96749ca0e96813aafa837707f41209","sha1":"046cae6550623aac1e33ab08d3948fafd0833dd0","sha256":"4a6887c48668c674603ac7aea2cdd8590b7355d20ac9984415f386542c1f9789","sha512":"68f010c7365664a24cd929a507bf8678e515ca264bc48021682f09adb1f2cf3bf0ce760449b5573ad9e4e3fc63645d323039cfc91b4d2be94d026c947e68f79b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ransom_darkside.yar","filename":"crime_ransom_darkside.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(424)","size":4722,"md5":"11869959e96253170b4c189c4c32de71","sha1":"eb4c16684e48c40a738bb35d6627071b0d2a34a5","sha256":"27c4ca64188babd2c97016289696e18112a06a22466b1fef8b68298cc52a6c83","sha512":"f9b4c8c5059d0b4e27d0b9c81e135283a64ba059ef5fbcfc691002a72a1d8d6c2057b98025fa96abb0071f4ba5eba1305e08bef149b101097a57182f177eca5c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Darkside Ransomware","trigger":"signature-base-master/yara/crime_ransom_darkside.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-10","description":"Detects Darkside Ransomware","hash1":"ec368752c2cf3b23efbfa5705f9e582fc9d6766435a7b8eea8ef045082c6fbce","reference":"https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/","rule":"MAL_RANSOM_Darkside_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies Darkside ransomware.","trigger":"signature-base-master/yara/crime_ransom_darkside.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-05-01","description":"Identifies Darkside ransomware.","fingerprint":"57bc5c7353c8c518e057456b2317e1dbf59ee17ce69cd336f1bacaf627e9efd5","first_imported":"2021-12-30","id":"5qjcs58k9iHd3EU3xv66sV","last_modified":"2021-12-30","malware":"DARKSIDE","malware_type":"RANSOMWARE","rule":"Darkside","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}}]}},{"path":"signature-base-master/yara/crime_ransom_generic.yar","filename":"crime_ransom_generic.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1375,"md5":"5b111910ae10982e87e7a12d1af21507","sha1":"73ce4770b3fa54e864aea35ac3d88326fb2f8384","sha256":"d33a4dc9a76e60ffe0eaae30e0948e32103ef78bd61a0c4cec3bd9228cca7e71","sha512":"94d44bf2412fe0e47bf1e31baed5dbac01424cb782b38ad72ed448d740e584bbca8abba8f872bfb4c69ac009bb2dab967e227a3c26ccec09c787b70ccb349d42","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ransom_germanwiper.yar","filename":"crime_ransom_germanwiper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1222,"md5":"2340ecbb0fa67e8b87d53c278e3f15b8","sha1":"4735e4ffa0d4f8aa1a17b83c80d14a140f7cf95c","sha256":"a5e476e28d33ec8b3a1f7acb80471370bb70acce2946100110899eaf3773cd62","sha512":"34cc7f3f97b1d81782597cb6ea6f22b82f9ec691e8ac615d021916d137cc473bd327cc9eac7038fd1b44f6e713a49975c26626f570d860721667cdf6e67a1d04","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ransom_lockergoga.yar","filename":"crime_ransom_lockergoga.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1336,"md5":"8739d5f91863d88f8c8c5b725bf36898","sha1":"c201f6a1627f0a1f0356cfbc046b85e1d68a7737","sha256":"9ef897a53112344a4a84d102e6bc67bffac5e891dc3899c12788ecef299af303","sha512":"6a213f49e6399011d3673763df9d53acb59974b4c9b328547c6eea02065dd0583a81864ce7dcbae2c0f765d8df132faf28daf34e257470fea1b83db40ab7d7ce","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ransom_prolock.yar","filename":"crime_ransom_prolock.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1060,"md5":"af6473e3030da94f4747675158d6bc94","sha1":"57a73a6280c2a2f4c46efc6235cb811a14f08fe6","sha256":"88234945d6d8125a91de705e59cc82934b629e033088b5bfe4096c08b4b64328","sha512":"b07a403c18b52bed47ac6775ce69a4e126a49c8f737e83fb2e9896cd770c0abfa428233d2bb897dd1e62fea434670a9a1d98cdb079c419cc5b18453c84efc446","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ransom_ragna_locker.yar","filename":"crime_ransom_ragna_locker.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3245,"md5":"d6cf63081382cb254d098739d38d0461","sha1":"a2712c014ef490741661055c7bf53109539b6cfc","sha256":"0118bf770772571528d6371108341cad332d496deb9f66fae95c1bd77c714954","sha512":"69fea0814a0be0aa9197395baeda8914c46cf97b8a8cf62bc712d58fe8bf15d224fae8ac01f79d974591efb0d3673f19a3fb2e32498a170e4d9dd2f4ba409335","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies RagnarLocker ransomware unpacked or in memory.","trigger":"signature-base-master/yara/crime_ransom_ragna_locker.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-07-01","description":"Identifies RagnarLocker ransomware unpacked or in memory.","fingerprint":"fd403ea38a9c6c269ff7b72dea1525010f44253a41e72bf3fce55fa4623245a3","first_imported":"2021-12-30","id":"5066KiqBNrcicJGfWPfDx5","last_modified":"2021-12-30","malware":"RAGNAR LOCKER","malware_type":"RANSOMWARE","mitre_att":"S0481","rule":"RagnarLocker","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}}]}},{"path":"signature-base-master/yara/crime_ransom_revil.yar","filename":"crime_ransom_revil.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1005,"md5":"5dcc7914d6ab38b9aa2d7ccd84c7ae77","sha1":"9c4e37e54ea3779a32cbfe27a8d241d12c4d5619","sha256":"cb60913a70165b43998bd16838b5f5aefb977bda54975f62b96db95784b03f9f","sha512":"be810439e122ca23d1cc412ca604058c4df253a587f5491731591a242eab072a6c441c76b9d287d6311366afd895747f678763f96da58c9b3e6a13066c5b7a28","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ransom_robinhood.yar","filename":"crime_ransom_robinhood.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":848,"md5":"6a8f3ef5ec64aca3f0774ef485197eff","sha1":"5d2cb9dce5a38bc01e1ed0d457c5c1edeb919e42","sha256":"ab5696aae4d4bfb0e5e596e19f132d9c03e5ea15095c41255513ee98dae77354","sha512":"9f761e7f560655cfed04aa6d6a475c20778d8ed60f330f14761874b57194e04d5f1bf817b43b1911de935ecf111045587e615d51f5595973c73bf2351c295387","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ransom_stealbit_lockbit.yar","filename":"crime_ransom_stealbit_lockbit.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":654,"md5":"a52c1e384e4c168b90c9801fb9fce521","sha1":"e22cebb2bd351dadcb3c9bac0324a71c67fb6e05","sha256":"a8561c273cde579dc6ff78f1707ded7a615ddb7e62dcddac8f4924d6bf4a4b5b","sha512":"133e53d645f7a0bef8a85bcaa1642587b148382e64fca21008f2da980013340c8ef5faebbb15687a8f736584bdb0cdf52f9fbe5e12fe7727f8cad7097491211d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ransom_venus.yar","filename":"crime_ransom_venus.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII 
text","size":1694,"md5":"e80cdd268cc19ebffff105e21523b5aa","sha1":"66e242afade3457a79bda81898b1cf86cb3fdc64","sha256":"30fbe41b6301ccf01127e4fc43a6250bf664de08c4f1eb1b690d3340428e4207","sha512":"8f6d94e09fff26cb1d30c0f6d941ee27dac8d2d00e9805c88ff674bd9d0c913c45cdf048fa4d0b97a656afbb41c466b22254d9ef00137844770840ddaac1965f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_rat_parallax.yar","filename":"crime_rat_parallax.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (533)","size":1859,"md5":"e14ac3e5cbfefbe2e6954774a1ebe8b8","sha1":"9adca890803565bc743d3c95a269d16960c51495","sha256":"4f83b1e4c55cf8cd1c55b7c92b42a6dc516a822e92355f8dc8ed05d5c8b7b6e2","sha512":"72cbcd0b319cc36dfc0c565468e146f34e9690c18361241021c19bf05b8a3bab702fa858a31e31bcd86b14e5e500b36267efc0824bbf23030c2c3c96e4718a70","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_revil_general.yar","filename":"crime_revil_general.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3103,"md5":"8f0ebfb0a79069e80c2501c7195330ef","sha1":"6f1ab0e83655b8a6753d7cf98408b8e52f135e23","sha256":"5d7731f19ee26ea1a894670ba2054f9e37249718f0aa31d303a89786eabdca37","sha512":"6a7cc57c4a645a980e3dc6f457e0f9b80fa0d6b40c8891135971bfb67cbb7f1530253b0c1d6549e1cd0ab258c5844b30bc01245aa339718f59dd5818f61044c7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_rombertik_carbongrabber.yar","filename":"crime_rombertik_carbongrabber.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5072,"md5":"4581976901210f783a356b6012ab3720","sha1":"340df5c4bc6ec54040815ab3b3abf3e5e3cf9f15","sha256":"a9ecb05f1aabf148277b54daa22c08ee08ab6daf0626a9c6b5f783e5a444352d","sha512":"9e693aa832494fca00220252fbcc84e57fb257734da86b87b81dbd44e3ded53bcec55fc8141205778e71b2415cee215ff73933c233bdad816a1f666285969def","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_ryuk_ransomware.yar","filename":"crime_ryuk_ransomware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":962,"md5":"58d7b9deeff64b48aed8f3e7331b3e4d","sha1":"08aca97308eb79a967598e7d3bbeaf93e964e968","sha256":"f96d71f30b76bac028f8ea7f1e121c0d7d66e209684ac33fabdced32b1600b1c","sha512":"67adfd7e9c5ec0601c4b71b42f6eef909882c9e4395847aaff4b8f876ffa05d140739ef94b320e566e5de51eea1d14788eccc800a8a9dfc872926fcac21a6cd1","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_shifu_trojan.yar","filename":"crime_shifu_trojan.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2885,"md5":"a7fae0aac666f5111554e282ede5c5bb","sha1":"576d48cd739431c9f594782af7abac4ec353df44","sha256":"0c6a74a7c92e7b5fdf666dcadb0a8d5c5b4a728f5e4471572173fe475c3a71cb","sha512":"115fab82bafb3480dc47a3731c553ac2e038d8190d3642f45ec1806d9ac87b919a37e9ed767c8442f0c804a9cb48e8ba27ef158565c2451dc51c62add486c0cf","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_snarasite.yar","filename":"crime_snarasite.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":643,"md5":"e22715c6da6adcb53e3f8016a3b38374","sha1":"d5b65a86587f0f964ef78bc6134aaf2e2e992039","sha256":"3b97370e885c2df1e512c94542b72091c8d666e610fae4cfbfe6dda4057690f4","sha512":"7089b887bcef9eede39d1bbb0c762e356a8abac0aff6b9d27f95f885fab84d7374538084f82083c7d79b3dc1eaeb0282b2adb3fc34d12373167dc069f2d25f2f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_socgholish.yar","filename":"crime_socgholish.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"Unicode text, UTF-8 text","size":2684,"md5":"9722a11777f5d27be55470bf00e398ae","sha1":"1ee684eaccb21387a12f84c77259aaf3664988bd","sha256":"4f5e66679d221b10111647955507440307cc5427954163c6ffebb2c78d91d340","sha512":"f341ffeb290413d2dd3193a2486a03ed882d4c7f4d65f2f0a0c4778b87ea77d7cb7f20ab8f1e988651fe038b40bfc5cfe0bb81b3030eb0037a3a35d7561b4aec","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects SocGholish fake update Javascript files 22.02.2022","trigger":"signature-base-master/yara/crime_socgholish.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Wojciech Cieślak","date":"2022-02-22","description":"Detects SocGholish fake update Javascript files 22.02.2022","hash":"d08a2350df5abbd8fd530cff8339373e","rule":"SocGholish_JS_22_02_2022"}}]}},{"path":"signature-base-master/yara/crime_stealer_exfil_zip.yar","filename":"crime_stealer_exfil_zip.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1273,"md5":"6f6f481bc0d6e2d61286a0e03c8d87f7","sha1":"e98a6788c607255fe07034a7c0906c0dcfb9cf4f","sha256":"ab95a1fd721e5b300b91124082fbcf544fb0e3b24eabc89c90d1d61a5d7aa39c","sha512":"77444def519e19e62d8807afdd7393056f7062eaac6c4bd851bc4a0b0105c9cfabe71360322a98241e54990016646ad72d82629b2ecd06e474554cf80049f555","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_teledoor.yar","filename":"crime_teledoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1290,"md5":"5b2426c94c85349060b3d1afe0731951","sha1":"2c6f69a6254217322f4d043016957932bb6359d6","sha256":"92f3e04666ee8591c6e777e47f4f89bb8bdc0559b34fd1788272e4c0083a92c2","sha512":"8f65bfa6949de0e2c630615cca3c3cc376772cd3f5387fd5ab9c305b36f18173592a0d8e268d4f1f22e2fe18638681d7862e41f7cb9290e7cff6cb3453e3a218","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_trickbot.yar","filename":"crime_trickbot.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4975,"md5":"955e02202f3f11385d5bc72e5d538f0b","sha1":"c4692db67014d959704783e2506c45143a08c71d","sha256":"d28f3afa406dc736a15e7a20fe7f6dda27f4cb2d8b4737bb6961c78132cee4d3","sha512":"5a82de738d9e3f11a595d7e1c1433be15ca9ffc69859b0021d8b97775c1efc19dc18ad3070bc46ef779346775dbdfb37188c4dc8e38f0f844e72b8d6f6e164dc","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_upatre_oct15.yar","filename":"crime_upatre_oct15.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2109,"md5":"fc02bd6f02edb4516c25520239e5a08e","sha1":"9d839af3aaa2a6e5c8f8a5a32e85a31a6483b21f","sha256":"d8c48e62d2f1dda014a4d581e1d80a57c122c4beb929f9d450c9ae6ef3003054","sha512":"31506a21241829a10abfdfc143cf8f3788602f5231d4c8825d4011b08ea989583a13850a93c02a4484becb413e38b9d77777679987820b8774e8c0fb34c71a84","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_wannacry.yar","filename":"crime_wannacry.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"exported SGML document, ASCII text","size":6116,"md5":"26df39e20a79b92962762363655ede84","sha1":"fc0a606fac83a038de0a960952e1a2f19b78052a","sha256":"b573bec4dabb1e94ebee0665393ed43fe2bb2cd17b8eb6cbc661f75901aa26c2","sha512":"327a9669578170d4e799b9ba9df987574f3bcaa14dd8b5012c8f8a29167c3e473321151e7a86cd3e65fe61765a90a0db6fce7c25c2175633d034d0d3f67315e1","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_wsh_rat.yar","filename":"crime_wsh_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":716,"md5":"d2e341c1aae292b6e3919526af7f2351","sha1":"ec2d17f15c3331c22fce7a4a7f77052a1150dfbc","sha256":"dd279d12567ed25c7224a8aa616fa5f75673e032a54612a19a63e63463db634b","sha512":"6f3ccbb49acea19c3eff74e48e20f40b4b4db747f21746eb1ae8f1fb1dcae01a0d5f2debb7adc8a3e06bfb8c1abe01a6af568bdfd70942f031dab18b9e0c9b75","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_xbash.yar","filename":"crime_xbash.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII 
text","size":2837,"md5":"259b4d86f0f01e2ea8e17c6afc4a7091","sha1":"678088325664a1cd5fa2bdf684a53fb570497437","sha256":"d10cbdb98a0fce77ecfbd603fd3d23489f1fe148554a67a9694c6a9fc7528fa0","sha512":"f733a968f468d418b176b356f80115c2163943eac83669cf30905601a4c8ff5bf5f88c53ee9fba309781a4b0e979e31f68eaf07cc043ee8c32926a8ee0c17cb2","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects XBash malware","trigger":"signature-base-master/yara/crime_xbash.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-09-18","description":"Detects XBash malware","hash1":"f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8","modified":"2023-01-06","reference":"https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/","rule":"MAL_Xbash_JS_Sep18"}}]}},{"path":"signature-base-master/yara/crime_zeus_panda.yar","filename":"crime_zeus_panda.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1210,"md5":"4a7c7d212c00555ce2bacab8ddd7fe90","sha1":"6c0cf088a3073b242059f3dbd4fedccee03aab41","sha256":"e28ba9599f5304ab6abe54aabd8705caa0c3d7e8bbdf2846ce3f59c8545a508e","sha512":"b0da661ca59bd880205422c320467fbddc7bc94c0c8dc059e4fab33cace90dee793eb688f78efe14661d51a6078205bc968ac4da658beaa60bcc13b52ee11ef2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/crime_zloader_maldocs.yar","filename":"crime_zloader_maldocs.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":918,"md5":"2b60ae65e5eb24feafd74c0a665a170a","sha1":"505c726f9e9a1b7c031278b9d7fb564aed168101","sha256":"52786bdb6c4b2c2a62a2d0d197e8d1bd698479eb142d49be926bdf723974fac0","sha512":"6b03760a91362c107dfa80a9b9861cccb7119b3a52fab32bffdbcd4032612e172509d890a0ff5110c8f0835deb6fec37d58391d9cd5e5a550201c14cdacf572e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_adselfservice_cve_2021_40539.yar","filename":"expl_adselfservice_cve_2021_40539.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1221,"md5":"cbb3773dcf05a7df81271e912903bafb","sha1":"d0e72d28f20afcc58f2a5abc0586c31a4daeb9a5","sha256":"fe03253b90db12bf0dc08b689ae51729a77de9d5332cd4cb3f739477b2427762","sha512":"c8994eae9c8e2875c87d3c639b5bcb2b650acc856daa4c0fd8c164c39458fea789bc52167ab6c068bfa9f7debcc8388c141b9f1bcd497721a15f6d28910389ef","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","trigger":"signature-base-master/yara/expl_adselfservice_cve_2021_40539.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-20","description":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","reference":"https://us-cert.cisa.gov/ncas/alerts/aa21-259a","rule":"LOG_EXPL_ADSelfService_CVE_2021_40539_ADSLOG_Sep21","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability 
CVE-2021-40539","trigger":"signature-base-master/yara/expl_adselfservice_cve_2021_40539.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-20","description":"Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539","reference":"https://us-cert.cisa.gov/ncas/alerts/aa21-259a","rule":"LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1","score":"60"}}]}},{"path":"signature-base-master/yara/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar","filename":"expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (354)","size":4106,"md5":"dbcc2dcbbeafa34232df608f8787ecc0","sha1":"8625ec3e31b04fc6e56f97451ab186dd36e34c4c","sha256":"857ea344a1d5bb7044dfb2b418b56438f3b77bc8a760bbffbbd4e36190c6ea80","sha512":"970e6da802a28b1f3f5104d831466b4a9a720206fe3fcaf2e6005c5dbd7d1b6ef951a04cacb87f2276a5a90c1dc9a397dca0c17efd4214b5f57744e9a9408441","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects payloads used in Shitrix exploitation CVE-2019-19781","trigger":"signature-base-master/yara/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-01-13","description":"Detects payloads used in Shitrix exploitation 
CVE-2019-19781","reference":"https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/","rule":"EXPL_Shitrix_Exploit_Code_Jan20_1","score":"70"}}]}},{"path":"signature-base-master/yara/expl_connectwise_screenconnect_vuln_feb24.yar","filename":"expl_connectwise_screenconnect_vuln_feb24.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":14139,"md5":"6b41c69f3911babb45a8f729ebcccde8","sha1":"128dcb70d7d640ed5fc1466b635ba0562aa11b22","sha256":"929fc886d2d60c6712c444dac4b3481b4384a01d09736a14cdffc064062a6397","sha512":"53c9f9b1f58a036bad079fb7689e89a9a2c1da10baf953065acbabd5597190f3eaa1041881fa33f7ba095320d48d9af295eb4c67952d2733343cc20c000ac24e","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-27","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"signature-base-master/yara/expl_connectwise_screenconnect_vuln_feb24.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. 
diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}}]}},{"path":"signature-base-master/yara/expl_cve_2021_1647.yar","filename":"expl_cve_2021_1647.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (1134)","size":3077,"md5":"dd88e7a6176d55873eac10b5de3de718","sha1":"99a3fdf4b4d1349c2857ee3e67efa24f26430412","sha256":"f8ba1ec595c49b854279353a3df0a5f58c74c22e32429e77ba7c54e028972d8e","sha512":"edcb3040e9297eb0d06126a12d79eaeeb745ee56c976b55dad3ee2b72f35473feb9577030a88b4a1fb7bae23fb84cebd17c1c66d0a4206580ad9a048a6d86521","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_cve_2021_26084_confluence_log.yar","filename":"expl_cve_2021_26084_confluence_log.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1265,"md5":"7571e854412af7b086e4e0c9cfec0db7","sha1":"304dde734a78cc008311d751f013443cff7ed19f","sha256":"44a182482b114bfb401d9a7e2eb73dc097930c35fc878605a180923b2cc0eb64","sha512":"9635d61241af6431a9691341ef6d417825a677aabd81b91aead5f86a410ee546c396ac4527be2b95abc000adaa7cf46ea3c45b9e91b2b807ae79b1efd00c1a9f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects exploitation attempts against Confluence servers abusing a RCE reported as CVE-2021-26084","trigger":"signature-base-master/yara/expl_cve_2021_26084_confluence_log.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-01","description":"Detects exploitation attempts against Confluence servers abusing 
a RCE reported as CVE-2021-26084","reference":"https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md","rule":"LOG_EXPL_Confluence_RCE_CVE_2021_26084_Sep21","score":"55"}}]}},{"path":"signature-base-master/yara/expl_cve_2021_40444.yar","filename":"expl_cve_2021_40444.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3990,"md5":"79ec7bf461732616949244b0824dcd47","sha1":"8f3f8f3ab7f4b9b387f9acda2f45811d4e78f2dd","sha256":"b0fa54eecabcec320a27d9187d0b701508116f5d9c981b42c2394f45bcdec67d","sha512":"60398e353ea60872beef3f1ab3adf333ee449c35fc97d7397b2f1d8aad03c9716fc1844ee49137ff61ae70bc0b753c3b0d50ae1f59f49202ef8e587af608b7d0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious office reference files including an obfuscated MHTML reference exploiting CVE-2021-40444","trigger":"signature-base-master/yara/expl_cve_2021_40444.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-18","description":"Detects suspicious office reference files including an obfuscated MHTML reference exploiting CVE-2021-40444","hash":"84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69","reference":"https://twitter.com/decalage2/status/1438946225190014984?s=20","rule":"EXPL_MAL_MalDoc_OBFUSCT_MHTML_Sep21_1","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents","trigger":"signature-base-master/yara/expl_cve_2021_40444.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2021-09-18","description":"Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents","reference":"https://twitter.com/sudosev/status/1439205606129377282","rule":"SUSP_OBFUSC_Indiators_XML_OfficeDoc_Sep21_2","score":"65"}}]}},{"path":"signature-base-master/yara/expl_cve_2022_41040_proxynoshell.yar","filename":"expl_cve_2022_41040_proxynoshell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1065,"md5":"44ba519da0fe4e670d4a5387648904ab","sha1":"ee91d0eec735d67b02105eaec160bf461010b55e","sha256":"90ff7dc15908c68339dc722b86672c9c6529e66f7d729ef6ea25e9c31ae7077f","sha512":"d589147263bf293a95e212863f6886515670eee18b69af81db029bee88437af71ba2d18142496c43d4361061a31ffb18c35c7031fd0ec0e0e32efb8785bdacc0","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_cve_2022_46169_cacti.yar","filename":"expl_cve_2022_46169_cacti.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":585,"md5":"a7a8dc62cdbd4c290b3dd35d0ea2935b","sha1":"10fe2e45f17d06594ed8a6b78e4ee7f36b71eb9e","sha256":"1c075dd0bd5053dc7d1ea36c5fbccadf7266aaab7af2aae8d00a8dc0d764cf6b","sha512":"88253fa58197e62b163669ac98ba7e5b03ef6cf5c2910a6de5d2897f589046e398158a47d6cc536165db70e1267fac3747d54150132adddacd6606169b14b413","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_ivanti_epmm_mobileiron_cve_2023_35078.yar","filename":"expl_ivanti_epmm_mobileiron_cve_2023_35078.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2042,"md5":"6af0a58e16e5cc90f6cb55f996901edf","sha1":"f352a9ae2dcaf2bca1a5898f3d5afe222bfe6b82","sha256":"16eacd742044534abc3e84c68c551c64a200c142065368658fa804784fdc24ac","sha512":"54f02927ada8d485d61ebe5dd48d4ede2289fd2d8feb88c5209a1434327a48680791f492a3229fd4a1fdc5046c2a534fa473a8d76c15554befec4f72bdf27c18","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_keepass_cve_2023_24055.yar","filename":"expl_keepass_cve_2023_24055.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1334,"md5":"fcf3542acd7ef15747a1d0327dfa5de2","sha1":"63cad3ced47bd8099262d1a65708719eed0d8fad","sha256":"2155d5a7a91f257047cd627175316d3ac7167783fd220fec789290cd4cac9c64","sha512":"a48566612814a2872c4c8f2b29e61cffc85c8bd86ca8c1ffad5736fe39861d048f26d5d9ae6a1291cf954ac9f59434dd9d833dbc46482f219ac23761f952b31c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious entries in the Keepass configuration file, which could be indicator of the exploitation of CVE-2023-24055","trigger":"signature-base-master/yara/expl_keepass_cve_2023_24055.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-25","description":"Detects suspicious entries in the Keepass configuration file, which could be indicator of the exploitation of CVE-2023-24055","reference":"https://github.com/alt3kx/CVE-2023-24055_PoC","rule":"EXPL_Keepass_CVE_2023_24055_Jan23","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious triggers defined in the Keepass configuration file, which could be indicator of the exploitation of 
CVE-2023-24055","trigger":"signature-base-master/yara/expl_keepass_cve_2023_24055.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-25","description":"Detects suspicious triggers defined in the Keepass configuration file, which could be indicator of the exploitation of CVE-2023-24055","reference":"https://github.com/alt3kx/CVE-2023-24055_PoC","rule":"SUSP_Keepass_CVE_2023_24055_Jan23","score":"60"}}]}},{"path":"signature-base-master/yara/expl_libcue_cve_2023_43641.yar","filename":"expl_libcue_cve_2023_43641.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":577,"md5":"e35bd881a90385e85e1a0c6619221ced","sha1":"ec00d5156413e7ec441eace5710974ccbbae22b4","sha256":"8c954548bbf54cc3f2d2b739bb82c9d2ae9e8ee9ac17f95b8667ab4e69bf5d8c","sha512":"d8b3f2d42e4076aa8b1f754094aa31bd86d607498b3e8070946cd3b3fe81e7baf6936e57568323f9e551b2b5884fd94f53947260a7886885d9f2deaecab70c2c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_libssh_cve_2023_2283_jun23.yar","filename":"expl_libssh_cve_2023_2283_jun23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":610,"md5":"829c048f07c6621eee6aac94138e62f3","sha1":"ddbe7949d54cfe311f6b4dea36a4d758bf8b4204","sha256":"585b92f3dfd7610bbc31a91a652281603fe185031c0640f5d27246bf1eb5653e","sha512":"4a160f357d36fb9b1e27ef441f26504d509f0ee33493c91f3822be30390820645232574109970a2211f7f297c682fe8d33ef9699c580d936ab6d087b28f6c60e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_log4j_cve_2021_44228.yar","filename":"expl_log4j_cve_2021_44228.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(450)","size":8187,"md5":"e7e051859857d09aec33088b1c4dadf7","sha1":"be5a5761bce7ae3c4a53963742464a990ce52b6a","sha256":"8062b50dac79368bb6702895496a5c1532326adcdb848b3c5be65ee7e9cc6174","sha512":"6a8d1a95b71ee5feb296e3c92a272ccf1647021dd7d44cda7ee5f793ba1dbcd46bc9a121c5dafe9eccd3600f158f78e184f85eec8d483f3a3e44f1d1cb200ef0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228","trigger":"signature-base-master/yara/expl_log4j_cve_2021_44228.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-12","description":"Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228","reference":"https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b","rule":"EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j exploitation","trigger":"signature-base-master/yara/expl_log4j_cve_2021_44228.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-10","description":"Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j 
exploitation","modified":"2021-12-17","reference":"https://twitter.com/marcioalm/status/1470361495405875200?s=20","rule":"SUSP_JDNIExploit_Error_Indicators_Dec21_1","score":"70"}}]}},{"path":"signature-base-master/yara/expl_macos_switcharoo_dec22.yar","filename":"expl_macos_switcharoo_dec22.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2634,"md5":"2a7ffd127259b0ce74ff1d60b44278d5","sha1":"c3fff85994cb091c95884195a3097096df922136","sha256":"84d6bd8650c3815f0b316b590c1c0d90fbf577ea19a64a4992f1b8e76519c1d4","sha512":"6a1597ab24a4c48e2512891d828173361ef6ce0efbb71c7ffee09eccc6141778bd35e1858ee0b542cbb68e2caa3b7a27cb22ab5a06d8c940666d3bb8b3ae5724","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects POCs that exploit privilege escalation vulnerability CVE-2022-46689 on macOS","trigger":"signature-base-master/yara/expl_macos_switcharoo_dec22.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-12-19","description":"Detects POCs that exploit privilege escalation vulnerability CVE-2022-46689 on macOS","hash1":"64acd79a37b6f8443250dd33e95bd933ee39fc6d4f35ba6a987dae878d017386","hash2":"6c2ace75000de8a7e8786f28b1b41eed72816991a0961475c6800753bfe9278c","hash3":"6ce080b236ea3aa3b4c992d12af99445ab800abc709c6abbef852a9f0cf219b6","hash4":"83cc4d72686aedf5218f07e60e759b4849b368975b70352dbba6fac4e8cde72b","hash5":"a7b7fcfd609ff653d32c133417c0d3ffd9f581fb6de05ddbdead4d36cb6e3cc2","hash6":"b2a97edb0ddc30ecc1a0b0c0739820bbef787394b44ab997393475de2ebf7b60","hash7":"c7a64c6da5cf5046ae5c683d0264a32027110a2736b4c1b0df294e29a061a865","hash8":"d517cde0d45e6930336538c89b310d5d540a66c921bf6f6f9b952e721b2f6a11","hash9":"d53a559ea9131fe42eacf51431da3adde5a8fd5c2f3198f0d5451ef62ed33888","reference":"Internal 
Research","rule":"EXPL_HKTL_macOS_Switcharoo_CVE_2022_46689_Dec22","score":"80"}}]}},{"path":"signature-base-master/yara/expl_manageengine_jan23.yar","filename":"expl_manageengine_jan23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":551,"md5":"bb4408e96a9f32c64e9f4660a0a64ae6","sha1":"0ac93cc42d4a13f37198f3ff1068d53c445df9b3","sha256":"8f45503cd760976b69c3d18b5c91b6c1f4e6d8efa3732ccc60feb5f9e78a0df0","sha512":"7f14095a174a606d72982ca90e0f17f1e532026da61289f8e4ea574174c175ec617e528430985aa680d688cbf5b515d8d923cecf483708370ddc9109c354e3ce","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3","trigger":"signature-base-master/yara/expl_manageengine_jan23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-13","description":"Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3","reference":"https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/","rule":"EXPL_ManageEngine_CVE_2022_47966_Jan23_1","score":"75"}}]}},{"path":"signature-base-master/yara/expl_outlook_cve_2023_23397.yar","filename":"expl_outlook_cve_2023_23397.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5241,"md5":"b3af50fcd24f073fba6798544162e859","sha1":"b84bcf82fb4c69b53ca4971d784c8231a2d7315d","sha256":"7c6a599abcd65dff0698e01560675fd37b281aa8380882609f76ee3ac77abbf5","sha512":"9f69dd3bee280e442bbee106501aa030b4d47cb85188c3df50fdea82ddc70068f0b5f361c65dd2cc5b7c639553ddbe7ea1c98cf175b479138311d50264ecfae2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_outlook_cve_2024_21413.yar","filename":"expl_outlook_cve_2024_21413.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (382)","size":990,"md5":"3116394442366264ab5378def42062b0","sha1":"9ae36ecadce1756e4ebc7e218c54961e76427419","sha256":"a5590aa6c5047ec335bdd04639c5edbcc6c530a90798173ef24a3329ef98f786","sha512":"510eba3c0c621a9f7512f8c82eb96fc9dd33fd5c4c6ca00ef72b73addb42e69c30ee57d99740136a5d6f01b876778b9a37ca7ebf1842ced62c1e67701382c9f9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_proxynotshell_owassrf_dec22.yar","filename":"expl_proxynotshell_owassrf_dec22.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3996,"md5":"24be9624715e614fe1b7b3bf4c00ee9e","sha1":"bebacf02ddee1f629e32c2f142a6491c95276392","sha256":"63375972f88a909b2edef84cc9869cb3cc32b75d5be09f67910f81433e3608c0","sha512":"f3ca0cfd0e135127765fd142a267b8dd6d7c8abd33692f2e11ce379002a53ba683abbc3d31e603a5e9c0e3d8cc46b1deb739186dffeab3c849a6cdb6a027c73c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_proxyshell.yar","filename":"expl_proxyshell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":11396,"md5":"7f1daa6cb36a379147ad8fe46801872b","sha1":"db0c9617572883ce26df2e273fd52095c3cbbe68","sha256":"40ccbf043b354b3a084243622122f95be8d56c994b8405b229d81abcccaf6f1c","sha512":"0e121ab0a84e175bd61a5e71cb0b0c0b96857ec733f804f72989cb517672186c759f72ce19a9b9a2894b7ed670bf28779fb13a233e15d36b0db85d00267ed708","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unknown malicious loaders noticed in August 2021","trigger":"signature-base-master/yara/expl_proxyshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-08-25","description":"Detects unknown malicious loaders noticed in August 2021","reference":"https://twitter.com/VirITeXplorer/status/1430206853733097473","rule":"WEBSHELL_ASPX_ProxyShell_Exploitation_Aug21_1","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects webshells dropped by DropHell malware","trigger":"signature-base-master/yara/expl_proxyshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-11-01","description":"Detects webshells dropped by DropHell malware","reference":"https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside","rule":"WEBSHELL_ProxyShell_Exploitation_Nov21_1","score":"85"}}]}},{"path":"signature-base-master/yara/expl_sharepoint_cve_2023_29357.yar","filename":"expl_sharepoint_cve_2023_29357.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2223,"md5":"0f098739390b8fa1f49764935f1094ed","sha1":"0d488e534310f343e3c6ccf2d91f7eaf511b1f17","sha256":"5513e8732751d83fc83105ae0391a4f0582de015150035631e3df1543ddb2a7c","sha512":"762c8d001691c7f8a5ebaeef0421690378d375cdb84966738b1c5cb47acecc2832b5f2c6ded567950276979216a3d291cac9de5f25bce45ec2be4824ccf3698f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_spring4shell.yar","filename":"expl_spring4shell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1976,"md5":"f6cb00fd6cb86ffb557420d487cb433d","sha1":"5763f8eb3e7e46c22b9fa943c8b385ddc9fafbe8","sha256":"2fe4f072c65ab34b731fa6ed09ea8d1074a9efe96f99cf7a586eff335d35e202","sha512":"95dde45e313a3f49fccaeed54b1912bce8ae9e89567f7efc68573af994e034820ca67627ba9e6acb8a88c873b7178a0f45c8d8be254ac66aa26e6aa9e9415d65","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JSP webshells","trigger":"signature-base-master/yara/expl_spring4shell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-11-23","description":"Detects JSP webshells","reference":"https://www.ic3.gov/Media/News/2021/211117-2.pdf","rule":"WEBSHELL_JSP_Nov21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators found after SpringCore exploitation attempts and in the POC script","trigger":"signature-base-master/yara/expl_spring4shell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-03-30","description":"Detects indicators found after SpringCore exploitation attempts and in the POC 
script","reference":"https://twitter.com/vxunderground/status/1509170582469943303","rule":"EXPL_POC_SpringCore_0day_Indicators_Mar22_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects webshell found after SpringCore exploitation attempts POC script","trigger":"signature-base-master/yara/expl_spring4shell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-03-30","description":"Detects webshell found after SpringCore exploitation attempts POC script","reference":"https://twitter.com/vxunderground/status/1509170582469943303","rule":"EXPL_POC_SpringCore_0day_Webshell_Mar22_1","score":"70"}}]}},{"path":"signature-base-master/yara/expl_sysaid_cve_2023_47246.yar","filename":"expl_sysaid_cve_2023_47246.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2563,"md5":"0f4e2e3cf7e00b5a2ddd424d2a682103","sha1":"afc69430ab5a2f32cd53ff608083f8fdd8a2f3d4","sha256":"20ee103efa51732cfe06ac59fe87bb0ad39270f96191ae4681b15903472fbc14","sha512":"dd1d946a82a57a527081a4de31a0b2f7b75aa2aa0e803de5da0f20d13e344eec9fc12acc2983877ff34ec749e8bdf767f73c0705e8b118c58d17e5ec30979474","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/expl_teamcity_2023_42793.yar","filename":"expl_teamcity_2023_42793.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1313,"md5":"6c85e2ffc4a377209020d10682f4ab5f","sha1":"ea45c44c9998d8511639d02b0f96f3df6ad17666","sha256":"c3b5f6bd04164332897bf4a56db13e90fcda9953bfe18f5eff2c2085e0c1debd","sha512":"7a036593ea7ec172a5eb72001d9c5318b8d0846a72a561173cdc2b3c36c11a061c917e4fa13c18ebba3251ed5dfa56692f89b9731e1af0d1b61d7a7fbc08c6f7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2014_4076.yar","filename":"exploit_cve_2014_4076.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":797,"md5":"4edb4bb188588817fbea8d81c72017a1","sha1":"f4c5a9cf1e183044f4c9f8c5918ec87146feca3b","sha256":"0bb694b2f7c1d06d9d4a76c9fe7f33fc7ae18e6a52c304af1c65237574028041","sha512":"eb6b1589b70861c48106f4fb2ad92299cbdb5304038fd1d9f7fd5c2185f245bc5580ab4e59964e3d46912ba86dff5af5397ed52baec029f9a71336c72b96602d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2015_1674.yar","filename":"exploit_cve_2015_1674.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":843,"md5":"6a00d3a35e55fcbbb24c506c1a85abdc","sha1":"cb7a7812c91194a91fbbbb7201f46d8563fa07ca","sha256":"69ea26e366c0e238d4ffd89c033c4123f15f5441c75d7c88ef5e7a3f63bd721b","sha512":"8e625f910e651360f08c4f447cedfcda707d86c01b645e124055ecc00fa330c05e155b227878545fcda73bbfa61ca7210d48eb9505bdb67e79d43ab798382503","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2015_1701.yar","filename":"exploit_cve_2015_1701.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":971,"md5":"6619c9b9f32bec8626e9e842cbe869fa","sha1":"2e72d344882f41b7abf80d18a66a5525ec2d514b","sha256":"06507258b5474f53ca39444fed5b6143549639d77fef25313b7c27f88207d185","sha512":"bb01ef7e07a676f8b910ee61112346bab5908613a3998e0ad726d2e55edb5fe828ec79951633b4b832ceae29a1a576fa33713709cb81eccbb70533f88f4e19b7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2015_2426.yar","filename":"exploit_cve_2015_2426.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2530,"md5":"cd2ef52c1812c5cd6e78efe8eb8cb331","sha1":"ec89e1ee9b9b02a58b374242199cfa75437dd402","sha256":"9746dbf42ad1980f6295fb0f91765b016f332cd100f120abb474484f1a022ffa","sha512":"ee42fa41b775ef805a4b3a15f767db9a8f5ea90dd0f2dc522c8b3dc82f0e2c159516df6db8c76a1a0ed99ff29371da04bea2c5024f2f7c2b0ef9657953a3a487","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2015_2545.yar","filename":"exploit_cve_2015_2545.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":540,"md5":"46b6618cffb93833af2659c194b3f5a7","sha1":"ba4247b44268d1eed20dd32eea2ac1408c08b2b5","sha256":"db5dba0b55ced2bdce75a6875bc3a99e1d94bbecc9e07eefa4ec98ff823d546c","sha512":"5388da2156e7e7a6bdc1f375383852694b0436ca52a4c38f6461bd4ff1456cbc7b763bff5876fc86a29256017a4e685f914171bed1ce5256b8ff2711ae1c1c37","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2015_5119.yar","filename":"exploit_cve_2015_5119.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":816,"md5":"eb5b8ca1fb11835eca97d86802c0a60b","sha1":"0e32c824616adb67dea2e3a0ad2adfc11f86acf1","sha256":"c610d8058613cbc1f5865434fafe15ae97979acb70a7016d5a6b969787ebc973","sha512":"fbafb7901d23bd84d16e96c9b95b0d236feb24012f239c566480bb367d2c04d6e9e5a9f58a452f9455b63dd35e5ef07667855b37b0cea14754cbf276a740df5f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2017_11882.yar","filename":"exploit_cve_2017_11882.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4398,"md5":"75b357f521047abc24a96cfa738bedb9","sha1":"a2b030e95303a6751b0c6b2b18df58a163b7b4ad","sha256":"5567115f282d33a36455dee240a5a21eb524610040c6489eead8f2cf5c3f865e","sha512":"1cdc018ae332f8d7dbfcf590cea5bce49c6085fde4fe03ff9b328acf205b3608092d0717be441a1159d2fdc82faef421c2186d4026b6df514865dcfd67ce1633","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2017_8759.yar","filename":"exploit_cve_2017_8759.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4472,"md5":"17ea7f10abef7e885859c3fd68a715b9","sha1":"e444f0e2cd10c47d7f5a387ebeab48f77171ca08","sha256":"1ce5993e5f5761be414a5f7f7762a29d40ea9f705ea8e40e1dd3e4e9dac28fe3","sha512":"a38f02ec4f5ce67d5f01292d182e61dff99aff9a455db1f804cd7e7bf3c4267500b0b03d7e37babe9a06307068b85752a64ef4705e8f3a022d5b2ac0d3af61e0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malicious files related to CVE-2017-8759","trigger":"signature-base-master/yara/exploit_cve_2017_8759.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-15","description":"Detects malicious files related to CVE-2017-8759","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/buffaloverflow/status/908455053345869825","rule":"CVE_2017_8759_SOAP_Excel","score":"60"}}]}},{"path":"signature-base-master/yara/exploit_cve_2017_9800.yar","filename":"exploit_cve_2017_9800.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":621,"md5":"e92dc3c16d421d67439cec3af1ce073e","sha1":"cd08c1bbb4a073cd83ce7516344381dc66153028","sha256":"022c6010e45e61181f93dd745bef879f1864bb0bf306936444c6422445dcd310","sha512":"150f13c1dcc139e0a30c6b87e20fa6bcb4ce45fac2f6ed96ae74bd67296e0d13a7872c2057f3f942b15743f3ebec34eccc173dc41b6e9ceb32268aa13534dbb9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a CVE-2017-9800 exploitation attempt","trigger":"signature-base-master/yara/exploit_cve_2017_9800.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-11","description":"Detects a CVE-2017-9800 exploitation attempt","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/mzbat/status/895811803325898753","rule":"git_CVE_2017_9800_poc","score":"60"}}]}},{"path":"signature-base-master/yara/exploit_cve_2018_0802.yar","filename":"exploit_cve_2018_0802.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":458,"md5":"b63a61ce4c2cc5debca9b1186d2b4f0d","sha1":"478c4447791782e2b4f76fee9b07f2272fa6583c","sha256":"b0a38a185d5a47b759363512ff41b074c4f179fac5a81b793b9b7d3110e9c049","sha512":"52e89d9ace4c8101b0b7ffa0a142cbea0aa51679063271d41e16eb0057a6ae297cb2658cd42a13c04f31c94d88c7f8ba1d1fa2578e8b153ca88b5e29472ca322","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2018_16858.yar","filename":"exploit_cve_2018_16858.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":776,"md5":"4e73431ea2d61601ec0e1c93347cc539","sha1":"c703d7fd06905552b2c0854bb6dc6ce8a0df9a8b","sha256":"9a642cd87b7d4453e944de41db8b509ee10d3781b43fbec77724b776ec05bdbd","sha512":"7dd5c49bd81c7c2c1ddfaebe6aeb4c7b9316f1a18a6dc626181ffb5984fdb2b2e310032a11e59568bb719ef88f9c5931959dcbe88344ac44dd41426274a89c54","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2021_31166.yar","filename":"exploit_cve_2021_31166.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":505,"md5":"1c5d79305e56fb4297a5858341eb22b4","sha1":"3d34e3563dfbcab7a94b71f41440de7a51b7e4dc","sha256":"69f49dae3cbdc423f2b44502fd96d9fb9cbc16b1a54de88713071392da36fb9b","sha512":"5b6d14e14f5222eaf2ef9c4626097e194d08658aa4ca3d08041229659f23e5a61a15546d07e83c41116bac616bbdb445d5a78dbb5104b124c795b2128e1bf3a3","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_cve_2021_33766_proxytoken.yar","filename":"exploit_cve_2021_33766_proxytoken.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":724,"md5":"a60700c77f9ee0dcda96b99620ca91f6","sha1":"cf2f3fd7e1e07b72f4ffcc7c32d64ac758b16d93","sha256":"50ffe9eeb70c331ff14c199be7a46f5de1a65ca38a2d1fbe7fb9e5f30f53442b","sha512":"123e2126b96dd3d4841a1b5f2ace46731900ae64b056b6dbce96dee5eacd7bd6a89507ce39032b0d7119e8d431d4f3e6f6c5e25261cdb2a9f44a36e9f21c54b0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system","trigger":"signature-base-master/yara/exploit_cve_2021_33766_proxytoken.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-08-30","description":"Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system","reference":"https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server","rule":"LOG_EXPL_ProxyToken_Exploitation_Aug21_1","score":"75"}}]}},{"path":"signature-base-master/yara/exploit_cve_2022_22954_vmware_workspace_one.yar","filename":"exploit_cve_2022_22954_vmware_workspace_one.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1318,"md5":"b7be1e31a1350e22e046c92d5dfc0220","sha1":"9b78914b83cbd9929b552688b684cbe21fe4b2c0","sha256":"2493b2661859670b18b02afdcccfc21f28b13380c437b94757db94cabe12a0d3","sha512":"6624eb202d5ceb462fc717159a65059690c7ade465c2c87f18e28febf6ee67beddc0ce7db711a099dd888b323f1ea43025ae1c70cf65e5ec6cce1fa0a194be61","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection 
CVE-2022-22954","trigger":"signature-base-master/yara/exploit_cve_2022_22954_vmware_workspace_one.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-04-08","description":"Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954","modified":"2022-04-12","reference":"https://github.com/sherlocksecurity/VMware-CVE-2022-22954","reference2":"https://twitter.com/rwincey/status/1512241638994853891/photo/1","rule":"EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22","score":"85"}}]}},{"path":"signature-base-master/yara/exploit_cve_2023_38146.yar","filename":"exploit_cve_2023_38146.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":496,"md5":"8df09b11b2d26049db07b0326a253b3b","sha1":"756ec82629868ff6cb9ab158231f28e8d2bf6a7e","sha256":"74c14f51357fa7eda2e6bb080f1cb3ce8b9af46c3395865c3ec965731389d661","sha512":"601342b32fbf7dd166ea256902446983d0d6aacb557c267c754d3792a7055d72575355a101708301b7f5cb004f705be3107331d9f4787d7bb229e7b7c4c914ca","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_f5_bigip_cve_2021_22986_log.yar","filename":"exploit_f5_bigip_cve_2021_22986_log.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":781,"md5":"b486f55e91dc8cd34e7665ca0e815148","sha1":"2a5049f82ce4252dc66e74d618497a38a3e81057","sha256":"a823ceffda6a1143189ef285e2b2408d8b3b819a8176d982cdf8ef7073587905","sha512":"99bc9635e266f20ae7772801d470d32b765b1a569161640972ad33f6bfc2a4016a05cb802a3ac72c3a8b4158a4f9e8e44911f7a501a0b34482f85b511d145ba5","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as 
reported by NCCGroup","trigger":"signature-base-master/yara/exploit_f5_bigip_cve_2021_22986_log.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-20","description":"Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup","reference":"https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/","rule":"LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1","score":"80"}}]}},{"path":"signature-base-master/yara/exploit_gitlab_cve_2021_22205.yar","filename":"exploit_gitlab_cve_2021_22205.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1529,"md5":"f46828921129228ecba60c291688077f","sha1":"9fdd90315d090491ebcee18fd8ed70f29f1830ca","sha256":"6963991f9efb90fde3d6e3083d2ad5a70c5d5a6255b697cb83ea2c4d84595d59","sha512":"34c3a97c00aff0f86e157e089a52548ab61521f465a52cd2ce3a7406ac5c47e7a2a0dfe3f4eda6431371337c4c539d2cbbdaf76c63e273ec430bac7df4689246","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects signs of exploitation of GitLab CE CVE-2021-22205","trigger":"signature-base-master/yara/exploit_gitlab_cve_2021_22205.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-26","description":"Detects signs of exploitation of GitLab CE 
CVE-2021-22205","reference":"https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/","rule":"EXPL_GitLab_CE_RCE_CVE_2021_22205","score":"70"}}]}},{"path":"signature-base-master/yara/exploit_rtf_ole2link.yar","filename":"exploit_rtf_ole2link.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":798,"md5":"71069a39f069c6e3ace604932426185f","sha1":"72dd5519b37c822fdf46cda881b9a1e09ddbb78c","sha256":"d92d30eca5e80aef72d4674904e185592c0e1ebf5d1db9fce3b118b1f3ccd441","sha512":"4877290a7719aec80550912f97096f479ec98c226426af02448bd248ac8a3303afd6433680c2218a8f07bb8090a59c42f9e219b45c574326044427001842d0e7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_shitrix.yar","filename":"exploit_shitrix.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1434,"md5":"4eb27c44711c15b989522288390bc895","sha1":"0996cc4ba41d17c324bca0213ff000c77002e113","sha256":"c1fb88018dfe4be1090192075c17b5c9e8e5326f12dcafd3b60f499402859eb6","sha512":"004b62d0b44c0f35ba1849a10682925cb8dced10afbe0ccbd68af4eed6c7452fa3caf13b7f3fad710da11113c1036f63d71d40d6365e19c278353bdea44423f0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects payloads used in Shitrix exploitation CVE-2019-19781","trigger":"signature-base-master/yara/exploit_shitrix.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-01-13","description":"Detects payloads used in Shitrix exploitation 
CVE-2019-19781","reference":"https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/","rule":"EXPL_Shitrix_Exploit_Code_Jan20_1","score":"70"}}]}},{"path":"signature-base-master/yara/exploit_tlb_scripts.yar","filename":"exploit_tlb_scripts.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":713,"md5":"cdb64670f4f5d6813ad9391e022968dc","sha1":"7d873a0ddee81224a586d92f88aa471e5b638e95","sha256":"5ffad999aa2eda6aecb46661fdc890cf019b00137a96c80c097f91e92b00f690","sha512":"f01a78a3cd3b3aa075dc3ce671431d3d7143269747f699ed481f3e3d222d4ca8bcfa26954fde452d9f982ec0d8536524e4d7deaa54e0c20730622a516752078b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/exploit_uac_elevators.yar","filename":"exploit_uac_elevators.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6982,"md5":"fa95e6fe6ba4c0ff1740eb77bf6ac5f5","sha1":"32f95a4541d1f0abab9407949eacc94e6d75c5c9","sha256":"b01192352f7d088bd8991d41164142b0d7f9efea6dd8560135ff0172b1eec435","sha512":"52d205663e942d45dfaf2a8aeebffb5dbe037f7a1d3670a1c4712ea21e361a552c8c955e5b3ccebb10c94d504c0183fd5b47514d28edda75d3ae2a194f6a9810","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_100days_of_yara_2023.yar","filename":"gen_100days_of_yara_2023.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":8409,"md5":"09115f99e1d06028ca04a426a98cedc4","sha1":"b45bf6d9a93676d8baf01e905454dc3d32f2aec1","sha256":"42e693959f121bdcc0f4794c0d7ea8e0117685306fb91a009f815bde19314d56","sha512":"df0552fea5a0e62814927da2aa471e3a95bb2f459d58873e9117c27bba2b04e113b71c4424e58d94e51b5bb2efec2059de4d615fe78d31f072ca5585688d4cdf","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detection for Dimorf 
ransomeware","trigger":"signature-base-master/yara/gen_100days_of_yara_2023.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Silas Cutler","date":"2023-01-03","description":"Detection for Dimorf ransomeware","reference":"https://github.com/Ort0x36/Dimorf","rule":"MAL_PY_Dimorf","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators found in LockBit ransomware","trigger":"signature-base-master/yara/gen_100days_of_yara_2023.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects indicators found in LockBit ransomware","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_Apr23_1","score":"75"}}]}},{"path":"signature-base-master/yara/gen_Excel4Macro_Sharpshooter.yar","filename":"gen_Excel4Macro_Sharpshooter.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3080,"md5":"3643d86f67621771418a4dcaca5e6248","sha1":"9c9d74c2917c031627f297a6d921d0719075daf3","sha256":"364a8fb68cfa56ad4f9e37ab846017c86ba73a020b7dd38da2057e5766d33b39","sha512":"2510fa404c37f18b7ce1dcb7c68738215ced64a111e46838a97e65e170166c5f7297a2aae81accd5cc38a91e4acc77b3f99e1e82e1375ad8020602879b2f23bb","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_ace_with_exe.yar","filename":"gen_ace_with_exe.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":612,"md5":"16c7a950179da1c6e938d3e4eda179e6","sha1":"5a5167f602fe1a66467e58cf17db50750092bd88","sha256":"079c297de80bd3906eafc3d705a2725ec323e5a437868d423e0fd33882d93982","sha512":"497fe82e189a36ef49fa8952bf22be58c299148c8f708d2c3d7073620db6273b67af8e6cb4452ad15d3856b7a5bdf7e503fc0a3ab4453446e5dd1686840077c9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_anomalies_keyword_combos.yar","filename":"gen_anomalies_keyword_combos.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1331,"md5":"c199df287f5bca71b010fb46810d6e98","sha1":"9c89b341b65ef6e80065841905855122c4db07e8","sha256":"a21e505c7fe81c775380f2aa94fe21fe04e4a442e80ebfe0798947d7877256fd","sha512":"7bd0cc901dc2de2e5e371bfdead90854ed544d7fe68974c495aceffdeea3ed861693e894c0367850bdd144bfdef98c9a17357e280e5448d0d00e5f161cd23377","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_anydesk_compromised_cert_feb23.yar","filename":"gen_anydesk_compromised_cert_feb23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (309)","size":3473,"md5":"f89722aa83aca23efa41994def0fae9b","sha1":"fbf085f73642f712e9c1ebc4786e5d9014fcf300","sha256":"330ba363992892ec8547913eb97dbaa2f19b8663180f0a07780b979aa64d652f","sha512":"148eb75aa344e02de756f353bd6c0d6a717cffc01cd6cdc67351cd61f34a61d9335d73f14ad0daab89a856a0ab17d3670d9eef9d45a754704a2303cf2e55b8fe","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_armitage.yar","filename":"gen_armitage.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2385,"md5":"b0759a89d1d0a0c8fe5afb72cc854e6d","sha1":"27aefa27a92ec21b15faf3e46d174bb69721df8b","sha256":"cbd67fcd107db1e6f614d5cb8d3df85bfb6c1d32793c8efa7127d095fe10a5eb","sha512":"7c7cf7935c38dcc4b492df30370dbe0bc287454e1e2b50e83cc7f60e52d918107679d782b1596cb93b98e78ddfd8c87f2946b637f347ccc225b31609221a240c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Armitage component","trigger":"signature-base-master/yara/gen_armitage.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-24","description":"Detects Armitage component","hash1":"b258b2f12f57ed05d8eafd29e9ecc126ae301ead9944a616b87c240bf1e71f9a","hash2":"144cb6b1cf52e60f16b45ddf1633132c75de393c2705773b9f67fce334a3c8b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Armitage_MeterpreterSession_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Armitage component","trigger":"signature-base-master/yara/gen_armitage.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-24","description":"Detects Armitage component","hash1":"2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af","hash2":"b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal 
Research","rule":"Armitage_OSX"}}]}},{"path":"signature-base-master/yara/gen_autocad_lsp_malware.yar","filename":"gen_autocad_lsp_malware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2827,"md5":"89a29be289c227e8bacd27d7c278532a","sha1":"dade79e51cc19a1e6b75ad7674c17c8b6abc30e6","sha256":"9a1fbe7b36412a2d5acd577558083997e12bcc256f4b169ea4e32aac5fa79de2","sha512":"b34a8bd623f956940f465829a7fddc013171f916cc3875f677279822769f38eac041cb81983b146166d693ddbc1f96a9a995f0c73e76d78bc43757d0d84853e8","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_b374k_extra.yar","filename":"gen_b374k_extra.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":732,"md5":"ebe390aa6615b24b293c60ecf405c5ff","sha1":"bb69ef49b9470a000afc172eee31d5ed75d0079b","sha256":"f71129aa36b534d60e71fb6068df2000b6dbe6e76b834467b529ffce5b6694a6","sha512":"df95018fc34dd7192e23dc5b7ea1ca37a54963baf00181595da464168a89bbc57f1d76410221e2d0e268dfb916cec0b57f28d7213c992ca4b0af34440f75684f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_bad_pdf.yar","filename":"gen_bad_pdf.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":572,"md5":"b79945e64f7897e927af0ce53680b734","sha1":"de578de58737d4fafcdde4a8c8da5becc5411801","sha256":"31113aec43265a7c1a12944a9589eaf2b2e7093ac05fd55ac0b562d80778b1ae","sha512":"8d417e3b706bb9dd5d00f3caab90737e4680240beab1d7f4de0c7dac720c3ff96c6ca4942c772fff710bd1b58baf377904ca61d007f1323e2fa10ddb21e5bd98","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_case_anomalies.yar","filename":"gen_case_anomalies.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3210,"md5":"6903985a298dd2041a6020c741b3d3b8","sha1":"0cb18051046f67474b6dd53656b05d49545d28d3","sha256":"445202a9476da9ebe0844fa12f5352de0b7d4fb1b364cbcebb61cf6d0b869c68","sha512":"265b32d05d664873177670c206cf5360f33ddce5f689677689617d4fb8b843b08d1c069ef8bf73832d88f037f2c5bfed157cb64cce2eae49a5211a29a9167de4","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_cert_payloads.yar","filename":"gen_cert_payloads.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":748,"md5":"c00c31ae9d758f89ca95f0228215ce01","sha1":"9e8b1fae8dde17ce93be3e5475cc2e5330b40eeb","sha256":"ba0931f1654d718d0146e731b02790bc2bfccdc029f569ea5117a94699324859","sha512":"6cab46447cc65cb86a19e812471d918a52aad92200f2155c521508c93e5817b12905f5a32bb5cdf85807c29c50c62559e88158927205fb0a86001c2049126236","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_chaos_payload.yar","filename":"gen_chaos_payload.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":951,"md5":"560ade36da05a295df648ba70df73dd9","sha1":"cb12362bfb94de557ebe879c3dd03de80a2feb0a","sha256":"bb7677aa0dfe01e8a46cd1453433da227bae78850ba7f7faed1d98135d157f1c","sha512":"dd7c7c2e1ec48b29f3d838741119bb9c48d2a08918a88be14a8346415f43f50177861677286e0e69ab42b6d8c3989e9ac0d82e10ca7d8c19b68013fe829b54b9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_cmd_script_obfuscated.yar","filename":"gen_cmd_script_obfuscated.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":735,"md5":"05cbf69a4a89672733a630d8ccef605b","sha1":"8bfc3abf983cce5e7b38a64cc26f85ac46b1ad84","sha256":"440a5886184dad7cf4159e5341ad4f1974c67c273ba0b6be84420a0a315e48ec","sha512":"fe0eb1de030e48737359cda5b029d4be5eb8c5233a80828e7cd731b8a8b4a5498a1e36ceb0d576593776f4a6dc603dcf1763fbe6f0beeb63339b22106d2d7a8c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_cn_hacktool_scripts.yar","filename":"gen_cn_hacktool_scripts.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5891,"md5":"caaee5c278609b3b663292502276db0f","sha1":"2ce36fa60f1db11c3f1e250f901193987b7be834","sha256":"6ea32573f85c63a2e270805d886a8e99faa9c1a903d9cb2c61f3298b21db565e","sha512":"eb2835ac50f47466fd8b8c69c667a24c3ddd3c1943f29f3f293a02d5b17bf93247ce5b01d2a83c98f76f2e1445260d36d1452efaa8e55464a5fdcb24a848327c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_cn_hacktools.yar","filename":"gen_cn_hacktools.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":101677,"md5":"513fe25bea16de2b1f78377e65358c8e","sha1":"3be02b8052225507d30fcc3d892d53beca32ebba","sha256":"24a12ed9d44465772178a2052be1c5e575a5404f1a3f64bf869f3f27b2d9e29c","sha512":"5a38f9e93aeca74069d40a0c976e690fd7fbfc4a27277f6b32752c48bd382a68444af63deb7d9fd9b941c51cbe862c92037a7e08a6bc3473d5b67bedd2cc730b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - htran-exe","trigger":"signature-base-master/yara/gen_cn_hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Exploit.Dcom","trigger":"signature-base-master/yara/gen_cn_hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"0abae84599e490056412d5a5ce1868ea118551243377d59cbb6ebd83701769b8","id":"7a1bcec7-e177-4adf-97a7-0d876bf65abc","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5","rule":"Windows_Exploit_Dcom_7a1bcec7","scan_context":"file","severity":"100","threat_name":"Windows.Exploit.Dcom"}}]}},{"path":"signature-base-master/yara/gen_cn_webshells.yar","filename":"gen_cn_webshells.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII text","size":31923,"md5":"43b3bd9eb8820abc321d7133273cc917","sha1":"4088351009c9466e2ba2124271da071c7b3476be","sha256":"4775d01a68755e57dd63d934d5277dd290d8bb11a6c88094913370140a4c5ea0","sha512":"e6434d87291b1f18d753c142c88b2ba8fd30fbae0412234e87615e541eef60124d614f74be2e37923cb991e3c3f7cbe0718ca465905e33705880cda2658e9ccc","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Chinese Hacktool Set - file templatr.php","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-13","description":"Chinese Hacktool Set - file 
templatr.php","hash":"759df470103d36a12c7d8cf4883b0c58fe98156b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://tools.zjqhr.com/","rule":"templatr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Chinese Hacktool Set - Webshells - file php.html","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-14","description":"Chinese Hacktool Set - Webshells - file php.html","hash":"a7d5fcbd39071e0915c4ad914d31e00c7127bcfc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://tools.zjqhr.com/","rule":"Txt_php_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. 
restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic PHP webshell which uses any eval/exec function in the same line with user input","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic PHP webshell which uses any eval/exec function in the same line with user input","hash":"90c5cc724ec9cf838e4229e5e08955eec4d7bf95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2021-10-29","rule":"webshell_php_generic_eval"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell which directly eval()s obfuscated string","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/12","description":"PHP webshell which directly eval()s obfuscated string","hash":"49e5bc75a1ec36beeff4fbaeb16b322b08cf192d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_gzinflated"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user 
input","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell in c#","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/11","description":"Webshell in c#","hash":"b6721683aadc4b4eba4f081f2bc6bc57adfc0e378f6d80e2bfa0b1e3e57c85c7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_csharp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"JSP Webshells which contain unique strings, lousy rule for low hanging fruits. 
Most are catched by other rules in here but maybe these catch different versions.","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/09","description":"JSP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.","hash":"06b42d4707e7326aff402ecbb585884863c6351a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_by_string"}}]}},{"path":"signature-base-master/yara/gen_cobaltstrike.yar","filename":"gen_cobaltstrike.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1893,"md5":"dd89a8d85f88a31e6887e4b3f044c3a2","sha1":"d3dede6c5dbc4afbb8b671ca7e02c223f1197b3a","sha256":"fc6960ab5d37100be47618a97307a68f2443292cfd4fbddd96226d55e700dac4","sha512":"7d6ac00ba07c2b76a0218ac937a97f59c1d79109f93f3516d06b9d72c9868d74bc4a4aa306477acd38eb522e6d29a1306af17db0b463591c4a7948c450070e6d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_cobaltstrike_by_avast.yar","filename":"gen_cobaltstrike_by_avast.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":31494,"md5":"bf65dea9bd05d55e969ce7b07f8e16e0","sha1":"03f643235605889b7bb8ec055314882df75d2f4e","sha256":"203a3cc1a742ca4abf0f8a365a328f74b3aa68bf68785b6551801ebc705f27ee","sha512":"fbdb8d003818efc19bd2302ff61b0b8a82d1405ecc50b0d52903cb99053ba917c9d35119ba24207d7dee3536e9eda515af4d22ff61e7365214188f949e1b8262","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CobaltStrike 
payloads","trigger":"signature-base-master/yara/gen_cobaltstrike_by_avast.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Payload_Encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CobaltStrike payloads","trigger":"signature-base-master/yara/gen_cobaltstrike_by_avast.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Beacon_Encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Base64 encoded PS1 Shellcode","trigger":"signature-base-master/yara/gen_cobaltstrike_by_avast.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Carr, David Ledbetter","date":"2018-11-14","description":"Detects Base64 encoded PS1 Shellcode","reference":"https://twitter.com/ItsReallyNick/status/1062601684566843392","rule":"Base64_PS1_Shellcode","score":"65"}}]}},{"path":"signature-base-master/yara/gen_crime_bitpaymer.yar","filename":"gen_crime_bitpaymer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":529,"md5":"144cde64f09029149ab5db188553c718","sha1":"0e1a9b52883c19d926345fd0bbc371b6e8c155bf","sha256":"7c5df0a3ef7e1cfc75cfc15e94b403f717a03549e723c2132a0c1b64ee063719","sha512":"79c8a5aaf0e876a819a543ed44482316850d4f49adc206a00a4ed1f44ce79f93464bb8e2fd22f88f37c336cd7aaeaa4cb60166b95c0d1988561307a0d0671a4d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_crimson_rat.yar","filename":"gen_crimson_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1749,"md5":"c6c5c2650b834a51124f9a9fa98c9856","sha1":"165fc58888b841013fbf5db82cf1c52821306d9c","sha256":"cbe4f0a7128955fcdd8f80d3a77a9ad3968237858aa7cf2ae83ff358e16696a6","sha512":"59dc16f51d9f7f1b80ec4ef8f8a5378600e5a65551fabf2d8694d2bfa11692b007cf2ba567b1a36dd34ac39f17c5a09369366a21731601f2be44cf3f6ce81748","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_crunchrat.yar","filename":"gen_crunchrat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":943,"md5":"4325ef907fce1d27e6a30e1467c67d7e","sha1":"6974ddc41e995d3ea940b0251d4674548f4c9e82","sha256":"d1466dbed3cd7a5a1708cbc4c135d372cae0025b9e80ed253f7c3bc5c19d4cbf","sha512":"79a24ea9203db706600f92d7be8a193f544416617068c125320ca81b221fb6cf4983e32ba8a8a43ccfd0aafb1212ab2a26ffe76c514fcb31b19c7b6a5544363a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_dde_in_office_docs.yar","filename":"gen_dde_in_office_docs.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1941,"md5":"e2a3b0b5f03faf9dfc3ed3dba95217cb","sha1":"369c2d6bbe113a4c7a4f25f7c6b4ead520b277d1","sha256":"96f8e9090e620cc09d4afccd0b26c872a71c1953f35e53361fc515495bcf98f3","sha512":"ca1f4e05888b6d26abbbaa170a3469a239bea7e4ea029bb75a0599253bb1c45a5cecf6fdaf5b4b2f6f697a270ee7d3dd379ecc14b589b53cb6eaae6f56f64bae","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_deviceguard_evasion.yar","filename":"gen_deviceguard_evasion.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":540,"md5":"f19e7d3fbbe6d24567381f184292c2f5","sha1":"8cba96ce729a6611addb159db0e38f08d97a5448","sha256":"954f32c912a7a0ebd1d60c1338cd272c2e5cc7a634dfcd750e2f5ebc2ed700b3","sha512":"e2324751e53b1061c417a3b8ad6eebc8adf62d51bceaac01853c02af78dd9587ea1405a0de94f58adf8eae4069c30a2514bd1b80e6aa7f56d0726ec9fd7d3282","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects WDS file used to circumvent Device Guard","trigger":"signature-base-master/yara/gen_deviceguard_evasion.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-01-01","description":"Detects WDS file used to circumvent Device Guard","modified":"2023-01-06","reference":"http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html","rule":"SUSP_DeviceGuard_WDS_Evasion","score":"70"}}]}},{"path":"signature-base-master/yara/gen_doc_follina.yar","filename":"gen_doc_follina.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":9538,"md5":"8ef5b749b1b17ee61d7ed4aa8adfc2c5","sha1":"24bea08a21ddd6543ad785942fd711124d17de5f","sha256":"04b070872c89a7668769df1bf0b714ab9b9cac977bc5a2954a86d726cfaefeb3","sha512":"9ac1abbf4679cdb446a3d962d6a5122116bff0cf0ded77b11a8028a3294f38d523d5f194f888b5264e9ff464136a05c0e1195da95d3929667a2d6d536bfabe52","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nasreddine Bencherchali, Christian Burkard","date":"2022-05-31","description":"Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation","modified":"2022-07-08","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"SUSP_PS1_Msdt_Execution_May22","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Tobias Michalski, Christian Burkard, Wojciech Cieslak","date":"2022-05-30","description":"Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina 
exploitation","hash":"62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0","modified":"2022-06-20","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"SUSP_Doc_WordXMLRels_May22","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Tobias Michalski, Christian Burkard","date":"2022-05-30","description":"Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation","hash1":"4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784","hash2":"778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07","modified":"2022-07-18","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Christian Burkard","date":"2022-06-01","description":"Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments","hash":"4abc20e5130b59639e20bd6b8ad759af18eb284f46e99a5cc6b4f16f09456a68","reference":"Internal 
Research","rule":"SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious pattern in RTF files which downloads external resources as seen in CVE-2022-30190 / Follina exploitation inside e-mail attachment","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Christian Burkard","date":"2022-06-01","description":"Detects a suspicious pattern in RTF files which downloads external resources as seen in CVE-2022-30190 / Follina exploitation inside e-mail attachment","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"SUSP_DOC_RTF_ExternalResource_EMAIL_Jun22","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-27","alert":"Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Tobias Michalski, Christian Burkard, Wojciech Cieslak","date":"2022-05-30","description":"Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation","hash":"62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0","modified":"2022-06-02","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"SUSP_Doc_WordXMLRels_May22","score":"70","techniques":"File and Directory","yarahub_license":"CC0 
1.0","yarahub_reference_md5":"5f15a9b76ad6ba5229cb427ad7c7a4f6","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"a9aad367-682e-440c-8732-dc414274b5c3"}}]}},{"path":"signature-base-master/yara/gen_dropper_pdb.yar","filename":"gen_dropper_pdb.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":597,"md5":"33edd94efd83bd6c09e41ab4d145b248","sha1":"db43471d887642eee6b82b8ebb97456cdbc2cbbb","sha256":"2e7ce616b86f808265439c35dab256ae81c86ca5e4ef2d4dc5af71e458520e76","sha512":"354d278050a3a7ec746b7b7505478c10cf23e8d1d0e0a21e8ca83ceeb11381ecdd3898e9dc39d4a97dfc9f1161ad2c9114be6cbb63ed49fa5aa6935232faf577","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_elf_file_anomalies.yar","filename":"gen_elf_file_anomalies.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":748,"md5":"c25ae31c5860e98918d5bee5cebed5b7","sha1":"3d19e389fecc067e1cdf9ccb8c4d9a51b40236bb","sha256":"bf6701ad6fc1dcf3b8f85e5faf48f0945a7aacbb6a5a5642b9d8d20449197ed2","sha512":"7c6ed26a18aa131cb4f48e66df770d63878f7ddfa0c2086ff437af39ff471fdc43543440a24235abfef1b38fc2383115311061558cf4d255a063c98e25459a4b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_empire.yar","filename":"gen_empire.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":29254,"md5":"f040d5a14e90bcd99a082eaba33829bc","sha1":"fc1b0401816896ebdcfaa84e01642baf64765597","sha256":"0b96f2718369ba56d1c302db218938fafc0dc1053ec35f369f5516b5f372039b","sha512":"755d2699924126645064b8297075cf02b2877876d081e5da6269afb54495bfa05b5d8964a08aad8462ca118358dd86832e763aab453c4be12be259b97b3e71b9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file 
Get-SecurityPackages.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Get-SecurityPackages.ps1","hash1":"5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Get_SecurityPackages"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-PowerDump.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-PowerDump.ps1","hash1":"095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_PowerDump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-ShellcodeMSIL.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-ShellcodeMSIL.ps1","hash1":"9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_ShellcodeMSIL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-SmbScanner.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-SmbScanner.ps1","hash1":"9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_SmbScanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-EgressCheck.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-EgressCheck.ps1","hash1":"e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_EgressCheck"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file 
Invoke-PostExfil.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-PostExfil.ps1","hash1":"00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_PostExfil"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-SMBAutoBrute.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-SMBAutoBrute.ps1","hash1":"7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_SMBAutoBrute"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Get-Keystrokes.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Get-Keystrokes.ps1","hash1":"c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Get_Keystrokes"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-DllInjection.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-DllInjection.ps1","hash1":"304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_DllInjection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file KeePassConfig.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file KeePassConfig.ps1","hash1":"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_KeePassConfig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire 
component","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash2":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash3":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","hash4":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash5":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerShell_Framework_Gen1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1","hash1":"ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerUp_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire 
component","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash3":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash5":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","hash6":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash8":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerShell_Framework_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1","hash2":"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_KeePassConfig_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files Invoke-Portscan.ps1, 
Invoke-Portscan.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1","hash2":"cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_Portscan_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash2":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, 
Invoke-ReflectivePEInjection.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1","hash1":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash2":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash3":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}}]}},{"path":"signature-base-master/yara/gen_enigma_protector.yar","filename":"gen_enigma_protector.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2103,"md5":"b1842b1ca304a25e244532d54fe19076","sha1":"44ff17692b59486a9f0844230e22dc66c21439b6","sha256":"fc625f9b40e979b41c0869471d77e5785325fb034e7c6dee61bd650fd550c0b5","sha512":"5685079064e5e41cf6be669a0db951c16b645e3099458e3fead316f0f153ee53afcb8520f237647c4b08fde0d1c52a4cae08992ea0cc0f14373ccd62ba76168d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_event_mute_hook.yar","filename":"gen_event_mute_hook.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":713,"md5":"d747e13a2b4c40c348fa58e70e29d61c","sha1":"9293e8d8b9ceccccb417b7cfc404063433468269","sha256":"246c7ac3322544958c4b1c43534e668b77df2139957224841315ad1291cd8680","sha512":"c289f42412d6d7ce16886c1b60dc54b2b5f149b3e92f86dc0854337c6915826f4ee1078b39828d7e6d08f5b08459822511bc21d1a2eeadaf40ef8fb59f72bc36","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_excel_auto_open_evasion.yar","filename":"gen_excel_auto_open_evasion.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1280,"md5":"d1479306211cfed050f256fc4dea41d8","sha1":"22be18c066a852289459865a5efca6848dc5ed3e","sha256":"4bd99247367569650f5a871142f02eb6aea5081b9f1b215e76cfedeaab9b71c2","sha512":"02c64b6f083fc7c2a733266a04bfbc1b722ca704ccc179d0c89637cadb1718616abf6c1a3376559d9e7765da10e36769fd417c1778d0cd29f9aea4e965df4b0a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_excel_xll_addin_suspicious.yar","filename":"gen_excel_xll_addin_suspicious.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3473,"md5":"376390686e71a22eb65e777727eb439e","sha1":"5bb8583201f5be22d327e35623e43e7743f3038f","sha256":"b23d78c3b7ce6a7f90796b0e0761893e8933823d6a7b7308a724e2cbc76f2079","sha512":"cf07ea0c433581336131116d9cf66663652c6a44e12efee8614a8412bd1c0a612a6bdd266d382ab07acc288e7d4dc59d07b9840c67545b8b58fd0f78afb680b3","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_excel_xor_obfuscation_velvetsweatshop.yar","filename":"gen_excel_xor_obfuscation_velvetsweatshop.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1205,"md5":"e11e5f5ddd32080116a5c1db87952127","sha1":"fb167d26854d1bcad5c49bb114851ef457001b0c","sha256":"e237f59771a7d3deb6eef0e553e5076d0d929e0741c99c74fc644bf98bdcda6e","sha512":"aa221c78b946d67bfb24357a0a8a838c715975dafb7b79df6c7cacc28b3a9d1dd4f4f4418b6207fcab629d1cbda684c4848ea412029ad1df35b31d210a4a3cc5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_exploit_cve_2017_10271_weblogic.yar","filename":"gen_exploit_cve_2017_10271_weblogic.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1148,"md5":"90e898d2bcfcfa99a9ddcd3037c73949","sha1":"f1dce9508730e4c8bc50ac4759c5963b137508e4","sha256":"22b6d223694eefac7a9ce644e1ff567f1b26b3c90111948ed1d443639df39405","sha512":"2ec06877587bb25fc3b2b0cfee914a28b8cc58a20eec95dfe8147f12db5e3272719a6ef6d1ea8019301c81945305950ccba26fc1eae1cb81b5046a9db9e8fb97","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_fake_amsi_dll.yar","filename":"gen_fake_amsi_dll.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2325,"md5":"09a609a566df6db8db9102990a058a23","sha1":"bc6436e8efd6ec12b6d90ba937b8c8936ba5de46","sha256":"35743cab69e5df774e5966ecedbc90ad94dbb929677a502c63e16759c9259389","sha512":"4f6923418262481ec8be995a8ed7145e8044399e2a6eb09afc630fda60caba27b72120e5f16fa815c91d718fe8b88b9c760797053fd54a5edd4ce0b9feaf8bff","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_faked_versions.yar","filename":"gen_faked_versions.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":39,"md5":"8f38cbba8769b9c87b3f93001e45e0f2","sha1":"57a94d3d77a6b127bceb06f11110374e175be0a2","sha256":"a1823955d01a1bfa23597ab776583f06cab6917577d0644eef6f0e13d6715d3e","sha512":"75f5310226b1945726aec35ffa3fb0cdf733ef1c127b933eb69c894033e85c8d1723249698ee3da9e89ed17a7b7a07b343fcb21863a845a75f73810ce69394a5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_file_anomalies.yar","filename":"gen_file_anomalies.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4066,"md5":"19bab7c6646f3683bd107e98d6d9788a","sha1":"62ed5e74f372525f282e16130ac5344ed77dcfda","sha256":"34114a3f7accd7eb93f49a051f638f46d25ed1c2cdc68f9106866c2d8c427081","sha512":"50f7d528f73459a96187b433355466a0a28957840f7c6937649c2973984f3ddb1e155143d1cee3ec6f2505f47be9339ead9ca9cca61ba94ae2c9e52bb8071e1a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","filename":"gen_fireeye_redteam_tools.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(3182)","size":215893,"md5":"e7a561b4920f1c50d9f5da429dcb0b7e","sha1":"27d98056218312e86e6c8cc0a0db8091e799a556","sha256":"1395a70e4adcb24327270ea8dbe88df90ea6390f43909fe3367f656a5bccfa13","sha512":"2d23a47276894ebdfdc1402ffd16e304da4cb237d66175136f1251835663f4d58b4663f444c27680f126faf3fcf98571d6b64feded3a1da58ee728e38d948769","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.","md5":"7af24305a409a2b8f83ece27bb0f7900","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"Hunting_GadgetToJScript_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"HackTool_MSIL_SharPersist_2","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","md5":"98ecf58d48a3eae43899b45cec0fc6b7","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"HackTool_MSIL_SharPersist_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"CredTheft_MSIL_ADPassHunt_2","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","md5":"6efb58cf54d1bb45c057efcfbbd68a93","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"CredTheft_MSIL_ADPassHunt_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Identifies GoRat malware in memory based on strings.","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"Identifies GoRat malware in memory based on strings.","md5":"3b926b5762e13ceec7ac3a61e85c93bb","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Backdoor_Win_GoRat_Memory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects FireEye's Python Redflar","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","date":"2020-11-27","description":"Detects FireEye's Python Redflar","md5":"d0a830403e56ebaa4bfbe87dbfdee44f","modified":"2020-11-27","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Builder_PY_REDFLARE_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Rubeus","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"fbc2f67f394a4d21cac532b42c6749002cb7284b4a3912e18672881e6e74765d","id":"43f18623-6024-4608-8019-e3fecd54cf84","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"b7b4691ad1cdad7663c32d07e911a03d9cc8b104f724c2825fd4957007649235","rule":"Windows_Hacktool_Rubeus_43f18623","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Rubeus"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SafetyKatz","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"f0d11341fc91d2c45c07c6079aad24a11da03320286216be0a68461b6bf55b02","id":"072b7370-517b-45dc-af23-ba3adbd32fbd","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9","rule":"Windows_Hacktool_SafetyKatz_072b7370","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SafetyKatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Seatbelt","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cdbafa7507cb723f20ad0c7a288750a0d95792c8fe5ceb5e48c62fd45f2ffc0b","id":"674fd535-f188-4b20-8b5e-69a111bf08e5","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"a0e467aacd383727d46e766f1c45b424a6d46248118c155c22c538e8773b3ae7","rule":"Windows_Hacktool_Seatbelt_674fd535","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Seatbelt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Sharpersist","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"44fd3f1146d81c34051f8ef4619db369d364e809799e7ca57bea93fb8fef5d4c","id":"06606812-2be2-4155-a82b-6ab4629c5b5a","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8","rule":"Windows_Hacktool_SharPersist_06606812","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Sharpersist"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpHound","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"53d295223e2330a973f9495a7ca625c1e9429bc5daf7dda1b84b2aaeca5ea898","id":"5adf9d6d-b6db-43ea-95bd-e9747b82a36d","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4","rule":"Windows_Hacktool_SharpHound_5adf9d6d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpHound"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpView","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"379606da5cf6adb58d6a8e693d379252f7987ff295f838df092ce2246da08354","id":"2c7603ad-27f4-49fc-9fab-f4284620452f","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93","rule":"Windows_Hacktool_SharpView_2c7603ad","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpView"}}]}},{"path":"signature-base-master/yara/gen_floxif.yar","filename":"gen_floxif.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":717,"md5":"d9e61db5addc0aa50cfce958a0138b4c","sha1":"906cf0ceb149a5015c71a63e39ac772a7e617a57","sha256":"c0745a4346b6af39c5122c18068c80e29fcbed3366b4010fa48f0b05db772644","sha512":"a7646fcd298fa28024b439a6cca5786cb103294b08a4263c55549a1ca338ecd9b59f1f41dd838e870e0fd377c42c68c9dcf07a27610190cb6e4dd8391ebd9a2f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_frp_proxy.yar","filename":"gen_frp_proxy.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1485,"md5":"743d298c3aa7ef176ac68d6a2959756f","sha1":"62d7974a4b14b167d6eda4508f3c33543ef3c0bd","sha256":"acd8f5dbb71cc21ac96e7f4333fa96f97a01161e111e4ee46d063e2472bc90a5","sha512":"245c8badf7171a4ccd04684e9a79df9213e0d73a13e2c0c811d6b4b139a9545d5d7cff6858a2059636d670a31b63baaa1b8fc7299dbba32ccf5b5cb415656cdc","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","filename":"gen_gcti_cobaltstrike.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":161039,"md5":"6afc3141f06a3581e1164f623e7fa139","sha1":"09fd90fba7da526b4962176bab183ab1f3a6e012","sha256":"0f23b573e80b46b14a237a9fd13d4dfb72c1dfacc4fad1d0b02fa505ec6aa26c","sha512":"acd76eb07665094d21e52e135aed8c7589248b3637cbc3e2466943899cc374b81e00a35feb542df313002825b15bc43701ac33af194283a658b757770eb8da79","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Armitage component","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-24","description":"Detects Armitage 
component","hash1":"2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af","hash2":"b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Armitage_OSX"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","hash":"d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_Py_v3_3_to_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 
3.13","hash":"ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies UAC Bypass module from Cobalt Strike","fingerprint":"70224e28a223d09f2211048936beb9e2d31c0312c97a80e22c85e445f1937c10","id":"c851687a-aac6-43e7-a0b6-6aed36dcf12e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_c851687a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-09","fingerprint":"c375492960a6277bf665bea86302cec774c0d79506e5cb2e456ce59f5e68aa2e","id":"7f8da98a-3336-482b-91da-82c7cef34c62","last_modified":"2023-06-13","license":"Elastic License v2","os":"windows","reference_sample":"e3bc2bec4a55ad6cfdf49e5dbd4657fc704af1758ca1d6e31b83dcfb8bf0f89d","rule":"Windows_Trojan_CobaltStrike_7f8da98a","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-09-27","alert":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","hash":"d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_Py_v3_3_to_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-09-27","alert":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","hash":"ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13"}}]}},{"path":"signature-base-master/yara/gen_gcti_sliver.yar","filename":"gen_gcti_sliver.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5061,"md5":"3a81472ea70c210d8aa44e44ea0c6b78","sha1":"2a40f7c2599d36a31d4abac79f33b051c66fecb8","sha256":"39f3a9cbf60b4fbe018863901edc9c8bd5a3894d0ea69b4d547b69dc293136d8","sha512":"a127e8bfb4d3d9cf4fc02f7e7bcadc9bcfe8c376a92c6805929df18e237e1743fd801b7a5d9b4cc07680099ac2307217826e3c830d5bc092527dc4cffbb6652d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_gen_cactustorch.yar","filename":"gen_gen_cactustorch.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1904,"md5":"b44103f584b724211b2d2f2918430358","sha1":"5d1eb4fc4a7d90259cdc9be2f86a108e90e6a287","sha256":"a50ff1e0814944032c4eab3e9acac1c5f8ba5f1be51858898c369f5bd3cfa27b","sha512":"8a11be6f4dac7a9e82c404cfdc48ec4b5852738f76080c3b3514898910eb4d6a94b6a615feac3d1820b26db3b9bed312b0d690e8dae06fad408debbc6dd537a1","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CactusTorch Hacktool","trigger":"signature-base-master/yara/gen_gen_cactustorch.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-31","description":"Detects CactusTorch Hacktool","hash1":"314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c","hash2":"0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea","hash3":"a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mdsecactivebreach/CACTUSTORCH","rule":"CACTUSTORCH"}}]}},{"path":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","filename":"gen_github_net_redteam_tools_guids.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":269484,"md5":"377d19a6d9bc387f7f821aceef36346a","sha1":"506bc6708a6f8f6bd01970be9a32af4e8e2b6f3c","sha256":"0a82913d664b22d08bf71910e95bb1c8873ded0f5a6ee9fe5cabce71c1b16df1","sha512":"c707c0ab4a8a7a8b36b8ede5ea8dd7da9945270bb6b0d552926ffb410bab157d6404fd80fd228596c0fd9eda8ebc3d82587b53738bf6e50351d04239d5b4c377","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Rubeus","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"fbc2f67f394a4d21cac532b42c6749002cb7284b4a3912e18672881e6e74765d","id":"43f18623-6024-4608-8019-e3fecd54cf84","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"b7b4691ad1cdad7663c32d07e911a03d9cc8b104f724c2825fd4957007649235","rule":"Windows_Hacktool_Rubeus_43f18623","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Rubeus"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SafetyKatz","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"f0d11341fc91d2c45c07c6079aad24a11da03320286216be0a68461b6bf55b02","id":"072b7370-517b-45dc-af23-ba3adbd32fbd","last_modified":"2023-01-11","license":"Elastic License 
v2","os":"windows","reference_sample":"89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9","rule":"Windows_Hacktool_SafetyKatz_072b7370","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SafetyKatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Seatbelt","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cdbafa7507cb723f20ad0c7a288750a0d95792c8fe5ceb5e48c62fd45f2ffc0b","id":"674fd535-f188-4b20-8b5e-69a111bf08e5","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"a0e467aacd383727d46e766f1c45b424a6d46248118c155c22c538e8773b3ae7","rule":"Windows_Hacktool_Seatbelt_674fd535","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Seatbelt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Sharpersist","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"44fd3f1146d81c34051f8ef4619db369d364e809799e7ca57bea93fb8fef5d4c","id":"06606812-2be2-4155-a82b-6ab4629c5b5a","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8","rule":"Windows_Hacktool_SharPersist_06606812","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Hacktool.Sharpersist"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpDump","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cf1e23fc0a317959fceadae8984240b174dac22a1bcabccf43c34f0186a3ac23","id":"7c17d8b1-35cf-440e-8f4e-44abdc2054bb","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"14c3ea569a1bd9ac3aced4f8dd58314532dbf974bfa359979e6c7b6a4bbf41ca","rule":"Windows_Hacktool_SharpDump_7c17d8b1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpDump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpHound","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"53d295223e2330a973f9495a7ca625c1e9429bc5daf7dda1b84b2aaeca5ea898","id":"5adf9d6d-b6db-43ea-95bd-e9747b82a36d","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4","rule":"Windows_Hacktool_SharpHound_5adf9d6d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpHound"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpMove","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"634efb2dedbb181a31ea41ff34d1d0810d1ab4823c8611737d68cb56601a052d","id":"05e28928-6109-4afe-bd86-908d354ddd80","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"051f60f9f4665b96f764810defe9525ae7b4f9898249b83a23094cee63fa0c3b","rule":"Windows_Hacktool_SharpMove_05e28928","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpMove"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpRDP","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"a7eb084004fce79efc39781044bad501a731163fa3ad6f9b8b334611d03f5379","id":"80895fcb-b98e-4865-a1f6-87cbea327cea","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"6e909861781a8812ee01bc59435fd73fd34da23fa9ad6d699eefbf9f84629876","rule":"Windows_Hacktool_SharpRDP_80895fcb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpRDP"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpStay","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"346e6cf9d85c737b171914b331bb1837f90696301dbe144cbf8996b8a8cb3adb","id":"eac706c5-975e-43f2-b106-149f884a2e9a","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"498d201f65b57a007a79259ce7015eb7eb1bba660d44deafea716e36316a9caa","rule":"Windows_Hacktool_SharpStay_eac706c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpStay"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpUp","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"4c6e70b7ce3eb3fc05966af6c3847f4b7282059e05c089c20f39f226efb9bf87","id":"e5c87c9a-6b4d-49af-85d1-6bb60123c057","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"45e92b991b3633b446473115f97366d9f35acd446d00cd4a05981a056660ad27","rule":"Windows_Hacktool_SharpUp_e5c87c9a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpUp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpView","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"379606da5cf6adb58d6a8e693d379252f7987ff295f838df092ce2246da08354","id":"2c7603ad-27f4-49fc-9fab-f4284620452f","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93","rule":"Windows_Hacktool_SharpView_2c7603ad","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpView"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpWMI","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"20719ea15d4dee90c95b474689752172a6b6fb941dced81803f9f726ddc26d29","id":"a67d6fe5-3ce5-4e63-979e-3fb799d9d173","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"2134a5e1a5eece1336f831a7686c5ea3b6ca5aaa63ab7e7820be937da0678e15","rule":"Windows_Hacktool_SharpWMI_a67d6fe5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpWMI"}}]}},{"path":"signature-base-master/yara/gen_github_net_redteam_tools_names.yar","filename":"gen_github_net_redteam_tools_names.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":33281,"md5":"5161641fbf5278101cf496de22c206d3","sha1":"df6473717331788b23f2803ea29612d0f0f709b8","sha256":"f6fdf1f1b63c4c00f89ec1cbd0830b87d3c6474058bbd31b42b4b786e5628154","sha512":"63a379b47cefb53f1a9c0332b7cdfdfa26dcb4cdeee92cff0cb71c15633d2026d1e5d54927ebb71e849360e11597370bdff1963565878b5a70ba8b19378ce66f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_github_repo_compromise_myjino_ru.yar","filename":"gen_github_repo_compromise_myjino_ru.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":581,"md5":"3de5cade877597af3b3e7da1a1a9bf81","sha1":"9c5cdac0408ec6ebcadba944d2e1f5c7d3adc1bb","sha256":"c2ccb18b12b55ff42f795647c0e6a71d1378a2dc0bbc2c1b01e04edd522e6369","sha512":"d6a27464020ad03f8d68b552adbbedab652be9bbaff82ddb83dad37eaa2a4804a5634c87e7bd5e0eed422465020e4d54e35bf72974d26c5fe3a13f49a6058ce4","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects URL mentioned in report on compromised Github repositories in August 2022","trigger":"signature-base-master/yara/gen_github_repo_compromise_myjino_ru.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-08-03","description":"Detects URL mentioned in report on compromised Github repositories in August 2022","reference":"https://twitter.com/stephenlacy/status/1554697077430505473","rule":"MAL_Github_Repo_Compromise_MyJino_Ru_Aug22","score":"90"}}]}},{"path":"signature-base-master/yara/gen_gobfuscate.yar","filename":"gen_gobfuscate.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":818,"md5":"1c47606dc89e483c2bcbff2aa4689a93","sha1":"f24fa588e5436fd9e0421c4148f2516fd6fc001f","sha256":"f9042ed9a390386217989e31079a76f2d9cb8f19533bd392fa0e509af56e3e1a","sha512":"0e1dedeeb1f22a80b5fc0749f870d373e698b263a525ac407be4030329cce2986bd1db0b088bfd7f00be91710360880989122d4556bb0ee287deb087bd494eb8","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_google_anomaly.yar","filename":"gen_google_anomaly.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":823,"md5":"7f240779dac682c6b9ab2db02bca88c0","sha1":"885471750951695ac4fa1d60228e161c6b44e077","sha256":"7d2fe82901ac9880aa9aaa0aa12efc5f9e74b7724f25924f4c9d96b76f405374","sha512":"553a9a438599b457e1b0cea8733884dd21c5433d5aae1d04ac2fa0c30170ace55f22e35037d60376683797d717c011118041af29d5e4cd3c8734861192816430","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_gpp_cpassword.yar","filename":"gen_gpp_cpassword.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":814,"md5":"1737701c45af36a341a5f218d8b24815","sha1":"c885d54fb08e10e724f6e49f2b16de571a4af445","sha256":"c9aecf6fb5ab4b1b1e85ff4c0735d283ab1eaa1472f1d7a7cb8a40abd0e96b17","sha512":"3a02153672ac2ae3021ead24105cf484c7802fe1879356b02353483f463e887729aaee4ed94984c6e9b8bb8b6b9b1b072c7a0b6e250f24d39f56d6cfd85ed15a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_hawkeye.yar","filename":"gen_hawkeye.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1205,"md5":"cfdac22dda1416ec6719e5d2fed9a457","sha1":"be6356c1639d70b13130d432a5741f34a020c882","sha256":"a3ba49e6f7c18a8fd7687bd62fdf686a124771b6d5cf672f4d9ca5e2df68ea8a","sha512":"6ff37edb5be41ce5b5c8fe813d9e5dd4ab0ead0f969ad297a484a7df7c537abbbd8cc35a335e4ba62232e7da328fc790bf229638a0c92fa0245aab3e3625f6bf","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects HawkEye Keylogger Reborn","trigger":"signature-base-master/yara/gen_hawkeye.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-10","description":"Detects HawkEye Keylogger Reborn","hash1":"b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad","reference":"https://twitter.com/James_inthe_box/status/1072116224652324870","rule":"MAL_HawkEye_Keylogger_Gen_Dec18"}}]}},{"path":"signature-base-master/yara/gen_hktl_koh_tokenstealer.yar","filename":"gen_hktl_koh_tokenstealer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":707,"md5":"89c014751650309a47e512f61760b817","sha1":"6de9292c86e4c9fb9b7e4ee0c62a6f1c08130b0e","sha256":"03ad55ab8f84444402621c106db00dbcbe22d88b1f4f4eb0ff1160e929f4c763","sha512":"f32945979f558fc591b3aebbce35459d3fd88a17be34d661163e7921d4468d076d2ee261bd8e1f2ffe44deefd70064ea29060e884cb510029eaa5b0000963252","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_hktl_roothelper.yar","filename":"gen_hktl_roothelper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1881,"md5":"fd465ad031de91ec7381f1f41c6b0806","sha1":"e72c420f88a799268a8b76555731ec3e5a9cd4c1","sha256":"96b691dd89602d600d27fe2150d3443b08b37a419b062201ee2058c37d6ef43f","sha512":"c1f4565a013336d85c76b62c5147727be2b276497b77d804e325b59015cd28dc0c88d2fd7d8e8d8000be76c8d24f45a113072940086c1d568ba0829bceb0ffcf","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_hktl_venom_lib.yar","filename":"gen_hktl_venom_lib.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1209,"md5":"b72f26916b3350113bc008b52b3a62a5","sha1":"4b44b800e6531ffec5c46b31307853f102bffeda","sha256":"3c878c0e170331bd044f52adc5cb820f88e473b79d7075773081b11a227f333c","sha512":"9c6b026ade7aeb82d88c542fa2458b11ebd5df269b54d40acb56af57b2eb3a23a3f04c16228d69738ce238aaf7d6d24a621235b221294981d6f25ff8a6de213a","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Venom - a library that meant to perform evasive communication using stolen browser socket","trigger":"signature-base-master/yara/gen_hktl_venom_lib.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Ido Veltzman, Florian Roth","date":"2022-12-17","description":"Detects Venom - a library that meant to perform evasive communication using stolen browser socket","reference":"https://github.com/Idov31/Venom","rule":"HKTL_Venom_LIB_Dec22","score":"75"}}]}},{"path":"signature-base-master/yara/gen_hta_anomalies.yar","filename":"gen_hta_anomalies.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII 
text","size":1440,"md5":"074316b3276e841ecebb4fc70f88028b","sha1":"499d9e4da1552ae6066b9ed6eefa7e5d63521c9c","sha256":"ee8bee912a3bdf9c1767c88805b0de9dc4a4b5add77a6efd8cb1b47f105f4111","sha512":"6928bce13f25c13c4341feeee0ec9afd63a78fa0176c9345e12219cd96d003a210be47bd046731c2141df8d8de02f2d5dd028ba35c4e36dbb700d02ed3755ab3","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_hunting_susp_rar.yar","filename":"gen_hunting_susp_rar.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1006,"md5":"ad25e9cb6d0120b4ad597d4f549e1a77","sha1":"ec193b3d5661a8b57eee986a96c16503e4b54738","sha256":"e86d7489e40ea4de78e2558cb1603e31e9f6a9af9ae1eea3b510305fbc2e3738","sha512":"72f03f840021c72f32a5e0fc81bab558d95172938193588d698f00dece1df3f2237421114352ce2371e619274477026fb3f4203bf1c2719c2448fbedd0ff0794","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_icon_anomalies.yar","filename":"gen_icon_anomalies.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3257,"md5":"868663bbb205b7e043871f1031faeb7e","sha1":"2a8b2e467461a1fbe96511219a8d4e3ea9d86fe5","sha256":"d8ab82494ed861a5115be0f53df4d81ad110dc4c95f1aae5d9e4c7df6b2a90e6","sha512":"d77e35220194b16c4efc8e5e6a7175c73a4dc61054b444e47576eb14ea2e3d1cab51f11dfb18804a5424ec7103988effeee5a66f38cb69257e229cb1ae462437","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_impacket_tools.yar","filename":"gen_impacket_tools.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":18421,"md5":"a1e70485ee63c042cc58defb70507c76","sha1":"ea84fd627a4f8c943fd14e113f850cd0fbdc6eae","sha256":"fd5d9de614e99107e514eeb0417b32d29a7962018fbcd66311ec5c12efd7a3b2","sha512":"8deb551186cda47f5ad1410cd6d1173f2093cb8524a7585e1325315d0feb89a8b8a52653278ff315164bb2f9fb2cca7d983c456ada960239f76a5bff043b8529","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Compiled Impacket Tools","trigger":"signature-base-master/yara/gen_impacket_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Compiled Impacket Tools","hash1":"4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3","hash10":"4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a","hash11":"47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d","hash12":"7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2","hash13":"9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f","hash14":"d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7","hash15":"8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699","hash16":"efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769","hash17":"e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b","hash18":"19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4","hash19":"2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086","hash2":"d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3","hash20":"202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094","hash3":"2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1","hash4":"ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6","hash5":"e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336
ddf5eb496742","hash6":"27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364","hash7":"dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98","hash8":"0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b","hash9":"21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/maaaaz/impacket-examples-windows","rule":"Impacket_Tools_Generic_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies Impacket, a collection of Python classes for working with network protocols.","trigger":"signature-base-master/yara/gen_impacket_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-08-01","description":"Identifies Impacket, a collection of Python classes for working with network protocols.","fingerprint":"3c84db45525bc8981b832617b35c0b81193827313b23c7fede0b00badc3670f4","first_imported":"2021-12-30","id":"4slxMFaVQR9nCS6mQxIQj","last_modified":"2021-12-30","mitre_att":"S0357","reference":"https://github.com/SecureAuthCorp/impacket","rule":"Impacket","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"IMPACKET","version":"1.0"}}]}},{"path":"signature-base-master/yara/gen_imphash_detection.yar","filename":"gen_imphash_detection.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":22293,"md5":"6c416b93948bb51639f475b405e7560e","sha1":"bf3a55ebc90e1526f2550209dd9b5f4c5aec30a1","sha256":"81618c4dba881315e60833ced2aa04c8b3887555e86f271d0d5a231e26d9b575","sha512":"838f773d65a9c9ec925f32778929a418c2efa86d1d3af2f99062ba525f8779da42aa0ac1c6b70cb5350f6be88bf20ee916c4c4ff7097c3eb122fed0495421041","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_invoke_mimikatz.yar","filename":"gen_invoke_mimikatz.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":905,"md5":"b3f92d041364be009e9aff91c8615db7","sha1":"939d1a77281c83dd688fe3d678d1357fd3f884f4","sha256":"03e4100abcc558ba6a2f08a71b6532aac1ad86302efa4f2603199083de07eedf","sha512":"e63b03ca32d148c8b0c6cae5f5b17ffb3058095f68f19fd8097d7fc8f282098a344ab59064c7610804183abfc1fbcaf04d9cf4ac6f99496d17ea3c27692039e8","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Invoke-Mimikatz String","trigger":"signature-base-master/yara/gen_invoke_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-03","description":"Detects Invoke-Mimikatz String","hash1":"f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz","rule":"Invoke_Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation 
Toolkit","trigger":"signature-base-master/yara/gen_invoke_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Mimikatz","trigger":"signature-base-master/yara/gen_invoke_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Detection for Invoke-Mimikatz","fingerprint":"9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135","id":"355d5d3a-e50e-4614-9a84-0da668c40852","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96","rule":"Windows_Hacktool_Mimikatz_355d5d3a","scan_context":"file, memory","severity":"90","threat_name":"Windows.Hacktool.Mimikatz"}}]}},{"path":"signature-base-master/yara/gen_invoke_psimage.yar","filename":"gen_invoke_psimage.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1228,"md5":"218c941e0ba20500b2e1ac2f60020d0e","sha1":"f469587af00832c5f60259eb0c89921f829e730e","sha256":"644f33a5f6cafbb34986488bf30e12d3bd974ba56cdc0fbcce1d52b18cab6f94","sha512":"66d9f8ba314c302292304ce3a4d53f26d5c377cdb10aec3bafef1c46288c6277fc9ec16a0cd867986c6a7d212c624527dc541161382c5085ff30098c074c3501","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a command to execute PowerShell from String","trigger":"signature-base-master/yara/gen_invoke_psimage.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-16","description":"Detects a command to execute PowerShell from String","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/peewpw/Invoke-PSImage","rule":"Invoke_PSImage"}}]}},{"path":"signature-base-master/yara/gen_invoke_thehash.yar","filename":"gen_invoke_thehash.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4556,"md5":"df604adb6035647d224affaa04bbd091","sha1":"7c9194925a560620e39fbd8f8b50aa7d64550538","sha256":"99ad47b7e348d532fd7470f6fca0cba9fc53cbc7dfb4d3efe96c3fb8915cbc7a","sha512":"2a57a9eee0c2787f4ee3fefa1bc3096b1d3fa6e1eed0b088e2becd6c86bf67b7733fdcf886220980b6a057a4a154ad5f94b9f1b65a310bea39e74a1c21c7f0d2","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Invoke-WmiExec or Invoke-SmbExec","trigger":"signature-base-master/yara/gen_invoke_thehash.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2017-06-14","description":"Detects Invoke-WmiExec or Invoke-SmbExec","hash1":"674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Kevin-Robertson/Invoke-TheHash","rule":"Invoke_SMBExec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Invoke-WmiExec or Invoke-SmbExec","trigger":"signature-base-master/yara/gen_invoke_thehash.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-14","description":"Detects Invoke-WmiExec or Invoke-SmbExec","hash1":"140c23514dbf8043b4f293c501c2f9046efcc1c08630621f651cfedb6eed8b97","hash2":"7565d376665e3cd07d859a5cf37c2332a14c08eb808cc5d187a7f0533dc69e07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Kevin-Robertson/Invoke-TheHash","rule":"Invoke_WMIExec_Gen_1"}}]}},{"path":"signature-base-master/yara/gen_javascript_powershell.yar","filename":"gen_javascript_powershell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":598,"md5":"b86ad58e04f313c226d6b427ac3f3105","sha1":"38554967a208861072c144d707a57b896e2c2d06","sha256":"eccdaa17aa3ae7a228387253ffb360d5e7c6629f393f75e902d492e8c8d677d0","sha512":"51dc13cee88a0016f6fd1a932b8fd132ed1a5098a71aab86d118fdda8feac722249b8abbc2a7ab7f42652bf07e9bd7d991a2cef3aff504aa981c296c752ecb3d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_kerberoast.yar","filename":"gen_kerberoast.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2592,"md5":"38d3b1010fb10b8f753db9ef30c15fd6","sha1":"59ebaf5213e7cd65990ae0ec1c65d064ca5f4a45","sha256":"206b0ed8c7d4e48b3a3fce43e1b40c5c34613ceba65861f87feeb25a73a81206","sha512":"82e954d00dac8b56e3915d402ba106e9bbdb442d4eb6d66910ee454f3ad806e803568259a55ffd44c96881d3e246530bb8442b14a33c21c746e7cba674900743","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file kerberoast.py","trigger":"signature-base-master/yara/gen_kerberoast.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-21","description":"Auto-generated rule - file kerberoast.py","hash1":"73155949b4344db2ae511ec8cab85da1ccbf2dfec3607fb9acdc281357cdf380","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/skelsec/PyKerberoast","rule":"kerberoast_PY"}}]}},{"path":"signature-base-master/yara/gen_khepri.yar","filename":"gen_khepri.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1537,"md5":"74394d924407a5fc6d7669d3ef66175d","sha1":"e2f8f9aa514b87b798d0cf20b6d246ecf1b21b93","sha256":"f0a51179b6185b7e12f5c2090a50e57212d279372f088df01d60cd2a1404597d","sha512":"fc60bcc54b8282ef9f9bb5cc07156de65ee896fe91c3ba633bf3f7894cb8b7d359baec8df1ddf4cf2a878ce963c0edb0d6abf085c820cefa88e503bceca439c0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Khepri C2 framework beacons","trigger":"signature-base-master/yara/gen_khepri.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2021-09-08","description":"Detects Khepri C2 framework beacons","hash1":"86c48679db5f4c085fd741ebec5235bc6cf0cdf8ef2d98fd8a689ceb5088f431","reference":"https://github.com/geemion/Khepri/","rule":"HKTL_Khepri_Beacon_Sep21_1","score":"90"}}]}},{"path":"signature-base-master/yara/gen_kirbi_mimkatz.yar","filename":"gen_kirbi_mimkatz.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":680,"md5":"c4320f6c1b5ba3ee3e7a6278ed1862f3","sha1":"059a53850b86fcfde97d307f585b5439016c2d8f","sha256":"7d6000ad4d3e78ec1e58352e83eaf0b934f666930c05c04fee9f38667d7bdbd1","sha512":"67730ee88643d10270cae9829f319f3729514e09c8b51237809d67c7c37ff04d37bd39c5857d2a07fef1e66530e8eb87b69e40ee132ed523c7d70a926b8d1ac9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_lnx_malware_indicators.yar","filename":"gen_lnx_malware_indicators.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":755,"md5":"20735aece8f73fe70186f58fe7a9bb5c","sha1":"79a8299cb908ac4339d6b82f22c9f7a890e27e67","sha256":"16d24965a810ed367a1fcee3da28fcba19d24c0389eae66111c1ce24e523e42d","sha512":"fdff13b1f7d4ddfe246ce9ed7c5e4bd323786e3d11e5d5deff2768f1c388db6f26602088f2ff4e7a1fecf721f9fdd69ff176d957ae03ad19176dbea9afa29bb2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_loaders.yar","filename":"gen_loaders.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6435,"md5":"e4af44e013fd61b6769b22d3cdb16bd0","sha1":"a2677bb2c5f8a6a14f8bf1c1397b0c927a7939c2","sha256":"39d47f9bf1c18666c6e2452c66040d88b6cab9c197410df6a536e56d23e419ca","sha512":"86f6ce49d9266cb653fb87bbd2fdf0952a3d762925def419f13555c6ce647cea894496de468d376925e2e6c09529becf385ce719aa5cfc13ba07958ed2108f09","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects 
Reflective DLL Loader","trigger":"signature-base-master/yara/gen_loaders.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader","hash1":"f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Reflective DLL Loader - suspicious - Possible FP could be program crack","trigger":"signature-base-master/yara/gen_loaders.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader - suspicious - Possible FP could be program crack","hash1":"c2a7a2d0b05ad42386a2bedb780205b7c0af76fe9ee3d47bbe217562f627fcae","hash2":"b90831aaf8859e604283e5292158f08f100d4a2d4e1875ea1911750a6cb85fe0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_2","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Reflective DLL Loader","trigger":"signature-base-master/yara/gen_loaders.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader","hash1":"d10e4b3f1d00f4da391ac03872204dc6551d867684e0af2a4ef52055e771f474","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-12-21","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_3"}}]}},{"path":"signature-base-master/yara/gen_macro_ShellExecute_action.yar","filename":"gen_macro_ShellExecute_action.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1559,"md5":"4a36f52b7bad12910bc3ef3b74215714","sha1":"b18749f303e3227c31b2752fd380942e00823791","sha256":"c1eba4861b25852040da78c6128358b3b3dc821c4e2b63b904752615262441d6","sha512":"8c46ca2bb5a100059a09d5f9e3a8f2ef8ea5b59c2d90a226edb6a9d3bc0c90a147e593c998cd35f90195f4b4d392ff7e8de05634abb16b1d9410593754407b4e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_macro_builders.yar","filename":"gen_macro_builders.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":612,"md5":"de0c5374e21f8e542eead457cb130602","sha1":"25218d44cc44b3c1f89dd46881171c205ebf95fa","sha256":"e051c100d0c820249994aa8eb5b0c08ca96aa34c85f8e972ba33aceedbcd1f70","sha512":"37c0705b1ade942252a96cc575912dfc0537a43eefde6169315e838d7c601314451adc7c5af83dd6a647501277503b29ef18b08b95d9eb5b6df183b23e096d19","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_macro_staroffice_suspicious.yar","filename":"gen_macro_staroffice_suspicious.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1754,"md5":"ba31cd3ae9186acc63d379198d35b248","sha1":"8c0287c6db4d71598209ea96ef6f69a57122cb1b","sha256":"b7eab94e484c6bcc8775ad1f894272da67f5d330a147296f4ecdda137822f606","sha512":"535db57f2da179ab42c68da6cbb5e2a313d80eb09addeac9efe7af619d3caa4ae62b7c4388557ac3f9a86e319d2e66c3e8ce2e84240cb1f6754e8bea411e39b1","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_mal_3cx_compromise_mar23.yar","filename":"gen_mal_3cx_compromise_mar23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, 
with very long lines (329)","size":21534,"md5":"b60e93ae2f97a4d082879c9a56162c2a","sha1":"11588a2890ee2044f719be8bf2640b7acc070aa5","sha256":"d022cdfe8e4043fedb410b9e0c87dd08d72715405d50903bb4e0af03a32bc603","sha512":"182eadd2039fc3c6f4327a19a4f8a7c08e40ec58e5ab89c394880ea61a26e2d022992f2b66d9b79dab74ac2dfd7a6c2b303d5168c581bf643b68ea03722d72a2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_mal_backnet.yar","filename":"gen_mal_backnet.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":784,"md5":"289fddeafbe452ada944c2bfd3f3a1fe","sha1":"bd603d58db798749acdc88b1947a489cd7a25eda","sha256":"c42b56db87ec6bf3ea9c44a071bf4aa49788c1fe7fe261dd2397fddedaa751e8","sha512":"e29ee66fcf476c60f5ae9b6d2afdbe4856e471eaa590406bbb3df79979e447313407e247a5a25eb734f71af3e549a40989aee9eedbe3a1f1b9e3727246a18ad8","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_mal_link.yar","filename":"gen_mal_link.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1060,"md5":"a4f30625aade94373adcc222dbd1c9f6","sha1":"4338b66c5f965e30c6dc614926f42415cef1e628","sha256":"3271d22e543e595ed3de9ee8a92b87cd5973f26f31587f44d13ea0dc133dc73a","sha512":"dcec9f4d15ce2b89e22b1f88aba365e59ab9c0b9ee5574278eeb72c8ad9478b2df71904e8838beb70bbda0d5ecdc4907c3a8086258205aa8494f70c293580e96","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_mal_scripts.yar","filename":"gen_mal_scripts.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5837,"md5":"02709667c0aba8879d69d3f4e8c62723","sha1":"969fd6f59e1c90a0a1f362ec27ee23d924138185","sha256":"a47333e4e493c27e20cbb980957565bbbd917e253bd46113d16ec7e780b28765","sha512":"b37827e3cdfe06c8ba21ec1365e04549a13d6414887fa54c28181a38b53959588a5963ebfff7bbcad99771033fb47ce72d651b25aaa3d563ab423339d6847d53","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PowerShell AMSI Bypass","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-19","description":"Detects PowerShell AMSI Bypass","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1","rule":"PS_AMSI_Bypass","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects MSHTA Bypass","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-19","description":"Detects MSHTA Bypass","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/ItsReallyNick/status/887705105239343104","rule":"JS_Suspicious_MSHTA_Bypass","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious Javascript Run 
command","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-23","description":"Detects a suspicious Javascript Run command","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/craiu/status/900314063560998912","rule":"JavaScript_Run_Suspicious","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Certutil Decode","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-29","description":"Certutil Decode","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Certutil_Decode_OR_Download","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious statements in JavaScript files","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-02","description":"Detects suspicious statements in JavaScript files","hash1":"fc0fad39b461eb1cfc6be57932993fcea94fca650564271d1b74dd850c81602f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research on Leviathan https://goo.gl/MZ7dRg","rule":"Suspicious_JS_script_content","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects malicious obfuscated VBS observed in February 2018","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-02-12","description":"Detects malicious obfuscated VBS observed in February 2018","hash1":"06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab","hash2":"c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036","hash3":"e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/zPsn83","rule":"VBS_Obfuscated_Mal_Feb18_1"}}]}},{"path":"signature-base-master/yara/gen_maldoc.yar","filename":"gen_maldoc.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":644,"md5":"27aee7a87e5607c915933d8c3c1e8cdf","sha1":"4a3f7ce4d3efe9dc68c1944d949b8a8c173a7732","sha256":"7d01133da8d308d08386176948eb15a3225170d374490873517f73b5e39008b7","sha512":"f6f09ffe599a48bd2febc87e641ee47ac6f21bf9e9d59629fcf31098f5280887166d52f3caef76cdaca1eb013a362f7efb40a9268053bb3f6c1e3fbbbdc4c036","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_malware_MacOS_plist_suspicious.yar","filename":"gen_malware_MacOS_plist_suspicious.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"exported SGML document, ASCII 
text","size":3086,"md5":"7b071350490174c99c5bfec33af6be8a","sha1":"ae82530bbdf169cd302496af42ab3977607dc435","sha256":"3b9dcf48b4a82dd2d9b54ed5324cb6833fefea15ec42391e9382828da05c6f84","sha512":"dc64dd61cf3de8b6b1e9e489093e77c7ac8ab6e9d68cdae1a70e5d808403274b151eeb9eec45e8ddd4a8e89fa93c90be37d89521dba35ae0a64fc7cc329deeb6","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_malware_set_qa.yar","filename":"gen_malware_set_qa.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":6688,"md5":"051f1b1c90b3b950ecfa92673755b0a6","sha1":"acaf478fd881592973e2bf5e87ec533eabf5c344","sha256":"c30bec86bb2491e72de0e53f4cd1d6a6303207c6a9f4c74551f27caeace4e972","sha512":"24f894c9aceee8f6a8a70e7e2351683d0f8163be4989a1f27ae436f63eaed545f2d5755aac8544f1cdfebea680bb541c6148a168e1b6e4b1ec5e5174fbb879db","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","trigger":"signature-base-master/yara/gen_malware_set_qa.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"VT Research QA uploaded malware - file vqgk.dll","trigger":"signature-base-master/yara/gen_malware_set_qa.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-29","description":"VT Research QA uploaded malware - file vqgk.dll","hash1":"99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-12-21","reference":"VT Research QA","rule":"Malware_QA_vqgk","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/gen_malware_set_qa.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Attempts to detect Cobalt Strike based on strings found in BEACON","fingerprint":"e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71","id":"ee756db7-e177-41f0-af99-c44646d334f7","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_ee756db7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}}]}},{"path":"signature-base-master/yara/gen_merlin_agent.yar","filename":"gen_merlin_agent.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":873,"md5":"cb56da4f197d67773d47d2d41c155e3a","sha1":"42f4bac00c25a83096cb0e80b75cc3ed3e51f68c","sha256":"8f3db2354cf3f6ca7e5c5a20a96fdd5b8bae7c4f90261c4401c4c1e83813a25a","sha512":"0bf9719f0f6334e5fdfa95879fe58388afabedd55c895e6ec23c08c610e79ac729296f91bb26a9cc5b176824335365281cd7eba573d29f4f895332b185018795","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Merlin agent","trigger":"signature-base-master/yara/gen_merlin_agent.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Hilko Bengen","date":"2017-12-26","description":"Detects Merlin agent","filetype":"pe, elf, mach","reference":"https://github.com/Ne0nd0g/merlin","rule":"merlinAgent"}}]}},{"path":"signature-base-master/yara/gen_metasploit_loader_rsmudge.yar","filename":"gen_metasploit_loader_rsmudge.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1025,"md5":"78c77bfb344c5e0defb9a55ce9a98678","sha1":"5ea7ff961177e5569946d59b80d209f555f9d841","sha256":"9442524f94ab3ee59ecec194985e8d4dababf821afaf91f3a96eb87c8466a0af","sha512":"d62f3e306a053bdcb0059a3bb39e4dfa7f8a35fd8585e309a60123ecddf7a494c117a0e7ade60326817f6b26b275970cf7c8f29cf4896c4c4250bce1b6545495","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Metasploit Loader by RSMudge - file loader.exe","trigger":"signature-base-master/yara/gen_metasploit_loader_rsmudge.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-20","description":"Detects a Metasploit Loader by RSMudge - file 
loader.exe","hash1":"afe34bfe2215b048915b1d55324f1679d598a0741123bc24274d4edc6e395a8d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/rsmudge/metasploit-loader","rule":"Metasploit_Loader_RSMudge"}}]}},{"path":"signature-base-master/yara/gen_metasploit_payloads.yar","filename":"gen_metasploit_payloads.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":14953,"md5":"e48543ff5959e321d26a4c72c3bf3d85","sha1":"c98ccefe4c902e6b7f1582779a7c4a81050c762a","sha256":"559cfb96f7f468a7108f621a3a2690c0e23115319205afdcc54f008243653df6","sha512":"a46fe8da66a3aac6852b01d02e62763f0399fe1e96b47b460c8f770ef203dd67532ad2823ae7e7703c9a64799dd75654889bbd9a5bb2c023a3125beaaf2016cf","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf.sh","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.sh","hash1":"320a01ec4e023fb5fbbaef963a2b57229e4f918847e5a49c7a3f631cb556e96c","modified":"2022-08-18","reference":"Internal Research","rule":"Msfpayloads_msf"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf-psh.vba","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file 
msf-psh.vba","hash1":"5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_psh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf-exe.vba","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-exe.vba","hash1":"321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf.psh","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.psh","hash1":"335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file 
msf.aspx","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.aspx","hash1":"26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf-cmd.ps1","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-cmd.ps1","hash1":"9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_cmd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf-ref.ps1","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-ref.ps1","hash1":"4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal 
Research","rule":"Msfpayloads_msf_ref"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.Metasploit","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Identifies Meterpreter DLL used by Metasploit","fingerprint":"4fc7c309dca197f4626d6dba8afcd576e520dbe2a2dd6f7d38d7ba33ee371d55","id":"dd5ce989-3925-4e27-97c1-3b8927c557e9","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/","reference_sample":"86cf98bf854b01a55e3f306597437900e11d429ac6b7781e090eeda3a5acb360","rule":"Windows_Trojan_Metasploit_dd5ce989","scan_context":"file, memory","severity":"90","threat_name":"Windows.Trojan.Metasploit"}}]}},{"path":"signature-base-master/yara/gen_mimikatz.yar","filename":"gen_mimikatz.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"JavaScript source, ASCII text","size":9304,"md5":"5dbb431911293aac591f902be3931030","sha1":"b87b6553feecf36c27fec521c2509124098c31fd","sha256":"6bccbaf608df05543515d8126250233d78b5bd7630a87f65f8614a32592a27c0","sha512":"542e4a978008f3d3fdaa42ba9f77f23edb9c340ca9f3d2bd0f8a17767ccf19b03ce3c0652aad1c9181b88453e75f89893b5dfb2f15ef31bdb349e3ac53f7c903","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PowerShell with PE Reflective Injection","trigger":"signature-base-master/yara/gen_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Benjamin DELPY 
(gentilkiwi)","description":"PowerShell with PE Reflective Injection","rule":"power_pe_injection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a log file generated by malicious hack tool mimikatz","trigger":"signature-base-master/yara/gen_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/31","description":"Detects a log file generated by malicious hack tool mimikatz","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mimikatz_Logfile","score":"80"}}]}},{"path":"signature-base-master/yara/gen_mimikittenz.yar","filename":"gen_mimikittenz.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1211,"md5":"863c3369c586f9d5846e05ed192b6175","sha1":"bc530ad580705f516b7587c992e96a67a8c7fec3","sha256":"a6bed14083bf2611ea2897dfbcecf322e5251ad843379ad28715fa0aa6811c84","sha512":"f5f539a622dd1d819faf0baa09583a0031267ebb509eaedca291d148298991a73a1b7b65fbf4f8d15c47cb3e5aee5835bb5c6bef8ac50638e06193b8e386fbd9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Mimikittenz - file Invoke-mimikittenz.ps1","trigger":"signature-base-master/yara/gen_mimikittenz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-07-19","description":"Detects Mimikittenz - file Invoke-mimikittenz.ps1","hash1":"14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/putterpanda/mimikittenz","rule":"Invoke_mimikittenz","score":"90"}}]}},{"path":"signature-base-master/yara/gen_mimipenguin.yar","filename":"gen_mimipenguin.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2752,"md5":"1394cc84fa80066841c675fe7c924f75","sha1":"c64547942ab73ea89084a17080035d10c883b5ca","sha256":"660eb71be42dfbb43eb696479db9b2cacd64c936e05d0fb3d6e7a05495486793","sha512":"23ee536955277ccd2ea09ff2c87f91ec0fb7965e18bfec5837ef6fd4e731657a94790638c7b93e340b2a0d0af2cdce105cf69122068a0ea8205f1372a1d27c82","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Mimipenguin Password Extractor - Linux","trigger":"signature-base-master/yara/gen_mimipenguin.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-01","description":"Detects Mimipenguin Password Extractor - Linux","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/huntergregal/mimipenguin","rule":"Mimipenguin_SH"}}]}},{"path":"signature-base-master/yara/gen_net_xorstrings.yar","filename":"gen_net_xorstrings.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":851,"md5":"81ce5a1895f6866709cc0b45c0ff9dca","sha1":"716fbbdb9cc6b33525a12f70d1d14bd9ba71e98e","sha256":"982e82e2e08c23aec1efbaeb6e3915d4324ae9e1bb3f2b57726758f475313808","sha512":"274895779d4d1ab98b39ce7854bf503387bc07e18d0b55ea3ab6db0020cc7c5a99f1e809123479a9adfe974f2dad29a8dec55ec314f54aaeaf02de88fc6a86cb","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_nighthawk_c2.yar","filename":"gen_nighthawk_c2.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (478)","size":3286,"md5":"cc8f68e47603d137e69e47e83001f6f4","sha1":"aa89f63979b9f7d0e13ce61029e2041c07e9e22d","sha256":"b8828c1fec97105904e9b68b08dd43d92c24e9b315fe19fba3aef67d06e09f32","sha512":"46ad59864620fe2fc880a7c1e55f8e146b54fc759e2a83bb915e27f2fab513f2b2dd1b40715359b9313a5a713faf56eeefe310612d83c24d92234f7c8e5d9763","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_nimpackt.yar","filename":"gen_nimpackt.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":787,"md5":"da2e4b20b8f8792826f5a7d459cf8f8e","sha1":"77769b6531be75b2066dcc65354b74a793d34889","sha256":"f11614e3d292091a8e01e20daab03b9374c391fe7438f946aa273b412eed0114","sha512":"3bebf865dca5422f26a7cca2f003f22c125f1ec1c11a215cf44c2615f2c430653735db6e18d375c5ca82cc3ab767d0f36b3173417ce06f3a17e67ab4930368c7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_nopowershell.yar","filename":"gen_nopowershell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":841,"md5":"ba10f08c803f8bc22ea61a8a887c4f6e","sha1":"9e86ccc1d3032a2cac3c74dad811a3bc1e0d5f04","sha256":"9952cdafbaf298e5fd158e6a3769b882fc8e502866e346fb6b066cc3a6e5fa88","sha512":"a4ae00c72f20dbd46f6c5cebb06ecb37e522d7019b1ecf0170c4ec3aabc7eec0e2acf0db7e5ca7b361cc7083638909479266c177f96c1ba87d2d2c49a9f397ef","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_nvidia_leaked_cert.yar","filename":"gen_nvidia_leaked_cert.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":945,"md5":"c59803dc0fbf0c241452413b4471c26a","sha1":"681680c2367555e9e6a664a3db9e76365c79f950","sha256":"22e038f97c16b5e209c9bca11138da2408f3436b47af9b582e3cf41a1ef13cde","sha512":"d6a02d666abf698a08fc49261e70d212805977a3ae2b5e511501156d06ade9c7d596e89daef4ee0743a4e1df5c296aeb737603407052de471c8828d9e6134474","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_onenote_phish.yar","filename":"gen_onenote_phish.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5098,"md5":"aa9b0645ce0d69ec6daed52aa69051d8","sha1":"93743b9846b282677c924d782696216276f452b7","sha256":"1553e71f855c801b2420751117a6b25bdd49fbd926c79a733b2e0b7cc1785fbb","sha512":"0dd667d8e478f6074a6aec548b5eeb3e78a7649a3c5d9a2f8a4228e737a3ea4e92715fbd5745131a4a3680a2f78b7ce2aeecee9db4f9398827163b0e2c8ce1eb","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious OneNote attachment that embeds suspicious payload, e.g. 
an executable (FPs possible if the PE is attached separately)","trigger":"signature-base-master/yara/gen_onenote_phish.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-27","description":"Detects suspicious OneNote attachment that embeds suspicious payload, e.g. an executable (FPs possible if the PE is attached separately)","reference":"Internal Research","rule":"SUSP_Email_Suspicious_OneNote_Attachment_Jan23_1","score":"65"}}]}},{"path":"signature-base-master/yara/gen_osx_backdoor_bella.yar","filename":"gen_osx_backdoor_bella.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1498,"md5":"2b9a0eeb1aedbe7dfbf341814b6705ec","sha1":"773d919098e7be8d0057e8fc34c97afab6bbeab2","sha256":"5b81051b1dd3bc13aee6950dc491c7b000506e214643813c29be8d6fa259efa7","sha512":"2cc8d5d224433ea0987b36c53d6cdb04f4c179e70e917f2e9dccea511b17a0942befdfa77c12358d05607ff786f0b4b62bce3f2975a614d1ba755b903b356067","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Bella MacOS/OSX backdoor","trigger":"signature-base-master/yara/gen_osx_backdoor_bella.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"John Lambert @JohnLaTwC","date":"2018-02-23","description":"Bella MacOS/OSX backdoor","hash":"4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be","reference":"https://twitter.com/JohnLaTwC/status/911998777182924801","rule":"OSX_backdoor_Bella"}}]}},{"path":"signature-base-master/yara/gen_osx_evilosx.yar","filename":"gen_osx_evilosx.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text, with very long lines (339)","size":1440,"md5":"07a02677ab4c6d4a2d957c934e58190a","sha1":"e40f997a98eafe4e28704ee92019fdc4d119ebae","sha256":"9619326c04632047a37e8e1b437efc0f34d7cdd2919f119b7396a4a64fe46129","sha512":"9d7075af12128b53ff231b961f19da17c4a9f9978e265449d207267932466190bd85a0ceb05b15aa0c2ecd1f6112d513eaf7944223305f5700ee619adc6c3b48","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EvilOSX MacOS/OSX backdoor","trigger":"signature-base-master/yara/gen_osx_evilosx.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"John Lambert @JohnLaTwC","date":"2018-02-23","description":"EvilOSX MacOS/OSX backdoor","hash":"89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a","reference":"https://github.com/Marten4n6/EvilOSX, https://twitter.com/JohnLaTwC/status/966139336436498432","rule":"OSX_backdoor_EvilOSX"}}]}},{"path":"signature-base-master/yara/gen_osx_pyagent_persistence.yar","filename":"gen_osx_pyagent_persistence.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1858,"md5":"7624559fe3944b60605e384c63b184a6","sha1":"7b58dc444c5ccaa6a0dbfeb0b5d24af0742862ce","sha256":"1f2a26ccc89587cb01998ef1d38edb11a73cd6bee4e9f569ec9c3518f051537e","sha512":"c60851935c1d37ca8dbcd8c94b9ba581d881afec69c83eda52dff2892c3fc9911cedb98f2f7d7d54be491a6307dd87ccbcac53d43483f1c4a837a8a2df86ff2e","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_p0wnshell.yar","filename":"gen_p0wnshell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"JavaScript source, ASCII 
text","size":8893,"md5":"9725ba3eff70e212b0a53cd64f034745","sha1":"d3ea5bdb0ecaeef6816ec7c0edff0270c7f01f67","sha256":"8db8907f21fce67b54e74ac992c9af71d7c8d2c04a46da522950d6521346807d","sha512":"04cf45e0292e34489d0c93c041c703fe9485b4dff3d822dbbc897da19638794ae4dc416a326dc07d045bddc0c95dd10fa04b70c7b7e196acd1e819332e14c879","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs","hash1":"6a3ba991d3b5d127c4325bc194b3241dde5b3a5853b78b4df1bce7cbe87c0fdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedPowerCat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs","hash1":"aff2b694a01b48ef96c82daf387b25845abbe01073b76316f1aab3142fdb235b","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedPotato"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs","hash1":"54548e7848e742566f5596d8f02eca1fd2cbfeae88648b01efb7bab014b9301b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedExploits"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs","hash1":"fd7014625b58d00c6e54ad0e587c6dba5d50f8ca4b0f162d5af3357c2183c7a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedBinaries"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file 
p0wnedAmsiBypass.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs","hash1":"345e8e6f38b2914f4533c4c16421d372d61564a4275537e674a2ac3360b19284","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedAmsiBypass"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedShell_outputs","super_rule":"1"}}]}},{"path":"signature-base-master/yara/gen_phish_attachments.yar","filename":"gen_phish_attachments.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5035,"md5":"3877fb772988ae7750211b21d7ef19d5","sha1":"6cf317fd916f9e87a0855436fd3eb87525d30876","sha256":"6fb48f2b60803ba753223c23e519d310553c42184afa6ba730525268e2deedc8","sha512":"3dd4f4e200e0eefc153b40382076ec1cf20be753a79e1790b7e63a3e5b51d549b2ef58c8e158f63d4666eb2719131b33373132b45a009df08319885935386cc8","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments","trigger":"signature-base-master/yara/gen_phish_attachments.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-29","description":"Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments","hash1":"caaa5c5733fca95804fffe70af82ee505a8ca2991e4cc05bc97a022e5f5b331c","hash2":"a746d8c41609a70ce10bc69d459f9abb42957cc9626f2e83810c1af412cb8729","reference":"https://twitter.com/0xtoxin/status/1540524891623014400?s=12\u0026t=IQ0OgChk8tAIdTHaPxh0Vg","rule":"SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1","score":"65"}}]}},{"path":"signature-base-master/yara/gen_pirpi.yar","filename":"gen_pirpi.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2527,"md5":"3669a25414607bf27e643eb5d79b7ff2","sha1":"52b21b886784bb14411ef27db30290997277e124","sha256":"66b3972493daf565e31f8507b5ce28ac92327941ee1583527154d3339dd21fb0","sha512":"88eef12cca885d56bc385139a22c0603526786fe1f783d7da1f2c452d4017aa9ba717980d3084a7919e5ea48d6c8a96e4cdffd82186e053c0e844420cdb1d9ff","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pirpi Backdoor - and other 
malware (generic rule)","trigger":"signature-base-master/yara/gen_pirpi.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects Pirpi Backdoor - and other malware (generic rule)","hash1":"2a5a0bc350e774bd784fc25090518626b65a3ce10c7401f44a1616ea2ae32f4c","hash2":"8caa179ec20b6e3938d17132980e0b9fe8ef753a70052f7e857b339427eb0f78","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"Pirpi_1609_A"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pirpi Backdoor","trigger":"signature-base-master/yara/gen_pirpi.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects Pirpi Backdoor","hash1":"498b98c02e19f4b03dc6a3a8b6ff8761ef2c0fedda846ced4b6f1c87b52468e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"Pirpi_1609_B"}}]}},{"path":"signature-base-master/yara/gen_powerkatz.yar","filename":"gen_powerkatz.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1257,"md5":"7898b65f75087b7e45f39b8f4eeaf5e6","sha1":"d677b359bc4a4128a9c85aeed31846dbc81d87d2","sha256":"23b95a2079e0f37327ccbe35f166ee77ca2998ee7059c43ce2455569df58f472","sha512":"4a8085e916f25a59e61c0196166da00c96d8932da1fea7387329341dc8e4311d4b9e8aee081a231b721ca148fb4ef8d4cc9cf484871536bc2bf132dac3caf9ce","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_powershdll.yar","filename":"gen_powershdll.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII 
text","size":887,"md5":"8e71d0ebafa94b0fc45dd9fa00a52549","sha1":"5bef2cac797dd32b231813249b763a73bd43a592","sha256":"75646831ce0f91a96260f3f1aadc95e598e88bad53327c301c3051c423005327","sha512":"dfc27ac6c890237df6e80ff326a8cdabcae0c3df5ec41ac0e08fca1592481158930b915ff817541aaab7d0d3f56f01916b3ef1af930fce128edeb7ad185e0221","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects hack tool PowerShdll","trigger":"signature-base-master/yara/gen_powershdll.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-03","description":"Detects hack tool PowerShdll","hash1":"4d33bc7cfa79d7eefc5f7a99f1b052afdb84895a411d7c30045498fd4303898a","hash2":"f999db9cc3a0719c19f35f0e760f4ce3377b31b756d8cd91bb8270acecd7be7d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/p3nt4/PowerShdll","rule":"PowerShdll"}}]}},{"path":"signature-base-master/yara/gen_powershell_empire.yar","filename":"gen_powershell_empire.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":9157,"md5":"480c4fced01f74a00a71c9f7bb2fb82b","sha1":"205dc1fe196bcd04ed8788acb4be241e64f3586b","sha256":"170c4342744d309da52948525222eee842502f15971a40bc47568929b8695294","sha512":"8808396b044dd39ba72f47f1727ecab85deaa54cdfc2d917c675908d8afbe5549a2e5efd62b5ff4453f446245213af2970c0ba8392f736d3c274f5d035d8e60b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation 
Toolkit","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1","hash":"ab0f900a6915b7497313977871a64c3658f3e6f73f11b03d2d33ca61305dc6a8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/PowerShellEmpire/Empire","rule":"Empire_Invoke_BypassUAC","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Empire - a pure PowerShell post-exploitation agent - file 
Persistence.psm1","hash":"ae8875f7fcb8b4de5cf9721a9f5a9f7782f7c436c86422060ecdc5181e31092f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/PowerShellEmpire/Empire","rule":"Empire_Persistence","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1","hash":"fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/PowerShellEmpire/Empire","rule":"Empire_Invoke_Shellcode","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1","hash":"c5481864b757837ecbc75997fa24978ffde3672b8a144a55478ba9a864a19466","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/PowerShellEmpire/Empire","rule":"Empire_Invoke_Mimikatz","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Mimikatz","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Detection for Invoke-Mimikatz","fingerprint":"9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135","id":"355d5d3a-e50e-4614-9a84-0da668c40852","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96","rule":"Windows_Hacktool_Mimikatz_355d5d3a","scan_context":"file, memory","severity":"90","threat_name":"Windows.Hacktool.Mimikatz"}}]}},{"path":"signature-base-master/yara/gen_powershell_invocation.yar","filename":"gen_powershell_invocation.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3021,"md5":"739ef191efe079b123b2602039290e5a","sha1":"541224472920199ff5bb280d83648f4d66601bc0","sha256":"ad5587e0e1edc74b20c3082aece0c189cbd2b8eb4a079f10d6cd2c82a55d4cef","sha512":"cd2afbce4bf8a5014c3aea62fea9e2b58f33ed945cd779a63b2108e5830443d5e3a2f82e0be3c98c176f71ce629888b3bbaf9de23d5b24e2ebfb5985340682bc","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_powershell_obfuscation.yar","filename":"gen_powershell_obfuscation.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2504,"md5":"c87b128cdfdbc62da165fa00cb362852","sha1":"606c7c612356e7d47bba04f388bc6eb8077995ec","sha256":"e989a18c160d3884cd0fc0a5ff168ee82ff71cc270fc9962b6f7d6d67f0f4936","sha512":"89506a264c1e64a0982d1f42ae930204dea923b80a239be33fc57347f40fd9fbb2dafc0178bbfd58cd59017773612e0a9d145b01e73e0d66a134765c9c6ea780","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PowerShell ISESteroids obfuscation","trigger":"signature-base-master/yara/gen_powershell_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-23","description":"Detects PowerShell ISESteroids obfuscation","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/danielhbohannon/status/877953970437844993","rule":"PowerShell_ISESteroids_Obfuscation"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators often found in obfuscated PowerShell scripts","trigger":"signature-base-master/yara/gen_powershell_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-27","description":"Detects indicators often found in obfuscated PowerShell scripts","reference":"https://github.com/corneacristian/mimikatz-bypass/","rule":"SUSP_OBFUSC_PowerShell_True_Jun20_1","score":"75"}}]}},{"path":"signature-base-master/yara/gen_powershell_suite.yar","filename":"gen_powershell_suite.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3755,"md5":"b775258e3c31e75d5db2e8e39a92007c","sha1":"3d9c865132ed4288104cbc6ef501bd8f78f413d8","sha256":"09e01c823ef9b94434b25894e0749577166d2f1d9edfe19d03126ac021260a75","sha512":"d19662c8c07a9e7cd26587afe68cd1362ab17d027fb07a04693736653883d9fbbe4de124469e665d03fbb7fc46b7203559887dc11f18e565bf2761c9749b9b5e","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from scripts in the PowerShell-Suite repo","trigger":"signature-base-master/yara/gen_powershell_suite.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-27","description":"Detects strings from scripts in the PowerShell-Suite repo","hash1":"79071ba5a984ee05903d566130467483c197cbc2537f25c1e3d7ae4772211fe0","hash10":"5608f25930f99d78804be8c9c39bd33f4f8d14360dd1e4cc88139aa34c27376d","hash11":"68b6c0b5479ecede3050a2f44f8bb8783a22beeef4a258c4ff00974f5909b714","hash12":"da25010a22460bbaabff0f7004204aae7d830348e8a4543177b1f3383b2c3100","hash2":"db31367410d0a9ffc9ed37f423a4b082639591be7f46aca91f5be261b23212d5","hash3":"4f51e7676a4d54c1962760ca0ac81beb28008451511af96652c31f4f40e8eb8e","hash4":"17ac9bb0c46838c65303f42a4a346fcba838ebd5833b875e81dd65c82701d8a8","hash5":"fa33aef619e620a88ecccb990e71c1e11ce2445f799979d23be2d1ad4321b6c6","hash6":"5542bd89005819bc4eef8dfc8a158183e5fd7a1438c84da35102588f5813a225","hash7":"c6a99faeba098eb411f0a9fcb772abac2af438fc155131ebfc93a00e3dcfad50","hash8":"a8e06ecf5a8c25619ce85f8a23f2416832cabb5592547609cfea8bd7fcfcc93d","hash9":"6aa5abf58904d347d441ac8852bd64b2bad3b5b03b518bdd06510931a6564d08","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/FuzzySecurity/PowerShell-Suite","rule":"PowerShell_Suite_Hacktools_Gen_Strings"}}]}},{"path":"signature-base-master/yara/gen_powershell_susp.yar","filename":"gen_powershell_susp.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":11782,"md5":"168b6dd9da40f10b3b4e135af6724596","sha1":"26aec751da4d53290a812e2ddbec35a6623ef9dc","sha256":"18f2c99b7213595b9a6cb28ae9993367957df0aae73664dd4d9f2008601d943a","sha512":"a9f24cad3189c5fc9f3d7235c2e7bbe9f89ea70a4ccfec6cf1d2eee3f46f8f70bb6134c0f53bd1680c112ca71fc06722ca17cf009e69a1e73d62d5c90eb4c745","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects obfuscated PowerShell hacktools","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-11","description":"Detects obfuscated PowerShell hacktools","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-06-12","reference":"https://twitter.com/danielhbohannon/status/905096106924761088","rule":"PowerShell_Case_Anomaly","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious PowerShell code","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-22","description":"Detects suspicious PowerShell code","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Suspicious_PowerShell_Code_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects base464 encoded $ sign at the beginning of a string","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-04-02","description":"Detects base464 encoded $ sign at the beginning of a string","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/ItsReallyNick/status/980915287922040832","rule":"PowerShell_JAB_B64","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious base64 encoded PowerShell expressions","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-01-25","description":"Detects suspicious base64 encoded PowerShell expressions","reference":"https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639","rule":"SUSP_PS1_FromBase64String_Content_Indicator"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to 
zero.","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-12-01","description":"Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.","fingerprint":"6c78cbc1250afb36970d87d8ee2fe8409f57c9d34251d6e3908454e6643f92e3","first_imported":"2021-12-30","id":"3xg5wneq3ZntsMg61ltshS","last_modified":"2021-12-30","rule":"MalScript_Tricks","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}}]}},{"path":"signature-base-master/yara/gen_powershell_toolkit.yar","filename":"gen_powershell_toolkit.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":12681,"md5":"c7cca579eb12384de9d25a234d976583","sha1":"b0c3af3fc3043a6a0b937aae908c9cd892d2e442","sha256":"02e21c178948b59a33b29c0c892fb5ecf5125226a20219b33f919a99922ac487","sha512":"54e5c09982a91cbb3ef5327640f2388d03c713768d110e49c34daae332ab09c90912679381ad73ff79c917c9c54036b5bc68356477405d5f0bd8fdaf2a468d89","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious PowerShell code that downloads from web sites","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-22","description":"Detects suspicious PowerShell code that downloads from web sites","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-07-27","nodeepdive":"1","reference":"Internal Research","rule":"Suspicious_PowerShell_WebDownload_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file Invoke-Shellcode.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-Shellcode.ps1","hash1":"24abe9f3f366a3d269f8681be80c99504dea51e50318d83ee42f9a4c7435999a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Shellcode","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file 
Invoke-Mimikatz.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-Mimikatz.ps1","hash1":"5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Mimikatz","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file Invoke-RelfectivePEInjection.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-RelfectivePEInjection.ps1","hash1":"510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_RelfectivePEInjection","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file Persistence.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Persistence.ps1","hash1":"e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd","license":"Detection Rule License 
1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Persistence","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1","hash1":"5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8","hash2":"510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection","score":"80","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files Inveigh-BruteForce.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Inveigh-BruteForce.ps1","hash1":"a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Inveigh_BruteForce_2","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files Persistence.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Persistence.ps1","hash1":"e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Persistence_2","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files Inveigh-BruteForce.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Inveigh-BruteForce.ps1","hash3":"a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Inveigh_BruteForce_3","score":"80"}}]}},{"path":"signature-base-master/yara/gen_powersploit_dropper.yar","filename":"gen_powersploit_dropper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":685,"md5":"b18e3f4930ecb2c6ad80ad20eb80a585","sha1":"8483b7c37e5b2e9dec2bf30bb6f457e5eed558c6","sha256":"cef8de29a755fc5b51ccbee8ad568bde33ad70aeeaf0164f89b1c6190c95f08d","sha512":"0096bad8b62009066e910acaa76a0a2bf58817ef01b3e14e52ff186e2ac4faf66c780b92e7cfa53fc14d3dfdd0fc23d674e1ea9618f73efb9d995c174033199f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_ps1_shellcode.yar","filename":"gen_ps1_shellcode.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":473,"md5":"f12150e0c0bfaba551b9082de1a616dd","sha1":"3d73e76fdcb5d66d47bfd30eef4120a88b8baaff","sha256":"f0b2f53a50a8cd79d283ba029cd6de1cef107c499e7cce6853f41a06d57185d6","sha512":"e2bffffffd65983edebfac18df6b8a5a60973f33d83dbe3e6b12ed9c7e7380eaadaad3b7e0ad14a2614ff202b99ec236791eed47a92feaf60446d7732cbcf429","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Base64 encoded PS1 Shellcode","trigger":"signature-base-master/yara/gen_ps1_shellcode.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Carr, David Ledbetter","date":"2018-11-14","description":"Detects Base64 encoded PS1 Shellcode","reference":"https://twitter.com/ItsReallyNick/status/1062601684566843392","rule":"Base64_PS1_Shellcode","score":"65"}}]}},{"path":"signature-base-master/yara/gen_ps_empire_eval.yar","filename":"gen_ps_empire_eval.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1496,"md5":"bb7c0be690b2ecb62f371b79fe3ca402","sha1":"6870a92960f0d72b50c4d6818d603f9728adcb7c","sha256":"edeec2460b6da457d55192c00a0cc904531f868f26c38b36b75cadf0b2ace73a","sha512":"139a137ab7aeb9a3835fbce7d93f9bcd1f220919ab2098e7862ff43cb411ffac919b595d19c0025e7720400b478927096ee98329aefe9c9870699bb71bcbeafb","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_ps_osiris.yar","filename":"gen_ps_osiris.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1204,"md5":"9331d92af7869168d6ea497edce55527","sha1":"b93d68e1fad30a44c650a70902d1481ab5b9607c","sha256":"2c6507561d32f3b59030e0491a9b6ac761a8543230469f2a953dae23efffe547","sha512":"80d4b81748306c96d93ab69b79088c90fadaaa7ae6f74c8d8e35a92b4ef4daac93124ee18367767c5f56fe750f57ecc413256352dc0d855121014fe1d618a90d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","trigger":"signature-base-master/yara/gen_ps_osiris.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-27","description":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","hash1":"19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Invoke_OSiRis"}}]}},{"path":"signature-base-master/yara/gen_pua.yar","filename":"gen_pua.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1017,"md5":"93407dfaed1bed6dca7bef9dd98661e8","sha1":"c4e4d9eb03dd17c6e0f4e5b8d4676ca2877197c7","sha256":"14690c2069f08a444875dac97da85dcdd4424a377102bf94a7f8678e78132254","sha512":"267ba62854f17aa9c41bd9a6763899e8ee729810710ddc8771f07cba03aad36b44c9bdcf941ecfc506d27a2dfec1e8e0d1c04382fb27f44cc1c3ba55a7c9ea20","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_pupy_rat.yar","filename":"gen_pupy_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2090,"md5":"c5012e69f986e57d268081de2546b534","sha1":"a2a73d54ae53224fb2931867a139ab92cf2d18ff","sha256":"2e41be33b023d591f297d1740591ec377f0718c296bf1c844b56fcba708cf83d","sha512":"69f70fc2226c39dad605cc4445edfcb7c743786c1bb795b0106a495c14924962b8a9c61f4d9cdaec7f8c4b9788d0671144bc25d368b3153037fbdf8ab53e8033","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pupy RAT","trigger":"signature-base-master/yara/gen_pupy_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-17","description":"Detects Pupy RAT","hash1":"8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations","rule":"APT_PupyRAT_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pupy backdoor","trigger":"signature-base-master/yara/gen_pupy_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2017-08-11","description":"Detects Pupy backdoor","hash1":"ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153","hash2":"83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4","hash3":"90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc","hash4":"20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8","hash5":"06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e","hash6":"be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2","hash7":"8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/n1nj4sec/pupy-binaries","rule":"Pupy_Backdoor"}}]}},{"path":"signature-base-master/yara/gen_python_encoded_adware.yar","filename":"gen_python_encoded_adware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":696,"md5":"0b06b4a81bbcac0abb396cd438383e3a","sha1":"d13d6ac2d8138e1361383261a92407cd8416d8bd","sha256":"29d3b5122b39951fdc68ec31fa3a6d778314ee6195e07bd7ba0a039de6c0a7a5","sha512":"4dc2b5872c27558e0b74a31524cd705303a323277f215ec55af6e447565c6d4b4cde2386bbdfcc8f0c248e13bf383380cbdc60418b85fd2124b2c22fc50f7653","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_python_pty_shell.yar","filename":"gen_python_pty_shell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":704,"md5":"fd59b0de74e2a9c82f842d43eed65bf3","sha1":"610ec15dbc101924e3f2cd8a76a24ba31415d8bd","sha256":"089d34f2cec574a86a886947eb6f2682e0a09565612ccaab5e366be06c9116b4","sha512":"95291f8a102339a11aba51febcca2526a3a891e021275c116de33aec6f7e540566c8b92a406fae0d048ba6c752546c19dee02923cf8a37ea0b789e91701bc9a3","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects 
reverse connect TCP PTY shell","trigger":"signature-base-master/yara/gen_python_pty_shell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Jeff Beley","date":"2019-10-19","description":"Detects reverse connect TCP PTY shell","hash1":"cae9833292d3013774bdc689d4471fd38e4a80d2d407adf9fa99bc8cde3319bf","reference":"https://github.com/infodox/python-pty-shells/blob/master/tcp_pty_backconnect.py","rule":"HKTL_Reverse_Connect_TCP_PTY_Shell"}}]}},{"path":"signature-base-master/yara/gen_python_pyminifier_encoded_payload.yar","filename":"gen_python_pyminifier_encoded_payload.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1355,"md5":"95a9c4a69a2ba2e6bc6788a1fa571c8b","sha1":"a514cfffd8b12bdd915a32597506ea528404012d","sha256":"e0d4d211425e73939304070569d470cf749cb61ea0ddbc3705a13025fd7341f4","sha512":"efaabc1bd39656284c400c882583b68a7844e0c0ee7488441ecd90b3ea0fab3cf2da24aec59f652df0a41c55fda8429b9d371aaca26b517787b971a17e7900c1","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_python_reverse_shell.yara","filename":"gen_python_reverse_shell.yara","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1559,"md5":"c94ab6e357352d4ea764cff53b3ee386","sha1":"d1789331c787da84c64929efee0a3b3dbe9c6631","sha256":"e31e100bbcf061575f416331e956fc574713ac1414a0e6b44740e705053b1f46","sha512":"29ab9e8188fa8ef079bba50fdd3e178d1dd8e8b4f04545572714b7aa55a63209203a5f374117f4256110a61bf3aaf7e6cd534481ad44a00fc584d429a080bb99","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_qakbot_uninstaller.yar","filename":"gen_qakbot_uninstaller.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1742,"md5":"4f0e28a545ed4b57cc719397aa2e9bc3","sha1":"0d28b77a2d03638ef92d8b489ab76852d908fab7","sha256":"e574f8a03bdab5594e11e5f5fcf2ac4abdedc5628ea572ca95a19c0a0c973a4b","sha512":"b578f9843312e9693ff23b88aba267bf7581f0b31f953ce216f8717ee54b99f19487f50595c57705c726935fd27d23a98ea4967b7cc27cc6efb5b1272fa44591","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_rar_exfil.yar","filename":"gen_rar_exfil.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":692,"md5":"9f9fbf3f95e57830702b79f40822f568","sha1":"59fbb43e2c2550f08a02a3c25d4562ab88c54185","sha256":"89b5ccd9a9a5d29f19c408144f2ce0bbf6bc6116a2bdbdd9b68129001d2d4519","sha512":"645be13fb2e791a0a5b8019711cf8f3033d560dfff886d51cfcf86cc85c4f8a5474b0dbabfaf809f8aded01b556f1ac2fb9f26793cddbd76fda0b53c87a04d6a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_rats_malwareconfig.yar","filename":"gen_rats_malwareconfig.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":25468,"md5":"963447b80a5eb325497277544e9d1114","sha1":"f3d282a9fd4222c53bdb5d045361a4cfdc7dacfe","sha256":"504fc7263759d9e740d17736962b587bbebc4d5747a1f52fc337459bcf0abe93","sha512":"37819dbf7cb4e1bbe5f29eba1f487271e4359dde56588937be0e4ca1abe0fca2a845d5494ee3121259f2ab5700c0405b29e2528ea2bb23c2f012f39f9623e8c7","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Adzok RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"Versions":"Free 1.0.0.3,","author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.05.2015","description":"Detects Adzok RAT","filetype":"jar","maltype":"Remote Access 
Trojan","reference":"http://malwareconfig.com/stats/Adzok","rule":"RAT_Adzok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Ap0calypse RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Ap0calypse RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Ap0calypse","rule":"RAT_Ap0calypse"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BlackShades RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Brian Wallace (@botnet_hunter)","date":"01.04.2014","description":"Detects BlackShades RAT","family":"blackshades","reference":"http://blog.cylance.com/a-study-in-bots-blackshades-net","rule":"RAT_BlackShades"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BlueBanana RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects BlueBanana RAT","filetype":"Java","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/BlueBanana","rule":"RAT_BlueBanana"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Bozok 
RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Bozok RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Bozok","rule":"RAT_Bozok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ClientMesh RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.06.2014","description":"Detects ClientMesh RAT","family":"torct","reference":"http://malwareconfig.com/stats/ClientMesh","rule":"RAT_ClientMesh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects DarkComet RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects DarkComet RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/DarkComet","rule":"RAT_DarkComet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects DarkRAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen 
\u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects DarkRAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/DarkRAT","rule":"RAT_DarkRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JavaDropper RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.10.2015","description":"Detects JavaDropper RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/JavaDropper","rule":"RAT_JavaDropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects LostDoor RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects LostDoor RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/LostDoor","rule":"RAT_LostDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Paradox RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Paradox RAT","filetype":"exe","maltype":"Remote Access 
Trojan","reference":"http://malwareconfig.com/stats/Paradox","rule":"RAT_Paradox"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects QRAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen @KevTheHermit","date":"01.08.2015","description":"Detects QRAT","filetype":"jar","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com","rule":"RAT_QRat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ShadowTech RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects ShadowTech RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/ShadowTech","rule":"RAT_ShadowTech"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Sub7Nation RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.04.2014","description":"Detects Sub7Nation RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Sub7Nation","rule":"RAT_Sub7Nation"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Vertex 
RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Vertex RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Vertex","rule":"RAT_Vertex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Adwind RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Adwind RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/adWind","rule":"RAT_adWind"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unrecom RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects unrecom RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/unrecom","rule":"RAT_unrecom"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-27","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft 
Smartscreen","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}}]}},{"path":"signature-base-master/yara/gen_recon_indicators.yar","filename":"gen_recon_indicators.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2493,"md5":"df1064d62a8dfdbd22d28a5a1eaca9f3","sha1":"908d01739b2efc3e7150fda369ccaff68767dfbd","sha256":"baeb6cedf0e9e6410b404b796f3149f2543907adba07c93be7daa71a0f43c9c8","sha512":"b9e0eea2dd72829b05d13a7cab1609503d64a8d9fa794150b62f06217674fe65f8e290bd89835745d74339993987f5b0c6f2c386567c75e1da89b924e37a975d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects outputs of many different commands often used for reconnaissance purposes","trigger":"signature-base-master/yara/gen_recon_indicators.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-04","description":"Detects outputs of many different commands often used for reconnaissance 
purposes","reference":"https://securelist.com/cycldek-bridging-the-air-gap/97157/","rule":"SUSP_Recon_Outputs_Jun20_1","score":"60"}}]}},{"path":"signature-base-master/yara/gen_redmimicry.yar","filename":"gen_redmimicry.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"assembler source, ASCII text","size":2851,"md5":"b3dfa3b21044064e4123939a376cb824","sha1":"3b44108619f4c0ed72f0f055b5dd284a80d624f5","sha256":"e3c0ad9dce76d4ca981323e42cb92d6d625f1086f80f9fd6d3bb0c204f553f2f","sha512":"459dcaabbdb80d9e75eb45a814f583a07af486227f9a8d3f2c556d42fc016fca7e8469ad46af2b3d5777d1b401fc933d0cb8f4ee3c4dd747c4959601439ab4e0","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_redsails.yar","filename":"gen_redsails.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1804,"md5":"e028b96a81c6fb47df2d172b11e9d897","sha1":"0e8f3b8466cc2f5d17c9bcb84ba9744fb5a8b27c","sha256":"7f5d6d15990c61ca6dba4fbc7b617a3fb5c3d8fa1414a0cab574374f1edec3e4","sha512":"bce5544821b0739d53e0fc4730a75aef38d143245f984813bfc5915d9487672c4a4183c35552d74bbd9888ae1db83539a1a5499a2dece818bce84d9363a8ed0f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Red Sails Hacktool - Python","trigger":"signature-base-master/yara/gen_redsails.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-10-02","description":"Detects Red Sails Hacktool - Python","hash1":"6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661","hash2":"5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/BeetleChunks/redsails","rule":"redSails_PY"}}]}},{"path":"signature-base-master/yara/gen_regsrv32_issue.yar","filename":"gen_regsrv32_issue.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":39,"md5":"8f38cbba8769b9c87b3f93001e45e0f2","sha1":"57a94d3d77a6b127bceb06f11110374e175be0a2","sha256":"a1823955d01a1bfa23597ab776583f06cab6917577d0644eef6f0e13d6715d3e","sha512":"75f5310226b1945726aec35ffa3fb0cdf733ef1c127b933eb69c894033e85c8d1723249698ee3da9e89ed17a7b7a07b343fcb21863a845a75f73810ce69394a5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_remote_potato0.yar","filename":"gen_remote_potato0.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":754,"md5":"2205a6767c822d966a0ad959976994d9","sha1":"f5eef5e64c4629bf762815dc8e42e1f3227dc432","sha256":"3b8b535a6b478b36693840d7f597c1ad30dbbccc6736c9ccc1d4f86203ab672f","sha512":"3ccdb5db4fbb6c5fce41762247582aebd5de4e23c5f9e011c28324291a1aefea85afb52b85901532e239df2740fd4f9a49d05e066aff00ebab796b6e17cefcbd","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_rottenpotato.yar","filename":"gen_rottenpotato.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1482,"md5":"c2fa47f2ba373188ef136b6ddf60aa9b","sha1":"4b0698a5830ae61f8fe6f30635f80920a8e6a217","sha256":"fe8e598a333945a04e0eea97e7eab148c9d9c3432862c31c75fea04aafc743d6","sha512":"a55f6576adf11e1f23c546aa6d9b74dbd3fefab91b4e8f72549e356cc629941418cef145c1381630cb9ce4a23be896d19124a66861753cd4987a9a4b3bf48d98","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_rtf_malver_objects.yar","filename":"gen_rtf_malver_objects.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(755)","size":2490,"md5":"e70a06885bbab027b73aecde82541c2a","sha1":"15537f0c945f8b7059fbed520dc416189abe149b","sha256":"c0c147cf3d300651cd82476f22c4de0bf46ed1482c5596661684289b60fb4f66","sha512":"b753d560289637a17506736c5efe23efe381e7e4402d41e3d055545d2364c8b60d6d2909e161df2c6d872c4cc136cc958e2e482ffebc5b6b2aad30c0ea1bd0f0","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_sfx_with_microsoft_copyright.yar","filename":"gen_sfx_with_microsoft_copyright.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2238,"md5":"40e754e4aeaa9f8b105b58a850158756","sha1":"acfdc641b85e89ecff232fd0f1b1637617c386d5","sha256":"b7fc8ead82df83c00ab8804f38c110fa1836b19512c3637f6d831a25f1745d89","sha512":"b9ef52fc4105eaa1b2e55a77b6eb015dd536fecc6d5424feb6e5d94905d1c76e32be555e3ef770d5b73327b159bc8159f6eee1a956e2674ac50724d5cb17b208","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_sharpcat.yar","filename":"gen_sharpcat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":732,"md5":"4558044dbbaa06b487bb7be11371ffdc","sha1":"1ba01260940b8dd250770634a5601eee7b9f28e4","sha256":"b1df29aa0856a33efb1a5fcc00fbb079e83d274840265406d119de1ee9bd38f2","sha512":"4e3e24dea4fcb78056aa02cefcde1512ffa749d26baea70d1f6c11fd53494b55a078e8550ae518b2c680e1b206ec6c7720139323c4c2616147c84d259f8d15b7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_shikataganai.yar","filename":"gen_shikataganai.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2493,"md5":"6802c3a0e4e63812df7b9c65056938c6","sha1":"dac9ebadac0028c6499d63bc53a327741a8c1a8d","sha256":"359c41ec2548e924ddff27a7b773e4cde54c1923ed220469db9ccde113871866","sha512":"0ec96f298e24f2da8439001a8559e7af3c14d19ab4de3609f283f58e1f64a1312c49e583a400a9294da6723c07afd636ba2738a3bbbf5c9ca1306e8ff5b5527a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_sign_anomalies.yar","filename":"gen_sign_anomalies.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":16182,"md5":"11d19120e3d34a5ac7b0f6f34cf9c969","sha1":"0e4ae58d2ec173c83545cfeb188a4ff5989ef8a8","sha256":"436a80379cd1003b449146443e821763002c8ba78ffb33730651610c53cf46b9","sha512":"d4f2ac47412c2644aa60031d2557d5fab6b08ce1dd646e12e146c2dcd31ccf0b1e681b6018339235104f5546cfaf987fa2e100c3f6a867f442e60f7bc4bc1d36","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_solarwinds_credential_stealer.yar","filename":"gen_solarwinds_credential_stealer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1607,"md5":"e566f0854b9e0907e7468e04845d0cf2","sha1":"1912fc991a0fc4a2df3d725ff6212e26e8e181d6","sha256":"2d46045e2613cad56bd6a83b138197aa47860c18f1ec0ebe0a6030471c56132a","sha512":"842d2975a5fe478664b10d12ab5f0fdc20c8d4692f9dfc357f64fe2c221d3033838acd342aa34ee6f6bf3820b2b0ec9ea9c3b2e10aed55a8af1676937805c4fa","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_bat2exe.yar","filename":"gen_susp_bat2exe.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1207,"md5":"353ceb56d1a7baa9d0053c565317787a","sha1":"83d9c6054cddb83fbe7958f2a776908fc98c3984","sha256":"69d3189ba55d30787501916c54672f3e3778e71f988ca5190e8fa924a7a71a4b","sha512":"0884fdb8431b65bbff97a704eb5f4c7e59fe449615570908c01484dfa29b18af9208a6c1415ab9b0b1ad500563498e02539b795f24bd43e4b3defd2873563de7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_bat_aux.yar","filename":"gen_susp_bat_aux.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":780,"md5":"b7c0fa98d18704ebc700601f586e9cee","sha1":"2bb50595eb39212e78a1d3ea8abadeb17e70a653","sha256":"e6b08c582c6d146b30aa9384daeef1f5c45ed77f3d7ba33f2df2919a7d652745","sha512":"af748921effbe2fbcd6ba47e3a09d59dd1afce785487bd366e4dd49e44b8d71dc22b8c494c3d5414e44feb8d26f5e3ec9f9b5f275e887e19bf7bdfb2846c542b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_cmd_var_expansion.yar","filename":"gen_susp_cmd_var_expansion.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":468,"md5":"d15866b78b37c9c932125d3e90b7edf6","sha1":"d65b81f72d42e44bf13ee069af8e26e83c5f6c4b","sha256":"fe40c35efa29cbc7e47509b882b3395f8230fff3e8fcdf53e0641d116aa6b8d0","sha512":"29441c584e85dd08dbe4de4bb41ed4adc7a7d462509f9d1e4a4d9396e3b4b0f3c1ba62956121344aa1f719a2fa94222dc48321237a1839c6d48035b2c8ca3c47","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_hacktool.yar","filename":"gen_susp_hacktool.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1440,"md5":"07e04991b460d3bea71a4be3411e2bf6","sha1":"fe722183827771c0942b5239e984b0fae9537a8d","sha256":"97f497f17c2c356d879e0638ae65402cae95df7a7b903f60c1943f250d2c44b9","sha512":"688e7cb3da7ed046594d122de48cf3f1c24dbf05c8f903424449417043c43f997f6c19c3f065bad271efeb88b2c0df2f68125cd26c737b4cc7480130bfc06656","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects code which uses the python lib sectools","trigger":"signature-base-master/yara/gen_susp_hacktool.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2023-01-27","description":"Detects code which uses the python lib sectools","hash":"8cd205d5380278cff6673520439057e78fb8bf3d2b1c3c9be8463e949e5be4a1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/p0dalirius/sectools","rule":"HKTL_Python_sectools","score":"50"}}]}},{"path":"signature-base-master/yara/gen_susp_indicators.yar","filename":"gen_susp_indicators.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":871,"md5":"bc77a13cb5cafff87fbd29e2e9df2290","sha1":"926dc71c68c3fb48d1969610f17908a7d9da8f50","sha256":"e0ea4945598a3dc9e982c8c3cf4edb158596d553dc65dbd220cd9c6fccd0a11e","sha512":"ac8c2d1ca7c2f2000b881c55617533514cfe364b45f9964d25912646cbe0dadcc6913e1fde9e637a51763384879ab543fee594c48f0ddde428991f90526fb288","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_js_obfuscatorio.yar","filename":"gen_susp_js_obfuscatorio.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"JavaScript source, ASCII 
text","size":1035,"md5":"785327500bd1a2f1b2240909f2467adf","sha1":"665575f5ba83741a060be3170258ba07d043cc8a","sha256":"7984f1fc7fc340791e133e66c4e72abb6f4ff9b814d514aebec6590c3f26adaf","sha512":"7b5ec42f44de7db4d89239d118e1708deede504466e9493f0884cb8c80326e494d36e0e7d68853e3aa590afb1ad9656e4503dd98f590e3c7dda21a776ea02f64","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_lnk.yar","filename":"gen_susp_lnk.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":398,"md5":"6af21738495f1e86ee636bb7540cea7c","sha1":"7dc1410c063006a7d0edde1f14d35b2b23f16245","sha256":"12963718410adeffb531c9a516812333cefde9516f3f39ec088b225ebecb065f","sha512":"1e6aa7c35f1d5197ebac8f74c19891cbe4dbdc4c6ce20bac0a68a896b7f0020f76003e8a618265d5651e0368006d8ef2598ec40668deac032b49fce04bb73744","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_lnk_files.yar","filename":"gen_susp_lnk_files.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2344,"md5":"9d0a10418c382f91bd4cc5071c5572e7","sha1":"c463a87949bffd05c80b9e3e32978def477265ec","sha256":"1ac2357774fe5bfaad5085e2383ae40348c1e860c846bde686696cbfca6cfbe2","sha512":"c8d8c302de36cfd42eed31e39edef5946c7f6856b248eb22811c77ec70f96d19bdb339f3be0bd36c39f23b53a0f179ba686df7c97f003a91535de053a0c8d733","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_net_msil.yar","filename":"gen_susp_net_msil.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":995,"md5":"f74ba8d541b078d64b3a77fe0c1c970b","sha1":"3365fff887900f4ee113edc7243381289198789b","sha256":"c0414aefa1d0f96e45c4a7a2810365c230cf1db32c56f03a2a86bbf81533d7eb","sha512":"9c45e60d4dd222e6b9bfc569b9e808c1c1a989c912acc30017b22eb5325c4f9ca5d063a69d4578d1fcc00fe1763426b9ace3c21f190f4afe41640bcf46db97d5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_obfuscation.yar","filename":"gen_susp_obfuscation.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII text","size":4133,"md5":"66f3ecc95cb99fac523300768349879c","sha1":"d6a05b4b612264248dd4052351c315f87950bb22","sha256":"b8f90d800cdce32068d10c32dd6da2858311bcdc8283802a8babf23b5e8d2dcb","sha512":"2911f9a8fba0adcf353cae1912fadc7708c8d4bc4e931b57324406b98fbeba554cd4f7fba033e41897f0bffef6a3d05dc5eaf7af9000c863521cac0a4ccec314","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an executable that has been encoded with base64 twice","trigger":"signature-base-master/yara/gen_susp_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-29","description":"Detects an executable that has been encoded with base64 twice","hash1":"1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9","reference":"https://twitter.com/TweeterCyber/status/1189073238803877889","rule":"SUSP_Double_Base64_Encoded_Executable"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an base64 encoded executable with reversed 
characters","trigger":"signature-base-master/yara/gen_susp_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-06","description":"Detects an base64 encoded executable with reversed characters","hash1":"7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8","reference":"Internal Research","rule":"SUSP_Reversed_Base64_Encoded_EXE","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious path traversal into a Windows folder","trigger":"signature-base-master/yara/gen_susp_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-10","description":"Detects a suspicious path traversal into a Windows folder","reference":"https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/","rule":"SUSP_Reversed_Hacktool_Author","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious base64 encoded keyword","trigger":"signature-base-master/yara/gen_susp_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-10","description":"Detects a suspicious base64 encoded keyword","reference":"https://twitter.com/cyb3rops/status/1270626274826911744","rule":"SUSP_Base64_Encoded_Hacktool_Dev","score":"65"}}]}},{"path":"signature-base-master/yara/gen_susp_office_dropper.yar","filename":"gen_susp_office_dropper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":4969,"md5":"5ca6ee0b1f4eb992fedc9f38897e3494","sha1":"43466b03ee4233f3bb378ce84e6438de308630cb","sha256":"7a5318c3b39b25125b5b2bf4e72709e3ff7462c2bb16954869ea619e3027bd9d","sha512":"c11cb3750c665257967151b39e20971f20cdd959705e2d4bc3eec7689b14f73dd321eeb0edeb4371a8e81666c8755be2436efd7bf71abd291c914e36fea6bad2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_ps_jab.yar","filename":"gen_susp_ps_jab.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1379,"md5":"6656c42f8daf8e88a909c1d7c65a4340","sha1":"24725beaa9619910237d5348bf9670dd75b73c9f","sha256":"daa272f6c709b3d6814fbc493e069c5720addd38640e6f8fbaf4174cadf60b16","sha512":"f94fb58b79acc36e9dc01b9e457309a315d9627b053555a794b50e7a05b12f431ab04cca58538afdcef747d15667d2ddf6e5ea9dcc8e1b6134a4019473b82977","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_sfx.yar","filename":"gen_susp_sfx.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":922,"md5":"3712763011f57f730a1448af3e4b487f","sha1":"4df562fddbb4c3e2ebcdba8bac23f6d9deecea76","sha256":"7687f6a3f4d3201862975ebcb7140805b1dd93cf29f1b611f4c86aae01eca00d","sha512":"4a11f0064ea6fc919148315dd56cc9b20683a1267cce9a81d8d24d5f232265fdf923f19c1a1132bf6aa7e0136a3466886583325a349ee6fe1c99452ca0df80de","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_strings_in_ole.yar","filename":"gen_susp_strings_in_ole.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1113,"md5":"eae413c43c39055c1b03e199cb751113","sha1":"4f0de548710f173c359f588000fe8ab8dd2dcc64","sha256":"5dba3dd17b39fba7a060dda7b4521a7a4f2d8ce1637e1e75c3bc70ff77287409","sha512":"eb595318ab75c5d455c8094fa713a1c6297524e74e192497015b3ac1d1a8caad5023809f58c841c2bebef382c771a6632a283f45ba0a8a55993e8657292df90b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_wer_files.yar","filename":"gen_susp_wer_files.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2081,"md5":"e2a90f9514a690afeba094d41cabbb4b","sha1":"f0d65d2d62c976171ee141f772049c0f1e4a02b3","sha256":"abbd869bf777ace5937f54063959c4082d3f1d18213110deaa0f05ffefd3c3e8","sha512":"d119e426470e9f194938d7505e9afeb10de1feadb4fb8fb946a0665a4edbaf3c8632eaef3658068ea0493e4d2d8642ba11c72116c6193e0f95b73c2eac43bb61","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_susp_xor.yar","filename":"gen_susp_xor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1497,"md5":"a2f14fd6c5f6631b7bf6b1c042edb7eb","sha1":"816d8b931e50cb0d35b2c04d1461ee183ee415b5","sha256":"f74f98644bab860042e6381399f10ab3da6cfbaed8724ac69f42b8223b79e282","sha512":"386a262cc21242f26fd492ca05bfd49e7cd0277a4eae195782df860c1708221e3c3d8da97538a8ac5887f818cd98e3a38a1ebe70fd33a3ffd7364271c0fc405d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_suspicious_InPage_dropper.yar","filename":"gen_suspicious_InPage_dropper.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":951,"md5":"c5b4b593c0ead2de17e4480485e12cf7","sha1":"373dc1d788662a5653329e86ac65bc0434cd23d2","sha256":"66a7da05254973d3ffbedf98cdaf94a65bedc9a9941790b54b2d0315dd984e7b","sha512":"a7ef04272bd6ae88b5c5fa5a00e5200cbc24c6e8b1a16d0cef61f51ff24a0220ef10640cc4a319190768d808f21f38dd37fe8a0d87e471ed95c3e566a63bfab7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_suspicious_strings.yar","filename":"gen_suspicious_strings.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":17128,"md5":"1c5ea8634faa664968436a870ab56d88","sha1":"f0d1e676a8b166031118fd557c1997e49d51570f","sha256":"ae5ac7833b5a279f311fcef6a964507ad87bebd26428bf25babc28cbe6850176","sha512":"f78071ac1c034a0f8862e9492a8325b47cea52f02c257e1ea1fecacb9971e653ebfca205121a18e1bd7d5ffee0975e170ca5fee2411e9b6022a3ea29213f3ceb","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious ","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects a suspicious ","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100","rule":"Suspicious_Script_Running_from_HTTP","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious string in 
executables","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-10-24","description":"Detects suspicious string in executables","hash1":"7bd7cec82ee98feed5872325c2f8fd9f0ea3a2f6cd0cd32bcbe27dbbfd0d7da1","reference":"https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739","rule":"SUSP_Win32dll_String"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious command line with netsh and the portproxy command","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-20","description":"Detects a suspicious command line with netsh and the portproxy command","hash1":"9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09","reference":"https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy","rule":"SUSP_Netsh_PortProxy_Command","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects method to disable ETW in ENV vars before executing a program","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-06","description":"Detects method to disable ETW in ENV vars before executing a 
program","reference":"https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3","rule":"SUSP_Disable_ETW_Jun20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_Encoded_Discord_Attachment_Oct21_1","score":"70"}}]}},{"path":"signature-base-master/yara/gen_sysinternals_anomaly.yar","filename":"gen_sysinternals_anomaly.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1090,"md5":"caf46c334f8d1b155954463c81ee0ebc","sha1":"3a5e19f73d784a5c4c7041464cd19f1c047ccb7e","sha256":"d3c7837159d2266afdcb145fe65248a6a76efbbe110db66b7461539b693a6875","sha512":"e8f2dfee59bdd69c6563ab578260167d16db7aa5dae31456614a461a73988070af983711adb1b6f77fd1043813178df49a6ff906b45674833f31a3d320690a0a","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_tempracer.yar","filename":"gen_tempracer.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":996,"md5":"df6fac84713dfcf692ddb5de1c8a58bc","sha1":"95926156d01242f9bf388deb56796803fa5c1237","sha256":"2fe4eaf1f8e74910e6c3c57b08760b40171f95a2cf69b98f53a6497c9e5db7cc","sha512":"f128f786d679b781cef48d5e62291e3e45bcbe0f62273acadb1332f3e022090cb5b821b1dde5eea7d0aa8c75dc458149812a8690a09d15119c937f25c1158474","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_thumbs_cloaking.yar","filename":"gen_thumbs_cloaking.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":39,"md5":"8f38cbba8769b9c87b3f93001e45e0f2","sha1":"57a94d3d77a6b127bceb06f11110374e175be0a2","sha256":"a1823955d01a1bfa23597ab776583f06cab6917577d0644eef6f0e13d6715d3e","sha512":"75f5310226b1945726aec35ffa3fb0cdf733ef1c127b933eb69c894033e85c8d1723249698ee3da9e89ed17a7b7a07b343fcb21863a845a75f73810ce69394a5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_transformed_strings.yar","filename":"gen_transformed_strings.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1665,"md5":"224c14bb682feb787a907930422cbe26","sha1":"5359c86d0933a57866d2738828a1c0329c3aefc9","sha256":"02472f988ca22dba3de84f815192e910ea6b25227b5b2629597a1a60f364df1d","sha512":"5007cef2220da6d5eb4674c1fc33527d22b6d1b96fa51107b0b4760fdd124f98008f5ccaaca124dbf04a12900c35119b5fff17530585596554a7cc9d873d10b6","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_tscookie_rat.yar","filename":"gen_tscookie_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1227,"md5":"4b57361f3e298506b6164cb3967cdd6a","sha1":"3207de250cdb76ccec91753ec0aeaf84c169af30","sha256":"3f68a3d1fb5eee49a3ab7721d0b601c3b808f5a72ed27e9ef889a43b15268e04","sha512":"67e0844f91eb4ebb76d08718a7941420a46ff736bd669d1d5675695bc3b556a306128944a071e7bffaa9f8e48d811e7850b671952aef6b1dc55d049c5b470a53","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_unicorn_obfuscated_powershell.yar","filename":"gen_unicorn_obfuscated_powershell.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1076,"md5":"9ddebad74c90d94fd6673250f7f137fa","sha1":"eacf91bacca207e5fab24e7cb0c5345bccc2dc67","sha256":"92e3aba0208cdabfe96dfbfc4f26c463e292d7785163d0ed78634740f24ef494","sha512":"9db08c8bac1d402b6193d764883d9c2bf995751640c05921519be1a1d9ef120184a9c9468d3e3f5708380dde348ef7dfbf5671a4bc19e729d82099d283cd2aed","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects base464 encoded $ sign at the beginning of a string","trigger":"signature-base-master/yara/gen_unicorn_obfuscated_powershell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-04-02","description":"Detects base464 encoded $ sign at the beginning of a string","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/ItsReallyNick/status/980915287922040832","rule":"PowerShell_JAB_B64","score":"60"}}]}},{"path":"signature-base-master/yara/gen_unsigned_thor.yar","filename":"gen_unsigned_thor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":735,"md5":"b4b758e36b8661272220212587efd159","sha1":"27786e979ba4771ce637c3979d8fe754522dcdba","sha256":"76f25f48dd0dbb7538d601188a536d51f8d7de616419bb718b5737ed5cec1b54","sha512":"a25266e8393fb5ee542b721aa8a904cfab81c1a480bf871d2f56702436e36a38c3209c6fa56e1cc55fb9a2b145c44a8c872b50a9c63af229ca11347f9d836752","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_unspecified_malware.yar","filename":"gen_unspecified_malware.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1175,"md5":"00f168f43e2ab4fdf7312f389b640184","sha1":"dd8c3dd0b4822c563a94d4bd897c46f785f56e19","sha256":"ea532772d9e77004d3a898e94c8ca45f2c360f852a9c14c6baa99fe103fe9ee6","sha512":"2ba59f61925c785ca5948f0790f23f77669d26269fb6427d11ee2b8defe1a7aae8c5381d333a385e1691a227ab49ab1d504c915cdb7f5809deac5d8b52919262","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_url_persitence.yar","filename":"gen_url_persitence.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":12120,"md5":"8b93b842879edc97a6e73ad69b1023c9","sha1":"c8833c402141666f8cd33c9b4c6e3530e9520628","sha256":"3411ebf63c00143cc6af45f468b0819b34808ff0ba3587d1357974acd957468f","sha512":"6bc54bf9ec9bd57342db7cc9c837dd0b8a86f24e2a14ce344a35f3d474e193239b2885ac04138838a07585c2ebbf775100eb2135058d51d5a68bce7e3a2c42d4","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects local script usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)","date":"27.09.2019","description":"Detects local script usage for .URL 
persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Suspicious_Shortcut_Local_URL","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This is the syntax used for NTLM hash stealing via Responder - https://www.securify.nl/nl/blog/SFY20180501/living-off-the-land_-stealing-netntlm-hashes.html","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"This is the syntax used for NTLM hash stealing via Responder - https://www.securify.nl/nl/blog/SFY20180501/living-off-the-land_-stealing-netntlm-hashes.html","reference":"https://twitter.com/ItsReallyNick/status/1176241449148588032","rule":"Methodology_Suspicious_Shortcut_IconRemote_SMBorLocal","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Suspicious_Shortcut_BaseURLSyntax","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL 
persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Contains_Shortcut_OtherURIhandlers","score":"35"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/ItsReallyNick/status/1176229087196696577","rule":"Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Suspicious_Shortcut_WorkingDirRemote_HTTP","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL 
persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Suspicious_Shortcut_WorkingDirRemote_SMB","score":"50"}}]}},{"path":"signature-base-master/yara/gen_url_to_local_exe.yar","filename":"gen_url_to_local_exe.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":607,"md5":"dfcb8360010af98aba1479e5f9660e9b","sha1":"3a75856e97e77f0683c4c87f01ecfee921d59353","sha256":"e9a311b2c514294aaf31723e56a731c1aa0ec67cc25f2253b38699785c40334c","sha512":"c6f1ab287e32e701c1618d73b5bf85405531bd3f6dd58760f07ec86c4d6f4b245566a0c75b6b63b374a65c131d0531963c9b6e1672032f0aa7b7aa49dc27ae1f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_to_local_exe.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Contains_Shortcut_OtherURIhandlers","score":"35"}}]}},{"path":"signature-base-master/yara/gen_vcruntime140_dll_sideloading.yar","filename":"gen_vcruntime140_dll_sideloading.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1172,"md5":"45c9657196a042218bd706ae40aca49b","sha1":"8e89443ce7c3a351bacae500444c666dbf7b7452","sha256":"49aec4ed31798769226b02e1cc05d5c651ae7a32b075dbf33ee5db2c18e04d35","sha512":"ded1b692d4e552d62155b82f8835364f515fb5544d1f9a8f7ada73b7683f607253cb9a9b80e6c23753da9b94207dcc4249304673ad44780f3861ebe33b7cf7f6","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_vhd_anomaly.yar","filename":"gen_vhd_anomaly.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":998,"md5":"0a77554415bd10b017e8c21e9a1358d3","sha1":"2aab37dacdba721c00a64300872465fa79947906","sha256":"0ad34d1bd51f1a7e6019463affd95c3ae89b3b8083f2500a602c1ca83077b2bd","sha512":"34c86ed71f1e1ea2e7b5a080b6fad4f812eb0ba85591c179fe219aaf636b8eefc54e0cb699d61e0499632900354d5ba1f287df18136badf9efe9bde3ff157e4b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_webshell_csharp.yar","filename":"gen_webshell_csharp.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1005,"md5":"7e3cfcd923e915819a6c7ed2dc00e5da","sha1":"5cf169e08fdba153735f5aef7a9b1fd2d1baf71b","sha256":"caa53f6a4d6174d118912b36f6cbf6abecf2fa4f6d376899ab46a00454487e9d","sha512":"6739d7493817c19f2c3c8683e3d13998511125de6d097a0921bfd6b068e180b0282dffa84491074ae3839ff1fbc6ae80090cdf506446f5103c863917a78b4a71","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_webshells.yar","filename":"gen_webshells.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":299358,"md5":"aa2f9dc951d64541763a1e5a632cdaa6","sha1":"77ea07e2ed3e41160691a78b3bb761b1f574a21b","sha256":"4254bf9cebf429296868d6c5e8a05272f697f3f93f3ee35a9b1439470c95cf1b","sha512":"c784e954e6fd294f628f98f7b937d04c0dc80bcc6bf3c3496bfb463a66ff8343d3759662bb3a80a6d7b4ec89a19c881845f1b53d3cfbe6ececebe66a2d31f45d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell obfuscated by encoding of mixed hex and dec","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/18","description":"PHP webshell obfuscated by encoding of mixed hex and dec","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_obfuscated_encoding_mixed_dec_and_hex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell which eval()s obfuscated string","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/12","description":"PHP webshell which eval()s obfuscated string","hash":"a698441f817a9a72908a0d93a34133469f33a7b34972af3e351bdccae0737d99","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_obfuscated_fopo"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. 
Most are catched by other rules in here but maybe these catch different versions.","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/09","description":"Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.","hash":"7b6471774d14510cf6fa312a496eed72b614f6fc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_by_string_known_webshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell regeorg JSP version","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/24","description":"Webshell regeorg JSP version","hash":"6db49e43722080b5cd5f07e058a073ba5248b584","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/sensepost/reGeorg","rule":"webshell_jsp_regeorg"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell with base64 encoded payload","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/24","description":"Generic JSP webshell with base64 encoded payload","hash":"1b916afdd415dfa4e77cecf47321fd676ba2184d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic_base64"}}]}},{"path":"signature-base-master/yara/gen_webshells_ext_vars.yar","filename":"gen_webshells_ext_vars.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII text","size":4131,"md5":"7aa2d33b7eee829969cc06ba6dab6f4e","sha1":"3e402e94743148bf886ec8126da115acc5c99562","sha256":"0c9305c3b911161c3649aefcd778f81f1501acfad8ee02bc342e91bcd3fedf1b","sha512":"3dcaf55d11061b4aa4ec5c579e4cccd20aaff67e01effc11d726d790f61fb04e14798cd60ed3913cf1aa2c64f3fbd3249570a4e62b5cd6ad84dbde29e9b633c3","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic PHP webshell which uses any eval/exec function in the same line with user input","trigger":"signature-base-master/yara/gen_webshells_ext_vars.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic PHP webshell which uses any eval/exec function in the same line with user input","hash":"90c5cc724ec9cf838e4229e5e08955eec4d7bf95","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2021-10-29","rule":"webshell_php_generic_eval"}}]}},{"path":"signature-base-master/yara/gen_win_privesc.yar","filename":"gen_win_privesc.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2793,"md5":"f32b165ebcc0f625fb43a05f93c6c7f2","sha1":"6797ff99eb368bbe7ee6535983efd94fdf49b70c","sha256":"67e6d7472f139642fd8a1490011a2a4feb2f12effe0d44f4273fe1b51ec8b817","sha512":"61e8885d5fd60798db38a0aacf77423d1ba3110464be9aaed98bb1525925136cecad1c0566544fc22caf9f3657a5aa75da5b16681235fa5279b49cdf5797071e","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe","trigger":"signature-base-master/yara/gen_win_privesc.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-02","description":"Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe","hash1":"7d34e214ef2ca33516875fb91a72d5798f89b9ea8964d3990f99863c79530c06","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/","rule":"Win_PrivEsc_gp3finder_v4_0","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool that can be used for privilege escalation - file folderperm.ps1","trigger":"signature-base-master/yara/gen_win_privesc.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-06-02","description":"Detects a tool that can be used for privilege escalation - file folderperm.ps1","hash1":"1aa87df34826b1081c40bb4b702750587b32d717ea6df3c29715eb7fc04db755","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.greyhathacker.net/?p=738","rule":"Win_PrivEsc_folderperm","score":"80"}}]}},{"path":"signature-base-master/yara/gen_winpayloads.yar","filename":"gen_winpayloads.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2258,"md5":"f0387463e55f2bf7fcefa8b704c128ee","sha1":"9f51acc336ba38a39c84f96c87382475656439c0","sha256":"8ae6f126c14f45b843c7311202436b778096b9570568e3d201e7ad83e7766dd0","sha512":"57555ad8e4dcb2a8580c658c07922fc1e65b40b73e751e71cd0888dc2e2b2d7c4fd6d1abbbddf362bdf2e53decd27e724d13f920e0e7fd8520c3de87557b1d15","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects WinPayloads PowerShell Payload","trigger":"signature-base-master/yara/gen_winpayloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-11","description":"Detects WinPayloads PowerShell Payload","hash1":"011eba8f18b66634f6eb47527b4ceddac2ae615d6861f89a35dbb9fc591cae8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/nccgroup/Winpayloads","rule":"WinPayloads_PowerShell"}}]}},{"path":"signature-base-master/yara/gen_winshells.yar","filename":"gen_winshells.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":5410,"md5":"e4970d5e193fcec0dbb7846a7c9a210d","sha1":"f3b0e059061d6aba9ac916cc12f9254d7b753d30","sha256":"d2685da141d0ddf666db6704df2b2e72b72eb8a070aa0f4cce12fc6d2a5f5474","sha512":"f1041a4f9817283ee6edf921c10b820ca562ce6a3023d78f4c7ce6db6411bf0da77edaacb328d2b96d4d93ad0b69aaf558444b906e8a7392a6f1c4bb359443fa","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects simple Windows shell - file s3.exe","trigger":"signature-base-master/yara/gen_winshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - file s3.exe","hash":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_s3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects simple Windows shell - file s1.exe","trigger":"signature-base-master/yara/gen_winshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - file s1.exe","hash":"4a397497cfaf91e05a9b9d6fa6e335243cca3f175d5d81296b96c13c624818bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindosShell_s1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects simple Windows shell - from files keygen.exe, 
s1.exe, s2.exe, s3.exe, s4.exe","trigger":"signature-base-master/yara/gen_winshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe","hash1":"a7c3d85eabac01e7a7ec914477ea9f17e3020b3b2f8584a46a98eb6a2a7611c5","hash2":"4a397497cfaf91e05a9b9d6fa6e335243cca3f175d5d81296b96c13c624818bd","hash3":"df0693caae2e5914e63e9ee1a14c1e9506f13060faed67db5797c9e61f3907f0","hash4":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","hash5":"f00a1af494067b275407c449b11dfcf5cb9b59a6fac685ebd3f0eb193337e1d6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects simple Windows shell - from files s3.exe, s4.exe","trigger":"signature-base-master/yara/gen_winshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - from files s3.exe, s4.exe","hash1":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","hash2":"f00a1af494067b275407c449b11dfcf5cb9b59a6fac685ebd3f0eb193337e1d6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_Gen2","super_rule":"1"}}]}},{"path":"signature-base-master/yara/gen_wmi_implant.yar","filename":"gen_wmi_implant.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1124,"md5":"82ccc02c52c8490b85cc6578fe2b6067","sha1":"1ef34d8c3b398123519582a577091b0d50b687e0","sha256":"920b91a15d7e1dce78c56375ecea518649ae31ebe6ec4465f91c75a3444e8db7","sha512":"a2d581d6f21e037672376a94589e7463f6caf89902617830d8d10742595edf1e56796b1d04eef4c2b5f0599c1a44fbb8d5b4159592b5ca6ced6f5644266a4fee","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file WMImplant.ps1","trigger":"signature-base-master/yara/gen_wmi_implant.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-24","description":"Auto-generated rule - file WMImplant.ps1","hash1":"860d7c237c2395b4f51b8c9bd0ee6cab06af38fff60ce3563d160d50c11d2f78","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html","rule":"WMImplant"}}]}},{"path":"signature-base-master/yara/gen_xor_hunting.yar","filename":"gen_xor_hunting.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2207,"md5":"d2569e50b4636450363cb8fcd04a94b2","sha1":"38303bc6370f0cc3e1f0cd26f327a8548f87b97d","sha256":"028dc8378bd97f9dfc907815321537c462782d62c26db285ba20533383bbb1c7","sha512":"a37c5cc3743170ffd6b8475a1a6d9801eb0b2448b052ac072babc3db6124491382b5439754cde6c599b8443780a6db5612e9d64647f68b7fe12877bd98ed884c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_xored_pe.yar","filename":"gen_xored_pe.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1062,"md5":"175d781545b45db9c1457c1bef4efada","sha1":"e3642ddbf1a4541fbca77af0fd519d6f152c5a62","sha256":"a384f6ef57e1ca74265d6d0dd130141ecd4438c68b9b90c8d00d3d37a18d653d","sha512":"03a540fff2e5f1e1bd5eb42d6dadca020371397adb30c10a6b9aecdc1fc2553fd731a7104d4ac2ff4fd10eaedb80d9af8e2c53e3495757ff3b739dbdbbf1e4eb","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_xtreme_rat.yar","filename":"gen_xtreme_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3190,"md5":"6610a9de4b1212f17cc2e9ed0c574b92","sha1":"cb34a1695bd323d4307141fca944349fe6b05566","sha256":"7284925149fb775b8a945c111baae420feb1cde91c6a1511bf0704edea61902f","sha512":"9c8749012d4c355f564fe779e1064e070e260b0a7989e29acb3c7d173ffe590aea3ee1edfb64101ae06e0c712b4e28b30db13603f33cd5a6a352e5a51fdfa4fc","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/gen_ysoserial_payloads.yar","filename":"gen_ysoserial_payloads.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":5107,"md5":"3e62203916ef6b07d4b3b947104c6b1c","sha1":"15de270debb1b9512d48bf283bd53b89c96b04ad","sha256":"a9d7a6547a3838498b7c1f197e94dcbfc5915fd2227707935778a5679ecf90b0","sha512":"be227e8065db1bf325648220e7f41a69b7029dfbf28eac90919a4f953f427508e10d72b23f018b533e8b7dd3ce7b6830d090f7c824a9e723a3a1003f17a9f3f5","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Ysoserial Payloads - file Spring1.bin","trigger":"signature-base-master/yara/gen_ysoserial_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial Payloads - file 
Spring1.bin","hash1":"bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703","hash2":"9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a","hash3":"8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8","hash4":"5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c","hash5":"95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1","hash6":"1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187","hash7":"adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload_Spring1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Ysoserial Payloads","trigger":"signature-base-master/yara/gen_ysoserial_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial 
Payloads","hash1":"9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a","hash10":"0143fee12fea5118be6dcbb862d8ba639790b7505eac00a9f1028481f874baa8","hash11":"8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8","hash12":"bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703","hash13":"f756c88763d48cb8d99e26b4773eb03814d0bd9bd467cc743ebb1479b2c4073e","hash2":"adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7","hash3":"1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187","hash4":"5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c","hash5":"747ba6c6d88470e4d7c36107dfdff235f0ed492046c7ec8a8720d169f6d271f4","hash6":"f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929","hash7":"5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56","hash8":"95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1","hash9":"1fea8b54bb92249203d68d5564a01599b42b46fc3a828fe0423616ee2a2f2d99","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin","trigger":"signature-base-master/yara/gen_ysoserial_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin","hash1":"f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929","hash2":"5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload_3","super_rule":"1"}}]}},{"path":"signature-base-master/yara/gen_zoho_rcef_logs.yar","filename":"gen_zoho_rcef_logs.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":946,"md5":"f2178abb5ad22d2971b22fb86baa4b89","sha1":"5fe0f37e930d5efe77b9887448c79f9b81ec61d3","sha256":"285ba1c06fa4e9062031a17402378c4e83cc15f661982cf680669ffe1b864614","sha512":"62c9962606e154beb868ab4eec09474fa160c71188fe56c7b9c43dd1882841903f5ad6f8f0bb96e4d0a67774212c733036e5cb42061d954a740317318bebbdf2","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects lines in log lines of Zoho products that indicate RCE fixes (silent removal of evidence)","trigger":"signature-base-master/yara/gen_zoho_rcef_logs.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-06","description":"Detects lines in log lines of Zoho products that indicate RCE fixes (silent removal of evidence)","reference":"https://twitter.com/cyb3rops/status/1467784104930385923","rule":"EXPL_Zoho_RCE_Fix_Lines_Dec21_1","score":"65"}}]}},{"path":"signature-base-master/yara/general_cloaking.yar","filename":"general_cloaking.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(314)","size":6206,"md5":"b562940c4a9239b5f33935ab54b91bb5","sha1":"069f8136fc19ecef9bb697b4e37936aceafc8edc","sha256":"514788a43d3aacef6ad89171033533905fae0aa07d5fccf8214cc9118e60628f","sha512":"00b0268abf93a59d729c469bb3849295015659196627a5f060d8257d50913d5bffd9d467199ca786c2e2a349a87ba4af76f4b52041226593f03cbffb580aa22b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Certutil Decode","trigger":"signature-base-master/yara/general_cloaking.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-29","description":"Certutil Decode","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Certutil_Decode_OR_Download","score":"40"}}]}},{"path":"signature-base-master/yara/general_officemacros.yar","filename":"general_officemacros.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2704,"md5":"49b067a746cf6510dc66dc1bb71e06f4","sha1":"6fadd23574f5fc7f3772c0c96b5b1c90091f1793","sha256":"bc26368ac77fd8663f12867da0b6c1cbb884aa4ba0257d0a809cf7189182d2aa","sha512":"9377d37e2fda600e6b8833623b0fabe45a348ff44f2c41e8cdf2efd407beb1e777a25cddad093cdd463d0ca52fc62123e2fa4f61867776c0ef681d2e61508c28","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/generic_anomalies.yar","filename":"generic_anomalies.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"exported SGML document, ASCII 
text","size":18934,"md5":"1bf16400a8479cdd5db1570454235720","sha1":"039a638cab95919315da2c325057afce83bb4535","sha256":"b36b8dc36753ecfefcafd5f67f505198826477d0785cf8dadd5635797a7b2c76","sha512":"943019784575233f80d5dad28cd3df0c715ed948767659470e04b305dcfb04baaec7c6c6343f5c37692d61259d036469793fa1fd40caf7b1112ff6f6d1bd0adf","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/generic_cryptors.yar","filename":"generic_cryptors.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":943,"md5":"c7fcfab79a284bc087eab51fe956ec5a","sha1":"78bbe70ac859b32bdba8d355726b923d3a4cc0cb","sha256":"25568bfe50bb1f23916e602f8c8b267060173a9615c4cfd7ad66927670aeffa7","sha512":"0ded1bd5d4bf837a186a135782ede1ceedcb95ce091302940a9d58ab31066982aceeecee7cbdafd97cfbfebec61731e3a1a692421718aea1b5b08a361571ec1c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/generic_dumps.yar","filename":"generic_dumps.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2081,"md5":"2db72ff883cc49775a3e484f10387f34","sha1":"5fb437dfff62c41d190875982716a1484d17f5e6","sha256":"fc314e7b5c393e86f4b2f7b194a1065a37853405c5f107cf05bd1c9fbcdebb60","sha512":"7feab625b46231697fe78c378ec56df5203e557dcd3c45306c8a6361ec92145a46ccbdb906b4c584c90718998cc69e4aec7e02950332f7de3fede157f8e4c843","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"NTML Hash Dump output file - John/LC format","trigger":"signature-base-master/yara/generic_dumps.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-10-01","description":"NTML Hash Dump output file - John/LC format","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"NTLM_Dump_Output","score":"75"}}]}},{"path":"signature-base-master/yara/generic_exe2hex_payload.yar","filename":"generic_exe2hex_payload.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":808,"md5":"00627b291709a56a8fa0fe65994feda8","sha1":"cc44477600d1bc4544d4997dff48e998cbc1e54f","sha256":"fdb4b31835ba5193c1be53fb40aadebfb47218d2e9518eb97298647bb83b4312","sha512":"1feebfecd706f137681a60c9c860ec6f3b5f630e0d3758bdb5fa334516930d0049045d6792197f5fba8105016670d0acc05ef2282753d16d5fa8795bad4a7f9c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects payload generated by exe2hex","trigger":"signature-base-master/yara/generic_exe2hex_payload.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-15","description":"Detects payload generated by exe2hex","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/g0tmi1k/exe2hex","rule":"Payload_Exe2Hex","score":"70"}}]}},{"path":"signature-base-master/yara/hktl_bruteratel_c4.yar","filename":"hktl_bruteratel_c4.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":13421,"md5":"15d557f4049c581fcc1c6220af52ffeb","sha1":"ecbb9b9dc948e8a37a42abbebfb748821e646493","sha256":"1516a138c75954c8b4ffff17e3b0882b262ef793f51b840a38d65cc5338ce110","sha512":"ba40249796c270781d3a9221b5945236513a05d4d9438ae9e55f4211b85a327f47c94a31f6ebecd499809eeb3b0317a1438db5c444a5fe92338b71043644833d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hunts for known strings 
used in Badger till release v1.2.9 when not in an encrypted state","trigger":"signature-base-master/yara/hktl_bruteratel_c4.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@ninjaparanoid","date":"2022-11-19","description":"Hunts for known strings used in Badger till release v1.2.9 when not in an encrypted state","reference":"https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara","rule":"brc4_core","version":"first version"}}]}},{"path":"signature-base-master/yara/hktl_bruteratel_c4_badger.yar","filename":"hktl_bruteratel_c4_badger.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":600,"md5":"86a20367629f4d95b528e88f221eb9e6","sha1":"45627e67b0631706498945ce10ac280fcd61ed26","sha256":"23ad8f89a1a460b1c80a4cbf93ec98a515b084b3afef4a5df8b890b791646175","sha512":"9cdc21c2b31c05faf31bd8b976eddfd40299f5aadd4051c83a425dffb1aff53fd9efa87dd9f79124e8868e5a512fc81698b3dae7ab8b7b4fb18f655b16fc0e11","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/hktl_natbypass.yar","filename":"hktl_natbypass.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":896,"md5":"b3375408c273d5d699a48139e2307e6f","sha1":"56e273bcf1d383b9f9e0afe7023273b14c356edb","sha256":"0f9933a9f4d902182e80918af66b6a807f82d8af2033f19d372d3aa24883df11","sha512":"f101e14224ac0846cec79f42ed15ccc8155b3d60e67b1d4d4c6283f1e4301a7cf6716ac8b9c1c8682d71bfd2439d86468691a3e5f4a709fb9f70ed617b84c3a4","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects NatBypass tool (also used by APT41)","trigger":"signature-base-master/yara/hktl_natbypass.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2022-12-27","description":"Detects NatBypass tool (also used by APT41)","hash1":"4550635143c9997d5499d1d4a4c860126ee9299311fed0f85df9bb304dca81ff","reference":"https://github.com/cw1997/NATBypass","rule":"HKTL_NATBypass_Dec22_1","score":"80"}}]}},{"path":"signature-base-master/yara/log_teamviewer_keyboard_layouts.yar","filename":"log_teamviewer_keyboard_layouts.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1705,"md5":"83bb6f4338e5fe7bc42149c12d9b1a22","sha1":"ad402fa0daa559c4300e0de9b41a4f2b5ef23186","sha256":"8cbc27f492751748231b4f138d663bd7c0f6ebd56071ea23ea6988f9cd499ac4","sha512":"6a897fb06ef58fc96e5e47d6de3f4d2bbf6d868e5b9b8034e62e9403f4735404032e9bc980e839a4bb659df9fe83bc4cdb5f3c360508bb85ff11c029e1c56de4","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout","trigger":"signature-base-master/yara/log_teamviewer_keyboard_layouts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-12","description":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout","limit":"Logscan","modified":"2020-12-16","reference":"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs","rule":"LOG_TeamViewer_Connect_Chinese_Keyboard_Layout","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard 
layout","trigger":"signature-base-master/yara/log_teamviewer_keyboard_layouts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-12","description":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout","limit":"Logscan","modified":"2022-12-07","reference":"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs","rule":"LOG_TeamViewer_Connect_Russian_Keyboard_Layout","score":"60"}}]}},{"path":"signature-base-master/yara/mal_avemaria_rat.yar","filename":"mal_avemaria_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":596,"md5":"0bdd2f16b011b5a2356ae531ce587647","sha1":"2e7d1e3071f1c7ba17e9411a694644825d8f2d8b","sha256":"f880da003c17af4139d708dd38c9b992137f583b772cc857713565d518b8caa4","sha512":"72992702c6a9b1b095445d9f123cd4351ebade1845dfac56b2dafaa62b56af8f11007af307c291697293a673f78125ae637feed5b175dc3bc0c8241385d0ba40","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_bibi_wiper_oct23.yar","filename":"mal_bibi_wiper_oct23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1812,"md5":"7d60f5381a1edb9792db5b6531171c12","sha1":"636ce07593cb60eb41ec3a0c51bad6f5340ff9f2","sha256":"1b5139c0e52a588a4b9508287d110e43b0ca5100633f48534d38d347efe269ec","sha512":"e3d27a42352381cc4b7455fa558159e6f1811876ef3537e7a4091a35192e021a549166ed1091ffec8f05ca94bd8986435f61257a67159b73b5e3f144c9efc4e9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_codecov_hack.yar","filename":"mal_codecov_hack.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":560,"md5":"b06ccbcd5bd94ee06d642d3851a9d34e","sha1":"4705af1da4a1711c304cdad5621d82911a117a79","sha256":"1f7dedcfbcfac2b67f62845a6455a56549b690627b11c8193502eb6033a55b4f","sha512":"3af2b6406e83d0690f92c288b438d7164bd292bc72e057e5195c8f4515ff8d3af2c39d9b7472c2f953d833620590ab33cf4e145334b0ed9cfaa344ca2c1a400f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_crime_unknown.yar","filename":"mal_crime_unknown.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (447)","size":2910,"md5":"458fa863a2c1d00ea9f44f01f893755e","sha1":"862a1847a42119812d92c86f9bec4a584b4e4d06","sha256":"58eb6a3e8d4a25dd7be947a938f1deb030beb85c869689db4ef20d616a585826","sha512":"1b784a6cae7cf52b69d6973ae1abde5a674dbc08af7eeed561bc616bfcf7388ab34a1191f5fd7b2199af6c287026cf9f11623c8300b0c42dc36c93d4f7e5ce29","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_cryp_rat.yar","filename":"mal_cryp_rat.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":581,"md5":"102ceea5b1230f7649bae202682648ae","sha1":"22d4c330b3bb5eae9f4ca7679ab072f161824a69","sha256":"a6430d45e91368fb6c50583311b9ffe5dfe73eeb5ac9d366969accbfb74305a5","sha512":"797be4f7aafa59db33ddddc4355d709d84489b3bfdbf8c1b2921ec43d0239f526c293ead133d0012c04b4178df9d81512a693898dca38afa1877452e9fcb1f1d","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_ducktail_compromised_certs_jun23.yar","filename":"mal_ducktail_compromised_certs_jun23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2270,"md5":"3cfd83f8ea682ff5d1a0c781c1ab3e41","sha1":"e2bf3a6aa17e78691553c467d462e3ed507cbe77","sha256":"47a1dc2d9f43243be5b4a32afb873ad73cedbcbd1f96586c0e22c83a8c711cfe","sha512":"bd483ebb7a9de40f9cbf2834988080820ac9a9be8bc0ab50ff4895bf76efe20ed6c63acb44c12876f6cf5d1d60fb535a3397673af880650ee5c3f9db9f9fadfa","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_efile_apr23.yar","filename":"mal_efile_apr23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":973,"md5":"4454fe13ac791aaa43cc189ac3254154","sha1":"1ea4edbc1200f7f8543cee057d1cc00d4986b69b","sha256":"d600b4faf92ca7078876bdef77ca3fe9fec70f55bb85bdd45f87f37ecad13980","sha512":"7cf4fb7dc0984ffb7347af721ffb38a9058503c411717a20c27488fca8f741caf519222c21d9ca2ee7cf8eabc9ace819ebe7f6d7ea4a80cd2c6c81dace71bb2b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_fake_document_software.yar","filename":"mal_fake_document_software.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":841,"md5":"61dc48be50c606a753c63924c263d421","sha1":"ad87cb2dbce39a332b4442461f3e0cd33eea2ecb","sha256":"4b91c4ce5092a4747b4b2e1d66bb084102a9d259e76fc71b7315b9e22413ae1c","sha512":"18d559f6395f34d7fcbf4073805c27b9b3a1f5c76bd04d37e54626e3da5891c50b6fd39f66d09eac3c1020adee8ec9baff001fdbe070755d89f6898c8712b857","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_fortinet_coathanger_feb24.yar","filename":"mal_fortinet_coathanger_feb24.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1348,"md5":"d90f312735a89b5c2b742c782332b2e8","sha1":"952d6ca3ef9f9218ccab3c9b270913d873902528","sha256":"00f9c3b49069e63efbf6caf87d337513ca4cba245af1bea2e901f465755f3138","sha512":"2904e1bb95c0ec4f5da6adddc4096f93e468781b1bb7b0b4887a24e1cdd81c78a6ccad8009a71e8b47e13f693115764034707a7178c0e5e94ebd53acc9b22590","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_go_modbus.yar","filename":"mal_go_modbus.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":789,"md5":"2ec5daac8c458e1b90e5b53211484234","sha1":"c9d9a4da698fea73a1b3d0b1fe7c20d1049ead5e","sha256":"70b34e5d553df6f5f3eaddae549bebffe6403d794c20e474aa625901023794ea","sha512":"fc3187a815ef44813b40eac1c6a6803831f6e2c046461a50d0d1b144d558610c7425e9ce4c1903999037402a2cee24dcaa6f5e1ad18220682f3def50bfc668c9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_lnx_barracuda_cve_2023_2868.yar","filename":"mal_lnx_barracuda_cve_2023_2868.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1533,"md5":"42e50b51c9f9c2ebac880d8c6ac278f3","sha1":"09dcba9bb2e3d4a83b91d3ead3731cca6fd6e314","sha256":"e047e0064c0363f4e85a8cb340b9026ab4d6c9613c91ff6ed27e003a247e0d16","sha512":"b65a641c367b82c127ada2dbf634aeb92e6932e76df3e25e665dff28fbb1cab7f32a05d013f8bd2523bf87c1c3e6d1d06f44534702d2fcf5ac47687423a6d16d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects SALTWATER malware used in Barracuda ESG exploitations (CVE-2023-2868)","trigger":"signature-base-master/yara/mal_lnx_barracuda_cve_2023_2868.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-07","description":"Detects SALTWATER malware used in Barracuda ESG exploitations 
(CVE-2023-2868)","hash1":"601f44cc102ae5a113c0b5fe5d18350db8a24d780c0ff289880cc45de28e2b80","reference":"https://www.barracuda.com/company/legal/esg-vulnerability","rule":"MAL_ELF_SALTWATER_Jun23_1","score":"80"}}]}},{"path":"signature-base-master/yara/mal_lnx_implant_may22.yar","filename":"mal_lnx_implant_may22.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":10648,"md5":"821787f9205a9c8c3b3dbc828a1c8bce","sha1":"e7a42a271a6c96a434e5d90d6b7485a5992e9d45","sha256":"a012f2405bf620a7fe279848c7ff34b1da01fa163b403c6a6d2e01ec0669f1e4","sha512":"d656208e389617431ebc8f2f9c827d30edfa9e63e05ca517dd74a62709b8805a7ebf75f066d93f3ee0d03e9f2cee026a0c24ae680c98cb7d583c9467af783935","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BPFDoor malware","trigger":"signature-base-master/yara/mal_lnx_implant_may22.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-05-11","description":"Detects BPFDoor malware","hash1":"afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7","reference":"https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game","rule":"MAL_LNX_RedMenshen_BPFDoor_May23_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BPFDoor implants used by Chinese actor Red Menshen","trigger":"signature-base-master/yara/mal_lnx_implant_may22.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-05-08","description":"Detects BPFDoor implants used by Chinese actor Red 
Menshen","hash1":"144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3","hash2":"fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73","reference":"https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896","rule":"APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BPFDoor/Tricephalic Hellkeeper passive implant","trigger":"signature-base-master/yara/mal_lnx_implant_may22.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Exatrack","date":"2022-05-09","description":"Detects BPFDoor/Tricephalic Hellkeeper passive implant","reference":"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf","rule":"APT_MAL_LNX_RedMenshen_BPFDoor_Tricephalic_Implant_May22","score":"90"}}]}},{"path":"signature-base-master/yara/mal_lockbit_lnx_macos_apr23.yar","filename":"mal_lockbit_lnx_macos_apr23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3930,"md5":"f383d45f39d80409b466bc741718bde9","sha1":"f16947bef300c7ff5ca4cd483c3e18c69e54b588","sha256":"b7b1f9aca344cd120329762dda90ec7e9dc48cec6f396754b2e3ca25904191c5","sha512":"35435cabd02dfb817b9748f3286771ee88b0882cb9a38f86459d4d53a6035ebace5a29ea45c9b54282bd00de4f5d97db2b1cbe631364f735c8a5fbef29c0f5e6","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects LockBit ransomware samples for Linux and macOS","trigger":"signature-base-master/yara/mal_lockbit_lnx_macos_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-15","description":"Detects LockBit ransomware samples for Linux 
and macOS","hash1":"0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e","hash2":"9ebcbaf3c9e2bbce6b2331238ab584f95f7ced326ca4aba2ddcc8aa8ee964f66","hash3":"a405d034c01a357a89c9988ffe8a46a165915df18fd297469b2bcaaf97578442","hash4":"c9cac06c9093e9026c169adc3650b018d29c8b209e3ec511bbe34cbe1638a0d8","hash5":"dc3d08480f5e18062a0643f9c4319e5c3f55a2e7e93cd8eddd5e0c02634df7cf","hash6":"e77124c2e9b691dbe41d83672d3636411aaebc0aff9a300111a90017420ff096","hash7":"0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde","hash8":"3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79","reference":"https://twitter.com/malwrhunterteam/status/1647384505550876675?s=20","rule":"MAL_RANSOM_LNX_macOS_LockBit_Apr23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators found in LockBit ransomware log files","trigger":"signature-base-master/yara/mal_lockbit_lnx_macos_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects indicators found in LockBit ransomware log files","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_Locker_LOG_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artifacts found in LockBit intrusions","trigger":"signature-base-master/yara/mal_lockbit_lnx_macos_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects forensic artifacts found in LockBit 
intrusions","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1","score":"75"}}]}},{"path":"signature-base-master/yara/mal_netsha.yar","filename":"mal_netsha.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1387,"md5":"298f29aadfc2a31185f516a65baee903","sha1":"10b464036b5e5d1bfc7728b37c98bc4f5c142c0b","sha256":"b26a80b478859ef9f22a79550c958154224cb2b11af26a776d3b970496120d83","sha512":"b26a7be68f7ead89a9c990e163b50bc4ba71b4906fb6122d2aa6445304e9ce25b011448fe51e518e2e47d24b3ec578ef76ec706bd4d2b245e21b9d266d4bbdbe","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_passwordstate_backdoor.yar","filename":"mal_passwordstate_backdoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1194,"md5":"8751be03e4487e396cde802f0eb939bc","sha1":"42ac04cfdf8f31c33864cf694578217526205811","sha256":"90bdcccf3aa94b870eec4ca269a7ce34a7318a9e6e6b27701acf95f7e7e8dd1c","sha512":"3c290d1db8619085ea09e0260a876b05c56adea1d8e1dad7196f2776b203223a5567f8f1ad8e6aae14436962fef4449ac5684eb4496bd05f9c59058f2217d14b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_qbot_feb23.yar","filename":"mal_qbot_feb23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2623,"md5":"e72ba9bc24a12e989bc8dead5321568d","sha1":"1d6216089bf0ec0c9022ef5c77e11142891b317a","sha256":"7f10400c3acfb021c9be390c257dee421e151929743cb6ea3d248d0d722bfb52","sha512":"6702dd8350025459aeaf77c4a0d86accc52288dd926ccc41932a834b1eaf156f0c0ecfb776b959e98ca7ed7e38cd0a26c93292d085f0692c2a7fc775ff0f9875","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_qbot_payloads.yar","filename":"mal_qbot_payloads.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":2298,"md5":"9c386eb7160a301cc8e11215b9c11a62","sha1":"5bc19a02f01d14ab60174005ae0e91f059831176","sha256":"79711ad667a5ae35c0cb1a59e302b3ee9e862157aa6e10d26f11da385f6f0948","sha512":"68be31bde0bb2b64d86dad2d713a15330520e2cdbe059aa29bed9b623735b91dd48b4becd881dfe0465f9d7f44e2059a2aa2d70055669beb13b3c13afdcc6002","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects double encoded PKZIP headers as seen in HTML files used by QBot","trigger":"signature-base-master/yara/mal_qbot_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-10-07","description":"Detects double encoded PKZIP headers as seen in HTML files used by QBot","hash1":"4f384bcba31fda53e504d0a6c85cee0ce3ea9586226633d063f34c53ddeaca3f","hash2":"8e61c2b751682becb4c0337f5a79b2da0f5f19c128b162ec8058104b894cae9b","hash3":"c5d23d991ce3fbcf73b177bc6136d26a501ded318ccf409ca16f7c664727755a","hash4":"5072d91ee0d162c28452123a4d9986f3df6b3244e48bf87444ce88add29dd8ed","hash5":"ff4e21f788c36aabe6ba870cf3b10e258c2ba6f28a2d359a25d5a684c92a0cad","reference":"https://twitter.com/ankit_anubhav/status/1578257383133876225?s=20\u0026t=Bu3CCJCzImpTGOQX_KGsdA","rule":"MAL_QBot_HTML_Smuggling_Indicators_Oct22_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-27","alert":"Detects QBOT HTML smuggling variants","trigger":"signature-base-master/yara/mal_qbot_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Ankit Anubhav - ankitanubhav.info","date":"2022-06-26","description":"Detects QBOT HTML smuggling 
variants","malpedia_family":"win.qakbot","rule":"QBOT_HTMLSmuggling_a","yarahub_author_email":"ankit.yara@inbox.ru","yarahub_author_twitter":"@ankit_anubhav","yarahub_license":"CC0 1.0","yarahub_reference_link":"https://twitter.com/ankit_anubhav","yarahub_reference_md5":"1807f10ee386d0702bbfcd1a4da76fd1","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"8db8aecd-53ae-4772-8d9c-38b121cfe0e0"}}]}},{"path":"signature-base-master/yara/mal_ransom_esxi_attacks_feb23.yar","filename":"mal_ransom_esxi_attacks_feb23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":4911,"md5":"5c680a531269fbcfdbb4e02819ba815c","sha1":"6f539b5d32fb5e442c598c40c281c8b034c93b3f","sha256":"7d2f5fb2d835b51dcfc2048b359559dc91f70220a548ddff153b908a611f11a9","sha512":"7ed7e159d6d7f191d12aa462b934b49dabf7333479ad36c0eee402857c1bfce816c45bc98c2bb0c51b9eef41847118657e43a723457286162a150f99305d848a","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh","trigger":"signature-base-master/yara/mal_ransom_esxi_attacks_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-04","description":"Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh","hash1":"10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459","reference":"https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14","rule":"MAL_RANSOM_SH_ESXi_Attacks_Feb23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ransomware 
exploiting and encrypting ESXi servers","trigger":"signature-base-master/yara/mal_ransom_esxi_attacks_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-04","description":"Detects ransomware exploiting and encrypting ESXi servers","hash1":"11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66","reference":"https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14","rule":"MAL_RANSOM_ELF_ESXi_Attacks_Feb23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Python backdoor found on ESXi servers","trigger":"signature-base-master/yara/mal_ransom_esxi_attacks_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-12-14","description":"Detects Python backdoor found on ESXi servers","reference":"https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers","rule":"APT_PY_ESXi_Backdoor_Dec22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malicious script found on ESXi servers","trigger":"signature-base-master/yara/mal_ransom_esxi_attacks_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-12-14","description":"Detects malicious script found on ESXi 
servers","reference":"https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers","rule":"APT_SH_ESXi_Backdoor_Dec22","score":"75"}}]}},{"path":"signature-base-master/yara/mal_ransom_lorenz.yar","filename":"mal_ransom_lorenz.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1249,"md5":"d8021422e961976e80bc56648c60dc71","sha1":"3719ccf604164af3edea615fac219faafc759978","sha256":"9773667881798d80ce2965c1a0c39bffa2ec5306dc366ecad01b422de57440ff","sha512":"dfbf406d4d5b47a52c4a5a40c4c165eeaf7837d2775d6b3b47677ff272d6eefe85a538f5036c3d57a3db79cd5c7b17c2892b4036091ed764fe50380bbb9cdf54","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/mal_ru_sparepart_dec22.yar","filename":"mal_ru_sparepart_dec22.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (397)","size":1956,"md5":"cb82039e2ace812e861e8b69fbc3cd48","sha1":"784c51788f8af7a2ec18ed6e288039d1cff61a74","sha256":"ca4d44ce97aa656332f21f22b856e6f36c649aaccc141dbe6746f12bdd524c4b","sha512":"a6948f54995b0e874649183a0f08ef796e9aea2c70b5a6a772bb4ab484e7983245bfc2977f33d48829a65be45dd5c48c5c0c4f1503623c78fe8f26eef38ff42f","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/pua_cryptocoin_miner.yar","filename":"pua_cryptocoin_miner.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":2928,"md5":"e73edeee16dd3ff36fb83af66ea11581","sha1":"c0f9c5a726790754f672d0460236f3ceb62ec01a","sha256":"0144596e3d328f29fd00419937d3785dd6b92bba50595bf10c79c4fa5e32310f","sha512":"1cf413bdc898cc8bf6d88b80344de9eb3c5ff01c58bf0877c99f11315af10dc8c4d092ef5d8483cd035e1397a5ed7c403cc46e81026cb26725352811cbcd2d1a","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects mining pool protocol string in 
Executable","trigger":"signature-base-master/yara/pua_cryptocoin_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-04","description":"Detects mining pool protocol string in Executable","modified":"2021-10-26","nodeepdive":"1","reference":"https://minergate.com/faq/what-pool-address","rule":"CoinMiner_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CoinHive - JavaScript Crypto Miner","trigger":"signature-base-master/yara/pua_cryptocoin_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-04","description":"Detects CoinHive - JavaScript Crypto Miner","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://coinhive.com/documentation/miner","rule":"CoinHive_Javascript_MoneroMiner","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Crypto Miner strings","trigger":"signature-base-master/yara/pua_cryptocoin_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-01-31","description":"Detects Crypto Miner strings","hash1":"ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05","reference":"Internal Research","rule":"PUA_CryptoMiner_Jan19_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects command line parameters often used by crypto mining 
software","trigger":"signature-base-master/yara/pua_cryptocoin_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-24","description":"Detects command line parameters often used by crypto mining software","reference":"https://www.poolwatch.io/coin/monero","rule":"PUA_Crypto_Mining_CommandLine_Indicators_Oct21","score":"65"}}]}},{"path":"signature-base-master/yara/pua_xmrig_monero_miner.yar","filename":"pua_xmrig_monero_miner.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":3822,"md5":"b32790f36c8a22bdf338d71dbb89cb4c","sha1":"5cecdde882aff5060a0549f8de29cbae540a3625","sha256":"6c00da6d2f1b2fb21c816e50b4748f9c455cf976d6c3aff51a12ff0cfbf2e851","sha512":"5c0d24c2c08172dffa26dab38214408c6da7900ddc9cdb1cde6b057bd7128507cc59ac81c4634bb04b0481dcb4b2c2e93c02909732e2de537360875468da236c","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/pup_lightftp.yar","filename":"pup_lightftp.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1483,"md5":"3edb3bcff9a84888937fd001f05ef81b","sha1":"ef2510957f6715268b2a3acb0b592ca421573db6","sha256":"35329d427fbc0b9bbb9c48db1bbb677d968aeab40f5d4c583c14e20305edfe63","sha512":"7d3b3b1a0a702b34f7b9502438bd44d22286b40e02e757e2d65d9810dae5e07a19ed950e4dc0c636c21f8f6413fc3aea35a3207be280b5ce1b0922b662f1caf5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/spy_equation_fiveeyes.yar","filename":"spy_equation_fiveeyes.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":22013,"md5":"83a787747da773479312d9efe6082cf1","sha1":"0f10478836e7bc75e6eec16bf153cf7f48c62ac9","sha256":"8d6949cd45216213b92265a19d8b1d33af6143ce434f607e61d9f1deb1de2e32","sha512":"c1f50bf82d714d89708039a18117c3735d0d139bdc5928a1b8b7a93dc94b05a45997b202ab14bb6df73a2fff832f4da35cd1c1ec197648bf74d1985dea21693d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect the EquationLaser malware","trigger":"signature-base-master/yara/spy_equation_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"copyright":"Kaspersky Lab","description":"Rule to detect the EquationLaser malware","last_modified":"2015-02-16","reference":"https://securelist.com/blog/","rule":"apt_equation_equationlaser_runtimeclasses","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","trigger":"signature-base-master/yara/spy_equation_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems) @4nc4p","date":"2015/03/11","description":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","hash":"ff2b50f371eb26f22eb8a2118e9ab0e015081500","reference":"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/","rule":"EquationDrug_HDDSSD_Op"}}]}},{"path":"signature-base-master/yara/spy_querty_fiveeyes.yar","filename":"spy_querty_fiveeyes.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":12051,"md5":"ace2af19cd615224e35a4ce7bae34913","sha1":"d7dc3e6587b172abe1119cee7a96b6948351c0c4","sha256":"f3ab27a8ad92628ed433af5b62ebc17f214f5e470332ca877449a8305b690044","sha512":"10ec8c0f7499ed567982d0293d0516027fac653a628eae94583f5c1361ce6b0d0db3f27bc7efa78eb78a19e353981ec8c6c65bc872c867b57d67988696c0c136","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"FiveEyes QUERTY Malware - file 20123_cmdDef.xml","trigger":"signature-base-master/yara/spy_querty_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20123_cmdDef.xml","hash":"7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20123_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"FiveEyes QUERTY Malware - file 20123.xml","trigger":"signature-base-master/yara/spy_querty_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20123.xml","hash":"edc7228b2e27df9e7ff9286bddbf4e46adb51ed9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwareqwerty_20123"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"FiveEyes QUERTY 
Malware - file 20120_cmdDef.xml","trigger":"signature-base-master/yara/spy_querty_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20120_cmdDef.xml","hash":"cda9ceaf0a39d6b8211ce96307302a53dfbd71ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20120_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"FiveEyes QUERTY Malware - file 20121_cmdDef.xml","trigger":"signature-base-master/yara/spy_querty_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20121_cmdDef.xml","hash":"64ac06aa4e8d93ea6063eade7ce9687b1d035907","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20121_cmdDef"}}]}},{"path":"signature-base-master/yara/spy_regin_fiveeyes.yar","filename":"spy_regin_fiveeyes.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":13951,"md5":"79a137f486d3db31a00e7c4f599b0ed6","sha1":"65a5aded6045713659aac12a5428b6171427fedd","sha256":"ba7a8695fff1eddbeda2f6a156685610b00af5c48439fa55cb0a541c5e6ba37a","sha512":"65793f66d26c60042affce19a9195ea299ab3efa95641de9ab07ba683d2bab6dc5182046772be90aa2ac0a3b2d618da8b8f7fff3a09bb605019b96fb7c3c5a9a","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Malware Sample - maybe Regin related","trigger":"signature-base-master/yara/spy_regin_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Malware Sample - maybe Regin related","hash":"76c355bfeb859a347e38da89e3d30a6ff1f94229","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"Regin_Related_Malware","score":"70"}}]}},{"path":"signature-base-master/yara/susp_bat_obfusc_jul24.yar","filename":"susp_bat_obfusc_jul24.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1607,"md5":"f6002bb0be014431b48371b9a16ac2d4","sha1":"e63781a5d748ded2eaf00739b1b42d4abe7503e2","sha256":"836babdf9f33741936649046f35c550b7cb373aa4307ff24519ccd408e0f5cbd","sha512":"29bde33ccbfb8259e5ab2b73b5c5d4e7c9d83a47bfcbc0260a6603deb1f5b4b7bdacdad6a6f20ed77011a6cddd58f2dbe78c2685eeb5c46ce5afa7fdae220bc9","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/susp_vulndriver_hp_hardware_diagnostics_etdsupp_may23.yar","filename":"susp_vulndriver_hp_hardware_diagnostics_etdsupp_may23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1118,"md5":"3659a5c72f2e035316e0eac7542934f9","sha1":"5b8019885a485d23bf2a4dc6781f32274d180c12","sha256":"b9ed1341bef9e183a95c4497389bc7b7129a87ef815481578552487cd4af9484","sha512":"42ab1389e578aabb70c69afb2ed009aa7b2970907e9993fd203f3a127db41799baa2fca4e8d025a4ef4a15aa0883c51a5660f7296905fbbd3bb7f175bf0ba102","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/thor-hacktools.yar","filename":"thor-hacktools.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":184955,"md5":"71a2f5ba6e03013e00dea0fc7d13ed80","sha1":"6e6203f8623200362192b52b4e87caf89e22b100","sha256":"084dee8086f5e3c3c00b7b86d765f4696563cb6b0b16514f03ab4359698a56d2","sha512":"cd2a431c6b6f247dd20e7a088424e0751df52ca48641c2a935d5841ce83de4cf4c6490d7d8945efcfe31e596332aaac1c33de69e4dec89113f32926fe0081f33","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Invoke-Mimikatz String","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-03","description":"Detects Invoke-Mimikatz String","hash1":"f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz","rule":"Invoke_Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Generic JSP webshell","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Windows Credential Editor","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Windows Credential Editor","rule":"WindowsCredentialEditor","score":"90","threat_level":"10"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Amplia Security Tool like Windows Credential Editor","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2013-01-01","description":"Detects Amplia Security Tool like Windows Credential Editor","modified":"2023-02-14","nodeepdive":"1","rule":"HKTL_Amplia_Security_Tool","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PwDump 6 variant","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Marc Stroebel","date":"2014-04-24","description":"PwDump 6 
variant","rule":"PwDump","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PScan - Port Scanner","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"F. Roth","description":"PScan - Port Scanner","rule":"PScan_Portscan_1","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hacktool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Hacktool","rule":"HackTool_Samples","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This signature detects the Fierce2 domain scanner","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the Fierce2 domain scanner","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Fierce2","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This signature detects the Ncrack brute force tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the Ncrack brute force tool","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Ncrack","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This signature detects the SQLMap SQL injection tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the SQLMap SQL injection tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"SQLMap","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file PortScanner.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file PortScanner.exe","hash":"b381b9212282c0c650cb4b0323436c63","rule":"PortScanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file NetBIOS Name Scanner.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file NetBIOS Name Scanner.exe","hash":"888ba1d391e14c0a9c829f5a1964ca2c","rule":"NetBIOS_Name_Scanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file 
ipscan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file ipscan.exe","hash":"6c1bcf0b1297689c8c4c12cc70996a75","rule":"FeliksPack3___Scanners_ipscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file IP Stealing Utilities.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file IP Stealing Utilities.exe","hash":"65646e10fb15a2940a37c5ab9f59c7fc","rule":"IP_Stealing_Utilities"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file PortRacer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file PortRacer.exe","hash":"2834a872a0a8da5b1be5db65dfdef388","rule":"PortRacer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file scanarator.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file 
scanarator.exe","hash":"848bd5a518e0b6c05bd29aceb8536c46","rule":"scanarator"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file =Bitchin Threads=.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file =Bitchin Threads=.exe","hash":"7491b138c1ee5a0d9d141fbfd1f0071b","rule":"_Bitchin_Threads_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file portscan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file portscan.exe","hash":"a8bfdb2a925e89a281956b1e3bb32348","rule":"portscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file ProPort.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file ProPort.exe","hash":"c1937a86939d4d12d10fc44b7ab9ab27","rule":"ProPort_zip_Folder_ProPort"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file StealthWasp's Basic PortScanner 
v1.2.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe","hash":"7c0f2cab134534cd35964fe4c6a1ff00","rule":"StealthWasp_s_Basic_PortScanner_v1_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file BluesPortScan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file BluesPortScan.exe","hash":"6292f5fc737511f91af5e35643fc9eef","rule":"BluesPortScan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file iis.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file iis.exe","hash":"3a8fc02c62c8dd65e038cc03e5451b6e","rule":"scanarator_iis"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file ipscan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file 
ipscan.exe","hash":"70cf2c09776a29c3e837cb79d291514a","rule":"Angry_IP_Scanner_v2_08_ipscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file Loader.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file Loader.exe","hash":"f4f79358a6c600c1f0ba1f7e4879a16d","rule":"crack_Loader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects the backdoor Beastdoor","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Detects the backdoor Beastdoor","hash":"5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Beastdoor_Backdoor","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Powershell version of the Netcat network hacking tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"10.10.2014","description":"Detects a Powershell version of the Netcat network hacking tool","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Powershell_Netcat","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a chinese Portscanner named MilkT","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"12.10.2014","description":"Detects a chinese Portscanner named MilkT","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"CN_Hacktool_MilkT_Scanner","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Modified (packed) version of Windows Credential Editor","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Modified (packed) version of Windows Credential Editor","hash":"09a412ac3c85cedce2642a19e99d8f903a2e0354","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WCE_Modified_1_1014","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"iKAT hack tools set agent - file ikat.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"05.11.14","description":"iKAT hack tools set agent - file ikat.exe","hash":"c802ee1e49c0eae2a3fc22d2e82589d857f96d94","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://ikat.ha.cked.net/Windows/functions/ikatfiles.html","rule":"iKAT_command_lines_agent","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"05.11.14","description":"Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe","hash":"0cac59b80b5427a8780168e1b85c540efffaf74f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://ikat.ha.cked.net/Windows/functions/ikatfiles.html","rule":"iKAT_startbar","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file BypassUac2.zip","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator","description":"Auto-generated rule - file BypassUac2.zip","hash":"ef3e7dd2d1384ecec1a37254303959a43695df61","rule":"BypassUac2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file BypassUac.zip","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator","description":"Auto-generated rule - file 
BypassUac.zip","hash":"93c2375b2e4f75fc780553600fbdfd3cb344e69d","rule":"BypassUac_9"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"APT Malware - Proxy","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FRoth","date":"2014-11-10","description":"APT Malware - Proxy","hash":"6b6a86ceeab64a6cb273debfa82aec58","rule":"APT_Proxy_Malware_Packed_dev","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file nc.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file nc.exe","hash":"001c0c01c96fa56216159f83f6f298755366e528","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Ncat_Hacktools_CN","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file cs.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file cs.exe","hash":"a3e9e0655447494253a1a60dbc763d9661181322","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"MS08_067_Exploit_Hacktools_CN","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file sql.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file sql.exe","hash":"d5139b865e99b7a276af7ae11b14096adb928245","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_sql","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file 445TOOL.rar","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file 445TOOL.rar","hash":"92050ba43029f914696289598cf3b18e34457a11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Panda_445TOOL","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file s.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file s.exe","hash":"7665011742ce01f57e8dc0a85d35ec556035145d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_WinEggDrop","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file Burst.rar","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file Burst.rar","hash":"ce8e3d95f89fb887d284015ff2953dbdb1f16776","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Panda_Burst","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file GOGOGO.bat","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file GOGOGO.bat","hash":"4bd4f5b070acf7fe70460d7eefb3623366074bbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_GOGOGO_Bat","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file pass.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file pass.txt","hash":"55a05cf93dbd274355d798534be471dff26803f9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_pass","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file JoHor_Posts_Killer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file JoHor_Posts_Killer.exe","hash":"d157f9a76f9d72dba020887d7b861a05f2e56b6a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_JoHor_Posts_Killer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file Start.bat - DoS tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014-11-17","description":"Disclosed hacktool set - file Start.bat - DoS tool","hash":"75d194d53ccc37a68286d246f2a84af6b070e30c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","rule":"Hacktools_CN_Burst_Start","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file Blast.bat","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file Blast.bat","hash":"b07702a381fa2eaee40b96ae2443918209674051","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_Blast","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"22.11.14","description":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe","hash":"166fa8c5a0ebb216c832ab61bf8872da556576a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"VUBrute_VUBrute","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"22.11.14","description":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini","hash":"b9f66b9265d2370dab887604921167c11f7d93e9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/xiIphp","rule":"VUBrute_config","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file listip.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool 
set (old stuff) - file listip.exe","hash":"f32a0c5bf787c10eb494eb3b83d0c7a035e7172b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_listip","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll","hash":"4867214a3d96095d14aa8575f0adbb81a9381e6c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ArtTrayHookDll","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file EditServer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditServer.exe","hash":"87b29c9121cac6ae780237f7e04ee3bc1a9777d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file letmein.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth 
(Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file letmein.exe","hash":"74d223a56f97b223a640e4139bb9b94d8faa895d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_letmein","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file token.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file token.exe","hash":"c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_token","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file webget.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file webget.exe","hash":"36b5a5dee093aa846f906bbecf872a4e66989e42","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_webget","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file ASPack 
Chinese.ini","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file ASPack Chinese.ini","hash":"02a9394bc2ec385876c4b4f61d72471ac8251a8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ASPack_Chinese","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt","hash":"dfa90540b0e58346f4b6ea12e30c1404e15fbe5a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditKeyLogReadMe","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file readme.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file readme.txt","hash":"a52545ae62ddb0ea52905cbb61d895a51bfe9bcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer_zip_Folder_readme","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file EditKeyLog.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditKeyLog.exe","hash":"a450c31f13c23426b24624f53873e4fc3777dc6b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditKeyLog","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file PassSniffer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file PassSniffer.exe","hash":"dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file InjectT.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InjectT.exe","hash":"80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"UnPack_rar_Folder_InjectT","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt","hash":"820674b59f32f2cf72df50ba4411d7132d863ad2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Jc_WinEggDrop_Shell","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file TBack.DLL","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file TBack.DLL","hash":"30fc9b00c093cec54fcbd753f96d0ca9e1b2660f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"UnPack_rar_Folder_TBack","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file Inject.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file 
Inject.exe","hash":"34f564301da528ce2b3e5907fd4b1acb7cb70728","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ByPassFireWall_zip_Folder_Inject","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file sqlcmd.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file sqlcmd.exe","hash":"b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_sqlcmd","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file 2323.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file 2323.exe","hash":"21812186a9e92ee7ddc6e91e4ec42991f0143763","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_2323","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file CleanIISLog.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file CleanIISLog.exe","hash":"827cd898bfe8aa7e9aaefbe949d26298f9e24094","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"CleanIISLog","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file sqlcheck.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file sqlcheck.exe","hash":"5a5778ac200078b627db84fdc35bf5bcee232dc7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sqlcheck","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file RunAsEx.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file RunAsEx.exe","hash":"a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_RunAsEx","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file 
splitjoin.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file splitjoin.exe","hash":"21409117b536664a913dcd159d6f4d8758f43435","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"SplitJoin_V1_3_3_rar_Folder_3","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file InstGina.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InstGina.exe","hash":"5317fbc39508708534246ef4241e78da41a4f31c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"InstGina","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file findoor.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file findoor.exe","hash":"cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_findoor","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file InjectT.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InjectT.exe","hash":"516e80e4a25660954de8c12313e2d7642bdb79dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WinEggDropShellFinal_zip_Folder_InjectT","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file gina.dll","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file gina.dll","hash":"e0429e1b59989cbab6646ba905ac312710f5ed30","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"gina_zip_Folder_gina","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file xsniff.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file xsniff.exe","hash":"d61d7329ac74f66245a92c4505a327c85875c577","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_xsniff","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file fscan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file fscan.exe","hash":"d5646e86b5257f9c83ea23eca3d86de336224e55","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_fscan","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe","hash0":"9d4e7611a328eb430a8bb6dc7832440713926f5f","hash1":"ae23522a3529d3313dd883727c341331a1fb1ab9","hash2":"7ffc496cd4a1017485dfb571329523a52c9032d8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"_FsHttp_FsPop_FsSniffer","score":"60","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and 
AA_v3.5.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/12/22","description":"Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe","hash1":"b130611c92788337c4f6bb9e9454ff06eb409166","hash2":"07539abb2623fe24b9a05e240f675fa2d15268cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/gkAg2E","rule":"Ammyy_Admin_AA_v3","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Linux hack tools - file scanssh","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file scanssh","hash":"467398a6994e2c1a66a3d39859cde41f090623ad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_scanssh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Linux hack tools - file pscan2","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file pscan2","hash":"56b476cba702a4423a2d805a412cae8ef4330905","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not 
set","rule":"LinuxHacktool_eyes_pscan2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Linux hack tools - file a","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file a","hash":"458ada1e37b90569b0b36afebba5ade337ea8695","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_a"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Linux hack tools - file mass","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file mass","hash":"2054cb427daaca9e267b252307dad03830475f15","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_mass"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, 
XScanLib.dll","hash0":"af419603ac28257134e39683419966ab3d600ed2","hash1":"c5cb4f75cf241f5a9aea324783193433a42a13b0","hash2":"135f6a28e958c8f6a275d8677cfa7cb502c8a822","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset__XScanLib_XScanLib_XScanLib","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe","hash":"a931d65de66e1468fe2362f7f2e0ee546f225c4e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset_NTscan_PipeCmd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe","hash":"8542c7fb8291b02db54d2dc58cd608e612bfdc57","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset_sig_1433_135_sqlr","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-10-01","description":"Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"VSSown_VBS","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Network domain enumeration tool - often used by attackers - file Nv.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Network domain enumeration tool - often used by attackers - file Nv.exe","hash":"52cec98839c3b7d9608c865cfebc904b4feae0bada058c2e8cdbd561cfa1420a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mubix/netview","rule":"Netview_Hacktool","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Network domain enumeration tool output - often used by attackers - file 
filename.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Network domain enumeration tool output - often used by attackers - file filename.txt","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mubix/netview","rule":"Netview_Hacktool_Output","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Linux Port Scanner Shark","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-01","description":"Detects Linux Port Scanner Shark","hash1":"5f80bd2db608a47e26290f3385eeb5bfc939d63ba643f06c4156704614def986","hash2":"90af44cbb1c8a637feda1889d301d82fff7a93b0c1a09534909458a64d8d8558","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35","rule":"Linux_Portscan_Shark_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects dnscat2 - from files dnscat, dnscat2.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-15","description":"Detects dnscat2 - from files dnscat, 
dnscat2.exe","hash1":"8bc8d6c735937c9c040cbbdcfc15f17720a7ecef202a19a7bf43e9e1c66fe66a","hash2":"4a882f013419695c8c0ac41d8a0fde1cf48172a89e342c504138bc6f1d13c7c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://downloads.skullsecurity.org/dnscat2/","rule":"dnscat2_Hacktool","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Windows Credential Editor (WCE) in memory (and also on disk)","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-28","description":"Detects Windows Credential Editor (WCE) in memory (and also on disk)","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"WCE_in_memory","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT groups - file pstgdump.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file pstgdump.exe","hash1":"65d48a2f868ff5757c10ed796e03621961954c523c71eac1c5e044862893a106","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"pstgdump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT 
groups","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups","hash1":"efa66f6391ec471ca52cd053159c8a8778f11f921da14e6daf76387f8c9afcd5","hash2":"e0327c1218fd3723e20acc780e20135f41abca35c35e0f97f7eccac265f4f44e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"lsremora"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT groups - file fgexec.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file fgexec.exe","hash1":"8697897bee415f213ce7bc24f22c14002d660b8aaffab807490ddbf4f3f20249","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"fgexec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - from files cachedump.exe, 
cachedump64.exe","hash1":"cf58ca5bf8c4f87bb67e6a4e1fb9e8bada50157dacbd08a92a4a779e40d569c4","hash2":"e38edac8c838a043d0d9d28c71a96fe8f7b7f61c5edf69f1ce0c13e141be281f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"cachedump","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT groups - file PwDump.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file PwDump.exe","hash1":"3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"PwDump_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an XML that executes Mimikatz on an endpoint via MSBuild","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-07","description":"Detects an XML that executes Mimikatz on an endpoint via MSBuild","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml","rule":"MSBuild_Mimikatz_Execution_via_XML"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects POC code from disclosed 0day 
hacktool set","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-07","description":"Detects POC code from disclosed 0day hacktool set","hash1":"ba0e2119b2a6bad612e86662b643a404426a07444d476472a71452b7e9f94041","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed 0day Repos","rule":"Disclosed_0day_POCs_injector"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a process injection utility that can be used ofr good and bad purposes","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-04-23","description":"Detects a process injection utility that can be used ofr good and bad purposes","hash1":"456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c","rule":"ProcessInjector_Gen","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Lazagne PW Dumper","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Markus Neis / Florian Roth","date":"2018-03-22","description":"Detects Lazagne PW 
Dumper","reference":"https://github.com/AlessandroZ/LaZagne/releases/","rule":"Lazagne_PW_Dumper","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects susupicious bash command","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Tobias Michalski","date":"2018-05-18","description":"Detects susupicious bash command","hash1":"36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b","reference":"https://github.com/0x00-0x00/ShellPop","rule":"SUSP_shellpop_Bash"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Lazagne password extractor hacktool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-11","description":"Detects Lazagne password extractor hacktool","hash1":"51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf","license":"https://creativecommons.org/licenses/by-nc/4.0/","reference":"https://github.com/AlessandroZ/LaZagne","rule":"HKTL_Lazagne_Gen_18","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects NoPowerShell hack tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-28","description":"Detects NoPowerShell hack 
tool","hash1":"2dad091dd00625762a7590ce16c3492cbaeb756ad0e31352a42751deb7cf9e70","modified":"2022-12-21","reference":"https://github.com/bitsadmin/nopowershell","rule":"HKTL_NoPowerShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pnscan port scanner","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-05-27","description":"Detects Pnscan port scanner","reference":"https://github.com/ptrrkssn/pnscan","rule":"HKTL_LNX_Pnscan","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies Impacket, a collection of Python classes for working with network protocols.","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-08-01","description":"Identifies Impacket, a collection of Python classes for working with network protocols.","fingerprint":"3c84db45525bc8981b832617b35c0b81193827313b23c7fede0b00badc3670f4","first_imported":"2021-12-30","id":"4slxMFaVQR9nCS6mQxIQj","last_modified":"2021-12-30","mitre_att":"S0357","reference":"https://github.com/SecureAuthCorp/impacket","rule":"Impacket","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"IMPACKET","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies LaZagne, credentials recovery 
project.","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-01-01","description":"Identifies LaZagne, credentials recovery project.","fingerprint":"81ef321369e94e5cb5bbf735ab7db8c6aafc1fc7564c76d53b3f0e0adb9e5c81","first_imported":"2021-12-30","id":"3DeKZTrvc1lTK9vNaoj7LG","last_modified":"2021-12-30","mitre_att":"S0349","reference":"https://github.com/AlessandroZ/LaZagne","rule":"LaZagne","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"LAZAGNE","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Mimikatz","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Detection for Invoke-Mimikatz","fingerprint":"9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135","id":"355d5d3a-e50e-4614-9a84-0da668c40852","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96","rule":"Windows_Hacktool_Mimikatz_355d5d3a","scan_context":"file, memory","severity":"90","threat_name":"Windows.Hacktool.Mimikatz"}}]}},{"path":"signature-base-master/yara/thor-webshells.yar","filename":"thor-webshells.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"HTML document, ASCII 
text","size":392641,"md5":"5770c8034da9717dc49c9c4f9e89bb76","sha1":"f000d1cbec983da3f9cb2a6ddb4338a8f45dd3a1","sha256":"d93b6e42280dd68f086f7d8898b823b0a748f798967e6a2daee0f36bb7ddc64b","sha512":"8c392215ad99ebb3a57468cfeaeea5e49b908bcf6e6c9016cd8ea3a7d92034615c049d7acbee411db6e7b3ef5fd2615f3499c04a4a2cec502a767973427c48c0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and using a callback to execute the payload. restricted to small files or would give lots of false positives","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and using a callback to execute the payload. 
restricted to small files or would give lots of false positives","hash":"e98889690101b59260e871c49263314526f2093f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_generic_callback"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell which directly eval()s obfuscated string","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/12","description":"PHP webshell which directly eval()s obfuscated string","hash":"49e5bc75a1ec36beeff4fbaeb16b322b08cf192d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_gzinflated"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/02/07","description":"PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-19","rule":"webshell_php_dynamic_big","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. 
Most are catched by other rules in here but maybe these catch different versions.","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/09","description":"Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.","hash":"7b6471774d14510cf6fa312a496eed72b614f6fc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_by_string_known_webshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user input","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file iMHaPFtp.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file iMHaPFtp.php","hash":"12911b73bc6a5d313b494102abcf5c57","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_iMHaPFtp_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file guo.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file guo.php","hash":"9e69a8f499c660ee0b4796af14dc08f0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_guo","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file redcod.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file redcod.php","hash":"5c1c8120d82f46ff9d813fbe3354bac5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_redcod","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file server.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file server.php","hash":"d87b019e74064aa90e2bb143e5e16cfa","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_sh_server","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file cihshell_fix.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cihshell_fix.php","hash":"3823ac218032549b86ee7c26f10c4cb5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_cihshell_fix","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file up.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.php","hash":"7edefb8bd0876c41906f4b39b52cd0ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file EFSO_2.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file EFSO_2.asp","hash":"a341270f9ebd01320a7490c12cb2e64c","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_EFSO_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file up.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.jsp","hash":"515a5dd86fe48f673b72422cccf5a585","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file Server Variables.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Server Variables.asp","hash":"47fb8a647e441488b30f92b4d39003d7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Server_Variables","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file ice.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file ice.php","hash":"1d6335247f58e0a5b03e17977888f5f2","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_ice_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file phpspy2010.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file phpspy2010.php","hash":"14ae0e4f5349924a5047fed9f3b105c5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpspy2010","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file ice.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file ice.asp","hash":"d141e011a92f48da72728c35f1934a2b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_ice","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file 404.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.asp","hash":"d9fa1e8513dbf59fa5d130f389032a2d","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file webshell-cnseay02-1.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file webshell-cnseay02-1.php","hash":"95fc76081a42c4f26912826cb1bd24b1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshell_cnseay02_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file fbi.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file fbi.php","hash":"1fb32f8e58c8deb168c06297a04a21f1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_fbi","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file B374k.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file B374k.php","hash":"bed7388976f8f1d90422e8795dff1ea6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_B374kPHP_B374k","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file list.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file list.php","hash":"922b128ddd90e1dc2f73088956c548ed","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_list","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file 404.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.php","hash":"ee94952dc53d9a29bdf4ece54c7a7aa7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file aspydrv.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file aspydrv.asp","hash":"de0a58f7d1e200d0b2c801a94ebce330","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_ASP_aspydrv","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file Dx.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Dx.php","hash":"9cfe372d49fe8bf2fac8e1c534153d9b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Dx_Dx","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file MySQL Web Interface Version 0.8.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file MySQL Web Interface Version 0.8.php","hash":"36d4f34d0a22080f47bb1cb94107c60f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_MySQL_Web_Interface_Version_0_8","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file odd.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file odd.php","hash":"594d1b1311bbef38a0eb3d6cbb1ab538","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpkit_1_0_odd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file idc.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file idc.php","hash":"7c5b1b30196c51f1accbffb80296395f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_wsb_idc","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file 404.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.php","hash":"ced050df5ca42064056a7ad610a191b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file webshell-cnseay-x.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file webshell-cnseay-x.php","hash":"a0f9f7f5cd405a514a7f3be329f380e5","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshell_cnseay_x","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file up.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.asp","hash":"f775e721cfe85019fe41c34f47c0d67c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file odd.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file odd.php","hash":"3c30399e7480c09276f412271f60ed01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpkit_0_1a_odd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file k81.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file k81.jsp","hash":"41efc5c71b6885add9c1d516371bd6af","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_k81","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file cmdjsp.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cmdjsp.jsp","hash":"b815611cc39f17f05a73444d699341d4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_cmdjsp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file Java Shell.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Java Shell.jsp","hash":"36403bc776eb12e8b7cc0eb47c8aac83","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Java_Shell","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file r57142.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file r57142.php","hash":"0911b6e6b8f4bcb05599b2885a7fe8a8","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_r57142","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file simple-backdoor.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file simple-backdoor.php","hash":"f091d1b9274c881f8e41b2f96e6b9936","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_simple_backdoor","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file cmd.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cmd.php","hash":"c38ae5ba61fd84f6bbbab98d89d8a346","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_cmd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file co.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file co.php","hash":"62199f5ac721a0cb9b28f465a513874c","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_co","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file 150.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 150.php","hash":"400c4b0bed5c90f048398e1d268ce4dc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_150","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file c37.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file c37.php","hash":"d01144c04e7a46870a8dd823eb2fe5c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_c37","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file b37.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file b37.php","hash":"0421445303cfd0ec6bc20b3846e30ff0","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_b37","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file bug (1).php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file bug (1).php","hash":"91c5fae02ab16d51fc5af9354ac2f015","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_bug_1_","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files ghost_source.php, icesword.php, silic.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files ghost_source.php, icesword.php, silic.php","hash0":"cbf64a56306c1b5d98898468fc1fdbd8","hash1":"6e20b41c040efb453d57780025a292ae","hash2":"437d30c94f8eef92dc2f064de4998695","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_ghost_source_icesword_silic","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web 
Shell","hash0":"37603e44ee6dc1c359feb68a0d566f76","hash1":"a7e25b8ac605753ed0c438db93f6c498","hash10":"e9a5280f77537e23da2545306f6a19ad","hash11":"598eef7544935cf2139d1eada4375bb5","hash12":"fa87bbd7201021c1aefee6fcc5b8e25a","hash2":"fb8c6c3a69b93e5e7193036fd31a958d","hash3":"36331f2c81bad763528d0ae00edf55be","hash4":"793b3d0a740dbf355df3e6f68b8217a4","hash5":"8979594423b68489024447474d113894","hash6":"ec482fc969d182e5440521c913bab9bd","hash7":"f98d2b33cd777e160d1489afed96de39","hash8":"4b4c12b3002fad88ca6346a873855209","hash9":"4cc68fa572e88b669bce606c7ace0ae9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"1b5102bdc41a7bc439eea8f0010310a5","hash1":"f8a6d5306fb37414c5c772315a27832f","hash2":"37cb1db26b1b0161a4bf678a6b4565bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files 
jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp","hash0":"8b0e6779f25a17f0ffb3df14122ba594","hash1":"ea87f0c1f0535610becadf5a98aca2fc","hash2":"7d5e9732766cf5b8edca9b7ae2b6028f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_reverse_jsp_reverse_jspbd","score":"50","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"a2516ac6ee41a7cf931cbaef1134a9e4","hash1":"ef43fef943e9df90ddb6257950b3538f","hash10":"6fcc283470465eed4870bcc3e2d7f14d","hash2":"ae025c886fbe7f9ed159f49593674832","hash3":"911195a9b7c010f61b66439d9048f400","hash4":"697dae78c040150daff7db751fc0c03c","hash5":"513b7be8bd0595c377283a7c87b44b2e","hash6":"1d912c55b96e2efe8ca873d6040e3b30","hash7":"e5b2131dd1db0dbdb43b53c5ce99016a","hash8":"4108f28a9792b50d95f95b9e5314fa1e","hash9":"41af6fd253648885c7ad2ed524e0692d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, 
jHn.php","hash0":"8ae9d2b50dc382f0571cd7492f079836","hash1":"e2830d3286001d1455479849aacbbb38","hash2":"bd6d3b2763c705a01cc2b3f105a25fa4","hash3":"40c6ecf77253e805ace85f119fe1cebb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_itsec_PHPJackal_itsecteam_shell_jHn","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"0b19e9de790cd2f4325f8c24b22af540","hash1":"f3ca29b7999643507081caab926e2e74","hash2":"527cf81f9272919bf872007e21c4bdda","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"3e4ba470d4c38765e4b16ed930facf2c","hash1":"aa17b71bb93c6789911bd1c9df834ff9","hash2":"b68bfafc6059fd26732fa07fb6f7f640","hash3":"40a1f840111996ff7200d18968e42cfe","hash4":"e0202adff532b28ef1ba206cf95962f2","hash5":"802f5cae46d394b297482fd0c27cb2fc","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp","hash0":"2eeb8bf151221373ee3fd89d58ed4d38","hash1":"059058a27a7b0059e2c2f007ad4675ef","hash2":"8b457934da3821ba58b06a113e0d53d9","hash3":"d44df8b1543b837e57cc8f25a0a68d92","hash4":"e0354099bee243702eb11df8d0e046df","hash5":"90a5ba0c94199269ba33a58bc6a4ad99","hash6":"655722eaa6c646437c8ae93daac46ae0","hash7":"591ca89a25f06cf01e4345f98a22845c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, 
antichat.php","hash0":"ae025c886fbe7f9ed159f49593674832","hash1":"513b7be8bd0595c377283a7c87b44b2e","hash2":"1d912c55b96e2efe8ca873d6040e3b30","hash3":"4108f28a9792b50d95f95b9e5314fa1e","hash4":"3f71175985848ee46cc13282fbed2269","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"2eeb8bf151221373ee3fd89d58ed4d38","hash1":"059058a27a7b0059e2c2f007ad4675ef","hash10":"341298482cf90febebb8616426080d1d","hash11":"29aebe333d6332f0ebc2258def94d57e","hash12":"42654af68e5d4ea217e6ece5389eb302","hash13":"88fc87e7c58249a398efd5ceae636073","hash14":"4a812678308475c64132a9b56254edbc","hash15":"9626eef1a8b9b8d773a3b2af09306a10","hash16":"e0354099bee243702eb11df8d0e046df","hash17":"344f9073576a066142b2023629539ebd","hash18":"32dea47d9c13f9000c4c807561341bee","hash19":"90a5ba0c94199269ba33a58bc6a4ad99","hash2":"ae76c77fb7a234380cd0ebb6fe1bcddf","hash20":"655722eaa6c646437c8ae93daac46ae0","hash21":"b9744f6876919c46a29ea05b1d95b1c3","hash22":"6acc82544be056580c3a1caaa4999956","hash23":"6aa32a6392840e161a018f3907a86968","hash24":"591ca89a25f06cf01e4345f98a22845c","hash25":"349ec229e3f8eda0f9eb918c74a8bf4c","hash26":"3ea688e3439a1f56b16694667938316d","hash27":"ab77e4d1006259d7cbc15884416ca88c","hash28":"71097537a91fac6b01f46f66ee2d7749","hash29":"2434a7a07cb47ce25b41d30bc291cacc","hash3":"76037ebd781ad0eac363d56fc81f4b4f","hash30":"7a4b090619ecce6f7bd838fe5c58554b","hash4":"8b457934da3821ba58b06a113e0d53d9","hash5":"d44df8b1543b837e57cc8
f25a0a68d92","hash6":"fc44f6b4387a2cb50e1a63c66a8cb81c","hash7":"14e9688c86b454ed48171a9d4f48ace8","hash8":"b330a6c2d49124ef0729539761d6ef0b","hash9":"d71716df5042880ef84427acee8b121e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_000_403_807_a_c5_config_css_dm_he1p_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php","hash0":"b68bfafc6059fd26732fa07fb6f7f640","hash1":"42f211cec8032eb0881e87ebdb3d7224","hash2":"40a1f840111996ff7200d18968e42cfe","hash3":"0712e3dc262b4e1f98ed25760b206836","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web 
Shell","hash0":"38fd7e45f9c11a37463c3ded1c76af4c","hash1":"9c34adbc8fd8d908cbb341734830f971","hash10":"b8f261a3cdf23398d573aaf55eaf63b5","hash11":"0d2c2c151ed839e6bafc7aa9c69be715","hash12":"41af6fd253648885c7ad2ed524e0692d","hash13":"6fcc283470465eed4870bcc3e2d7f14d","hash2":"ef43fef943e9df90ddb6257950b3538f","hash3":"ae025c886fbe7f9ed159f49593674832","hash4":"911195a9b7c010f61b66439d9048f400","hash5":"697dae78c040150daff7db751fc0c03c","hash6":"513b7be8bd0595c377283a7c87b44b2e","hash7":"1d912c55b96e2efe8ca873d6040e3b30","hash8":"e5b2131dd1db0dbdb43b53c5ce99016a","hash9":"4108f28a9792b50d95f95b9e5314fa1e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_c99_locus7s_c99_w4cking_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files r57shell127.php, r57_kartal.php, r57.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files r57shell127.php, r57_kartal.php, r57.php","hash0":"ae025c886fbe7f9ed159f49593674832","hash1":"1d912c55b96e2efe8ca873d6040e3b30","hash2":"4108f28a9792b50d95f95b9e5314fa1e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_r57shell127_r57_kartal_r57","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file con2.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file con2.asp","hash":"d3584159ab299d546bd77c9654932ae3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_con2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file Expdoor.com ASP.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file Expdoor.com ASP.asp","hash":"caef01bb8906d909f24d1fa109ea18a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Expdoor_com_ASP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file php2.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php2.php","hash":"fbf2e76e6f897f6f42b896c855069276","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file 
bypass-iisuser-p.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file bypass-iisuser-p.asp","hash":"924d294400a64fa888a79316fb3ccd90","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_bypass_iisuser_p","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file 404super.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file 404super.php","hash":"7ed63176226f83d36dce47ce82507b28","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_sig_404super","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file JSP.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file JSP.jsp","hash":"495f1a0a4c82f986f4bdf51ae1898ee7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_JSP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - 
generated from file webshell-123.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014-03-28","description":"Web shells - generated from file webshell-123.php","hash":"2782bb170acaed3829ea9a04f0ac7218","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","rule":"webshell_webshell_123","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file dev_core.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file dev_core.php","hash":"55ad9309b006884f660c41e53150fc2e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_dev_core","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file pHp.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file pHp.php","hash":"b0e842bdf83396c3ef8c71ff94e64167","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_pHp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Web shells - generated from file pppp.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file pppp.php","hash":"cf01cb6e09ee594545693c5d327bdd50","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_pppp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file code.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file code.php","hash":"a444014c134ff24c0be5a05c02b81a79","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_code","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file xxxx.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file xxxx.php","hash":"5bcba70b2137375225d8eedcde2c0ebb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_xxxx","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Web shells - generated from file PHP1.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file PHP1.php","hash":"14c7281fdaf2ae004ca5fec8753ce3cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_PHP1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file asp1.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file asp1.asp","hash":"b63e708cd58ae1ec85cf784060b69cad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_asp1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file php6.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php6.php","hash":"ea75280224a735f1e445d244acdfeb7b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php6","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Web shells - generated from file GetPostpHp.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file GetPostpHp.php","hash":"20ede5b8182d952728d594e6f2bb5c76","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_GetPostpHp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file php5.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php5.php","hash":"cf2ab009cbd2576a806bfefb74906fdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php5","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file PHP.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file PHP.php","hash":"a524e7ae8d71e37d2fd3e5fbdab405ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_PHP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Web shells - generated from file Asp.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file Asp.asp","hash":"32c87744ea404d0ea0debd55915010b7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_Asp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file perlbot.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file perlbot.pl.txt","hash":"7e4deb9884ffffa5d82c22f8dc533a45","rule":"perlbot_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file php-backdoor.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file php-backdoor.php.txt","hash":"2b5cb105c4ea9b5ebc64705b4bd86bf7","rule":"php_backdoor_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass 
Exploit.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt","hash":"c6eeacbe779518ea78b8f7ed5f63fc11","rule":"Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file shankar.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shankar.php.php.txt","hash":"6eb9db6a3974e511b7951b8f7e7136bb","rule":"shankar_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Casus15.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Casus15.php.php.txt","hash":"5e2ede2d1c4fa1fcc3cbfe0c005d7b13","rule":"Casus15_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file small.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization 
by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file small.php.php.txt","hash":"fcee6226d09d150bfa5f103bee61fbde","rule":"small_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file shellbot.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shellbot.pl.txt","hash":"b2a883bc3c03a35cfd020dd2ace4bab8","rule":"shellbot_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file fuckphpshell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file fuckphpshell.php.txt","hash":"554e50c1265bb0934fcc8247ec3b9052","rule":"fuckphpshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file ngh.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ngh.php.php.txt","hash":"c372b725419cdfd3f8a6371cfeebc2fd","rule":"ngh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
jsp-reverse.jsp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file jsp-reverse.jsp.txt","hash":"8b0e6779f25a17f0ffb3df14122ba594","rule":"jsp_reverse_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Tool.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Tool.asp.txt","hash":"8febea6ca6051ae5e2ad4c78f4b9c1f2","rule":"Tool_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file NT Addy.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file NT Addy.asp.txt","hash":"2e0d1bae844c9a8e6e351297d77a1fec","rule":"NT_Addy_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file SimAttacker - Vrsion 
1.0.0 - priv8 4 My friend.php.txt","hash":"089ff24d978aeff2b4b2869f0c7d38a3","rule":"SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file phvayvv.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phvayvv.php.php.txt","hash":"35fb37f3c806718545d97c6559abd262","rule":"phvayvv_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file r57shell.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file r57shell.php.php.txt","hash":"d28445de424594a5f14d0fe2a7c4e94f","rule":"r57shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file rst_sql.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file rst_sql.php.php.txt","hash":"0961641a4ab2b8cb4d2beca593a92010","rule":"rst_sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
wh_bindshell.py.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file wh_bindshell.py.txt","hash":"fab20902862736e24aaae275af5e049c","rule":"wh_bindshell_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file lurm_safemod_on.cgi.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file lurm_safemod_on.cgi.txt","hash":"5ea4f901ce1abdf20870c214b3231db3","rule":"lurm_safemod_on_cgi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt","hash":"d27292895da9afa5b60b9d3014f39294","rule":"c99madshell_v2_0_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file w3d.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- 
Molls","description":"Semi-Auto-generated  - file w3d.php.php.txt","hash":"987f66b29bfb209a0b4f097f84f57c3b","rule":"w3d_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file WinX Shell.html.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file WinX Shell.html.txt","hash":"17ab5086aef89d4951fe9b7c7a561dda","rule":"WinX_Shell_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Dx.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Dx.php.php.txt","hash":"9cfe372d49fe8bf2fac8e1c534153d9b","rule":"Dx_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file csh.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file csh.php.php.txt","hash":"194a9d3f3eac8bc56d9a7c55c016af96","rule":"csh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
pHpINJ.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file pHpINJ.php.php.txt","hash":"d7a4b0df45d34888d5a09f745e85733f","rule":"pHpINJ_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 2008.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 2008.php.php.txt","hash":"3e4ba470d4c38765e4b16ed930facf2c","rule":"sig_2008_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file ak74shell.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ak74shell.php.php.txt","hash":"7f83adcb4c1111653d30c6427a94f66f","rule":"ak74shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Rem View.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Rem 
View.php.php.txt","hash":"29420106d9a81553ef0d1ca72b9934d9","rule":"Rem_View_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Java Shell.js.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Java Shell.js.txt","hash":"36403bc776eb12e8b7cc0eb47c8aac83","rule":"Java_Shell_js"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file STNC.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file STNC.php.php.txt","hash":"2e56cfd5b5014cbbf1c1e3f082531815","rule":"STNC_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt","hash":"26b2d3943395682e36da06ed493a3715","rule":"aZRaiLPhp_v1_0_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
zacosmall.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file zacosmall.php.txt","hash":"5295ee8dc2f5fd416be442548d68f7a6","rule":"zacosmall_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file CmdAsp.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file CmdAsp.asp.txt","hash":"64f24f09ec6efaa904e2492dffc518b9","rule":"CmdAsp_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file simple-backdoor.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file simple-backdoor.php.txt","hash":"f091d1b9274c881f8e41b2f96e6b9936","rule":"simple_backdoor_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file mysql_shell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
mysql_shell.php.txt","hash":"d42aec2891214cace99b3eb9f3e21a63","rule":"mysql_shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt","hash":"1b5102bdc41a7bc439eea8f0010310a5","rule":"Dive_Shell_1_0___Emperor_Hacking_Team_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Asmodeus v0.1.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Asmodeus v0.1.pl.txt","hash":"0978b672db0657103c79505df69cb4bb","rule":"Asmodeus_v0_1_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Reader.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Reader.asp.txt","hash":"ad1a362e0a24c4475335e3e891a01731","rule":"Reader_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
phpshell17.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phpshell17.php.txt","hash":"9a928d741d12ea08a624ee9ed5a8c39d","rule":"phpshell17_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt","hash":"37cb1db26b1b0161a4bf678a6b4565bd","rule":"SimShell_1_0___Simorgh_Security_MGZ_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file jspshall.jsp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file jspshall.jsp.txt","hash":"efe0f6edaa512c4e1fdca4eeda77b7ee","rule":"jspshall_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file rootshell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- 
Molls","description":"Semi-Auto-generated  - file rootshell.php.txt","hash":"265f3319075536030e59ba2f9ef3eac6","rule":"rootshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file connectback2.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file connectback2.pl.txt","hash":"473b7d226ea6ebaacc24504bd740822e","rule":"connectback2_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file wso.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file wso.txt","hash":"33e2891c13b78328da9062fbfcf898b6","rule":"shells_PHP_wso"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file backdoor1.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file backdoor1.php.txt","hash":"e1adda1f866367f52de001257b4d6c98","rule":"backdoor1_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
elmaliseker.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file elmaliseker.asp.txt","hash":"b32d1730d23a660fd6aa8e60c3dc549f","rule":"elmaliseker_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt","hash":"c2e8346a5515c81797af36e7e4a3828e","rule":"s72_Shell_v1_1_Coding_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file kacak.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file kacak.asp.txt","hash":"907d95d46785db21331a0324972dda8c","rule":"kacak_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - 
file PHP Backdoor Connect.pl.php.txt","hash":"57fcd9560dac244aeaf95fd606621900","rule":"PHP_Backdoor_Connect_pl_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt","hash":"cbe9eafbc4d86842a61a54d98e5b61f1","rule":"Antichat_Socks5_Server_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Antichat Shell v1.3.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Antichat Shell v1.3.php.txt","hash":"40d0abceba125868be7f3f990f031521","rule":"Antichat_Shell_v1_3_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 
5.1.2.php.txt","hash":"49ad9117c96419c35987aaa7e2230f63","rule":"Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file cyberlords_sql.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cyberlords_sql.php.php.txt","hash":"03b06b4183cb9947ccda2c3d636406d4","rule":"cyberlords_sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt","hash":"8a8c8bb153bd1ee097559041f2e5cf0a","rule":"Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file EFSO_2.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file EFSO_2.asp.txt","hash":"b5fde9682fd63415ae211d53c6bfaa4d","rule":"EFSO_2_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file lamashell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file lamashell.php.txt","hash":"de9abc2e38420cad729648e93dfc6687","rule":"lamashell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt","hash":"93d1a2e13a3368a2472043bd6331afe9","rule":"Ajax_PHP_Command_Shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt","hash":"70a0ee2624e5bbe5525ccadc467519f6","rule":"JspWebshell_1_2_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Sincap.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG 
+ customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Sincap.php.php.txt","hash":"b68b90ff6012a103e57d141ed38a7ee9","rule":"Sincap_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Phyton Shell.py.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Phyton Shell.py.txt","hash":"92b3c897090867c65cc169ab037a0f55","rule":"Phyton_Shell_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file sh.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file sh.php.php.txt","hash":"330af9337ae51d0bac175ba7076d6299","rule":"sh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file phpjackal.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phpjackal.php.txt","hash":"ab230817bcc99acb9bdc0ec6d264d76f","rule":"phpjackal_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
sql.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file sql.php.php.txt","hash":"8334249cbb969f2d33d678fec2b680c5","rule":"sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file cgi-python.py.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cgi-python.py.txt","hash":"0a15f473e2232b89dae1075e1afdac97","rule":"cgi_python_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file ru24_post_sh.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ru24_post_sh.php.php.txt","hash":"5b334d494564393f419af745dc1eeec7","rule":"ru24_post_sh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file telnetd.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
telnetd.pl.txt","hash":"5f61136afd17eb025109304bd8d6d414","rule":"telnetd_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file php-include-w-shell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file php-include-w-shell.php.txt","hash":"4e913f159e33867be729631a7ca46850","rule":"php_include_w_shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","hash":"6163b30600f1e80d2bb5afaa753490b6","rule":"Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file shell.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shell.php.php.txt","hash":"1a95f0163b6dea771da1694de13a3d8d","rule":"shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file telnet.cgi.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file telnet.cgi.txt","hash":"dee697481383052980c20c48de1598d1","rule":"telnet_cgi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file ironshell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ironshell.php.txt","hash":"8bfa2eeb8a3ff6afc619258e39fded56","rule":"ironshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file backdoorfr.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file backdoorfr.php.txt","hash":"91e4afc7444ed258640e85bcaf0fecfc","rule":"backdoorfr_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file aspydrv.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- 
Molls","description":"Semi-Auto-generated  - file aspydrv.asp.txt","hash":"1c01f8a88baee39aa1cebec644bbcb99","rule":"aspydrv_asp","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file cmdjsp.jsp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cmdjsp.jsp.txt","hash":"b815611cc39f17f05a73444d699341d4","rule":"cmdjsp_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","hash":"06ed0b2398f8096f1bebf092d0526137","rule":"h4ntu_shell__powered_by_tsoi_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Ajan.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ajan.asp.txt","hash":"b6f468252407efc2318639da22b08af0","rule":"Ajan_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
PHANTASMA.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file PHANTASMA.php.txt","hash":"52779a27fa377ae404761a7ce76a5da7","rule":"PHANTASMA_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt","hash":"36d4f34d0a22080f47bb1cb94107c60f","rule":"MySQL_Web_Interface_Version_0_8_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt","hash0":"ddaf9f1986d17284de83a17fe5f9fd94","hash1":"17a07bb84e137b8aa60f87cd6bfab748","hash2":"4745d510fed4378e4b1730f56f25e569","rule":"_nst_php_php_img_php_php_nstview_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, 
nfm.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt","hash0":"acdbba993a5a4186fd864c5e4ea0ba4f","hash1":"2601b6fc1579f263d2f3960ce775df70","hash2":"401fbae5f10283051c39e640b77e4c26","rule":"_network_php_php_xinfo_php_php_nfm_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated ","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"eddf7a8fde1e50a7f2a817ef7cece24f","hash3":"8023394542cddf8aee5dec6072ed02b5","hash4":"eed14de3907c9aa2550d95550d1a2d5f","hash5":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, 
SpecialShell_99.php.php.txt","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"9c5bb5e3a46ec28039e8986324e42792","hash2":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_wacking_php_php_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"eddf7a8fde1e50a7f2a817ef7cece24f","rule":"_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt","hash0":"9c5bb5e3a46ec28039e8986324e42792","hash1":"44542e5c3e9790815c49d5f9beffbbf2","hash2":"09609851caa129e40b0d56e90dfc476c","hash3":"38fd7e45f9c11a37463c3ded1c76af4c","rule":"_wacking_php_php_1_SpecialShell_99_php_php_c100_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"eddf7a8fde1e50a7f2a817ef7cece24f","hash2":"8023394542cddf8aee5dec6072ed02b5","hash3":"eed14de3907c9aa2550d95550d1a2d5f","hash4":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files multiple_php_webshells","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files multiple_php_webshells","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"be0f67f3e995517d18859ed57b4b4389","hash3":"eddf7a8fde1e50a7f2a817ef7cece24f","hash4":"8023394542cddf8aee5dec6072ed02b5","hash5":"eed14de3907c9aa2550d95550d1a2d5f","hash6":"817671e1bdc85e04cc3440bbd9288800","hash7":"7101fe72421402029e2629f3aaed6de7","hash8":"f618f41f7ebeb5e5076986a66593afd1","rule":"multiple_php_webshells","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files w.php.php.txt, 
c99madshell_v2.1.php.php.txt, wacking.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated ","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","hash3":"d8ae5819a0a2349ec552cbcf3a62c975","hash4":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, 
nstview.php.php.txt","hash0":"ddaf9f1986d17284de83a17fe5f9fd94","hash1":"ef8828e0bc0641a655de3932199c0527","hash2":"17a07bb84e137b8aa60f87cd6bfab748","hash3":"4745d510fed4378e4b1730f56f25e569","rule":"_nst_php_php_cybershell_php_php_img_php_php_nstview_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated ","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","hash3":"44542e5c3e9790815c49d5f9beffbbf2","hash4":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"eddf7a8fde1e50a7f2a817ef7cece24f","hash2":"eed14de3907c9aa2550d95550d1a2d5f","hash3":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_r57_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated ","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"40a3e86a63d3d7f063a86aab5b5f92c6","hash1":"d8ae5819a0a2349ec552cbcf3a62c975","hash2":"9e9ae0332ada9c3797d6cee92c2ede62","hash3":"f3ca29b7999643507081caab926e2e74","rule":"_nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/xFvioC","rule":"PHP_Cloaked_Webshell_SuperFetchExec","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php","hash":"1b2a4a7174ca170b4e3a8cdf4814c92695134c8a","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_dC3_Security_Crew_Shell_PRiV"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file simattacker.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file simattacker.php","hash":"258297b62aeaf4650ce04642ad5f19be25ec29c9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_simattacker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file DTool Pro.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file DTool Pro.php","hash":"e2ee1c7ba7b05994f65710b7bbf935954f2c3353","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_DTool_Pro"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file ironshell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file ironshell.php","hash":"d47b8ba98ea8061404defc6b3a30839c4444a262","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_ironshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file b374k-mini-shell-php.php.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file b374k-mini-shell-php.php.php","hash":"afb88635fbdd9ebe86b650cc220d3012a8c35143","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_b374k_mini_shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Sincap 1.0.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Sincap 1.0.php","hash":"9b72635ff1410fa40c4e15513ae3a496d54f971c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Sincap_1_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file b374k.php.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file b374k.php.php","hash":"04c99efd187cf29dc4e5603c51be44170987bce2","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_b374k_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php","hash":"6454cc5ab73143d72cf0025a81bd1fe710351b44","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php","hash":"cbca8cd000e705357e2a7e0cf8262678706f18f9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_h4ntu_shell__powered_by_tsoi_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file MyShell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github 
Archive - file MyShell.php","hash":"42e283c594c4d061f80a18f5ade0717d3fb2f76d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_MyShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file pws.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file pws.php","hash":"7a405f1c179a84ff8ac09a42177a2bcd8a1a481b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_pws"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file reader.asp.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file reader.asp.php.txt","hash":"70656f3495e2b3ad391a77d5208eec0fb9e2d931","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_reader_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP 
Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php","hash":"b2b797707e09c12ff5e632af84b394ad41a46fa4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file php-backdoor.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file php-backdoor.php","hash":"b190c03af4f3fb52adc20eb0f5d4d151020c74fe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file pHpINJ.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file pHpINJ.php","hash":"75116bee1ab122861b155cc1ce45a112c28b9596","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_pHpINJ"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file 
NGH.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NGH.php","hash":"c05b5deecfc6de972aa4652cb66da89cfb3e1645","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_NGH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file matamu.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file matamu.php","hash":"d477aae6bd2f288b578dbf05c1c46b3aaa474733","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_matamu"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file ru24_post_sh.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file ru24_post_sh.php","hash":"d2c18766a1cd4dda928c12ff7b519578ccec0769","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_ru24_post_sh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file hiddens shell 
v1.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file hiddens shell v1.php","hash":"1674bd40eb98b48427c547bf9143aa7fbe2f4a59","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_hiddens_shell_v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file c99_locus7s.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file c99_locus7s.php","hash":"d413d4700daed07561c9f95e1468fb80238fbf3c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_c99_locus7s"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file safe0ver.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file safe0ver.php","hash":"366639526d92bd38ff7218b8539ac0f154190eb8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_safe0ver"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file 
kral.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file kral.php","hash":"4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_kral"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file cgitelnet.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file cgitelnet.php","hash":"72e5f0e4cd438e47b6454de297267770a36cbeb3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_cgitelnet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file NTDaddy v1.9.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NTDaddy v1.9.php","hash":"79519aa407fff72b7510c6a63c877f2e07d7554b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_NTDaddy_v1_9"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file 
lamashell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lamashell.php","hash":"b71181e0d899b2b07bc55aebb27da6706ea1b560","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_lamashell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php","hash":"03f6215548ed370bec0332199be7c4f68105274e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Simple_PHP_backdoor_by_DK"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file CmdAsp.asp.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file CmdAsp.asp.php.txt","hash":"cb18e1ac11e37e236e244b96c2af2d313feda696","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_CmdAsp_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive 
- file NCC-Shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NCC-Shell.php","hash":"64d4495875a809b2730bd93bec2e33902ea80a53","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_NCC_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file README.md","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file README.md","hash":"ef2c567b4782c994db48de0168deb29c812f7204","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_README"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file backupsql.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file backupsql.php","hash":"863e017545ec8e16a0df5f420f2d708631020dd4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_backupsql"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta 
Version.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php","hash":"c90b0ba575f432ecc08f8f292f3013b5532fe2c4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_AK_74_Security_Team_Web_Shell_Beta_Version"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file cpanel.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file cpanel.php","hash":"433dab17106b175c7cf73f4f094e835d453c0874","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_cpanel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file 529.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file 529.php","hash":"ba3fb2995528307487dff7d5b624d9f4c94c75d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_529"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github 
Archive - file qsd-php-backdoor.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file qsd-php-backdoor.php","hash":"4856bce45fc5b3f938d8125f7cdd35a8bbae380f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_qsd_php_backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php","hash":"5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Gamma Web Shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Gamma Web Shell.php","hash":"7ef773df7a2f221468cc8f7683e1ace6b1e8139a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Gamma_Web_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file WinX Shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file WinX Shell.php","hash":"a94d65c168344ad9fa406d219bdf60150c02010e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_WinX_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file php-include-w-shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file php-include-w-shell.php","hash":"1a7f4868691410830ad954360950e37c582b0292","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_include_w_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file PhpSpy Ver 2006.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file PhpSpy Ver 2006.php","hash":"34a89e0ab896c3518d9a474b71ee636ca595625d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_PhpSpy_Ver_2006"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file myshell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file myshell.php","hash":"5bd52749872d1083e7be076a5e65ffcde210e524","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_myshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file lolipop.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lolipop.php","hash":"86f23baabb90c93465e6851e40104ded5a5164cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_lolipop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file simple_cmd.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file simple_cmd.php","hash":"466a8caf03cdebe07aa16ad490e54744f82e32c2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_simple_cmd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file go-shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file go-shell.php","hash":"3dd85981bec33de42c04c53d081c230b5fc0e94f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_go_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file aZRaiLPhp v1.0.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file aZRaiLPhp v1.0.php","hash":"a2c609d1a8c8ba3d706d1d70bef69e63f239782b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_aZRaiLPhp_v1_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Github Archive - file zehir4","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Github Archive - file zehir4","hash":"788928ae87551f286d189e163e55410acbb90a64","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_webshells_zehir4","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP 
Webshells Github Archive - file zehir4.asp.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file zehir4.asp.php.txt","hash":"1d9b78b5b14b821139541cc0deb4cbbd994ce157","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_zehir4_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file lostDC.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lostDC.php","hash":"d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_lostDC"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file CasuS 1.5.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file CasuS 1.5.php","hash":"7eee8882ad9b940407acc0146db018c302696341","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_CasuS_1_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from 
files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php","hash0":"fa11deaee821ca3de7ad1caafa2a585ee1bc8d82","hash1":"c0a4ba3e834fb63e0a220a43caaf55c654f97429","hash2":"16fa789b20409c1f2ffec74484a30d0491904064","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php","hash0":"b148ead15d34a55771894424ace2a92983351dda","hash1":"e4ba288f6d46dc77b403adf7d411a280601c635b","hash2":"e5713d6d231c844011e9a74175a77e8eb835c856","hash3":"1b836517164c18caf2c92ee2a06c645e26936a0c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, 
stres.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php","hash0":"335a0851304acedc3f117782b61479bbc0fd655a","hash1":"6eb4ab630bd25bec577b39fb8a657350bf425687","hash2":"03f88f494654f2ad0361fb63e805b6bbfc0c86de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__CrystalShell_v_1_erne_stres","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php","hash0":"5622c9841d76617bfc3cd4cab1932d8349b7044f","hash1":"4a20f36035bbae8e342aab0418134e750b881d05","hash2":"40dbdc0bdf5218af50741ba011c5286a723fa9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__findsock_php_findsock_shell_php_reverse_shell","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github 
Archive","hash0":"1a08f5260c4a2614636dfc108091927799776b13","hash1":"335a0851304acedc3f117782b61479bbc0fd655a","hash2":"ca9fcfb50645dc0712abdf18d613ed2196e66241","hash3":"36d8782d749638fdcaeed540d183dd3c8edc6791","hash4":"03f88f494654f2ad0361fb63e805b6bbfc0c86de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Generic_PHP_6","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Injectt.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Injectt.exe","hash":"8a5d2158a566c87edc999771e12d42c5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Unpack_Injectt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file ssh.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ssh.php","hash":"1aa5307790d72941589079989b4f900e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_ssh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
Client.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Client.exe","hash":"5f91a5b46d155cacf0cc6673a2a5461b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"bin_Client"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file ZXshell.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ZXshell.exe","hash":"246ce44502d2f6002d720d350e26c288","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_ZXshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file RkNTLoad.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file RkNTLoad.exe","hash":"262317c95ced56224f136ba532b8b34f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"RkNTLoad"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
binder2.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file binder2.exe","hash":"d594e90ad23ae0bc0b65b59189c12f11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"binder2_binder2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file orice2.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file orice2.php","hash":"aa63ffb27bde8d03d00dda04421237ae","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"thelast_orice2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file sendmail.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file sendmail.exe","hash":"75b86f4a21d8adefaf34b3a94629bd17","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sendmail"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
zehir4.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file zehir4.asp","hash":"5b496a61363d304532bcf52ee21f5d55","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_zehir4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file hkshell.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkshell.exe","hash":"168cab58cee59dc4706b3be988312580","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkshell_hkshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file DarkSpy105.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file DarkSpy105.exe","hash":"f0b85e7bec90dba829a3ede1ab7d8722","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DarkSpy105"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
EditServer.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file EditServer.exe","hash":"f945de25e0eba3bdaf1455b3a62b9832","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer_EXE"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file reader.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file reader.asp","hash":"b598c8b662f2a1f6cc61f291fb0a6fa2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_reader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file svchostdll.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file svchostdll.dll","hash":"0f6756c8cb0b454c452055f189e4c3f4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"svchostdll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
server.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file server.asp","hash":"1d38526a215df13c7373da4635541b43","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_DevPack_server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file vanquish.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file vanquish.dll","hash":"684450adde37a93e8bb362994efc898c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"vanquish"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Client.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Client.exe","hash":"9f0a74ec81bc2f26f16c5c172b80eca7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"BIN_Client"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
Simple_PHP_BackDooR.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Simple_PHP_BackDooR.php","hash":"a401132363eecc3a1040774bec9cb24f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Simple_PHP_BackDooR"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file hkrmv.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkrmv.exe","hash":"bd3a0b7a6b5536f8d96f50956560e9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkshell_hkrmv"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file phpft.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file phpft.php","hash":"60ef80175fcc6a879ca57c54226646b1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_phpft"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
bdcli100.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file bdcli100.exe","hash":"b12163ac53789fb4f62e4f17a8c2e028","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"bdcli100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file rdrbs084.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file rdrbs084.exe","hash":"ed30327b255816bdd7590bf891aa0020","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rdrbs084"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 2005.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file 2005.exe","hash":"8bf667ee9e21366bc0bd3491cb614f41","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_CaseSwitch_2005"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
casus15.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file casus15.php","hash":"8d155b4239d922367af5d0a1b89533a3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_casus15_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file installer.cmd","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file installer.cmd","hash":"a507919ae701cf7e42fa441d3ad95f8f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"installer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file elmaliseker.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file elmaliseker.asp","hash":"ccf48af0c8c09bbd038e610a49c9862e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"elmaliseker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
resolve.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file resolve.exe","hash":"69bf9aa296238610a0e05f99b5540297","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_resolve"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Fport.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Fport.exe","hash":"dbb75488aa2fa22ba6950aead1ef30d5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_Fport"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file upload.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file upload.asp","hash":"b09852bda534627949f0259828c967de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_DevPack_upload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
PasswordReminder.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file PasswordReminder.exe","hash":"ea49d754dc609e8bfa4c0f95d14ef9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PasswordReminder"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file RkNT.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file RkNT.dll","hash":"5f97386dfde148942b7584aeb6512b85","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rknt_zip_Folder_RkNT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file dbgntboot.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dbgntboot.dll","hash":"4d87543d4d7f73c1529c9f8066b475ab","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"dbgntboot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file shell.php","hash":"45e8a00567f8a34ab1cccc86b4bc74b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PHP_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file rdrbs100.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file rdrbs100.exe","hash":"7c752bcd6da796d80a6830c61a632bff","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rdrbs100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Mithril.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Mithril.exe","hash":"017191562d72ab0ca551eb89256650bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_Mithril"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
hkdoordll.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkdoordll.dll","hash":"b715c009d47686c0e62d0981efce2552","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkdoordll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file dllTest.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dllTest.dll","hash":"1b9e518aaa62b15079ff6edb412b21e9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_v1_45_dllTest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file dbgiis6cli.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dbgiis6cli.exe","hash":"3044dceb632b636563f66fee3aaaf8f3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"dbgiis6cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
cress.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file cress.exe","hash":"36a416186fe010574c9be68002a7286a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Debug_cress"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file usr.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file usr.php","hash":"ade3357520325af50c9098dc8a21a024","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_usr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file phpinj.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file phpinj.php","hash":"dd39d17e9baca0363cc1c3664e608929","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_phpinj"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
db.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file db.asp","hash":"cb62e2ec40addd4b9930a9e270f5b318","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"xssshell_db"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file EditServer.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file EditServer.exe","hash":"5c1f25a4d206c83cdfb006b3eb4c09ba","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file by064cli.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file by064cli.exe","hash":"10e0dff366968b770ae929505d2a9885","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"by064cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
dllTest.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dllTest.dll","hash":"a8d25d794d8f08cd4de0c3d6bf389e6d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_dllTest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file connector.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file connector.asp","hash":"3ba1827fca7be37c8296cd60be9dc884","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"connector"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file HideRun.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file HideRun.exe","hash":"45436d9bfd8ff94b71eeaeb280025afe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_HideRun"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
PHP_Shell_v1.7.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file PHP_Shell_v1.7.php","hash":"b5978501c7112584532b4ca6fb77cba5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PHP_Shell_v1_7"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file save.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file save.asp","hash":"865da1b3974e940936fe38e8e1964980","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"xssshell_save"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file screencap.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file screencap.exe","hash":"51139091dea7a9418a50f2712ea72aa6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"screencap"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
zxrecv.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file zxrecv.exe","hash":"5d3d12a39f41d51341ef4cb7ce69d30f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_zxrecv"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file deploy.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file deploy.exe","hash":"2c9f9c58999256c73a5ebdb10a9be269","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"_root_040_zip_Folder_deploy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file by063cli.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file by063cli.exe","hash":"49ce26eb97fd13b6d92a5e5d169db859","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"by063cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
asp.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file asp.asp","hash":"2c412400b146b7b98d6e7755f7159bb9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"icyfox007v1_10_rar_Folder_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file ntboot.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ntboot.dll","hash":"cb9eb5a6ff327f4d6c46aacbbe9dda9d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"byshell063_ntboot_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file xwhois.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file xwhois.exe","hash":"0bc98bd576c80d921a3460f8be8816b4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_xwhois"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
vanquish.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file vanquish.exe","hash":"2dcb9055785a2ee01567f52b5a62b071","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"vanquish_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file nc.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file nc.exe","hash":"2cd1bf15ae84c5f6917ddb128827ae8b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_nc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Server.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Server.exe","hash":"1d5aa9cbf1429bb5b8bf600335916dcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"BIN_Server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
2006.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file 2006.asp","hash":"c19d6f4e069188f19b08fa94d44bc283","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop2006_rar_Folder_2006"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file HDConfig.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file HDConfig.exe","hash":"7d60e552fdca57642fd30462416347bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HDConfig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell and Exploit Code in relation with APT against Honk Kong protesters","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"10.10.2014","description":"Webshell and Exploit Code in relation with APT against Honk Kong protesters","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Webshell_and_Exploit_CN_APT_HK","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a web shell that downloads content from pastebin.com 
http://goo.gl/7dbyZs","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"13.01.2015","description":"Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/7dbyZs","rule":"Pastebin_Webshell","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects C99 Webshell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-11","description":"Detects C99 Webshell","hash1":"2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4","hash10":"615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966","hash11":"bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96","hash12":"ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f","hash13":"a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5","hash14":"1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd","hash2":"0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092","hash3":"d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5","hash4":"5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c","hash5":"21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06","hash6":"c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596","hash7":"816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9","hash8":"383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1","hash9":"07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51a
b9dd6d33357a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/nikicat/web-malware-collection","rule":"Webshell_c99_4","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ...","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-11","description":"Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ...","hash1":"e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6","hash10":"0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f","hash11":"ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92","hash2":"f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba","hash3":"16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2","hash4":"59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88","hash5":"6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a","hash6":"5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94","hash7":"1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8","hash8":"c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f","hash9":"59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/nikicat/web-malware-collection","rule":"Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects Webshell - rule generated from from files c100 v. 777shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-11","description":"Detects Webshell - rule generated from from files c100 v. 777shell","hash1":"0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092","hash2":"d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5","hash3":"21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06","hash4":"c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596","hash5":"816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9","hash6":"bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96","hash7":"ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/nikicat/web-malware-collection","rule":"Webshell_c100","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a web shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-10","description":"Detects a web shell","hash1":"027544baa10259939780e97dc908bd43f0fb940510119fc4cce0883f3dd88275","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/bartblaze/PHP-backdoors","rule":"webshell_e8eaf8da94012e866e51547cd63bb996379690bf"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects a simple cloaked PHP web shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-28","description":"Detects a simple cloaked PHP web shell","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127","rule":"PHP_Webshell_1_Feb17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects web shell often used by Iranian APT groups","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-21","description":"Detects web shell often used by Iranian APT groups","hash1":"a39d8823d54c55e60a7395772e50d116408804c1a5368391a1e5871dbdc83547","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research - APT33","rule":"ALFA_SHELL"}}]}},{"path":"signature-base-master/yara/thor_inverse_matches.yar","filename":"thor_inverse_matches.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":21469,"md5":"d0b40f1f24b1bdd044ff18a91292656c","sha1":"ca500c716cf96010282c41f5d49d656b097a60ad","sha256":"7c77115352339c69aa10d307daff9ceae66a184c0604a8464520d4d8ed8769f5","sha512":"6206e4e037dba313e813b415b377ba39a5a339e2ecc3f2a5445a1d958103c06510b2de647d362ae157e7edb03e4227f1eb66bcc56db247289072c5f0110525a7","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/threat_lenovo_superfish.yar","filename":"threat_lenovo_superfish.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":957,"md5":"177d11f693725892ca9ed016df81cd67","sha1":"77ac741e9d616ba33831fdbd13eb846db1d6c88a","sha256":"033816552f69226f9fa62cf3bbbd0b5e4013c9a9e1ae14b7071f0dd9de923f00","sha512":"05c2d49680907d1b4957ecca53e6ed0e4662c6da4bb943f570f4a128fd3a0a5cb030b267f7390943e30cd8bdfbeb48dc5d58b0dfc2d9d32457692e4fc38ccb45","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vul_backdoor_antitheftweb.yar","filename":"vul_backdoor_antitheftweb.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1168,"md5":"025bcddf2c11629885d9bdd508999eb1","sha1":"5a8f3db46feb5f9b04437f61a122c0e05614d7ce","sha256":"17f8e066a4b44e6a33ba4cee7262adb70ed4d398095b6753b8b64bc7071f3421","sha512":"889f67ce9d63fcb69c3b624c799bdaf2c264a476a1b8f7275742115ec84bad9df3b1bc08abe9d30170c043177b7d57d587693b3bd4c3315f0e6e849dc9a8e221","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vul_confluence_questions_plugin_cve_2022_26138.yar","filename":"vul_confluence_questions_plugin_cve_2022_26138.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1165,"md5":"3070aa806f0155cb4ee940653afb9670","sha1":"ad8970724bf92517761cb0fbea154c8b319ddbcc","sha256":"acb5deb548fac70be49042535b5e394932af6bfd12e3afcb00ae6f7044ba5ebd","sha512":"6f2b0042b5e4c7158bb88cbe5ca735dc881574660d0c44eab98fd15312ef845376b3ffd4b9603dd1597ee638fcfcd52484eb9244dfbed8492c5c1ab2d2a064b9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138","trigger":"signature-base-master/yara/vul_confluence_questions_plugin_cve_2022_26138.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-07-21","description":"Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138","reference":"https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/","rule":"VULN_Confluence_Questions_Plugin_CVE_2022_26138_Jul22_1","score":"50"}}]}},{"path":"signature-base-master/yara/vul_cve_2020_0688.yar","filename":"vul_cve_2020_0688.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":629,"md5":"e088bf0d42568cfb04980b7b773844cb","sha1":"3b3851f9db63ae0f6a91d8815c38fca1271e83b7","sha256":"58fff070b2fb6a163ac201878fb6bd72156a015310a0eb54e131127e004278eb","sha512":"ef70a2201512b61af65358c96b58cbbb15ca5d0fe2579640ce5f6c6a5076f9a04445fee5657c49210f486286f726e9a7a10763061ffcdcd2d1f25f3594a25f82","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vul_cve_2020_1938.yar","filename":"vul_cve_2020_1938.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"exported SGML document, ASCII 
text","size":894,"md5":"8eea962adf4cb9048611bef5e350fa63","sha1":"304edb61b22ddb15aff38eb4770b07fd1869b50c","sha256":"4e96c277b5145701ff8fac97f4e8d8b6d35b30004a90d56182171fdd58afe077","sha512":"7446e8ca990baca13c3e52d654ca55f3c6f9d8c11cdb5e71f0d04956b07dc19db7a6764a6b4a89321f5b95bf8deb9f0972f0f7f31ce165e7e75a67bcc49c3694","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vul_cve_2021_3438_printdriver.yar","filename":"vul_cve_2021_3438_printdriver.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":841,"md5":"27f0b9aaec72c9b050040680e0fe4592","sha1":"ccfbb31bc047d5913f63785ea019f999362a97df","sha256":"dba98802e5ae2ecc7c1ac2635b4ad1f939a36daf7da5a584f2511bd0d1661163","sha512":"54e428ff42ddb7e8219c682e845c3d46a82e8002a544e94670469f1f8367c64460ed384c3d6fbba86246843e0f03cd86c8a9baf97cd0ce27eb23cb3324320a52","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vul_cve_2021_386471_omi.yar","filename":"vul_cve_2021_386471_omi.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1349,"md5":"904e494a65e1eb258037a2b8d286ad0f","sha1":"af6dc607ebdf21a0cab5461b835cf7f857179aa8","sha256":"61a9c9c80b92a2da99504e65e2d217710c48cb54619d8171aaaed7196662f7fa","sha512":"df3195adeb1a81ffdd01287dec330ba644d13bb5465e0cc3b5bca35907863a32117a01bdf9b857a0c7953acdd20a7b8eb519010e531c7eaa3c7a014a5ebdf37b","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vul_dell_bios_upd_driver.yar","filename":"vul_dell_bios_upd_driver.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":963,"md5":"0a43a3042aeb3b1cfd4d6ad87cc87587","sha1":"beb6597c59d7a87c78c602a8d4ea401433a3a006","sha256":"e080783be311b24b7e099e071504e35cc93508368608f448dcb6ca44f5e73c7b","sha512":"55c3465803c7f26935945c1406cfc9a60f9f10666dda72aba4c07dbd0e5273a4217e7d8161ce7638072c4da81454ff80467979dc4671639df89654d937f4e410","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vul_drivecrypt.yar","filename":"vul_drivecrypt.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":1399,"md5":"dc59a5b4e1116f2f7f3abec182b3036c","sha1":"97413db90539e96ea0b693b485faf6f67be4475b","sha256":"719da7a6a77f2886b4a79afee9edbe11fe4ed55929a360c662a5919c395ae156","sha512":"1c163f5bd7ca6b38a52461f541d11a6f511d1c19cc1a458c1c8c06f8a4a0acf2dc80b6a22ae97e22f15354b62ba021d1151270717d6457dca0ec0399054ac3b4","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vul_jquery_fileupload_cve_2018_9206.yar","filename":"vul_jquery_fileupload_cve_2018_9206.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":848,"md5":"287d20a5ff7a7f6b49ed3642fcabacd9","sha1":"54aa4769e235a77e59c0fa649de2fb0414f9cd82","sha256":"70e9d58f05d067a22f7a39d705ceaea45d8294e0d3912db77e4033742821e3bd","sha512":"297ae12c5becd71760f4aad9573725ed0547994620e98ed9a057aa78daca746805845f000fdf71e14e6bacdbaffaca9b561b42f74040b7797cd1a4547554617c","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JQuery File Upload vulnerability CVE-2018-9206","trigger":"signature-base-master/yara/vul_jquery_fileupload_cve_2018_9206.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-10-19","description":"Detects JQuery File Upload vulnerability 
CVE-2018-9206","reference":"https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/","reference2":"https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f","reference3":"https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html","rule":"VUL_JQuery_FileUpload_CVE_2018_9206"}}]}},{"path":"signature-base-master/yara/vul_php_zlib_backdoor.yar","filename":"vul_php_zlib_backdoor.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":561,"md5":"28c0b9f981bfcac2b186416f8e711271","sha1":"e58bb51eb84c028846f8bbcffcbfc5cf6e0bdd87","sha256":"b3da6044dddb604c6eb1b6d516ed7c292606039f8c88f3e456aa23fa777cfe8c","sha512":"822d1c87007abb9f7dc8c1a5ab86b130d954f46abdb0488175c8daa76bfb0d7560cc6c7da303312408f6b903ce1362c591123e0be150893d050b246eb6465434","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects backdoored PHP zlib version","trigger":"signature-base-master/yara/vul_php_zlib_backdoor.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-29","description":"Detects backdoored PHP zlib version","reference":"https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/","rule":"VULN_PHP_Hack_Backdoored_Zlib_Zerodium_Mar21_1"}}]}},{"path":"signature-base-master/yara/vuln_gigabyte_driver.yar","filename":"vuln_gigabyte_driver.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":1715,"md5":"b1608b4fda05b971b6f7a89edacc009b","sha1":"a0c2316f8b8b67b183b46b98a32771e23db2e506","sha256":"619bed15b514e82ecf260f50680d532358b8b1fa1e2c8204649ec5ba30a479b8","sha512":"33e7b9dcfc86eb3906917a4d937ea5aa413a6ed07d99ec52a216cf09ced89319e9dc7a22d519bf2cfe847a0a4b8336fc8b56e6d8c98d6b1169fdfb6f673b8ff3","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a vulnerable GIGABYTE driver sometimes used by malicious actors to escalate privileges","trigger":"signature-base-master/yara/vuln_gigabyte_driver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-07-25","description":"Detects a vulnerable GIGABYTE driver sometimes used by malicious actors to escalate privileges","hash1":"31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427","reference":"https://twitter.com/malmoeb/status/1551449425842786306","rule":"VULN_PUA_GIGABYTE_Driver_Jul22_1","score":"65"}}]}},{"path":"signature-base-master/yara/vuln_keepass_brute_forcible.yar","filename":"vuln_keepass_brute_forcible.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (370)","size":974,"md5":"e0e3be1ef6dc20784a2e965b7dbb442c","sha1":"3cfcd77abeb0265c377d4dd223c25e669df8cd92","sha256":"82e92fc436681389e7d5029d4e1161717780a2bc8cc6cd0ba08b89bfa061fb29","sha512":"4f5932ac162d587824e411bf8851621b0fbc5e33df487ab23cc52600cd76d0d34e8b54c5ed8be7d10b77225fedfcf7524d7230222bdc5c3ff8b9ccd268f65eb5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vuln_moveit_0day_jun23.yar","filename":"vuln_moveit_0day_jun23.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3800,"md5":"11a5d2b6e23435e858e2ea344b612f9a","sha1":"c29129c8b433e3c237093559877f50884599db5e","sha256":"fe6df466074bd5762fe0a3a14f10a1b3c2ac171b4f5146ca4b1a40ffc1b32e1f","sha512":"16d7152346693486c3ebc1ac5687190c95035b70317f2c7e571768290ad18b9a2766b34dcffc35e5a5b7540861b33cb30a77d56eab1ee337eb26018f8c236af0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ASPX web shells as being used in MOVEit Transfer exploitation","trigger":"signature-base-master/yara/vuln_moveit_0day_jun23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-01","description":"Detects ASPX web shells as being used in MOVEit Transfer exploitation","hash1":"2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5","hash2":"48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a","hash3":"e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e","reference":"https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/","rule":"WEBSHELL_ASPX_MOVEit_Jun23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a potential compromise indicator found in MOVEit Transfer logs","trigger":"signature-base-master/yara/vuln_moveit_0day_jun23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-01","description":"Detects a potential compromise indicator found in MOVEit Transfer 
logs","reference":"https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a potential compromise indicator found in MOVEit Transfer logs","trigger":"signature-base-master/yara/vuln_moveit_0day_jun23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-03","description":"Detects a potential compromise indicator found in MOVEit Transfer logs","reference":"https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a potential compromise indicator found in MOVEit DMZ Web API logs","trigger":"signature-base-master/yara/vuln_moveit_0day_jun23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nasreddine Bencherchali","date":"2023-06-13","description":"Detects a potential compromise indicator found in MOVEit DMZ Web API logs","reference":"https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_3","score":"70"}}]}},{"path":"signature-base-master/yara/vuln_paloalto_cve_2024_3400_apr24.yar","filename":"vuln_paloalto_cve_2024_3400_apr24.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":3449,"md5":"dc730bfc22f0922bc4931e21abfca88e","sha1":"6d73511884fff0dc75be969022fbbb05974939df","sha256":"cee1ffd89f1a2f197e3d323fa7094ed6e1e40c0268c27f75ee9c9c4478aa3a5d","sha512":"b7d177abdaf9c80af238c2d502ce8f2265e1b18e0a776e34e4d89e7cfc939623f2b380b46cfc84f1c2abcd585de9c9e6868a06adc678cea179ee7a68b4580fb1","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/vuln_proxynotshell_cve_2022_41040.yar","filename":"vuln_proxynotshell_cve_2022_41040.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":731,"md5":"0c926ca44571ab411c610408ac3a3c3f","sha1":"1a1b643cf959b624f7ec38b9c15cefb502d5503e","sha256":"8260f897439415a34b05927ae3584d92cadc2f6ae903b8049f8a4986bc3ecf7d","sha512":"98192050e21380b9ff9e811c45e8112b8b418d8a7681b21935e7828d4dab14fc2fd73fec6be73f67cbb30b359d2edf0f3cd6c67c6330acdfedbabaef52bdebab","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers","trigger":"signature-base-master/yara/vuln_proxynotshell_cve_2022_41040.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-11-17","description":"Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers","reference":"https://github.com/testanull/ProxyNotShell-PoC","rule":"LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22","score":"70"}}]}},{"path":"signature-base-master/yara/webshell_regeorg.yar","filename":"webshell_regeorg.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":677,"md5":"f7c160344180c05d1d946931c2aae479","sha1":"ddf0df28200e7e072e3d279a3e9cb3d3ad7311ce","sha256":"c138b217948712c379dd0bd7e8fb7c781daaecea0edad5f6f005d39ab7ea2241","sha512":"115d51a75f848b95a998fdb6375785974d4d796db77abab83a88d9dbc9641a5dc390cb6ebeedb529d292a81f53c7d4a737617c205dbae2f753b8424f4d3cf1b0","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"REGEORG_Tuneller_generic","trigger":"signature-base-master/yara/webshell_regeorg.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Mandiant","date":"2021-12-20","date_modified":"2021-12-20","hash":"ba22992ce835dadcd06bff4ab7b162f9","reference":"https://www.mandiant.com/resources/unc3524-eye-spy-email","rule":"REGEORG_Tuneller_generic"}}]}},{"path":"signature-base-master/yara/webshell_xsl_transform.yar","filename":"webshell_xsl_transform.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text","size":704,"md5":"d8ff322a6b3beb712d3e63f8065a2cdd","sha1":"ae3e46419cfe044d00b5a7c8dd6f3a4809b8f71a","sha256":"2443298ee304f2433ae0a7a30a7237f0bd3987489a6087adce027d9f2f65c31c","sha512":"718bc6e126c2b3810198cb135526a9ed65ace5dcfefaf3cfeced1dc33d4282dadf70814ef910d09e5dcb682585d0c24e3f8f06324ec2b48a1b1638b5dd717c84","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/yara-rules_mal_drivers.yar","filename":"yara-rules_mal_drivers.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines 
(338)","size":50871,"md5":"276687a2c231911aceaf395c69345b14","sha1":"dfd1073518f9bab8cc83c08b6e00c7bfb8fcc021","sha256":"efe73f7d0ff11b7a6040390dc149e062abc721632bbe2f910a658c21162fd965","sha512":"6f4380f06ce59c15f7f9e4c0c75bf71934be128aac2864ece6e2bfe1b55b0f1b46e79af6261c168ccb3b635d04246fe118f7070c471786093ebadb6c8dbe0715","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/yara-rules_vuln_drivers_strict.yar","filename":"yara-rules_vuln_drivers_strict.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (668)","size":984345,"md5":"9d599f536be474ceb66dd79fd0c5603a","sha1":"b0decc8a9e94dbba9f768f05762285ff8b60b676","sha256":"d714ff3be9d06dced1ede70b4ac135dd129898c5ae657d7ae02b4756c9a1dd73","sha512":"fd230c8bf2d6f40b57d94cd625489b0cdb8b4ae6bce3dffb3f91fe04abb4aa1be3f6c319e04d739a8d4e37ab71da3315a11c56d9e4c7ab01c172953f886a54d5","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/yara-rules_vuln_drivers_strict_renamed.yar","filename":"yara-rules_vuln_drivers_strict_renamed.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII text, with very long lines (668)","size":1014906,"md5":"253dab51ef3f0fd08ef29d8f2ce836ee","sha1":"2eaef31bcecebb81f2d276f472cf265b03b12dd0","sha256":"2137fceefce04d1608379ebf15758cb0f571175f836c45fc6d4c16b778df36b0","sha512":"a0bac5ef0828e300bd54d2237f0b916fa4a5eb4cf56660e945471b9f678205c767f3c9e5054a9488c025cc84067d219417408c6eaf07c4a41f358a03e9a2eba2","alerts":{"urlquery":null,"analyzer":null}},{"path":"signature-base-master/yara/yara_mixed_ext_vars.yar","filename":"yara_mixed_ext_vars.yar","modified":"","Modified":"2024-09-18T07:49:50-07:00","magic":"ASCII 
text","size":20853,"md5":"33999399cc1f4c7f37aefeab37fd7f85","sha1":"4668a0b6d0e21284f8e933ffdb4388064ecff433","sha256":"dc37a79cb8bb0d8cbbfd6f2099108d88c09d362713f4e71691c8d17eed8d71b9","sha512":"3f5ccf82e35f3b60b7b17d7cf45af840c8b66a2e7d3c0324bf45d6d2658d052ca6a37f2c9706b465527bd0a494815736d4d6c86debff5e144e71cf3f8583b28b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user input","trigger":"signature-base-master/yara/yara_mixed_ext_vars.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"APT 10 / Cloud Hopper malware campaign","trigger":"signature-base-master/iocs/c2-iocs.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-06","description":"APT 10 / Cloud Hopper malware campaign","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html","rule":"APT10_Malware_Sample_Gen","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"String from the ShodowBroker Files Screenshots - Dec 2016","trigger":"signature-base-master/iocs/filename-iocs.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects path of the unix socket created to prevent concurrent executions in Exaramel malware","trigger":"signature-base-master/iocs/filename-iocs.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects path of the unix socket created to prevent concurrent executions in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Socket_Path","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","trigger":"signature-base-master/iocs/hash-iocs.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems) @4nc4p","date":"2015/03/11","description":"EquationDrug - HDD/SSD firmware operation - 
nls_933w.dll","hash":"ff2b50f371eb26f22eb8a2118e9ab0e015081500","reference":"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/","rule":"EquationDrug_HDDSSD_Op"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/iocs/keywords.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"String from the ShodowBroker Files Screenshots - Dec 2016","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation 
Toolkit","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-27","description":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","hash1":"19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Invoke_OSiRis"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems) @4nc4p","date":"2015/03/11","description":"EquationDrug - HDD/SSD firmware operation - 
nls_933w.dll","hash":"ff2b50f371eb26f22eb8a2118e9ab0e015081500","reference":"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/","rule":"EquationDrug_HDDSSD_Op"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file readme.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file readme.txt","hash":"a52545ae62ddb0ea52905cbb61d895a51bfe9bcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer_zip_Folder_readme","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt","hash":"c6eeacbe779518ea78b8f7ed5f63fc11","rule":"Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file shankar.php.php.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- 
Molls","description":"Semi-Auto-generated  - file shankar.php.php.txt","hash":"6eb9db6a3974e511b7951b8f7e7136bb","rule":"shankar_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file STNC.php.php.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file STNC.php.php.txt","hash":"2e56cfd5b5014cbbf1c1e3f082531815","rule":"STNC_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","hash":"6163b30600f1e80d2bb5afaa753490b6","rule":"Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","trigger":"signature-base-master/sig-base-rules.csv","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file h4ntu shell [powered by 
tsoi].txt","hash":"06ed0b2398f8096f1bebf092d0526137","rule":"h4ntu_shell__powered_by_tsoi_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Turla Agent.BTZ","trigger":"signature-base-master/yara/apt_agent_btz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-06-16","description":"Detects Turla Agent.BTZ","hash1":"c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615","reference":"Internal Research","rule":"APT_Turla_Agent_BTZ_Gen_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JavaDropper RAT","trigger":"signature-base-master/yara/apt_alienspy_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.10.2015","description":"Detects JavaDropper RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/JavaDropper","rule":"RAT_JavaDropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"APT 10 / Cloud Hopper malware campaign","trigger":"signature-base-master/yara/apt_apt10.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-06","description":"APT 10 / Cloud Hopper malware campaign","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html","rule":"APT10_Malware_Sample_Gen","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Find generic data potentially relating to AP15 tools","trigger":"signature-base-master/yara/apt_apt15.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"David Cannings","description":"Find generic data potentially relating to AP15 tools","rule":"malware_apt15_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_apt19.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/apt_apt19.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Attempts to detect Cobalt Strike based on strings found in BEACON","fingerprint":"e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71","id":"ee756db7-e177-41f0-af99-c44646d334f7","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_ee756db7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"HyperBro Stage 3 C2 path and user agent detection - also tested in memory","trigger":"signature-base-master/yara/apt_apt27_hyperbro.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Marc Stroebel","date":"2022-02-07","description":"HyperBro Stage 3 C2 path and user agent detection - also tested in memory","hash1":"624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8","license":"https://creativecommons.org/licenses/by-nc/4.0/","reference":"https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27","rule":"HvS_APT27_HyperBro_Stage3_C2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based","trigger":"signature-base-master/yara/apt_apt28_drovorub.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NSA / FBI","date":"2020-08-13","description":"Rule to 
detect Drovorub-server, Drovorub-agent, or Drovorub-client based","reference":"https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/","rule":"APT_APT28_drovorub_unique_network_comms_strings","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_apt29_grizzly_steppe.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-29","description":"Auto-generated rule","hash1":"9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0","hash2":"55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/WVflzO","rule":"GRIZZLY_STEPPE_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/apt_apt29_grizzly_steppe.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. 
restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic PHP webshell which uses any eval/exec function in the same line with user input","trigger":"signature-base-master/yara/apt_apt29_grizzly_steppe.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic PHP webshell which uses any eval/exec function in the same line with user input","hash":"90c5cc724ec9cf838e4229e5e08955eec4d7bf95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2021-10-29","rule":"webshell_php_generic_eval"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-05-25","description":"A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting 
payload.","hash":"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330","reference":"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/","rule":"APT_APT29_Win_FlipFlop_LDR"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-05-27","description":"The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.","hash":"ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c","reference":"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/","rule":"APT_APT28_Win_FreshFire"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EnvyScout deobfuscator code as used by NOBELIUM group","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-29","description":"Detects EnvyScout deobfuscator code as used by NOBELIUM 
group","reference":"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/","rule":"APT_APT29_NOBELIUM_JS_EnvyScout_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects NV Link as used by NOBELIUM group","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-29","description":"Detects NV Link as used by NOBELIUM group","reference":"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/","rule":"APT_APT29_NOBELIUM_LNK_NV_Link_May21_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BoomBox malware as described in APT29 NOBELIUM report","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-27","description":"Detects BoomBox malware as described in APT29 NOBELIUM report","reference":"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/","rule":"APT_APT29_NOBELIUM_BoomBox_May21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects stageless loader as used by APT29 / NOBELIUM","trigger":"signature-base-master/yara/apt_apt29_nobelium_may21.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-29","description":"Detects stageless loader as 
used by APT29 / NOBELIUM","hash1":"a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf","hash2":"c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78","reference":"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/","rule":"APT_APT29_NOBELIUM_Stageless_Loader_May21_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects APT 34 malware","trigger":"signature-base-master/yara/apt_apt34.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-07","description":"Detects APT 34 malware","hash1":"f6fa94cc8efea0dbd7d4d4ca4cf85ac6da97ee5cf0c59d16a6aafccd2b9d8b9a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html","rule":"APT34_Malware_HTA"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"North Korean origin malware which uses a custom Google App for c2 communications.","trigger":"signature-base-master/yara/apt_apt37_bluelight.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-06-21","description":"North Korean origin malware which uses a custom Google App for c2 communications.","hash1":"837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed","license":"See license at 
https://github.com/volexity/threat-intel/LICENSE.txt","reference":"https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/","rule":"APT_MAL_Win_BlueLight_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Speculoos Backdoor used by APT41","trigger":"signature-base-master/yara/apt_apt41.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-14","description":"Detects Speculoos Backdoor used by APT41","hash1":"6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167","hash2":"99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28","reference":"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/","rule":"APT_APT41_CN_ELF_Speculoos_Backdoor","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule written for 2 malware samples that communicated to APT6 C2 servers","trigger":"signature-base-master/yara/apt_apt6_malware.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-09","description":"Rule written for 2 malware samples that communicated to APT6 C2 servers","hash1":"321ec239bfa6927d39155ef5f10741ed786219489bbbb1dc8fee66e22f9f8e80","hash2":"7aef130b19d1f940e4c4cee6efe0f190f1402d2e0f741ee605c77518a04cb6d7","modified":"2023-01-06","reference":"https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/","rule":"APT6_Malware_Sample_Gen","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs a tool used in the 
Australian Parliament House network compromise","trigger":"signature-base-master/yara/apt_aus_parl_compromise.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network compromise","hash1":"1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b","hash2":"510375f8142b3651df67d42c3eff8d2d880987c0e057fc75a5583f36de34bf0e","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_LazyCat_LogEraser"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"signature-base-master/yara/apt_aus_parl_compromise.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network compromise","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_PowerKatz_Feb19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs a tool used in the Australian Parliament House network compromise","trigger":"signature-base-master/yara/apt_aus_parl_compromise.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-18","description":"Detetcs a tool used in the Australian Parliament House network 
compromise","reference":"https://twitter.com/cyb3rops/status/1097423665472376832","rule":"HKTL_Unknown_Feb19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Custome SSH backdoor based on python and paramiko - file server.py","trigger":"signature-base-master/yara/apt_backdoor_ssh_python.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-05-14","description":"Custome SSH backdoor based on python and paramiko - file server.py","hash":"0953b6c2181249b94282ca5736471f85d80d41c9","modified":"2022-08-18","reference":"https://goo.gl/S46L3o","rule":"custom_ssh_backdoor_server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo","trigger":"signature-base-master/yara/apt_casper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/06","description":"Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/VRJNLo","rule":"Casper_Included_Strings","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo","trigger":"signature-base-master/yara/apt_casper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/06","description":"Casper French Espionage 
Malware - System Info Output - http://goo.gl/VRJNLo","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/VRJNLo","rule":"Casper_SystemInformation_Output","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/apt_cloudatlas.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Contains_Shortcut_OtherURIhandlers","score":"35"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from the Proofpoint CN APT ZeroT incident","trigger":"signature-base-master/yara/apt_cn_pp_zerot.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-03","description":"Detects malware from the Proofpoint CN APT ZeroT incident","hash1":"ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"PP_CN_APT_ZeroT_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from the Proofpoint CN APT ZeroT 
incident","trigger":"signature-base-master/yara/apt_cn_pp_zerot.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-03","description":"Detects malware from the Proofpoint CN APT ZeroT incident","hash1":"74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"PP_CN_APT_ZeroT_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll","trigger":"signature-base-master/yara/apt_cn_pp_zerot.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll","hash1":"266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx","rule":"CN_APT_ZeroT_extracted_Mcutil"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Red Delta samples","trigger":"signature-base-master/yara/apt_cn_reddelta.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-10-14","description":"Detects Red Delta 
samples","hash1":"30b2bbce0ca4cb066721c94a64e2c37b7825dd72fc19c20eb0ab156bea0f8efc","hash2":"42ed73b1d5cc49e09136ec05befabe0860002c97eb94e9bad145e4ea5b8be2e2","hash3":"480a8c883006232361c5812af85de9799b1182f1b52145ccfced4fa21b6daafa","hash4":"7ea7c6406c5a80d3c15511c4d97ec1e45813e9c58431f386710d0486c4898b98","reference":"https://twitter.com/JAMESWT_MHT/status/1316387482708119556","rule":"APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Red Delta samples","trigger":"signature-base-master/yara/apt_cn_reddelta.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-10-14","description":"Detects Red Delta samples","hash1":"260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b","hash2":"9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5","hash3":"b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429","reference":"https://twitter.com/JAMESWT_MHT/status/1316387482708119556","rule":"APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Identifies strings used in Cobalt Strike Beacon DLL","trigger":"signature-base-master/yara/apt_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Elastic","date":"2021-03-16","description":"Identifies strings used in Cobalt Strike Beacon DLL","reference":"https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures","rule":"HKTL_CobaltStrike_Beacon_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"CAPEv2 YARA detection rules","scan_date":"2024-09-27","alert":"Cobalt Strike Beacon 
Payload","trigger":"signature-base-master/yara/apt_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/kevoreilly/CAPEv2/tree/master/data/yara","meta":{"author":"ditekshen, enzo \u0026 Elastic","cape_type":"CobaltStrikeBeacon Payload","description":"Cobalt Strike Beacon Payload","rule":"CobaltStrikeBeacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unmodified CobaltStrike beacon DLL","trigger":"signature-base-master/yara/apt_cobaltstrike_evasive.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yara@s3c.za.net","date":"2019-08-16","description":"Detects unmodified CobaltStrike beacon DLL","rule":"CobaltStrike_Unmodifed_Beacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CobaltStrike payloads","trigger":"signature-base-master/yara/apt_cobaltstrike_evasive.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Beacon_Encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Codoso APT CustomTCP Malware","trigger":"signature-base-master/yara/apt_codoso.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT CustomTCP 
Malware","hash1":"ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0","hash2":"130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8","hash3":"3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa","hash4":"02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_CustomTCP_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Codoso APT Gh0st Malware","trigger":"signature-base-master/yara/apt_codoso.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT Gh0st Malware","hash":"bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_Gh0st_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Codoso APT Gh0st Malware","trigger":"signature-base-master/yara/apt_codoso.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT Gh0st Malware","hash1":"5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841","hash2":"7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8","hash3":"d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_Gh0st_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Codoso APT PGV PVID Malware","trigger":"signature-base-master/yara/apt_codoso.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-30","description":"Detects Codoso APT PGV PVID Malware","hash1":"41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824","hash2":"58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3","hash3":"934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7","hash4":"ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266","hash5":"e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1","reference":"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks","rule":"Codoso_PGV_PVID_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a malware sysdll.exe from the Rocket Kitten APT","trigger":"signature-base-master/yara/apt_coreimpact_agent.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"27.12.2014","description":"Detects a malware sysdll.exe from the Rocket Kitten APT","hash":"f89a4d4ae5cca6d69a5256c96111e707","modified":"2023-01-06","rule":"CoreImpact_sysdll_exe","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects trojan from APT report named 
http.exe","trigger":"signature-base-master/yara/apt_danti_svcmondr.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-25","description":"Detects trojan from APT report named http.exe","hash1":"ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://goo.gl/13Wgy1","rule":"Mal_http_EXE","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a malicious PotPlayer.dll","trigger":"signature-base-master/yara/apt_danti_svcmondr.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-25","description":"Detects a malicious PotPlayer.dll","hash1":"705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/13Wgy1","rule":"Mal_PotPlayer_DLL","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - lot1.tmp-pwdump","trigger":"signature-base-master/yara/apt_deeppanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - lot1.tmp-pwdump","hash":"5d201a0fb0f4a96cefc5f73effb61acff9c818e1","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_lot1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - htran-exe","trigger":"signature-base-master/yara/apt_deeppanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hacktool","trigger":"signature-base-master/yara/apt_deeppanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Hacktool","rule":"HackTool_Samples","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects DTRACK malware","trigger":"signature-base-master/yara/apt_dtrack.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects DTRACK 
malware","hash1":"c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c","hash2":"a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68","hash3":"93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9","hash4":"3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682","hash5":"bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364","hash6":"58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb","hash7":"9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21","rule":"APT_MAL_DTRACK_Oct19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file create_dns_injection.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file create_dns_injection.py","hash1":"488f3cc21db0688d09e13eb85a197a1d37902612c3e302132c84e07bc42b1c32","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_create_dns_injection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file screamingplow.sh","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file 
screamingplow.sh","hash1":"c7f4104c4607a03a1d27c832e1ebfc6ab252a27a1709015b5f1617b534f0090a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_screamingplow"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file MixText.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file MixText.py","hash1":"e4d24e30e6cc3a0aa0032dbbd2b68c60bac216bef524eaf56296430aa05b3795","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_MixText"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file tunnel_state_reader","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file tunnel_state_reader","hash1":"49d48ca1ec741f462fde80da68b64dfa5090855647520d29e345ef563113616c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_tunnel_state_reader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file 
payload.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file payload.py","hash1":"21bed6d699b1fbde74cbcec93575c9694d5bea832cd191f59eb3e4140e5c5e07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_payload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file eligiblecandidate.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file eligiblecandidate.py","hash1":"c4567c00734dedf1c875ecbbd56c1561a1610bedb4621d9c8899acec57353d86","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_eligiblecandidate"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BUSURPER-2211-724.exe","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BUSURPER-2211-724.exe","hash1":"d809d6ff23a9eee53d2132d2c13a9ac5d0cb3037c60e229373fc59a4f14bc744","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BUSURPER_2211_724"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file networkProfiler_orderScans.sh","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file networkProfiler_orderScans.sh","hash1":"ea986ddee09352f342ac160e805312e3a901e58d2beddf79cd421443ba8c9898","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_networkProfiler_orderScans"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py","hash1":"4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_epicbanana_2_1_0_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file sniffer_xml2pcap","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file sniffer_xml2pcap","hash1":"f5e5d75cfcd86e5c94b0e6f21bbac886c7e540698b1556d88a83cc58165b8e42","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sniffer_xml2pcap"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BananaAid","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BananaAid","hash1":"7a4fb825e63dc612de81bc83313acf5eccaa7285afc05941ac1fef199279519f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BananaAid"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file config_jp1_UA.pl","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file config_jp1_UA.pl","hash1":"2f50b6e9891e4d7fd24cc467e7f5cfe348f56f6248929fec4bbee42a5001ae56","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_config_jp1_UA"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file 
userscript.FW","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file userscript.FW","hash1":"5098ff110d1af56115e2c32f332ff6e3973fb7ceccbd317637c9a72a3baa43d7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_userscript"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BUSURPER-3001-724.exe","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BUSURPER-3001-724.exe","hash1":"6b558a6b8bf3735a869365256f9f2ad2ed75ccaa0eefdc61d6274df4705e978b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BUSURPER_3001_724"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file workit.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file workit.py","hash1":"fb533b4d255b4e6072a4fa2e1794e38a165f9aa66033340c2f4f8fd1da155fac","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"Research","rule":"EQGRP_workit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file tinyhttp_setup.sh","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file tinyhttp_setup.sh","hash1":"3d12c83067a9f40f2f5558d3cf3434bbc9a4c3bb9d66d0e3c0b09b9841c766a0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_tinyhttp_setup"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file EPBA.script","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file EPBA.script","hash1":"53e1af1b410ace0934c152b5df717d8a5a8f5fdd8b9eb329a44d94c39b066ff7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_EPBA"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file jetplow.sh","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file 
jetplow.sh","hash1":"ee266f84a1a4ccf2e789a73b0a11242223ed6eba6868875b5922aea931a2199c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_jetplow_SH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py","hash1":"59d60835fe200515ece36a6e87e642ee8059a40cb04ba5f4b9cce7374a3e7735","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_extrabacon"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file sploit.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file sploit.py","hash1":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sploit_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file 
uninstallPBD.bat","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file uninstallPBD.bat","hash1":"692fdb449f10057a114cf2963000f52ce118d9a40682194838006c66af159bd0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_uninstallPBD"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BICECREAM-2140","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BICECREAM-2140","hash1":"4842076af9ba49e6dfae21cf39847b4172c06a0bd3d2f1ca6f30622e14b77210","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BICECREAM"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BFLEA-2201.exe","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BFLEA-2201.exe","hash1":"15e8c743770e44314496c5f27b6297c5d7a4af09404c4aa507757e0cc8edc79e","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BFLEA_2201"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file StoreFc.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file StoreFc.py","hash1":"f155cce4eecff8598243a721389046ae2b6ca8ba6cb7b4ac00fd724601a56108","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_StoreFc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe","hash1":"498fc9f20b938b8111adfa3ca215325f265a08092eefd5300c4168876deb7bf6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BBALL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files 
BARPUNCH-3110, BPICKER-3100","hash1":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash2":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BARPUNCH_BPICKER","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash3":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash4":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash5":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash6":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash7":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","hash8":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen5","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit","hash1":"1214e282ac7258e616ebd76f912d4b2455d1b415b7216823caa3fc0d09045a5f","hash2":"c8a151df7605cb48feb8be2ab43ec965b561d2b6e2a837d645fdf6a6191ab5fe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_pandarock","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BananaUsurper_writeJetPlow","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, 
BLIQUER-3120","hash1":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash2":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash3":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash4":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash2":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash3":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash4":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash5":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash6":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset 
Firewall - from files BLIAR-2110, BLIQUER-2230","hash1":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash2":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_BLIAR_BLIQUER","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files sploit.py, sploit.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files sploit.py, sploit.py","hash1":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","hash2":"0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_sploit","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset 
Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash3":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash4":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash5":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash6":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall","hash1":"3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119","hash2":"830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc","hash3":"05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4","hash4":"d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939","hash5":"8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2","hash6":"6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3","hash7":"d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f","hash8":"ee3e3487a9582181892e27b4078c5a3cb47bb31fc607634468cc67753f7e61d7","hash9":"464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Implants_Gen1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - from files ssh.py, telnet.py","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - from files ssh.py, telnet.py","hash1":"630d464b1d08c4dfd0bd50552bee2d6a591fb0b5597ecebaa556a3c3d4e0aa4e","hash2":"07f4c60505f4d5fb5c4a76a8c899d9b63291444a3980d94c06e1d5889ae85482","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_ssh_telnet_29","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - Callback addresses","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Callback addresses","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_callbacks"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - Extrabacon exploit output","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Extrabacon exploit output","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Extrabacon_Output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EQGRP Toolset Firewall - Unique strings","trigger":"signature-base-master/yara/apt_eqgrp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-16","description":"EQGRP Toolset Firewall - Unique strings","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research","rule":"EQGRP_Unique_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner","hash1":"8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_Auditcleaner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file elgingamble","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file elgingamble","hash1":"0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_elgingamble"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file cmsd","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file cmsd","hash1":"634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_cmsd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5","hash1":"eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ebbshave"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file eggbasket","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file eggbasket","hash1":"b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_eggbasket"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file sambal","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file sambal","hash1":"2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_sambal"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file 
cmsex","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file cmsex","hash1":"2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_cmsex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file DUL","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file DUL","hash1":"24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_DUL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file slugger2","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file 
slugger2","hash1":"a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_slugger2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file ebbisland","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file ebbisland","hash1":"eba07c98c7e960bb6c71dafde85f5da9f74fd61bc87793c87e04b1ae2d77e977","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ebbisland"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file jackpop","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file jackpop","hash1":"0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_jackpop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file parsescan","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file parsescan","hash1":"942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_parsescan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1","hash1":"eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_epoxyresin_v1_0_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool 
leaked by ShadowBrokers- file estopmoonlit","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit","hash1":"707ecc234ed07c16119644742ebf563b319b515bf57fd43b669d3791a1c5e220","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_estopmoonlit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file envoytomato","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file envoytomato","hash1":"9bd001057cc97b81fdf2450be7bf3b34f1941379e588a7173ab7fffca41d4ad5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_envoytomato"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file smash","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file 
smash","hash1":"1dc94b46aaff06d65a3bf724c8701e5f095c1c9c131b65b2f667e11b1f0129a6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_smash"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file ratload","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file ratload","hash1":"4a4a8f2f90529bee081ce2188131bac4e658a374a270007399f80af74c16f398","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ratload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file ys.auto","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file ys.auto","hash1":"a6387307d64778f8d9cfc60382fdcf0627cde886e952b8d73cc61755ed9fde15","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_ys"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file estesfox","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file estesfox","hash1":"33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_estesfox"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- file scanner","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- file scanner","hash1":"dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_scanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","hash1":"9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893","hash2":"0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ftshell_ftshell_v3_10_3_0","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2","hash1":"dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222","hash2":"9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__scanner_scanner_v2_1_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked 
by ShadowBrokers- from files ghost_sparc, ghost_x86","hash1":"d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1","hash2":"82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ghost_sparc_ghost_x86_3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan","hash1":"8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984","hash2":"942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__jparsescan_parsescan_5","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-08","description":"Equation Group hack tool leaked by ShadowBrokers- from files ftshell, 
ftshell.v3.10.3.7","hash1":"9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893","hash4":"0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup__ftshell","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Equation Group hack tool set","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-09","description":"Equation Group hack tool set","hash1":"3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1","rule":"EquationGroup_noclient_3_3_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EquationGroup Tool - April Leak","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d","hash2":"b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17_Eternalromance","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EquationGroup Tool - April Leak","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5","hash2":"561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e","hash3":"f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b","hash4":"8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EquationGroup Tool - April Leak","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927","hash2":"5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EquationGroup Tool - April Leak","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-15","description":"Detects EquationGroup Tool - April Leak","hash1":"3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6","hash2":"c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd","hash3":"9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556","hash4":"c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674","hash5":"5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation","rule":"EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects output generated by EQGRP scanner.exe","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-17","description":"Detects output generated by EQGRP scanner.exe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal 
Research","rule":"EquationGroup_scanner_output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"String from the ShodowBroker Files Screenshots - Dec 2016","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings derived from the ShadowBroker's leak of Windows tools/exploits","trigger":"signature-base-master/yara/apt_eqgrp_apr17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-08","description":"Detects strings derived from the ShadowBroker's leak of Windows tools/exploits","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message7/","rule":"FVEY_ShadowBrokers_Jan17_Screen_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This rule is UNTESTED against a large dataset and is for hunting purposes only.","trigger":"signature-base-master/yara/apt_eqgrp_sparc_sbz_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"netadr, modified by Florian Roth for performance reasons","date":"2023-04-02","description":"This rule is UNTESTED against a 
large dataset and is for hunting purposes only.","modified":"2023-05-08","reference":"https://netadr.github.io/blog/a-quick-glimpse-sbz/","rule":"SUSP_ELF_SPARC_Hunting_SBZ_UniqueStrings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware Redosdru - file systemHome.exe","trigger":"signature-base-master/yara/apt_eternalblue_non_wannacry.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-04","description":"Detects malware Redosdru - file systemHome.exe","hash1":"4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/OOB3mH","rule":"Backdoor_Redosdru_Jun17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group","trigger":"signature-base-master/yara/apt_f5_bigip_expl_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-07","description":"Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group","reference":"https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/","rule":"MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a string found in memory of malware 
cedt370r(3).exe","trigger":"signature-base-master/yara/apt_fidelis_phishing_plain_sight.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-09","description":"Detects a string found in memory of malware cedt370r(3).exe","reference":"http://goo.gl/ZjJyti","rule":"Fidelis_Advisory_cedt370"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from FIN7 report in August 2018","trigger":"signature-base-master/yara/apt_fin7.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-08-01","description":"Detects strings from FIN7 report in August 2018","hash1":"b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html","rule":"APT_FIN7_Strings_Aug18_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JavaScript obfuscation as used in MalDocs by FIN7 group","trigger":"signature-base-master/yara/apt_fin7.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-07","description":"Detects JavaScript obfuscation as used in MalDocs by FIN7 
group","reference":"https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor","rule":"SUSP_OBFUSC_JS_Sept21_2","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Word Dropper from Proofpoint FIN7 Report","trigger":"signature-base-master/yara/apt_fin7_backdoor.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-04","description":"Detects Word Dropper from Proofpoint FIN7 Report","reference":"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor","rule":"FIN7_Backdoor_Aug17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects FourElementSword Malware","trigger":"signature-base-master/yara/apt_four_element_sword.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-18","description":"Detects FourElementSword Malware","hash":"f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/","rule":"FourElementSword_Config_File"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects FourElementSword Malware","trigger":"signature-base-master/yara/apt_four_element_sword.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-04-18","description":"Detects FourElementSword Malware","hash":"9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/","rule":"FourElementSword_ElevateDLL_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"String from the ShodowBroker Files Screenshots - Dec 2016","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"String from the ShodowBroker Files Screenshots - Dec 2016","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Auct_Dez16_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file violetspirit.README","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file violetspirit.README","hash1":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_violetspirit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file 
gr.notes","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file gr.notes","hash1":"b2b60dce7a4cfdddbd3d3f1825f1885728956bae009de3a307342fbdeeafcb79","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_gr_gr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.yellowspirit.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.yellowspirit.COMMON","hash1":"a7c4b718fa92934a9182567288146ffa3312d9f3edc3872478c90e0e2814078c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_yellowspirit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file opscript.se","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file opscript.se","hash1":"275c91531a9ac5a240336714093b6aa146b8d7463cb2780cfeeceaea4c789682","license":"Detection Rule License 
1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_opscript"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.epichero.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.epichero.COMMON","hash1":"679d194c32cbaead7281df9afd17bca536ee9d28df917b422083ae8ed5b5c484","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_epichero"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.elatedmonkey","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.elatedmonkey","hash1":"98ae935dd9515529a34478cb82644828d94a2d273816d50485665535454e37cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file 
user.tool.dubmoat.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.dubmoat.COMMON","hash1":"bcd4ee336050488f5ffeb850d8eaa11eec34d8ba099b370d94d2c83f08a4d881","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_dubmoat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file strifeworld.1","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file strifeworld.1","hash1":"222b00235bf143645ad0d55b2b6839febc5b570e3def00b77699915a7c9cb670","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_strifeworld"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.pork.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file 
user.tool.pork.COMMON","hash1":"9c400aab74e75be8770387d35ca219285e2cedc0c7895225bbe567ce9c9dc078","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_pork"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.ebbisland.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.ebbisland.COMMON","hash1":"390e776ae15fadad2e3825a5e2e06c4f8de6d71813bef42052c7fd8494146222","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_ebbisland"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.elgingamble.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.elgingamble.COMMON","hash1":"4130284727ddef4610d63bfa8330cdafcb6524d3d2e7e8e0cb34fde8864c8118","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_elgingamble"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file README.cup.NOPEN","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file README.cup.NOPEN","hash1":"98aaad31663b89120eb781b25d6f061037aecaeb20cf5e32c36c68f34807e271","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_README_cup"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file oneshot.example","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file oneshot.example","hash1":"a85b260d6a53ceec63ad5f09e1308b158da31062047dc0e4d562d2683a82bf9a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_nopen_oneshot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file 
user.tool.earlyshovel.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.earlyshovel.COMMON","hash1":"504e7a376c21ffbfb375353c5451dc69a35a10d7e2a5d0358f9ce2df34edf256","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_earlyshovel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file user.tool.envisioncollision.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - file user.tool.envisioncollision.COMMON","hash1":"2f04f078a8f0fdfc864d3d2e37d123f55ecc1d5e401a87eccd0c3846770f9e02","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_user_tool_envisioncollision"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated 
rule","hash1":"4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de","hash2":"64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7","hash3":"a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON","hash1":"18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728","hash2":"f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated 
rule","hash1":"18dfd74c3e0bfb1c21127cf3382ba1d9812efdf3e992bd666d513aaf3519f728","hash2":"4b236b066ac7b8386a13270dcb7fdff2dda81365d03f53867eb72e29d5e496de","hash3":"3fe78949a9f3068db953b475177bcad3c76d16169469afd72791b4312f60cfb3","hash4":"64c24bbf42f15dcac04371aef756feabb7330f436c20f33cb25fbc8d0ff014c7","hash5":"a237a2bd6aec429f9941d6de632aeb9729880aa3d5f6f87cf33a76d6caa30619","hash6":"89748906d1c574a75fe030645c7572d7d4145b143025aa74c9b5e2be69df8773","hash7":"f4b728c93dba20a163b59b4790f29aed1078706d2c8b07dc7f4e07a6f3ecbe93","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files violetspirit.README, violetspirit.README","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_dec16.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-17","description":"Auto-generated rule - from files violetspirit.README, violetspirit.README","hash1":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","hash2":"a55fec73595f885e43b27963afb17aee8f8eefe811ca027ef0d7721d073e67ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message6/","rule":"FVEY_ShadowBroker_Gen_Readme4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings derived from the ShadowBroker's leak of Windows 
tools/exploits","trigger":"signature-base-master/yara/apt_fvey_shadowbroker_jan17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-08","description":"Detects strings derived from the ShadowBroker's leak of Windows tools/exploits","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://bit.no.com:43110/theshadowbrokers.bit/post/message7/","rule":"FVEY_ShadowBrokers_Jan17_Screen_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","trigger":"signature-base-master/yara/apt_ghostdragon_gh0st_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-23","description":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","hash1":"f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197","hash2":"99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2","hash3":"6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df","hash4":"b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/the-ghost-dragon","rule":"GhostDragon_Gh0stRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","trigger":"signature-base-master/yara/apt_ghostdragon_gh0st_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth 
(Nextron Systems)","date":"2016-04-23","description":"Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report","hash1":"71a52058f6b5cef66302c19169f67cf304507b4454cca83e2c36151da8da1d97","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/the-ghost-dragon","rule":"GhostDragon_Gh0stRAT_Sample2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects export from Gold Dragon - February 2018","trigger":"signature-base-master/yara/apt_golddragon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-02-03","description":"Detects export from Gold Dragon - February 2018","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/","rule":"GoldDragon_Aux_File","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ISMDoor Backdoor","trigger":"signature-base-master/yara/apt_greenbug.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-25","description":"Detects ISMDoor Backdoor","hash1":"308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f","hash2":"82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/urp4CD","rule":"Greenbug_Malware_4","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_greenbug.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-25","description":"Auto-generated rule","hash1":"308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f","hash2":"44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49","hash3":"7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c","hash4":"82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://goo.gl/urp4CD","rule":"Greenbug_Malware_5","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"X-Agent/CHOPSTICK Implant by APT28","trigger":"signature-base-master/yara/apt_grizzlybear_uscert.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"X-Agent/CHOPSTICK Implant by APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_3_v1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"BlackEnergy / Voodoo Bear Implant by 
APT28","trigger":"signature-base-master/yara/apt_grizzlybear_uscert.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"BlackEnergy / Voodoo Bear Implant by APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_4_v9","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Unidentified Implant by APT29","trigger":"signature-base-master/yara/apt_grizzlybear_uscert.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"Unidentified Implant by APT29","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"Unidentified_Malware_Two","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artefacts found in HAFNIUM intrusions","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects forensic artefacts found in HAFNIUM intrusions","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","rule":"APT_HAFNIUM_Forensic_Artefacts_Mar21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PowerCat 
hacktool","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects PowerCat hacktool","hash1":"c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2","reference":"https://github.com/besimorhino/powercat","rule":"HKTL_PS1_PowerCat_Mar21"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PowerShell Oneliner in Nishang's repository","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-03","description":"Detects PowerShell Oneliner in Nishang's repository","hash1":"2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32","reference":"https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1","rule":"HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"variation on reGeorgtunnel","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-03-01","description":"variation on reGeorgtunnel","hash":"406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928","reference":"https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx","rule":"WEBSHELL_ASPX_reGeorgTunnel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"The SPORTSBALL webshell allows attackers to upload files or execute 
commands on the system.","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-03-01","description":"The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.","hash":"2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a","reference":"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/","rule":"WEBSHELL_ASPX_SportsBall"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Joe Hannon, Microsoft Threat Intelligence Center (MSTIC)","date":"2021-03-05","description":"Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. 
TLP:WHITE","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","rule":"WEBSHELL_CVE_2021_27065_Webshells"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CVE-2021-27065 Webshellz","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"CISA Code \u0026 Media Analysis","date":"2021-03-17","description":"Detects CVE-2021-27065 Webshellz","hash":"c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5","reference":"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a","rule":"WEBSHELL_HAFNIUM_CISA_10328929_01"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Chopper like ASPX Webshells","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-31","description":"Detects Chopper like ASPX Webshells","hash1":"a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75","reference":"Internal Research","rule":"WEBSHELL_ASPX_FileExplorer_Mar21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Chopper like ASPX Webshells","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-31","description":"Detects Chopper like ASPX Webshells","hash1":"ac44513e5ef93d8cbc17219350682c2246af6d5eb85c1b4302141d94c3b06c90","reference":"Internal 
Research","rule":"WEBSHELL_ASPX_Chopper_Like_Mar21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user input","trigger":"signature-base-master/yara/apt_hafnium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065","trigger":"signature-base-master/yara/apt_hafnium_log_sigs.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-02","description":"Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065","reference":"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/","rule":"EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting","trigger":"signature-base-master/yara/apt_hafnium_log_sigs.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2021-03-08","description":"Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting","reference":"https://twitter.com/jdferrell3/status/1368626281970024448","rule":"LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity","trigger":"signature-base-master/yara/apt_hafnium_log_sigs.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Zach Stanford - @svch0st, Florian Roth","date":"2021-03-10","description":"Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity","modified":"2021-03-15","reference":"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log","reference_2":"https://www.praetorian.com/blog/reproducing-proxylogon-exploit/","rule":"EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Tofu Trojan","trigger":"signature-base-master/yara/apt_ham_tofu_chches.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance","date":"2017-02-28","description":"Detects Tofu Trojan","reference":"https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html","rule":"Tofu_Backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"detection for Hellsing 
implants","trigger":"signature-base-master/yara/apt_hellsing_kaspersky.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Costin Raiu, Kaspersky Lab","copyright":"Kaspersky Lab","date":"2015-04-07","description":"detection for Hellsing implants","filetype":"PE","rule":"apt_hellsing_implantstrings","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects HOPLIGHT malware used by HiddenCobra APT group","trigger":"signature-base-master/yara/apt_hidden_cobra.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-13","description":"Detects HOPLIGHT malware used by HiddenCobra APT group","hash1":"d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39","reference":"https://www.us-cert.gov/ncas/analysis-reports/AR19-100A","rule":"APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Industroyer related custom port scaner output file","trigger":"signature-base-master/yara/apt_industroyer.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-13","description":"Detects Industroyer related custom port scaner output file","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/x81cSy","rule":"Industroyer_Portscan_3_Output"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Industroyer related 
malware","trigger":"signature-base-master/yara/apt_industroyer.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-13","description":"Detects Industroyer related malware","hash1":"7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/x81cSy","rule":"Industroyer_Malware_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects IronGate APT Malware - Step7ProSim DLL","trigger":"signature-base-master/yara/apt_irongate.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-04","description":"Detects IronGate APT Malware - Step7ProSim DLL","hash1":"0539af1a0cc7f231af8f135920a990321529479f6534c3b64e571d490e1514c3","hash2":"fa8400422f3161206814590768fc1a27cf6420fc5d322d52e82899ac9f49e14f","hash3":"5ab1672b15de9bda84298e0bb226265af09b70a9f0b26d6dfb7bdd6cbaed192d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/Mr6M2J","rule":"IronGate_APT_Step7ProSim_Gen","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - htran-exe","trigger":"signature-base-master/yara/apt_irontiger.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Iron Panda malware DnsTunClient - file named.exe","trigger":"signature-base-master/yara/apt_irontiger.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-16","description":"Iron Panda malware DnsTunClient - file named.exe","hash":"a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/E4qia9","rule":"IronPanda_DNSTunClient","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Iron Panda Malware Htran","trigger":"signature-base-master/yara/apt_irontiger.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-16","description":"Iron Panda Malware Htran","hash":"7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/E4qia9","rule":"IronPanda_Malware_Htran"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"ASPXSpy detection. It might be used by other fraudsters","trigger":"signature-base-master/yara/apt_irontiger_trendmicro.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cyber Safety Solutions, Trend Micro","description":"ASPXSpy detection. 
It might be used by other fraudsters","reference":"http://goo.gl/T5fSJC","rule":"IronTiger_ASPXSpy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Iron Tiger Tool - wmi.vbs detection","trigger":"signature-base-master/yara/apt_irontiger_trendmicro.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cyber Safety Solutions, Trend Micro","description":"Iron Tiger Tool - wmi.vbs detection","reference":"http://goo.gl/T5fSJC","rule":"IronTiger_wmiexec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Keylogger - generic rule for a Chinese variant","trigger":"signature-base-master/yara/apt_keylogger_cn.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Keylogger - generic rule for a Chinese variant","hash":"3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Keylogger_CN_APT","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Laudanum Injector Tools - file shell.php","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-22","description":"Laudanum Injector Tools - file shell.php","hash":"dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://laudanum.inguardians.com/","rule":"php_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Laudanum Injector Tools","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-22","description":"Laudanum Injector Tools","hash0":"076aa781a004ecb2bf545357fd36dcbafdd68b1a","hash1":"885e1783b07c73e7d47d3283be303c9719419b92","hash10":"5570d10244d90ef53b74e2ac287fc657e38200f0","hash11":"42bcb491a11b4703c125daf1747cf2a40a1b36f3","hash12":"83e4eaaa2cf6898d7f83ab80158b64b1d48096f4","hash13":"dec7ea322898690a7f91db9377f035ad7072b8d7","hash14":"a2272b8a4221c6cc373915f0cc555fe55d65ac4d","hash15":"588739b9e4ef2dbb0b4cf630b73295d8134cc801","hash16":"43320dc23fb2ed26b882512e7c0bfdc64e2c1849","hash2":"01d5d16d876c55d77e094ce2b9c237de43b21a16","hash3":"7421d33e8007c92c8642a36cba7351c7f95a4335","hash4":"f49291aef9165ee4904d2d8c3cf5a6515ca0794f","hash5":"c0dee56ee68719d5ec39e773621ffe40b144fda5","hash6":"f32b9c2cc3a61fa326e9caebce28ef94a7a00c9a","hash7":"dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6","hash8":"fd498c8b195967db01f68776ff5e36a06c9dfbfe","hash9":"b50ae35fcf767466f6ca25984cc008b7629676b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://laudanum.inguardians.com/","rule":"Laudanum_Tools_Generic","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. 
restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"JSP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/09","description":"JSP Webshells which contain unique strings, lousy rule for low hanging fruits. 
Most are catched by other rules in here but maybe these catch different versions.","hash":"06b42d4707e7326aff402ecbb585884863c6351a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_by_string"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from files Dive Shell 1.0","trigger":"signature-base-master/yara/apt_laudanum_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/04/06","description":"PHP Webshells Github Archive - from files Dive Shell 1.0","hash0":"3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b","hash1":"2558e728184b8efcdb57cfab918d95b06d45de04","hash2":"203a8021192531d454efbc98a3bbb8cabe09c85c","hash3":"b79709eb7801a28d02919c41cc75ac695884db27","modified":"2022-12-06","rule":"WebShell_Generic_PHP_1","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Lazarus malware from incident in Dec 2017","trigger":"signature-base-master/yara/apt_lazarus_dec17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-20","description":"Detects Lazarus malware from incident in Dec 2017","hash1":"db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8U6fY2","rule":"Lazarus_Dec_17_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects reflective loader (Cobalt Strike) used in Operation 
Wilted Tulip","trigger":"signature-base-master/yara/apt_leviathan.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.","trigger":"signature-base-master/yara/apt_leviathan.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-12-01","description":"Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.","fingerprint":"6c78cbc1250afb36970d87d8ee2fe8409f57c9d34251d6e3908454e6643f92e3","first_imported":"2021-12-30","id":"3xg5wneq3ZntsMg61ltshS","last_modified":"2021-12-30","rule":"MalScript_Tricks","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/apt_leviathan.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Attempts to detect Cobalt Strike based on strings found in BEACON","fingerprint":"e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71","id":"ee756db7-e177-41f0-af99-c44646d334f7","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_ee756db7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects LinaDoor Linux Rootkit","trigger":"signature-base-master/yara/apt_lnx_linadoor_rootkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-05-19","description":"Detects LinaDoor Linux Rootkit","hash1":"25ff1efe36eb15f8e19411886217d4c9ec30b42dca072b1bf22f041a04049cd9","hash2":"4792e22d4c9996af1cb58ed54fee921a7a9fdd19f7a5e7f268b6793cdd1ab4e7","hash3":"9067230a0be61347c0cf5c676580fc4f7c8580fc87c932078ad0c3f425300fb7","hash4":"940b79dc25d1988dabd643e879d18e5e47e25d0bb61c1f382f9c7a6c545bfcff","hash5":"a1df5b7e4181c8c1c39de976bbf6601a91cde23134deda25703bc6d9cb499044","hash6":"c4eea99658cd82d48aaddaec4781ce0c893de42b33376b6c60a949008a3efb27","hash7":"c5651add0c7db3bbfe0bbffe4eafe9cd5aa254d99be7e3404a2054d6e07d20e7","modified":"2023-05-16","reference":"Internal Research","rule":"MAL_LNX_LinaDoor_Rootkit_May22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pupy 
RAT","trigger":"signature-base-master/yara/apt_magichound.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-17","description":"Detects Pupy RAT","hash1":"8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations","rule":"APT_PupyRAT_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)","trigger":"signature-base-master/yara/apt_mal_gopuram_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-04-03","description":"Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)","hash1":"69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf","hash3":"bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9","hash4":"dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9","hash5":"fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e","reference":"https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/","rule":"APT_NK_MAL_DLL_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 
2021","trigger":"signature-base-master/yara/apt_mal_ilo_board_elf.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-28","description":"Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021","reference":"https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/","rule":"APT_MAL_HP_iLO_Firmware_Dec21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Malware sample mentioned in Microcin technical report by Kaspersky","trigger":"signature-base-master/yara/apt_microcin.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-26","description":"Malware sample mentioned in Microcin technical report by Kaspersky","hash1":"b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf","rule":"Microcin_Sample_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"CommentCrew Malware MiniASP APT","trigger":"signature-base-master/yara/apt_miniasp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"CommentCrew Malware MiniASP APT","hash0":"0af4360a5ae54d789a8814bf7791d5c77136d625","hash1":"777bf8def279942a25750feffc11d8a36cc0acf9","hash2":"173f20b126cb57fc8ab04d01ae223071e2345f97","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"APT_Malware_CommentCrew_MiniASP","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ShimRat and the ShimRat loader","trigger":"signature-base-master/yara/apt_mofang.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)","date":"20/11/2015","description":"Detects ShimRat and the ShimRat loader","rule":"shimrat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ShimRatReporter","trigger":"signature-base-master/yara/apt_mofang.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)","date":"20/11/2015","description":"Detects ShimRatReporter","rule":"shimratreporter"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Molerats sample - July 2017","trigger":"signature-base-master/yara/apt_molerats_jul17.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-07","description":"Detects Molerats sample - July 2017","hash1":"ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html","rule":"Molerats_Jul17_Sample_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-15","description":"Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings","hash":"e59f92aadb6505f29a9f368ab803082e","last_modified":"2017-03-22","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_customlokitools","version":"1.1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze sniffer tools","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-15","description":"Rule to detect Moonlight Maze sniffer tools","hash":"927426b558888ad680829bd34b0ad0e7","original_filename":"ora;tdn","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_customsniffer","version":"1.1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'de' and 'deg' tunnel 
tool","hash":"8b56e8552a74133da4bc5939b5f74243","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_de_tool","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze 'cle' log cleaning tool","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'cle' log cleaning tool","hash":"647d7b711f7b4434145ea30d0ef207b0","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_cle_tool","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect Moonlight Maze 'xk' keylogger","trigger":"signature-base-master/yara/apt_moonlightmaze.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kaspersky Lab","date":"2017-03-27","description":"Rule to detect Moonlight Maze 'xk' keylogger","last_modified":"2017-03-27","reference":"https://en.wikipedia.org/wiki/Moonlight_Maze","rule":"apt_RU_MoonlightMaze_xk_keylogger","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs the Nanocore RAT and similar malware","trigger":"signature-base-master/yara/apt_nanocore_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-22","description":"Detetcs the Nanocore RAT and similar 
malware","hash1":"e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/","rule":"Nanocore_RAT_Gen_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detetcs the Nanocore RAT","trigger":"signature-base-master/yara/apt_nanocore_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-22","description":"Detetcs the Nanocore RAT","hash1":"755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/","rule":"Nanocore_RAT_Gen_2","score":"100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.Nanocore","trigger":"signature-base-master/yara/apt_nanocore_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-13","fingerprint":"e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4","id":"d8c4e3c5-8bcc-43d2-9104-fa3774282da5","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd","rule":"Windows_Trojan_Nanocore_d8c4e3c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Nanocore"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects user function string from NCSC report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects user function string from NCSC report","hash":"b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"User_Function_String"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malicious batch file from NCSC report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects malicious batch file from NCSC report","hash":"b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Batch_Script_To_Run_PsExec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malicious batch file from NCSC report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects malicious batch file from NCSC 
report","hash":"0a6b1b29496d4514f6485e78680ec4cd0296ef4d21862d8bf363900a4f8e3fd2","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Batch_Powershell_Invoke_Inveigh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects RDP brute forcer from NCSC report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects RDP brute forcer from NCSC report","hash":"8234bf8a1b53efd2a452780a69666d1aedcec9eb1bb714769283ccc2c2bdcc65","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"RDP_Brute_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Z Webshell from NCSC report","trigger":"signature-base-master/yara/apt_ncsc_report_04_2018.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC","date":"2018/04/06","description":"Detects Z Webshell from NCSC report","hash":"ace12552f3a980f1eed4cadb02afe1bfb851cafc8e58fb130e1329719a07dbf0","reference":"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control","rule":"Z_WebShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a string also used in Netwire RAT 
auxilliary","trigger":"signature-base-master/yara/apt_netwire_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-05","description":"Detects a string also used in Netwire RAT auxilliary","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://pastebin.com/8qaiyPxs","rule":"Suspicious_BAT_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a string also used in Netwire RAT auxilliary","trigger":"signature-base-master/yara/apt_netwire_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-05","description":"Detects a string also used in Netwire RAT auxilliary","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://pastebin.com/8qaiyPxs","rule":"Malicious_BAT_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Ruby loader seen loading the ROKRAT malware family.","trigger":"signature-base-master/yara/apt_nk_inkysquid.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-06-22","description":"Ruby loader seen loading the ROKRAT malware family.","hash1":"5bc52f6c1c0d0131cee30b4f192ce738ad70bcb56e84180f464a5125d1a784b2","license":"See license at 
https://github.com/volexity/threat-intel/LICENSE.txt","reference":"https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/","rule":"APT_RUBY_RokRat_Loader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in POOLRAT malware","trigger":"signature-base-master/yara/apt_nk_tradingtech_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Mandiant","date":"2023-04-20","description":"Detects strings found in POOLRAT malware","disclaimer":"This rule is meant for hunting and is not tested to run in a production environment","hash1":"451c23709ecd5a8461ad060f6346930c","old_rule_name":"APT_NK_MAL_M_Hunting_POOLRAT","reference":"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise","rule":"SUSP_NK_MAL_M_Hunting_POOLRAT","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Oilrig malware samples","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-12","description":"Detects Oilrig malware samples","hash1":"c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d","hash2":"293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb","modified":"2023-01-07","reference":"https://goo.gl/QMRZ8K","rule":"OilRig_Malware_Campaign_Gen2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects OilRig 
malware","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Eyal Sela (slightly modified by Florian Roth)","date":"2018-01-19","description":"Detects OilRig malware","reference":"Internal Research","rule":"Oilrig_IntelSecurityManager_macro"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects OilRig malware","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Eyal Sela","date":"2018-01-19","description":"Detects OilRig malware","reference":"Internal Research","rule":"Oilrig_IntelSecurityManager"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects APT34 PowerShell malware","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-17","description":"Detects APT34 PowerShell malware","hash1":"b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768","reference":"https://twitter.com/0xffff0800/status/1118406371165126656","rule":"APT_APT34_PS_Malware_Apr19_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects APT34 PowerShell malware","trigger":"signature-base-master/yara/apt_oilrig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-17","description":"Detects APT34 PowerShell 
malware","hash1":"27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed","modified":"2023-01-06","reference":"https://twitter.com/0xffff0800/status/1118406371165126656","rule":"APT_APT34_PS_Malware_Apr19_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Powershell CnC using DNS queries","trigger":"signature-base-master/yara/apt_oilrig_chafer_mar18.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Markus Neis","date":"2018-03-22","description":"Powershell CnC using DNS queries","hash1":"9198c29a26f9c55317b4a7a722bf084036e93a41ba4466cbb61ea23d21289cfa","reference":"https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf","rule":"Oilrig_PS_CnC"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups","trigger":"signature-base-master/yara/apt_onhat_proxy.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-12","description":"Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT 
groups","hash1":"30b2de0a802a65b4db3a14593126301e6949c1249e68056158b2cc74798bac97","hash2":"94bda24559713c7b8be91368c5016fc7679121fea5d565d3d11b2bb5d5529340","hash3":"a26e75fec3b9f7d5a1c3d0ce1e89e4b0befb7a601da0c69a4cf96301921771dd","hash4":"c202e9d5b99f6137c7c07305c7314e55f52bae832d460c44efc8f2a90ff03615","hash5":"dded62ad85c0bdd68bcc96f88d8ba42d5ad0ef999911ebdea3f561a4491ebbc6","hash6":"f0954774c91603fc2595f0ba0727b9af4e80f6f9be7bb629e7fb6ba4309ed4ea","hash7":"f3906be01d51e2e1ae9b03cd09702b6e0794b9c9fd7dc04024f897e96bb13232","hash8":"f65ae9ccf988a06a152f27a4c0d7992100a2d9d23d80efe8d8c2a5c9bd78a3a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/p32Ozf","rule":"ONHAT_Proxy_Hacktool","score":"100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Keylogger used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Keylogger used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_BackDoorLogger","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"ARP cache poisoner used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"ARP cache poisoner used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_Jasus","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Shell Creator used by attackers in Operation Cleaver to create ASPX web shells","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Shell Creator used by attackers in Operation Cleaver to create ASPX web shells","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_ShellCreator2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Malware or hack tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Malware or hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_SmartCopy2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Malware or hack tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Malware or hack tool used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_SynFlooder","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Tiny Bot used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Tiny Bot used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_TinyZBot","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Keywords used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Keywords used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_ZhoupinExploitCrew","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Hack tool used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_antivirusdetector","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Backdoor used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Backdoor used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_csext","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Backdoor used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Backdoor used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_kagent","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Mimikatz Wrapper used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Mimikatz Wrapper used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_mimikatzWrapper","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Parviz tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Parviz tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_pvz_in","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack tool used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Hack tool used by attackers in Operation Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_zhLookUp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Mimikatz wrapper used by attackers in Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance Inc.","date":"2014/12/02","description":"Mimikatz wrapper used by attackers in Operation 
Cleaver","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_zhmimikatz","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"CCProxy config known from Operation Cleaver","trigger":"signature-base-master/yara/apt_op_cleaver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/12/02","description":"CCProxy config known from Operation Cleaver","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf","rule":"OPCLEAVER_CCProxy_Config","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from Operation Cloud Hopper","trigger":"signature-base-master/yara/apt_op_cloudhopper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-03","description":"Detects malware from Operation Cloud Hopper","hash1":"beb1bc03bb0fba7b0624f8b2330226f8a7da6344afd68c5bc526f9d43838ef01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html","rule":"OpCloudHopper_Malware_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Malware related to Operation Cloud Hopper - Page 
25","trigger":"signature-base-master/yara/apt_op_cloudhopper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Malware related to Operation Cloud Hopper - Page 25","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf","rule":"OpCloudHopper_WmiDLL_inMemory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Tools related to Operation Cloud Hopper","trigger":"signature-base-master/yara/apt_op_cloudhopper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Tools related to Operation Cloud Hopper","hash1":"21bc328ed8ae81151e7537c27c0d6df6d47ba8909aebd61333e32155d01f3b11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/maaaaz/impacket-examples-windows","rule":"VBS_WMIExec_Tool_Apr17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from CSharp version of Agent","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from CSharp version of Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_Agent_Csharp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Strings from PowerShell dropper of CSharp version of Agent","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from PowerShell dropper of CSharp version of Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_powershell_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Piece of Base64 encoded data from Agent CSharp version","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from Agent CSharp version","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_powershell_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from Python version of Agent","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from Python version of Agent","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Piece of Base64 encoded data from Agent Python 
version","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from Agent Python version","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_agent_py_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from Python keylogger","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from Python keylogger","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_keylogger_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from the CSharp version of XServer","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the CSharp version of XServer","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_csharp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Piece of Base64 encoded data from the XServer PowerShell 
dropper","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Piece of Base64 encoded data from the XServer PowerShell dropper","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_powershell_b64encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from the PowerShell dropper of XServer","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the PowerShell dropper of XServer","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_xserver_powershell_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Process injector/launcher","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Process injector/launcher","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_injector_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Timeliner utility","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT 
SRT","description":"Timeliner utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_timeliner_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Checkadmin utility","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Checkadmin utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_checkadmin_bin"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Python getos utility","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Python getos utility","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_getos_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from the information grabber VBS","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the information grabber VBS","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_info_vbs"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from the console.jsp webshell","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the console.jsp webshell","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_console_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings from the ver.jsp webshell","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Strings from the ver.jsp webshell","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_ver_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic strings from webinfo.war webshells","trigger":"signature-base-master/yara/apt_op_wocao.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Fox-IT SRT","description":"Generic strings from webinfo.war webshells","reference":"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","rule":"APT_MAL_CN_Wocao_webshell_webinfo"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PassCV Malware mentioned in Cylance 
Report","trigger":"signature-base-master/yara/apt_passcv.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-20","description":"PassCV Malware mentioned in Cylance Report","hash1":"475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4","hash2":"009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78","hash3":"92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b","hash4":"0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies","rule":"PassCV_Sabre_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PoisonIvy RAT sample set","trigger":"signature-base-master/yara/apt_poisonivy.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects PoisonIvy RAT sample set","hash1":"8c2630ab9b56c00fd748a631098fa4339f46d42b","hash2":"36b4cbc834b2f93a8856ff0e03b7a6897fb59bd3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"PoisonIvy_Sample_6","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Poseidon Group Malware","trigger":"signature-base-master/yara/apt_poseidon_group.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-09","description":"Detects Poseidon Group 
Malware","hash1":"337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4","hash2":"344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3","hash3":"432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61","hash4":"8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47","hash5":"d090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f","hash6":"d7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb","hash7":"ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/","rule":"PoseidonGroup_Malware","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects","trigger":"signature-base-master/yara/apt_poshspy.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-15","description":"Detects","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html","rule":"POSHSPY_Malware"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects scripts (mostly LUA) from Project Sauron report by Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects scripts (mostly LUA) from Project Sauron report by 
Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_Scripts"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Dsniff hack tool","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-02-19","description":"Detects Dsniff hack tool","reference":"https://goo.gl/eFoP4A","rule":"HKTL_Dsniff","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from arping module - Project Sauron report by Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from arping module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_arping_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from kblogi module - Project Sauron report by Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from kblogi module - Project Sauron report by Kaspersky","license":"Detection Rule 
License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_kblogi_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from basex module - Project Sauron report by Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from basex module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_basex_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from dext module - Project Sauron report by Kaspersky","trigger":"signature-base-master/yara/apt_project_sauron_extras.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-08","description":"Detects strings from dext module - Project Sauron report by Kaspersky","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/eFoP4A","rule":"APT_Project_Sauron_dext_module"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PROMETHIUM and NEODYMIUM malware","trigger":"signature-base-master/yara/apt_promethium_neodymium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-12-14","description":"Detects PROMETHIUM and NEODYMIUM malware","hash1":"1aef507c385a234e8b10db12852ad1bd66a04730451547b2dcb26f7fae16e01f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8abDE6","rule":"PROMETHIUM_NEODYMIUM_Malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PROMETHIUM and NEODYMIUM malware","trigger":"signature-base-master/yara/apt_promethium_neodymium.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects PROMETHIUM and NEODYMIUM malware","hash1":"2f98ac11c78ad1b4c5c5c10a88857baf7af43acb9162e8077709db9d563bcf02","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/8abDE6","rule":"PROMETHIUM_NEODYMIUM_Malware_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an APT malware related to PutterPanda","trigger":"signature-base-master/yara/apt_putterpanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects an APT malware related to PutterPanda","hash":"5367e183df155e3133d916f7080ef973f7741d34","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"APT_Malware_PutterPanda_Rel","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Malware related to 
PutterPanda","trigger":"signature-base-master/yara/apt_putterpanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Detects Malware related to PutterPanda","hash0":"71a8378fa8e06bcf8ee9f019c807c6bfc58dca0c","hash1":"8fdd6e5ed9d69d560b6fdd5910f80e0914893552","hash2":"3c4a762175326b37035a9192a981f7f4cc2aa5f0","hash3":"598430b3a9b5576f03cc4aed6dc2cd8a43324e1e","hash4":"6522b81b38747f4aa09c98fdaedaed4b00b21689","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"APT_Malware_PutterPanda_Gen4","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects all QuarksPWDump versions","trigger":"signature-base-master/yara/apt_quarkspwdump.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-29","description":"Detects all QuarksPWDump versions","hash1":"2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa","hash2":"87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f","hash3":"a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9","hash4":"c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab","hash5":"677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa","hash6":"d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674","hash7":"8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"QuarksPwDump_Gen","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects Quasar RAT","trigger":"signature-base-master/yara/apt_quasar_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Detects Quasar RAT","hash1":"0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740","hash2":"515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89","hash3":"f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf","rule":"Quasar_RAT_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators found in DarkBit ransomware","trigger":"signature-base-master/yara/apt_ransom_darkbit_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-13","description":"Detects indicators found in DarkBit ransomware","reference":"https://twitter.com/idonaor1/status/1624703255770005506?s=12\u0026t=mxHaauzwR6YOj5Px8cIeIw","rule":"MAL_RANSOM_DarkBit_Feb23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from Rehashed RAT incident","trigger":"signature-base-master/yara/apt_rehashed_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-08","description":"Detects malware from Rehashed RAT incident","hash1":"49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations","rule":"Rehashed_RAT_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects RevengeRAT malware","trigger":"signature-base-master/yara/apt_revenge_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-04","description":"Detects RevengeRAT malware","hash1":"2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a","hash2":"7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213","hash3":"fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2020-07-27","reference":"Internal Research","rule":"RevengeRAT_Sep17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file Reveal-MemoryCredentials.ps1","trigger":"signature-base-master/yara/apt_rwmc_powershell_creddump.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-31","description":"Auto-generated rule - file Reveal-MemoryCredentials.ps1","hash":"893c26818c424d0ff549c1fbfa11429f36eecd16ee69330c442c59a82ce6adea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/giMini/RWMC/","rule":"Reveal_MemoryCredentials"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Sakula malware - strings after 
unpacking (memory rule)","trigger":"signature-base-master/yara/apt_sakula.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"David Cannings","description":"Sakula malware - strings after unpacking (memory rule)","md5":"b3852b9e7f2b8954be447121bb6b65c3","rule":"malware_sakula_memory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an archive file created by P.A.S. for download operation","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO (modified by Florian Roth)","date":"2021-02-15","description":"Detects an archive file created by P.A.S. for download operation","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"WEBSHELL_PAS_webshell_ZIPArchiveFile","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects SQL dump file created by P.A.S. webshell","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects SQL dump file created by P.A.S. 
webshell","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"WEBSHELL_PAS_webshell_SQLDumpFile","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Configuration_Key","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects path of the unix socket created to prevent concurrent executions in Exaramel 
malware","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects path of the unix socket created to prevent concurrent executions in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Socket_Path","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects names of the tasks received from the CC server in Exaramel malware","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO","date":"2021-02-15","description":"Detects names of the tasks received from the CC server in Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Task_Names","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Strings used by Exaramel malware","trigger":"signature-base-master/yara/apt_sandworm_centreon.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FR/ANSSI/SDO (composed from 4 saparate rules by Florian Roth)","date":"2021-02-15","description":"Detects Strings used by Exaramel malware","reference":"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf","rule":"APT_MAL_Sandworm_Exaramel_Strings","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects commands used by Sandworm group to exploit critical vulernability 
CVE-2019-10149 in Exim","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects commands used by Sandworm group to exploit critical vulernability CVE-2019-10149 in Exim","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_Sandworm_Keywords_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects SSH key used by Sandworm on exploited machines","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects SSH key used by Sandworm on exploited machines","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_Sandworm_SSH_Key_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ssh config entry inserted by Sandworm on compromised machines","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects ssh config entry inserted by Sandworm on compromised 
machines","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_Sandworm_SSHD_Config_Modification_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects mysql init script used by Sandworm on compromised machines","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects mysql init script used by Sandworm on compromised machines","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_Sandworm_InitFile_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects shell script used by Sandworm in attack against Exim mail server","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects shell script used by Sandworm in attack against Exim mail 
server","hash1":"dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730","hash2":"538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e","reference":"https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf","rule":"APT_SH_Sandworm_Shell_Script_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Sandworm Python loader","trigger":"signature-base-master/yara/apt_sandworm_exim_expl.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-05-28","description":"Detects Sandworm Python loader","hash1":"c025008463fdbf44b2f845f2d82702805d931771aea4b506573b83c8f58bccca","reference":"https://twitter.com/billyleonard/status/1266054881225236482","rule":"APT_RU_Sandworm_PY_May20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP","trigger":"signature-base-master/yara/apt_scanbox_deeppanda.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/28","description":"Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP","hash1":"8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9","hash2":"d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d","hash3":"3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference1":"http://goo.gl/MUUfjv","reference2":"http://goo.gl/WXUQcP","rule":"ScanBox_Malware_Generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware from Sednit Delphi Downloader report","trigger":"signature-base-master/yara/apt_sednit_delphidownloader.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-04-24","description":"Detects malware from Sednit Delphi Downloader report","hash1":"53aef1e8b281a00dea41387a24664655986b58d61d39cfbde7e58d8c2ca3efda","hash2":"657c83297cfcc5809e89098adf69c206df95aee77bfc1292898bbbe1c44c9dc4","hash3":"5427ecf4fa37e05a4fbab8a31436f2e94283a832b4e60a3475182001b9739182","hash4":"0458317893575568681c86b83e7f9c916540f0f58073b386d4419517c57dcb8f","hash5":"72aa4905598c9fb5a1e3222ba8daa3efb52bbff09d89603ab0911e43e15201f3","reference":"https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/","rule":"MAL_Sednit_DelphiDownloader_Apr18_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a victim","trigger":"signature-base-master/yara/apt_sharptongue.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"threatintel@volexity.com","date":"2021-09-14","description":"A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a 
victim","hash1":"1c9664513fe226beb53268b58b11dacc35b80a12c50c22b76382304badf4eb00","hash2":"6025c66c2eaae30c0349731beb8a95f8a5ba1180c5481e9a49d474f4e1bb76a4","hash3":"6594b75939bcdab4253172f0fa9066c8aee2fa4911bd5a03421aeb7edcd9c90c","license":"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt","memory_suitable":"1","reference":"https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/","rule":"APT_SharpTongue_JS_SharpExt_Chrome_Extension","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a ","trigger":"signature-base-master/yara/apt_shellcrew_streamex.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Cylance","date":"2017-02-09","description":"Detects a ","reference":"https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar","rule":"StreamEx_ShellCrew","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware sample mentioned in the Silence report on Securelist","trigger":"signature-base-master/yara/apt_silence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-11-01","description":"Detects malware sample mentioned in the Silence report on Securelist","hash1":"75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://securelist.com/the-silence/83009/","rule":"Silence_malware_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects 
Sofacy Fysbis Linux Backdoor","trigger":"signature-base-master/yara/apt_sofacy_fysbis.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-13","description":"Detects Sofacy Fysbis Linux Backdoor","hash1":"02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592","hash2":"8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/","rule":"Sofacy_Fybis_ELF_Backdoor_Gen1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"X-Agent/CHOPSTICK Implant by APT28","trigger":"signature-base-master/yara/apt_sofacy_xtunnel_bundestag.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US CERT","date":"2017-02-10","description":"X-Agent/CHOPSTICK Implant by APT28","reference":"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE","rule":"IMPLANT_3_v1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Sofacy Bundestags APT Batch Script","trigger":"signature-base-master/yara/apt_sofacy_xtunnel_bundestag.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-19","description":"Sofacy Bundestags APT Batch Script","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://dokumente.linksfraktion.de/inhalt/report-orig.pdf","rule":"Sofacy_Bundestag_Batch","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects webshell access mentioned in FireEye's SUNBURST report","trigger":"signature-base-master/yara/apt_solarwinds_susp_sunburst.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-12-21","description":"Detects webshell access mentioned in FireEye's SUNBURST report","reference":"https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/","rule":"LOG_APT_WEBSHELL_Solarwinds_SUNBURST_Report_Webshell_Dec20_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"STUXSHOP_config","trigger":"signature-base-master/yara/apt_stuxshop.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"JAG-S (turla@chronicle.security)","desc":"Stuxshop standalone sample configuration","hash":"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579","reference":"https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0","rule":"STUXSHOP_config"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects mutex names in SUNSPOT","trigger":"signature-base-master/yara/apt_sunspot.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"actor":"StellarParticle","copyright":"(c) 2021 CrowdStrike Inc.","date":"2021-01-08","description":"Detects mutex names in 
SUNSPOT","malware_family":"SUNSPOT","reference":"https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/","rule":"CrowdStrike_SUNSPOT_02","version":"202101081448"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"inveigh pen testing tools \u0026 related artifacts","trigger":"signature-base-master/yara/apt_ta17_293A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"US-CERT Code Analysis Team (modified by Florian Roth)","date":"2017/07/17","description":"inveigh pen testing tools \u0026 related artifacts","hash0":"61C909D2F625223DB2FB858BBDF42A76","hash1":"A07AA521E7CAFB360294E56969EDA5D6","hash10":"4595DBE00A538DF127E0079294C87DA0","hash2":"BA756DD64C1147515BA2298B6A760260","hash3":"8943E71A8C73B5E343AA9D2E19002373","hash4":"04738CA02F59A5CD394998A99FCD9613","hash5":"038A97B4E2F37F34B255F0643E49FC9D","hash6":"65A1A73253F04354886F375B59550B46","hash7":"AA905A3508D9309A93AD5C0EC26EBC9B","hash8":"5DBEF7BDDAF50624E840CCBCE2816594","hash9":"722154A36F32BA10E98020A8AD758A7A","reference":"https://www.us-cert.gov/ncas/alerts/TA17-293A","rule":"TA17_293A_malware_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_ta17_293A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-10-21","description":"Auto-generated rule","hash1":"72a28efb6e32e653b656ca32ccd44b3111145a695f6f6161965deebbdc437076","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.us-cert.gov/ncas/alerts/TA17-293A","rule":"TA17_293A_Hacktool_PS_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule","trigger":"signature-base-master/yara/apt_ta17_293A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-10-21","description":"Auto-generated rule","hash1":"9b97290300abb68fb48480718e6318ee2cdd4f099aa6438010fb2f44803e0b58","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.us-cert.gov/ncas/alerts/TA17-293A","rule":"TA17_293A_Hacktool_Exploit_MS16_032"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from scripts in the PowerShell-Suite repo","trigger":"signature-base-master/yara/apt_ta17_293A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-27","description":"Detects strings from scripts in the PowerShell-Suite 
repo","hash1":"79071ba5a984ee05903d566130467483c197cbc2537f25c1e3d7ae4772211fe0","hash10":"5608f25930f99d78804be8c9c39bd33f4f8d14360dd1e4cc88139aa34c27376d","hash11":"68b6c0b5479ecede3050a2f44f8bb8783a22beeef4a258c4ff00974f5909b714","hash12":"da25010a22460bbaabff0f7004204aae7d830348e8a4543177b1f3383b2c3100","hash2":"db31367410d0a9ffc9ed37f423a4b082639591be7f46aca91f5be261b23212d5","hash3":"4f51e7676a4d54c1962760ca0ac81beb28008451511af96652c31f4f40e8eb8e","hash4":"17ac9bb0c46838c65303f42a4a346fcba838ebd5833b875e81dd65c82701d8a8","hash5":"fa33aef619e620a88ecccb990e71c1e11ce2445f799979d23be2d1ad4321b6c6","hash6":"5542bd89005819bc4eef8dfc8a158183e5fd7a1438c84da35102588f5813a225","hash7":"c6a99faeba098eb411f0a9fcb772abac2af438fc155131ebfc93a00e3dcfad50","hash8":"a8e06ecf5a8c25619ce85f8a23f2416832cabb5592547609cfea8bd7fcfcc93d","hash9":"6aa5abf58904d347d441ac8852bd64b2bad3b5b03b518bdd06510931a6564d08","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/FuzzySecurity/PowerShell-Suite","rule":"PowerShell_Suite_Hacktools_Gen_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Volgmer malware as reported in US CERT TA17-318B","trigger":"signature-base-master/yara/apt_ta17_318B.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-11-15","description":"Detects Volgmer malware as reported in US CERT 
TA17-318B","hash1":"ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd","hash2":"8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b","hash3":"eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5","hash4":"e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11","hash5":"6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1","hash6":"fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9","hash7":"53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d","hash8":"1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.us-cert.gov/ncas/alerts/TA17-318B","rule":"Volgmer_Malware"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware mentioned in TA18-074A","trigger":"signature-base-master/yara/apt_ta18_074A.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-03-16","description":"Detects malware mentioned in TA18-074A","hash1":"2f159b71183a69928ba8f26b76772ec504aefeac71021b012bd006162e133731","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-18","reference":"https://www.us-cert.gov/ncas/alerts/TA18-074A","rule":"TA18_074A_scripts"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects TeleBots malware - IntercepterNG","trigger":"signature-base-master/yara/apt_telebots.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-12-14","description":"Detects TeleBots 
malware - IntercepterNG","hash1":"5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/4if3HG","rule":"TeleBots_IntercepterNG"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Certutil Decode","trigger":"signature-base-master/yara/apt_telebots.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-29","description":"Certutil Decode","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Certutil_Decode_OR_Download","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Liudoor daemon backdoor","trigger":"signature-base-master/yara/apt_terracotta_liudoor.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"RSA FirstWatch","date":"2015-07-23","description":"Detects Liudoor daemon backdoor","hash0":"78b56bc3edbee3a425c96738760ee406","hash1":"5aa0510f6f1b0e48f0303b9a4bfc641e","hash2":"531d30c8ee27d62e6fbe855299d0e7de","hash3":"2be2ac65fd97ccc97027184f0310f2f3","hash4":"6093505c7f7ec25b1934d3657649ef07","rule":"APT_Liudoor","type":"Win32 DLL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Unique code from Jetriz, Swid \u0026 Jeniva of the Tetris framework","trigger":"signature-base-master/yara/apt_tetris.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@imp0rtp3 (modified by Florian 
Roth)","date":"2020-09-06","description":"Unique code from Jetriz, Swid \u0026 Jeniva of the Tetris framework","reference":"https://imp0rtp3.wordpress.com/2021/08/12/tetris","rule":"apt_CN_Tetris_JS_advanced_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Code and strings of plugins from the Tetris framework loaded by Swid","trigger":"signature-base-master/yara/apt_tetris.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@imp0rtp3","date":"2020-09-06","description":"Code and strings of plugins from the Tetris framework loaded by Swid","reference":"https://imp0rtp3.wordpress.com/2021/08/12/tetris","rule":"apt_CN_Tetrisplugins_JS"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Threat Group 3390 APT - Strings","trigger":"signature-base-master/yara/apt_threatgroup_3390.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Threat Group 3390 APT - Strings","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://snip.ly/giNB","rule":"ThreatGroup3390_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user input","trigger":"signature-base-master/yara/apt_threatgroup_3390.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user 
input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"TRITON framework recovered during Mandiant ICS incident response","trigger":"signature-base-master/yara/apt_triton.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"nicholas.carr @itsreallynick","description":"TRITON framework recovered during Mandiant ICS incident response","hash":"0face841f7b2953e7c29c064d6886523","reference":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html","rule":"TRITON_ICS_FRAMEWORK"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Turla malware (based on sample used in the RUAG APT case)","trigger":"signature-base-master/yara/apt_turla.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects Turla malware (based on sample used in the RUAG APT 
case)","family":"Turla","hash1":"0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4","hash10":"2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2","hash2":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash3":"fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd","hash4":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","hash5":"b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4","hash6":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","hash7":"8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a","hash8":"8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98","hash9":"0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"Turla_APT_Malware_Gen1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware used in the RUAG APT case","trigger":"signature-base-master/yara/apt_turla.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects malware used in the RUAG APT 
case","hash1":"0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4","hash2":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash3":"fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd","hash4":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","modified":"2023-01-06","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"RUAG_APT_Malware_Gen2","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Turla malware (based on sample used in the RUAG APT case)","trigger":"signature-base-master/yara/apt_turla.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-09","description":"Detects Turla malware (based on sample used in the RUAG APT case)","family":"Turla","hash1":"c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4","hash2":"b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4","hash3":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","hash4":"8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a","hash5":"8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98","hash6":"0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f","hash7":"2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2","hash8":"7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9","hash9":"edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case","rule":"Turla_APT_Malware_Gen3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public 
Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Turla malicious script","trigger":"signature-base-master/yara/apt_turla.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-19","description":"Detects Turla malicious script","hash1":"180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://ghostbin.com/paste/jsph7","rule":"Turla_Mal_Script_Jan18_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule for detection of Nautilus related strings","trigger":"signature-base-master/yara/apt_turla_neuron.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"NCSC UK / Florian Roth","date":"2017/11/23","description":"Rule for detection of Nautilus related strings","reference":"https://www.ncsc.gov.uk/alerts/turla-group-malware","rule":"Nautilus_forensic_artificats","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects artefacts found in Hermetic Wiper malware related intrusions","trigger":"signature-base-master/yara/apt_ua_hermetic_wiper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-02-25","description":"Detects artefacts found in Hermetic Wiper malware related 
intrusions","reference":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia","rule":"APT_UA_Hermetic_Wiper_Artefacts_Feb22_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects scheduled task pattern found in Hermetic Wiper malware related intrusions","trigger":"signature-base-master/yara/apt_ua_hermetic_wiper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-02-25","description":"Detects scheduled task pattern found in Hermetic Wiper malware related intrusions","reference":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia","rule":"APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects SombRAT samples from UNC2447 campaign","trigger":"signature-base-master/yara/apt_unc2447_sombrat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-01","description":"Detects SombRAT samples from UNC2447 campaign","hash1":"61e286c62e556ac79b01c17357176e58efb67d86c5d17407e128094c3151f7f9","hash2":"99baffcd7a6b939b72c99af7c1e88523a50053ab966a079d9bf268aff884426e","modified":"2023-01-07","reference":"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html","rule":"APT_UNC2447_MAL_SOMBRAT_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects WARPRISM PowerShell samples from UNC2447 
campaign","trigger":"signature-base-master/yara/apt_unc2447_sombrat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-01","description":"Detects WARPRISM PowerShell samples from UNC2447 campaign","hash1":"3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80","hash2":"63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806","hash3":"b41a303a4caa71fa260dd601a796033d8bfebcaa6bd9dfd7ad956fac5229a735","reference":"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html","rule":"APT_UNC2447_PS1_WARPRISM_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects DEWMODE webshells","trigger":"signature-base-master/yara/apt_unc2546_dewmode.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-02-22","description":"Detects DEWMODE webshells","hash1":"2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7","hash2":"5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b","reference":"https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html","rule":"WEBSHELL_APT_PHP_DEWMODE_UNC2546_Feb21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong","trigger":"signature-base-master/yara/apt_unit78020_malware.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-09-24","description":"Detects malware by Chinese APT 
PLA Unit 78020 - Generic Rule - Chong","hash1":"2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac","hash2":"5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://threatconnect.com/camerashy/?utm_campaign=CameraShy","rule":"Unit78020_Malware_Gen3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES \u0026 PlugX","trigger":"signature-base-master/yara/apt_uscert_ta17-1117a.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"USG","description":"Detects a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES \u0026 PlugX","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"Dropper_DeploysMalwareViaSideLoading","true_positive":"5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. 
"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Strings identifying the core REDLEAVES RAT in its deobfuscated state","trigger":"signature-base-master/yara/apt_uscert_ta17-1117a.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"USG","description":"Strings identifying the core REDLEAVES RAT in its deobfuscated state","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"REDLEAVES_CoreImplant_UniqueStrings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects specific RedLeaves and PlugX binaries","trigger":"signature-base-master/yara/apt_uscert_ta17-1117a.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"MD5_1":"598FF82EA4FB52717ACAFB227C83D474","MD5_2":"7D10708A518B26CC8C3CBFBAA224E032","MD5_3":"AF406D35C77B1E0DF17F839E36BCE630","MD5_4":"6EB9E889B091A5647F6095DCD4DE7C83","MD5_5":"566291B277534B63EAFC938CDAAB8A399E41AF7D","author":"US-CERT Code Analysis Team","date":"2017-04-03","description":"Detects specific RedLeaves and PlugX binaries","incident":"10118538","reference":"https://www.us-cert.gov/ncas/alerts/TA17-117A","rule":"PLUGX_RedLeaves"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Venom Linux Rootkit","trigger":"signature-base-master/yara/apt_venom_linux_rootkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-12","description":"Venom Linux Rootkit","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://security.web.cern.ch/security/venom.shtml","rule":"Venom_Rootkit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component","trigger":"signature-base-master/yara/apt_waterbug.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Symantec Security Response","date":"22.01.2015","description":"Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component","reference":"http://t.co/rF35OaAXrl","rule":"WaterBug_wipbot_2013_dll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects powershell script used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects powershell script used in Operation Wilted Tulip","hash1":"e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_powershell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Windows scheduled task as used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects a Windows scheduled task as used in 
Operation Wilted Tulip","hash1":"4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_Windows_UM_Task"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects hack tool used in Operation Wilted Tulip - Windows Tasks","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects hack tool used in Operation Wilted Tulip - Windows Tasks","hash1":"c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c","hash2":"340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d","hash3":"b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01","hash4":"5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a","hash5":"984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_WindowsTask"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects powershell tool call Get_AD_Users_Logon_History used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects powershell tool call Get_AD_Users_Logon_History used in Operation Wilted 
Tulip","hash1":"c75906dbc3078ff81092f6a799c31afc79b1dece29db696b2ecf27951a86a1b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_SilverlightMSI"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","trigger":"signature-base-master/yara/apt_wilted_tulip.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-10","description":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char 
variable","reference":"Internal Research","rule":"SUSP_PS1_JAB_Pattern_Jun22_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PlugX Malware Samples from June 2016","trigger":"signature-base-master/yara/apt_win_plugx.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-08","description":"Detects PlugX Malware Samples from June 2016","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Research","rule":"PlugX_J16_Gen2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Winnti sample - file NlaifSvc.dll","trigger":"signature-base-master/yara/apt_winnti_ms_report_201701.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-25","description":"Winnti sample - file NlaifSvc.dll","hash1":"964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/VbvJtL","rule":"Winnti_NlaifSvc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","trigger":"signature-base-master/yara/apt_woolengoldfish.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/25","description":"Detects a operation Woolen-Goldfish sample - 
http://goo.gl/NpJpVZ","hash":"7ad0eb113bc575363a058f4bf21dbab8c8f7073a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/NpJpVZ","rule":"WoolenGoldfish_Sample_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","trigger":"signature-base-master/yara/apt_woolengoldfish.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/25","description":"Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ","hash1":"86222ef166474e53f1eb6d7e6701713834e6fee7","hash2":"e8dbcde49c7f760165ebb0cb3452e4f1c24981f5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/NpJpVZ","rule":"WoolenGoldfish_Generic_3","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a ZxShell - CN threat group","trigger":"signature-base-master/yara/apt_zxshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-08","description":"Detects a ZxShell - CN threat group","hash1":"5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blogs.rsa.com/cat-phishing/","rule":"ZxShell_Jul17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Script from disclosed CN Honker Pentest Toolset - file 
pr","trigger":"signature-base-master/yara/cn_pentestset_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Script from disclosed CN Honker Pentest Toolset - file pr","hash":"583cf6dc2304121d835f2879803a22fea76930f3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_portRecall_pr","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - htran-exe","trigger":"signature-base-master/yara/cn_pentestset_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file php6.txt","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file php6.txt","hash":"a60a599c6c8b6a6c0d9da93201d116af257636d7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest 
Toolset","rule":"CN_Honker_Webshell_PHP_BlackSky","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file sniff.txt","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file sniff.txt","hash":"e246256696be90189e6d50a4ebc880e6d9e28dfd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_ASPX_sniff","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file udf.php","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file udf.php","hash":"df63372ccab190f2f1d852f709f6b97a8d9d22b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_udf_udf","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file 2.6.9","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file 2.6.9","hash":"ec22fac0510d0dc2c29d56c55ff7135239b0aeee","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_Linux_2_6_Exploit","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file php7.txt","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file php7.txt","hash":"05a3f93dbb6c3705fd5151b6ffb64b53bc555575","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_PHP_php7","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell from CN Honker Pentest Toolset - file asp1.txt","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-23","description":"Webshell from CN Honker Pentest Toolset - file asp1.txt","hash":"78b5889b363043ed8a60bed939744b4b19503552","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed CN Honker Pentest Toolset","rule":"CN_Honker_Webshell_ASP_asp1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Chinese Hacktool Set - file templatr.php","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-13","description":"Chinese Hacktool Set - file templatr.php","hash":"759df470103d36a12c7d8cf4883b0c58fe98156b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://tools.zjqhr.com/","rule":"templatr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. 
restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic PHP webshell which uses any eval/exec function in the same line with user input","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic PHP webshell which uses any eval/exec function in the same line with user input","hash":"90c5cc724ec9cf838e4229e5e08955eec4d7bf95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2021-10-29","rule":"webshell_php_generic_eval"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell which directly eval()s obfuscated string","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/12","description":"PHP webshell which directly eval()s obfuscated string","hash":"49e5bc75a1ec36beeff4fbaeb16b322b08cf192d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_gzinflated"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user 
input","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell","trigger":"signature-base-master/yara/cn_pentestset_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"BernhardPOS Credit Card dumping tool","trigger":"signature-base-master/yara/crime_bernhard_pos.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Hoffman / Jeremy Humble","description":"BernhardPOS Credit Card dumping tool","last_update":"2015-07-14","md5":"e49820ef02ba5308ff84e4c8c12e7c3d","reference":"http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick","rule":"BernhardPOS","score":"70","source":"Morphick Inc."}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Bluenoroff POS malware - 
hkp.dll","trigger":"signature-base-master/yara/crime_bluenoroff_pos.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"http://blog.trex.re.kr/","date":"2018-06-07","description":"Bluenoroff POS malware - hkp.dll","reference":"http://blog.trex.re.kr/3?category=737685","rule":"BluenoroffPoS_DLL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Crypto Miner strings","trigger":"signature-base-master/yara/crime_cn_group_btc.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-01-31","description":"Detects Crypto Miner strings","hash1":"ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05","reference":"Internal Research","rule":"PUA_CryptoMiner_Jan19_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Find documents saved from the same potential Cobalt Gang PDF template","trigger":"signature-base-master/yara/crime_cobalt_gang_pdf.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Palo Alto Networks Unit 42","date":"2018-10-25","description":"Find documents saved from the same potential Cobalt Gang PDF template","reference":"https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/","rule":"Cobaltgang_PDF_Metadata_Rev_A"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Script Dropper of Cobalt Gang used in August 
2017","trigger":"signature-base-master/yara/crime_cobaltgang.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-09","description":"Detects Script Dropper of Cobalt Gang used in August 2017","hash1":"fc0fad39b461eb1cfc6be57932993fcea94fca650564271d1b74dd850c81602f","hash2":"1c845bb0f6b9a96404af97dcafdc77f1629246e840c01dd9f1580a341f554926","hash3":"6206e372870ea4f363be53557477f9748f1896831a0cdef3b8450a7fb65b86e1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"CobaltStrike_CN_Group_BeaconDropper_Aug17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious statements in JavaScript files","trigger":"signature-base-master/yara/crime_cobaltgang.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-02","description":"Detects suspicious statements in JavaScript files","hash1":"fc0fad39b461eb1cfc6be57932993fcea94fca650564271d1b74dd850c81602f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research on Leviathan https://goo.gl/MZ7dRg","rule":"Suspicious_JS_script_content","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects helper script used in a crypto miner campaign","trigger":"signature-base-master/yara/crime_crypto_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-12-31","description":"Detects helper script used in a crypto miner 
campaign","hash1":"3298dbd985c341d57e3219e80839ec5028585d0b0a737c994363443f4439d7a5","reference":"https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/","rule":"SUSP_LNX_SH_CryptoMiner_Indicators_Dec20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects command line parameters often used by crypto mining software","trigger":"signature-base-master/yara/crime_crypto_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-24","description":"Detects command line parameters often used by crypto mining software","reference":"https://www.poolwatch.io/coin/monero","rule":"PUA_Crypto_Mining_CommandLine_Indicators_Oct21","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Triggers on strings of known DearCry samples","trigger":"signature-base-master/yara/crime_dearcry_ransom.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nils Kuhnert","date":"2021-03-12","description":"Triggers on strings of known DearCry samples","hash1":"2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff","hash2":"e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6","hash3":"feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede","reference":"https://twitter.com/phillip_misner/status/1370197696280027136","rule":"MAL_RANSOM_Crime_DearCry_Mar2021_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unpacked SystemBC module as used by Emotet in March 
2022","trigger":"signature-base-master/yara/crime_emotet.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Thomas Barabosch, Deutsche Telekom Security","date":"2022-03-11","description":"Detects unpacked SystemBC module as used by Emotet in March 2022","hash1":"c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5","malpedia_reference":"https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc","reference":"https://twitter.com/Cryptolaemus1/status/1502069552246575105","reference2":"https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6","rule":"EXT_MAL_SystemBC_Mar22_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies SystemBC RAT, decrypted config.","trigger":"signature-base-master/yara/crime_emotet.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-07-01","description":"Identifies SystemBC RAT, decrypted config.","fingerprint":"8de029e2f4fc81742a3e04976a58360e403ce5737098c14e0a007c306a1e0f01","first_imported":"2021-12-30","id":"70WDDM1D5xtPBqsUdBiPTK","last_modified":"2021-12-30","malware_type":"RAT","rule":"SystemBC_Config","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects EternalRocks Malware - file taskhost.exe","trigger":"signature-base-master/yara/crime_eternalrocks.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-05-18","description":"Detects EternalRocks Malware - file 
taskhost.exe","hash1":"cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/stamparm/status/864865144748298242","rule":"EternalRocks_taskhost"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Fireball malware - file clearlog.dll","trigger":"signature-base-master/yara/crime_fireball.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-02","description":"Detects Fireball malware - file clearlog.dll","hash1":"14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/4pTkGQ","rule":"clearlog"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"2021 loader for Bokbot / Icedid core (license.dat)","trigger":"signature-base-master/yara/crime_icedid.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Thomas Barabosch, Telekom Security","date":"2021-04-13","description":"2021 loader for Bokbot / Icedid core (license.dat)","reference":"https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240","rule":"MAL_IcedId_Core_LDR_202104"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.IcedID","trigger":"signature-base-master/yara/crime_icedid.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-02-16","fingerprint":"155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e","id":"11d24d35-6bff-4fac-83d8-4d152aa0be57","last_modified":"2022-04-06","license":"Elastic License v2","os":"windows","reference_sample":"b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982","rule":"Windows_Trojan_IcedID_11d24d35","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.IcedID"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Match protocol, process injects and windows exploit present in KINS dropper","trigger":"signature-base-master/yara/crime_kins_dropper.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"AlienVault Labs aortega@alienvault.com","description":"Match protocol, process injects and windows exploit present in KINS dropper","reference":"http://goo.gl/arPhm3","rule":"KINS_dropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a string also used in Netwire RAT auxiliary","trigger":"signature-base-master/yara/crime_malware_generic.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-05","description":"Detects a string also used in Netwire RAT auxiliary","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://pastebin.com/8qaiyPxs","rule":"Suspicious_BAT_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Trojan Downloader - Flash Exploit Feb15","trigger":"signature-base-master/yara/crime_malware_generic.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/11","description":"Trojan Downloader - Flash Exploit Feb15","hash":"5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/wJ8V1I","rule":"TrojanDownloader","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unspecified malware sample","trigger":"signature-base-master/yara/crime_malware_generic.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-19","description":"Detects unspecified malware sample","hash1":"f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"MAL_unspecified_Jan18_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CVE-2018-4878","trigger":"signature-base-master/yara/crime_ole_loadswf_cve_2018_4878.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"actor":"Purported North Korean actors","affected_versions":"Adobe Flash 28.0.0.137 and 
earlier versions","author":"Vitali Kremez, Flashpoint","description":"Detects CVE-2018-4878","mitigation0":"Implement Protected View for Office documents","mitigation1":"Disable Adobe Flash","reference":"hxxps://www[.]krcert[.]or[.kr/data/secNoticeView.do?bulletin_writing_sequence=26998","rule":"crime_ole_loadswf_cve_2018_4878","version":"1.1","vuln_impact":"Use-after-free","vuln_type":"Remote Code Execution","weaponization":"Embedded in Microsoft Office first payloads"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Darkside Ransomware","trigger":"signature-base-master/yara/crime_ransom_darkside.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-05-10","description":"Detects Darkside Ransomware","hash1":"ec368752c2cf3b23efbfa5705f9e582fc9d6766435a7b8eea8ef045082c6fbce","reference":"https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/","rule":"MAL_RANSOM_Darkside_May21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies Darkside ransomware.","trigger":"signature-base-master/yara/crime_ransom_darkside.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2021-05-01","description":"Identifies Darkside ransomware.","fingerprint":"57bc5c7353c8c518e057456b2317e1dbf59ee17ce69cd336f1bacaf627e9efd5","first_imported":"2021-12-30","id":"5qjcs58k9iHd3EU3xv66sV","last_modified":"2021-12-30","malware":"DARKSIDE","malware_type":"RANSOMWARE","rule":"Darkside","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA 
rules","scan_date":"2024-09-27","alert":"Identifies RagnarLocker ransomware unpacked or in memory.","trigger":"signature-base-master/yara/crime_ransom_ragna_locker.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-07-01","description":"Identifies RagnarLocker ransomware unpacked or in memory.","fingerprint":"fd403ea38a9c6c269ff7b72dea1525010f44253a41e72bf3fce55fa4623245a3","first_imported":"2021-12-30","id":"5066KiqBNrcicJGfWPfDx5","last_modified":"2021-12-30","malware":"RAGNAR LOCKER","malware_type":"RANSOMWARE","mitre_att":"S0481","rule":"RagnarLocker","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects SocGholish fake update Javascript files 22.02.2022","trigger":"signature-base-master/yara/crime_socgholish.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Wojciech Cieślak","date":"2022-02-22","description":"Detects SocGholish fake update Javascript files 22.02.2022","hash":"d08a2350df5abbd8fd530cff8339373e","rule":"SocGholish_JS_22_02_2022"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects XBash malware","trigger":"signature-base-master/yara/crime_xbash.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-09-18","description":"Detects XBash 
malware","hash1":"f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8","modified":"2023-01-06","reference":"https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/","rule":"MAL_Xbash_JS_Sep18"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious log lines produced during the exploitation of ADSelfService vulnerability CVE-2021-40539","trigger":"signature-base-master/yara/expl_adselfservice_cve_2021_40539.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-20","description":"Detects suspicious log lines produced during the exploitation of ADSelfService vulnerability CVE-2021-40539","reference":"https://us-cert.cisa.gov/ncas/alerts/aa21-259a","rule":"LOG_EXPL_ADSelfService_CVE_2021_40539_ADSLOG_Sep21","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious log lines produced during the exploitation of ADSelfService vulnerability CVE-2021-40539","trigger":"signature-base-master/yara/expl_adselfservice_cve_2021_40539.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-20","description":"Detects suspicious log lines produced during the exploitation of ADSelfService vulnerability CVE-2021-40539","reference":"https://us-cert.cisa.gov/ncas/alerts/aa21-259a","rule":"LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects payloads used in Shitrix exploitation 
CVE-2019-19781","trigger":"signature-base-master/yara/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-01-13","description":"Detects payloads used in Shitrix exploitation CVE-2019-19781","reference":"https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/","rule":"EXPL_Shitrix_Exploit_Code_Jan20_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-27","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"signature-base-master/yara/expl_connectwise_screenconnect_vuln_feb24.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. 
diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects exploitation attempts against Confluence servers abusing a RCE reported as CVE-2021-26084","trigger":"signature-base-master/yara/expl_cve_2021_26084_confluence_log.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-01","description":"Detects exploitation attempts against Confluence servers abusing a RCE reported as CVE-2021-26084","reference":"https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md","rule":"LOG_EXPL_Confluence_RCE_CVE_2021_26084_Sep21","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious office reference files including an obfuscated MHTML reference exploiting CVE-2021-40444","trigger":"signature-base-master/yara/expl_cve_2021_40444.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-18","description":"Detects suspicious office reference files including an obfuscated MHTML reference exploiting CVE-2021-40444","hash":"84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69","reference":"https://twitter.com/decalage2/status/1438946225190014984?s=20","rule":"EXPL_MAL_MalDoc_OBFUSCT_MHTML_Sep21_1","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents","trigger":"signature-base-master/yara/expl_cve_2021_40444.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-18","description":"Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents","reference":"https://twitter.com/sudosev/status/1439205606129377282","rule":"SUSP_OBFUSC_Indiators_XML_OfficeDoc_Sep21_2","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious entries in the Keepass configuration file, which could be indicator of the exploitation of CVE-2023-24055","trigger":"signature-base-master/yara/expl_keepass_cve_2023_24055.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-25","description":"Detects suspicious entries in the Keepass configuration file, which could be indicator of the exploitation of CVE-2023-24055","reference":"https://github.com/alt3kx/CVE-2023-24055_PoC","rule":"EXPL_Keepass_CVE_2023_24055_Jan23","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious triggers defined in the Keepass configuration file, which could be indicator of the exploitation of CVE-2023-24055","trigger":"signature-base-master/yara/expl_keepass_cve_2023_24055.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-25","description":"Detects suspicious triggers defined in the Keepass 
configuration file, which could be indicator of the exploitation of CVE-2023-24055","reference":"https://github.com/alt3kx/CVE-2023-24055_PoC","rule":"SUSP_Keepass_CVE_2023_24055_Jan23","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228","trigger":"signature-base-master/yara/expl_log4j_cve_2021_44228.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-12","description":"Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228","reference":"https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b","rule":"EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects error messages related to JNDI usage in log files that can indicate a Log4Shell / Log4j exploitation","trigger":"signature-base-master/yara/expl_log4j_cve_2021_44228.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-10","description":"Detects error messages related to JNDI usage in log files that can indicate a Log4Shell / Log4j exploitation","modified":"2021-12-17","reference":"https://twitter.com/marcioalm/status/1470361495405875200?s=20","rule":"SUSP_JDNIExploit_Error_Indicators_Dec21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects POCs that exploit privilege escalation vulnerability CVE-2022-46689 on 
macOS","trigger":"signature-base-master/yara/expl_macos_switcharoo_dec22.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-12-19","description":"Detects POCs that exploit privilege escalation vulnerability CVE-2022-46689 on macOS","hash1":"64acd79a37b6f8443250dd33e95bd933ee39fc6d4f35ba6a987dae878d017386","hash2":"6c2ace75000de8a7e8786f28b1b41eed72816991a0961475c6800753bfe9278c","hash3":"6ce080b236ea3aa3b4c992d12af99445ab800abc709c6abbef852a9f0cf219b6","hash4":"83cc4d72686aedf5218f07e60e759b4849b368975b70352dbba6fac4e8cde72b","hash5":"a7b7fcfd609ff653d32c133417c0d3ffd9f581fb6de05ddbdead4d36cb6e3cc2","hash6":"b2a97edb0ddc30ecc1a0b0c0739820bbef787394b44ab997393475de2ebf7b60","hash7":"c7a64c6da5cf5046ae5c683d0264a32027110a2736b4c1b0df294e29a061a865","hash8":"d517cde0d45e6930336538c89b310d5d540a66c921bf6f6f9b952e721b2f6a11","hash9":"d53a559ea9131fe42eacf51431da3adde5a8fd5c2f3198f0d5451ef62ed33888","reference":"Internal Research","rule":"EXPL_HKTL_macOS_Switcharoo_CVE_2022_46689_Dec22","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3","trigger":"signature-base-master/yara/expl_manageengine_jan23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-13","description":"Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3","reference":"https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/","rule":"EXPL_ManageEngine_CVE_2022_47966_Jan23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unknown 
malicious loaders noticed in August 2021","trigger":"signature-base-master/yara/expl_proxyshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-08-25","description":"Detects unknown malicious loaders noticed in August 2021","reference":"https://twitter.com/VirITeXplorer/status/1430206853733097473","rule":"WEBSHELL_ASPX_ProxyShell_Exploitation_Aug21_1","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects webshells dropped by DropHell malware","trigger":"signature-base-master/yara/expl_proxyshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-11-01","description":"Detects webshells dropped by DropHell malware","reference":"https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside","rule":"WEBSHELL_ProxyShell_Exploitation_Nov21_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JSP webshells","trigger":"signature-base-master/yara/expl_spring4shell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-11-23","description":"Detects JSP webshells","reference":"https://www.ic3.gov/Media/News/2021/211117-2.pdf","rule":"WEBSHELL_JSP_Nov21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators found after SpringCore exploitation attempts and in the POC 
script","trigger":"signature-base-master/yara/expl_spring4shell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-03-30","description":"Detects indicators found after SpringCore exploitation attempts and in the POC script","reference":"https://twitter.com/vxunderground/status/1509170582469943303","rule":"EXPL_POC_SpringCore_0day_Indicators_Mar22_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects webshell found after SpringCore exploitation attempts POC script","trigger":"signature-base-master/yara/expl_spring4shell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-03-30","description":"Detects webshell found after SpringCore exploitation attempts POC script","reference":"https://twitter.com/vxunderground/status/1509170582469943303","rule":"EXPL_POC_SpringCore_0day_Webshell_Mar22_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malicious files related to CVE-2017-8759","trigger":"signature-base-master/yara/exploit_cve_2017_8759.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-15","description":"Detects malicious files related to CVE-2017-8759","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/buffaloverflow/status/908455053345869825","rule":"CVE_2017_8759_SOAP_Excel","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects a CVE-2017-9800 exploitation attempt","trigger":"signature-base-master/yara/exploit_cve_2017_9800.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-11","description":"Detects a CVE-2017-9800 exploitation attempt","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/mzbat/status/895811803325898753","rule":"git_CVE_2017_9800_poc","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system","trigger":"signature-base-master/yara/exploit_cve_2021_33766_proxytoken.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-08-30","description":"Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system","reference":"https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server","rule":"LOG_EXPL_ProxyToken_Exploitation_Aug21_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954","trigger":"signature-base-master/yara/exploit_cve_2022_22954_vmware_workspace_one.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-04-08","description":"Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template 
injection CVE-2022-22954","modified":"2022-04-12","reference":"https://github.com/sherlocksecurity/VMware-CVE-2022-22954","reference2":"https://twitter.com/rwincey/status/1512241638994853891/photo/1","rule":"EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup","trigger":"signature-base-master/yara/exploit_f5_bigip_cve_2021_22986_log.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-20","description":"Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup","reference":"https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/","rule":"LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects signs of exploitation of GitLab CE CVE-2021-22205","trigger":"signature-base-master/yara/exploit_gitlab_cve_2021_22205.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-26","description":"Detects signs of exploitation of GitLab CE CVE-2021-22205","reference":"https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/","rule":"EXPL_GitLab_CE_RCE_CVE_2021_22205","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects payloads used in Shitrix exploitation 
CVE-2019-19781","trigger":"signature-base-master/yara/exploit_shitrix.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-01-13","description":"Detects payloads used in Shitrix exploitation CVE-2019-19781","reference":"https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/","rule":"EXPL_Shitrix_Exploit_Code_Jan20_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detection for Dimorf ransomeware","trigger":"signature-base-master/yara/gen_100days_of_yara_2023.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Silas Cutler","date":"2023-01-03","description":"Detection for Dimorf ransomeware","reference":"https://github.com/Ort0x36/Dimorf","rule":"MAL_PY_Dimorf","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators found in LockBit ransomware","trigger":"signature-base-master/yara/gen_100days_of_yara_2023.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects indicators found in LockBit ransomware","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Armitage component","trigger":"signature-base-master/yara/gen_armitage.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2017-12-24","description":"Detects Armitage component","hash1":"b258b2f12f57ed05d8eafd29e9ecc126ae301ead9944a616b87c240bf1e71f9a","hash2":"144cb6b1cf52e60f16b45ddf1633132c75de393c2705773b9f67fce334a3c8b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Armitage_MeterpreterSession_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Armitage component","trigger":"signature-base-master/yara/gen_armitage.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-24","description":"Detects Armitage component","hash1":"2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af","hash2":"b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Armitage_OSX"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hack Deep Panda - htran-exe","trigger":"signature-base-master/yara/gen_cn_hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/02/08","description":"Hack Deep Panda - htran-exe","hash":"38e21f0b87b3052b536408fdf59185f8b3d210b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DeepPanda_htran_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Exploit.Dcom","trigger":"signature-base-master/yara/gen_cn_hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"0abae84599e490056412d5a5ce1868ea118551243377d59cbb6ebd83701769b8","id":"7a1bcec7-e177-4adf-97a7-0d876bf65abc","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5","rule":"Windows_Exploit_Dcom_7a1bcec7","scan_context":"file","severity":"100","threat_name":"Windows.Exploit.Dcom"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Chinese Hacktool Set - file templatr.php","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-13","description":"Chinese Hacktool Set - file templatr.php","hash":"759df470103d36a12c7d8cf4883b0c58fe98156b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://tools.zjqhr.com/","rule":"templatr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Chinese Hacktool Set - Webshells - file php.html","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-14","description":"Chinese Hacktool Set - Webshells - file php.html","hash":"a7d5fcbd39071e0915c4ad914d31e00c7127bcfc","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://tools.zjqhr.com/","rule":"Txt_php_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic PHP webshell which uses any eval/exec function in the same line with user input","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic PHP webshell which uses any eval/exec function in the same line with user input","hash":"90c5cc724ec9cf838e4229e5e08955eec4d7bf95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2021-10-29","rule":"webshell_php_generic_eval"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell which directly eval()s obfuscated 
string","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/12","description":"PHP webshell which directly eval()s obfuscated string","hash":"49e5bc75a1ec36beeff4fbaeb16b322b08cf192d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_gzinflated"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user input","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell in c#","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/11","description":"Webshell in c#","hash":"b6721683aadc4b4eba4f081f2bc6bc57adfc0e378f6d80e2bfa0b1e3e57c85c7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_csharp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP 
webshell","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"JSP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.","trigger":"signature-base-master/yara/gen_cn_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/09","description":"JSP Webshells which contain unique strings, lousy rule for low hanging fruits. 
Most are catched by other rules in here but maybe these catch different versions.","hash":"06b42d4707e7326aff402ecbb585884863c6351a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_by_string"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CobaltStrike payloads","trigger":"signature-base-master/yara/gen_cobaltstrike_by_avast.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Payload_Encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CobaltStrike payloads","trigger":"signature-base-master/yara/gen_cobaltstrike_by_avast.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Avast Threat Intel Team","description":"Detects CobaltStrike payloads","reference":"https://github.com/avast/ioc","rule":"Cobaltbaltstrike_Beacon_Encoded"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Base64 encoded PS1 Shellcode","trigger":"signature-base-master/yara/gen_cobaltstrike_by_avast.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Carr, David Ledbetter","date":"2018-11-14","description":"Detects Base64 encoded PS1 Shellcode","reference":"https://twitter.com/ItsReallyNick/status/1062601684566843392","rule":"Base64_PS1_Shellcode","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects WDS file used to circumvent Device Guard","trigger":"signature-base-master/yara/gen_deviceguard_evasion.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-01-01","description":"Detects WDS file used to circumvent Device Guard","modified":"2023-01-06","reference":"http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html","rule":"SUSP_DeviceGuard_WDS_Evasion","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nasreddine Bencherchali, Christian Burkard","date":"2022-05-31","description":"Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation","modified":"2022-07-08","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"SUSP_PS1_Msdt_Execution_May22","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Tobias Michalski, Christian Burkard, Wojciech Cieslak","date":"2022-05-30","description":"Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina 
exploitation","hash":"62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0","modified":"2022-06-20","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"SUSP_Doc_WordXMLRels_May22","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Tobias Michalski, Christian Burkard","date":"2022-05-30","description":"Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation","hash1":"4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784","hash2":"778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07","modified":"2022-07-18","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Christian Burkard","date":"2022-06-01","description":"Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments","hash":"4abc20e5130b59639e20bd6b8ad759af18eb284f46e99a5cc6b4f16f09456a68","reference":"Internal 
Research","rule":"SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious pattern in RTF files which downloads external resources as seen in CVE-2022-30190 / Follina exploitation inside e-mail attachment","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Christian Burkard","date":"2022-06-01","description":"Detects a suspicious pattern in RTF files which downloads external resources as seen in CVE-2022-30190 / Follina exploitation inside e-mail attachment","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"SUSP_DOC_RTF_ExternalResource_EMAIL_Jun22","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-27","alert":"Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation","trigger":"signature-base-master/yara/gen_doc_follina.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Tobias Michalski, Christian Burkard, Wojciech Cieslak","date":"2022-05-30","description":"Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation","hash":"62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0","modified":"2022-06-02","reference":"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e","rule":"SUSP_Doc_WordXMLRels_May22","score":"70","techniques":"File and Directory","yarahub_license":"CC0 
1.0","yarahub_reference_md5":"5f15a9b76ad6ba5229cb427ad7c7a4f6","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"a9aad367-682e-440c-8732-dc414274b5c3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Get-SecurityPackages.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Get-SecurityPackages.ps1","hash1":"5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Get_SecurityPackages"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-PowerDump.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-PowerDump.ps1","hash1":"095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_PowerDump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file 
Invoke-ShellcodeMSIL.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-ShellcodeMSIL.ps1","hash1":"9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_ShellcodeMSIL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-SmbScanner.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-SmbScanner.ps1","hash1":"9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_SmbScanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-EgressCheck.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-EgressCheck.ps1","hash1":"e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_EgressCheck"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-PostExfil.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-PostExfil.ps1","hash1":"00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_PostExfil"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-SMBAutoBrute.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-SMBAutoBrute.ps1","hash1":"7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_SMBAutoBrute"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file 
Get-Keystrokes.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Get-Keystrokes.ps1","hash1":"c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Get_Keystrokes"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file Invoke-DllInjection.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file Invoke-DllInjection.ps1","hash1":"304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_DllInjection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - file KeePassConfig.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - file KeePassConfig.ps1","hash1":"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_KeePassConfig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash2":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash3":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","hash4":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash5":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerShell_Framework_Gen1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1","hash1":"ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerUp_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash3":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash5":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","hash6":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash8":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_PowerShell_Framework_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1","hash2":"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_KeePassConfig_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1","hash2":"cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_Portscan_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1","hash1":"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8","hash2":"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-11-05","description":"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1","hash1":"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28","hash2":"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4","hash3":"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/adaptivethreat/Empire","rule":"Empire_Invoke_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/yara/gen_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.","md5":"7af24305a409a2b8f83ece27bb0f7900","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"Hunting_GadgetToJScript_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"HackTool_MSIL_SharPersist_2","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","md5":"98ecf58d48a3eae43899b45cec0fc6b7","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"HackTool_MSIL_SharPersist_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"CredTheft_MSIL_ADPassHunt_2","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","md5":"6efb58cf54d1bb45c057efcfbbd68a93","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"CredTheft_MSIL_ADPassHunt_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Identifies GoRat malware in memory based on strings.","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"Identifies GoRat malware in memory based on strings.","md5":"3b926b5762e13ceec7ac3a61e85c93bb","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Backdoor_Win_GoRat_Memory"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects FireEye's Python Redflar","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","date":"2020-11-27","description":"Detects FireEye's Python Redflar","md5":"d0a830403e56ebaa4bfbe87dbfdee44f","modified":"2020-11-27","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"APT_Builder_PY_REDFLARE_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Rubeus","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"fbc2f67f394a4d21cac532b42c6749002cb7284b4a3912e18672881e6e74765d","id":"43f18623-6024-4608-8019-e3fecd54cf84","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"b7b4691ad1cdad7663c32d07e911a03d9cc8b104f724c2825fd4957007649235","rule":"Windows_Hacktool_Rubeus_43f18623","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Rubeus"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SafetyKatz","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"f0d11341fc91d2c45c07c6079aad24a11da03320286216be0a68461b6bf55b02","id":"072b7370-517b-45dc-af23-ba3adbd32fbd","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9","rule":"Windows_Hacktool_SafetyKatz_072b7370","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SafetyKatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Seatbelt","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cdbafa7507cb723f20ad0c7a288750a0d95792c8fe5ceb5e48c62fd45f2ffc0b","id":"674fd535-f188-4b20-8b5e-69a111bf08e5","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"a0e467aacd383727d46e766f1c45b424a6d46248118c155c22c538e8773b3ae7","rule":"Windows_Hacktool_Seatbelt_674fd535","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Seatbelt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Sharpersist","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"44fd3f1146d81c34051f8ef4619db369d364e809799e7ca57bea93fb8fef5d4c","id":"06606812-2be2-4155-a82b-6ab4629c5b5a","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8","rule":"Windows_Hacktool_SharPersist_06606812","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Sharpersist"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpHound","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"53d295223e2330a973f9495a7ca625c1e9429bc5daf7dda1b84b2aaeca5ea898","id":"5adf9d6d-b6db-43ea-95bd-e9747b82a36d","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4","rule":"Windows_Hacktool_SharpHound_5adf9d6d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpHound"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpView","trigger":"signature-base-master/yara/gen_fireeye_redteam_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"379606da5cf6adb58d6a8e693d379252f7987ff295f838df092ce2246da08354","id":"2c7603ad-27f4-49fc-9fab-f4284620452f","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93","rule":"Windows_Hacktool_SharpView_2c7603ad","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpView"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Armitage 
component","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-24","description":"Detects Armitage component","hash1":"2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af","hash2":"b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Armitage_OSX"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","hash":"d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_Py_v3_3_to_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 
and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","hash":"ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Identifies UAC Bypass module from Cobalt Strike","fingerprint":"70224e28a223d09f2211048936beb9e2d31c0312c97a80e22c85e445f1937c10","id":"c851687a-aac6-43e7-a0b6-6aed36dcf12e","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_c851687a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2023-05-09","fingerprint":"c375492960a6277bf665bea86302cec774c0d79506e5cb2e456ce59f5e68aa2e","id":"7f8da98a-3336-482b-91da-82c7cef34c62","last_modified":"2023-06-13","license":"Elastic License 
v2","os":"windows","reference_sample":"e3bc2bec4a55ad6cfdf49e5dbd4657fc704af1758ca1d6e31b83dcfb8bf0f89d","rule":"Windows_Trojan_CobaltStrike_7f8da98a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-09-27","alert":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x","hash":"d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_Py_v3_3_to_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-09-27","alert":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13","trigger":"signature-base-master/yara/gen_gcti_cobaltstrike.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 
3.13","hash":"ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CactusTorch Hacktool","trigger":"signature-base-master/yara/gen_gen_cactustorch.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-31","description":"Detects CactusTorch Hacktool","hash1":"314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c","hash2":"0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea","hash3":"a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mdsecactivebreach/CACTUSTORCH","rule":"CACTUSTORCH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Rubeus","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"fbc2f67f394a4d21cac532b42c6749002cb7284b4a3912e18672881e6e74765d","id":"43f18623-6024-4608-8019-e3fecd54cf84","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"b7b4691ad1cdad7663c32d07e911a03d9cc8b104f724c2825fd4957007649235","rule":"Windows_Hacktool_Rubeus_43f18623","scan_context":"file, 
memory","severity":"100","threat_name":"Windows.Hacktool.Rubeus"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SafetyKatz","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"f0d11341fc91d2c45c07c6079aad24a11da03320286216be0a68461b6bf55b02","id":"072b7370-517b-45dc-af23-ba3adbd32fbd","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9","rule":"Windows_Hacktool_SafetyKatz_072b7370","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SafetyKatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Seatbelt","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cdbafa7507cb723f20ad0c7a288750a0d95792c8fe5ceb5e48c62fd45f2ffc0b","id":"674fd535-f188-4b20-8b5e-69a111bf08e5","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"a0e467aacd383727d46e766f1c45b424a6d46248118c155c22c538e8773b3ae7","rule":"Windows_Hacktool_Seatbelt_674fd535","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Seatbelt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Sharpersist","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"44fd3f1146d81c34051f8ef4619db369d364e809799e7ca57bea93fb8fef5d4c","id":"06606812-2be2-4155-a82b-6ab4629c5b5a","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8","rule":"Windows_Hacktool_SharPersist_06606812","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Sharpersist"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpDump","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"cf1e23fc0a317959fceadae8984240b174dac22a1bcabccf43c34f0186a3ac23","id":"7c17d8b1-35cf-440e-8f4e-44abdc2054bb","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"14c3ea569a1bd9ac3aced4f8dd58314532dbf974bfa359979e6c7b6a4bbf41ca","rule":"Windows_Hacktool_SharpDump_7c17d8b1","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpDump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpHound","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"53d295223e2330a973f9495a7ca625c1e9429bc5daf7dda1b84b2aaeca5ea898","id":"5adf9d6d-b6db-43ea-95bd-e9747b82a36d","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4","rule":"Windows_Hacktool_SharpHound_5adf9d6d","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpHound"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpMove","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"634efb2dedbb181a31ea41ff34d1d0810d1ab4823c8611737d68cb56601a052d","id":"05e28928-6109-4afe-bd86-908d354ddd80","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"051f60f9f4665b96f764810defe9525ae7b4f9898249b83a23094cee63fa0c3b","rule":"Windows_Hacktool_SharpMove_05e28928","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpMove"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpRDP","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"a7eb084004fce79efc39781044bad501a731163fa3ad6f9b8b334611d03f5379","id":"80895fcb-b98e-4865-a1f6-87cbea327cea","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"6e909861781a8812ee01bc59435fd73fd34da23fa9ad6d699eefbf9f84629876","rule":"Windows_Hacktool_SharpRDP_80895fcb","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpRDP"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpStay","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"346e6cf9d85c737b171914b331bb1837f90696301dbe144cbf8996b8a8cb3adb","id":"eac706c5-975e-43f2-b106-149f884a2e9a","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"498d201f65b57a007a79259ce7015eb7eb1bba660d44deafea716e36316a9caa","rule":"Windows_Hacktool_SharpStay_eac706c5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpStay"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpUp","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"4c6e70b7ce3eb3fc05966af6c3847f4b7282059e05c089c20f39f226efb9bf87","id":"e5c87c9a-6b4d-49af-85d1-6bb60123c057","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"45e92b991b3633b446473115f97366d9f35acd446d00cd4a05981a056660ad27","rule":"Windows_Hacktool_SharpUp_e5c87c9a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpUp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpView","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"379606da5cf6adb58d6a8e693d379252f7987ff295f838df092ce2246da08354","id":"2c7603ad-27f4-49fc-9fab-f4284620452f","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93","rule":"Windows_Hacktool_SharpView_2c7603ad","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpView"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA 
Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.SharpWMI","trigger":"signature-base-master/yara/gen_github_net_redteam_tools_guids.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-10-20","fingerprint":"20719ea15d4dee90c95b474689752172a6b6fb941dced81803f9f726ddc26d29","id":"a67d6fe5-3ce5-4e63-979e-3fb799d9d173","last_modified":"2022-11-24","license":"Elastic License v2","os":"windows","reference_sample":"2134a5e1a5eece1336f831a7686c5ea3b6ca5aaa63ab7e7820be937da0678e15","rule":"Windows_Hacktool_SharpWMI_a67d6fe5","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SharpWMI"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects URL mentioned in report on compromised Github repositories in August 2022","trigger":"signature-base-master/yara/gen_github_repo_compromise_myjino_ru.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-08-03","description":"Detects URL mentioned in report on compromised Github repositories in August 2022","reference":"https://twitter.com/stephenlacy/status/1554697077430505473","rule":"MAL_Github_Repo_Compromise_MyJino_Ru_Aug22","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects HawkEye Keylogger Reborn","trigger":"signature-base-master/yara/gen_hawkeye.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-10","description":"Detects HawkEye Keylogger 
Reborn","hash1":"b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad","reference":"https://twitter.com/James_inthe_box/status/1072116224652324870","rule":"MAL_HawkEye_Keylogger_Gen_Dec18"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Venom - a library that meant to perform evasive communication using stolen browser socket","trigger":"signature-base-master/yara/gen_hktl_venom_lib.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Ido Veltzman, Florian Roth","date":"2022-12-17","description":"Detects Venom - a library that meant to perform evasive communication using stolen browser socket","reference":"https://github.com/Idov31/Venom","rule":"HKTL_Venom_LIB_Dec22","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Compiled Impacket Tools","trigger":"signature-base-master/yara/gen_impacket_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-07","description":"Compiled Impacket 
Tools","hash1":"4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3","hash10":"4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a","hash11":"47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d","hash12":"7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2","hash13":"9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f","hash14":"d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7","hash15":"8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699","hash16":"efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769","hash17":"e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b","hash18":"19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4","hash19":"2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086","hash2":"d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3","hash20":"202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094","hash3":"2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1","hash4":"ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6","hash5":"e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742","hash6":"27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364","hash7":"dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98","hash8":"0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b","hash9":"21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/maaaaz/impacket-examples-windows","rule":"Impacket_Tools_Generic_1","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies Impacket, a collection of Python classes for working with network 
protocols.","trigger":"signature-base-master/yara/gen_impacket_tools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-08-01","description":"Identifies Impacket, a collection of Python classes for working with network protocols.","fingerprint":"3c84db45525bc8981b832617b35c0b81193827313b23c7fede0b00badc3670f4","first_imported":"2021-12-30","id":"4slxMFaVQR9nCS6mQxIQj","last_modified":"2021-12-30","mitre_att":"S0357","reference":"https://github.com/SecureAuthCorp/impacket","rule":"Impacket","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"IMPACKET","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Invoke-Mimikatz String","trigger":"signature-base-master/yara/gen_invoke_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-03","description":"Detects Invoke-Mimikatz String","hash1":"f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz","rule":"Invoke_Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/yara/gen_invoke_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation 
Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Mimikatz","trigger":"signature-base-master/yara/gen_invoke_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Detection for Invoke-Mimikatz","fingerprint":"9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135","id":"355d5d3a-e50e-4614-9a84-0da668c40852","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96","rule":"Windows_Hacktool_Mimikatz_355d5d3a","scan_context":"file, memory","severity":"90","threat_name":"Windows.Hacktool.Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a command to execute PowerShell from String","trigger":"signature-base-master/yara/gen_invoke_psimage.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-16","description":"Detects a command to execute PowerShell from String","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/peewpw/Invoke-PSImage","rule":"Invoke_PSImage"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-09-27","alert":"Detects Invoke-WmiExec or Invoke-SmbExec","trigger":"signature-base-master/yara/gen_invoke_thehash.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-14","description":"Detects Invoke-WmiExec or Invoke-SmbExec","hash1":"674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Kevin-Robertson/Invoke-TheHash","rule":"Invoke_SMBExec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Invoke-WmiExec or Invoke-SmbExec","trigger":"signature-base-master/yara/gen_invoke_thehash.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-14","description":"Detects Invoke-WmiExec or Invoke-SmbExec","hash1":"140c23514dbf8043b4f293c501c2f9046efcc1c08630621f651cfedb6eed8b97","hash2":"7565d376665e3cd07d859a5cf37c2332a14c08eb808cc5d187a7f0533dc69e07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Kevin-Robertson/Invoke-TheHash","rule":"Invoke_WMIExec_Gen_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file kerberoast.py","trigger":"signature-base-master/yara/gen_kerberoast.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-21","description":"Auto-generated rule - file 
kerberoast.py","hash1":"73155949b4344db2ae511ec8cab85da1ccbf2dfec3607fb9acdc281357cdf380","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/skelsec/PyKerberoast","rule":"kerberoast_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Khepri C2 framework beacons","trigger":"signature-base-master/yara/gen_khepri.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-09-08","description":"Detects Khepri C2 framework beacons","hash1":"86c48679db5f4c085fd741ebec5235bc6cf0cdf8ef2d98fd8a689ceb5088f431","reference":"https://github.com/geemion/Khepri/","rule":"HKTL_Khepri_Beacon_Sep21_1","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Reflective DLL Loader","trigger":"signature-base-master/yara/gen_loaders.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader","hash1":"f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Reflective DLL Loader - suspicious - Possible FP could be program crack","trigger":"signature-base-master/yara/gen_loaders.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian 
Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader - suspicious - Possible FP could be program crack","hash1":"c2a7a2d0b05ad42386a2bedb780205b7c0af76fe9ee3d47bbe217562f627fcae","hash2":"b90831aaf8859e604283e5292158f08f100d4a2d4e1875ea1911750a6cb85fe0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_2","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Reflective DLL Loader","trigger":"signature-base-master/yara/gen_loaders.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects Reflective DLL Loader","hash1":"d10e4b3f1d00f4da391ac03872204dc6551d867684e0af2a4ef52055e771f474","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-12-21","reference":"Internal Research","rule":"Reflective_DLL_Loader_Aug17_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PowerShell AMSI Bypass","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-19","description":"Detects PowerShell AMSI Bypass","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1","rule":"PS_AMSI_Bypass","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects MSHTA Bypass","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-19","description":"Detects MSHTA Bypass","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/ItsReallyNick/status/887705105239343104","rule":"JS_Suspicious_MSHTA_Bypass","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious Javascript Run command","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-23","description":"Detects a suspicious Javascript Run command","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/craiu/status/900314063560998912","rule":"JavaScript_Run_Suspicious","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Certutil Decode","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-29","description":"Certutil Decode","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Certutil_Decode_OR_Download","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects suspicious statements in JavaScript files","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-02","description":"Detects suspicious statements in JavaScript files","hash1":"fc0fad39b461eb1cfc6be57932993fcea94fca650564271d1b74dd850c81602f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Research on Leviathan https://goo.gl/MZ7dRg","rule":"Suspicious_JS_script_content","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malicious obfuscated VBS observed in February 2018","trigger":"signature-base-master/yara/gen_mal_scripts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-02-12","description":"Detects malicious obfuscated VBS observed in February 2018","hash1":"06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab","hash2":"c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036","hash3":"e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/zPsn83","rule":"VBS_Obfuscated_Mal_Feb18_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","trigger":"signature-base-master/yara/gen_malware_set_qa.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth 
(Nextron Systems)","date":"2017-07-23","description":"Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip","hash1":"1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904","hash2":"1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a","hash3":"a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f","hash4":"cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0","hash5":"eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.clearskysec.com/tulip","rule":"WiltedTulip_ReflectiveLoader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"VT Research QA uploaded malware - file vqgk.dll","trigger":"signature-base-master/yara/gen_malware_set_qa.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-29","description":"VT Research QA uploaded malware - file vqgk.dll","hash1":"99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-12-21","reference":"VT Research QA","rule":"Malware_QA_vqgk","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.CobaltStrike","trigger":"signature-base-master/yara/gen_malware_set_qa.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-03-23","description":"Attempts to detect Cobalt Strike based on strings found in 
BEACON","fingerprint":"e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71","id":"ee756db7-e177-41f0-af99-c44646d334f7","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_CobaltStrike_ee756db7","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.CobaltStrike"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Merlin agent","trigger":"signature-base-master/yara/gen_merlin_agent.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Hilko Bengen","date":"2017-12-26","description":"Detects Merlin agent","filetype":"pe, elf, mach","reference":"https://github.com/Ne0nd0g/merlin","rule":"merlinAgent"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Metasploit Loader by RSMudge - file loader.exe","trigger":"signature-base-master/yara/gen_metasploit_loader_rsmudge.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-20","description":"Detects a Metasploit Loader by RSMudge - file loader.exe","hash1":"afe34bfe2215b048915b1d55324f1679d598a0741123bc24274d4edc6e395a8d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/rsmudge/metasploit-loader","rule":"Metasploit_Loader_RSMudge"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file 
msf.sh","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.sh","hash1":"320a01ec4e023fb5fbbaef963a2b57229e4f918847e5a49c7a3f631cb556e96c","modified":"2022-08-18","reference":"Internal Research","rule":"Msfpayloads_msf"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf-psh.vba","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-psh.vba","hash1":"5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_psh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf-exe.vba","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-exe.vba","hash1":"321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_exe"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf.psh","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.psh","hash1":"335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf.aspx","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf.aspx","hash1":"26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf-cmd.ps1","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-cmd.ps1","hash1":"9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal 
Research","rule":"Msfpayloads_msf_cmd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Metasploit Payloads - file msf-ref.ps1","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-09","description":"Metasploit Payloads - file msf-ref.ps1","hash1":"4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Msfpayloads_msf_ref"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Trojan.Metasploit","trigger":"signature-base-master/yara/gen_metasploit_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Identifies Meterpreter DLL used by Metasploit","fingerprint":"4fc7c309dca197f4626d6dba8afcd576e520dbe2a2dd6f7d38d7ba33ee371d55","id":"dd5ce989-3925-4e27-97c1-3b8927c557e9","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference":"https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/","reference_sample":"86cf98bf854b01a55e3f306597437900e11d429ac6b7781e090eeda3a5acb360","rule":"Windows_Trojan_Metasploit_dd5ce989","scan_context":"file, memory","severity":"90","threat_name":"Windows.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PowerShell with PE Reflective 
Injection","trigger":"signature-base-master/yara/gen_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Benjamin DELPY (gentilkiwi)","description":"PowerShell with PE Reflective Injection","rule":"power_pe_injection"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a log file generated by malicious hack tool mimikatz","trigger":"signature-base-master/yara/gen_mimikatz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/31","description":"Detects a log file generated by malicious hack tool mimikatz","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mimikatz_Logfile","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Mimikittenz - file Invoke-mimikittenz.ps1","trigger":"signature-base-master/yara/gen_mimikittenz.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-07-19","description":"Detects Mimikittenz - file Invoke-mimikittenz.ps1","hash1":"14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/putterpanda/mimikittenz","rule":"Invoke_mimikittenz","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Mimipenguin Password Extractor - 
Linux","trigger":"signature-base-master/yara/gen_mimipenguin.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-04-01","description":"Detects Mimipenguin Password Extractor - Linux","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/huntergregal/mimipenguin","rule":"Mimipenguin_SH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious OneNote attachment that embeds suspicious payload, e.g. an executable (FPs possible if the PE is attached separately)","trigger":"signature-base-master/yara/gen_onenote_phish.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2023-01-27","description":"Detects suspicious OneNote attachment that embeds suspicious payload, e.g. 
an executable (FPs possible if the PE is attached separately)","reference":"Internal Research","rule":"SUSP_Email_Suspicious_OneNote_Attachment_Jan23_1","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Bella MacOS/OSX backdoor","trigger":"signature-base-master/yara/gen_osx_backdoor_bella.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"John Lambert @JohnLaTwC","date":"2018-02-23","description":"Bella MacOS/OSX backdoor","hash":"4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be","reference":"https://twitter.com/JohnLaTwC/status/911998777182924801","rule":"OSX_backdoor_Bella"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EvilOSX MacOS/OSX backdoor","trigger":"signature-base-master/yara/gen_osx_evilosx.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"John Lambert @JohnLaTwC","date":"2018-02-23","description":"EvilOSX MacOS/OSX backdoor","hash":"89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a","reference":"https://github.com/Marten4n6/EvilOSX, https://twitter.com/JohnLaTwC/status/966139336436498432","rule":"OSX_backdoor_EvilOSX"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs","hash1":"6a3ba991d3b5d127c4325bc194b3241dde5b3a5853b78b4df1bce7cbe87c0fdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedPowerCat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs","hash1":"aff2b694a01b48ef96c82daf387b25845abbe01073b76316f1aab3142fdb235b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedPotato"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs","hash1":"54548e7848e742566f5596d8f02eca1fd2cbfeae88648b01efb7bab014b9301b","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedExploits"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs","hash1":"fd7014625b58d00c6e54ad0e587c6dba5d50f8ca4b0f162d5af3357c2183c7a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedBinaries"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs","hash1":"345e8e6f38b2914f4533c4c16421d372d61564a4275537e674a2ac3360b19284","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedAmsiBypass"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, 
p0wnedShell.cs","trigger":"signature-base-master/yara/gen_p0wnshell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-01-14","description":"p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"p0wnedShell_outputs","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments","trigger":"signature-base-master/yara/gen_phish_attachments.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-29","description":"Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments","hash1":"caaa5c5733fca95804fffe70af82ee505a8ca2991e4cc05bc97a022e5f5b331c","hash2":"a746d8c41609a70ce10bc69d459f9abb42957cc9626f2e83810c1af412cb8729","reference":"https://twitter.com/0xtoxin/status/1540524891623014400?s=12\u0026t=IQ0OgChk8tAIdTHaPxh0Vg","rule":"SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pirpi Backdoor - and other malware (generic rule)","trigger":"signature-base-master/yara/gen_pirpi.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2016-09-08","description":"Detects Pirpi Backdoor - and other malware (generic rule)","hash1":"2a5a0bc350e774bd784fc25090518626b65a3ce10c7401f44a1616ea2ae32f4c","hash2":"8caa179ec20b6e3938d17132980e0b9fe8ef753a70052f7e857b339427eb0f78","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"Pirpi_1609_A"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pirpi Backdoor","trigger":"signature-base-master/yara/gen_pirpi.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects Pirpi Backdoor","hash1":"498b98c02e19f4b03dc6a3a8b6ff8761ef2c0fedda846ced4b6f1c87b52468e7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"Pirpi_1609_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects hack tool PowerShdll","trigger":"signature-base-master/yara/gen_powershdll.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-03","description":"Detects hack tool PowerShdll","hash1":"4d33bc7cfa79d7eefc5f7a99f1b052afdb84895a411d7c30045498fd4303898a","hash2":"f999db9cc3a0719c19f35f0e760f4ce3377b31b756d8cd91bb8270acecd7be7d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/p3nt4/PowerShdll","rule":"PowerShdll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings 
found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1","hash":"ab0f900a6915b7497313977871a64c3658f3e6f73f11b03d2d33ca61305dc6a8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/PowerShellEmpire/Empire","rule":"Empire_Invoke_BypassUAC","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Empire - a pure PowerShell post-exploitation 
agent - file Persistence.psm1","hash":"ae8875f7fcb8b4de5cf9721a9f5a9f7782f7c436c86422060ecdc5181e31092f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/PowerShellEmpire/Empire","rule":"Empire_Persistence","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1","hash":"fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/PowerShellEmpire/Empire","rule":"Empire_Invoke_Shellcode","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-08-06","description":"Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1","hash":"c5481864b757837ecbc75997fa24978ffde3672b8a144a55478ba9a864a19466","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/PowerShellEmpire/Empire","rule":"Empire_Invoke_Mimikatz","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Mimikatz","trigger":"signature-base-master/yara/gen_powershell_empire.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Detection for Invoke-Mimikatz","fingerprint":"9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135","id":"355d5d3a-e50e-4614-9a84-0da668c40852","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96","rule":"Windows_Hacktool_Mimikatz_355d5d3a","scan_context":"file, memory","severity":"90","threat_name":"Windows.Hacktool.Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects PowerShell ISESteroids obfuscation","trigger":"signature-base-master/yara/gen_powershell_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-23","description":"Detects PowerShell ISESteroids obfuscation","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/danielhbohannon/status/877953970437844993","rule":"PowerShell_ISESteroids_Obfuscation"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators often found in obfuscated PowerShell 
scripts","trigger":"signature-base-master/yara/gen_powershell_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-27","description":"Detects indicators often found in obfuscated PowerShell scripts","reference":"https://github.com/corneacristian/mimikatz-bypass/","rule":"SUSP_OBFUSC_PowerShell_True_Jun20_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings from scripts in the PowerShell-Suite repo","trigger":"signature-base-master/yara/gen_powershell_suite.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-12-27","description":"Detects strings from scripts in the PowerShell-Suite repo","hash1":"79071ba5a984ee05903d566130467483c197cbc2537f25c1e3d7ae4772211fe0","hash10":"5608f25930f99d78804be8c9c39bd33f4f8d14360dd1e4cc88139aa34c27376d","hash11":"68b6c0b5479ecede3050a2f44f8bb8783a22beeef4a258c4ff00974f5909b714","hash12":"da25010a22460bbaabff0f7004204aae7d830348e8a4543177b1f3383b2c3100","hash2":"db31367410d0a9ffc9ed37f423a4b082639591be7f46aca91f5be261b23212d5","hash3":"4f51e7676a4d54c1962760ca0ac81beb28008451511af96652c31f4f40e8eb8e","hash4":"17ac9bb0c46838c65303f42a4a346fcba838ebd5833b875e81dd65c82701d8a8","hash5":"fa33aef619e620a88ecccb990e71c1e11ce2445f799979d23be2d1ad4321b6c6","hash6":"5542bd89005819bc4eef8dfc8a158183e5fd7a1438c84da35102588f5813a225","hash7":"c6a99faeba098eb411f0a9fcb772abac2af438fc155131ebfc93a00e3dcfad50","hash8":"a8e06ecf5a8c25619ce85f8a23f2416832cabb5592547609cfea8bd7fcfcc93d","hash9":"6aa5abf58904d347d441ac8852bd64b2bad3b5b03b518bdd06510931a6564d08","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/FuzzySecurity/PowerShell-Suite","rule":"PowerShell_Suite_Hacktools_Gen_Strings"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects obfuscated PowerShell hacktools","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-11","description":"Detects obfuscated PowerShell hacktools","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-06-12","reference":"https://twitter.com/danielhbohannon/status/905096106924761088","rule":"PowerShell_Case_Anomaly","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious PowerShell code","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-22","description":"Detects suspicious PowerShell code","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Suspicious_PowerShell_Code_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects base464 encoded $ sign at the beginning of a string","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2018-04-02","description":"Detects base464 encoded $ sign at the beginning of a string","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/ItsReallyNick/status/980915287922040832","rule":"PowerShell_JAB_B64","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious base64 encoded PowerShell expressions","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-01-25","description":"Detects suspicious base64 encoded PowerShell expressions","reference":"https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639","rule":"SUSP_PS1_FromBase64String_Content_Indicator"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.","trigger":"signature-base-master/yara/gen_powershell_susp.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-12-01","description":"Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.","fingerprint":"6c78cbc1250afb36970d87d8ee2fe8409f57c9d34251d6e3908454e6643f92e3","first_imported":"2021-12-30","id":"3xg5wneq3ZntsMg61ltshS","last_modified":"2021-12-30","rule":"MalScript_Tricks","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious PowerShell code that downloads from web sites","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-22","description":"Detects suspicious PowerShell code that downloads from web sites","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-07-27","nodeepdive":"1","reference":"Internal Research","rule":"Suspicious_PowerShell_WebDownload_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file Invoke-Shellcode.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file 
Invoke-Shellcode.ps1","hash1":"24abe9f3f366a3d269f8681be80c99504dea51e50318d83ee42f9a4c7435999a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Shellcode","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file Invoke-Mimikatz.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-Mimikatz.ps1","hash1":"5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Mimikatz","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file Invoke-RelfectivePEInjection.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Invoke-RelfectivePEInjection.ps1","hash1":"510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_RelfectivePEInjection","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file Persistence.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - file Persistence.ps1","hash1":"e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Persistence","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1","hash1":"5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8","hash2":"510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection","score":"80","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files 
Inveigh-BruteForce.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Inveigh-BruteForce.ps1","hash1":"a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Inveigh_BruteForce_2","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files Persistence.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Persistence.ps1","hash1":"e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Persistence_2","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - from files Inveigh-BruteForce.ps1","trigger":"signature-base-master/yara/gen_powershell_toolkit.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-04","description":"Auto-generated rule - from files Inveigh-BruteForce.ps1","hash3":"a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8","license":"Detection Rule 
License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/vysec/ps1-toolkit","rule":"ps1_toolkit_Inveigh_BruteForce_3","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Base64 encoded PS1 Shellcode","trigger":"signature-base-master/yara/gen_ps1_shellcode.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nick Carr, David Ledbetter","date":"2018-11-14","description":"Detects Base64 encoded PS1 Shellcode","reference":"https://twitter.com/ItsReallyNick/status/1062601684566843392","rule":"Base64_PS1_Shellcode","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","trigger":"signature-base-master/yara/gen_ps_osiris.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-27","description":"Osiris Device Guard Bypass - file Invoke-OSiRis.ps1","hash1":"19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Invoke_OSiRis"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pupy RAT","trigger":"signature-base-master/yara/gen_pupy_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-17","description":"Detects Pupy 
RAT","hash1":"8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations","rule":"APT_PupyRAT_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pupy backdoor","trigger":"signature-base-master/yara/gen_pupy_rat.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-11","description":"Detects Pupy backdoor","hash1":"ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153","hash2":"83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4","hash3":"90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc","hash4":"20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8","hash5":"06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e","hash6":"be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2","hash7":"8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/n1nj4sec/pupy-binaries","rule":"Pupy_Backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects reverse connect TCP PTY shell","trigger":"signature-base-master/yara/gen_python_pty_shell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Jeff Beley","date":"2019-10-19","description":"Detects reverse connect TCP PTY 
shell","hash1":"cae9833292d3013774bdc689d4471fd38e4a80d2d407adf9fa99bc8cde3319bf","reference":"https://github.com/infodox/python-pty-shells/blob/master/tcp_pty_backconnect.py","rule":"HKTL_Reverse_Connect_TCP_PTY_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Adzok RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"Versions":"Free 1.0.0.3,","author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.05.2015","description":"Detects Adzok RAT","filetype":"jar","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Adzok","rule":"RAT_Adzok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Ap0calypse RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Ap0calypse RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Ap0calypse","rule":"RAT_Ap0calypse"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BlackShades RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Brian Wallace (@botnet_hunter)","date":"01.04.2014","description":"Detects BlackShades 
RAT","family":"blackshades","reference":"http://blog.cylance.com/a-study-in-bots-blackshades-net","rule":"RAT_BlackShades"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BlueBanana RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects BlueBanana RAT","filetype":"Java","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/BlueBanana","rule":"RAT_BlueBanana"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Bozok RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Bozok RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Bozok","rule":"RAT_Bozok"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ClientMesh RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.06.2014","description":"Detects ClientMesh RAT","family":"torct","reference":"http://malwareconfig.com/stats/ClientMesh","rule":"RAT_ClientMesh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects DarkComet RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects DarkComet RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/DarkComet","rule":"RAT_DarkComet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects DarkRAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects DarkRAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/DarkRAT","rule":"RAT_DarkRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JavaDropper RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.10.2015","description":"Detects JavaDropper RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/JavaDropper","rule":"RAT_JavaDropper"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects LostDoor 
RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects LostDoor RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/LostDoor","rule":"RAT_LostDoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Paradox RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Paradox RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Paradox","rule":"RAT_Paradox"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects QRAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen @KevTheHermit","date":"01.08.2015","description":"Detects QRAT","filetype":"jar","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com","rule":"RAT_QRat"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ShadowTech RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects ShadowTech 
RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/ShadowTech","rule":"RAT_ShadowTech"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Sub7Nation RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e (slightly modified by Florian Roth to improve performance)","date":"01.04.2014","description":"Detects Sub7Nation RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Sub7Nation","rule":"RAT_Sub7Nation"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Vertex RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Vertex RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/Vertex","rule":"RAT_Vertex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Adwind RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects Adwind RAT","filetype":"exe","maltype":"Remote Access 
Trojan","reference":"http://malwareconfig.com/stats/adWind","rule":"RAT_adWind"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects unrecom RAT","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Kevin Breen \u003ckevin@techanarchy.net\u003e","date":"01.04.2014","description":"Detects unrecom RAT","filetype":"exe","maltype":"Remote Access Trojan","reference":"http://malwareconfig.com/stats/unrecom","rule":"RAT_unrecom"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-27","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"signature-base-master/yara/gen_rats_malwareconfig.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. 
diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects outputs of many different commands often used for reconnaissance purposes","trigger":"signature-base-master/yara/gen_recon_indicators.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-04","description":"Detects outputs of many different commands often used for reconnaissance purposes","reference":"https://securelist.com/cycldek-bridging-the-air-gap/97157/","rule":"SUSP_Recon_Outputs_Jun20_1","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Red Sails Hacktool - Python","trigger":"signature-base-master/yara/gen_redsails.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-10-02","description":"Detects Red Sails Hacktool - Python","hash1":"6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661","hash2":"5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/BeetleChunks/redsails","rule":"redSails_PY"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects code which uses the python lib 
sectools","trigger":"signature-base-master/yara/gen_susp_hacktool.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2023-01-27","description":"Detects code which uses the python lib sectools","hash":"8cd205d5380278cff6673520439057e78fb8bf3d2b1c3c9be8463e949e5be4a1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/p0dalirius/sectools","rule":"HKTL_Python_sectools","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an executable that has been encoded with base64 twice","trigger":"signature-base-master/yara/gen_susp_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-29","description":"Detects an executable that has been encoded with base64 twice","hash1":"1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9","reference":"https://twitter.com/TweeterCyber/status/1189073238803877889","rule":"SUSP_Double_Base64_Encoded_Executable"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an base64 encoded executable with reversed characters","trigger":"signature-base-master/yara/gen_susp_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-06","description":"Detects an base64 encoded executable with reversed characters","hash1":"7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8","reference":"Internal 
Research","rule":"SUSP_Reversed_Base64_Encoded_EXE","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious path traversal into a Windows folder","trigger":"signature-base-master/yara/gen_susp_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-10","description":"Detects a suspicious path traversal into a Windows folder","reference":"https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/","rule":"SUSP_Reversed_Hacktool_Author","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious base64 encoded keyword","trigger":"signature-base-master/yara/gen_susp_obfuscation.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-10","description":"Detects a suspicious base64 encoded keyword","reference":"https://twitter.com/cyb3rops/status/1270626274826911744","rule":"SUSP_Base64_Encoded_Hacktool_Dev","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious ","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-20","description":"Detects a suspicious ","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100","rule":"Suspicious_Script_Running_from_HTTP","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious string in executables","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-10-24","description":"Detects suspicious string in executables","hash1":"7bd7cec82ee98feed5872325c2f8fd9f0ea3a2f6cd0cd32bcbe27dbbfd0d7da1","reference":"https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739","rule":"SUSP_Win32dll_String"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious command line with netsh and the portproxy command","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-04-20","description":"Detects a suspicious command line with netsh and the portproxy command","hash1":"9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09","reference":"https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy","rule":"SUSP_Netsh_PortProxy_Command","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects method to disable ETW in ENV vars before executing a 
program","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-06-06","description":"Detects method to disable ETW in ENV vars before executing a program","reference":"https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3","rule":"SUSP_Disable_ETW_Jun20_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"signature-base-master/yara/gen_suspicious_strings.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_Encoded_Discord_Attachment_Oct21_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects base464 encoded $ sign at the beginning of a string","trigger":"signature-base-master/yara/gen_unicorn_obfuscated_powershell.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-04-02","description":"Detects base464 encoded $ sign at the beginning of a string","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://twitter.com/ItsReallyNick/status/980915287922040832","rule":"PowerShell_JAB_B64","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-09-27","alert":"Detects local script usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)","date":"27.09.2019","description":"Detects local script usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Suspicious_Shortcut_Local_URL","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This is the syntax used for NTLM hash stealing via Responder - https://www.securify.nl/nl/blog/SFY20180501/living-off-the-land_-stealing-netntlm-hashes.html","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"This is the syntax used for NTLM hash stealing via Responder - https://www.securify.nl/nl/blog/SFY20180501/living-off-the-land_-stealing-netntlm-hashes.html","reference":"https://twitter.com/ItsReallyNick/status/1176241449148588032","rule":"Methodology_Suspicious_Shortcut_IconRemote_SMBorLocal","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL 
persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Suspicious_Shortcut_BaseURLSyntax","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Contains_Shortcut_OtherURIhandlers","score":"35"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/ItsReallyNick/status/1176229087196696577","rule":"Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL 
persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Suspicious_Shortcut_WorkingDirRemote_HTTP","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_persitence.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Suspicious_Shortcut_WorkingDirRemote_SMB","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects possible shortcut usage for .URL persistence","trigger":"signature-base-master/yara/gen_url_to_local_exe.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@itsreallynick (Nick Carr)","date":"27.09.2019","description":"Detects possible shortcut usage for .URL persistence","reference":"https://twitter.com/cglyer/status/1176184798248919044","rule":"Methodology_Contains_Shortcut_OtherURIhandlers","score":"35"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell obfuscated by encoding of mixed hex and dec","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/18","description":"PHP webshell obfuscated by encoding of mixed hex and dec","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_obfuscated_encoding_mixed_dec_and_hex"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell which eval()s obfuscated string","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/12","description":"PHP webshell which eval()s obfuscated string","hash":"a698441f817a9a72908a0d93a34133469f33a7b34972af3e351bdccae0737d99","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_obfuscated_fopo"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/09","description":"Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. 
Most are catched by other rules in here but maybe these catch different versions.","hash":"7b6471774d14510cf6fa312a496eed72b614f6fc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_by_string_known_webshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell regeorg JSP version","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/24","description":"Webshell regeorg JSP version","hash":"6db49e43722080b5cd5f07e058a073ba5248b584","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/sensepost/reGeorg","rule":"webshell_jsp_regeorg"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell with base64 encoded payload","trigger":"signature-base-master/yara/gen_webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/24","description":"Generic JSP webshell with base64 encoded 
payload","hash":"1b916afdd415dfa4e77cecf47321fd676ba2184d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic_base64"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic PHP webshell which uses any eval/exec function in the same line with user input","trigger":"signature-base-master/yara/gen_webshells_ext_vars.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic PHP webshell which uses any eval/exec function in the same line with user input","hash":"90c5cc724ec9cf838e4229e5e08955eec4d7bf95","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2021-10-29","rule":"webshell_php_generic_eval"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe","trigger":"signature-base-master/yara/gen_win_privesc.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-02","description":"Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe","hash1":"7d34e214ef2ca33516875fb91a72d5798f89b9ea8964d3990f99863c79530c06","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/","rule":"Win_PrivEsc_gp3finder_v4_0","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool that 
can be used for privilege escalation - file folderperm.ps1","trigger":"signature-base-master/yara/gen_win_privesc.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-02","description":"Detects a tool that can be used for privilege escalation - file folderperm.ps1","hash1":"1aa87df34826b1081c40bb4b702750587b32d717ea6df3c29715eb7fc04db755","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.greyhathacker.net/?p=738","rule":"Win_PrivEsc_folderperm","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects WinPayloads PowerShell Payload","trigger":"signature-base-master/yara/gen_winpayloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-11","description":"Detects WinPayloads PowerShell Payload","hash1":"011eba8f18b66634f6eb47527b4ceddac2ae615d6861f89a35dbb9fc591cae8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/nccgroup/Winpayloads","rule":"WinPayloads_PowerShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects simple Windows shell - file s3.exe","trigger":"signature-base-master/yara/gen_winshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - file s3.exe","hash":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_s3"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects simple Windows shell - file s1.exe","trigger":"signature-base-master/yara/gen_winshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - file s1.exe","hash":"4a397497cfaf91e05a9b9d6fa6e335243cca3f175d5d81296b96c13c624818bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindosShell_s1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe","trigger":"signature-base-master/yara/gen_winshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe","hash1":"a7c3d85eabac01e7a7ec914477ea9f17e3020b3b2f8584a46a98eb6a2a7611c5","hash2":"4a397497cfaf91e05a9b9d6fa6e335243cca3f175d5d81296b96c13c624818bd","hash3":"df0693caae2e5914e63e9ee1a14c1e9506f13060faed67db5797c9e61f3907f0","hash4":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","hash5":"f00a1af494067b275407c449b11dfcf5cb9b59a6fac685ebd3f0eb193337e1d6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_Gen","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects simple Windows shell - from files s3.exe, s4.exe","trigger":"signature-base-master/yara/gen_winshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-26","description":"Detects simple Windows shell - from files s3.exe, s4.exe","hash1":"344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d","hash2":"f00a1af494067b275407c449b11dfcf5cb9b59a6fac685ebd3f0eb193337e1d6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/odzhan/shells/","rule":"WindowsShell_Gen2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file WMImplant.ps1","trigger":"signature-base-master/yara/gen_wmi_implant.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-03-24","description":"Auto-generated rule - file WMImplant.ps1","hash1":"860d7c237c2395b4f51b8c9bd0ee6cab06af38fff60ce3563d160d50c11d2f78","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html","rule":"WMImplant"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Ysoserial Payloads - file 
Spring1.bin","trigger":"signature-base-master/yara/gen_ysoserial_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial Payloads - file Spring1.bin","hash1":"bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703","hash2":"9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a","hash3":"8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8","hash4":"5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c","hash5":"95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1","hash6":"1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187","hash7":"adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload_Spring1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Ysoserial Payloads","trigger":"signature-base-master/yara/gen_ysoserial_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial 
Payloads","hash1":"9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a","hash10":"0143fee12fea5118be6dcbb862d8ba639790b7505eac00a9f1028481f874baa8","hash11":"8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8","hash12":"bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703","hash13":"f756c88763d48cb8d99e26b4773eb03814d0bd9bd467cc743ebb1479b2c4073e","hash2":"adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7","hash3":"1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187","hash4":"5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c","hash5":"747ba6c6d88470e4d7c36107dfdff235f0ed492046c7ec8a8720d169f6d271f4","hash6":"f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929","hash7":"5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56","hash8":"95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1","hash9":"1fea8b54bb92249203d68d5564a01599b42b46fc3a828fe0423616ee2a2f2d99","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin","trigger":"signature-base-master/yara/gen_ysoserial_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-04","description":"Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin","hash1":"f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929","hash2":"5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/frohoff/ysoserial","rule":"Ysoserial_Payload_3","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects lines in log lines of Zoho products that indicate RCE fixes (silent removal of evidence)","trigger":"signature-base-master/yara/gen_zoho_rcef_logs.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-12-06","description":"Detects lines in log lines of Zoho products that indicate RCE fixes (silent removal of evidence)","reference":"https://twitter.com/cyb3rops/status/1467784104930385923","rule":"EXPL_Zoho_RCE_Fix_Lines_Dec21_1","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Certutil Decode","trigger":"signature-base-master/yara/general_cloaking.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-08-29","description":"Certutil Decode","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Certutil_Decode_OR_Download","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"NTML Hash Dump output file - John/LC format","trigger":"signature-base-master/yara/generic_dumps.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-10-01","description":"NTML Hash Dump output file - John/LC format","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"NTLM_Dump_Output","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects payload generated by exe2hex","trigger":"signature-base-master/yara/generic_exe2hex_payload.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-15","description":"Detects payload generated by exe2hex","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/g0tmi1k/exe2hex","rule":"Payload_Exe2Hex","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hunts for known strings used in Badger till release v1.2.9 when not in an encrypted state","trigger":"signature-base-master/yara/hktl_bruteratel_c4.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"@ninjaparanoid","date":"2022-11-19","description":"Hunts for known strings used in Badger till release v1.2.9 when not in an encrypted state","reference":"https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara","rule":"brc4_core","version":"first version"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects NatBypass tool (also used by APT41)","trigger":"signature-base-master/yara/hktl_natbypass.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-12-27","description":"Detects NatBypass tool (also used by 
APT41)","hash1":"4550635143c9997d5499d1d4a4c860126ee9299311fed0f85df9bb304dca81ff","reference":"https://github.com/cw1997/NATBypass","rule":"HKTL_NATBypass_Dec22_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout","trigger":"signature-base-master/yara/log_teamviewer_keyboard_layouts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-12","description":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout","limit":"Logscan","modified":"2020-12-16","reference":"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs","rule":"LOG_TeamViewer_Connect_Chinese_Keyboard_Layout","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout","trigger":"signature-base-master/yara/log_teamviewer_keyboard_layouts.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-12","description":"Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout","limit":"Logscan","modified":"2022-12-07","reference":"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs","rule":"LOG_TeamViewer_Connect_Russian_Keyboard_Layout","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects SALTWATER malware used in Barracuda ESG exploitations (CVE-2023-2868)","trigger":"signature-base-master/yara/mal_lnx_barracuda_cve_2023_2868.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-07","description":"Detects SALTWATER malware used in Barracuda ESG exploitations (CVE-2023-2868)","hash1":"601f44cc102ae5a113c0b5fe5d18350db8a24d780c0ff289880cc45de28e2b80","reference":"https://www.barracuda.com/company/legal/esg-vulnerability","rule":"MAL_ELF_SALTWATER_Jun23_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BPFDoor malware","trigger":"signature-base-master/yara/mal_lnx_implant_may22.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-05-11","description":"Detects BPFDoor malware","hash1":"afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7","reference":"https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game","rule":"MAL_LNX_RedMenshen_BPFDoor_May23_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BPFDoor implants used by Chinese actor Red Menshen","trigger":"signature-base-master/yara/mal_lnx_implant_may22.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-05-08","description":"Detects BPFDoor implants used by Chinese actor Red 
Menshen","hash1":"144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3","hash2":"fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73","reference":"https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896","rule":"APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects BPFDoor/Tricephalic Hellkeeper passive implant","trigger":"signature-base-master/yara/mal_lnx_implant_may22.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Exatrack","date":"2022-05-09","description":"Detects BPFDoor/Tricephalic Hellkeeper passive implant","reference":"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf","rule":"APT_MAL_LNX_RedMenshen_BPFDoor_Tricephalic_Implant_May22","score":"90"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects LockBit ransomware samples for Linux and macOS","trigger":"signature-base-master/yara/mal_lockbit_lnx_macos_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-15","description":"Detects LockBit ransomware samples for Linux and 
macOS","hash1":"0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e","hash2":"9ebcbaf3c9e2bbce6b2331238ab584f95f7ced326ca4aba2ddcc8aa8ee964f66","hash3":"a405d034c01a357a89c9988ffe8a46a165915df18fd297469b2bcaaf97578442","hash4":"c9cac06c9093e9026c169adc3650b018d29c8b209e3ec511bbe34cbe1638a0d8","hash5":"dc3d08480f5e18062a0643f9c4319e5c3f55a2e7e93cd8eddd5e0c02634df7cf","hash6":"e77124c2e9b691dbe41d83672d3636411aaebc0aff9a300111a90017420ff096","hash7":"0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde","hash8":"3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79","reference":"https://twitter.com/malwrhunterteam/status/1647384505550876675?s=20","rule":"MAL_RANSOM_LNX_macOS_LockBit_Apr23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects indicators found in LockBit ransomware log files","trigger":"signature-base-master/yara/mal_lockbit_lnx_macos_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects indicators found in LockBit ransomware log files","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_Locker_LOG_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects forensic artifacts found in LockBit intrusions","trigger":"signature-base-master/yara/mal_lockbit_lnx_macos_apr23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-04-17","description":"Detects forensic artifacts found in LockBit 
intrusions","reference":"https://objective-see.org/blog/blog_0x75.html","rule":"MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects double encoded PKZIP headers as seen in HTML files used by QBot","trigger":"signature-base-master/yara/mal_qbot_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-10-07","description":"Detects double encoded PKZIP headers as seen in HTML files used by QBot","hash1":"4f384bcba31fda53e504d0a6c85cee0ce3ea9586226633d063f34c53ddeaca3f","hash2":"8e61c2b751682becb4c0337f5a79b2da0f5f19c128b162ec8058104b894cae9b","hash3":"c5d23d991ce3fbcf73b177bc6136d26a501ded318ccf409ca16f7c664727755a","hash4":"5072d91ee0d162c28452123a4d9986f3df6b3244e48bf87444ce88add29dd8ed","hash5":"ff4e21f788c36aabe6ba870cf3b10e258c2ba6f28a2d359a25d5a684c92a0cad","reference":"https://twitter.com/ankit_anubhav/status/1578257383133876225?s=20\u0026t=Bu3CCJCzImpTGOQX_KGsdA","rule":"MAL_QBot_HTML_Smuggling_Indicators_Oct22_1","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-27","alert":"Detects QBOT HTML smuggling variants","trigger":"signature-base-master/yara/mal_qbot_payloads.yar","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Ankit Anubhav - ankitanubhav.info","date":"2022-06-26","description":"Detects QBOT HTML smuggling variants","malpedia_family":"win.qakbot","rule":"QBOT_HTMLSmuggling_a","yarahub_author_email":"ankit.yara@inbox.ru","yarahub_author_twitter":"@ankit_anubhav","yarahub_license":"CC0 
1.0","yarahub_reference_link":"https://twitter.com/ankit_anubhav","yarahub_reference_md5":"1807f10ee386d0702bbfcd1a4da76fd1","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"8db8aecd-53ae-4772-8d9c-38b121cfe0e0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh","trigger":"signature-base-master/yara/mal_ransom_esxi_attacks_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-04","description":"Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh","hash1":"10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459","reference":"https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14","rule":"MAL_RANSOM_SH_ESXi_Attacks_Feb23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ransomware exploiting and encrypting ESXi servers","trigger":"signature-base-master/yara/mal_ransom_esxi_attacks_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-02-04","description":"Detects ransomware exploiting and encrypting ESXi servers","hash1":"11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66","reference":"https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14","rule":"MAL_RANSOM_ELF_ESXi_Attacks_Feb23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects Python backdoor found on ESXi servers","trigger":"signature-base-master/yara/mal_ransom_esxi_attacks_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-12-14","description":"Detects Python backdoor found on ESXi servers","reference":"https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers","rule":"APT_PY_ESXi_Backdoor_Dec22","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects malicious script found on ESXi servers","trigger":"signature-base-master/yara/mal_ransom_esxi_attacks_feb23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2022-12-14","description":"Detects malicious script found on ESXi servers","reference":"https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers","rule":"APT_SH_ESXi_Backdoor_Dec22","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects mining pool protocol string in Executable","trigger":"signature-base-master/yara/pua_cryptocoin_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-04","description":"Detects mining pool protocol string in Executable","modified":"2021-10-26","nodeepdive":"1","reference":"https://minergate.com/faq/what-pool-address","rule":"CoinMiner_Strings","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects CoinHive - JavaScript Crypto 
Miner","trigger":"signature-base-master/yara/pua_cryptocoin_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-01-04","description":"Detects CoinHive - JavaScript Crypto Miner","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://coinhive.com/documentation/miner","rule":"CoinHive_Javascript_MoneroMiner","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Crypto Miner strings","trigger":"signature-base-master/yara/pua_cryptocoin_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-01-31","description":"Detects Crypto Miner strings","hash1":"ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05","reference":"Internal Research","rule":"PUA_CryptoMiner_Jan19_1","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects command line parameters often used by crypto mining software","trigger":"signature-base-master/yara/pua_cryptocoin_miner.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-24","description":"Detects command line parameters often used by crypto mining software","reference":"https://www.poolwatch.io/coin/monero","rule":"PUA_Crypto_Mining_CommandLine_Indicators_Oct21","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Rule to detect the EquationLaser 
malware","trigger":"signature-base-master/yara/spy_equation_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"copyright":"Kaspersky Lab","description":"Rule to detect the EquationLaser malware","last_modified":"2015-02-16","reference":"https://securelist.com/blog/","rule":"apt_equation_equationlaser_runtimeclasses","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","trigger":"signature-base-master/yara/spy_equation_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems) @4nc4p","date":"2015/03/11","description":"EquationDrug - HDD/SSD firmware operation - nls_933w.dll","hash":"ff2b50f371eb26f22eb8a2118e9ab0e015081500","reference":"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/","rule":"EquationDrug_HDDSSD_Op"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"FiveEyes QUERTY Malware - file 20123_cmdDef.xml","trigger":"signature-base-master/yara/spy_querty_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20123_cmdDef.xml","hash":"7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20123_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"FiveEyes QUERTY Malware - file 20123.xml","trigger":"signature-base-master/yara/spy_querty_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20123.xml","hash":"edc7228b2e27df9e7ff9286bddbf4e46adb51ed9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwareqwerty_20123"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"FiveEyes QUERTY Malware - file 20120_cmdDef.xml","trigger":"signature-base-master/yara/spy_querty_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20120_cmdDef.xml","hash":"cda9ceaf0a39d6b8211ce96307302a53dfbd71ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20120_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"FiveEyes QUERTY Malware - file 20121_cmdDef.xml","trigger":"signature-base-master/yara/spy_querty_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/18","description":"FiveEyes QUERTY Malware - file 20121_cmdDef.xml","hash":"64ac06aa4e8d93ea6063eade7ce9687b1d035907","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://www.spiegel.de/media/media-35668.pdf","rule":"FiveEyes_QUERTY_Malwaresig_20121_cmdDef"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Malware Sample - maybe Regin related","trigger":"signature-base-master/yara/spy_regin_fiveeyes.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-06-03","description":"Malware Sample - maybe Regin related","hash":"76c355bfeb859a347e38da89e3d30a6ff1f94229","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"VT Analysis","rule":"Regin_Related_Malware","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Invoke-Mimikatz String","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-03","description":"Detects Invoke-Mimikatz String","hash1":"f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz","rule":"Invoke_Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects strings found in Runspace Post Exploitation Toolkit","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian 
Roth","date":"2017-01-14","description":"Detects strings found in Runspace Post Exploitation Toolkit","hash1":"e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-02-10","nodeepdive":"1","reference":"https://github.com/Cn33liz/p0wnedShell","rule":"Hacktool_Strings_p0wnedShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic JSP webshell","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic JSP webshell","hash":"ee9408eb923f2d16f606a5aaac7e16b009797a07","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Windows Credential Editor","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Windows Credential Editor","rule":"WindowsCredentialEditor","score":"90","threat_level":"10"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Amplia Security Tool like Windows Credential Editor","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2013-01-01","description":"Detects Amplia Security Tool like Windows Credential 
Editor","modified":"2023-02-14","nodeepdive":"1","rule":"HKTL_Amplia_Security_Tool","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PwDump 6 variant","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Marc Stroebel","date":"2014-04-24","description":"PwDump 6 variant","rule":"PwDump","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PScan - Port Scanner","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"F. Roth","description":"PScan - Port Scanner","rule":"PScan_Portscan_1","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Hacktool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"description":"Hacktool","rule":"HackTool_Samples","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This signature detects the Fierce2 domain scanner","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the Fierce2 domain scanner","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Fierce2","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This signature detects the Ncrack brute force tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the Ncrack brute force tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Ncrack","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"This signature detects the SQLMap SQL injection tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"01.07.2014","description":"This signature detects the SQLMap SQL injection tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"SQLMap","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file PortScanner.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file PortScanner.exe","hash":"b381b9212282c0c650cb4b0323436c63","rule":"PortScanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file NetBIOS Name Scanner.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file NetBIOS Name Scanner.exe","hash":"888ba1d391e14c0a9c829f5a1964ca2c","rule":"NetBIOS_Name_Scanner"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file ipscan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file ipscan.exe","hash":"6c1bcf0b1297689c8c4c12cc70996a75","rule":"FeliksPack3___Scanners_ipscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file IP Stealing Utilities.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file IP Stealing Utilities.exe","hash":"65646e10fb15a2940a37c5ab9f59c7fc","rule":"IP_Stealing_Utilities"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file PortRacer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated 
rule on file PortRacer.exe","hash":"2834a872a0a8da5b1be5db65dfdef388","rule":"PortRacer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file scanarator.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file scanarator.exe","hash":"848bd5a518e0b6c05bd29aceb8536c46","rule":"scanarator"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file =Bitchin Threads=.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file =Bitchin Threads=.exe","hash":"7491b138c1ee5a0d9d141fbfd1f0071b","rule":"_Bitchin_Threads_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file portscan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file portscan.exe","hash":"a8bfdb2a925e89a281956b1e3bb32348","rule":"portscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file 
ProPort.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file ProPort.exe","hash":"c1937a86939d4d12d10fc44b7ab9ab27","rule":"ProPort_zip_Folder_ProPort"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe","hash":"7c0f2cab134534cd35964fe4c6a1ff00","rule":"StealthWasp_s_Basic_PortScanner_v1_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file BluesPortScan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file BluesPortScan.exe","hash":"6292f5fc737511f91af5e35643fc9eef","rule":"BluesPortScan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file iis.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file 
iis.exe","hash":"3a8fc02c62c8dd65e038cc03e5451b6e","rule":"scanarator_iis"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file ipscan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file ipscan.exe","hash":"70cf2c09776a29c3e837cb79d291514a","rule":"Angry_IP_Scanner_v2_08_ipscan"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule on file Loader.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator by Florian Roth","description":"Auto-generated rule on file Loader.exe","hash":"f4f79358a6c600c1f0ba1f7e4879a16d","rule":"crack_Loader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects the backdoor Beastdoor","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Detects the backdoor Beastdoor","hash":"5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Beastdoor_Backdoor","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Powershell version of the Netcat network hacking 
tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"10.10.2014","description":"Detects a Powershell version of the Netcat network hacking tool","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Powershell_Netcat","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a chinese Portscanner named MilkT","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"12.10.2014","description":"Detects a chinese Portscanner named MilkT","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"CN_Hacktool_MilkT_Scanner","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Modified (packed) version of Windows Credential Editor","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Modified (packed) version of Windows Credential Editor","hash":"09a412ac3c85cedce2642a19e99d8f903a2e0354","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WCE_Modified_1_1014","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"iKAT hack tools set agent - file 
ikat.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"05.11.14","description":"iKAT hack tools set agent - file ikat.exe","hash":"c802ee1e49c0eae2a3fc22d2e82589d857f96d94","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://ikat.ha.cked.net/Windows/functions/ikatfiles.html","rule":"iKAT_command_lines_agent","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"05.11.14","description":"Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe","hash":"0cac59b80b5427a8780168e1b85c540efffaf74f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://ikat.ha.cked.net/Windows/functions/ikatfiles.html","rule":"iKAT_startbar","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file BypassUac2.zip","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator","description":"Auto-generated rule - file 
BypassUac2.zip","hash":"ef3e7dd2d1384ecec1a37254303959a43695df61","rule":"BypassUac2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Auto-generated rule - file BypassUac.zip","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"yarGen Yara Rule Generator","description":"Auto-generated rule - file BypassUac.zip","hash":"93c2375b2e4f75fc780553600fbdfd3cb344e69d","rule":"BypassUac_9"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"APT Malware - Proxy","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FRoth","date":"2014-11-10","description":"APT Malware - Proxy","hash":"6b6a86ceeab64a6cb273debfa82aec58","rule":"APT_Proxy_Malware_Packed_dev","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file nc.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file nc.exe","hash":"001c0c01c96fa56216159f83f6f298755366e528","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Ncat_Hacktools_CN","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file 
cs.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file cs.exe","hash":"a3e9e0655447494253a1a60dbc763d9661181322","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"MS08_067_Exploit_Hacktools_CN","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file sql.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file sql.exe","hash":"d5139b865e99b7a276af7ae11b14096adb928245","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_sql","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file 445TOOL.rar","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file 445TOOL.rar","hash":"92050ba43029f914696289598cf3b18e34457a11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Panda_445TOOL","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file 
s.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file s.exe","hash":"7665011742ce01f57e8dc0a85d35ec556035145d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_WinEggDrop","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file Burst.rar","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file Burst.rar","hash":"ce8e3d95f89fb887d284015ff2953dbdb1f16776","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Panda_Burst","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file GOGOGO.bat","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file GOGOGO.bat","hash":"4bd4f5b070acf7fe70460d7eefb3623366074bbd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_GOGOGO_Bat","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file 
pass.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file pass.txt","hash":"55a05cf93dbd274355d798534be471dff26803f9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_pass","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file JoHor_Posts_Killer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file JoHor_Posts_Killer.exe","hash":"d157f9a76f9d72dba020887d7b861a05f2e56b6a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_JoHor_Posts_Killer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file Start.bat - DoS tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014-11-17","description":"Disclosed hacktool set - file Start.bat - DoS tool","hash":"75d194d53ccc37a68286d246f2a84af6b070e30c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","rule":"Hacktools_CN_Burst_Start","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set - file Blast.bat","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"17.11.14","description":"Disclosed hacktool set - file Blast.bat","hash":"b07702a381fa2eaee40b96ae2443918209674051","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Hacktools_CN_Burst_Blast","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"22.11.14","description":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe","hash":"166fa8c5a0ebb216c832ab61bf8872da556576a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"VUBrute_VUBrute","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"22.11.14","description":"PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini","hash":"b9f66b9265d2370dab887604921167c11f7d93e9","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/xiIphp","rule":"VUBrute_config","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file listip.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file listip.exe","hash":"f32a0c5bf787c10eb494eb3b83d0c7a035e7172b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_listip","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll","hash":"4867214a3d96095d14aa8575f0adbb81a9381e6c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ArtTrayHookDll","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file EditServer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file 
EditServer.exe","hash":"87b29c9121cac6ae780237f7e04ee3bc1a9777d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file letmein.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file letmein.exe","hash":"74d223a56f97b223a640e4139bb9b94d8faa895d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_letmein","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file token.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file token.exe","hash":"c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_token","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file webget.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file webget.exe","hash":"36b5a5dee093aa846f906bbecf872a4e66989e42","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_webget","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file ASPack Chinese.ini","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file ASPack Chinese.ini","hash":"02a9394bc2ec385876c4b4f61d72471ac8251a8e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ASPack_Chinese","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt","hash":"dfa90540b0e58346f4b6ea12e30c1404e15fbe5a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditKeyLogReadMe","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file 
readme.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file readme.txt","hash":"a52545ae62ddb0ea52905cbb61d895a51bfe9bcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer_zip_Folder_readme","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file EditKeyLog.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file EditKeyLog.exe","hash":"a450c31f13c23426b24624f53873e4fc3777dc6b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditKeyLog","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file PassSniffer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file PassSniffer.exe","hash":"dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PassSniffer","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file InjectT.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InjectT.exe","hash":"80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"UnPack_rar_Folder_InjectT","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt","hash":"820674b59f32f2cf72df50ba4411d7132d863ad2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Jc_WinEggDrop_Shell","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file TBack.DLL","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file TBack.DLL","hash":"30fc9b00c093cec54fcbd753f96d0ca9e1b2660f","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"UnPack_rar_Folder_TBack","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file Inject.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file Inject.exe","hash":"34f564301da528ce2b3e5907fd4b1acb7cb70728","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ByPassFireWall_zip_Folder_Inject","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file sqlcmd.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file sqlcmd.exe","hash":"b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_sqlcmd","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file 2323.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file 
2323.exe","hash":"21812186a9e92ee7ddc6e91e4ec42991f0143763","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_2323","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file CleanIISLog.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file CleanIISLog.exe","hash":"827cd898bfe8aa7e9aaefbe949d26298f9e24094","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"CleanIISLog","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file sqlcheck.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file sqlcheck.exe","hash":"5a5778ac200078b627db84fdc35bf5bcee232dc7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sqlcheck","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file RunAsEx.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file RunAsEx.exe","hash":"a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_RunAsEx","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file splitjoin.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file splitjoin.exe","hash":"21409117b536664a913dcd159d6f4d8758f43435","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"SplitJoin_V1_3_3_rar_Folder_3","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file InstGina.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InstGina.exe","hash":"5317fbc39508708534246ef4241e78da41a4f31c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"InstGina","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file 
findoor.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file findoor.exe","hash":"cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_findoor","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file InjectT.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file InjectT.exe","hash":"516e80e4a25660954de8c12313e2d7642bdb79dd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WinEggDropShellFinal_zip_Folder_InjectT","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file gina.dll","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file gina.dll","hash":"e0429e1b59989cbab6646ba905ac312710f5ed30","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"gina_zip_Folder_gina","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file xsniff.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file xsniff.exe","hash":"d61d7329ac74f66245a92c4505a327c85875c577","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_xsniff","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - file fscan.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - file fscan.exe","hash":"d5646e86b5257f9c83ea23eca3d86de336224e55","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sig_238_fscan","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"23.11.14","description":"Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe","hash0":"9d4e7611a328eb430a8bb6dc7832440713926f5f","hash1":"ae23522a3529d3313dd883727c341331a1fb1ab9","hash2":"7ffc496cd4a1017485dfb571329523a52c9032d8","license":"Detection Rule 
License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"_FsHttp_FsPop_FsSniffer","score":"60","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/12/22","description":"Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe","hash1":"b130611c92788337c4f6bb9e9454ff06eb409166","hash2":"07539abb2623fe24b9a05e240f675fa2d15268cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/gkAg2E","rule":"Ammyy_Admin_AA_v3","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Linux hack tools - file scanssh","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file scanssh","hash":"467398a6994e2c1a66a3d39859cde41f090623ad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_scanssh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Linux hack tools - file pscan2","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth 
(Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file pscan2","hash":"56b476cba702a4423a2d805a412cae8ef4330905","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_pscan2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Linux hack tools - file a","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file a","hash":"458ada1e37b90569b0b36afebba5ade337ea8695","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_a"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Linux hack tools - file mass","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/01/19","description":"Linux hack tools - file mass","hash":"2054cb427daaca9e267b252307dad03830475f15","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"LinuxHacktool_eyes_mass"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, 
XScanLib.dll","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll","hash0":"af419603ac28257134e39683419966ab3d600ed2","hash1":"c5cb4f75cf241f5a9aea324783193433a42a13b0","hash2":"135f6a28e958c8f6a275d8677cfa7cb502c8a822","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset__XScanLib_XScanLib_XScanLib","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe","hash":"a931d65de66e1468fe2362f7f2e0ee546f225c4e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset_NTscan_PipeCmd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2015/03/30","description":"Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe","hash":"8542c7fb8291b02db54d2dc58cd608e612bfdc57","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://qiannao.com/ls/905300366/33834c0c/","rule":"CN_Toolset_sig_1433_135_sqlr","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2015-10-01","description":"Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"VSSown_VBS","score":"75"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Network domain enumeration tool - often used by attackers - file Nv.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Network domain enumeration tool - often used by attackers - file Nv.exe","hash":"52cec98839c3b7d9608c865cfebc904b4feae0bada058c2e8cdbd561cfa1420a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mubix/netview","rule":"Netview_Hacktool","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron 
YARA rules","scan_date":"2024-09-27","alert":"Network domain enumeration tool output - often used by attackers - file filename.txt","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-03-07","description":"Network domain enumeration tool output - often used by attackers - file filename.txt","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/mubix/netview","rule":"Netview_Hacktool_Output","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Linux Port Scanner Shark","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-04-01","description":"Detects Linux Port Scanner Shark","hash1":"5f80bd2db608a47e26290f3385eeb5bfc939d63ba643f06c4156704614def986","hash2":"90af44cbb1c8a637feda1889d301d82fff7a93b0c1a09534909458a64d8d8558","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35","rule":"Linux_Portscan_Shark_2","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects dnscat2 - from files dnscat, dnscat2.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-05-15","description":"Detects dnscat2 - from files dnscat, 
dnscat2.exe","hash1":"8bc8d6c735937c9c040cbbdcfc15f17720a7ecef202a19a7bf43e9e1c66fe66a","hash2":"4a882f013419695c8c0ac41d8a0fde1cf48172a89e342c504138bc6f1d13c7c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://downloads.skullsecurity.org/dnscat2/","rule":"dnscat2_Hacktool","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Windows Credential Editor (WCE) in memory (and also on disk)","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-08-28","description":"Detects Windows Credential Editor (WCE) in memory (and also on disk)","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"WCE_in_memory","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT groups - file pstgdump.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file pstgdump.exe","hash1":"65d48a2f868ff5757c10ed796e03621961954c523c71eac1c5e044862893a106","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"pstgdump"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT 
groups","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups","hash1":"efa66f6391ec471ca52cd053159c8a8778f11f921da14e6daf76387f8c9afcd5","hash2":"e0327c1218fd3723e20acc780e20135f41abca35c35e0f97f7eccac265f4f44e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"lsremora"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT groups - file fgexec.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file fgexec.exe","hash1":"8697897bee415f213ce7bc24f22c14002d660b8aaffab807490ddbf4f3f20249","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"fgexec"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - from files cachedump.exe, 
cachedump64.exe","hash1":"cf58ca5bf8c4f87bb67e6a4e1fb9e8bada50157dacbd08a92a4a779e40d569c4","hash2":"e38edac8c838a043d0d9d28c71a96fe8f7b7f61c5edf69f1ce0c13e141be281f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"cachedump","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a tool used by APT groups - file PwDump.exe","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-08","description":"Detects a tool used by APT groups - file PwDump.exe","hash1":"3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/igxLyF","rule":"PwDump_B"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects an XML that executes Mimikatz on an endpoint via MSBuild","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-07","description":"Detects an XML that executes Mimikatz on an endpoint via MSBuild","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml","rule":"MSBuild_Mimikatz_Execution_via_XML"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects POC code from disclosed 0day 
hacktool set","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-07","description":"Detects POC code from disclosed 0day hacktool set","hash1":"ba0e2119b2a6bad612e86662b643a404426a07444d476472a71452b7e9f94041","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Disclosed 0day Repos","rule":"Disclosed_0day_POCs_injector"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a process injection utility that can be used ofr good and bad purposes","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-04-23","description":"Detects a process injection utility that can be used ofr good and bad purposes","hash1":"456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c","rule":"ProcessInjector_Gen","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Lazagne PW Dumper","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Markus Neis / Florian Roth","date":"2018-03-22","description":"Detects Lazagne PW 
Dumper","reference":"https://github.com/AlessandroZ/LaZagne/releases/","rule":"Lazagne_PW_Dumper","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects susupicious bash command","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Tobias Michalski","date":"2018-05-18","description":"Detects susupicious bash command","hash1":"36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b","reference":"https://github.com/0x00-0x00/ShellPop","rule":"SUSP_shellpop_Bash"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Lazagne password extractor hacktool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-11","description":"Detects Lazagne password extractor hacktool","hash1":"51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf","license":"https://creativecommons.org/licenses/by-nc/4.0/","reference":"https://github.com/AlessandroZ/LaZagne","rule":"HKTL_Lazagne_Gen_18","score":"80"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects NoPowerShell hack tool","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-28","description":"Detects NoPowerShell hack 
tool","hash1":"2dad091dd00625762a7590ce16c3492cbaeb756ad0e31352a42751deb7cf9e70","modified":"2022-12-21","reference":"https://github.com/bitsadmin/nopowershell","rule":"HKTL_NoPowerShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Pnscan port scanner","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-05-27","description":"Detects Pnscan port scanner","reference":"https://github.com/ptrrkssn/pnscan","rule":"HKTL_LNX_Pnscan","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies Impacket, a collection of Python classes for working with network protocols.","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-08-01","description":"Identifies Impacket, a collection of Python classes for working with network protocols.","fingerprint":"3c84db45525bc8981b832617b35c0b81193827313b23c7fede0b00badc3670f4","first_imported":"2021-12-30","id":"4slxMFaVQR9nCS6mQxIQj","last_modified":"2021-12-30","mitre_att":"S0357","reference":"https://github.com/SecureAuthCorp/impacket","rule":"Impacket","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"IMPACKET","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-09-27","alert":"Identifies LaZagne, credentials recovery 
project.","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"TOOL","creation_date":"2020-01-01","description":"Identifies LaZagne, credentials recovery project.","fingerprint":"81ef321369e94e5cb5bbf735ab7db8c6aafc1fc7564c76d53b3f0e0adb9e5c81","first_imported":"2021-12-30","id":"3DeKZTrvc1lTK9vNaoj7LG","last_modified":"2021-12-30","mitre_att":"S0349","reference":"https://github.com/AlessandroZ/LaZagne","rule":"LaZagne","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","tool":"LAZAGNE","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-27","alert":"Windows.Hacktool.Mimikatz","trigger":"signature-base-master/yara/thor-hacktools.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-14","description":"Detection for Invoke-Mimikatz","fingerprint":"9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135","id":"355d5d3a-e50e-4614-9a84-0da668c40852","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96","rule":"Windows_Hacktool_Mimikatz_355d5d3a","scan_context":"file, memory","severity":"90","threat_name":"Windows.Hacktool.Mimikatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and some kind of payload. 
restricted to small files or big ones inclusing suspicious strings","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","hash":"bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-22","rule":"webshell_php_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"php webshell having some kind of input and using a callback to execute the payload. restricted to small files or would give lots of false positives","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/14","description":"php webshell having some kind of input and using a callback to execute the payload. 
restricted to small files or would give lots of false positives","hash":"e98889690101b59260e871c49263314526f2093f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_generic_callback"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell which directly eval()s obfuscated string","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/12","description":"PHP webshell which directly eval()s obfuscated string","hash":"49e5bc75a1ec36beeff4fbaeb16b322b08cf192d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_gzinflated"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/02/07","description":"PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-19","rule":"webshell_php_dynamic_big","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. 
Most are catched by other rules in here but maybe these catch different versions.","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/09","description":"Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.","hash":"7b6471774d14510cf6fa312a496eed72b614f6fc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_by_string_known_webshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user input","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file iMHaPFtp.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file iMHaPFtp.php","hash":"12911b73bc6a5d313b494102abcf5c57","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_iMHaPFtp_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file guo.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file guo.php","hash":"9e69a8f499c660ee0b4796af14dc08f0","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_guo","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file redcod.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file redcod.php","hash":"5c1c8120d82f46ff9d813fbe3354bac5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_redcod","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file server.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file server.php","hash":"d87b019e74064aa90e2bb143e5e16cfa","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_sh_server","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file cihshell_fix.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cihshell_fix.php","hash":"3823ac218032549b86ee7c26f10c4cb5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_cihshell_fix","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file up.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.php","hash":"7edefb8bd0876c41906f4b39b52cd0ef","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file EFSO_2.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file EFSO_2.asp","hash":"a341270f9ebd01320a7490c12cb2e64c","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_EFSO_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file up.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.jsp","hash":"515a5dd86fe48f673b72422cccf5a585","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file Server Variables.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Server Variables.asp","hash":"47fb8a647e441488b30f92b4d39003d7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Server_Variables","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file ice.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file ice.php","hash":"1d6335247f58e0a5b03e17977888f5f2","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_ice_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file phpspy2010.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file phpspy2010.php","hash":"14ae0e4f5349924a5047fed9f3b105c5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpspy2010","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file ice.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file ice.asp","hash":"d141e011a92f48da72728c35f1934a2b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_ice","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file 404.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.asp","hash":"d9fa1e8513dbf59fa5d130f389032a2d","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file webshell-cnseay02-1.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file webshell-cnseay02-1.php","hash":"95fc76081a42c4f26912826cb1bd24b1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshell_cnseay02_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file fbi.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file fbi.php","hash":"1fb32f8e58c8deb168c06297a04a21f1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_fbi","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file B374k.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file B374k.php","hash":"bed7388976f8f1d90422e8795dff1ea6","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_B374kPHP_B374k","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file list.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file list.php","hash":"922b128ddd90e1dc2f73088956c548ed","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_list","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file 404.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.php","hash":"ee94952dc53d9a29bdf4ece54c7a7aa7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_caidao_shell_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file aspydrv.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file aspydrv.asp","hash":"de0a58f7d1e200d0b2c801a94ebce330","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_ASP_aspydrv","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file Dx.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Dx.php","hash":"9cfe372d49fe8bf2fac8e1c534153d9b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Dx_Dx","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file MySQL Web Interface Version 0.8.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file MySQL Web Interface Version 0.8.php","hash":"36d4f34d0a22080f47bb1cb94107c60f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_MySQL_Web_Interface_Version_0_8","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file odd.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file odd.php","hash":"594d1b1311bbef38a0eb3d6cbb1ab538","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpkit_1_0_odd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file idc.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file idc.php","hash":"7c5b1b30196c51f1accbffb80296395f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_wsb_idc","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file 404.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 404.php","hash":"ced050df5ca42064056a7ad610a191b3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_404","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file webshell-cnseay-x.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file webshell-cnseay-x.php","hash":"a0f9f7f5cd405a514a7f3be329f380e5","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshell_cnseay_x","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file up.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file up.asp","hash":"f775e721cfe85019fe41c34f47c0d67c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_up","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file odd.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file odd.php","hash":"3c30399e7480c09276f412271f60ed01","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpkit_0_1a_odd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file k81.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file k81.jsp","hash":"41efc5c71b6885add9c1d516371bd6af","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_k81","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file cmdjsp.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cmdjsp.jsp","hash":"b815611cc39f17f05a73444d699341d4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_cmdjsp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file Java Shell.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file Java Shell.jsp","hash":"36403bc776eb12e8b7cc0eb47c8aac83","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Java_Shell","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file r57142.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file r57142.php","hash":"0911b6e6b8f4bcb05599b2885a7fe8a8","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_r57142","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file simple-backdoor.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file simple-backdoor.php","hash":"f091d1b9274c881f8e41b2f96e6b9936","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_simple_backdoor","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file cmd.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file cmd.php","hash":"c38ae5ba61fd84f6bbbab98d89d8a346","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_cmd","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file co.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file co.php","hash":"62199f5ac721a0cb9b28f465a513874c","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_co","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file 150.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file 150.php","hash":"400c4b0bed5c90f048398e1d268ce4dc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_150","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file c37.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file c37.php","hash":"d01144c04e7a46870a8dd823eb2fe5c8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_c37","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file b37.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file b37.php","hash":"0421445303cfd0ec6bc20b3846e30ff0","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_b37","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - file bug (1).php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - file bug (1).php","hash":"91c5fae02ab16d51fc5af9354ac2f015","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_PHP_bug_1_","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files ghost_source.php, icesword.php, silic.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files ghost_source.php, icesword.php, silic.php","hash0":"cbf64a56306c1b5d98898468fc1fdbd8","hash1":"6e20b41c040efb453d57780025a292ae","hash2":"437d30c94f8eef92dc2f064de4998695","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_ghost_source_icesword_silic","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web 
Shell","hash0":"37603e44ee6dc1c359feb68a0d566f76","hash1":"a7e25b8ac605753ed0c438db93f6c498","hash10":"e9a5280f77537e23da2545306f6a19ad","hash11":"598eef7544935cf2139d1eada4375bb5","hash12":"fa87bbd7201021c1aefee6fcc5b8e25a","hash2":"fb8c6c3a69b93e5e7193036fd31a958d","hash3":"36331f2c81bad763528d0ae00edf55be","hash4":"793b3d0a740dbf355df3e6f68b8217a4","hash5":"8979594423b68489024447474d113894","hash6":"ec482fc969d182e5440521c913bab9bd","hash7":"f98d2b33cd777e160d1489afed96de39","hash8":"4b4c12b3002fad88ca6346a873855209","hash9":"4cc68fa572e88b669bce606c7ace0ae9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"1b5102bdc41a7bc439eea8f0010310a5","hash1":"f8a6d5306fb37414c5c772315a27832f","hash2":"37cb1db26b1b0161a4bf678a6b4565bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files 
jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp","hash0":"8b0e6779f25a17f0ffb3df14122ba594","hash1":"ea87f0c1f0535610becadf5a98aca2fc","hash2":"7d5e9732766cf5b8edca9b7ae2b6028f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_jsp_reverse_jsp_reverse_jspbd","score":"50","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"a2516ac6ee41a7cf931cbaef1134a9e4","hash1":"ef43fef943e9df90ddb6257950b3538f","hash10":"6fcc283470465eed4870bcc3e2d7f14d","hash2":"ae025c886fbe7f9ed159f49593674832","hash3":"911195a9b7c010f61b66439d9048f400","hash4":"697dae78c040150daff7db751fc0c03c","hash5":"513b7be8bd0595c377283a7c87b44b2e","hash6":"1d912c55b96e2efe8ca873d6040e3b30","hash7":"e5b2131dd1db0dbdb43b53c5ce99016a","hash8":"4108f28a9792b50d95f95b9e5314fa1e","hash9":"41af6fd253648885c7ad2ed524e0692d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, 
jHn.php","hash0":"8ae9d2b50dc382f0571cd7492f079836","hash1":"e2830d3286001d1455479849aacbbb38","hash2":"bd6d3b2763c705a01cc2b3f105a25fa4","hash3":"40c6ecf77253e805ace85f119fe1cebb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_itsec_PHPJackal_itsecteam_shell_jHn","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"0b19e9de790cd2f4325f8c24b22af540","hash1":"f3ca29b7999643507081caab926e2e74","hash2":"527cf81f9272919bf872007e21c4bdda","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"3e4ba470d4c38765e4b16ed930facf2c","hash1":"aa17b71bb93c6789911bd1c9df834ff9","hash2":"b68bfafc6059fd26732fa07fb6f7f640","hash3":"40a1f840111996ff7200d18968e42cfe","hash4":"e0202adff532b28ef1ba206cf95962f2","hash5":"802f5cae46d394b297482fd0c27cb2fc","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp","hash0":"2eeb8bf151221373ee3fd89d58ed4d38","hash1":"059058a27a7b0059e2c2f007ad4675ef","hash2":"8b457934da3821ba58b06a113e0d53d9","hash3":"d44df8b1543b837e57cc8f25a0a68d92","hash4":"e0354099bee243702eb11df8d0e046df","hash5":"90a5ba0c94199269ba33a58bc6a4ad99","hash6":"655722eaa6c646437c8ae93daac46ae0","hash7":"591ca89a25f06cf01e4345f98a22845c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, 
antichat.php","hash0":"ae025c886fbe7f9ed159f49593674832","hash1":"513b7be8bd0595c377283a7c87b44b2e","hash2":"1d912c55b96e2efe8ca873d6040e3b30","hash3":"4108f28a9792b50d95f95b9e5314fa1e","hash4":"3f71175985848ee46cc13282fbed2269","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell","hash0":"2eeb8bf151221373ee3fd89d58ed4d38","hash1":"059058a27a7b0059e2c2f007ad4675ef","hash10":"341298482cf90febebb8616426080d1d","hash11":"29aebe333d6332f0ebc2258def94d57e","hash12":"42654af68e5d4ea217e6ece5389eb302","hash13":"88fc87e7c58249a398efd5ceae636073","hash14":"4a812678308475c64132a9b56254edbc","hash15":"9626eef1a8b9b8d773a3b2af09306a10","hash16":"e0354099bee243702eb11df8d0e046df","hash17":"344f9073576a066142b2023629539ebd","hash18":"32dea47d9c13f9000c4c807561341bee","hash19":"90a5ba0c94199269ba33a58bc6a4ad99","hash2":"ae76c77fb7a234380cd0ebb6fe1bcddf","hash20":"655722eaa6c646437c8ae93daac46ae0","hash21":"b9744f6876919c46a29ea05b1d95b1c3","hash22":"6acc82544be056580c3a1caaa4999956","hash23":"6aa32a6392840e161a018f3907a86968","hash24":"591ca89a25f06cf01e4345f98a22845c","hash25":"349ec229e3f8eda0f9eb918c74a8bf4c","hash26":"3ea688e3439a1f56b16694667938316d","hash27":"ab77e4d1006259d7cbc15884416ca88c","hash28":"71097537a91fac6b01f46f66ee2d7749","hash29":"2434a7a07cb47ce25b41d30bc291cacc","hash3":"76037ebd781ad0eac363d56fc81f4b4f","hash30":"7a4b090619ecce6f7bd838fe5c58554b","hash4":"8b457934da3821ba58b06a113e0d53d9","hash5":"d44df8b1543b837e57cc8
f25a0a68d92","hash6":"fc44f6b4387a2cb50e1a63c66a8cb81c","hash7":"14e9688c86b454ed48171a9d4f48ace8","hash8":"b330a6c2d49124ef0729539761d6ef0b","hash9":"d71716df5042880ef84427acee8b121e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_000_403_807_a_c5_config_css_dm_he1p_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php","hash0":"b68bfafc6059fd26732fa07fb6f7f640","hash1":"42f211cec8032eb0881e87ebdb3d7224","hash2":"40a1f840111996ff7200d18968e42cfe","hash3":"0712e3dc262b4e1f98ed25760b206836","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web 
Shell","hash0":"38fd7e45f9c11a37463c3ded1c76af4c","hash1":"9c34adbc8fd8d908cbb341734830f971","hash10":"b8f261a3cdf23398d573aaf55eaf63b5","hash11":"0d2c2c151ed839e6bafc7aa9c69be715","hash12":"41af6fd253648885c7ad2ed524e0692d","hash13":"6fcc283470465eed4870bcc3e2d7f14d","hash2":"ef43fef943e9df90ddb6257950b3538f","hash3":"ae025c886fbe7f9ed159f49593674832","hash4":"911195a9b7c010f61b66439d9048f400","hash5":"697dae78c040150daff7db751fc0c03c","hash6":"513b7be8bd0595c377283a7c87b44b2e","hash7":"1d912c55b96e2efe8ca873d6040e3b30","hash8":"e5b2131dd1db0dbdb43b53c5ce99016a","hash9":"4108f28a9792b50d95f95b9e5314fa1e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_c99_locus7s_c99_w4cking_xxx","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web Shell - from files r57shell127.php, r57_kartal.php, r57.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/01/28","description":"Web Shell - from files r57shell127.php, r57_kartal.php, r57.php","hash0":"ae025c886fbe7f9ed159f49593674832","hash1":"1d912c55b96e2efe8ca873d6040e3b30","hash2":"4108f28a9792b50d95f95b9e5314fa1e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_r57shell127_r57_kartal_r57","score":"70","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file con2.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron 
Systems)","date":"2014/03/28","description":"Web shells - generated from file con2.asp","hash":"d3584159ab299d546bd77c9654932ae3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_con2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file Expdoor.com ASP.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file Expdoor.com ASP.asp","hash":"caef01bb8906d909f24d1fa109ea18a7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_Expdoor_com_ASP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file php2.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php2.php","hash":"fbf2e76e6f897f6f42b896c855069276","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file 
bypass-iisuser-p.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file bypass-iisuser-p.asp","hash":"924d294400a64fa888a79316fb3ccd90","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_bypass_iisuser_p","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file 404super.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file 404super.php","hash":"7ed63176226f83d36dce47ce82507b28","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_sig_404super","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file JSP.jsp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file JSP.jsp","hash":"495f1a0a4c82f986f4bdf51ae1898ee7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_JSP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - 
generated from file webshell-123.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014-03-28","description":"Web shells - generated from file webshell-123.php","hash":"2782bb170acaed3829ea9a04f0ac7218","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","rule":"webshell_webshell_123","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file dev_core.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file dev_core.php","hash":"55ad9309b006884f660c41e53150fc2e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_dev_core","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file pHp.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file pHp.php","hash":"b0e842bdf83396c3ef8c71ff94e64167","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_pHp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Web shells - generated from file pppp.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file pppp.php","hash":"cf01cb6e09ee594545693c5d327bdd50","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_pppp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file code.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file code.php","hash":"a444014c134ff24c0be5a05c02b81a79","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_code","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file xxxx.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file xxxx.php","hash":"5bcba70b2137375225d8eedcde2c0ebb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_xxxx","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Web shells - generated from file PHP1.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file PHP1.php","hash":"14c7281fdaf2ae004ca5fec8753ce3cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_PHP1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file asp1.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file asp1.asp","hash":"b63e708cd58ae1ec85cf784060b69cad","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_asp1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file php6.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php6.php","hash":"ea75280224a735f1e445d244acdfeb7b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php6","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Web shells - generated from file GetPostpHp.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file GetPostpHp.php","hash":"20ede5b8182d952728d594e6f2bb5c76","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_GetPostpHp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file php5.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file php5.php","hash":"cf2ab009cbd2576a806bfefb74906fdf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_php5","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Web shells - generated from file PHP.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file PHP.php","hash":"a524e7ae8d71e37d2fd3e5fbdab405ea","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_PHP","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Web shells - generated from file Asp.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2014/03/28","description":"Web shells - generated from file Asp.asp","hash":"32c87744ea404d0ea0debd55915010b7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_webshells_new_Asp","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file perlbot.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file perlbot.pl.txt","hash":"7e4deb9884ffffa5d82c22f8dc533a45","rule":"perlbot_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file php-backdoor.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file php-backdoor.php.txt","hash":"2b5cb105c4ea9b5ebc64705b4bd86bf7","rule":"php_backdoor_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass 
Exploit.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt","hash":"c6eeacbe779518ea78b8f7ed5f63fc11","rule":"Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file shankar.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shankar.php.php.txt","hash":"6eb9db6a3974e511b7951b8f7e7136bb","rule":"shankar_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Casus15.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Casus15.php.php.txt","hash":"5e2ede2d1c4fa1fcc3cbfe0c005d7b13","rule":"Casus15_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file small.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization 
by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file small.php.php.txt","hash":"fcee6226d09d150bfa5f103bee61fbde","rule":"small_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file shellbot.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shellbot.pl.txt","hash":"b2a883bc3c03a35cfd020dd2ace4bab8","rule":"shellbot_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file fuckphpshell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file fuckphpshell.php.txt","hash":"554e50c1265bb0934fcc8247ec3b9052","rule":"fuckphpshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file ngh.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ngh.php.php.txt","hash":"c372b725419cdfd3f8a6371cfeebc2fd","rule":"ngh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
jsp-reverse.jsp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file jsp-reverse.jsp.txt","hash":"8b0e6779f25a17f0ffb3df14122ba594","rule":"jsp_reverse_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Tool.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Tool.asp.txt","hash":"8febea6ca6051ae5e2ad4c78f4b9c1f2","rule":"Tool_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file NT Addy.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file NT Addy.asp.txt","hash":"2e0d1bae844c9a8e6e351297d77a1fec","rule":"NT_Addy_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file SimAttacker - Vrsion 
1.0.0 - priv8 4 My friend.php.txt","hash":"089ff24d978aeff2b4b2869f0c7d38a3","rule":"SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file phvayvv.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phvayvv.php.php.txt","hash":"35fb37f3c806718545d97c6559abd262","rule":"phvayvv_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file r57shell.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file r57shell.php.php.txt","hash":"d28445de424594a5f14d0fe2a7c4e94f","rule":"r57shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file rst_sql.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file rst_sql.php.php.txt","hash":"0961641a4ab2b8cb4d2beca593a92010","rule":"rst_sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
wh_bindshell.py.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file wh_bindshell.py.txt","hash":"fab20902862736e24aaae275af5e049c","rule":"wh_bindshell_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file lurm_safemod_on.cgi.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file lurm_safemod_on.cgi.txt","hash":"5ea4f901ce1abdf20870c214b3231db3","rule":"lurm_safemod_on_cgi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt","hash":"d27292895da9afa5b60b9d3014f39294","rule":"c99madshell_v2_0_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file w3d.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- 
Molls","description":"Semi-Auto-generated  - file w3d.php.php.txt","hash":"987f66b29bfb209a0b4f097f84f57c3b","rule":"w3d_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file WinX Shell.html.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file WinX Shell.html.txt","hash":"17ab5086aef89d4951fe9b7c7a561dda","rule":"WinX_Shell_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Dx.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Dx.php.php.txt","hash":"9cfe372d49fe8bf2fac8e1c534153d9b","rule":"Dx_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file csh.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file csh.php.php.txt","hash":"194a9d3f3eac8bc56d9a7c55c016af96","rule":"csh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
pHpINJ.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file pHpINJ.php.php.txt","hash":"d7a4b0df45d34888d5a09f745e85733f","rule":"pHpINJ_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 2008.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 2008.php.php.txt","hash":"3e4ba470d4c38765e4b16ed930facf2c","rule":"sig_2008_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file ak74shell.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ak74shell.php.php.txt","hash":"7f83adcb4c1111653d30c6427a94f66f","rule":"ak74shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Rem View.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Rem 
View.php.php.txt","hash":"29420106d9a81553ef0d1ca72b9934d9","rule":"Rem_View_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Java Shell.js.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Java Shell.js.txt","hash":"36403bc776eb12e8b7cc0eb47c8aac83","rule":"Java_Shell_js"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file STNC.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file STNC.php.php.txt","hash":"2e56cfd5b5014cbbf1c1e3f082531815","rule":"STNC_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt","hash":"26b2d3943395682e36da06ed493a3715","rule":"aZRaiLPhp_v1_0_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
zacosmall.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file zacosmall.php.txt","hash":"5295ee8dc2f5fd416be442548d68f7a6","rule":"zacosmall_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file CmdAsp.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file CmdAsp.asp.txt","hash":"64f24f09ec6efaa904e2492dffc518b9","rule":"CmdAsp_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file simple-backdoor.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file simple-backdoor.php.txt","hash":"f091d1b9274c881f8e41b2f96e6b9936","rule":"simple_backdoor_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file mysql_shell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
mysql_shell.php.txt","hash":"d42aec2891214cace99b3eb9f3e21a63","rule":"mysql_shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt","hash":"1b5102bdc41a7bc439eea8f0010310a5","rule":"Dive_Shell_1_0___Emperor_Hacking_Team_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Asmodeus v0.1.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Asmodeus v0.1.pl.txt","hash":"0978b672db0657103c79505df69cb4bb","rule":"Asmodeus_v0_1_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Reader.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Reader.asp.txt","hash":"ad1a362e0a24c4475335e3e891a01731","rule":"Reader_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
phpshell17.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phpshell17.php.txt","hash":"9a928d741d12ea08a624ee9ed5a8c39d","rule":"phpshell17_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt","hash":"37cb1db26b1b0161a4bf678a6b4565bd","rule":"SimShell_1_0___Simorgh_Security_MGZ_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file jspshall.jsp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file jspshall.jsp.txt","hash":"efe0f6edaa512c4e1fdca4eeda77b7ee","rule":"jspshall_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file rootshell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- 
Molls","description":"Semi-Auto-generated  - file rootshell.php.txt","hash":"265f3319075536030e59ba2f9ef3eac6","rule":"rootshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file connectback2.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file connectback2.pl.txt","hash":"473b7d226ea6ebaacc24504bd740822e","rule":"connectback2_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file wso.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file wso.txt","hash":"33e2891c13b78328da9062fbfcf898b6","rule":"shells_PHP_wso"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file backdoor1.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file backdoor1.php.txt","hash":"e1adda1f866367f52de001257b4d6c98","rule":"backdoor1_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
elmaliseker.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file elmaliseker.asp.txt","hash":"b32d1730d23a660fd6aa8e60c3dc549f","rule":"elmaliseker_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt","hash":"c2e8346a5515c81797af36e7e4a3828e","rule":"s72_Shell_v1_1_Coding_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file kacak.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file kacak.asp.txt","hash":"907d95d46785db21331a0324972dda8c","rule":"kacak_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - 
file PHP Backdoor Connect.pl.php.txt","hash":"57fcd9560dac244aeaf95fd606621900","rule":"PHP_Backdoor_Connect_pl_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt","hash":"cbe9eafbc4d86842a61a54d98e5b61f1","rule":"Antichat_Socks5_Server_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Antichat Shell v1.3.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Antichat Shell v1.3.php.txt","hash":"40d0abceba125868be7f3f990f031521","rule":"Antichat_Shell_v1_3_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 
5.1.2.php.txt","hash":"49ad9117c96419c35987aaa7e2230f63","rule":"Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file cyberlords_sql.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cyberlords_sql.php.php.txt","hash":"03b06b4183cb9947ccda2c3d636406d4","rule":"cyberlords_sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt","hash":"8a8c8bb153bd1ee097559041f2e5cf0a","rule":"Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file EFSO_2.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file EFSO_2.asp.txt","hash":"b5fde9682fd63415ae211d53c6bfaa4d","rule":"EFSO_2_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file lamashell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file lamashell.php.txt","hash":"de9abc2e38420cad729648e93dfc6687","rule":"lamashell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt","hash":"93d1a2e13a3368a2472043bd6331afe9","rule":"Ajax_PHP_Command_Shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt","hash":"70a0ee2624e5bbe5525ccadc467519f6","rule":"JspWebshell_1_2_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Sincap.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG 
+ customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Sincap.php.php.txt","hash":"b68b90ff6012a103e57d141ed38a7ee9","rule":"Sincap_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Phyton Shell.py.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Phyton Shell.py.txt","hash":"92b3c897090867c65cc169ab037a0f55","rule":"Phyton_Shell_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file sh.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file sh.php.php.txt","hash":"330af9337ae51d0bac175ba7076d6299","rule":"sh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file phpjackal.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file phpjackal.php.txt","hash":"ab230817bcc99acb9bdc0ec6d264d76f","rule":"phpjackal_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
sql.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file sql.php.php.txt","hash":"8334249cbb969f2d33d678fec2b680c5","rule":"sql_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file cgi-python.py.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cgi-python.py.txt","hash":"0a15f473e2232b89dae1075e1afdac97","rule":"cgi_python_py"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file ru24_post_sh.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ru24_post_sh.php.php.txt","hash":"5b334d494564393f419af745dc1eeec7","rule":"ru24_post_sh_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file telnetd.pl.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file 
telnetd.pl.txt","hash":"5f61136afd17eb025109304bd8d6d414","rule":"telnetd_pl"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file php-include-w-shell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file php-include-w-shell.php.txt","hash":"4e913f159e33867be729631a7ca46850","rule":"php_include_w_shell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt","hash":"6163b30600f1e80d2bb5afaa753490b6","rule":"Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file shell.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file shell.php.php.txt","hash":"1a95f0163b6dea771da1694de13a3d8d","rule":"shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file telnet.cgi.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file telnet.cgi.txt","hash":"dee697481383052980c20c48de1598d1","rule":"telnet_cgi"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file ironshell.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file ironshell.php.txt","hash":"8bfa2eeb8a3ff6afc619258e39fded56","rule":"ironshell_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file backdoorfr.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file backdoorfr.php.txt","hash":"91e4afc7444ed258640e85bcaf0fecfc","rule":"backdoorfr_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file aspydrv.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- 
Molls","description":"Semi-Auto-generated  - file aspydrv.asp.txt","hash":"1c01f8a88baee39aa1cebec644bbcb99","rule":"aspydrv_asp","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file cmdjsp.jsp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file cmdjsp.jsp.txt","hash":"b815611cc39f17f05a73444d699341d4","rule":"cmdjsp_jsp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt","hash":"06ed0b2398f8096f1bebf092d0526137","rule":"h4ntu_shell__powered_by_tsoi_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file Ajan.asp.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file Ajan.asp.txt","hash":"b6f468252407efc2318639da22b08af0","rule":"Ajan_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file 
PHANTASMA.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file PHANTASMA.php.txt","hash":"52779a27fa377ae404761a7ce76a5da7","rule":"PHANTASMA_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt","hash":"36d4f34d0a22080f47bb1cb94107c60f","rule":"MySQL_Web_Interface_Version_0_8_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt","hash0":"ddaf9f1986d17284de83a17fe5f9fd94","hash1":"17a07bb84e137b8aa60f87cd6bfab748","hash2":"4745d510fed4378e4b1730f56f25e569","rule":"_nst_php_php_img_php_php_nstview_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, 
nfm.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt","hash0":"acdbba993a5a4186fd864c5e4ea0ba4f","hash1":"2601b6fc1579f263d2f3960ce775df70","hash2":"401fbae5f10283051c39e640b77e4c26","rule":"_network_php_php_xinfo_php_php_nfm_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated ","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"eddf7a8fde1e50a7f2a817ef7cece24f","hash3":"8023394542cddf8aee5dec6072ed02b5","hash4":"eed14de3907c9aa2550d95550d1a2d5f","hash5":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, 
SpecialShell_99.php.php.txt","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"9c5bb5e3a46ec28039e8986324e42792","hash2":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_wacking_php_php_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"eddf7a8fde1e50a7f2a817ef7cece24f","rule":"_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt","hash0":"9c5bb5e3a46ec28039e8986324e42792","hash1":"44542e5c3e9790815c49d5f9beffbbf2","hash2":"09609851caa129e40b0d56e90dfc476c","hash3":"38fd7e45f9c11a37463c3ded1c76af4c","rule":"_wacking_php_php_1_SpecialShell_99_php_php_c100_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"eddf7a8fde1e50a7f2a817ef7cece24f","hash2":"8023394542cddf8aee5dec6072ed02b5","hash3":"eed14de3907c9aa2550d95550d1a2d5f","hash4":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files multiple_php_webshells","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files multiple_php_webshells","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"911195a9b7c010f61b66439d9048f400","hash2":"be0f67f3e995517d18859ed57b4b4389","hash3":"eddf7a8fde1e50a7f2a817ef7cece24f","hash4":"8023394542cddf8aee5dec6072ed02b5","hash5":"eed14de3907c9aa2550d95550d1a2d5f","hash6":"817671e1bdc85e04cc3440bbd9288800","hash7":"7101fe72421402029e2629f3aaed6de7","hash8":"f618f41f7ebeb5e5076986a66593afd1","rule":"multiple_php_webshells","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files w.php.php.txt, 
c99madshell_v2.1.php.php.txt, wacking.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated ","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","hash3":"d8ae5819a0a2349ec552cbcf3a62c975","hash4":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, 
nstview.php.php.txt","hash0":"ddaf9f1986d17284de83a17fe5f9fd94","hash1":"ef8828e0bc0641a655de3932199c0527","hash2":"17a07bb84e137b8aa60f87cd6bfab748","hash3":"4745d510fed4378e4b1730f56f25e569","rule":"_nst_php_php_cybershell_php_php_img_php_php_nstview_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated ","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"38a3f9f2aa47c2e940695f3dba6a7bb2","hash1":"3ca5886cd54d495dc95793579611f59a","hash2":"9c5bb5e3a46ec28039e8986324e42792","hash3":"44542e5c3e9790815c49d5f9beffbbf2","hash4":"09609851caa129e40b0d56e90dfc476c","rule":"_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt","hash0":"0714f80f35c1fddef1f8938b8d42a4c8","hash1":"eddf7a8fde1e50a7f2a817ef7cece24f","hash2":"eed14de3907c9aa2550d95550d1a2d5f","hash3":"817671e1bdc85e04cc3440bbd9288800","rule":"_r577_php_php_r57_php_php_spy_php_php_s_php_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Semi-Auto-generated ","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls","description":"Semi-Auto-generated ","hash0":"40a3e86a63d3d7f063a86aab5b5f92c6","hash1":"d8ae5819a0a2349ec552cbcf3a62c975","hash2":"9e9ae0332ada9c3797d6cee92c2ede62","hash3":"f3ca29b7999643507081caab926e2e74","rule":"_nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/xFvioC","rule":"PHP_Cloaked_Webshell_SuperFetchExec","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php","hash":"1b2a4a7174ca170b4e3a8cdf4814c92695134c8a","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_dC3_Security_Crew_Shell_PRiV"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file simattacker.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file simattacker.php","hash":"258297b62aeaf4650ce04642ad5f19be25ec29c9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_simattacker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file DTool Pro.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file DTool Pro.php","hash":"e2ee1c7ba7b05994f65710b7bbf935954f2c3353","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_DTool_Pro"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file ironshell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file ironshell.php","hash":"d47b8ba98ea8061404defc6b3a30839c4444a262","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_ironshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file b374k-mini-shell-php.php.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file b374k-mini-shell-php.php.php","hash":"afb88635fbdd9ebe86b650cc220d3012a8c35143","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_b374k_mini_shell_php_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Sincap 1.0.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Sincap 1.0.php","hash":"9b72635ff1410fa40c4e15513ae3a496d54f971c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Sincap_1_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file b374k.php.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file b374k.php.php","hash":"04c99efd187cf29dc4e5603c51be44170987bce2","license":"Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_b374k_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php","hash":"6454cc5ab73143d72cf0025a81bd1fe710351b44","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php","hash":"cbca8cd000e705357e2a7e0cf8262678706f18f9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_h4ntu_shell__powered_by_tsoi_"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file MyShell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github 
Archive - file MyShell.php","hash":"42e283c594c4d061f80a18f5ade0717d3fb2f76d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_MyShell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file pws.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file pws.php","hash":"7a405f1c179a84ff8ac09a42177a2bcd8a1a481b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_pws"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file reader.asp.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file reader.asp.php.txt","hash":"70656f3495e2b3ad391a77d5208eec0fb9e2d931","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_reader_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP 
Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php","hash":"b2b797707e09c12ff5e632af84b394ad41a46fa4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file php-backdoor.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file php-backdoor.php","hash":"b190c03af4f3fb52adc20eb0f5d4d151020c74fe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file pHpINJ.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file pHpINJ.php","hash":"75116bee1ab122861b155cc1ce45a112c28b9596","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_pHpINJ"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file 
NGH.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NGH.php","hash":"c05b5deecfc6de972aa4652cb66da89cfb3e1645","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_NGH"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file matamu.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file matamu.php","hash":"d477aae6bd2f288b578dbf05c1c46b3aaa474733","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_matamu"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file ru24_post_sh.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file ru24_post_sh.php","hash":"d2c18766a1cd4dda928c12ff7b519578ccec0769","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_ru24_post_sh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file hiddens shell 
v1.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file hiddens shell v1.php","hash":"1674bd40eb98b48427c547bf9143aa7fbe2f4a59","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_hiddens_shell_v1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file c99_locus7s.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file c99_locus7s.php","hash":"d413d4700daed07561c9f95e1468fb80238fbf3c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_c99_locus7s"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file safe0ver.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file safe0ver.php","hash":"366639526d92bd38ff7218b8539ac0f154190eb8","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_safe0ver"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file 
kral.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file kral.php","hash":"4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_kral"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file cgitelnet.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file cgitelnet.php","hash":"72e5f0e4cd438e47b6454de297267770a36cbeb3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_cgitelnet"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file NTDaddy v1.9.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NTDaddy v1.9.php","hash":"79519aa407fff72b7510c6a63c877f2e07d7554b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_NTDaddy_v1_9"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file 
lamashell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lamashell.php","hash":"b71181e0d899b2b07bc55aebb27da6706ea1b560","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_lamashell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php","hash":"03f6215548ed370bec0332199be7c4f68105274e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Simple_PHP_backdoor_by_DK"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file CmdAsp.asp.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file CmdAsp.asp.php.txt","hash":"cb18e1ac11e37e236e244b96c2af2d313feda696","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_CmdAsp_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive 
- file NCC-Shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file NCC-Shell.php","hash":"64d4495875a809b2730bd93bec2e33902ea80a53","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_NCC_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file README.md","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file README.md","hash":"ef2c567b4782c994db48de0168deb29c812f7204","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_README"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file backupsql.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file backupsql.php","hash":"863e017545ec8e16a0df5f420f2d708631020dd4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_backupsql"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta 
Version.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php","hash":"c90b0ba575f432ecc08f8f292f3013b5532fe2c4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_AK_74_Security_Team_Web_Shell_Beta_Version"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file cpanel.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file cpanel.php","hash":"433dab17106b175c7cf73f4f094e835d453c0874","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_cpanel"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file 529.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file 529.php","hash":"ba3fb2995528307487dff7d5b624d9f4c94c75d3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_529"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github 
Archive - file qsd-php-backdoor.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file qsd-php-backdoor.php","hash":"4856bce45fc5b3f938d8125f7cdd35a8bbae380f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_qsd_php_backdoor"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php","hash":"5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file Gamma Web Shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file Gamma Web Shell.php","hash":"7ef773df7a2f221468cc8f7683e1ace6b1e8139a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Gamma_Web_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file WinX Shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file WinX Shell.php","hash":"a94d65c168344ad9fa406d219bdf60150c02010e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_WinX_Shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file php-include-w-shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file php-include-w-shell.php","hash":"1a7f4868691410830ad954360950e37c582b0292","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_include_w_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file PhpSpy Ver 2006.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file PhpSpy Ver 2006.php","hash":"34a89e0ab896c3518d9a474b71ee636ca595625d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_PhpSpy_Ver_2006"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file myshell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file myshell.php","hash":"5bd52749872d1083e7be076a5e65ffcde210e524","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_myshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file lolipop.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lolipop.php","hash":"86f23baabb90c93465e6851e40104ded5a5164cb","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_lolipop"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file simple_cmd.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file simple_cmd.php","hash":"466a8caf03cdebe07aa16ad490e54744f82e32c2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_simple_cmd"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file go-shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file go-shell.php","hash":"3dd85981bec33de42c04c53d081c230b5fc0e94f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_go_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file aZRaiLPhp v1.0.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file aZRaiLPhp v1.0.php","hash":"a2c609d1a8c8ba3d706d1d70bef69e63f239782b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_aZRaiLPhp_v1_0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Github Archive - file zehir4","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Github Archive - file zehir4","hash":"788928ae87551f286d189e163e55410acbb90a64","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_webshells_zehir4","score":"55"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP 
Webshells Github Archive - file zehir4.asp.php.txt","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file zehir4.asp.php.txt","hash":"1d9b78b5b14b821139541cc0deb4cbbd994ce157","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_zehir4_asp_php"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file lostDC.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file lostDC.php","hash":"d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_php_webshells_lostDC"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - file CasuS 1.5.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - file CasuS 1.5.php","hash":"7eee8882ad9b940407acc0146db018c302696341","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_CasuS_1_5"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from 
files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php","hash0":"fa11deaee821ca3de7ad1caafa2a585ee1bc8d82","hash1":"c0a4ba3e834fb63e0a220a43caaf55c654f97429","hash2":"16fa789b20409c1f2ffec74484a30d0491904064","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php","hash0":"b148ead15d34a55771894424ace2a92983351dda","hash1":"e4ba288f6d46dc77b403adf7d411a280601c635b","hash2":"e5713d6d231c844011e9a74175a77e8eb835c856","hash3":"1b836517164c18caf2c92ee2a06c645e26936a0c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, 
stres.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php","hash0":"335a0851304acedc3f117782b61479bbc0fd655a","hash1":"6eb4ab630bd25bec577b39fb8a657350bf425687","hash2":"03f88f494654f2ad0361fb63e805b6bbfc0c86de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__CrystalShell_v_1_erne_stres","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php","hash0":"5622c9841d76617bfc3cd4cab1932d8349b7044f","hash1":"4a20f36035bbae8e342aab0418134e750b881d05","hash2":"40dbdc0bdf5218af50741ba011c5286a723fa9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell__findsock_php_findsock_shell_php_reverse_shell","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"PHP Webshells Github Archive","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"PHP Webshells Github 
Archive","hash0":"1a08f5260c4a2614636dfc108091927799776b13","hash1":"335a0851304acedc3f117782b61479bbc0fd655a","hash2":"ca9fcfb50645dc0712abdf18d613ed2196e66241","hash3":"36d8782d749638fdcaeed540d183dd3c8edc6791","hash4":"03f88f494654f2ad0361fb63e805b6bbfc0c86de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"WebShell_Generic_PHP_6","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Injectt.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Injectt.exe","hash":"8a5d2158a566c87edc999771e12d42c5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Unpack_Injectt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file ssh.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ssh.php","hash":"1aa5307790d72941589079989b4f900e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_ssh"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
Client.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Client.exe","hash":"5f91a5b46d155cacf0cc6673a2a5461b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"bin_Client"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file ZXshell.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ZXshell.exe","hash":"246ce44502d2f6002d720d350e26c288","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_ZXshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file RkNTLoad.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file RkNTLoad.exe","hash":"262317c95ced56224f136ba532b8b34f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"RkNTLoad"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
binder2.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file binder2.exe","hash":"d594e90ad23ae0bc0b65b59189c12f11","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"binder2_binder2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file orice2.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file orice2.php","hash":"aa63ffb27bde8d03d00dda04421237ae","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"thelast_orice2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file sendmail.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file sendmail.exe","hash":"75b86f4a21d8adefaf34b3a94629bd17","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"sendmail"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
zehir4.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file zehir4.asp","hash":"5b496a61363d304532bcf52ee21f5d55","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_zehir4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file hkshell.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkshell.exe","hash":"168cab58cee59dc4706b3be988312580","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkshell_hkshell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file DarkSpy105.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file DarkSpy105.exe","hash":"f0b85e7bec90dba829a3ede1ab7d8722","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"DarkSpy105"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
EditServer.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file EditServer.exe","hash":"f945de25e0eba3bdaf1455b3a62b9832","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer_EXE"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file reader.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file reader.asp","hash":"b598c8b662f2a1f6cc61f291fb0a6fa2","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_reader"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file svchostdll.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file svchostdll.dll","hash":"0f6756c8cb0b454c452055f189e4c3f4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"svchostdll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
server.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file server.asp","hash":"1d38526a215df13c7373da4635541b43","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_DevPack_server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file vanquish.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file vanquish.dll","hash":"684450adde37a93e8bb362994efc898c","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"vanquish"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Client.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Client.exe","hash":"9f0a74ec81bc2f26f16c5c172b80eca7","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"BIN_Client"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
Simple_PHP_BackDooR.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Simple_PHP_BackDooR.php","hash":"a401132363eecc3a1040774bec9cb24f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Simple_PHP_BackDooR"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file hkrmv.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkrmv.exe","hash":"bd3a0b7a6b5536f8d96f50956560e9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkshell_hkrmv"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file phpft.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file phpft.php","hash":"60ef80175fcc6a879ca57c54226646b1","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_phpft"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
bdcli100.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file bdcli100.exe","hash":"b12163ac53789fb4f62e4f17a8c2e028","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"bdcli100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file rdrbs084.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file rdrbs084.exe","hash":"ed30327b255816bdd7590bf891aa0020","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rdrbs084"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 2005.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file 2005.exe","hash":"8bf667ee9e21366bc0bd3491cb614f41","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_CaseSwitch_2005"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
casus15.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file casus15.php","hash":"8d155b4239d922367af5d0a1b89533a3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_casus15_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file installer.cmd","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file installer.cmd","hash":"a507919ae701cf7e42fa441d3ad95f8f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"installer"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file elmaliseker.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file elmaliseker.asp","hash":"ccf48af0c8c09bbd038e610a49c9862e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"elmaliseker"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
resolve.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file resolve.exe","hash":"69bf9aa296238610a0e05f99b5540297","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_resolve"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Fport.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Fport.exe","hash":"dbb75488aa2fa22ba6950aead1ef30d5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_Fport"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file upload.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file upload.asp","hash":"b09852bda534627949f0259828c967de","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop_DevPack_upload"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
PasswordReminder.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file PasswordReminder.exe","hash":"ea49d754dc609e8bfa4c0f95d14ef9bf","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PasswordReminder"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file RkNT.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file RkNT.dll","hash":"5f97386dfde148942b7584aeb6512b85","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rknt_zip_Folder_RkNT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file dbgntboot.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dbgntboot.dll","hash":"4d87543d4d7f73c1529c9f8066b475ab","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"dbgntboot"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
shell.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file shell.php","hash":"45e8a00567f8a34ab1cccc86b4bc74b9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PHP_shell"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file rdrbs100.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file rdrbs100.exe","hash":"7c752bcd6da796d80a6830c61a632bff","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"rdrbs100"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Mithril.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Mithril.exe","hash":"017191562d72ab0ca551eb89256650bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_Mithril"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
hkdoordll.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file hkdoordll.dll","hash":"b715c009d47686c0e62d0981efce2552","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"hkdoordll"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file dllTest.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dllTest.dll","hash":"1b9e518aaa62b15079ff6edb412b21e9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_v1_45_dllTest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file dbgiis6cli.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dbgiis6cli.exe","hash":"3044dceb632b636563f66fee3aaaf8f3","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"dbgiis6cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
cress.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file cress.exe","hash":"36a416186fe010574c9be68002a7286a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Debug_cress"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file usr.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file usr.php","hash":"ade3357520325af50c9098dc8a21a024","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FeliksPack3___PHP_Shells_usr"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file phpinj.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file phpinj.php","hash":"dd39d17e9baca0363cc1c3664e608929","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"FSO_s_phpinj"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
db.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file db.asp","hash":"cb62e2ec40addd4b9930a9e270f5b318","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"xssshell_db"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file EditServer.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file EditServer.exe","hash":"5c1f25a4d206c83cdfb006b3eb4c09ba","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"EditServer_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file by064cli.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file by064cli.exe","hash":"10e0dff366968b770ae929505d2a9885","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"by064cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
dllTest.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file dllTest.dll","hash":"a8d25d794d8f08cd4de0c3d6bf389e6d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Mithril_dllTest"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file connector.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file connector.asp","hash":"3ba1827fca7be37c8296cd60be9dc884","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"connector"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file HideRun.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file HideRun.exe","hash":"45436d9bfd8ff94b71eeaeb280025afe","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_HideRun"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
PHP_Shell_v1.7.php","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file PHP_Shell_v1.7.php","hash":"b5978501c7112584532b4ca6fb77cba5","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"PHP_Shell_v1_7"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file save.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file save.asp","hash":"865da1b3974e940936fe38e8e1964980","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"xssshell_save"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file screencap.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file screencap.exe","hash":"51139091dea7a9418a50f2712ea72aa6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"screencap"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
zxrecv.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file zxrecv.exe","hash":"5d3d12a39f41d51341ef4cb7ce69d30f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_zxrecv"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file deploy.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file deploy.exe","hash":"2c9f9c58999256c73a5ebdb10a9be269","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"_root_040_zip_Folder_deploy"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file by063cli.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file by063cli.exe","hash":"49ce26eb97fd13b6d92a5e5d169db859","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"by063cli"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
asp.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file asp.asp","hash":"2c412400b146b7b98d6e7755f7159bb9","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"icyfox007v1_10_rar_Folder_asp"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file ntboot.dll","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file ntboot.dll","hash":"cb9eb5a6ff327f4d6c46aacbbe9dda9d","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"byshell063_ntboot_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file xwhois.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file xwhois.exe","hash":"0bc98bd576c80d921a3460f8be8816b4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"shelltools_g0t_root_xwhois"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
vanquish.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file vanquish.exe","hash":"2dcb9055785a2ee01567f52b5a62b071","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"vanquish_2"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file nc.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file nc.exe","hash":"2cd1bf15ae84c5f6917ddb128827ae8b","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"ZXshell2_0_rar_Folder_nc"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file Server.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file Server.exe","hash":"1d5aa9cbf1429bb5b8bf600335916dcd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"BIN_Server"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file 
2006.asp","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file 2006.asp","hash":"c19d6f4e069188f19b08fa94d44bc283","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HYTop2006_rar_Folder_2006"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshells Auto-generated - file HDConfig.exe","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","description":"Webshells Auto-generated - file HDConfig.exe","hash":"7d60e552fdca57642fd30462416347bd","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"HDConfig"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Webshell and Exploit Code in relation with APT against Honk Kong protesters","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"10.10.2014","description":"Webshell and Exploit Code in relation with APT against Honk Kong protesters","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"Webshell_and_Exploit_CN_APT_HK","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a web shell that downloads content from pastebin.com 
http://goo.gl/7dbyZs","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"13.01.2015","description":"Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"http://goo.gl/7dbyZs","rule":"Pastebin_Webshell","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects C99 Webshell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-11","description":"Detects C99 Webshell","hash1":"2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4","hash10":"615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966","hash11":"bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96","hash12":"ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f","hash13":"a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5","hash14":"1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd","hash2":"0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092","hash3":"d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5","hash4":"5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c","hash5":"21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06","hash6":"c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596","hash7":"816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9","hash8":"383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1","hash9":"07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51a
b9dd6d33357a","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/nikicat/web-malware-collection","rule":"Webshell_c99_4","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ...","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-11","description":"Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ...","hash1":"e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6","hash10":"0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f","hash11":"ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92","hash2":"f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba","hash3":"16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2","hash4":"59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88","hash5":"6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a","hash6":"5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94","hash7":"1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8","hash8":"c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f","hash9":"59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/nikicat/web-malware-collection","rule":"Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects Webshell - rule generated from from files c100 v. 777shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-01-11","description":"Detects Webshell - rule generated from from files c100 v. 777shell","hash1":"0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092","hash2":"d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5","hash3":"21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06","hash4":"c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596","hash5":"816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9","hash6":"bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96","hash7":"ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/nikicat/web-malware-collection","rule":"Webshell_c100","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a web shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-09-10","description":"Detects a web shell","hash1":"027544baa10259939780e97dc908bd43f0fb940510119fc4cce0883f3dd88275","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://github.com/bartblaze/PHP-backdoors","rule":"webshell_e8eaf8da94012e866e51547cd63bb996379690bf"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA 
rules","scan_date":"2024-09-27","alert":"Detects a simple cloaked PHP web shell","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-02-28","description":"Detects a simple cloaked PHP web shell","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127","rule":"PHP_Webshell_1_Feb17"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects web shell often used by Iranian APT groups","trigger":"signature-base-master/yara/thor-webshells.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-09-21","description":"Detects web shell often used by Iranian APT groups","hash1":"a39d8823d54c55e60a7395772e50d116408804c1a5368391a1e5871dbdc83547","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research - APT33","rule":"ALFA_SHELL"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138","trigger":"signature-base-master/yara/vul_confluence_questions_plugin_cve_2022_26138.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-07-21","description":"Detects properties file of Confluence Questions plugin with static user name and password (backdoor) 
CVE-2022-26138","reference":"https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/","rule":"VULN_Confluence_Questions_Plugin_CVE_2022_26138_Jul22_1","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects JQuery File Upload vulnerability CVE-2018-9206","trigger":"signature-base-master/yara/vul_jquery_fileupload_cve_2018_9206.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-10-19","description":"Detects JQuery File Upload vulnerability CVE-2018-9206","reference":"https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/","reference2":"https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f","reference3":"https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html","rule":"VUL_JQuery_FileUpload_CVE_2018_9206"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects backdoored PHP zlib version","trigger":"signature-base-master/yara/vul_php_zlib_backdoor.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-03-29","description":"Detects backdoored PHP zlib version","reference":"https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/","rule":"VULN_PHP_Hack_Backdoored_Zlib_Zerodium_Mar21_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a vulnerable GIGABYTE driver sometimes used by malicious actors to escalate 
privileges","trigger":"signature-base-master/yara/vuln_gigabyte_driver.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-07-25","description":"Detects a vulnerable GIGABYTE driver sometimes used by malicious actors to escalate privileges","hash1":"31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427","reference":"https://twitter.com/malmoeb/status/1551449425842786306","rule":"VULN_PUA_GIGABYTE_Driver_Jul22_1","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects ASPX web shells as being used in MOVEit Transfer exploitation","trigger":"signature-base-master/yara/vuln_moveit_0day_jun23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-01","description":"Detects ASPX web shells as being used in MOVEit Transfer exploitation","hash1":"2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5","hash2":"48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a","hash3":"e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e","reference":"https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/","rule":"WEBSHELL_ASPX_MOVEit_Jun23_1","score":"85"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a potential compromise indicator found in MOVEit Transfer logs","trigger":"signature-base-master/yara/vuln_moveit_0day_jun23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-01","description":"Detects a potential compromise indicator found in MOVEit Transfer 
logs","reference":"https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a potential compromise indicator found in MOVEit Transfer logs","trigger":"signature-base-master/yara/vuln_moveit_0day_jun23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-03","description":"Detects a potential compromise indicator found in MOVEit Transfer logs","reference":"https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects a potential compromise indicator found in MOVEit DMZ Web API logs","trigger":"signature-base-master/yara/vuln_moveit_0day_jun23.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Nasreddine Bencherchali","date":"2023-06-13","description":"Detects a potential compromise indicator found in MOVEit DMZ Web API logs","reference":"https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis","rule":"LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_3","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange 
servers","trigger":"signature-base-master/yara/vuln_proxynotshell_cve_2022_41040.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-11-17","description":"Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers","reference":"https://github.com/testanull/ProxyNotShell-PoC","rule":"LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"REGEORG_Tuneller_generic","trigger":"signature-base-master/yara/webshell_regeorg.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Mandiant","date":"2021-12-20","date_modified":"2021-12-20","hash":"ba22992ce835dadcd06bff4ab7b162f9","reference":"https://www.mandiant.com/resources/unc3524-eye-spy-email","rule":"REGEORG_Tuneller_generic"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-27","alert":"Generic ASP webshell which uses any eval/exec function directly on user input","trigger":"signature-base-master/yara/yara_mixed_ext_vars.yar","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/01/07","description":"Generic ASP webshell which uses any eval/exec function directly on user input","hash":"069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_asp_generic_eval_on_input"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-09-26","alert":"Scan 
result 20/65","trigger":"37595927254a7e153b423b3848b2fdc83d2530aaeafed8dc9f6b2c0e8ff76708","verdict":"malicious","severity":"","comment":"malicious - 20/65","link":"https://www.virustotal.com/gui/file/37595927254a7e153b423b3848b2fdc83d2530aaeafed8dc9f6b2c0e8ff76708","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-27T05:23:18.071005308Z","timestamp":1727414598071,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: 
nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"EC876EDD163EA26B47C9B862C795844F5DD01452095287EA5CD920E3B512672A\"\r\nLast-Modified: Wed, 25 Sep 2024 21:19:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=2336\r\nExpires: Fri, 27 Sep 2024 06:02:14 GMT\r\nDate: Fri, 27 Sep 2024 05:23:18 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"b6ecb6018a51380d08a47460236a395c","sha1":"1ce7fe77c21188624302a660a289fe1ce6e7a9e4","sha256":"ec876edd163ea26b47c9b862c795844f5dd01452095287ea5cd920e3b512672a","sha512":"982ccad2ecd8a1cdbab07f168c596ed1267fbd853f25c546b4dcf376d4ddc2a33e035451f7b6add7d60a133d37977732d1b096f1aced155cc3613a2b106a0d5a","ssdeep":"","tlshash":"54f0055337e5b6509ae1093d24fae1561d752dfb3804a5d9655391d1f1117dc41c1408","first_seen":"2024-09-25T23:43:43Z","last_seen":"2024-10-04T11:30:57.353438Z","times_seen":41560,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-27T05:23:18.100984956Z","timestamp":1727414598100,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: 
no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"AD3BF98D190E8A00B304B608273E81B0D73805059020C0E08E318194738DBE08\"\r\nLast-Modified: Wed, 25 Sep 2024 00:20:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=15606\r\nExpires: Fri, 27 Sep 2024 09:43:24 GMT\r\nDate: Fri, 27 Sep 2024 05:23:18 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"4d7d2c93c05c23af00bdd2de1aa8def8","sha1":"5d690fe96336335097f6edc39f269282fc0c03d5","sha256":"ad3bf98d190e8a00b304b608273e81b0d73805059020c0e08e318194738dbe08","sha512":"20601026ec40bd076a15d9793ea9b5b83e968701974a3028503c5bae1a534264b9b6e1396e8c281deace76e2a36a8f1ed9c0cb8711fd5d2dfcef0870708e3a1d","ssdeep":"","tlshash":"7df005a316fd7d12ebe2121218e9e7355d3475eb345047e1949407d32c143bd09c0808","first_seen":"2024-09-25T07:27:39Z","last_seen":"2024-09-28T07:52:11.580068Z","times_seen":13229,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-27T05:23:18.37395918Z","timestamp":1727414598373,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: 
en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"E3A32CE3CF72D63E19B8798F97958504386B93F037F1B1C0EE9B1BACEF7B7AB7\"\r\nLast-Modified: Wed, 25 Sep 2024 02:37:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=2202\r\nExpires: Fri, 27 Sep 2024 06:00:00 GMT\r\nDate: Fri, 27 Sep 2024 05:23:18 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"c43e2541e37815678381469c9e5da2d7","sha1":"8826a1dacc67c90e98c00b0b34736b52cc7724ad","sha256":"e3a32ce3cf72d63e19b8798f97958504386b93f037f1b1c0ee9b1bacef7b7ab7","sha512":"3161d33aeca14aab0683661102de1190376f7e65d0c11d34041ef25d2ce4a140f985088bd4202f751e10742846ac04b1a96c2d38869f7fbccfe2ba1706abdf40","ssdeep":"","tlshash":"3bf0054b1369fc945ff13a007d99c713581156d538040bd6b5d4c1e0961079c574450c","first_seen":"2024-09-25T06:46:28Z","last_seen":"2024-09-28T07:52:26.204844Z","times_seen":19111,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-27T05:23:18.413088821Z","timestamp":1727414598413,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: 
r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"D5C222286765E84DE5DE422E2B57D9F51173ABA2934DED5A2ED579794B7B3604\"\r\nLast-Modified: Fri, 27 Sep 2024 01:36:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=15657\r\nExpires: Fri, 27 Sep 2024 09:44:15 GMT\r\nDate: Fri, 27 Sep 2024 05:23:18 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"51a45c4d7c6a4157f0fc92c2b6e3b6fa","sha1":"da42e65eb69e43b6691b3f4cc88302d81779a8e1","sha256":"d5c222286765e84de5de422e2b57d9f51173aba2934ded5a2ed579794b7b3604","sha512":"aa8f2de006e5a56848e95231da718f97641f93cb337edba9b905bbe0fc0f1e61cdaf1776046c76e356aac0a8d68a86fcf52ea92b429bab3d9eef844a96d05499","ssdeep":"","tlshash":"c8f075150aeafa12dbe0401118e9c99d5930a2ba30121cc920e006c00a127ec4ac240c","first_seen":"2024-09-27T07:15:58Z","last_seen":"2024-09-28T07:16:29.143494Z","times_seen":6815,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"github.com/Neo23x0/signature-base/archive/master.zip","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.3","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-09-
27T05:23:18.521Z","timestamp":1727414598521,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"github.com","organization":""},"issuer":{"commonName":"Sectigo ECC Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 07 Mar 2024 00:00:00 GMT","end":"Fri, 07 Mar 2025 23:59:59 GMT"},"fingerprint":{"sha1":"E7:03:5B:CC:1C:18:77:1F:79:2F:90:86:6B:6C:1D:F8:DF:AA:BD:C0","sha256":"FD:6E:9B:0E:F3:98:BC:D9:04:C3:B2:EC:16:7A:7B:0F:DA:72:01:C9:03:C5:3A:6A:6A:E5:D0:41:43:63:EF:65"}}},"request":{"raw":"GET /Neo23x0/signature-base/archive/master.zip HTTP/1.1\r\nHost: github.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 302 Found\r\nserver: GitHub.com\r\ndate: Fri, 27 Sep 2024 05:23:18 GMT\r\ncontent-type: text/html; charset=utf-8\r\nvary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With\r\nlocation: https://codeload.github.com/Neo23x0/signature-base/zip/refs/heads/master\r\ncache-control: max-age=0, private\r\nstrict-transport-security: max-age=31536000; includeSubdomains; preload\r\nx-frame-options: deny\r\nx-content-type-options: nosniff\r\nx-xss-protection: 0\r\nreferrer-policy: no-referrer-when-downgrade\r\ncontent-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ 
github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com 
objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/\r\ncontent-length: 0\r\nx-github-request-id: B510:2A321:B7AE1E:BD433A:66F64146\r\nX-Firefox-Spdy: 
h2\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"application/zip","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-04-05T11:47:06.182466Z","times_seen":13373545,"resource_available":true,"data":null}},"time_used":548,"timings":{"blocked":188,"dns":1,"connect":24,"send":0,"wait":170,"receive":0,"ssl":160},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"codeload.github.com/Neo23x0/signature-base/zip/refs/heads/master","fqdn":"codeload.github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.9","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-09-27T05:23:18.884Z","timestamp":1727414598884,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.github.com","organization":""},"issuer":{"commonName":"Sectigo ECC Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 07 Mar 2024 00:00:00 GMT","end":"Fri, 07 Mar 2025 23:59:59 GMT"},"fingerprint":{"sha1":"0D:F6:EC:50:FA:ED:AE:6E:13:AF:82:94:52:F7:11:1B:0A:CF:7C:20","sha256":"4D:47:6A:EF:60:3F:1C:32:FB:EF:92:CE:03:B6:EE:F3:33:CF:72:F9:BD:B0:A2:96:0C:FC:CC:02:23:33:5D:9E"}}},"request":{"raw":"GET /Neo23x0/signature-base/zip/refs/heads/master HTTP/1.1\r\nHost: codeload.github.com\r\nUser-Agent: Mozilla/5.0 (X11; 
Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\naccess-control-allow-origin: https://render.githubusercontent.com\r\ncontent-disposition: attachment; filename=signature-base-master.zip\r\ncontent-length: 3928906\r\ncontent-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox\r\ncontent-type: application/zip\r\ncross-origin-resource-policy: cross-origin\r\netag: W/\"2bcfe918eb50f959d050d2c629db85fb2a59e946e8310a3e88ce5d05cd59ae4c\"\r\nstrict-transport-security: max-age=31536000\r\nvary: Authorization,Accept-Encoding,Origin\r\nx-content-type-options: nosniff\r\nx-frame-options: deny\r\nx-xss-protection: 1; mode=block\r\ndate: Fri, 27 Sep 2024 05:23:19 GMT\r\nx-github-request-id: FC54:1CC69:42114:5F4BA:66F64146\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":3928906,"size_decoded":3928906,"mime_type":"application/zip","magic":"Zip archive data, at least v1.0 to extract, compression 
method=store","md5":"371d71a5a44a0481e55774ad78511670","sha1":"b765576b2804762629f56b89cbd9642b8c4dae03","sha256":"37595927254a7e153b423b3848b2fdc83d2530aaeafed8dc9f6b2c0e8ff76708","sha512":"7e5257219e6d6812c419b46267e6db4bd79ab9dcc418361579a1c1a46a8b7750f69eddb6756a314a3de2e12f0583714b1026d3c83a5572aa94574e2750effe5c","ssdeep":"98304:nhE57rcbTvA/DFxkasLO1ize5dt4SXrJhBXS8X+:apeTY/xxULO0ybJXrJhBXb+","tlshash":"bb06121cf1026c33cb6b72fdd1af520adb15e042119c5d93b4c656282b2a6267f3e76e","first_seen":"2024-09-28T07:16:28.25736Z","last_seen":"2024-09-28T07:16:28.25736Z","times_seen":1,"resource_available":false,"data":null}},"time_used":1055,"timings":{"blocked":106,"dns":1,"connect":20,"send":0,"wait":326,"receive":517,"ssl":81},"alerts":{"ids":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-09-26","alert":"Scan result 20/65","trigger":"37595927254a7e153b423b3848b2fdc83d2530aaeafed8dc9f6b2c0e8ff76708","verdict":"malicious","severity":"","comment":"malicious - 20/65","link":"https://www.virustotal.com/gui/file/37595927254a7e153b423b3848b2fdc83d2530aaeafed8dc9f6b2c0e8ff76708","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-27T05:23:20.414130255Z","timestamp":1727414600414,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: 
no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"5BD5F6CC031865B327CD4987C09F2266F9B994CC967EB6CF75BAB5A58BCB7230\"\r\nLast-Modified: Wed, 25 Sep 2024 02:39:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=11194\r\nExpires: Fri, 27 Sep 2024 08:29:54 GMT\r\nDate: Fri, 27 Sep 2024 05:23:20 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"c16a3fe398c09ad4d309c60911d6a6b6","sha1":"dc1148076d45d128cb6d0780ac0467aeba0902e9","sha256":"5bd5f6cc031865b327cd4987c09f2266f9b994cc967eb6cf75bab5a58bcb7230","sha512":"06add46bb918587ee4ef9c40500ad7c0717bdec77cd5a7d743110fb01ec97f05d26e4f6134d0b56362c7426296f9b3072348a2d793cd367b04d8645bf0e30e07","ssdeep":"","tlshash":"acf0c0132f61ad40857c392a9ce8d43b6521316c0c0869e169e992d3a5117ed1019704","first_seen":"2024-09-25T12:57:56Z","last_seen":"2024-09-28T07:48:18.846668Z","times_seen":21781,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-27T05:23:20.415091494Z","timestamp":1727414600415,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, 
deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"5BD5F6CC031865B327CD4987C09F2266F9B994CC967EB6CF75BAB5A58BCB7230\"\r\nLast-Modified: Wed, 25 Sep 2024 02:39:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=11194\r\nExpires: Fri, 27 Sep 2024 08:29:54 GMT\r\nDate: Fri, 27 Sep 2024 05:23:20 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"c16a3fe398c09ad4d309c60911d6a6b6","sha1":"dc1148076d45d128cb6d0780ac0467aeba0902e9","sha256":"5bd5f6cc031865b327cd4987c09f2266f9b994cc967eb6cf75bab5a58bcb7230","sha512":"06add46bb918587ee4ef9c40500ad7c0717bdec77cd5a7d743110fb01ec97f05d26e4f6134d0b56362c7426296f9b3072348a2d793cd367b04d8645bf0e30e07","ssdeep":"","tlshash":"acf0c0132f61ad40857c392a9ce8d43b6521316c0c0869e169e992d3a5117ed1019704","first_seen":"2024-09-25T12:57:56Z","last_seen":"2024-09-28T07:48:18.846668Z","times_seen":21781,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-27T05:23:20.415886764Z","timestamp":1727414600415,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 
(X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"5BD5F6CC031865B327CD4987C09F2266F9B994CC967EB6CF75BAB5A58BCB7230\"\r\nLast-Modified: Wed, 25 Sep 2024 02:39:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=11194\r\nExpires: Fri, 27 Sep 2024 08:29:54 GMT\r\nDate: Fri, 27 Sep 2024 05:23:20 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"c16a3fe398c09ad4d309c60911d6a6b6","sha1":"dc1148076d45d128cb6d0780ac0467aeba0902e9","sha256":"5bd5f6cc031865b327cd4987c09f2266f9b994cc967eb6cf75bab5a58bcb7230","sha512":"06add46bb918587ee4ef9c40500ad7c0717bdec77cd5a7d743110fb01ec97f05d26e4f6134d0b56362c7426296f9b3072348a2d793cd367b04d8645bf0e30e07","ssdeep":"","tlshash":"acf0c0132f61ad40857c392a9ce8d43b6521316c0c0869e169e992d3a5117ed1019704","first_seen":"2024-09-25T12:57:56Z","last_seen":"2024-09-28T07:48:18.846668Z","times_seen":21781,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}
