{
    "1": [
        {
            "sample_cnt": 101429,
            "yara_rule_name": "pe_imphash",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:33:24"
        }
    ],
    "2": [
        {
            "sample_cnt": 90676,
            "yara_rule_name": "unixredflags3",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunts for UNIX red flags",
            "last_hit_utc": "2026-04-27 17:45:02"
        }
    ],
    "3": [
        {
            "sample_cnt": 87102,
            "yara_rule_name": "Skystars_Malware_Imphash",
            "yara_rule_author": "Skystars LightDefender",
            "yara_rule_reference": null,
            "yara_rule_description": "imphash",
            "last_hit_utc": "2026-04-27 18:33:24"
        }
    ],
    "4": [
        {
            "sample_cnt": 79614,
            "yara_rule_name": "linux_generic_ipv6_catcher",
            "yara_rule_author": "@_lubiedo",
            "yara_rule_reference": null,
            "yara_rule_description": "ELF samples using IPv6 addresses",
            "last_hit_utc": "2026-04-27 19:11:49"
        }
    ],
    "5": [
        {
            "sample_cnt": 78534,
            "yara_rule_name": "SharedStrings",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "Internal names found in LURK0/CCTV0 samples",
            "last_hit_utc": "2026-04-24 21:59:31"
        }
    ],
    "6": [
        {
            "sample_cnt": 76712,
            "yara_rule_name": "Email_stealer_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "Email in files like avemaria",
            "last_hit_utc": "2024-06-13 01:50:03"
        }
    ],
    "7": [
        {
            "sample_cnt": 74506,
            "yara_rule_name": "Select_from_enumeration",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "IP and port combo",
            "last_hit_utc": "2025-07-30 00:00:05"
        }
    ],
    "8": [
        {
            "sample_cnt": 73333,
            "yara_rule_name": "UAC_bypass_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "UAC bypass in files like avemaria",
            "last_hit_utc": "2023-03-07 05:03:02"
        }
    ],
    "9": [
        {
            "sample_cnt": 72615,
            "yara_rule_name": "Sus_Obf_Enc_Spoof_Hide_PE",
            "yara_rule_author": "XiAnzheng",
            "yara_rule_reference": null,
            "yara_rule_description": "Checks for overlay, obfuscation, encryption, spoofing, hiding, or entropy techniques (can create FP)",
            "last_hit_utc": "2026-04-04 11:43:46"
        }
    ],
    "10": [
        {
            "sample_cnt": 71652,
            "yara_rule_name": "IPPort_combo_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "IP and port combo",
            "last_hit_utc": "2025-12-01 20:35:14"
        }
    ],
    "11": [
        {
            "sample_cnt": 70661,
            "yara_rule_name": "DebuggerCheck__API",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:00"
        }
    ],
    "12": [
        {
            "sample_cnt": 69910,
            "yara_rule_name": "NET",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:33:23"
        }
    ],
    "13": [
        {
            "sample_cnt": 51184,
            "yara_rule_name": "pe_imphash",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2026-02-22 18:15:54"
        }
    ],
    "14": [
        {
            "sample_cnt": 51183,
            "yara_rule_name": "Skystars_Malware_Imphash",
            "yara_rule_author": "Skystars LightDefender",
            "yara_rule_reference": "",
            "yara_rule_description": "imphash",
            "last_hit_utc": "2026-02-22 18:15:54"
        }
    ],
    "15": [
        {
            "sample_cnt": 45508,
            "yara_rule_name": "Cobalt_functions",
            "yara_rule_author": "@j0sm1",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects functions coded with ROR edi,D; detects CobaltStrike used by different APT groups",
            "last_hit_utc": "2023-08-23 22:19:04"
        }
    ],
    "16": [
        {
            "sample_cnt": 41966,
            "yara_rule_name": "golang_bin_JCorn_CSC846",
            "yara_rule_author": "Justin Cornwell",
            "yara_rule_reference": null,
            "yara_rule_description": "CSC-846 Golang detection ruleset",
            "last_hit_utc": "2026-04-27 18:00:02"
        }
    ],
    "17": [
        {
            "sample_cnt": 35270,
            "yara_rule_name": "NETexecutableMicrosoft",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:33:23"
        }
    ],
    "18": [
        {
            "sample_cnt": 33782,
            "yara_rule_name": "Linux_Trojan_Gafgyt_28a2fe0c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:14"
        }
    ],
    "19": [
        {
            "sample_cnt": 33633,
            "yara_rule_name": "PE_Digital_Certificate",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:03"
        }
    ],
    "20": [
        {
            "sample_cnt": 33522,
            "yara_rule_name": "MD5_Constants",
            "yara_rule_author": "phoul (@phoul)",
            "yara_rule_reference": null,
            "yara_rule_description": "Look for MD5 constants",
            "last_hit_utc": "2026-04-27 18:00:03"
        }
    ],
    "21": [
        {
            "sample_cnt": 31972,
            "yara_rule_name": "pe_detect_tls_callbacks",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:03"
        }
    ],
    "22": [
        {
            "sample_cnt": 28953,
            "yara_rule_name": "cobalt_strike_tmp01925d3f",
            "yara_rule_author": "The DFIR Report",
            "yara_rule_reference": "https://thedfirreport.com",
            "yara_rule_description": "files - file ~tmp01925d3f.exe",
            "last_hit_utc": "2026-04-27 18:00:00"
        }
    ],
    "23": [
        {
            "sample_cnt": 28729,
            "yara_rule_name": "MALWARE_Win_DLLLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unknown DLL Loader",
            "last_hit_utc": "2022-07-13 08:07:22"
        }
    ],
    "24": [
        {
            "sample_cnt": 28246,
            "yara_rule_name": "RANSOMWARE",
            "yara_rule_author": "ToroGuitar",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:03"
        }
    ],
    "25": [
        {
            "sample_cnt": 28049,
            "yara_rule_name": "ach_Dridex_xls_20200528",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/420dd56b97a129b1b3369b477d614eda/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:14:45"
        }
    ],
    "26": [
        {
            "sample_cnt": 28029,
            "yara_rule_name": "setsockopt",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunts for setsockopt() red flags",
            "last_hit_utc": "2026-04-27 17:45:01"
        }
    ],
    "27": [
        {
            "sample_cnt": 27563,
            "yara_rule_name": "DridexV4",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Dridex v4 Payload",
            "last_hit_utc": "2025-10-01 12:56:51"
        }
    ],
    "28": [
        {
            "sample_cnt": 26999,
            "yara_rule_name": "RIPEMD160_Constants",
            "yara_rule_author": "phoul (@phoul)",
            "yara_rule_reference": null,
            "yara_rule_description": "Look for RIPEMD-160 constants",
            "last_hit_utc": "2026-04-27 18:00:03"
        }
    ],
    "29": [
        {
            "sample_cnt": 26999,
            "yara_rule_name": "SHA1_Constants",
            "yara_rule_author": "phoul (@phoul)",
            "yara_rule_reference": null,
            "yara_rule_description": "Look for SHA1 constants",
            "last_hit_utc": "2026-04-27 18:00:04"
        }
    ],
    "30": [
        {
            "sample_cnt": 26254,
            "yara_rule_name": "Sus_CMD_Powershell_Usage",
            "yara_rule_author": "XiAnzheng",
            "yara_rule_reference": null,
            "yara_rule_description": "May contain (obfuscated or not) PowerShell or CMD commands that can be abused by threat actors (can create FP)",
            "last_hit_utc": "2026-04-27 18:33:25"
        }
    ],
    "31": [
        {
            "sample_cnt": 25688,
            "yara_rule_name": "CP_Script_Inject_Detector",
            "yara_rule_author": "DiegoAnalytics",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects attempts to inject code into another process across PE, ELF, Mach-O binaries",
            "last_hit_utc": "2026-04-27 18:00:00"
        }
    ],
    "32": [
        {
            "sample_cnt": 25340,
            "yara_rule_name": "Win32_Trojan_Emotet",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Emotet trojan.",
            "last_hit_utc": "2026-03-24 15:29:15"
        }
    ],
    "33": [
        {
            "sample_cnt": 24065,
            "yara_rule_name": "DridexLoader",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Dridex v4 dropper C2 parsing function",
            "last_hit_utc": "2021-12-26 00:03:52"
        }
    ],
    "34": [
        {
            "sample_cnt": 23950,
            "yara_rule_name": "shellcode",
            "yara_rule_author": "nex",
            "yara_rule_reference": null,
            "yara_rule_description": "Matched shellcode byte patterns",
            "last_hit_utc": "2026-04-27 14:10:57"
        }
    ],
    "35": [
        {
            "sample_cnt": 23406,
            "yara_rule_name": "upx_packed_elf_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 19:11:49"
        }
    ],
    "36": [
        {
            "sample_cnt": 23156,
            "yara_rule_name": "ach_Quakbot_xlsb_20201023",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/0b9b00c3721a0656947b31125c5bdebc/",
            "yara_rule_description": "Detects Quakbot XLS",
            "last_hit_utc": "2025-01-05 16:22:04"
        }
    ],
    "37": [
        {
            "sample_cnt": 22771,
            "yara_rule_name": "win_dridex_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-07-13 08:07:22"
        }
    ],
    "38": [
        {
            "sample_cnt": 22032,
            "yara_rule_name": "win_sisfader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-01-19 19:02:27"
        }
    ],
    "39": [
        {
            "sample_cnt": 21681,
            "yara_rule_name": "ELF_Mirai",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects multiple Mirai variants",
            "last_hit_utc": "2026-04-27 12:08:32"
        }
    ],
    "40": [
        {
            "sample_cnt": 20380,
            "yara_rule_name": "SUSP_ELF_LNX_UPX_Compressed_File",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious ELF binary with UPX compression",
            "last_hit_utc": "2026-04-27 19:11:48"
        }
    ],
    "41": [
        {
            "sample_cnt": 19838,
            "yara_rule_name": "DetectEncryptedVariants",
            "yara_rule_author": "Zinyth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded",
            "last_hit_utc": "2026-04-27 18:00:01"
        }
    ],
    "42": [
        {
            "sample_cnt": 19686,
            "yara_rule_name": "SUSP_XORed_Mozilla_RID2DB4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious XORed keyword - Mozilla/5.0",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "43": [
        {
            "sample_cnt": 18716,
            "yara_rule_name": "win_emotet_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-11-30 06:14:03"
        }
    ],
    "44": [
        {
            "sample_cnt": 18288,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_Binary_References_Browsers",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "45": [
        {
            "sample_cnt": 18237,
            "yara_rule_name": "DebuggerCheck__QueryInfo",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 15:09:51"
        }
    ],
    "46": [
        {
            "sample_cnt": 18237,
            "yara_rule_name": "ThreadControl__Context",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:05"
        }
    ],
    "47": [
        {
            "sample_cnt": 17959,
            "yara_rule_name": "DebuggerException__SetConsoleCtrl",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:01"
        }
    ],
    "48": [
        {
            "sample_cnt": 17749,
            "yara_rule_name": "pdb_YARAify",
            "yara_rule_author": "@wowabiy314",
            "yara_rule_reference": null,
            "yara_rule_description": "PDB",
            "last_hit_utc": "2025-01-05 16:09:22"
        }
    ],
    "49": [
        {
            "sample_cnt": 17097,
            "yara_rule_name": "BitcoinAddress",
            "yara_rule_author": "Didier Stevens (@DidierStevens)",
            "yara_rule_reference": null,
            "yara_rule_description": "Contains a valid Bitcoin address",
            "last_hit_utc": "2025-11-23 21:24:24"
        }
    ],
    "50": [
        {
            "sample_cnt": 16742,
            "yara_rule_name": "SUSP_Excel4Macro_AutoOpen",
            "yara_rule_author": "John Lambert @JohnLaTwC",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Excel4 macro use with auto open / close",
            "last_hit_utc": "2025-01-05 16:08:38"
        }
    ],
    "51": [
        {
            "sample_cnt": 16694,
            "yara_rule_name": "CP_AllMal_Detector",
            "yara_rule_author": "DiegoAnalytics",
            "yara_rule_reference": null,
            "yara_rule_description": "CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication",
            "last_hit_utc": "2026-02-13 08:23:18"
        }
    ],
    "52": [
        {
            "sample_cnt": 16421,
            "yara_rule_name": "maldoc_find_kernel32_base_method_1",
            "yara_rule_author": "Didier Stevens (https://DidierStevens.com)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-30 08:18:56"
        }
    ],
    "53": [
        {
            "sample_cnt": 16224,
            "yara_rule_name": "SHA512_Constants",
            "yara_rule_author": "phoul (@phoul)",
            "yara_rule_reference": null,
            "yara_rule_description": "Look for SHA384/SHA512 constants",
            "last_hit_utc": "2026-04-27 18:00:04"
        }
    ],
    "54": [
        {
            "sample_cnt": 16217,
            "yara_rule_name": "PE_Potentially_Signed_Digital_Certificate",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-05 11:22:16"
        }
    ],
    "55": [
        {
            "sample_cnt": 15872,
            "yara_rule_name": "Agenttesla_type2",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Agenttesla in memory",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "56": [
        {
            "sample_cnt": 15767,
            "yara_rule_name": "SEH__vectored",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:04"
        }
    ],
    "57": [
        {
            "sample_cnt": 15708,
            "yara_rule_name": "Linux_Trojan_Gafgyt_ea92cca8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:15"
        }
    ],
    "58": [
        {
            "sample_cnt": 15510,
            "yara_rule_name": "linux_generic_ipv6_catcher",
            "yara_rule_author": "@_lubiedo",
            "yara_rule_reference": "",
            "yara_rule_description": "ELF samples using IPv6 addresses",
            "last_hit_utc": "2022-11-26 05:07:03"
        }
    ],
    "59": [
        {
            "sample_cnt": 15190,
            "yara_rule_name": "vmdetect",
            "yara_rule_author": "nex",
            "yara_rule_reference": null,
            "yara_rule_description": "Possibly employs anti-virtualization techniques",
            "last_hit_utc": "2026-04-27 12:59:26"
        }
    ],
    "60": [
        {
            "sample_cnt": 15026,
            "yara_rule_name": "unixredflags3",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": "",
            "yara_rule_description": "Hunts for UNIX red flags",
            "last_hit_utc": "2022-11-26 13:52:04"
        }
    ],
    "61": [
        {
            "sample_cnt": 14742,
            "yara_rule_name": "MALWARE_Win_RedLine",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RedLine infostealer",
            "last_hit_utc": "2026-04-22 16:10:45"
        }
    ],
    "62": [
        {
            "sample_cnt": 14582,
            "yara_rule_name": "ach_Heodo_doc_20200916",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/67e7bef3ab55e7aa9e255729a04857ec/",
            "yara_rule_description": "Detects Heodo DOC",
            "last_hit_utc": "2022-10-31 16:12:02"
        }
    ],
    "63": [
        {
            "sample_cnt": 14483,
            "yara_rule_name": "pe_no_import_table",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PE files that have no import table",
            "last_hit_utc": "2026-04-27 16:37:43"
        }
    ],
    "64": [
        {
            "sample_cnt": 14342,
            "yara_rule_name": "enterpriseapps2",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Enterprise apps",
            "last_hit_utc": "2026-04-27 17:44:58"
        }
    ],
    "65": [
        {
            "sample_cnt": 14206,
            "yara_rule_name": "pdb_YARAify",
            "yara_rule_author": "@wowabiy314",
            "yara_rule_reference": "",
            "yara_rule_description": "PDB",
            "last_hit_utc": "2025-08-19 14:17:02"
        }
    ],
    "66": [
        {
            "sample_cnt": 13980,
            "yara_rule_name": "Windows_Trojan_Smokeloader_3687686f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-23 17:30:03"
        }
    ],
    "67": [
        {
            "sample_cnt": 13738,
            "yara_rule_name": "myMirai",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Mirai",
            "last_hit_utc": "2025-01-05 17:12:28"
        }
    ],
    "68": [
        {
            "sample_cnt": 13645,
            "yara_rule_name": "CAP_HookExKeylogger",
            "yara_rule_author": "Brian C. Bell -- @biebsmalwareguy",
            "yara_rule_reference": "https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar",
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-01 13:08:23"
        }
    ],
    "69": [
        {
            "sample_cnt": 13556,
            "yara_rule_name": "BitcoinAddress",
            "yara_rule_author": "Didier Stevens (@DidierStevens)",
            "yara_rule_reference": "",
            "yara_rule_description": "Contains a valid Bitcoin address",
            "last_hit_utc": "2026-01-04 07:57:12"
        }
    ],
    "70": [
        {
            "sample_cnt": 13406,
            "yara_rule_name": "meth_get_eip",
            "yara_rule_author": "Willi Ballenthin",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-08 15:07:42"
        }
    ],
    "71": [
        {
            "sample_cnt": 12533,
            "yara_rule_name": "ach_Quakbot_xlsb_20201021_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/a7f9e9adabeb405d0254373049ecf3da/",
            "yara_rule_description": "Detects Quakbot XLS",
            "last_hit_utc": "2020-11-20 15:09:02"
        }
    ],
    "72": [
        {
            "sample_cnt": 12059,
            "yara_rule_name": "FreddyBearDropper",
            "yara_rule_author": "Dwarozh Hoshiar",
            "yara_rule_reference": null,
            "yara_rule_description": "Freddy Bear Dropper drops malware through a base63 encoded PowerShell script.",
            "last_hit_utc": "2026-04-27 18:00:01"
        }
    ],
    "73": [
        {
            "sample_cnt": 11799,
            "yara_rule_name": "botnet_Yakuza",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Yakuza botnet",
            "last_hit_utc": "2026-04-27 13:33:14"
        }
    ],
    "74": [
        {
            "sample_cnt": 11338,
            "yara_rule_name": "win_agent_tesla_w1",
            "yara_rule_author": "govcert_ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Agent Tesla based on common .NET code sequences",
            "last_hit_utc": "2026-03-07 09:52:18"
        }
    ],
    "75": [
        {
            "sample_cnt": 11203,
            "yara_rule_name": "Detect_PowerShell_Obfuscation",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects obfuscated PowerShell commands commonly used in malicious scripts.",
            "last_hit_utc": "2026-04-27 17:44:58"
        }
    ],
    "76": [
        {
            "sample_cnt": 11078,
            "yara_rule_name": "MALW_emotet",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect unpacked Emotet",
            "last_hit_utc": "2025-05-02 02:30:15"
        }
    ],
    "77": [
        {
            "sample_cnt": 10890,
            "yara_rule_name": "AutoIT_Compiled",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.",
            "last_hit_utc": "2026-04-27 14:18:37"
        }
    ],
    "78": [
        {
            "sample_cnt": 10441,
            "yara_rule_name": "Borland",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 14:10:56"
        }
    ],
    "79": [
        {
            "sample_cnt": 10328,
            "yara_rule_name": "F01_s1ckrule",
            "yara_rule_author": "s1ckb017",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 17:44:58"
        }
    ],
    "80": [
        {
            "sample_cnt": 9927,
            "yara_rule_name": "SUSP_XORed_Mozilla_Oct19",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()",
            "yara_rule_description": "Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "81": [
        {
            "sample_cnt": 9845,
            "yara_rule_name": "ach_AgentTesla_20200929",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/b2c1cb673c61537b88826b097a160f6f/",
            "yara_rule_description": "Detects AgentTesla PE",
            "last_hit_utc": "2025-10-14 23:09:38"
        }
    ],
    "82": [
        {
            "sample_cnt": 9684,
            "yara_rule_name": "MALWARE_Win_RedLine",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RedLine infostealer",
            "last_hit_utc": "2023-11-10 02:17:02"
        }
    ],
    "83": [
        {
            "sample_cnt": 9605,
            "yara_rule_name": "detect_Redline_Stealer",
            "yara_rule_author": "Varp0s",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 14:58:32"
        }
    ],
    "84": [
        {
            "sample_cnt": 9543,
            "yara_rule_name": "GoBinTest",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 17:44:59"
        }
    ],
    "85": [
        {
            "sample_cnt": 9464,
            "yara_rule_name": "golang",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 17:44:59"
        }
    ],
    "86": [
        {
            "sample_cnt": 9424,
            "yara_rule_name": "ach_Heodo_doc_gen_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/999c14766d1ce903e02dd0598bbf3721/",
            "yara_rule_description": "Detects Heodo (aka Emotet) DOC",
            "last_hit_utc": "2023-01-28 19:25:03"
        }
    ],
    "87": [
        {
            "sample_cnt": 9393,
            "yara_rule_name": "ach_Heodo_doc_gen_3",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/07da434aa20819a3f728fb5f705b6493/",
            "yara_rule_description": "Detects Heodo (aka Emotet) DOC",
            "last_hit_utc": "2022-10-12 17:48:33"
        }
    ],
    "88": [
        {
            "sample_cnt": 9285,
            "yara_rule_name": "ach_Quakbot_xlsx_20201102",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/4fa8bd8c84eb67c04c46666f7729de31/",
            "yara_rule_description": "Detects Quakbot XLS",
            "last_hit_utc": "2020-11-06 17:19:58"
        }
    ],
    "89": [
        {
            "sample_cnt": 9136,
            "yara_rule_name": "golang_binary_string",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Golang strings present",
            "last_hit_utc": "2026-04-27 17:44:59"
        }
    ],
    "90": [
        {
            "sample_cnt": 9105,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many email and collaboration clients. Observed in information stealers",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "91": [
        {
            "sample_cnt": 8832,
            "yara_rule_name": "maldoc_getEIP_method_1",
            "yara_rule_author": "Didier Stevens (https://DidierStevens.com)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-08 15:07:42"
        }
    ],
    "92": [
        {
            "sample_cnt": 8828,
            "yara_rule_name": "Check_OutputDebugStringA_iat",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:00"
        }
    ],
    "93": [
        {
            "sample_cnt": 8775,
            "yara_rule_name": "MALWARE_Win_Emotet",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Emotet variants",
            "last_hit_utc": "2021-03-28 08:00:54"
        }
    ],
    "94": [
        {
            "sample_cnt": 8749,
            "yara_rule_name": "command_and_control",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group",
            "last_hit_utc": "2026-04-27 12:50:41"
        }
    ],
    "95": [
        {
            "sample_cnt": 8709,
            "yara_rule_name": "meth_stackstrings",
            "yara_rule_author": "Willi Ballenthin",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 15:02:46"
        }
    ],
    "96": [
        {
            "sample_cnt": 8652,
            "yara_rule_name": "Disable_Defender",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen",
            "last_hit_utc": "2026-04-27 16:04:55"
        }
    ],
    "97": [
        {
            "sample_cnt": 8530,
            "yara_rule_name": "SUSP_MalDoc_ExcelMacro",
            "yara_rule_author": "@@lazyactivist192",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-01-09 13:33:34"
        }
    ],
    "98": [
        {
            "sample_cnt": 8489,
            "yara_rule_name": "ELF_Toriilike_persist",
            "yara_rule_author": "4r4",
            "yara_rule_reference": "Identified via researched data",
            "yara_rule_description": "Detects Torii IoT Botnet (stealthier Mirai alternative)",
            "last_hit_utc": "2026-04-27 19:11:50"
        }
    ],
    "99": [
        {
            "sample_cnt": 8469,
            "yara_rule_name": "Mirai_Botnet_Malware_RID2EF6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Mirai Botnet Malware",
            "last_hit_utc": "2026-04-27 12:10:45"
        }
    ],
    "100": [
        {
            "sample_cnt": 8283,
            "yara_rule_name": "Linux_Generic_Threat_d94e1020",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:52:27"
        }
    ],
    "101": [
        {
            "sample_cnt": 8275,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers",
            "last_hit_utc": "2026-04-27 16:04:59"
        }
    ],
    "102": [
        {
            "sample_cnt": 8219,
            "yara_rule_name": "Multifamily_RAT_Detection",
            "yara_rule_author": "Lucas Acha (http://www.lukeacha.com)",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables",
            "last_hit_utc": "2026-04-27 16:04:59"
        }
    ],
    "103": [
        {
            "sample_cnt": 8131,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many file transfer clients. Observed in information stealers",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "104": [
        {
            "sample_cnt": 8119,
            "yara_rule_name": "SUSP_EnableContent_String_Gen",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious string that asks to enable active content in Office Doc",
            "last_hit_utc": "2025-01-05 15:03:48"
        }
    ],
    "105": [
        {
            "sample_cnt": 7839,
            "yara_rule_name": "BLOWFISH_Constants",
            "yara_rule_author": "phoul (@phoul)",
            "yara_rule_reference": null,
            "yara_rule_description": "Look for Blowfish constants",
            "last_hit_utc": "2026-04-27 04:44:22"
        }
    ],
    "106": [
        {
            "sample_cnt": 7800,
            "yara_rule_name": "INDICATOR_EXE_Packed_ConfuserEx",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with ConfuserEx Mod",
            "last_hit_utc": "2026-04-24 21:59:30"
        }
    ],
    "107": [
        {
            "sample_cnt": 7747,
            "yara_rule_name": "ach_Heodo_doc_20200820",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/c50bc529bbc36e68efcb389ebff74002/",
            "yara_rule_description": "Detects Heodo DOC",
            "last_hit_utc": "2022-10-12 17:48:33"
        }
    ],
    "108": [
        {
            "sample_cnt": 7528,
            "yara_rule_name": "identity_golang",
            "yara_rule_author": "Eric Yocam",
            "yara_rule_reference": null,
            "yara_rule_description": "find Golang malware",
            "last_hit_utc": "2026-04-27 17:45:00"
        }
    ],
    "109": [
        {
            "sample_cnt": 7442,
            "yara_rule_name": "DebuggerCheck__RemoteAPI",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 15:23:33"
        }
    ],
    "110": [
        {
            "sample_cnt": 7405,
            "yara_rule_name": "meth_stackstrings",
            "yara_rule_author": "Willi Ballenthin",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-08-27 08:46:45"
        }
    ],
    "111": [
        {
            "sample_cnt": 7062,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect executables with stomped PE compilation timestamp that is greater than local current time",
            "last_hit_utc": "2025-05-29 02:36:39"
        }
    ],
    "112": [
        {
            "sample_cnt": 7015,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Windows executables referencing non-Windows User-Agents",
            "last_hit_utc": "2026-04-27 16:04:58"
        }
    ],
    "113": [
        {
            "sample_cnt": 6931,
            "yara_rule_name": "Excel_Hidden_Macro_Sheet",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-02-21 12:27:07"
        }
    ],
    "114": [
        {
            "sample_cnt": 6859,
            "yara_rule_name": "ach_Quakbot_xls_20201020",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/25e2a60557c804d17479d8cac35c7098/",
            "yara_rule_description": "Detects Quakbot XLS",
            "last_hit_utc": "2020-12-16 19:07:03"
        }
    ],
    "115": [
        {
            "sample_cnt": 6852,
            "yara_rule_name": "SUSP_Office_Dropper_Strings",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Office droppers that include a notice to enable active content",
            "last_hit_utc": "2020-10-24 19:21:07"
        }
    ],
    "116": [
        {
            "sample_cnt": 6780,
            "yara_rule_name": "SUSP_MalDoc_ExcelMacro",
            "yara_rule_author": "@lazyactivist192",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-11-25 16:36:18"
        }
    ],
    "117": [
        {
            "sample_cnt": 6749,
            "yara_rule_name": "Mirai_Botnet_Malware",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Mirai Botnet Malware",
            "last_hit_utc": "2026-04-27 12:10:45"
        }
    ],
    "118": [
        {
            "sample_cnt": 6723,
            "yara_rule_name": "SUSP_Excel4Macro_AutoOpen",
            "yara_rule_author": "John Lambert @JohnLaTwC",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Excel4 macro use with auto open / close",
            "last_hit_utc": "2025-02-21 12:27:07"
        }
    ],
    "119": [
        {
            "sample_cnt": 6575,
            "yara_rule_name": "dridex_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:47:18"
        }
    ],
    "120": [
        {
            "sample_cnt": 6545,
            "yara_rule_name": "INDICATOR_EXE_Packed_GEN01",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect packed .NET executables. Mostly AgentTeslaV4.",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "121": [
        {
            "sample_cnt": 6493,
            "yara_rule_name": "win_agent_tesla_v1",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": null,
            "yara_rule_description": "detects Agent Tesla",
            "last_hit_utc": "2025-10-14 23:09:38"
        }
    ],
    "122": [
        {
            "sample_cnt": 6253,
            "yara_rule_name": "botnet_plaintext_c2",
            "yara_rule_author": "cip",
            "yara_rule_reference": null,
            "yara_rule_description": "Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.",
            "last_hit_utc": "2026-04-02 17:04:31"
        }
    ],
    "123": [
        {
            "sample_cnt": 6181,
            "yara_rule_name": "telebot_framework",
            "yara_rule_author": "vietdx.mb",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:04"
        }
    ],
    "124": [
        {
            "sample_cnt": 6063,
            "yara_rule_name": "myMirai",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Mirai",
            "last_hit_utc": "2022-11-26 13:52:04"
        }
    ],
    "125": [
        {
            "sample_cnt": 6059,
            "yara_rule_name": "Linux_Trojan_Mirai_cc93863b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:52:29"
        }
    ],
    "126": [
        {
            "sample_cnt": 6016,
            "yara_rule_name": "yara_template",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-22 19:28:28"
        }
    ],
    "127": [
        {
            "sample_cnt": 5886,
            "yara_rule_name": "MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ELF malware Mirai related",
            "last_hit_utc": "2026-04-24 09:28:33"
        }
    ],
    "128": [
        {
            "sample_cnt": 5877,
            "yara_rule_name": "AgentTeslaV3",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "AgentTeslaV3 infostealer payload",
            "last_hit_utc": "2026-04-27 15:22:47"
        }
    ],
    "129": [
        {
            "sample_cnt": 5874,
            "yara_rule_name": "DetectGoMethodSignatures",
            "yara_rule_author": "Wyatt Tauber",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Go method signatures in unpacked Go binaries",
            "last_hit_utc": "2026-04-27 17:44:58"
        }
    ],
    "130": [
        {
            "sample_cnt": 5755,
            "yara_rule_name": "SUSP_RANSOMWARE_Indicator_Jul20_RID31A2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
            "yara_rule_description": "Detects ransomware indicator",
            "last_hit_utc": "2026-04-15 11:33:59"
        }
    ],
    "131": [
        {
            "sample_cnt": 5702,
            "yara_rule_name": "RansomPyShield_Antiransomware",
            "yara_rule_author": "XiAnzheng",
            "yara_rule_reference": null,
            "yara_rule_description": "Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)",
            "last_hit_utc": "2026-04-22 17:54:14"
        }
    ],
    "132": [
        {
            "sample_cnt": 5693,
            "yara_rule_name": "with_sqlite",
            "yara_rule_author": "Julian J. Gonzalez <info@seguridadparatodos.es>",
            "yara_rule_reference": "http://www.st2labs.com",
            "yara_rule_description": "Rule to detect the presence of SQLite data in raw image",
            "last_hit_utc": "2025-05-07 11:20:27"
        }
    ],
    "133": [
        {
            "sample_cnt": 5657,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_Binary_References_Browsers",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.",
            "last_hit_utc": "2024-03-10 22:32:05"
        }
    ],
    "134": [
        {
            "sample_cnt": 5646,
            "yara_rule_name": "MALWARE_Win_AgentTeslaV3",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "AgentTeslaV3 infostealer payload",
            "last_hit_utc": "2025-09-30 09:25:33"
        }
    ],
    "135": [
        {
            "sample_cnt": 5625,
            "yara_rule_name": "ProgramLanguage_Golang",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": "Application written in Golang programming language",
            "last_hit_utc": "2026-04-27 17:45:00"
        }
    ],
    "136": [
        {
            "sample_cnt": 5622,
            "yara_rule_name": "malware_Agenttesla_type2",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Agenttesla in memory",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "137": [
        {
            "sample_cnt": 5603,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing Windows vault credential objects. Observed in infostealers",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "138": [
        {
            "sample_cnt": 5598,
            "yara_rule_name": "Linux_Gafgyt_Generic_A",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic Approach to Mirai/Gafgyt samples",
            "last_hit_utc": "2025-06-16 15:28:40"
        }
    ],
    "139": [
        {
            "sample_cnt": 5497,
            "yara_rule_name": "SUSP_RANSOMWARE_Indicator_Jul20",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
            "yara_rule_description": "Detects ransomware indicator",
            "last_hit_utc": "2025-01-05 15:15:16"
        }
    ],
    "140": [
        {
            "sample_cnt": 5477,
            "yara_rule_name": "win_gandcrab_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.gandcrab.",
            "last_hit_utc": "2022-10-17 09:03:04"
        }
    ],
    "141": [
        {
            "sample_cnt": 5474,
            "yara_rule_name": "MAL_Envrial_Jan18_1_RID2D8C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/953313514629853184",
            "yara_rule_description": "Detects Encrial credential stealer malware",
            "last_hit_utc": "2026-04-27 05:40:44"
        }
    ],
    "142": [
        {
            "sample_cnt": 5451,
            "yara_rule_name": "suspicious_packer_section",
            "yara_rule_author": "@j0sm1",
            "yara_rule_reference": "http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/",
            "yara_rule_description": "The packer/protector section names/keywords",
            "last_hit_utc": "2025-12-01 20:35:14"
        }
    ],
    "143": [
        {
            "sample_cnt": 5426,
            "yara_rule_name": "UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 14:17:29"
        }
    ],
    "144": [
        {
            "sample_cnt": 5425,
            "yara_rule_name": "Gandcrab",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Gandcrab Payload",
            "last_hit_utc": "2022-10-17 09:03:04"
        }
    ],
    "145": [
        {
            "sample_cnt": 5349,
            "yara_rule_name": "Linux_Trojan_Mirai_88de437f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:52:28"
        }
    ],
    "146": [
        {
            "sample_cnt": 5261,
            "yara_rule_name": "CVE_2017_17215",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects exploitation attempt of CVE-2017-17215",
            "last_hit_utc": "2026-04-26 23:43:25"
        }
    ],
    "147": [
        {
            "sample_cnt": 5217,
            "yara_rule_name": "Chrome_stealer_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "Chrome in files like avemaria",
            "last_hit_utc": "2024-06-13 01:50:03"
        }
    ],
    "148": [
        {
            "sample_cnt": 5176,
            "yara_rule_name": "DebuggerHiding__Active",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 10:41:27"
        }
    ],
    "149": [
        {
            "sample_cnt": 5169,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect executables with stomped PE compilation timestamp that is greater than local current time",
            "last_hit_utc": "2025-08-25 10:09:55"
        }
    ],
    "150": [
        {
            "sample_cnt": 5168,
            "yara_rule_name": "ach_Quakbot_xlsx_20201029",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/7b8ec5526efe4a373f8da08c8d722f4c/",
            "yara_rule_description": "Detects Quakbot XLS",
            "last_hit_utc": "2020-10-30 17:54:33"
        }
    ],
    "151": [
        {
            "sample_cnt": 5160,
            "yara_rule_name": "SUSP_XORed_URL_in_EXE_RID2E46",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/stvemillertime/status/1237035794973560834",
            "yara_rule_description": "Detects an XORed URL in an executable",
            "last_hit_utc": "2026-04-27 10:40:34"
        }
    ],
    "152": [
        {
            "sample_cnt": 5092,
            "yara_rule_name": "Golangmalware",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": null,
            "yara_rule_description": "Malware in Golang",
            "last_hit_utc": "2026-04-27 11:07:29"
        }
    ],
    "153": [
        {
            "sample_cnt": 5092,
            "yara_rule_name": "HiveRansomware",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule To Detect Hive V4 Ransomware",
            "last_hit_utc": "2026-04-27 11:07:30"
        }
    ],
    "154": [
        {
            "sample_cnt": 5070,
            "yara_rule_name": "DebuggerException__ConsoleCtrl",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 18:00:01"
        }
    ],
    "155": [
        {
            "sample_cnt": 5040,
            "yara_rule_name": "DebuggerHiding__Thread",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:29:43"
        }
    ],
    "156": [
        {
            "sample_cnt": 5032,
            "yara_rule_name": "upxHook",
            "yara_rule_author": "@r3dbU7z",
            "yara_rule_reference": "https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/",
            "yara_rule_description": "Detect artifacts from 'upxHook' - modification of UPX packer",
            "last_hit_utc": "2026-04-26 23:30:29"
        }
    ],
    "157": [
        {
            "sample_cnt": 5009,
            "yara_rule_name": "Mal_LNX_Gafgyt_Botnet_ELF",
            "yara_rule_author": "Phatcharadol Thangplub",
            "yara_rule_reference": null,
            "yara_rule_description": "Use to detect Gafgyt botnet, and there variants.",
            "last_hit_utc": "2026-04-26 16:47:36"
        }
    ],
    "158": [
        {
            "sample_cnt": 4992,
            "yara_rule_name": "SUSP_XORed_Mozilla",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious XORed keyword - Mozilla/5.0",
            "last_hit_utc": "2025-01-05 14:57:16"
        }
    ],
    "159": [
        {
            "sample_cnt": 4965,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_TelegramChatBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables using Telegram Chat Bot",
            "last_hit_utc": "2026-04-27 05:40:44"
        }
    ],
    "160": [
        {
            "sample_cnt": 4925,
            "yara_rule_name": "TH_Generic_MassHunt_Linux_Malware_2026_CYFARE",
            "yara_rule_author": "CYFARE",
            "yara_rule_reference": "https://cyfare.net/",
            "yara_rule_description": "Generic Linux malware mass-hunt rule - 2026",
            "last_hit_utc": "2026-04-27 19:11:50"
        }
    ],
    "161": [
        {
            "sample_cnt": 4884,
            "yara_rule_name": "Linux_Trojan_Mirai_8aa7b5d3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:52:28"
        }
    ],
    "162": [
        {
            "sample_cnt": 4884,
            "yara_rule_name": "redline_stealer_1",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "RedLine Stealer Payload",
            "last_hit_utc": "2026-04-08 01:32:26"
        }
    ],
    "163": [
        {
            "sample_cnt": 4870,
            "yara_rule_name": "golang_duffcopy_amd64",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 11:09:28"
        }
    ],
    "164": [
        {
            "sample_cnt": 4790,
            "yara_rule_name": "MALWARE_Win_AgentTeslaV3",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "AgentTeslaV3 infostealer payload",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "165": [
        {
            "sample_cnt": 4782,
            "yara_rule_name": "Keylog_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "Contains Keylog",
            "last_hit_utc": "2025-12-01 20:35:14"
        }
    ],
    "166": [
        {
            "sample_cnt": 4722,
            "yara_rule_name": "Lokibot",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Lokibot in memory",
            "last_hit_utc": "2026-04-23 02:11:49"
        }
    ],
    "167": [
        {
            "sample_cnt": 4699,
            "yara_rule_name": "SUSP_ELF_LNX_UPX_Compressed_File",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious ELF binary with UPX compression",
            "last_hit_utc": "2025-01-05 15:35:42"
        }
    ],
    "168": [
        {
            "sample_cnt": 4672,
            "yara_rule_name": "AgentTesla_DIFF_Common_Strings_01",
            "yara_rule_author": "schmidtsz",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify partial Agent Tesla strings",
            "last_hit_utc": "2026-04-23 06:41:33"
        }
    ],
    "169": [
        {
            "sample_cnt": 4538,
            "yara_rule_name": "SUSP_DOTNET_PE_List_AV",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detecs .NET Binary that lists installed AVs",
            "last_hit_utc": "2026-04-27 15:22:45"
        }
    ],
    "170": [
        {
            "sample_cnt": 4514,
            "yara_rule_name": "MAL_ARM_LNX_Mirai_Mar13_2022",
            "yara_rule_author": "Mehmet Ali Kerimoglu a.k.a. CYB3RMX",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects new ARM Mirai variant",
            "last_hit_utc": "2026-04-27 12:08:32"
        }
    ],
    "171": [
        {
            "sample_cnt": 4500,
            "yara_rule_name": "meth_get_eip",
            "yara_rule_author": "Willi Ballenthin",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-12-10 20:34:12"
        }
    ],
    "172": [
        {
            "sample_cnt": 4442,
            "yara_rule_name": "malware_shellcode_hash",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "detect shellcode api hash value",
            "last_hit_utc": "2026-04-27 04:44:32"
        }
    ],
    "173": [
        {
            "sample_cnt": 4441,
            "yara_rule_name": "Linux_Trojan_Gafgyt_d4227dbf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:15"
        }
    ],
    "174": [
        {
            "sample_cnt": 4431,
            "yara_rule_name": "Linux_Trojan_Gafgyt_620087b9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:14"
        }
    ],
    "175": [
        {
            "sample_cnt": 4430,
            "yara_rule_name": "Linux_Trojan_Gafgyt_33b4111a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:14"
        }
    ],
    "176": [
        {
            "sample_cnt": 4419,
            "yara_rule_name": "Linux_Trojan_Gafgyt_9e9530a7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:14"
        }
    ],
    "177": [
        {
            "sample_cnt": 4402,
            "yara_rule_name": "Linux_Shellscript_Downloader",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic Approach to Shellscript downloaders",
            "last_hit_utc": "2026-04-27 19:11:01"
        }
    ],
    "178": [
        {
            "sample_cnt": 4402,
            "yara_rule_name": "Linux_Trojan_Mirai_389ee3e9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:52:28"
        }
    ],
    "179": [
        {
            "sample_cnt": 4371,
            "yara_rule_name": "Linux_Trojan_Mirai_b14f4c5d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:52:28"
        }
    ],
    "180": [
        {
            "sample_cnt": 4358,
            "yara_rule_name": "Njrat",
            "yara_rule_author": "botherder https://github.com/botherder",
            "yara_rule_reference": null,
            "yara_rule_description": "Njrat",
            "last_hit_utc": "2026-04-27 15:22:45"
        }
    ],
    "181": [
        {
            "sample_cnt": 4256,
            "yara_rule_name": "Codoso_Gh0st_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT Gh0st Malware",
            "last_hit_utc": "2025-01-05 15:19:35"
        }
    ],
    "182": [
        {
            "sample_cnt": 4207,
            "yara_rule_name": "informational_win_ole_protected",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify OLE Project protection within documents.",
            "last_hit_utc": "2026-04-27 14:36:31"
        }
    ],
    "183": [
        {
            "sample_cnt": 4195,
            "yara_rule_name": "SUSP_XORed_Mozilla",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()",
            "yara_rule_description": "Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.",
            "last_hit_utc": "2025-01-05 17:35:35"
        }
    ],
    "184": [
        {
            "sample_cnt": 4189,
            "yara_rule_name": "Windows_Trojan_AgentTesla_ebf431a8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 15:23:26"
        }
    ],
    "185": [
        {
            "sample_cnt": 4187,
            "yara_rule_name": "Linux_Generic_Threat_8299c877",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:08:32"
        }
    ],
    "186": [
        {
            "sample_cnt": 4151,
            "yara_rule_name": "RDPWrap",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://github.com/stascorp/rdpwrap",
            "yara_rule_description": "Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.",
            "last_hit_utc": "2026-04-17 18:46:04"
        }
    ],
    "187": [
        {
            "sample_cnt": 4135,
            "yara_rule_name": "Windows_Trojan_SnakeKeylogger_af3faa65",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 05:40:45"
        }
    ],
    "188": [
        {
            "sample_cnt": 4125,
            "yara_rule_name": "malwareelf55503",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:34:20"
        }
    ],
    "189": [
        {
            "sample_cnt": 4096,
            "yara_rule_name": "IceID_Bank_trojan",
            "yara_rule_author": "unixfreaxjp",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects IcedID..adjusted several times",
            "last_hit_utc": "2025-02-21 21:49:14"
        }
    ],
    "190": [
        {
            "sample_cnt": 4052,
            "yara_rule_name": "QbotStuff",
            "yara_rule_author": "anonymous",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-22 19:28:28"
        }
    ],
    "191": [
        {
            "sample_cnt": 4028,
            "yara_rule_name": "Linux_Trojan_Gafgyt_807911a2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:14"
        }
    ],
    "192": [
        {
            "sample_cnt": 4025,
            "yara_rule_name": "Ping_Del_method_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "cmd ping IP nul del",
            "last_hit_utc": "2025-08-14 10:22:13"
        }
    ],
    "193": [
        {
            "sample_cnt": 4024,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing SQL queries to confidential data stores. Observed in infostealers",
            "last_hit_utc": "2026-04-26 19:33:25"
        }
    ],
    "194": [
        {
            "sample_cnt": 4021,
            "yara_rule_name": "MAL_ELF_LNX_Mirai_Oct10_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ELF malware Mirai related",
            "last_hit_utc": "2026-04-24 09:28:33"
        }
    ],
    "195": [
        {
            "sample_cnt": 4020,
            "yara_rule_name": "Qbot",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule to Detect Qbot",
            "last_hit_utc": "2025-02-21 12:27:07"
        }
    ],
    "196": [
        {
            "sample_cnt": 4012,
            "yara_rule_name": "REMCOS_RAT_variants",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 17:52:43"
        }
    ],
    "197": [
        {
            "sample_cnt": 3883,
            "yara_rule_name": "MAL_Envrial_Jan18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/953313514629853184",
            "yara_rule_description": "Detects Encrial credential stealer malware",
            "last_hit_utc": "2026-04-27 05:40:44"
        }
    ],
    "198": [
        {
            "sample_cnt": 3868,
            "yara_rule_name": "malware_shellcode_hash",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "detect shellcode api hash value",
            "last_hit_utc": "2023-11-26 10:38:06"
        }
    ],
    "199": [
        {
            "sample_cnt": 3867,
            "yara_rule_name": "WHIRLPOOL_Constants",
            "yara_rule_author": "phoul (@phoul)",
            "yara_rule_reference": null,
            "yara_rule_description": "Look for WhirlPool constants",
            "last_hit_utc": "2026-04-26 23:30:29"
        }
    ],
    "200": [
        {
            "sample_cnt": 3775,
            "yara_rule_name": "ReflectiveLoader",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended",
            "last_hit_utc": "2025-01-05 15:26:03"
        }
    ],
    "201": [
        {
            "sample_cnt": 3751,
            "yara_rule_name": "crime_win64_emotet_unpacked",
            "yara_rule_author": "Rony (r0ny_123)",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-01-19 18:51:15"
        }
    ],
    "202": [
        {
            "sample_cnt": 3733,
            "yara_rule_name": "Linux_Trojan_Gafgyt_d996d335",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:15"
        }
    ],
    "203": [
        {
            "sample_cnt": 3731,
            "yara_rule_name": "AgentTeslaV3",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "AgentTeslaV3 infostealer payload",
            "last_hit_utc": "2025-09-30 09:25:33"
        }
    ],
    "204": [
        {
            "sample_cnt": 3730,
            "yara_rule_name": "detect_powershell",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious PowerShell activity related to malware execution",
            "last_hit_utc": "2026-04-27 16:04:55"
        }
    ],
    "205": [
        {
            "sample_cnt": 3727,
            "yara_rule_name": "win_agent_tesla_v1",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": "",
            "yara_rule_description": "detects Agent Tesla",
            "last_hit_utc": "2025-09-30 09:25:33"
        }
    ],
    "206": [
        {
            "sample_cnt": 3707,
            "yara_rule_name": "SUSP_Imphash_Mar23_3",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits",
            "last_hit_utc": "2026-04-23 20:44:25"
        }
    ],
    "207": [
        {
            "sample_cnt": 3672,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_ReflectiveLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects Reflective DLL injection artifacts",
            "last_hit_utc": "2023-06-29 20:36:03"
        }
    ],
    "208": [
        {
            "sample_cnt": 3670,
            "yara_rule_name": "telegram_bot_api",
            "yara_rule_author": "rectifyq",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects file containing Telegram Bot API",
            "last_hit_utc": "2026-04-27 05:40:44"
        }
    ],
    "209": [
        {
            "sample_cnt": 3630,
            "yara_rule_name": "win_lokipws_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-05-07 11:20:27"
        }
    ],
    "210": [
        {
            "sample_cnt": 3607,
            "yara_rule_name": "AgentTeslaV5",
            "yara_rule_author": "ClaudioWayne",
            "yara_rule_reference": null,
            "yara_rule_description": "AgentTeslaV5 infostealer payload",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "211": [
        {
            "sample_cnt": 3604,
            "yara_rule_name": "ldpreload",
            "yara_rule_author": "xorseed",
            "yara_rule_reference": "https://stuff.rop.io/",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:34:20"
        }
    ],
    "212": [
        {
            "sample_cnt": 3590,
            "yara_rule_name": "Emotet",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Emotet Payload",
            "last_hit_utc": "2023-01-19 18:59:13"
        }
    ],
    "213": [
        {
            "sample_cnt": 3573,
            "yara_rule_name": "VECT_Ransomware",
            "yara_rule_author": "Mustafa Bakhit",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.",
            "last_hit_utc": "2026-04-27 18:00:06"
        }
    ],
    "214": [
        {
            "sample_cnt": 3488,
            "yara_rule_name": "Nanocore_RAT_Gen_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
            "yara_rule_description": "Detetcs the Nanocore RAT",
            "last_hit_utc": "2025-05-10 18:38:10"
        }
    ],
    "215": [
        {
            "sample_cnt": 3481,
            "yara_rule_name": "Microsoft_XLSX_with_Macrosheet",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 10:56:03"
        }
    ],
    "216": [
        {
            "sample_cnt": 3467,
            "yara_rule_name": "Detect_Go_GOMAXPROCS",
            "yara_rule_author": "Obscurity Labs LLC",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata",
            "last_hit_utc": "2026-04-27 17:44:57"
        }
    ],
    "217": [
        {
            "sample_cnt": 3463,
            "yara_rule_name": "Nanocore_RAT_Feb18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - T2T",
            "yara_rule_description": "Detects Nanocore RAT",
            "last_hit_utc": "2025-05-10 18:38:10"
        }
    ],
    "218": [
        {
            "sample_cnt": 3461,
            "yara_rule_name": "upx_largefile",
            "yara_rule_author": "k3nr9",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 14:17:29"
        }
    ],
    "219": [
        {
            "sample_cnt": 3403,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_DotNetProcHook",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables with potential process hoocking",
            "last_hit_utc": "2026-04-27 05:40:44"
        }
    ],
    "220": [
        {
            "sample_cnt": 3367,
            "yara_rule_name": "INDICATOR_RTF_MalVer_Objects",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.",
            "last_hit_utc": "2025-11-20 13:47:26"
        }
    ],
    "221": [
        {
            "sample_cnt": 3318,
            "yara_rule_name": "BobSoftMiniDelphiBoBBobSoft",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 05:00:45"
        }
    ],
    "222": [
        {
            "sample_cnt": 3315,
            "yara_rule_name": "Linux_Gafgyt_Generic",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic Approach to Mirai/Gafgyt samples",
            "last_hit_utc": "2026-04-26 16:47:35"
        }
    ],
    "223": [
        {
            "sample_cnt": 3295,
            "yara_rule_name": "win_gcleaner_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.gcleaner.",
            "last_hit_utc": "2025-05-11 02:34:14"
        }
    ],
    "224": [
        {
            "sample_cnt": 3243,
            "yara_rule_name": "grakate_stealer_nov_2021",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 06:27:39"
        }
    ],
    "225": [
        {
            "sample_cnt": 3204,
            "yara_rule_name": "MAL_Malware_Imphash_Mar23_1",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://yaraify.abuse.ch/statistics/",
            "yara_rule_description": "Detects malware by known bad imphash or rich_pe_header_hash",
            "last_hit_utc": "2026-04-27 14:17:28"
        }
    ],
    "226": [
        {
            "sample_cnt": 3165,
            "yara_rule_name": "Nanocore",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Nanocore in memory",
            "last_hit_utc": "2026-04-27 16:01:03"
        }
    ],
    "227": [
        {
            "sample_cnt": 3155,
            "yara_rule_name": "Linux_Trojan_Gafgyt_0cd591cd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:14"
        }
    ],
    "228": [
        {
            "sample_cnt": 3155,
            "yara_rule_name": "Linux_Trojan_Gafgyt_a33a8363",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:15"
        }
    ],
    "229": [
        {
            "sample_cnt": 3144,
            "yara_rule_name": "win_heodo",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-01-19 18:46:14"
        }
    ],
    "230": [
        {
            "sample_cnt": 3125,
            "yara_rule_name": "Linux_Generic_Threat_3bcc1630",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 23:43:25"
        }
    ],
    "231": [
        {
            "sample_cnt": 3063,
            "yara_rule_name": "MAL_ELF_LNX_Mirai_Oct10_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ELF Mirai variant",
            "last_hit_utc": "2026-04-26 23:43:25"
        }
    ],
    "232": [
        {
            "sample_cnt": 3028,
            "yara_rule_name": "SEH__vba",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 07:08:42"
        }
    ],
    "233": [
        {
            "sample_cnt": 3022,
            "yara_rule_name": "ach_NanoCore",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/a5b86db98044c4e68a3f15043e12f108/",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 16:01:02"
        }
    ],
    "234": [
        {
            "sample_cnt": 3000,
            "yara_rule_name": "win_asyncrat_w0",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect AsyncRat in memory",
            "last_hit_utc": "2026-04-27 04:44:25"
        }
    ],
    "235": [
        {
            "sample_cnt": 2988,
            "yara_rule_name": "crime_snake_keylogger",
            "yara_rule_author": "Rony (r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Snake keylogger payload",
            "last_hit_utc": "2026-04-27 05:40:43"
        }
    ],
    "236": [
        {
            "sample_cnt": 2973,
            "yara_rule_name": "DebuggerCheck__GlobalFlags",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:56:34"
        }
    ],
    "237": [
        {
            "sample_cnt": 2951,
            "yara_rule_name": "Lumma_Stealer_Detection",
            "yara_rule_author": "ashizZz",
            "yara_rule_reference": "https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/",
            "yara_rule_description": "Detects a specific Lumma Stealer malware sample using unique strings and behaviors",
            "last_hit_utc": "2026-04-27 04:44:23"
        }
    ],
    "238": [
        {
            "sample_cnt": 2932,
            "yara_rule_name": "dgaagas",
            "yara_rule_author": "Harshit",
            "yara_rule_reference": null,
            "yara_rule_description": "Uses certutil.exe to download a file named test.txt",
            "last_hit_utc": "2026-04-27 10:40:34"
        }
    ],
    "239": [
        {
            "sample_cnt": 2929,
            "yara_rule_name": "ave_maria_warzone_rat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 08:46:22"
        }
    ],
    "240": [
        {
            "sample_cnt": 2922,
            "yara_rule_name": "MALWARE_Win_AsyncRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AsyncRAT",
            "last_hit_utc": "2026-04-27 16:04:59"
        }
    ],
    "241": [
        {
            "sample_cnt": 2916,
            "yara_rule_name": "SUSP_XORed_URL_in_EXE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/stvemillertime/status/1237035794973560834",
            "yara_rule_description": "Detects an XORed URL in an executable",
            "last_hit_utc": "2025-01-05 15:36:01"
        }
    ],
    "242": [
        {
            "sample_cnt": 2901,
            "yara_rule_name": "MALWARE_Win_SnakeKeylogger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Snake Keylogger",
            "last_hit_utc": "2026-04-21 10:55:37"
        }
    ],
    "243": [
        {
            "sample_cnt": 2892,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
            "last_hit_utc": "2026-04-23 17:18:34"
        }
    ],
    "244": [
        {
            "sample_cnt": 2875,
            "yara_rule_name": "PureCrypter",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter",
            "yara_rule_description": "Identifies PureCrypter, .NET loader and obfuscator.",
            "last_hit_utc": "2026-04-27 12:56:28"
        }
    ],
    "245": [
        {
            "sample_cnt": 2864,
            "yara_rule_name": "Detect_Malicious_VBScript_Base64",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.",
            "last_hit_utc": "2025-01-03 21:09:05"
        }
    ],
    "246": [
        {
            "sample_cnt": 2861,
            "yara_rule_name": "SelfExtractingRAR",
            "yara_rule_author": "Xavier Mertens",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects an SFX archive with automatic script execution",
            "last_hit_utc": "2026-04-27 04:44:26"
        }
    ],
    "247": [
        {
            "sample_cnt": 2858,
            "yara_rule_name": "Linux_Trojan_Mirai_0bce98a2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 10:47:24"
        }
    ],
    "248": [
        {
            "sample_cnt": 2850,
            "yara_rule_name": "MAL_Envrial_Jan18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/953313514629853184",
            "yara_rule_description": "Detects Encrial credential stealer malware",
            "last_hit_utc": "2025-01-05 15:31:12"
        }
    ],
    "249": [
        {
            "sample_cnt": 2840,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features",
            "last_hit_utc": "2025-01-05 16:55:43"
        }
    ],
    "250": [
        {
            "sample_cnt": 2831,
            "yara_rule_name": "Prometei_Main",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei",
            "yara_rule_description": "Identifies Prometei botnet main modules.",
            "last_hit_utc": "2026-04-22 20:38:23"
        }
    ],
    "251": [
        {
            "sample_cnt": 2829,
            "yara_rule_name": "Golang_Find_CSC846_Simple",
            "yara_rule_author": "Ashar Siddiqui",
            "yara_rule_reference": null,
            "yara_rule_description": "Find Go Signatuers",
            "last_hit_utc": "2026-04-27 17:44:59"
        }
    ],
    "252": [
        {
            "sample_cnt": 2819,
            "yara_rule_name": "reverse_http",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify strings with http reversed (ptth)",
            "last_hit_utc": "2026-04-26 14:30:43"
        }
    ],
    "253": [
        {
            "sample_cnt": 2815,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.",
            "last_hit_utc": "2026-04-27 04:46:22"
        }
    ],
    "254": [
        {
            "sample_cnt": 2805,
            "yara_rule_name": "Remcos",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Remcos Payload",
            "last_hit_utc": "2026-04-24 17:52:43"
        }
    ],
    "255": [
        {
            "sample_cnt": 2800,
            "yara_rule_name": "win_remcos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.remcos.",
            "last_hit_utc": "2026-04-24 17:52:43"
        }
    ],
    "256": [
        {
            "sample_cnt": 2790,
            "yara_rule_name": "STEALER_Lokibot",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect Lokibot stealer",
            "last_hit_utc": "2026-04-23 02:11:50"
        }
    ],
    "257": [
        {
            "sample_cnt": 2783,
            "yara_rule_name": "Windows_Trojan_Smokeloader_3687686f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 15:00:51"
        }
    ],
    "258": [
        {
            "sample_cnt": 2777,
            "yara_rule_name": "Linux_Mirai_Generic",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic Approach to Mirai/Gafgyt samples",
            "last_hit_utc": "2026-04-22 06:38:33"
        }
    ],
    "259": [
        {
            "sample_cnt": 2765,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_GENInfoStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing common artifcats observed in infostealers",
            "last_hit_utc": "2024-03-10 22:32:05"
        }
    ],
    "260": [
        {
            "sample_cnt": 2759,
            "yara_rule_name": "SUSP_XORed_URL_In_EXE",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/stvemillertime/status/1237035794973560834",
            "yara_rule_description": "Detects an XORed URL in an executable",
            "last_hit_utc": "2026-04-27 10:40:34"
        }
    ],
    "261": [
        {
            "sample_cnt": 2751,
            "yara_rule_name": "Linux_Generic_Threat_d2dca9e7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:10:46"
        }
    ],
    "262": [
        {
            "sample_cnt": 2738,
            "yara_rule_name": "masslogger_gcch",
            "yara_rule_author": "govcert_ch",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 05:40:44"
        }
    ],
    "263": [
        {
            "sample_cnt": 2725,
            "yara_rule_name": "HeavensGate",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Heaven's Gate: Switch from 32-bit to 64-mode",
            "last_hit_utc": "2026-04-26 03:12:41"
        }
    ],
    "264": [
        {
            "sample_cnt": 2724,
            "yara_rule_name": "maldoc_OLE_file_magic_number",
            "yara_rule_author": "Didier Stevens (https://DidierStevens.com)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-24 07:14:27"
        }
    ],
    "265": [
        {
            "sample_cnt": 2717,
            "yara_rule_name": "ach_202503_elf_Mirai",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Mirai 'TSource' ELF files",
            "last_hit_utc": "2026-04-27 07:02:38"
        }
    ],
    "266": [
        {
            "sample_cnt": 2708,
            "yara_rule_name": "SUSP_INDICATOR_RTF_MalVer_Objects",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "https://github.com/ditekshen/detection",
            "yara_rule_description": "Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.",
            "last_hit_utc": "2026-04-26 15:15:40"
        }
    ],
    "267": [
        {
            "sample_cnt": 2692,
            "yara_rule_name": "test_Malaysia",
            "yara_rule_author": "rectifyq",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects file containing malaysia string",
            "last_hit_utc": "2026-04-27 18:00:05"
        }
    ],
    "268": [
        {
            "sample_cnt": 2685,
            "yara_rule_name": "DotNet_Reactor",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.",
            "last_hit_utc": "2026-04-27 12:56:28"
        }
    ],
    "269": [
        {
            "sample_cnt": 2684,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many file transfer clients. Observed in information stealers",
            "last_hit_utc": "2024-03-10 22:32:05"
        }
    ],
    "270": [
        {
            "sample_cnt": 2682,
            "yara_rule_name": "enterpriseapps2",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": "",
            "yara_rule_description": "Enterprise apps",
            "last_hit_utc": "2022-11-23 19:38:03"
        }
    ],
    "271": [
        {
            "sample_cnt": 2653,
            "yara_rule_name": "enterpriseunix2",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Enterprise UNIX",
            "last_hit_utc": "2026-04-27 10:25:39"
        }
    ],
    "272": [
        {
            "sample_cnt": 2585,
            "yara_rule_name": "win_nanocore_w0",
            "yara_rule_author": " Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-13 23:36:25"
        }
    ],
    "273": [
        {
            "sample_cnt": 2563,
            "yara_rule_name": "Golang_Find_CSC846",
            "yara_rule_author": "Ashar Siddiqui",
            "yara_rule_reference": null,
            "yara_rule_description": "Find Go Signatuers",
            "last_hit_utc": "2026-04-27 17:44:59"
        }
    ],
    "274": [
        {
            "sample_cnt": 2540,
            "yara_rule_name": "Detect_NSIS_Nullsoft_Installer",
            "yara_rule_author": "Obscurity Labs LLC",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NSIS installers by .ndata section + NSIS header string",
            "last_hit_utc": "2026-04-27 11:33:26"
        }
    ],
    "275": [
        {
            "sample_cnt": 2528,
            "yara_rule_name": "infostealer_loki",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 02:12:33"
        }
    ],
    "276": [
        {
            "sample_cnt": 2510,
            "yara_rule_name": "Windows_Generic_Threat_9f4a80b2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 15:22:47"
        }
    ],
    "277": [
        {
            "sample_cnt": 2509,
            "yara_rule_name": "infostealer_xor_patterns",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.",
            "last_hit_utc": "2024-03-10 22:32:04"
        }
    ],
    "278": [
        {
            "sample_cnt": 2509,
            "yara_rule_name": "STEALER_Lokibot",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule to detect Lokibot stealer",
            "last_hit_utc": "2024-03-10 22:32:05"
        }
    ],
    "279": [
        {
            "sample_cnt": 2508,
            "yara_rule_name": "infostealer_loki",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2024-03-10 22:32:04"
        }
    ],
    "280": [
        {
            "sample_cnt": 2508,
            "yara_rule_name": "Loki",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Loki Payload",
            "last_hit_utc": "2024-03-10 22:32:04"
        }
    ],
    "281": [
        {
            "sample_cnt": 2507,
            "yara_rule_name": "win_lokipws_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.lokipws.",
            "last_hit_utc": "2024-03-10 22:32:04"
        }
    ],
    "282": [
        {
            "sample_cnt": 2503,
            "yara_rule_name": "Loki",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Loki Payload",
            "last_hit_utc": "2026-04-23 02:11:49"
        }
    ],
    "283": [
        {
            "sample_cnt": 2502,
            "yara_rule_name": "infostealer_xor_patterns",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.",
            "last_hit_utc": "2026-04-23 02:11:49"
        }
    ],
    "284": [
        {
            "sample_cnt": 2484,
            "yara_rule_name": "Linux_Gafgyt_May_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Gafgyt",
            "last_hit_utc": "2025-01-05 17:36:07"
        }
    ],
    "285": [
        {
            "sample_cnt": 2476,
            "yara_rule_name": "malware_Lokibot_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Lokibot in memory",
            "last_hit_utc": "2026-04-23 02:11:50"
        }
    ],
    "286": [
        {
            "sample_cnt": 2476,
            "yara_rule_name": "MALWARE_Win_XWorm",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects XWorm",
            "last_hit_utc": "2026-04-27 15:22:45"
        }
    ],
    "287": [
        {
            "sample_cnt": 2462,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "288": [
        {
            "sample_cnt": 2454,
            "yara_rule_name": "meth_peb_parsing",
            "yara_rule_author": "Willi Ballenthin",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 08:15:52"
        }
    ],
    "289": [
        {
            "sample_cnt": 2434,
            "yara_rule_name": "Linux_Trojan_Mirai_e0cf29e2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:15"
        }
    ],
    "290": [
        {
            "sample_cnt": 2433,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many email and collaboration clients. Observed in information stealers",
            "last_hit_utc": "2023-04-05 14:02:02"
        }
    ],
    "291": [
        {
            "sample_cnt": 2423,
            "yara_rule_name": "win_qakbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-21 20:34:14"
        }
    ],
    "292": [
        {
            "sample_cnt": 2371,
            "yara_rule_name": "QakBot",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "QakBot Payload",
            "last_hit_utc": "2023-11-28 09:24:57"
        }
    ],
    "293": [
        {
            "sample_cnt": 2338,
            "yara_rule_name": "Embedded_PE",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-24 07:51:44"
        }
    ],
    "294": [
        {
            "sample_cnt": 2327,
            "yara_rule_name": "exploit_any_poppopret",
            "yara_rule_author": "Jeff White [karttoon@gmail.com] @noottrak",
            "yara_rule_reference": "",
            "yara_rule_description": "Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.",
            "last_hit_utc": "2022-10-08 11:56:40"
        }
    ],
    "295": [
        {
            "sample_cnt": 2327,
            "yara_rule_name": "MAL_QuasarRAT_May19_1_RID2E1E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
            "yara_rule_description": "Detects QuasarRAT malware",
            "last_hit_utc": "2026-04-27 04:44:23"
        }
    ],
    "296": [
        {
            "sample_cnt": 2299,
            "yara_rule_name": "win_remcos_w0",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects strings present in remcos rat Samples.",
            "last_hit_utc": "2026-04-24 17:52:43"
        }
    ],
    "297": [
        {
            "sample_cnt": 2289,
            "yara_rule_name": "Linux_Trojan_Mirai_ae9d0fa6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:52:28"
        }
    ],
    "298": [
        {
            "sample_cnt": 2284,
            "yara_rule_name": "yarahub_win_remcos_rat_unpacked_aug_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 17:52:43"
        }
    ],
    "299": [
        {
            "sample_cnt": 2283,
            "yara_rule_name": "with_urls",
            "yara_rule_author": "Antonio Sanchez <asanchez@hispasec.com>",
            "yara_rule_reference": "http://laboratorio.blogs.hispasec.com/",
            "yara_rule_description": "Rule to detect the presence of an or several urls",
            "last_hit_utc": "2026-04-25 20:23:31"
        }
    ],
    "300": [
        {
            "sample_cnt": 2268,
            "yara_rule_name": "DebuggerCheck__MemoryWorkingSet",
            "yara_rule_author": "Fernando Merc\u00eas",
            "yara_rule_reference": "http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/",
            "yara_rule_description": "Anti-debug process memory working set size check",
            "last_hit_utc": "2026-04-27 15:08:57"
        }
    ],
    "301": [
        {
            "sample_cnt": 2252,
            "yara_rule_name": "BAZT_B5_NOCEXInvalidStream",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 14:33:31"
        }
    ],
    "302": [
        {
            "sample_cnt": 2243,
            "yara_rule_name": "INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2026-04-15 09:37:53"
        }
    ],
    "303": [
        {
            "sample_cnt": 2233,
            "yara_rule_name": "win_asyncrat_j1",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": null,
            "yara_rule_description": "detects AsyncRAT",
            "last_hit_utc": "2026-04-27 04:44:25"
        }
    ],
    "304": [
        {
            "sample_cnt": 2221,
            "yara_rule_name": "ach_Quakbot_xlsb_20201021",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/a397849dd2e0dedf2b306d2cdb92e8a8/",
            "yara_rule_description": "Detects Quakbot XLS",
            "last_hit_utc": "2022-08-20 12:06:03"
        }
    ],
    "305": [
        {
            "sample_cnt": 2217,
            "yara_rule_name": "INDICATOR_EXE_Packed_VMProtect",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with VMProtect.",
            "last_hit_utc": "2026-04-26 15:41:36"
        }
    ],
    "306": [
        {
            "sample_cnt": 2207,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_GENInfoStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing common artifcats observed in infostealers",
            "last_hit_utc": "2025-01-05 17:04:29"
        }
    ],
    "307": [
        {
            "sample_cnt": 2196,
            "yara_rule_name": "Suspicious_Golang_Binary",
            "yara_rule_author": "Tim Machac",
            "yara_rule_reference": null,
            "yara_rule_description": "Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)",
            "last_hit_utc": "2026-04-27 17:45:01"
        }
    ],
    "308": [
        {
            "sample_cnt": 2181,
            "yara_rule_name": "qbot_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/b89d7454-403c-4c81-95db-7ecbba38eb02",
            "yara_rule_description": "Qbot Qakbot",
            "last_hit_utc": "2021-06-04 14:26:35"
        }
    ],
    "309": [
        {
            "sample_cnt": 2178,
            "yara_rule_name": "CAS_Malware_Hunting",
            "yara_rule_author": "Michael Reinprecht",
            "yara_rule_reference": null,
            "yara_rule_description": "DEMO CAS YARA Rules for sample2.exe",
            "last_hit_utc": "2026-04-27 18:00:00"
        }
    ],
    "310": [
        {
            "sample_cnt": 2165,
            "yara_rule_name": "win_masslogger_w0",
            "yara_rule_author": "govcert_ch",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 05:40:45"
        }
    ],
    "311": [
        {
            "sample_cnt": 2159,
            "yara_rule_name": "ByteCode_MSIL_Backdoor_AsyncRAT",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects AsyncRAT backdoor.",
            "last_hit_utc": "2026-04-27 15:22:44"
        }
    ],
    "312": [
        {
            "sample_cnt": 2144,
            "yara_rule_name": "win_raccoon_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.raccoon.",
            "last_hit_utc": "2022-09-18 18:10:52"
        }
    ],
    "313": [
        {
            "sample_cnt": 2129,
            "yara_rule_name": "Microsoft_XLSX_with_Macrosheet",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 07:29:14"
        }
    ],
    "314": [
        {
            "sample_cnt": 2124,
            "yara_rule_name": "INDICATOR_EXE_Packed_SmartAssembly",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with SmartAssembly",
            "last_hit_utc": "2026-04-17 11:43:35"
        }
    ],
    "315": [
        {
            "sample_cnt": 2115,
            "yara_rule_name": "UPXv20MarkusLaszloReiser",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 14:17:29"
        }
    ],
    "316": [
        {
            "sample_cnt": 2113,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect executables with stomped PE compilation timestamp that is greater than local current time",
            "last_hit_utc": "2026-04-01 20:25:16"
        }
    ],
    "317": [
        {
            "sample_cnt": 2105,
            "yara_rule_name": "Mirai_Botnet_Malware",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Mirai Botnet Malware",
            "last_hit_utc": "2025-01-05 15:35:42"
        }
    ],
    "318": [
        {
            "sample_cnt": 2091,
            "yara_rule_name": "YahLover",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "YahLover",
            "last_hit_utc": "2026-04-27 04:45:29"
        }
    ],
    "319": [
        {
            "sample_cnt": 2080,
            "yara_rule_name": "INDICATOR_RTF_MalVer_Objects",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.",
            "last_hit_utc": "2022-11-25 07:12:04"
        }
    ],
    "320": [
        {
            "sample_cnt": 2057,
            "yara_rule_name": "quakbot_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:51:55"
        }
    ],
    "321": [
        {
            "sample_cnt": 2050,
            "yara_rule_name": "Windows_Trojan_Remcos_b296e965",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 17:52:43"
        }
    ],
    "322": [
        {
            "sample_cnt": 2049,
            "yara_rule_name": "win_xworm_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.xworm.",
            "last_hit_utc": "2026-04-27 15:22:45"
        }
    ],
    "323": [
        {
            "sample_cnt": 2046,
            "yara_rule_name": "MAL_ELF_LNX_Mirai_Oct10_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ELF malware Mirai related",
            "last_hit_utc": "2025-01-05 15:35:41"
        }
    ],
    "324": [
        {
            "sample_cnt": 2046,
            "yara_rule_name": "SUSP_XORed_Mozilla",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()",
            "yara_rule_description": "Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.",
            "last_hit_utc": "2025-01-05 17:04:33"
        }
    ],
    "325": [
        {
            "sample_cnt": 2042,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects file containing reversed ASEP Autorun registry keys",
            "last_hit_utc": "2026-04-27 04:44:24"
        }
    ],
    "326": [
        {
            "sample_cnt": 2035,
            "yara_rule_name": "Macos_Infostealer_Wallets_8e469ea0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:46:22"
        }
    ],
    "327": [
        {
            "sample_cnt": 2023,
            "yara_rule_name": "win_trickbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-05 06:26:10"
        }
    ],
    "328": [
        {
            "sample_cnt": 2019,
            "yara_rule_name": "win_remcos_rat_unpacked",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects strings present in remcos rat Samples.",
            "last_hit_utc": "2026-04-24 17:52:43"
        }
    ],
    "329": [
        {
            "sample_cnt": 2009,
            "yara_rule_name": "asyncrat",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect AsyncRat in memory",
            "last_hit_utc": "2026-04-27 04:44:24"
        }
    ],
    "330": [
        {
            "sample_cnt": 2003,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing SQL queries to confidential data stores. Observed in infostealers",
            "last_hit_utc": "2025-11-25 20:47:30"
        }
    ],
    "331": [
        {
            "sample_cnt": 2001,
            "yara_rule_name": "Linux_Trojan_Gafgyt_d0c57a2e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:15"
        }
    ],
    "332": [
        {
            "sample_cnt": 1993,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_GENInfoStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing common artifacts observed in infostealers",
            "last_hit_utc": "2026-04-27 04:44:23"
        }
    ],
    "333": [
        {
            "sample_cnt": 1970,
            "yara_rule_name": "ach_RemcosRAT",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/ba1b7055651cb3b832dca2927fc5fd5c/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-14 15:13:29"
        }
    ],
    "334": [
        {
            "sample_cnt": 1964,
            "yara_rule_name": "MAL_QuasarRAT_May19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
            "yara_rule_description": "Detects QuasarRAT malware",
            "last_hit_utc": "2026-04-27 04:44:23"
        }
    ],
    "335": [
        {
            "sample_cnt": 1958,
            "yara_rule_name": "Ins_NSIS_Buer_Nov_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect NSIS installer used for Buer loader",
            "last_hit_utc": "2026-04-25 04:28:30"
        }
    ],
    "336": [
        {
            "sample_cnt": 1956,
            "yara_rule_name": "win_remcos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-01-18 13:42:09"
        }
    ],
    "337": [
        {
            "sample_cnt": 1947,
            "yara_rule_name": "xworm",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 21:55:45"
        }
    ],
    "338": [
        {
            "sample_cnt": 1944,
            "yara_rule_name": "INDICATOR_EXE_Packed_Themida",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with Themida",
            "last_hit_utc": "2026-04-27 11:22:24"
        }
    ],
    "339": [
        {
            "sample_cnt": 1930,
            "yara_rule_name": "Linux_Trojan_Mirai_6a77af0f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:15"
        }
    ],
    "340": [
        {
            "sample_cnt": 1929,
            "yara_rule_name": "has_telegram_urls",
            "yara_rule_author": "Aaron DeVera<aaron@backchannel.re>",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Telegram URLs",
            "last_hit_utc": "2026-04-27 10:40:34"
        }
    ],
    "341": [
        {
            "sample_cnt": 1928,
            "yara_rule_name": "Base64_Encoded_Powershell_Directives",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:36:36"
        }
    ],
    "342": [
        {
            "sample_cnt": 1918,
            "yara_rule_name": "Mal_LNX_Mirai_Botnet_ELF",
            "yara_rule_author": "Phatcharadol Thangplub",
            "yara_rule_reference": null,
            "yara_rule_description": "Use to detect Mirai botnet, and there variants.",
            "last_hit_utc": "2026-04-23 22:11:33"
        }
    ],
    "343": [
        {
            "sample_cnt": 1915,
            "yara_rule_name": "TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE",
            "yara_rule_author": "CYFARE",
            "yara_rule_reference": "https://cyfare.net/",
            "yara_rule_description": "Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments",
            "last_hit_utc": "2026-04-27 18:00:05"
        }
    ],
    "344": [
        {
            "sample_cnt": 1896,
            "yara_rule_name": "MAL_QuasarRAT_May19_1",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects QuasarRAT malware",
            "last_hit_utc": "2026-04-27 04:44:23"
        }
    ],
    "345": [
        {
            "sample_cnt": 1889,
            "yara_rule_name": "iexplorer_remcos",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect iexplorer being taken over by Remcos",
            "last_hit_utc": "2026-04-24 17:52:42"
        }
    ],
    "346": [
        {
            "sample_cnt": 1889,
            "yara_rule_name": "MAL_AsnycRAT",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AsnycRAT based on it's config decryption routine",
            "last_hit_utc": "2026-04-27 04:44:24"
        }
    ],
    "347": [
        {
            "sample_cnt": 1888,
            "yara_rule_name": "MAL_AsyncRAT_Config_Decryption",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AsnycRAT based on it's config decryption routine",
            "last_hit_utc": "2026-04-27 04:44:24"
        }
    ],
    "348": [
        {
            "sample_cnt": 1876,
            "yara_rule_name": "adonunix2",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "AD on UNIX",
            "last_hit_utc": "2025-11-23 15:48:27"
        }
    ],
    "349": [
        {
            "sample_cnt": 1872,
            "yara_rule_name": "dsc",
            "yara_rule_author": "Aaron DeVera",
            "yara_rule_reference": null,
            "yara_rule_description": "Discord domains",
            "last_hit_utc": "2026-04-27 01:34:30"
        }
    ],
    "350": [
        {
            "sample_cnt": 1860,
            "yara_rule_name": "xworm_kingrat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 15:22:45"
        }
    ],
    "351": [
        {
            "sample_cnt": 1858,
            "yara_rule_name": "win_emotet_a2",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-04-11 13:51:16"
        }
    ],
    "352": [
        {
            "sample_cnt": 1847,
            "yara_rule_name": "extracted_at_0x44b",
            "yara_rule_author": "cb",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "sample - file extracted_at_0x44b.exe",
            "last_hit_utc": "2026-04-24 21:59:30"
        }
    ],
    "353": [
        {
            "sample_cnt": 1833,
            "yara_rule_name": "win_tofsee_w0",
            "yara_rule_author": "akrasuski1",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-14 10:40:20"
        }
    ],
    "354": [
        {
            "sample_cnt": 1831,
            "yara_rule_name": "HKTL_Meterpreter_inMemory",
            "yara_rule_author": "netbiosX, Florian Roth",
            "yara_rule_reference": "https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/",
            "yara_rule_description": "Detects Meterpreter in-memory",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "355": [
        {
            "sample_cnt": 1824,
            "yara_rule_name": "dependsonpythonailib",
            "yara_rule_author": "Tim Brown",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunts for dependencies on Python AI libraries",
            "last_hit_utc": "2026-04-26 18:07:31"
        }
    ],
    "356": [
        {
            "sample_cnt": 1815,
            "yara_rule_name": "INDICATOR_EXE_Packed_SmartAssembly",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with SmartAssembly",
            "last_hit_utc": "2025-09-10 20:33:13"
        }
    ],
    "357": [
        {
            "sample_cnt": 1811,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects Windows exceutables potentially bypassing UAC using eventvwr.exe",
            "last_hit_utc": "2026-04-25 21:37:57"
        }
    ],
    "358": [
        {
            "sample_cnt": 1786,
            "yara_rule_name": "Suspicious_Latam_MSI_and_ZIP_Files",
            "yara_rule_author": "eremit4, P4nd3m1cb0y",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.",
            "last_hit_utc": "2025-06-16 16:30:12"
        }
    ],
    "359": [
        {
            "sample_cnt": 1782,
            "yara_rule_name": "silentbuilder_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-14 00:53:13"
        }
    ],
    "360": [
        {
            "sample_cnt": 1764,
            "yara_rule_name": "win_amadey_a9f4",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "matches unpacked Amadey samples",
            "last_hit_utc": "2026-04-13 17:36:39"
        }
    ],
    "361": [
        {
            "sample_cnt": 1758,
            "yara_rule_name": "malware_asyncrat",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect AsyncRat in memory",
            "last_hit_utc": "2026-04-27 04:44:24"
        }
    ],
    "362": [
        {
            "sample_cnt": 1739,
            "yara_rule_name": "INDICATOR_OLE_Excel4Macros_DL2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects OLE Excel 4 Macros documents acting as downloaders",
            "last_hit_utc": "2022-08-10 14:15:02"
        }
    ],
    "363": [
        {
            "sample_cnt": 1723,
            "yara_rule_name": "win_formbook_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.formbook.",
            "last_hit_utc": "2024-03-11 11:46:35"
        }
    ],
    "364": [
        {
            "sample_cnt": 1722,
            "yara_rule_name": "TH_Generic_MassHunt_Win_Malware_2025_CYFARE",
            "yara_rule_author": "CYFARE",
            "yara_rule_reference": "https://cyfare.net/",
            "yara_rule_description": "Generic Windows malware mass-hunt rule - 2025",
            "last_hit_utc": "2026-04-27 04:45:29"
        }
    ],
    "365": [
        {
            "sample_cnt": 1714,
            "yara_rule_name": "Linux_Trojan_Mirai_5f7b67b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:52:28"
        }
    ],
    "366": [
        {
            "sample_cnt": 1706,
            "yara_rule_name": "Linux_Generic_Threat_1ac392ca",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 23:43:25"
        }
    ],
    "367": [
        {
            "sample_cnt": 1699,
            "yara_rule_name": "nanocore_rat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 16:01:03"
        }
    ],
    "368": [
        {
            "sample_cnt": 1696,
            "yara_rule_name": "Emotet_Botnet",
            "yara_rule_author": "Harish Kumar P",
            "yara_rule_reference": "",
            "yara_rule_description": "To Detect Emotet Botnet",
            "last_hit_utc": "2022-11-03 01:17:16"
        }
    ],
    "369": [
        {
            "sample_cnt": 1692,
            "yara_rule_name": "setsockopt",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": "",
            "yara_rule_description": "Hunts for setsockopt() red flags",
            "last_hit_utc": "2022-11-26 05:05:03"
        }
    ],
    "370": [
        {
            "sample_cnt": 1687,
            "yara_rule_name": "Windows_Trojan_Formbook",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 20:39:18"
        }
    ],
    "371": [
        {
            "sample_cnt": 1672,
            "yara_rule_name": "NETDLLMicrosoft",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 14:30:42"
        }
    ],
    "372": [
        {
            "sample_cnt": 1667,
            "yara_rule_name": "buerloader_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-04-03 14:52:05"
        }
    ],
    "373": [
        {
            "sample_cnt": 1661,
            "yara_rule_name": "buerloader_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:47:25"
        }
    ],
    "374": [
        {
            "sample_cnt": 1661,
            "yara_rule_name": "PS_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies PowerShell artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2026-04-27 10:07:32"
        }
    ],
    "375": [
        {
            "sample_cnt": 1660,
            "yara_rule_name": "Linux_Trojan_Gafgyt_5bf62ce4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:58:16"
        }
    ],
    "376": [
        {
            "sample_cnt": 1650,
            "yara_rule_name": "ach_SmokeLoader_xlsb_20201112_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/737f08448ad4a56a4ded7b2e06f33a3a/",
            "yara_rule_description": "Detects Smoke Loader XLSB",
            "last_hit_utc": "2020-11-13 16:12:33"
        }
    ],
    "377": [
        {
            "sample_cnt": 1649,
            "yara_rule_name": "Excel_Hidden_Macro_Sheet",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 21:59:48"
        }
    ],
    "378": [
        {
            "sample_cnt": 1644,
            "yara_rule_name": "Formbook",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Formbook Payload",
            "last_hit_utc": "2026-04-25 20:07:12"
        }
    ],
    "379": [
        {
            "sample_cnt": 1641,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_DiscordURL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables Discord URL observed in first stage droppers",
            "last_hit_utc": "2023-12-22 07:00:11"
        }
    ],
    "380": [
        {
            "sample_cnt": 1636,
            "yara_rule_name": "Formbook",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Formbook in memory",
            "last_hit_utc": "2026-03-13 20:39:17"
        }
    ],
    "381": [
        {
            "sample_cnt": 1636,
            "yara_rule_name": "without_attachments",
            "yara_rule_author": "Antonio Sanchez <asanchez@hispasec.com>",
            "yara_rule_reference": "http://laboratorio.blogs.hispasec.com/",
            "yara_rule_description": "Rule to detect the absence of any attachment",
            "last_hit_utc": "2026-04-27 14:59:27"
        }
    ],
    "382": [
        {
            "sample_cnt": 1611,
            "yara_rule_name": "Win32_Ransomware_GandCrab",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects GandCrab ransomware.",
            "last_hit_utc": "2022-08-30 23:08:04"
        }
    ],
    "383": [
        {
            "sample_cnt": 1605,
            "yara_rule_name": "SUSP_Imphash_Mar23_2",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects imphash often found in malware samples (Zero hits with search for 'imphash:x p:0' on Virustotal)",
            "last_hit_utc": "2026-04-22 10:33:41"
        }
    ],
    "384": [
        {
            "sample_cnt": 1592,
            "yara_rule_name": "XWorm",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects XWorm",
            "last_hit_utc": "2026-04-27 15:22:45"
        }
    ],
    "385": [
        {
            "sample_cnt": 1587,
            "yara_rule_name": "botnet_dayzddos",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "dayzddos botnet",
            "last_hit_utc": "2026-04-26 19:50:38"
        }
    ],
    "386": [
        {
            "sample_cnt": 1582,
            "yara_rule_name": "ach_202412_suspect_bash_script",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious Linux bash scripts",
            "last_hit_utc": "2026-04-26 16:46:29"
        }
    ],
    "387": [
        {
            "sample_cnt": 1582,
            "yara_rule_name": "Indicator_MiniDumpWriteDump",
            "yara_rule_author": "Obscurity Labs LLC",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references",
            "last_hit_utc": "2026-04-27 11:34:40"
        }
    ],
    "388": [
        {
            "sample_cnt": 1569,
            "yara_rule_name": "win_quasar_rat_client",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects strings present in Quasar Rat Samples.",
            "last_hit_utc": "2026-04-27 04:44:24"
        }
    ],
    "389": [
        {
            "sample_cnt": 1562,
            "yara_rule_name": "EXE_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies executable artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2026-02-06 22:13:14"
        }
    ],
    "390": [
        {
            "sample_cnt": 1557,
            "yara_rule_name": "iot_req_metachar",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 23:43:25"
        }
    ],
    "391": [
        {
            "sample_cnt": 1551,
            "yara_rule_name": "Windows_Trojan_Njrat_30f3c220",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 18:36:36"
        }
    ],
    "392": [
        {
            "sample_cnt": 1550,
            "yara_rule_name": "PyInstaller",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.",
            "last_hit_utc": "2026-04-26 16:32:31"
        }
    ],
    "393": [
        {
            "sample_cnt": 1549,
            "yara_rule_name": "RC6_Constants",
            "yara_rule_author": "chort (@chort0)",
            "yara_rule_reference": "https://twitter.com/mikko/status/417620511397400576",
            "yara_rule_description": "Look for RC6 magic constants in binary",
            "last_hit_utc": "2026-04-27 04:44:23"
        }
    ],
    "394": [
        {
            "sample_cnt": 1539,
            "yara_rule_name": "INDICATOR_EXE_Packed_Fody",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables manipulated with Fody",
            "last_hit_utc": "2026-04-27 04:46:22"
        }
    ],
    "395": [
        {
            "sample_cnt": 1534,
            "yara_rule_name": "Linux_Trojan_Mirai_01e4a728",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:15"
        }
    ],
    "396": [
        {
            "sample_cnt": 1533,
            "yara_rule_name": "Linux_Trojan_Mirai_520deeb8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 13:33:15"
        }
    ],
    "397": [
        {
            "sample_cnt": 1507,
            "yara_rule_name": "MALWARE_Win_AgentTeslaV2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "AgentTesla Type 2 Keylogger payload",
            "last_hit_utc": "2026-04-27 15:23:26"
        }
    ],
    "398": [
        {
            "sample_cnt": 1499,
            "yara_rule_name": "detect_tiny_vbs",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects tiny VBS delivery technique",
            "last_hit_utc": "2026-04-27 10:07:32"
        }
    ],
    "399": [
        {
            "sample_cnt": 1499,
            "yara_rule_name": "msil_suspicious_use_of_strreverse",
            "yara_rule_author": "dr4k0nia",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse",
            "last_hit_utc": "2026-04-27 16:04:59"
        }
    ],
    "400": [
        {
            "sample_cnt": 1498,
            "yara_rule_name": "office_document_vba",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": "https://github.com/jipegit/",
            "yara_rule_description": "Office document with embedded VBA",
            "last_hit_utc": "2025-11-18 17:17:20"
        }
    ],
    "401": [
        {
            "sample_cnt": 1494,
            "yara_rule_name": "zloader_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-12 16:57:39"
        }
    ],
    "402": [
        {
            "sample_cnt": 1493,
            "yara_rule_name": "Windows_Trojan_Tofsee_26124fe4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-14 10:40:20"
        }
    ],
    "403": [
        {
            "sample_cnt": 1487,
            "yara_rule_name": "MAL_Lokibot_Stealer",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Lokibot Stealer Variants",
            "last_hit_utc": "2023-08-25 17:30:03"
        }
    ],
    "404": [
        {
            "sample_cnt": 1484,
            "yara_rule_name": "MALWARE_Win_Tofsee",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Tofsee",
            "last_hit_utc": "2026-04-14 10:40:20"
        }
    ],
    "405": [
        {
            "sample_cnt": 1483,
            "yara_rule_name": "ProgramLanguage_Rust",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": "Application written in Rust programming language",
            "last_hit_utc": "2026-04-27 15:00:46"
        }
    ],
    "406": [
        {
            "sample_cnt": 1479,
            "yara_rule_name": "tofsee_yhub",
            "yara_rule_author": "Billy Austin",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Tofsee botnet, also known as Gheg",
            "last_hit_utc": "2026-04-14 10:40:20"
        }
    ],
    "407": [
        {
            "sample_cnt": 1475,
            "yara_rule_name": "win_formbook_w0",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 20:39:18"
        }
    ],
    "408": [
        {
            "sample_cnt": 1473,
            "yara_rule_name": "CN_disclosed_20180208_c_RID2E71",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyberintproject/status/961714165550342146",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2026-04-23 18:36:35"
        }
    ],
    "409": [
        {
            "sample_cnt": 1473,
            "yara_rule_name": "crime_win32_csbeacon_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1239632822358474753",
            "yara_rule_description": "Detects Cobalt Strike loader",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "410": [
        {
            "sample_cnt": 1473,
            "yara_rule_name": "MALWARE_Win_QuasarStealer",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Quasar infostealer",
            "last_hit_utc": "2026-04-27 04:44:23"
        }
    ],
    "411": [
        {
            "sample_cnt": 1471,
            "yara_rule_name": "CN_disclosed_20180208_c",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyberintproject/status/961714165550342146",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2025-09-10 20:33:14"
        }
    ],
    "412": [
        {
            "sample_cnt": 1471,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_TelegramChatBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables using Telegram Chat Bot",
            "last_hit_utc": "2022-11-25 16:52:03"
        }
    ],
    "413": [
        {
            "sample_cnt": 1469,
            "yara_rule_name": "SUSP_obfuscated_JS_obfuscatorio",
            "yara_rule_author": "@imp0rtp3",
            "yara_rule_reference": "https://obfuscator.io",
            "yara_rule_description": "Detect JS obfuscation done by the js obfuscator (often malicious)",
            "last_hit_utc": "2026-04-27 12:36:36"
        }
    ],
    "414": [
        {
            "sample_cnt": 1462,
            "yara_rule_name": "Windows_Trojan_Njrat_30f3c220",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 18:36:36"
        }
    ],
    "415": [
        {
            "sample_cnt": 1442,
            "yara_rule_name": "MALWARE_Win_QakBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects variants of QakBot payload",
            "last_hit_utc": "2021-06-04 14:26:34"
        }
    ],
    "416": [
        {
            "sample_cnt": 1440,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects Windows executables potentially bypassing UAC using eventvwr.exe",
            "last_hit_utc": "2025-08-20 16:12:50"
        }
    ],
    "417": [
        {
            "sample_cnt": 1439,
            "yara_rule_name": "TeslaCryptPackedMalware",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 17:52:42"
        }
    ],
    "418": [
        {
            "sample_cnt": 1433,
            "yara_rule_name": "Check_Debugger",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 20:17:33"
        }
    ],
    "419": [
        {
            "sample_cnt": 1416,
            "yara_rule_name": "ELF_IoT_Persistence_Hunt",
            "yara_rule_author": "4r4",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunts for ELF files with persistence and download capabilities",
            "last_hit_utc": "2026-04-27 06:02:31"
        }
    ],
    "420": [
        {
            "sample_cnt": 1416,
            "yara_rule_name": "quasarrat_kingrat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:44:23"
        }
    ],
    "421": [
        {
            "sample_cnt": 1408,
            "yara_rule_name": "INDICATOR_EXE_Packed_DotNetReactor",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with unregistered version of .NET Reactor",
            "last_hit_utc": "2026-04-11 08:45:41"
        }
    ],
    "422": [
        {
            "sample_cnt": 1396,
            "yara_rule_name": "Rustyloader_mem_loose",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24",
            "yara_rule_description": "Corroded buerloader",
            "last_hit_utc": "2026-04-27 15:00:46"
        }
    ],
    "423": [
        {
            "sample_cnt": 1386,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers",
            "last_hit_utc": "2025-01-05 16:14:13"
        }
    ],
    "424": [
        {
            "sample_cnt": 1382,
            "yara_rule_name": "Remcos",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "detect Remcos in memory",
            "last_hit_utc": "2026-03-06 15:08:01"
        }
    ],
    "425": [
        {
            "sample_cnt": 1378,
            "yara_rule_name": "Rooter",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Rooter",
            "last_hit_utc": "2026-04-26 10:50:39"
        }
    ],
    "426": [
        {
            "sample_cnt": 1378,
            "yara_rule_name": "RooterStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Rooter Identifying Strings",
            "last_hit_utc": "2026-04-26 10:50:40"
        }
    ],
    "427": [
        {
            "sample_cnt": 1376,
            "yara_rule_name": "Warp",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Warp",
            "last_hit_utc": "2026-04-27 12:57:33"
        }
    ],
    "428": [
        {
            "sample_cnt": 1376,
            "yara_rule_name": "WarpStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Warp Identifying Strings",
            "last_hit_utc": "2026-04-27 12:57:33"
        }
    ],
    "429": [
        {
            "sample_cnt": 1370,
            "yara_rule_name": "AutoIT_Compiled",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies compiled AutoIT script (as EXE).",
            "last_hit_utc": "2025-12-05 11:22:17"
        }
    ],
    "430": [
        {
            "sample_cnt": 1367,
            "yara_rule_name": "Remcos_unpacked_PulseIntel",
            "yara_rule_author": "PulseIntel",
            "yara_rule_reference": null,
            "yara_rule_description": "Remcos Payload",
            "last_hit_utc": "2026-04-23 17:18:34"
        }
    ],
    "431": [
        {
            "sample_cnt": 1361,
            "yara_rule_name": "REMCOS_RAT_variants",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-01-22 05:58:37"
        }
    ],
    "432": [
        {
            "sample_cnt": 1356,
            "yara_rule_name": "Njrat",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "detect njRAT in memory",
            "last_hit_utc": "2026-04-23 18:36:36"
        }
    ],
    "433": [
        {
            "sample_cnt": 1355,
            "yara_rule_name": "AsyncRat",
            "yara_rule_author": "kevoreilly, JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "AsyncRat Payload",
            "last_hit_utc": "2026-04-27 04:44:24"
        }
    ],
    "434": [
        {
            "sample_cnt": 1349,
            "yara_rule_name": "ReflectiveLoader",
            "yara_rule_author": null,
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended",
            "last_hit_utc": "2022-12-20 11:43:36"
        }
    ],
    "435": [
        {
            "sample_cnt": 1349,
            "yara_rule_name": "SUSP_Reverse_Run_Key",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Reversed Run Key",
            "last_hit_utc": "2026-04-27 04:44:25"
        }
    ],
    "436": [
        {
            "sample_cnt": 1345,
            "yara_rule_name": "quasarrat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:44:23"
        }
    ],
    "437": [
        {
            "sample_cnt": 1342,
            "yara_rule_name": "redline_stealer",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)",
            "last_hit_utc": "2023-01-22 23:15:04"
        }
    ],
    "438": [
        {
            "sample_cnt": 1336,
            "yara_rule_name": "MALWARE_Win_SnakeKeylogger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Snake Keylogger",
            "last_hit_utc": "2023-04-05 14:02:02"
        }
    ],
    "439": [
        {
            "sample_cnt": 1333,
            "yara_rule_name": "CobaltStrike_Unmodifed_Beacon",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unmodified CobaltStrike beacon DLL",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "440": [
        {
            "sample_cnt": 1321,
            "yara_rule_name": "WiltedTulip_ReflectiveLoader",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip",
            "last_hit_utc": "2025-01-05 15:26:04"
        }
    ],
    "441": [
        {
            "sample_cnt": 1320,
            "yara_rule_name": "win_isfb_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2026-03-07 13:05:25"
        }
    ],
    "442": [
        {
            "sample_cnt": 1306,
            "yara_rule_name": "AutoIt",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "AutoIT packer",
            "last_hit_utc": "2026-04-27 14:18:37"
        }
    ],
    "443": [
        {
            "sample_cnt": 1297,
            "yara_rule_name": "MAL_ELF_LNX_Mirai_Oct10_1_RID2F39",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ELF Mirai variant",
            "last_hit_utc": "2026-04-26 23:43:26"
        }
    ],
    "444": [
        {
            "sample_cnt": 1287,
            "yara_rule_name": "AgentTeslaV2",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "AgentTesla Type 2 Keylogger payload",
            "last_hit_utc": "2026-04-27 15:23:25"
        }
    ],
    "445": [
        {
            "sample_cnt": 1287,
            "yara_rule_name": "Linux_Trojan_Mirai_fa3ad9d0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:58:16"
        }
    ],
    "446": [
        {
            "sample_cnt": 1285,
            "yara_rule_name": "Windows_Generic_Threat_ce98c4bc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 14:28:30"
        }
    ],
    "447": [
        {
            "sample_cnt": 1278,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many email and collaboration clients. Observed in information stealers",
            "last_hit_utc": "2022-11-26 04:26:03"
        }
    ],
    "448": [
        {
            "sample_cnt": 1278,
            "yara_rule_name": "win_asyncrat_unobfuscated",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)",
            "last_hit_utc": "2026-04-21 14:28:30"
        }
    ],
    "449": [
        {
            "sample_cnt": 1277,
            "yara_rule_name": "MALWARE_Win_STOP",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects STOP ransomware",
            "last_hit_utc": "2022-11-18 23:09:14"
        }
    ],
    "450": [
        {
            "sample_cnt": 1274,
            "yara_rule_name": "MSIL_SUSP_OBFUSC_XorStringsNet",
            "yara_rule_author": "dr4k0nia",
            "yara_rule_reference": "https://github.com/dr4k0nia/yara-rules",
            "yara_rule_description": "Detects XorStringsNET string encryption, and other obfuscators derived from it",
            "last_hit_utc": "2025-09-05 12:55:06"
        }
    ],
    "451": [
        {
            "sample_cnt": 1273,
            "yara_rule_name": "crime_win32_ransom_avaddon_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1300944441390370819",
            "yara_rule_description": "Detects Avaddon ransomware",
            "last_hit_utc": "2026-04-25 20:23:29"
        }
    ],
    "452": [
        {
            "sample_cnt": 1272,
            "yara_rule_name": "INDICATOR_EXE_Packed_MPress",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables built or packed with MPress PE compressor",
            "last_hit_utc": "2026-04-24 17:52:42"
        }
    ],
    "453": [
        {
            "sample_cnt": 1271,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_DotNetProcHook",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables with potential process hooking",
            "last_hit_utc": "2022-11-25 16:52:03"
        }
    ],
    "454": [
        {
            "sample_cnt": 1269,
            "yara_rule_name": "html_auto_download_b64",
            "yara_rule_author": "Tdawg",
            "yara_rule_reference": null,
            "yara_rule_description": "html auto download",
            "last_hit_utc": "2026-04-25 15:10:34"
        }
    ],
    "455": [
        {
            "sample_cnt": 1269,
            "yara_rule_name": "win_njrat_w1",
            "yara_rule_author": "Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify njRat",
            "last_hit_utc": "2026-04-22 21:44:34"
        }
    ],
    "456": [
        {
            "sample_cnt": 1266,
            "yara_rule_name": "msil_susp_obf_xorstringsnet",
            "yara_rule_author": "dr4k0nia",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects XorStringsNET string encryption, and other obfuscators derived from it",
            "last_hit_utc": "2025-09-05 12:55:06"
        }
    ],
    "457": [
        {
            "sample_cnt": 1265,
            "yara_rule_name": "Detect_SliverFox_String",
            "yara_rule_author": "huoji",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files that are `SliverFox` malware",
            "last_hit_utc": "2026-04-23 07:56:29"
        }
    ],
    "458": [
        {
            "sample_cnt": 1265,
            "yara_rule_name": "Suspicious_Process",
            "yara_rule_author": "Security Research Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Suspicious process creation",
            "last_hit_utc": "2026-04-27 16:04:57"
        }
    ],
    "459": [
        {
            "sample_cnt": 1259,
            "yara_rule_name": "LokiBot",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "LokiBot Payload",
            "last_hit_utc": "2022-11-25 09:50:36"
        }
    ],
    "460": [
        {
            "sample_cnt": 1256,
            "yara_rule_name": "redline_new_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8",
            "yara_rule_description": "Redline stealer",
            "last_hit_utc": "2026-04-21 15:04:40"
        }
    ],
    "461": [
        {
            "sample_cnt": 1248,
            "yara_rule_name": "INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with ConfuserEx Mod Beds Protector",
            "last_hit_utc": "2025-12-12 13:39:18"
        }
    ],
    "462": [
        {
            "sample_cnt": 1248,
            "yara_rule_name": "Steam_stealer_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "Steam in files like avemaria",
            "last_hit_utc": "2022-12-10 18:29:35"
        }
    ],
    "463": [
        {
            "sample_cnt": 1236,
            "yara_rule_name": "ProtectSharewareV11eCompservCMS",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 21:45:31"
        }
    ],
    "464": [
        {
            "sample_cnt": 1236,
            "yara_rule_name": "win_stop_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.stop.",
            "last_hit_utc": "2022-11-18 23:09:14"
        }
    ],
    "465": [
        {
            "sample_cnt": 1234,
            "yara_rule_name": "remcos_rat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 15:08:01"
        }
    ],
    "466": [
        {
            "sample_cnt": 1231,
            "yara_rule_name": "malware_Formbook_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Formbook in memory",
            "last_hit_utc": "2025-01-05 15:14:58"
        }
    ],
    "467": [
        {
            "sample_cnt": 1229,
            "yara_rule_name": "Download_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies download artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2026-04-27 08:10:44"
        }
    ],
    "468": [
        {
            "sample_cnt": 1225,
            "yara_rule_name": "Codoso_Gh0st_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT Gh0st Malware",
            "last_hit_utc": "2025-01-05 15:19:35"
        }
    ],
    "469": [
        {
            "sample_cnt": 1222,
            "yara_rule_name": "suspicious_msi_file",
            "yara_rule_author": "Johnk3r",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects common strings, DLL and API in Banker_BR",
            "last_hit_utc": "2025-06-26 14:55:40"
        }
    ],
    "470": [
        {
            "sample_cnt": 1215,
            "yara_rule_name": "INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects OLE documents potentially exploiting CVE-2017-11882",
            "last_hit_utc": "2025-06-16 16:55:30"
        }
    ],
    "471": [
        {
            "sample_cnt": 1214,
            "yara_rule_name": "Glasses",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Glasses family",
            "last_hit_utc": "2026-04-27 18:00:02"
        }
    ],
    "472": [
        {
            "sample_cnt": 1214,
            "yara_rule_name": "GlassesCode",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Glasses code features",
            "last_hit_utc": "2026-04-27 18:00:02"
        }
    ],
    "473": [
        {
            "sample_cnt": 1207,
            "yara_rule_name": "UNK_install_script",
            "yara_rule_author": "evilcel3ri",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a suspicious behaviour in a bash installation script",
            "last_hit_utc": "2026-03-27 22:44:21"
        }
    ],
    "474": [
        {
            "sample_cnt": 1197,
            "yara_rule_name": "Detect_APT29_WINELOADER_Backdoor",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": "https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties",
            "yara_rule_description": "Detects APT29's WINELOADER backdoor variant used in phishing campaigns; this rule also detects bad pdf, shtml, htm and vbs files, and possibly more",
            "last_hit_utc": "2025-01-03 20:42:17"
        }
    ],
    "475": [
        {
            "sample_cnt": 1197,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_GENRansomware",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects command variations typically used by ransomware",
            "last_hit_utc": "2026-04-23 12:31:37"
        }
    ],
    "476": [
        {
            "sample_cnt": 1196,
            "yara_rule_name": "win_xworm_bytestring",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects bytestring present in unobfuscated xworm",
            "last_hit_utc": "2026-04-27 15:22:45"
        }
    ],
    "477": [
        {
            "sample_cnt": 1194,
            "yara_rule_name": "Parallax",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Parallax RAT.",
            "last_hit_utc": "2026-04-20 23:31:31"
        }
    ],
    "478": [
        {
            "sample_cnt": 1179,
            "yara_rule_name": "Windows_Trojan_Formbook_1112e116",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:12:22"
        }
    ],
    "479": [
        {
            "sample_cnt": 1173,
            "yara_rule_name": "malware_asyncrat",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp",
            "yara_rule_description": "detect AsyncRat in memory",
            "last_hit_utc": "2026-04-27 04:44:24"
        }
    ],
    "480": [
        {
            "sample_cnt": 1170,
            "yara_rule_name": "PyInstaller",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies executable converted using PyInstaller.",
            "last_hit_utc": "2025-01-05 17:35:29"
        }
    ],
    "481": [
        {
            "sample_cnt": 1165,
            "yara_rule_name": "Typical_Malware_String_Transforms_RID3473",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects typical strings in a reversed or otherwise modified form",
            "last_hit_utc": "2026-04-24 02:13:49"
        }
    ],
    "482": [
        {
            "sample_cnt": 1163,
            "yara_rule_name": "Heuristics_ChromeABE",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers",
            "last_hit_utc": "2026-04-25 21:08:48"
        }
    ],
    "483": [
        {
            "sample_cnt": 1163,
            "yara_rule_name": "Linux_Trojan_Mirai_99d78950",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:58:16"
        }
    ],
    "484": [
        {
            "sample_cnt": 1159,
            "yara_rule_name": "Telegram_Exfiltration_Via_Api",
            "yara_rule_author": "lsepaolo",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-09-30 09:25:33"
        }
    ],
    "485": [
        {
            "sample_cnt": 1151,
            "yara_rule_name": "Windows_Generic_Threat_803feff4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:44:24"
        }
    ],
    "486": [
        {
            "sample_cnt": 1148,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing base64 encoded User Agent",
            "last_hit_utc": "2026-03-13 21:45:25"
        }
    ],
    "487": [
        {
            "sample_cnt": 1137,
            "yara_rule_name": "Suspicious_Macro_Presence",
            "yara_rule_author": "Mehmet Ali Kerimoglu (CYB3RMX)",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects common malicious/suspicious implementations.",
            "last_hit_utc": "2025-01-05 15:51:23"
        }
    ],
    "488": [
        {
            "sample_cnt": 1134,
            "yara_rule_name": "SUSP_PE_Discord_Attachment_Oct21_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)",
            "last_hit_utc": "2025-01-05 15:36:51"
        }
    ],
    "489": [
        {
            "sample_cnt": 1134,
            "yara_rule_name": "Vidar",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Vidar Payload",
            "last_hit_utc": "2023-01-22 23:15:05"
        }
    ],
    "490": [
        {
            "sample_cnt": 1133,
            "yara_rule_name": "Nanocore_RAT_Gen_2_RID2D96",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
            "yara_rule_description": "Detects the Nanocore RAT",
            "last_hit_utc": "2026-04-27 16:01:04"
        }
    ],
    "491": [
        {
            "sample_cnt": 1124,
            "yara_rule_name": "Detect_PyInstaller",
            "yara_rule_author": "Obscurity Labs LLC",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PyInstaller compiled executables across platforms",
            "last_hit_utc": "2026-04-26 16:32:31"
        }
    ],
    "492": [
        {
            "sample_cnt": 1120,
            "yara_rule_name": "Nanocore_RAT_Feb18_1_RID2DF1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - T2T",
            "yara_rule_description": "Detects Nanocore RAT",
            "last_hit_utc": "2026-04-27 16:01:03"
        }
    ],
    "493": [
        {
            "sample_cnt": 1117,
            "yara_rule_name": "Win32_Trojan_RedLineStealer",
            "yara_rule_author": "Netskope Threat Labs",
            "yara_rule_reference": "deb95cae4ba26dfba536402318154405",
            "yara_rule_description": "Identifies RedLine Stealer samples",
            "last_hit_utc": "2025-05-02 07:13:47"
        }
    ],
    "494": [
        {
            "sample_cnt": 1116,
            "yara_rule_name": "SUSP_OneNote",
            "yara_rule_author": "spatronn",
            "yara_rule_reference": null,
            "yara_rule_description": "Hard-Detect One",
            "last_hit_utc": "2025-01-05 17:34:35"
        }
    ],
    "495": [
        {
            "sample_cnt": 1113,
            "yara_rule_name": "SUSP_netsh_firewall_command",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 18:36:36"
        }
    ],
    "496": [
        {
            "sample_cnt": 1112,
            "yara_rule_name": "Malware_QA_vqgk",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file vqgk.dll",
            "last_hit_utc": "2025-01-05 15:16:06"
        }
    ],
    "497": [
        {
            "sample_cnt": 1107,
            "yara_rule_name": "SUSP_XORed_MSDOS_Stub_Message",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings",
            "yara_rule_description": "Detects suspicious XORed MSDOS stub message",
            "last_hit_utc": "2026-04-27 14:57:29"
        }
    ],
    "498": [
        {
            "sample_cnt": 1096,
            "yara_rule_name": "win_formbook_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.formbook.",
            "last_hit_utc": "2026-03-13 20:39:18"
        }
    ],
    "499": [
        {
            "sample_cnt": 1093,
            "yara_rule_name": "MALWARE_Win_Vidar",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Vidar / ArkeiStealer",
            "last_hit_utc": "2023-01-22 23:15:05"
        }
    ],
    "500": [
        {
            "sample_cnt": 1084,
            "yara_rule_name": "remcos_rat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-07-14 14:30:03"
        }
    ],
    "501": [
        {
            "sample_cnt": 1070,
            "yara_rule_name": "Execution_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies execution artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2026-04-27 08:10:44"
        }
    ],
    "502": [
        {
            "sample_cnt": 1060,
            "yara_rule_name": "Codoso_Gh0st_1_RID2C2D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT Gh0st Malware",
            "last_hit_utc": "2026-03-23 08:46:22"
        }
    ],
    "503": [
        {
            "sample_cnt": 1058,
            "yara_rule_name": "detect_Mars_Stealer",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_Mars_Stealer",
            "last_hit_utc": "2026-03-15 08:07:20"
        }
    ],
    "504": [
        {
            "sample_cnt": 1057,
            "yara_rule_name": "SUSP_Websites",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the reference of suspicious sites that might be used to download further malware",
            "last_hit_utc": "2026-04-15 09:48:53"
        }
    ],
    "505": [
        {
            "sample_cnt": 1053,
            "yara_rule_name": "PowerShell_Susp_Parameter_Combo",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/uAic1X",
            "yara_rule_description": "Detects PowerShell invocation with suspicious parameters",
            "last_hit_utc": "2023-06-29 20:36:03"
        }
    ],
    "506": [
        {
            "sample_cnt": 1050,
            "yara_rule_name": "Redline_Stealer_Monitor",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RedLine Stealer Variants",
            "last_hit_utc": "2022-10-12 16:46:35"
        }
    ],
    "507": [
        {
            "sample_cnt": 1046,
            "yara_rule_name": "Beacon_K5om",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
            "yara_rule_description": "Detects Meterpreter Beacon - file K5om.dll",
            "last_hit_utc": "2025-01-05 15:16:05"
        }
    ],
    "508": [
        {
            "sample_cnt": 1046,
            "yara_rule_name": "Leviathan_CobaltStrike_Sample_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/MZ7dRg",
            "yara_rule_description": "Detects Cobalt Strike sample from Leviathan report",
            "last_hit_utc": "2025-01-05 15:16:06"
        }
    ],
    "509": [
        {
            "sample_cnt": 1044,
            "yara_rule_name": "elf_arm_mips_ko_so",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 06:02:31"
        }
    ],
    "510": [
        {
            "sample_cnt": 1042,
            "yara_rule_name": "MALWARE_Win_NjRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NjRAT / Bladabindi / NjRAT Golden",
            "last_hit_utc": "2026-04-23 18:36:35"
        }
    ],
    "511": [
        {
            "sample_cnt": 1042,
            "yara_rule_name": "ReflectiveLoader",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended",
            "last_hit_utc": "2026-04-27 07:59:37"
        }
    ],
    "512": [
        {
            "sample_cnt": 1038,
            "yara_rule_name": "Sectigo_Code_Signed",
            "yara_rule_author": null,
            "yara_rule_reference": "https://bazaar.abuse.ch/export/csv/cscb/",
            "yara_rule_description": "Detects code signed by the Sectigo RSA Code Signing CA",
            "last_hit_utc": "2026-04-25 07:00:55"
        }
    ],
    "513": [
        {
            "sample_cnt": 1027,
            "yara_rule_name": "Linux_Trojan_Gafgyt_779e142f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:50:39"
        }
    ],
    "514": [
        {
            "sample_cnt": 1026,
            "yara_rule_name": "Linux_Trojan_Gafgyt_f3d83a74",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:50:39"
        }
    ],
    "515": [
        {
            "sample_cnt": 1026,
            "yara_rule_name": "MAL_njrat",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 18:36:35"
        }
    ],
    "516": [
        {
            "sample_cnt": 1020,
            "yara_rule_name": "malware_Njrat_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "detect njRAT in memory",
            "last_hit_utc": "2026-04-23 18:36:35"
        }
    ],
    "517": [
        {
            "sample_cnt": 1015,
            "yara_rule_name": "win_gcleaner_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.gcleaner.",
            "last_hit_utc": "2022-11-26 14:51:04"
        }
    ],
    "518": [
        {
            "sample_cnt": 1013,
            "yara_rule_name": "Linux_Trojan_Gafgyt_6122acdf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:45:31"
        }
    ],
    "519": [
        {
            "sample_cnt": 1013,
            "yara_rule_name": "Remcos",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Remcos Payload",
            "last_hit_utc": "2025-01-22 05:58:37"
        }
    ],
    "520": [
        {
            "sample_cnt": 1012,
            "yara_rule_name": "Linux_Trojan_Gafgyt_a6a2adb9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:50:39"
        }
    ],
    "521": [
        {
            "sample_cnt": 1006,
            "yara_rule_name": "Linux_Trojan_Mirai_1e0c5ce0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 10:03:38"
        }
    ],
    "522": [
        {
            "sample_cnt": 1005,
            "yara_rule_name": "win_agent_tesla_g2",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-09 07:54:06"
        }
    ],
    "523": [
        {
            "sample_cnt": 1002,
            "yara_rule_name": "MAL_ELF_Xlogin_Nov24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.sekoia.io/solving-the-7777-botnet-enigma-a-cybersecurity-quest/",
            "yara_rule_description": "Detects xlogin backdoor samples",
            "last_hit_utc": "2026-04-26 23:59:35"
        }
    ],
    "524": [
        {
            "sample_cnt": 1000,
            "yara_rule_name": "Linux_Trojan_Gafgyt_09c3070e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:50:38"
        }
    ],
    "525": [
        {
            "sample_cnt": 990,
            "yara_rule_name": "CMD_Ping_Localhost",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 05:19:40"
        }
    ],
    "526": [
        {
            "sample_cnt": 989,
            "yara_rule_name": "Mal_WIN_AsyncRat_RAT_PE",
            "yara_rule_author": "Phatcharadol Thangplub",
            "yara_rule_reference": null,
            "yara_rule_description": "Use to detect AsyncRAT implant.",
            "last_hit_utc": "2026-04-21 14:28:29"
        }
    ],
    "527": [
        {
            "sample_cnt": 988,
            "yara_rule_name": "Script_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies scripting artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2026-04-27 10:07:32"
        }
    ],
    "528": [
        {
            "sample_cnt": 986,
            "yara_rule_name": "CN_disclosed_20180208_c",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/cyberintproject/status/961714165550342146",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2026-04-23 18:36:35"
        }
    ],
    "529": [
        {
            "sample_cnt": 985,
            "yara_rule_name": "Jupyter_infostealer",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for Jupyter Infostealer/Solarmarker malware from September 2021-December 2022",
            "last_hit_utc": "2026-04-27 07:59:37"
        }
    ],
    "530": [
        {
            "sample_cnt": 985,
            "yara_rule_name": "win_stealc_w0",
            "yara_rule_author": "crep1x",
            "yara_rule_reference": "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/",
            "yara_rule_description": "Find standalone Stealc sample based on decryption routine or characteristic strings",
            "last_hit_utc": "2026-03-27 03:15:27"
        }
    ],
    "531": [
        {
            "sample_cnt": 984,
            "yara_rule_name": "Stealer_word_in_memory",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "The actual word stealer in memory",
            "last_hit_utc": "2025-06-04 00:00:20"
        }
    ],
    "532": [
        {
            "sample_cnt": 981,
            "yara_rule_name": "win_raccoon_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-07 18:32:06"
        }
    ],
    "533": [
        {
            "sample_cnt": 979,
            "yara_rule_name": "DridexLoader",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Dridex v4 dropper C2 parsing function",
            "last_hit_utc": "2022-09-07 09:45:07"
        }
    ],
    "534": [
        {
            "sample_cnt": 979,
            "yara_rule_name": "infostealer_win_stealc_standalone",
            "yara_rule_author": null,
            "yara_rule_reference": "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/",
            "yara_rule_description": "Find standalone Stealc sample based on decryption routine or characteristic strings",
            "last_hit_utc": "2026-03-27 03:15:26"
        }
    ],
    "535": [
        {
            "sample_cnt": 970,
            "yara_rule_name": "Windows_Trojan_DarkCloud_9905abce",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 21:45:31"
        }
    ],
    "536": [
        {
            "sample_cnt": 966,
            "yara_rule_name": "Armadillov1xxv2xx",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 09:25:40"
        }
    ],
    "537": [
        {
            "sample_cnt": 966,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables attempting to enumerate video devices using WMI",
            "last_hit_utc": "2026-04-21 14:28:29"
        }
    ],
    "538": [
        {
            "sample_cnt": 964,
            "yara_rule_name": "Sus_All_Windows_PE_Malware",
            "yara_rule_author": "DiegoAnalytics",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Windows PE malware of all types, avoids non-executables like .html",
            "last_hit_utc": "2026-04-27 16:04:57"
        }
    ],
    "539": [
        {
            "sample_cnt": 960,
            "yara_rule_name": "CAS_Malware_Hunting",
            "yara_rule_author": "Michael Reinprecht",
            "yara_rule_reference": "",
            "yara_rule_description": "DEMO CAS YARA Rules for sample2.exe",
            "last_hit_utc": "2023-09-07 10:03:52"
        }
    ],
    "540": [
        {
            "sample_cnt": 957,
            "yara_rule_name": "win_formbook_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-11-30 15:45:08"
        }
    ],
    "541": [
        {
            "sample_cnt": 953,
            "yara_rule_name": "Linux_Trojan_Gafgyt_cf84c9f2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:50:39"
        }
    ],
    "542": [
        {
            "sample_cnt": 952,
            "yara_rule_name": "Linux_Trojan_Mirai_93fc3657",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:58:16"
        }
    ],
    "543": [
        {
            "sample_cnt": 950,
            "yara_rule_name": "NSIS_April_2024",
            "yara_rule_author": "NDA0N",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NSIS installers",
            "last_hit_utc": "2025-01-05 17:34:24"
        }
    ],
    "544": [
        {
            "sample_cnt": 946,
            "yara_rule_name": "RansomwareTest6",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": "",
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2023-02-26 15:22:48"
        }
    ],
    "545": [
        {
            "sample_cnt": 945,
            "yara_rule_name": "Reverse_text_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "Reverse text detected",
            "last_hit_utc": "2022-11-17 22:41:03"
        }
    ],
    "546": [
        {
            "sample_cnt": 944,
            "yara_rule_name": "SUSP_LNK_PowerShell",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the reference to powershell inside an lnk file, which is suspicious",
            "last_hit_utc": "2026-04-27 10:07:32"
        }
    ],
    "547": [
        {
            "sample_cnt": 942,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing potential Windows Defender anti-emulation checks",
            "last_hit_utc": "2023-01-22 23:15:05"
        }
    ],
    "548": [
        {
            "sample_cnt": 941,
            "yara_rule_name": "Linux_Trojan_Mirai_a68e498c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:58:16"
        }
    ],
    "549": [
        {
            "sample_cnt": 940,
            "yara_rule_name": "INDICATOR_EXE_Packed_Themida",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with Themida",
            "last_hit_utc": "2023-08-26 21:25:41"
        }
    ],
    "550": [
        {
            "sample_cnt": 939,
            "yara_rule_name": "Windows_Trojan_Lokibot_0f421617",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 02:11:50"
        }
    ],
    "551": [
        {
            "sample_cnt": 938,
            "yara_rule_name": "Linux_Trojan_Mirai_0cb1699c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:08:33"
        }
    ],
    "552": [
        {
            "sample_cnt": 938,
            "yara_rule_name": "Windows_Trojan_Lokibot_1f885282",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 02:11:50"
        }
    ],
    "553": [
        {
            "sample_cnt": 938,
            "yara_rule_name": "win_lokipws_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.lokipws.",
            "last_hit_utc": "2026-04-23 02:11:50"
        }
    ],
    "554": [
        {
            "sample_cnt": 936,
            "yara_rule_name": "MALWARE_Win_DarkCloud",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects DarkCloud infostealer",
            "last_hit_utc": "2026-04-25 21:45:31"
        }
    ],
    "555": [
        {
            "sample_cnt": 935,
            "yara_rule_name": "upx_antiunpack_elf32",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "UPX Anti-Unpacking technique to magic renamed for ELF32",
            "last_hit_utc": "2026-04-26 13:20:43"
        }
    ],
    "556": [
        {
            "sample_cnt": 933,
            "yara_rule_name": "RansomwareTest4",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": "",
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2023-02-26 15:22:48"
        }
    ],
    "557": [
        {
            "sample_cnt": 931,
            "yara_rule_name": "Linux_Trojan_Mirai_268aac0b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:08:33"
        }
    ],
    "558": [
        {
            "sample_cnt": 927,
            "yara_rule_name": "INDICATOR_RTF_EXPLOIT_CVE_2017_11882_4",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects RTF variant documents potentially exploiting CVE-2018-0802 or CVE-2017-11882",
            "last_hit_utc": "2025-01-05 17:30:26"
        }
    ],
    "559": [
        {
            "sample_cnt": 927,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_ReflectiveLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Reflective DLL injection artifacts",
            "last_hit_utc": "2026-04-27 07:59:37"
        }
    ],
    "560": [
        {
            "sample_cnt": 924,
            "yara_rule_name": "WannaCry_Ransomware",
            "yara_rule_author": "Florian Roth (with the help of binar.ly)",
            "yara_rule_reference": "https://goo.gl/HG2j5T",
            "yara_rule_description": "Detects WannaCry Ransomware",
            "last_hit_utc": "2026-03-12 08:02:07"
        }
    ],
    "561": [
        {
            "sample_cnt": 920,
            "yara_rule_name": "Detect_Remcos_RAT",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Remcos RAT payloads and commands",
            "last_hit_utc": "2026-04-27 16:04:55"
        }
    ],
    "562": [
        {
            "sample_cnt": 916,
            "yara_rule_name": "ach_IcedID_xlsm_20210326_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/8c6eb6ade6710335b3328cabf02d867c/",
            "yara_rule_description": "Detects IcedID xlsm",
            "last_hit_utc": "2022-04-19 22:37:02"
        }
    ],
    "563": [
        {
            "sample_cnt": 916,
            "yara_rule_name": "Telegram_stealer_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "Telegram in files like avemaria",
            "last_hit_utc": "2021-09-06 19:32:29"
        }
    ],
    "564": [
        {
            "sample_cnt": 911,
            "yara_rule_name": "Mirai_Unpack",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-21 15:28:17"
        }
    ],
    "565": [
        {
            "sample_cnt": 910,
            "yara_rule_name": "GoBinTest",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-08-29 14:57:46"
        }
    ],
    "566": [
        {
            "sample_cnt": 909,
            "yara_rule_name": "INDICATOR_DOC_PhishingPatterns",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects OLE, RTF, PDF and OOXML (decompressed) documents with common phishing strings",
            "last_hit_utc": "2025-01-05 17:23:57"
        }
    ],
    "567": [
        {
            "sample_cnt": 907,
            "yara_rule_name": "win_njrat_w1",
            "yara_rule_author": "Brian Wallace @botnet_hunter",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify njRat",
            "last_hit_utc": "2022-06-20 18:09:03"
        }
    ],
    "568": [
        {
            "sample_cnt": 903,
            "yara_rule_name": "LNK_sospechosos",
            "yara_rule_author": "Germ\u00e1n Fern\u00e1ndez",
            "yara_rule_reference": null,
            "yara_rule_description": "Detecta archivos .lnk sospechosos",
            "last_hit_utc": "2026-04-27 09:56:27"
        }
    ],
    "569": [
        {
            "sample_cnt": 901,
            "yara_rule_name": "adonunix2",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": "",
            "yara_rule_description": "AD on UNIX",
            "last_hit_utc": "2024-02-02 09:30:49"
        }
    ],
    "570": [
        {
            "sample_cnt": 901,
            "yara_rule_name": "detect_Redline_Stealer_V2",
            "yara_rule_author": "Varp0s",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 21:14:23"
        }
    ],
    "571": [
        {
            "sample_cnt": 896,
            "yara_rule_name": "SUSP_PowerShell_Base64_Decode",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell code to decode Base64 data. This can yield many FP",
            "last_hit_utc": "2026-04-26 15:44:26"
        }
    ],
    "572": [
        {
            "sample_cnt": 893,
            "yara_rule_name": "multiple_concats_in_excel4_exec_enjoy_the_silence",
            "yara_rule_author": "Will Metcalf",
            "yara_rule_reference": "https://blog.reversinglabs.com/blog/excel-4.0-macros",
            "yara_rule_description": "Behold The Great And Powerful Match Iterator. Multiple Concats with register Function SILENT BUILDER EDITION",
            "last_hit_utc": "2025-01-05 15:39:54"
        }
    ],
    "573": [
        {
            "sample_cnt": 891,
            "yara_rule_name": "INDICATOR_EXE_Packed_ConfuserEx",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with ConfuserEx Mod",
            "last_hit_utc": "2025-04-21 02:11:07"
        }
    ],
    "574": [
        {
            "sample_cnt": 888,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_DiscordURL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables Discord URL observed in first stage droppers",
            "last_hit_utc": "2026-04-25 08:57:34"
        }
    ],
    "575": [
        {
            "sample_cnt": 887,
            "yara_rule_name": "UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 17:54:14"
        }
    ],
    "576": [
        {
            "sample_cnt": 886,
            "yara_rule_name": "MALW_emotet",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule to detect unpacked Emotet",
            "last_hit_utc": "2023-01-19 18:54:16"
        }
    ],
    "577": [
        {
            "sample_cnt": 885,
            "yara_rule_name": "Quasar_RAT_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2025-01-05 15:32:17"
        }
    ],
    "578": [
        {
            "sample_cnt": 882,
            "yara_rule_name": "MALWARE_Win_STOP",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects STOP ransomware",
            "last_hit_utc": "2026-03-04 06:02:26"
        }
    ],
    "579": [
        {
            "sample_cnt": 880,
            "yara_rule_name": "win_dridex_loader_v2",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": null,
            "yara_rule_description": "detects some Dridex loaders",
            "last_hit_utc": "2021-07-06 05:32:22"
        }
    ],
    "580": [
        {
            "sample_cnt": 879,
            "yara_rule_name": "Skystars_LightDefender_Njrat_Rule",
            "yara_rule_author": "Skystars LightDefender",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Njrat",
            "last_hit_utc": "2026-04-23 18:36:36"
        }
    ],
    "581": [
        {
            "sample_cnt": 877,
            "yara_rule_name": "pe_no_import_table",
            "yara_rule_author": "qux",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects exe does not have import table",
            "last_hit_utc": "2025-01-05 16:42:26"
        }
    ],
    "582": [
        {
            "sample_cnt": 876,
            "yara_rule_name": "Multi_Generic_Threat_19854dc2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 16:28:31"
        }
    ],
    "583": [
        {
            "sample_cnt": 869,
            "yara_rule_name": "INDICATOR_RMM_ConnectWise_ScreenConnect",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory",
            "last_hit_utc": "2026-04-26 20:40:42"
        }
    ],
    "584": [
        {
            "sample_cnt": 868,
            "yara_rule_name": "Linux_Trojan_Mirai_804f8e7c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:58:16"
        }
    ],
    "585": [
        {
            "sample_cnt": 862,
            "yara_rule_name": "DridexV4",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Dridex v4 Payload",
            "last_hit_utc": "2022-09-07 09:45:07"
        }
    ],
    "586": [
        {
            "sample_cnt": 861,
            "yara_rule_name": "LokiBot",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "LokiBot Payload",
            "last_hit_utc": "2026-04-16 13:46:31"
        }
    ],
    "587": [
        {
            "sample_cnt": 861,
            "yara_rule_name": "malware_Nanocore_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Nanocore in memory",
            "last_hit_utc": "2026-04-27 16:01:03"
        }
    ],
    "588": [
        {
            "sample_cnt": 860,
            "yara_rule_name": "HeavensGate",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Heaven's Gate: Switch from 32-bit to 64-bit mode",
            "last_hit_utc": "2023-12-09 10:26:40"
        }
    ],
    "589": [
        {
            "sample_cnt": 860,
            "yara_rule_name": "MALWARE_Win_AveMaria",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "AveMaria variant payload",
            "last_hit_utc": "2023-08-25 17:30:03"
        }
    ],
    "590": [
        {
            "sample_cnt": 859,
            "yara_rule_name": "Detect_Tofsee",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect_Tofsee",
            "last_hit_utc": "2026-04-14 10:40:19"
        }
    ],
    "591": [
        {
            "sample_cnt": 859,
            "yara_rule_name": "Linux_Trojan_Gafgyt_dd0d6173",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 09:55:44"
        }
    ],
    "592": [
        {
            "sample_cnt": 855,
            "yara_rule_name": "MALWARE_Win_WarzoneRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects AveMaria/WarzoneRAT",
            "last_hit_utc": "2023-08-25 17:30:03"
        }
    ],
    "593": [
        {
            "sample_cnt": 854,
            "yara_rule_name": "redline_stealer",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)",
            "last_hit_utc": "2025-01-05 17:31:42"
        }
    ],
    "594": [
        {
            "sample_cnt": 852,
            "yara_rule_name": "nanocore_rat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-05-10 18:38:10"
        }
    ],
    "595": [
        {
            "sample_cnt": 851,
            "yara_rule_name": "win_nanocore_w0",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-05-10 18:38:10"
        }
    ],
    "596": [
        {
            "sample_cnt": 848,
            "yara_rule_name": "ach_NanoCore",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/a5b86db98044c4e68a3f15043e12f108/",
            "yara_rule_description": "",
            "last_hit_utc": "2025-05-10 18:38:10"
        }
    ],
    "597": [
        {
            "sample_cnt": 846,
            "yara_rule_name": "Linux_Trojan_Mirai_2e3f67a9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:08:33"
        }
    ],
    "598": [
        {
            "sample_cnt": 845,
            "yara_rule_name": "golang",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-08-29 14:57:46"
        }
    ],
    "599": [
        {
            "sample_cnt": 842,
            "yara_rule_name": "Windows_Trojan_Asyncrat_11a11ba1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-20 23:03:05"
        }
    ],
    "600": [
        {
            "sample_cnt": 842,
            "yara_rule_name": "win_doppeldridex_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.doppeldridex.",
            "last_hit_utc": "2022-09-07 09:45:07"
        }
    ],
    "601": [
        {
            "sample_cnt": 840,
            "yara_rule_name": "MALWARE_Win_DLLLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unknown DLL Loader",
            "last_hit_utc": "2022-09-07 09:45:07"
        }
    ],
    "602": [
        {
            "sample_cnt": 837,
            "yara_rule_name": "vbaproject_bin",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": null,
            "yara_rule_description": "{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time",
            "last_hit_utc": "2026-04-24 11:17:30"
        }
    ],
    "603": [
        {
            "sample_cnt": 834,
            "yara_rule_name": "Linux_Trojan_Mirai_70ef58f1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:08:33"
        }
    ],
    "604": [
        {
            "sample_cnt": 833,
            "yara_rule_name": "win_remcos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.remcos.",
            "last_hit_utc": "2025-01-22 05:58:38"
        }
    ],
    "605": [
        {
            "sample_cnt": 831,
            "yara_rule_name": "MALWARE_Win_NjRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects NjRAT / Bladabindi",
            "last_hit_utc": "2025-09-10 20:33:14"
        }
    ],
    "606": [
        {
            "sample_cnt": 824,
            "yara_rule_name": "win_dridex_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.dridex.",
            "last_hit_utc": "2022-09-07 09:45:07"
        }
    ],
    "607": [
        {
            "sample_cnt": 823,
            "yara_rule_name": "ClamAV_Emotet_String_Aggregate",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 01:34:30"
        }
    ],
    "608": [
        {
            "sample_cnt": 821,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects file containing reversed ASEP Autorun registry keys",
            "last_hit_utc": "2023-02-26 09:34:04"
        }
    ],
    "609": [
        {
            "sample_cnt": 819,
            "yara_rule_name": "win_redline_wextract_hunting_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects wextract archives related to redline/amadey",
            "last_hit_utc": "2026-03-01 08:15:24"
        }
    ],
    "610": [
        {
            "sample_cnt": 814,
            "yara_rule_name": "Linux_Trojan_Gafgyt_a0a4de11",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:50:39"
        }
    ],
    "611": [
        {
            "sample_cnt": 809,
            "yara_rule_name": "TelegramAPIMalware_PowerShell_EXE",
            "yara_rule_author": "@polygonben",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunting for pwsh malware using Telegram for C2",
            "last_hit_utc": "2026-04-27 05:40:44"
        }
    ],
    "612": [
        {
            "sample_cnt": 805,
            "yara_rule_name": "MAL_XMR_Miner_May19_1_RID2E1B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/",
            "yara_rule_description": "Detects Monero Crypto Coin Miner",
            "last_hit_utc": "2026-04-26 15:48:26"
        }
    ],
    "613": [
        {
            "sample_cnt": 803,
            "yara_rule_name": "botnet_dedsec",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "dedsec botnet",
            "last_hit_utc": "2026-04-23 18:25:28"
        }
    ],
    "614": [
        {
            "sample_cnt": 798,
            "yara_rule_name": "win_gootkit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-09 11:26:05"
        }
    ],
    "615": [
        {
            "sample_cnt": 796,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables embedding command execution via IExecuteCommand COM object",
            "last_hit_utc": "2023-08-25 17:30:03"
        }
    ],
    "616": [
        {
            "sample_cnt": 796,
            "yara_rule_name": "Linux_Generic_Threat_e9aef030",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 14:56:32"
        }
    ],
    "617": [
        {
            "sample_cnt": 792,
            "yara_rule_name": "win_alina_pos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-05-10 08:08:04"
        }
    ],
    "618": [
        {
            "sample_cnt": 785,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_CC_Regex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing credit card regular expressions",
            "last_hit_utc": "2026-04-25 21:45:31"
        }
    ],
    "619": [
        {
            "sample_cnt": 784,
            "yara_rule_name": "Linux_Trojan_Gafgyt_32eb0c81",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:50:39"
        }
    ],
    "620": [
        {
            "sample_cnt": 783,
            "yara_rule_name": "XLS_STRINGS",
            "yara_rule_author": "somedieyoungZZ",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Strings targeting Bangladesh",
            "last_hit_utc": "2026-04-27 14:36:31"
        }
    ],
    "621": [
        {
            "sample_cnt": 779,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers",
            "last_hit_utc": "2023-08-24 15:58:45"
        }
    ],
    "622": [
        {
            "sample_cnt": 778,
            "yara_rule_name": "MALWARE_Win_A310Logger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects A310Logger",
            "last_hit_utc": "2026-04-25 21:45:31"
        }
    ],
    "623": [
        {
            "sample_cnt": 777,
            "yara_rule_name": "asyncrat_kingrat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-20 23:03:03"
        }
    ],
    "624": [
        {
            "sample_cnt": 776,
            "yara_rule_name": "win_asyncrat_bytecodes",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)",
            "last_hit_utc": "2026-04-20 23:03:04"
        }
    ],
    "625": [
        {
            "sample_cnt": 776,
            "yara_rule_name": "win_lokipws_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-08 16:30:37"
        }
    ],
    "626": [
        {
            "sample_cnt": 775,
            "yara_rule_name": "Mimikatz_Generic",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match all variants of Mimikatz",
            "last_hit_utc": "2026-04-25 20:23:30"
        }
    ],
    "627": [
        {
            "sample_cnt": 768,
            "yara_rule_name": "MALWARE_Win_Raccoon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Raccoon stealer payload",
            "last_hit_utc": "2022-09-18 18:10:52"
        }
    ],
    "628": [
        {
            "sample_cnt": 762,
            "yara_rule_name": "testlumma",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-01 22:04:24"
        }
    ],
    "629": [
        {
            "sample_cnt": 760,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers",
            "last_hit_utc": "2022-11-26 03:32:03"
        }
    ],
    "630": [
        {
            "sample_cnt": 760,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_6dfafd7b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 15:04:41"
        }
    ],
    "631": [
        {
            "sample_cnt": 756,
            "yara_rule_name": "MALWARE_Win_AveMaria",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "AveMaria variant payload",
            "last_hit_utc": "2026-04-26 03:12:41"
        }
    ],
    "632": [
        {
            "sample_cnt": 755,
            "yara_rule_name": "XOREngine_Misc_XOR_Func",
            "yara_rule_author": "smiller cc @florian @wesley idea on implementation with yara's built in XOR function",
            "yara_rule_reference": "",
            "yara_rule_description": "Use with care, https://twitter.com/cyb3rops/status/1237042104406355968",
            "last_hit_utc": "2023-03-11 04:19:03"
        }
    ],
    "633": [
        {
            "sample_cnt": 749,
            "yara_rule_name": "MAL_QuasarRAT_May19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
            "yara_rule_description": "Detects QuasarRAT malware",
            "last_hit_utc": "2025-01-05 15:32:16"
        }
    ],
    "634": [
        {
            "sample_cnt": 749,
            "yara_rule_name": "upx_3",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "UPX 3.X",
            "last_hit_utc": "2026-04-22 19:22:13"
        }
    ],
    "635": [
        {
            "sample_cnt": 746,
            "yara_rule_name": "MAL_Linux_IoT_MultiArch_BotnetLoader_Generic",
            "yara_rule_author": "Anish Bogati",
            "yara_rule_reference": "MalwareBazaar sample lilin.sh",
            "yara_rule_description": "Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads",
            "last_hit_utc": "2026-04-27 13:31:31"
        }
    ],
    "636": [
        {
            "sample_cnt": 745,
            "yara_rule_name": "AveMaria",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies AveMaria aka WarZone RAT.",
            "last_hit_utc": "2023-01-18 12:49:25"
        }
    ],
    "637": [
        {
            "sample_cnt": 745,
            "yara_rule_name": "ave_maria_warzone_rat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-01-18 12:49:25"
        }
    ],
    "638": [
        {
            "sample_cnt": 744,
            "yara_rule_name": "ScanStringsInsocks5systemz",
            "yara_rule_author": "Byambaa@pubcert.mn",
            "yara_rule_reference": null,
            "yara_rule_description": "Scans presence of the found strings using the in-house brute force method",
            "last_hit_utc": "2026-04-27 07:03:32"
        }
    ],
    "639": [
        {
            "sample_cnt": 742,
            "yara_rule_name": "TA505_Maldoc_21Nov_2",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/58_158_177_102/status/1197432303057637377",
            "yara_rule_description": "invitation (1).xls",
            "last_hit_utc": "2026-04-20 12:28:41"
        }
    ],
    "640": [
        {
            "sample_cnt": 737,
            "yara_rule_name": "Check_Dlls",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 12:39:29"
        }
    ],
    "641": [
        {
            "sample_cnt": 737,
            "yara_rule_name": "informational_win_ole_protected",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": "",
            "yara_rule_description": "Identify OLE Project protection within documents.",
            "last_hit_utc": "2022-11-26 10:08:03"
        }
    ],
    "642": [
        {
            "sample_cnt": 737,
            "yara_rule_name": "Windows_Trojan_Remcos_b296e965",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-15 17:12:39"
        }
    ],
    "643": [
        {
            "sample_cnt": 733,
            "yara_rule_name": "HKTL_CobaltStrike_Beacon_Strings",
            "yara_rule_author": "Elastic",
            "yara_rule_reference": "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures",
            "yara_rule_description": "Identifies strings used in Cobalt Strike Beacon DLL",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "644": [
        {
            "sample_cnt": 730,
            "yara_rule_name": "AppLaunch",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect files referencing .Net AppLaunch.exe",
            "last_hit_utc": "2026-04-10 18:26:22"
        }
    ],
    "645": [
        {
            "sample_cnt": 728,
            "yara_rule_name": "CobaltStrikeBeacon",
            "yara_rule_author": "enzo",
            "yara_rule_reference": null,
            "yara_rule_description": "Cobalt Strike Beacon Payload",
            "last_hit_utc": "2021-07-07 18:58:05"
        }
    ],
    "646": [
        {
            "sample_cnt": 725,
            "yara_rule_name": "win_ave_maria_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-27 15:52:22"
        }
    ],
    "647": [
        {
            "sample_cnt": 724,
            "yara_rule_name": "INDICATOR_EXE_Packed_ASPack",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with ASPack",
            "last_hit_utc": "2026-04-09 13:56:37"
        }
    ],
    "648": [
        {
            "sample_cnt": 724,
            "yara_rule_name": "UPX20030XMarkusOberhumerLaszloMolnarJohnReiser",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 15:13:27"
        }
    ],
    "649": [
        {
            "sample_cnt": 724,
            "yara_rule_name": "win_samsam_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2026-04-21 13:45:45"
        }
    ],
    "650": [
        {
            "sample_cnt": 723,
            "yara_rule_name": "CobaltStrike_Sleep_Decoder_Indicator",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CobaltStrike sleep_mask decoder",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "651": [
        {
            "sample_cnt": 719,
            "yara_rule_name": "suspicious_msi_file",
            "yara_rule_author": "Johnk3r",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects common strings, DLL and API in Banker_BR",
            "last_hit_utc": "2022-11-23 13:40:05"
        }
    ],
    "652": [
        {
            "sample_cnt": 710,
            "yara_rule_name": "RansomwareTest5",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": "",
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2023-02-26 15:22:48"
        }
    ],
    "653": [
        {
            "sample_cnt": 708,
            "yara_rule_name": "HKTL_Win_CobaltStrike",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
            "yara_rule_description": "The CobaltStrike malware family.",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "654": [
        {
            "sample_cnt": 703,
            "yara_rule_name": "Linux_Trojan_Mirai_0d73971c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 12:08:33"
        }
    ],
    "655": [
        {
            "sample_cnt": 695,
            "yara_rule_name": "SUSP_EXE_in_ISO",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ISO files that contain an Exe file. Does not need to be malicious",
            "last_hit_utc": "2026-04-12 14:15:46"
        }
    ],
    "656": [
        {
            "sample_cnt": 694,
            "yara_rule_name": "Detect_LATAM_MSI_Banker",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-31 21:52:20"
        }
    ],
    "657": [
        {
            "sample_cnt": 691,
            "yara_rule_name": "win_vidar_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-10 09:14:27"
        }
    ],
    "658": [
        {
            "sample_cnt": 685,
            "yara_rule_name": "dridex_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-05-14 04:30:03"
        }
    ],
    "659": [
        {
            "sample_cnt": 684,
            "yara_rule_name": "AveMaria",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies AveMaria aka WarZone RAT.",
            "last_hit_utc": "2026-03-23 08:46:22"
        }
    ],
    "660": [
        {
            "sample_cnt": 683,
            "yara_rule_name": "Base64_decoding",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)",
            "last_hit_utc": "2026-04-27 13:28:26"
        }
    ],
    "661": [
        {
            "sample_cnt": 681,
            "yara_rule_name": "Typical_Malware_String_Transforms",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects typical strings in a reversed or otherwise modified form",
            "last_hit_utc": "2026-04-24 02:13:48"
        }
    ],
    "662": [
        {
            "sample_cnt": 679,
            "yara_rule_name": "MALWARE_Win_Vidar",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Vidar / ArkeiStealer",
            "last_hit_utc": "2025-01-03 19:33:41"
        }
    ],
    "663": [
        {
            "sample_cnt": 679,
            "yara_rule_name": "win_asyncrat_j1",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": "",
            "yara_rule_description": "detects AsyncRAT",
            "last_hit_utc": "2023-02-26 09:34:04"
        }
    ],
    "664": [
        {
            "sample_cnt": 674,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_GENRansomware",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects command variations typically used by ransomware",
            "last_hit_utc": "2025-08-20 16:12:50"
        }
    ],
    "665": [
        {
            "sample_cnt": 674,
            "yara_rule_name": "Quasar_RAT_1_RID2B54",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2026-04-20 23:03:25"
        }
    ],
    "666": [
        {
            "sample_cnt": 670,
            "yara_rule_name": "SUSP_Discord_Attachments_URL",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects a PE file that contains a Discord Attachments URL. This is often used by Malware to download further payloads",
            "last_hit_utc": "2022-11-25 17:03:03"
        }
    ],
    "667": [
        {
            "sample_cnt": 670,
            "yara_rule_name": "TH_Win_ETW_Bypass_2025_CYFARE",
            "yara_rule_author": "CYFARE",
            "yara_rule_reference": "https://cyfare.net/",
            "yara_rule_description": "Windows ETW Bypass Detection Rule - 2025",
            "last_hit_utc": "2026-04-27 04:56:35"
        }
    ],
    "668": [
        {
            "sample_cnt": 666,
            "yara_rule_name": "EXE_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies executable artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2022-11-25 07:21:04"
        }
    ],
    "669": [
        {
            "sample_cnt": 660,
            "yara_rule_name": "Telegram_Links",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-31 17:26:34"
        }
    ],
    "670": [
        {
            "sample_cnt": 651,
            "yara_rule_name": "Long_RelativePath_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.",
            "last_hit_utc": "2026-04-26 17:30:26"
        }
    ],
    "671": [
        {
            "sample_cnt": 643,
            "yara_rule_name": "mal_healer",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Payload disabling Windows AV",
            "last_hit_utc": "2025-04-18 20:02:11"
        }
    ],
    "672": [
        {
            "sample_cnt": 642,
            "yara_rule_name": "silentbuilder_03_11",
            "yara_rule_author": "James Quinn",
            "yara_rule_reference": null,
            "yara_rule_description": "SilentBuilder xls sheets",
            "last_hit_utc": "2025-01-07 09:03:03"
        }
    ],
    "673": [
        {
            "sample_cnt": 641,
            "yara_rule_name": "ach_Heodo_doc_gen",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/75d02ed5fce33f6b606e305b0c9d8a65/",
            "yara_rule_description": "Detects Heodo DOC",
            "last_hit_utc": "2023-01-28 19:25:03"
        }
    ],
    "674": [
        {
            "sample_cnt": 641,
            "yara_rule_name": "Linux_Trojan_Mirai_3a56423b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 11:35:33"
        }
    ],
    "675": [
        {
            "sample_cnt": 640,
            "yara_rule_name": "Linux_Generic_Threat_da28eb8b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 14:56:31"
        }
    ],
    "676": [
        {
            "sample_cnt": 639,
            "yara_rule_name": "win_emotet_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.emotet.",
            "last_hit_utc": "2023-01-19 18:56:15"
        }
    ],
    "677": [
        {
            "sample_cnt": 638,
            "yara_rule_name": "win_njrat_w1",
            "yara_rule_author": "Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>",
            "yara_rule_reference": "",
            "yara_rule_description": "Identify njRat",
            "last_hit_utc": "2025-09-10 20:33:14"
        }
    ],
    "678": [
        {
            "sample_cnt": 636,
            "yara_rule_name": "APT_Sandworm_ArguePatch_Apr_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
            "yara_rule_description": "Detects the ArguePatch loader used by the Sandworm group to load CaddyWiper",
            "last_hit_utc": "2026-04-27 16:11:31"
        }
    ],
    "679": [
        {
            "sample_cnt": 634,
            "yara_rule_name": "silentbuilder_03_17",
            "yara_rule_author": "James Quinn",
            "yara_rule_reference": null,
            "yara_rule_description": "SilentBuilder xls sheets",
            "last_hit_utc": "2025-01-07 09:03:03"
        }
    ],
    "680": [
        {
            "sample_cnt": 632,
            "yara_rule_name": "MALWARE_Win_NjRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NjRAT / Bladabindi",
            "last_hit_utc": "2025-01-05 16:17:55"
        }
    ],
    "681": [
        {
            "sample_cnt": 628,
            "yara_rule_name": "botnet_RyM",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "RyM botnet",
            "last_hit_utc": "2026-04-22 20:40:48"
        }
    ],
    "682": [
        {
            "sample_cnt": 624,
            "yara_rule_name": "MAL_XMR_Miner_May19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/",
            "yara_rule_description": "Detects Monero Crypto Coin Miner",
            "last_hit_utc": "2025-12-01 20:35:14"
        }
    ],
    "683": [
        {
            "sample_cnt": 622,
            "yara_rule_name": "win_tofsee_w0",
            "yara_rule_author": "akrasuski1",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 15:00:51"
        }
    ],
    "684": [
        {
            "sample_cnt": 621,
            "yara_rule_name": "SUSP_LNK_CMD",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the reference to cmd.exe inside an lnk file, which is suspicious",
            "last_hit_utc": "2026-04-27 08:10:45"
        }
    ],
    "685": [
        {
            "sample_cnt": 621,
            "yara_rule_name": "Windows_Ransomware_Stop_1e8d48ff",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-04 06:02:26"
        }
    ],
    "686": [
        {
            "sample_cnt": 620,
            "yara_rule_name": "ICMLuaUtil_UACMe_M41",
            "yara_rule_author": "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>",
            "yara_rule_reference": "https://github.com/hfiref0x/UACME",
            "yara_rule_description": "A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface",
            "last_hit_utc": "2026-04-23 14:22:41"
        }
    ],
    "687": [
        {
            "sample_cnt": 619,
            "yara_rule_name": "EXE_RAT_XWorm_April2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-17 11:22:37"
        }
    ],
    "688": [
        {
            "sample_cnt": 617,
            "yara_rule_name": "win_stop_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.stop.",
            "last_hit_utc": "2026-03-04 06:02:26"
        }
    ],
    "689": [
        {
            "sample_cnt": 616,
            "yara_rule_name": "Linux_Trojan_Gafgyt_1b2e2a3a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:43:28"
        }
    ],
    "690": [
        {
            "sample_cnt": 616,
            "yara_rule_name": "RansomwareTest3",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": "",
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2022-10-04 15:54:04"
        }
    ],
    "691": [
        {
            "sample_cnt": 615,
            "yara_rule_name": "ach_RemcosRAT",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/ba1b7055651cb3b832dca2927fc5fd5c/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-09 13:10:05"
        }
    ],
    "692": [
        {
            "sample_cnt": 613,
            "yara_rule_name": "win_formbook_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-07 13:52:08"
        }
    ],
    "693": [
        {
            "sample_cnt": 611,
            "yara_rule_name": "AsyncRat_Detection_Dec_2022",
            "yara_rule_author": "Potatech",
            "yara_rule_reference": null,
            "yara_rule_description": "AsyncRat",
            "last_hit_utc": "2025-01-05 15:35:38"
        }
    ],
    "694": [
        {
            "sample_cnt": 609,
            "yara_rule_name": "MALWARE_Win_Raccoon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Raccoon/Racealer infostealer",
            "last_hit_utc": "2021-07-07 18:32:06"
        }
    ],
    "695": [
        {
            "sample_cnt": 608,
            "yara_rule_name": "ach_ZLoader_xls_20201029",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/2e228782196fda1ba41be75b2bcf06bc/",
            "yara_rule_description": "Detects ZLoader XLS",
            "last_hit_utc": "2021-09-14 11:19:32"
        }
    ],
    "696": [
        {
            "sample_cnt": 606,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients",
            "yara_rule_author": "@ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many email and collaboration clients. Observed in information stealers",
            "last_hit_utc": "2021-05-05 13:11:05"
        }
    ],
    "697": [
        {
            "sample_cnt": 606,
            "yara_rule_name": "Tsunami_Backdoor",
            "yara_rule_author": "@is_henderson",
            "yara_rule_reference": null,
            "yara_rule_description": "Tsunami Backdoor",
            "last_hit_utc": "2026-03-03 12:25:26"
        }
    ],
    "698": [
        {
            "sample_cnt": 604,
            "yara_rule_name": "INDICATOR_RMM_ConnectWise_ScreenConnect_CERT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory",
            "last_hit_utc": "2026-04-26 20:40:42"
        }
    ],
    "699": [
        {
            "sample_cnt": 604,
            "yara_rule_name": "SPLCrypt",
            "yara_rule_author": "James Quinn, Binary Defense",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies SPLCrypt, a new crypter associated with Bazaloader",
            "last_hit_utc": "2022-11-21 06:02:04"
        }
    ],
    "700": [
        {
            "sample_cnt": 602,
            "yara_rule_name": "Sectigo_Code_Signed",
            "yara_rule_author": "",
            "yara_rule_reference": "https://bazaar.abuse.ch/export/csv/cscb/",
            "yara_rule_description": "Detects code signed by the Sectigo RSA Code Signing CA",
            "last_hit_utc": "2024-04-29 14:32:48"
        }
    ],
    "701": [
        {
            "sample_cnt": 601,
            "yara_rule_name": "win_netwire_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-01-06 07:16:07"
        }
    ],
    "702": [
        {
            "sample_cnt": 597,
            "yara_rule_name": "Linux_Trojan_Gafgyt_9127f7be",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:43:29"
        }
    ],
    "703": [
        {
            "sample_cnt": 596,
            "yara_rule_name": "EnigmaStub",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Enigma packer stub.",
            "last_hit_utc": "2026-03-22 06:40:11"
        }
    ],
    "704": [
        {
            "sample_cnt": 596,
            "yara_rule_name": "Windows_Trojan_Generic_2993e5a5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-14 10:43:16"
        }
    ],
    "705": [
        {
            "sample_cnt": 594,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_DcRatBy",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing the string DcRatBy",
            "last_hit_utc": "2026-04-21 14:28:29"
        }
    ],
    "706": [
        {
            "sample_cnt": 594,
            "yara_rule_name": "multiple_concats_in_excel4_formula_call",
            "yara_rule_author": "Will Metcalf",
            "yara_rule_reference": "https://blog.reversinglabs.com/blog/excel-4.0-macros",
            "yara_rule_description": "Behold The Great And Powerful Match Iterator. Multiple Concats Inside of call Function",
            "last_hit_utc": "2022-07-13 08:08:02"
        }
    ],
    "707": [
        {
            "sample_cnt": 593,
            "yara_rule_name": "XMRIG_Monero_Miner",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/xmrig/xmrig/releases",
            "yara_rule_description": "Detects Monero mining software",
            "last_hit_utc": "2026-04-26 15:48:27"
        }
    ],
    "708": [
        {
            "sample_cnt": 592,
            "yara_rule_name": "INDICATOR_EXE_Packed_dotNetProtector",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with dotNetProtector",
            "last_hit_utc": "2022-11-24 11:19:02"
        }
    ],
    "709": [
        {
            "sample_cnt": 592,
            "yara_rule_name": "unixredflags2",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunts for UNIX red flags",
            "last_hit_utc": "2021-03-07 07:15:08"
        }
    ],
    "710": [
        {
            "sample_cnt": 591,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing URLs to raw contents of a Github gist",
            "last_hit_utc": "2025-01-05 17:28:28"
        }
    ],
    "711": [
        {
            "sample_cnt": 591,
            "yara_rule_name": "MALWARE_Win_NanoCore",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects NanoCore",
            "last_hit_utc": "2022-11-24 08:17:03"
        }
    ],
    "712": [
        {
            "sample_cnt": 586,
            "yara_rule_name": "AveMaria_WarZone",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 03:12:40"
        }
    ],
    "713": [
        {
            "sample_cnt": 586,
            "yara_rule_name": "MALWARE_Win_MetaStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MetaStealer infostealer",
            "last_hit_utc": "2026-04-08 01:32:25"
        }
    ],
    "714": [
        {
            "sample_cnt": 585,
            "yara_rule_name": "Windows_Trojan_Generic_40899c85",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 15:04:41"
        }
    ],
    "715": [
        {
            "sample_cnt": 584,
            "yara_rule_name": "crime_win32_icedid_stage1",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": "https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html",
            "yara_rule_description": "Detects IcedID Photoloader",
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "716": [
        {
            "sample_cnt": 584,
            "yara_rule_name": "SUSP_DOTNET_PE_List_AV",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects .NET Binary that lists installed AVs",
            "last_hit_utc": "2023-02-26 09:34:04"
        }
    ],
    "717": [
        {
            "sample_cnt": 583,
            "yara_rule_name": "Linux_Trojan_Gafgyt_e4a1982b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 16:46:31"
        }
    ],
    "718": [
        {
            "sample_cnt": 580,
            "yara_rule_name": "MALWARE_Win_Tofsee",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Tofsee",
            "last_hit_utc": "2022-11-26 15:00:51"
        }
    ],
    "719": [
        {
            "sample_cnt": 580,
            "yara_rule_name": "skip20_sqllang_hook",
            "yara_rule_author": "Mathieu Tartare <mathieu.tartare@eset.com>",
            "yara_rule_reference": "https://www.welivesecurity.com/",
            "yara_rule_description": "YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.",
            "last_hit_utc": "2026-04-27 18:00:04"
        }
    ],
    "720": [
        {
            "sample_cnt": 575,
            "yara_rule_name": "crait",
            "yara_rule_author": "Hugo Porcher",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf",
            "yara_rule_description": "Signature to detect Crait family",
            "last_hit_utc": "2026-04-01 21:48:15"
        }
    ],
    "721": [
        {
            "sample_cnt": 574,
            "yara_rule_name": "Emotet",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Emotet in memory",
            "last_hit_utc": "2026-03-24 14:31:10"
        }
    ],
    "722": [
        {
            "sample_cnt": 571,
            "yara_rule_name": "Linux_Trojan_Mirai_95e0056c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 10:47:24"
        }
    ],
    "723": [
        {
            "sample_cnt": 571,
            "yara_rule_name": "TrojanSpy_EMOTET_W4",
            "yara_rule_author": "Ian Kenefick (Trend Micro)",
            "yara_rule_reference": "",
            "yara_rule_description": "Emotet x64 Loader",
            "last_hit_utc": "2022-11-11 03:18:02"
        }
    ],
    "724": [
        {
            "sample_cnt": 570,
            "yara_rule_name": "Linux_Trojan_Gafgyt_d2953f92",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 09:53:29"
        }
    ],
    "725": [
        {
            "sample_cnt": 568,
            "yara_rule_name": "PowerShell_Susp_Parameter_Combo_RID336F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/uAic1X",
            "yara_rule_description": "Detects PowerShell invocation with suspicious parameters",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "726": [
        {
            "sample_cnt": 567,
            "yara_rule_name": "MALWARE_Win_WarzoneRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AveMaria/WarzoneRAT",
            "last_hit_utc": "2026-04-26 03:12:41"
        }
    ],
    "727": [
        {
            "sample_cnt": 562,
            "yara_rule_name": "Quasar",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "detect QuasarRAT in memory",
            "last_hit_utc": "2026-04-20 23:03:25"
        }
    ],
    "728": [
        {
            "sample_cnt": 561,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables embedding registry key / value combination indicative of disabling Windows Defender features",
            "last_hit_utc": "2026-04-27 04:46:22"
        }
    ],
    "729": [
        {
            "sample_cnt": 560,
            "yara_rule_name": "Linux_Trojan_Gafgyt_c573932b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:45:31"
        }
    ],
    "730": [
        {
            "sample_cnt": 560,
            "yara_rule_name": "meth_peb_parsing",
            "yara_rule_author": "Willi Ballenthin",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-12-09 10:26:40"
        }
    ],
    "731": [
        {
            "sample_cnt": 555,
            "yara_rule_name": "Linux_Trojan_Gafgyt_6a510422",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 09:53:29"
        }
    ],
    "732": [
        {
            "sample_cnt": 554,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing base64 encoded gzip files",
            "last_hit_utc": "2026-04-27 16:04:58"
        }
    ],
    "733": [
        {
            "sample_cnt": 551,
            "yara_rule_name": "MALW_cobaltrike",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect CobaltStrike beacon",
            "last_hit_utc": "2021-07-06 05:27:14"
        }
    ],
    "734": [
        {
            "sample_cnt": 551,
            "yara_rule_name": "Vidar",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Vidar Payload",
            "last_hit_utc": "2025-01-05 14:57:11"
        }
    ],
    "735": [
        {
            "sample_cnt": 550,
            "yara_rule_name": "Linux_Trojan_Gafgyt_7167d08f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:45:31"
        }
    ],
    "736": [
        {
            "sample_cnt": 550,
            "yara_rule_name": "QakBot",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "QakBot Payload",
            "last_hit_utc": "2022-11-22 21:15:09"
        }
    ],
    "737": [
        {
            "sample_cnt": 548,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxUserNames",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing possible sandbox analysis VM usernames",
            "last_hit_utc": "2026-04-26 19:33:24"
        }
    ],
    "738": [
        {
            "sample_cnt": 546,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many email and collaboration clients. Observed in information stealers",
            "last_hit_utc": "2023-12-09 12:29:41"
        }
    ],
    "739": [
        {
            "sample_cnt": 544,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
            "last_hit_utc": "2023-03-27 03:26:27"
        }
    ],
    "740": [
        {
            "sample_cnt": 543,
            "yara_rule_name": "AcRat",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "AcRat Payload (based on AsyncRat)",
            "last_hit_utc": "2026-04-21 14:28:29"
        }
    ],
    "741": [
        {
            "sample_cnt": 543,
            "yara_rule_name": "identity_golang",
            "yara_rule_author": "Eric Yocam",
            "yara_rule_reference": "",
            "yara_rule_description": "find Golang malware",
            "last_hit_utc": "2023-08-29 14:57:46"
        }
    ],
    "742": [
        {
            "sample_cnt": 542,
            "yara_rule_name": "dridex_loader",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Dridex Loader",
            "last_hit_utc": "2022-09-07 09:45:07"
        }
    ],
    "743": [
        {
            "sample_cnt": 542,
            "yara_rule_name": "SUSP_RTF_Header_Anomaly_RID2F7F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/ItsReallyNick/status/975705759618158593",
            "yara_rule_description": "Detects malformed RTF header often used to trick mechanisms that check for a full RTF header",
            "last_hit_utc": "2025-12-14 07:39:11"
        }
    ],
    "744": [
        {
            "sample_cnt": 531,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RawPaste_URL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables (downloaders) containing URLs to raw contents of a paste",
            "last_hit_utc": "2026-04-20 13:21:47"
        }
    ],
    "745": [
        {
            "sample_cnt": 530,
            "yara_rule_name": "INDICATOR_EXE_Packed_Dotfuscator",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with Dotfuscator",
            "last_hit_utc": "2022-11-24 11:19:02"
        }
    ],
    "746": [
        {
            "sample_cnt": 530,
            "yara_rule_name": "StrelaDownloader",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects StrelaDownloader written in JavaScript",
            "last_hit_utc": "2025-01-03 21:10:26"
        }
    ],
    "747": [
        {
            "sample_cnt": 530,
            "yara_rule_name": "sus_pe_free_without_allocation",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution",
            "last_hit_utc": "2026-04-21 12:09:35"
        }
    ],
    "748": [
        {
            "sample_cnt": 529,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect binaries embedding considerable number of MFA browser extension IDs.",
            "last_hit_utc": "2026-04-23 12:31:36"
        }
    ],
    "749": [
        {
            "sample_cnt": 529,
            "yara_rule_name": "mirai_botnet_unpack",
            "yara_rule_author": "bozer",
            "yara_rule_reference": null,
            "yara_rule_description": "Used to detect unpacked Mirai and its variants.",
            "last_hit_utc": "2025-01-05 17:15:13"
        }
    ],
    "750": [
        {
            "sample_cnt": 528,
            "yara_rule_name": "ach_Dridex_xlsm_20200528_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/8d2c87fe3217fc82d1d4c2431ba841cf/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-23 11:05:29"
        }
    ],
    "751": [
        {
            "sample_cnt": 528,
            "yara_rule_name": "SUSP_Reversed_Base64_Encoded_EXE_RID3291",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a base64 encoded executable with reversed characters",
            "last_hit_utc": "2026-04-22 16:36:14"
        }
    ],
    "752": [
        {
            "sample_cnt": 526,
            "yara_rule_name": "BAZT_B5_NOCEXInvalidStream",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 10:54:51"
        }
    ],
    "753": [
        {
            "sample_cnt": 522,
            "yara_rule_name": "Windows_Trojan_XWorm_b7d6eaa8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 15:22:45"
        }
    ],
    "754": [
        {
            "sample_cnt": 521,
            "yara_rule_name": "golang_david_CSC846",
            "yara_rule_author": "David",
            "yara_rule_reference": null,
            "yara_rule_description": "CSC-846 Golang",
            "last_hit_utc": "2026-04-22 17:54:13"
        }
    ],
    "755": [
        {
            "sample_cnt": 519,
            "yara_rule_name": "redline_stealer_2",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "RedLine Stealer Payload",
            "last_hit_utc": "2025-01-05 16:53:57"
        }
    ],
    "756": [
        {
            "sample_cnt": 518,
            "yara_rule_name": "Amadey",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Amadey Payload",
            "last_hit_utc": "2025-08-03 17:26:23"
        }
    ],
    "757": [
        {
            "sample_cnt": 518,
            "yara_rule_name": "linux_generic_irc_catcher",
            "yara_rule_author": "@_lubiedo",
            "yara_rule_reference": null,
            "yara_rule_description": "Find new ELF IRC samples",
            "last_hit_utc": "2026-03-23 16:27:17"
        }
    ],
    "758": [
        {
            "sample_cnt": 515,
            "yara_rule_name": "INDICATOR_RTF_EXPLOIT_CVE_2017_11882_4",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects RTF variant documents potentially exploiting CVE-2018-0802 or CVE-2017-11882",
            "last_hit_utc": "2022-11-25 07:12:04"
        }
    ],
    "759": [
        {
            "sample_cnt": 515,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing base64 encoded gzip files",
            "last_hit_utc": "2022-11-25 17:57:03"
        }
    ],
    "760": [
        {
            "sample_cnt": 515,
            "yara_rule_name": "Windows_Trojan_Formbook_1112e116",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 20:39:18"
        }
    ],
    "761": [
        {
            "sample_cnt": 514,
            "yara_rule_name": "MALWARE_Win_QuasarRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "QuasarRAT payload",
            "last_hit_utc": "2026-04-20 23:03:25"
        }
    ],
    "762": [
        {
            "sample_cnt": 514,
            "yara_rule_name": "pdb2",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-01-19 18:52:17"
        }
    ],
    "763": [
        {
            "sample_cnt": 513,
            "yara_rule_name": "Quasar_RAT_2_RID2B55",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2026-04-20 23:03:25"
        }
    ],
    "764": [
        {
            "sample_cnt": 511,
            "yara_rule_name": "Typical_Malware_String_Transforms",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects typical strings in a reversed or otherwise modified form",
            "last_hit_utc": "2025-01-05 15:33:40"
        }
    ],
    "765": [
        {
            "sample_cnt": 508,
            "yara_rule_name": "Linux_Trojan_Mirai_485c4b13",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:58:17"
        }
    ],
    "766": [
        {
            "sample_cnt": 506,
            "yara_rule_name": "agentesla",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked agenttesla malware samples.",
            "last_hit_utc": "2025-10-14 15:46:04"
        }
    ],
    "767": [
        {
            "sample_cnt": 505,
            "yara_rule_name": "Windows_Trojan_AgentTesla_ebf431a8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:12:21"
        }
    ],
    "768": [
        {
            "sample_cnt": 505,
            "yara_rule_name": "yarahub_win_stealc_bytecodes_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-15 06:23:58"
        }
    ],
    "769": [
        {
            "sample_cnt": 503,
            "yara_rule_name": "js_StrelaDownloader",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects StrelaDownloader written in JavaScript",
            "last_hit_utc": "2025-01-03 19:41:15"
        }
    ],
    "770": [
        {
            "sample_cnt": 500,
            "yara_rule_name": "Linux_Generic_Threat_a40aaa96",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-11 18:25:45"
        }
    ],
    "771": [
        {
            "sample_cnt": 498,
            "yara_rule_name": "SUSP_VBS_Wscript_Shell",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and common",
            "last_hit_utc": "2026-04-27 05:34:27"
        }
    ],
    "772": [
        {
            "sample_cnt": 496,
            "yara_rule_name": "Trojan_W32_Gh0stMiancha_1_0_0",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-29 12:12:15"
        }
    ],
    "773": [
        {
            "sample_cnt": 493,
            "yara_rule_name": "APT_Bitter_ZxxZ_Downloader",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh",
            "yara_rule_description": "Detects Bitter (T-APT-17) ZxxZ Downloader",
            "last_hit_utc": "2026-04-25 20:23:28"
        }
    ],
    "774": [
        {
            "sample_cnt": 492,
            "yara_rule_name": "sfx_pdb",
            "yara_rule_author": "@razvialex",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect interesting files containing sfx with pdb paths.",
            "last_hit_utc": "2025-01-05 16:01:35"
        }
    ],
    "775": [
        {
            "sample_cnt": 491,
            "yara_rule_name": "win_tofsee_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.tofsee.",
            "last_hit_utc": "2022-11-26 15:00:51"
        }
    ],
    "776": [
        {
            "sample_cnt": 490,
            "yara_rule_name": "INDICATOR_EXE_Packed_VMProtect",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with VMProtect.",
            "last_hit_utc": "2026-03-07 12:43:37"
        }
    ],
    "777": [
        {
            "sample_cnt": 490,
            "yara_rule_name": "MAL_Winnti_Sample_May18_1_RID3003",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://401trg.pw/burning-umbrella/",
            "yara_rule_description": "Detects malware sample from Burning Umbrella report - Generic Winnti Rule",
            "last_hit_utc": "2026-04-23 18:36:35"
        }
    ],
    "778": [
        {
            "sample_cnt": 490,
            "yara_rule_name": "RedLine",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies RedLine stealer.",
            "last_hit_utc": "2023-01-22 23:15:04"
        }
    ],
    "779": [
        {
            "sample_cnt": 489,
            "yara_rule_name": "botnet_mortem_qbot_gafgyt",
            "yara_rule_author": "cip",
            "yara_rule_reference": null,
            "yara_rule_description": "Some strings that stand out from a publicly-available botnet source code (Mortem-qBot-Botnet-Src)",
            "last_hit_utc": "2026-04-26 16:47:35"
        }
    ],
    "780": [
        {
            "sample_cnt": 486,
            "yara_rule_name": "elf_mirai_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects elf.mirai.",
            "last_hit_utc": "2026-04-24 10:11:41"
        }
    ],
    "781": [
        {
            "sample_cnt": 484,
            "yara_rule_name": "SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects RAR file with suspicious .pdf extension prefix to trick users",
            "last_hit_utc": "2026-04-16 14:00:39"
        }
    ],
    "782": [
        {
            "sample_cnt": 483,
            "yara_rule_name": "SUSP_PS1_JAB_Pattern_Jun22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable",
            "last_hit_utc": "2026-04-27 11:01:41"
        }
    ],
    "783": [
        {
            "sample_cnt": 482,
            "yara_rule_name": "exec_macros",
            "yara_rule_author": "ddvvmmzz",
            "yara_rule_reference": "",
            "yara_rule_description": "exec macros",
            "last_hit_utc": "2026-02-22 18:15:54"
        }
    ],
    "784": [
        {
            "sample_cnt": 482,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Windows executables referencing non-Windows User-Agents",
            "last_hit_utc": "2022-11-25 18:32:03"
        }
    ],
    "785": [
        {
            "sample_cnt": 482,
            "yara_rule_name": "Windows_Generic_Threat_808f680e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 15:20:49"
        }
    ],
    "786": [
        {
            "sample_cnt": 481,
            "yara_rule_name": "Lumma",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Lumma Payload",
            "last_hit_utc": "2026-04-24 13:19:29"
        }
    ],
    "787": [
        {
            "sample_cnt": 478,
            "yara_rule_name": "CobaltStrike",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html",
            "yara_rule_description": "detect CobaltStrike Beacon in memory",
            "last_hit_utc": "2026-03-24 14:33:14"
        }
    ],
    "788": [
        {
            "sample_cnt": 478,
            "yara_rule_name": "MAL_XMR_Miner_May19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/",
            "yara_rule_description": "Detects Monero Crypto Coin Miner",
            "last_hit_utc": "2026-04-26 15:48:26"
        }
    ],
    "789": [
        {
            "sample_cnt": 476,
            "yara_rule_name": "xRAT_1_RID2900",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/Pg3P4W",
            "yara_rule_description": "Detects Patchwork malware",
            "last_hit_utc": "2026-04-20 23:03:26"
        }
    ],
    "790": [
        {
            "sample_cnt": 475,
            "yara_rule_name": "Linux_Trojan_Gafgyt_862c4e0e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 09:55:44"
        }
    ],
    "791": [
        {
            "sample_cnt": 475,
            "yara_rule_name": "SUSP_Ngrok_URL",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a PE file that contains an ngrok.io URL. This can be used as C2 channel",
            "last_hit_utc": "2026-04-02 17:37:17"
        }
    ],
    "792": [
        {
            "sample_cnt": 473,
            "yara_rule_name": "MAL_AsnycRAT",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects AsyncRAT based on its config decryption routine",
            "last_hit_utc": "2023-02-26 09:34:04"
        }
    ],
    "793": [
        {
            "sample_cnt": 472,
            "yara_rule_name": "NETDIC208_NOCEX_NOREACTOR",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 02:57:03"
        }
    ],
    "794": [
        {
            "sample_cnt": 466,
            "yara_rule_name": "malware_CobaltStrike_v3v4",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html",
            "yara_rule_description": "detect CobaltStrike Beacon in memory",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "795": [
        {
            "sample_cnt": 466,
            "yara_rule_name": "Vermin_Keylogger_Jan18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
            "yara_rule_description": "Detects Vermin Keylogger",
            "last_hit_utc": "2025-01-05 15:32:17"
        }
    ],
    "796": [
        {
            "sample_cnt": 464,
            "yara_rule_name": "ach_NetSupportRAT_Config",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 09:25:40"
        }
    ],
    "797": [
        {
            "sample_cnt": 464,
            "yara_rule_name": "QbotStuff",
            "yara_rule_author": "anonymous",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 09:18:03"
        }
    ],
    "798": [
        {
            "sample_cnt": 463,
            "yara_rule_name": "AutoIT_Compiled",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies compiled AutoIT script (as EXE).",
            "last_hit_utc": "2023-09-07 10:03:52"
        }
    ],
    "799": [
        {
            "sample_cnt": 463,
            "yara_rule_name": "CN_disclosed_20180208_KeyLogger_1_RID3227",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2026-04-20 23:03:23"
        }
    ],
    "800": [
        {
            "sample_cnt": 463,
            "yara_rule_name": "Vermin_Keylogger_Jan18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
            "yara_rule_description": "Detects Vermin Keylogger",
            "last_hit_utc": "2026-04-20 23:03:26"
        }
    ],
    "801": [
        {
            "sample_cnt": 460,
            "yara_rule_name": "CobaltStrike_ReflectiveLoader_RID3297",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects reflective loader (Cobalt Strike)",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "802": [
        {
            "sample_cnt": 460,
            "yara_rule_name": "INDICATOR_EXE_Packed_ASPack",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with ASPack",
            "last_hit_utc": "2024-01-01 17:47:11"
        }
    ],
    "803": [
        {
            "sample_cnt": 457,
            "yara_rule_name": "Ins_NSIS_Buer_Nov_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect NSIS installer used for Buer loader",
            "last_hit_utc": "2025-03-02 03:13:10"
        }
    ],
    "804": [
        {
            "sample_cnt": 456,
            "yara_rule_name": "Malware_QA_update",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file update.exe",
            "last_hit_utc": "2025-05-22 01:28:49"
        }
    ],
    "805": [
        {
            "sample_cnt": 455,
            "yara_rule_name": "MALWARE_Win_NanoCore",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NanoCore",
            "last_hit_utc": "2026-04-27 16:01:03"
        }
    ],
    "806": [
        {
            "sample_cnt": 452,
            "yara_rule_name": "AgentTesla_mod_tough_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 12:31:35"
        }
    ],
    "807": [
        {
            "sample_cnt": 450,
            "yara_rule_name": "win_nanocore_w0",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 16:01:04"
        }
    ],
    "808": [
        {
            "sample_cnt": 448,
            "yara_rule_name": "AgentTesla_extracted_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "",
            "yara_rule_description": "AgentTesla extracted",
            "last_hit_utc": "2022-11-04 11:29:03"
        }
    ],
    "809": [
        {
            "sample_cnt": 446,
            "yara_rule_name": "malware_Quasar_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "detect QuasarRAT in memory",
            "last_hit_utc": "2026-04-20 23:03:24"
        }
    ],
    "810": [
        {
            "sample_cnt": 444,
            "yara_rule_name": "AsyncRat",
            "yara_rule_author": "kevoreilly, JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "AsyncRat Payload",
            "last_hit_utc": "2023-02-26 09:34:04"
        }
    ],
    "811": [
        {
            "sample_cnt": 443,
            "yara_rule_name": "grakate_stealer_nov_2021",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-12-25 15:12:32"
        }
    ],
    "812": [
        {
            "sample_cnt": 443,
            "yara_rule_name": "Windows_Trojan_Nanocore_d8c4e3c5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 16:01:05"
        }
    ],
    "813": [
        {
            "sample_cnt": 442,
            "yara_rule_name": "win_lumma_generic",
            "yara_rule_author": "dubfib",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-07 00:36:29"
        }
    ],
    "814": [
        {
            "sample_cnt": 441,
            "yara_rule_name": "MALWARE_Win_CobaltStrike",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "CobaltStrike payload",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "815": [
        {
            "sample_cnt": 441,
            "yara_rule_name": "MAL_unspecified_Jan18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects unspecified malware sample",
            "last_hit_utc": "2023-01-20 13:57:03"
        }
    ],
    "816": [
        {
            "sample_cnt": 441,
            "yara_rule_name": "win_njrat_strings_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 18:36:36"
        }
    ],
    "817": [
        {
            "sample_cnt": 439,
            "yara_rule_name": "iot_req_metachar",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-24 07:44:04"
        }
    ],
    "818": [
        {
            "sample_cnt": 437,
            "yara_rule_name": "CobaltStrikeBeacon",
            "yara_rule_author": "ditekshen, enzo & Elastic",
            "yara_rule_reference": null,
            "yara_rule_description": "Cobalt Strike Beacon Payload",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "819": [
        {
            "sample_cnt": 437,
            "yara_rule_name": "MAL_Neshta_Generic_RID2DC9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Neshta malware",
            "last_hit_utc": "2026-03-06 15:18:28"
        }
    ],
    "820": [
        {
            "sample_cnt": 432,
            "yara_rule_name": "ach_Heodo_doc_20201222",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/3f55c8f0115f56a515e0d0d797a3c8b7/",
            "yara_rule_description": "Detects Heodo DOC",
            "last_hit_utc": "2022-10-31 16:12:02"
        }
    ],
    "821": [
        {
            "sample_cnt": 432,
            "yara_rule_name": "CobaltStrike_C2_Encoded_Config_Indicator",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CobaltStrike C2 encoded profile configuration",
            "last_hit_utc": "2021-06-18 07:35:18"
        }
    ],
    "822": [
        {
            "sample_cnt": 432,
            "yara_rule_name": "Quasar_RAT_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2025-01-05 15:32:17"
        }
    ],
    "823": [
        {
            "sample_cnt": 431,
            "yara_rule_name": "MALWARE_Win_Raccoon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Raccoon/Racealer infostealer",
            "last_hit_utc": "2021-09-21 04:41:03"
        }
    ],
    "824": [
        {
            "sample_cnt": 431,
            "yara_rule_name": "RansomwareTest7",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": "",
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2023-02-26 15:22:48"
        }
    ],
    "825": [
        {
            "sample_cnt": 430,
            "yara_rule_name": "attack_India",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 17:59:59"
        }
    ],
    "826": [
        {
            "sample_cnt": 430,
            "yara_rule_name": "Skystars_LightDefender_Njrat_Rule",
            "yara_rule_author": "Skystars LightDefender",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Njrat",
            "last_hit_utc": "2025-09-10 20:33:14"
        }
    ],
    "827": [
        {
            "sample_cnt": 429,
            "yara_rule_name": "Linux_Trojan_Mirai_122ff2e6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-02 10:25:23"
        }
    ],
    "828": [
        {
            "sample_cnt": 428,
            "yara_rule_name": "Linux_Packer_Patched_UPX_62e11c64",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 13:29:26"
        }
    ],
    "829": [
        {
            "sample_cnt": 427,
            "yara_rule_name": "win_cobalt_strike_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-09 11:30:10"
        }
    ],
    "830": [
        {
            "sample_cnt": 426,
            "yara_rule_name": "RedLine_a",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies RedLine stealer.",
            "last_hit_utc": "2026-04-21 15:04:40"
        }
    ],
    "831": [
        {
            "sample_cnt": 425,
            "yara_rule_name": "CobaltStrike_C2_Encoded_XOR_Config_Indicator",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CobaltStrike C2 encoded profile configuration",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "832": [
        {
            "sample_cnt": 425,
            "yara_rule_name": "MAL_AsyncRAT_Config_Decryption",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects AsnycRAT based on it's config decryption routine",
            "last_hit_utc": "2023-02-26 09:34:04"
        }
    ],
    "833": [
        {
            "sample_cnt": 424,
            "yara_rule_name": "INDICATOR_EXE_DotNET_Encrypted",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects encrypted or obfuscated .NET executables",
            "last_hit_utc": "2026-04-26 20:40:42"
        }
    ],
    "834": [
        {
            "sample_cnt": 422,
            "yara_rule_name": "RAT_DarkComet",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/DarkComet",
            "yara_rule_description": "Detects DarkComet RAT",
            "last_hit_utc": "2026-04-26 19:07:27"
        }
    ],
    "835": [
        {
            "sample_cnt": 422,
            "yara_rule_name": "remcos_",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked remcos malware samples.",
            "last_hit_utc": "2025-10-15 12:47:14"
        }
    ],
    "836": [
        {
            "sample_cnt": 422,
            "yara_rule_name": "Windows_Generic_Threat_779cf969",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 15:23:26"
        }
    ],
    "837": [
        {
            "sample_cnt": 421,
            "yara_rule_name": "netwire",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect netwire in memory",
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "838": [
        {
            "sample_cnt": 420,
            "yara_rule_name": "Windows_Trojan_AveMaria_31d2bce9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 03:12:42"
        }
    ],
    "839": [
        {
            "sample_cnt": 419,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables with interest in wireless interface using netsh",
            "last_hit_utc": "2026-04-23 10:06:41"
        }
    ],
    "840": [
        {
            "sample_cnt": 418,
            "yara_rule_name": "Codoso_Gh0st_2_RID2C2E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT Gh0st Malware",
            "last_hit_utc": "2026-03-23 08:46:22"
        }
    ],
    "841": [
        {
            "sample_cnt": 418,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_References_SecTools",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many IR and analysis tools",
            "last_hit_utc": "2026-04-23 12:53:34"
        }
    ],
    "842": [
        {
            "sample_cnt": 418,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_f54632eb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 15:04:41"
        }
    ],
    "843": [
        {
            "sample_cnt": 417,
            "yara_rule_name": "CMD_Shutdown",
            "yara_rule_author": "adm1n_usa32",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 05:07:33"
        }
    ],
    "844": [
        {
            "sample_cnt": 417,
            "yara_rule_name": "INDICATOR_EXE_Packed_MPress",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables built or packed with MPress PE compressor",
            "last_hit_utc": "2022-11-24 18:43:02"
        }
    ],
    "845": [
        {
            "sample_cnt": 417,
            "yara_rule_name": "MacOS_Cryptominer_Xmrig_241780a1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 15:10:36"
        }
    ],
    "846": [
        {
            "sample_cnt": 417,
            "yara_rule_name": "upx_antiunpack_elf32",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "UPX Anti-Unpacking technique to magic renamed for ELF32",
            "last_hit_utc": "2022-11-23 18:51:02"
        }
    ],
    "847": [
        {
            "sample_cnt": 414,
            "yara_rule_name": "CoinMiner_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://minergate.com/faq/what-pool-address",
            "yara_rule_description": "Detects mining pool protocol string in Executable",
            "last_hit_utc": "2026-04-11 14:25:33"
        }
    ],
    "848": [
        {
            "sample_cnt": 412,
            "yara_rule_name": "Malicious_BAT_Strings",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://pastebin.com/8qaiyPxs",
            "yara_rule_description": "Detects a string also used in Netwire RAT auxilliary",
            "last_hit_utc": "2023-01-17 07:04:45"
        }
    ],
    "849": [
        {
            "sample_cnt": 411,
            "yara_rule_name": "Suspicious_BAT_Strings",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://pastebin.com/8qaiyPxs",
            "yara_rule_description": "Detects a string also used in Netwire RAT auxilliary",
            "last_hit_utc": "2023-01-17 07:04:45"
        }
    ],
    "850": [
        {
            "sample_cnt": 410,
            "yara_rule_name": "Windows_Trojan_Donutloader_f40e3759",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-14 10:52:52"
        }
    ],
    "851": [
        {
            "sample_cnt": 408,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables embedding command execution via IExecuteCommand COM object",
            "last_hit_utc": "2026-04-26 03:12:41"
        }
    ],
    "852": [
        {
            "sample_cnt": 407,
            "yara_rule_name": "Cerberus",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "Cerberus",
            "last_hit_utc": "2026-04-14 07:40:49"
        }
    ],
    "853": [
        {
            "sample_cnt": 406,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing possible sandbox analysis VM names",
            "last_hit_utc": "2026-04-26 19:33:24"
        }
    ],
    "854": [
        {
            "sample_cnt": 406,
            "yara_rule_name": "Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021",
            "yara_rule_author": "BlackBerry Threat Research Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Unobfuscated RedLine Infostealer Executables (.NET)",
            "last_hit_utc": "2026-04-21 15:04:40"
        }
    ],
    "855": [
        {
            "sample_cnt": 405,
            "yara_rule_name": "ach_SmokeLoader_xlsb_20201112",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/1a4c3a2a418f90c08c5c5341d517753d/",
            "yara_rule_description": "Detects Quakbot XLSB",
            "last_hit_utc": "2020-11-12 09:54:56"
        }
    ],
    "856": [
        {
            "sample_cnt": 404,
            "yara_rule_name": "RedLine_a",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies RedLine stealer.",
            "last_hit_utc": "2022-11-24 21:08:04"
        }
    ],
    "857": [
        {
            "sample_cnt": 403,
            "yara_rule_name": "rig_win64_xmrig_6_13_1_xmrig",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "rig_win64 - file xmrig.exe",
            "last_hit_utc": "2026-04-26 15:48:27"
        }
    ],
    "858": [
        {
            "sample_cnt": 402,
            "yara_rule_name": "dcrat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 14:28:29"
        }
    ],
    "859": [
        {
            "sample_cnt": 402,
            "yara_rule_name": "Windows_Generic_Threat_4b0b73ce",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 21:44:30"
        }
    ],
    "860": [
        {
            "sample_cnt": 401,
            "yara_rule_name": "Socelars_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/6cd9a083-44e6-48e2-9c21-355c35cb9a57",
            "yara_rule_description": "Socelars stealer",
            "last_hit_utc": "2025-01-05 16:23:19"
        }
    ],
    "861": [
        {
            "sample_cnt": 401,
            "yara_rule_name": "win_qakbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.qakbot.",
            "last_hit_utc": "2022-11-22 21:15:09"
        }
    ],
    "862": [
        {
            "sample_cnt": 400,
            "yara_rule_name": "NETDIC208_NOCEX_NOREACTOR",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-04 14:51:20"
        }
    ],
    "863": [
        {
            "sample_cnt": 399,
            "yara_rule_name": "Linux_Trojan_Gafgyt_46eec778",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 09:55:44"
        }
    ],
    "864": [
        {
            "sample_cnt": 399,
            "yara_rule_name": "SUSP_LNK_SuspiciousCommands",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LNK file with suspicious content",
            "last_hit_utc": "2026-04-27 09:56:27"
        }
    ],
    "865": [
        {
            "sample_cnt": 399,
            "yara_rule_name": "WIN_ClickFix_Detection",
            "yara_rule_author": "dogsafetyforeverone",
            "yara_rule_reference": "ClickFix social engineering and malicious PowerShell commands",
            "yara_rule_description": "Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands",
            "last_hit_utc": "2026-04-25 17:51:27"
        }
    ],
    "866": [
        {
            "sample_cnt": 398,
            "yara_rule_name": "MALWARE_Win_BlackMoon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables using BlackMoon RunTime",
            "last_hit_utc": "2026-04-24 03:31:37"
        }
    ],
    "867": [
        {
            "sample_cnt": 398,
            "yara_rule_name": "quakbot_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-05-18 03:32:54"
        }
    ],
    "868": [
        {
            "sample_cnt": 398,
            "yara_rule_name": "win_stealc_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.stealc.",
            "last_hit_utc": "2026-04-25 21:08:49"
        }
    ],
    "869": [
        {
            "sample_cnt": 396,
            "yara_rule_name": "MSIL_TinyDownloader_Generic",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects small-sized dotNET downloaders",
            "last_hit_utc": "2025-01-15 15:38:02"
        }
    ],
    "870": [
        {
            "sample_cnt": 396,
            "yara_rule_name": "tofsee_yhub",
            "yara_rule_author": "Billy Austin",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Tofsee botnet, also known as Gheg",
            "last_hit_utc": "2022-11-26 15:00:51"
        }
    ],
    "871": [
        {
            "sample_cnt": 395,
            "yara_rule_name": "dcrat_",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked dcrat malware samples.",
            "last_hit_utc": "2025-10-04 11:06:25"
        }
    ],
    "872": [
        {
            "sample_cnt": 395,
            "yara_rule_name": "Nanocore_RAT_Gen_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
            "yara_rule_description": "Detetcs the Nanocore RAT",
            "last_hit_utc": "2026-04-27 16:01:04"
        }
    ],
    "873": [
        {
            "sample_cnt": 395,
            "yara_rule_name": "UPXProtectorv10x2",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 02:11:38"
        }
    ],
    "874": [
        {
            "sample_cnt": 393,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_1787eef5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "CS shellcode variants",
            "last_hit_utc": "2026-04-27 04:44:39"
        }
    ],
    "875": [
        {
            "sample_cnt": 392,
            "yara_rule_name": "command_and_control",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": "",
            "yara_rule_description": "This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group",
            "last_hit_utc": "2022-12-25 15:12:32"
        }
    ],
    "876": [
        {
            "sample_cnt": 392,
            "yara_rule_name": "SUSP_netsh_firewall_command",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:02:03"
        }
    ],
    "877": [
        {
            "sample_cnt": 391,
            "yara_rule_name": "XMRIG_Monero_Miner",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/xmrig/xmrig/releases",
            "yara_rule_description": "Detects Monero mining software",
            "last_hit_utc": "2025-01-05 15:37:02"
        }
    ],
    "878": [
        {
            "sample_cnt": 390,
            "yara_rule_name": "Nanocore_RAT_Feb18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research - T2T",
            "yara_rule_description": "Detects Nanocore RAT",
            "last_hit_utc": "2026-04-27 16:01:03"
        }
    ],
    "879": [
        {
            "sample_cnt": 390,
            "yara_rule_name": "Windows_Trojan_Quasarrat_e52df647",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-20 23:03:26"
        }
    ],
    "880": [
        {
            "sample_cnt": 388,
            "yara_rule_name": "ach_Quakbot_xlsb_20201020",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/010b2364821b624364526c70bb941d67/",
            "yara_rule_description": "Detects Quakbot XLS",
            "last_hit_utc": "2021-01-09 13:33:34"
        }
    ],
    "881": [
        {
            "sample_cnt": 385,
            "yara_rule_name": "botnet_unknown",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "unknown botnet",
            "last_hit_utc": "2026-04-22 20:40:48"
        }
    ],
    "882": [
        {
            "sample_cnt": 383,
            "yara_rule_name": "BlackGuard_Rule",
            "yara_rule_author": "Jiho Kim",
            "yara_rule_reference": "https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection",
            "yara_rule_description": "Yara rule for BlackGuarad Stealer v1.0 - v3.0",
            "last_hit_utc": "2026-04-26 05:07:33"
        }
    ],
    "883": [
        {
            "sample_cnt": 382,
            "yara_rule_name": "elf_mirai_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects elf.mirai.",
            "last_hit_utc": "2022-11-12 18:25:05"
        }
    ],
    "884": [
        {
            "sample_cnt": 382,
            "yara_rule_name": "INDICATOR_EXE_Packed_Goliath",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with Goliath",
            "last_hit_utc": "2022-11-24 11:19:02"
        }
    ],
    "885": [
        {
            "sample_cnt": 381,
            "yara_rule_name": "INDICATOR_EXE_Packed_Babel",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with Babel",
            "last_hit_utc": "2022-11-16 13:26:03"
        }
    ],
    "886": [
        {
            "sample_cnt": 380,
            "yara_rule_name": "malware_Stealc_str",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Stealc infostealer",
            "last_hit_utc": "2026-03-27 03:15:26"
        }
    ],
    "887": [
        {
            "sample_cnt": 380,
            "yara_rule_name": "Windows_Trojan_Winos_464b8a2e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:44:32"
        }
    ],
    "888": [
        {
            "sample_cnt": 377,
            "yara_rule_name": "Check_VmTools",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:46:22"
        }
    ],
    "889": [
        {
            "sample_cnt": 377,
            "yara_rule_name": "Linux_Trojan_Mirai_7d05725e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:58:17"
        }
    ],
    "890": [
        {
            "sample_cnt": 375,
            "yara_rule_name": "Windows_Generic_Threat_efdb9e81",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-08 01:32:27"
        }
    ],
    "891": [
        {
            "sample_cnt": 374,
            "yara_rule_name": "Linux_Trojan_Gafgyt_656bf077",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 09:55:44"
        }
    ],
    "892": [
        {
            "sample_cnt": 374,
            "yara_rule_name": "Linux_Trojan_Gafgyt_e0673a90",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 09:55:44"
        }
    ],
    "893": [
        {
            "sample_cnt": 372,
            "yara_rule_name": "APT_CobaltStrike_Beacon_Indicator",
            "yara_rule_author": "JPCERT",
            "yara_rule_reference": "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py",
            "yara_rule_description": "Detects CobaltStrike beacons",
            "last_hit_utc": "2026-03-24 14:33:14"
        }
    ],
    "894": [
        {
            "sample_cnt": 371,
            "yara_rule_name": "SUSP_Double_Base64_Encoded_Executable_RID34CC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/TweeterCyber/status/1189073238803877889",
            "yara_rule_description": "Detects an executable that has been encoded with base64 twice",
            "last_hit_utc": "2026-04-18 18:52:39"
        }
    ],
    "895": [
        {
            "sample_cnt": 370,
            "yara_rule_name": "Glupteba",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-14 15:30:35"
        }
    ],
    "896": [
        {
            "sample_cnt": 370,
            "yara_rule_name": "INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects OLE documents potentially exploiting CVE-2017-11882",
            "last_hit_utc": "2022-11-26 12:49:03"
        }
    ],
    "897": [
        {
            "sample_cnt": 370,
            "yara_rule_name": "Quasar_RAT_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2026-04-20 23:03:25"
        }
    ],
    "898": [
        {
            "sample_cnt": 368,
            "yara_rule_name": "Redline_Hunter",
            "yara_rule_author": "Potato",
            "yara_rule_reference": null,
            "yara_rule_description": "Unpacked RedLine Hunter",
            "last_hit_utc": "2025-01-05 15:57:05"
        }
    ],
    "899": [
        {
            "sample_cnt": 368,
            "yara_rule_name": "Windows_Trojan_Metasploit_c9773203",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm",
            "yara_rule_description": "Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.",
            "last_hit_utc": "2026-04-22 20:38:24"
        }
    ],
    "900": [
        {
            "sample_cnt": 367,
            "yara_rule_name": "INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects CVE-2017-8759 weaponized RTF documents.",
            "last_hit_utc": "2025-11-20 13:47:26"
        }
    ],
    "901": [
        {
            "sample_cnt": 366,
            "yara_rule_name": "Diff_QuasarRAT_01",
            "yara_rule_author": "schmidtsz",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify QuasarRAT samples",
            "last_hit_utc": "2026-04-27 04:44:22"
        }
    ],
    "902": [
        {
            "sample_cnt": 366,
            "yara_rule_name": "MacOS_Cryptominer_Generic_333129b7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:11:35"
        }
    ],
    "903": [
        {
            "sample_cnt": 365,
            "yara_rule_name": "Linux_Trojan_Mirai_fa48b592",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-02 10:25:23"
        }
    ],
    "904": [
        {
            "sample_cnt": 365,
            "yara_rule_name": "MALWARE_Win_zgRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects zgRAT",
            "last_hit_utc": "2025-01-05 17:24:54"
        }
    ],
    "905": [
        {
            "sample_cnt": 365,
            "yara_rule_name": "Weedhack_Family_Generic",
            "yara_rule_author": "jlab",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic Weedhack family detection",
            "last_hit_utc": "2026-04-27 18:00:06"
        }
    ],
    "906": [
        {
            "sample_cnt": 363,
            "yara_rule_name": "WannaCry_Ransomware",
            "yara_rule_author": "Florian Roth (Nextron Systems) (with the help of binar.ly)",
            "yara_rule_reference": "https://goo.gl/HG2j5T",
            "yara_rule_description": "Detects WannaCry Ransomware",
            "last_hit_utc": "2026-03-29 14:33:22"
        }
    ],
    "907": [
        {
            "sample_cnt": 361,
            "yara_rule_name": "Detect_MSI_LATAM_Banker_From_LatAm",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 11:37:25"
        }
    ],
    "908": [
        {
            "sample_cnt": 361,
            "yara_rule_name": "xRAT_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/Pg3P4W",
            "yara_rule_description": "Detects Patchwork malware",
            "last_hit_utc": "2026-04-20 23:03:26"
        }
    ],
    "909": [
        {
            "sample_cnt": 360,
            "yara_rule_name": "Windows_Trojan_Tofsee_26124fe4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 15:00:51"
        }
    ],
    "910": [
        {
            "sample_cnt": 359,
            "yara_rule_name": "cobalt_strike_beacon_detected",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects cobalt strike beacons.",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "911": [
        {
            "sample_cnt": 359,
            "yara_rule_name": "MALWARE_Win_CoinMiner02",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects coinmining malware",
            "last_hit_utc": "2026-04-26 15:48:26"
        }
    ],
    "912": [
        {
            "sample_cnt": 356,
            "yara_rule_name": "Archive_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies archive (compressed) files in shortcut (LNK) files.",
            "last_hit_utc": "2026-04-27 10:07:31"
        }
    ],
    "913": [
        {
            "sample_cnt": 356,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_B64_Artifacts",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.",
            "last_hit_utc": "2026-04-09 08:35:56"
        }
    ],
    "914": [
        {
            "sample_cnt": 355,
            "yara_rule_name": "MALWARE_Win_Grum",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Grum spam bot",
            "last_hit_utc": "2026-04-14 10:40:20"
        }
    ],
    "915": [
        {
            "sample_cnt": 354,
            "yara_rule_name": "Linux_Trojan_Mirai_3a85a418",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 06:07:21"
        }
    ],
    "916": [
        {
            "sample_cnt": 353,
            "yara_rule_name": "OBFUS_PowerShell_Common_Replace",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the common usage of replace for obfuscation",
            "last_hit_utc": "2026-04-25 17:28:36"
        }
    ],
    "917": [
        {
            "sample_cnt": 353,
            "yara_rule_name": "win_valley_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.valley_rat.",
            "last_hit_utc": "2026-01-14 13:50:40"
        }
    ],
    "918": [
        {
            "sample_cnt": 351,
            "yara_rule_name": "CN_disclosed_20180208_KeyLogger_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2026-04-20 23:03:23"
        }
    ],
    "919": [
        {
            "sample_cnt": 351,
            "yara_rule_name": "Gh0stKCP",
            "yara_rule_author": "Netresec",
            "yara_rule_reference": "https://netresec.com/?b=259a5af",
            "yara_rule_description": "Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.",
            "last_hit_utc": "2026-04-27 04:44:32"
        }
    ],
    "920": [
        {
            "sample_cnt": 351,
            "yara_rule_name": "PK_PUMP_AND_DUMP",
            "yara_rule_author": "Will Metcalf @node5",
            "yara_rule_reference": null,
            "yara_rule_description": "Walks the Zip Central Directory filename entries looking for an abused extension, then checks for a file that is at least 25M, and then checks how the uncompressed size compares with the compressed size",
            "last_hit_utc": "2026-04-23 11:39:31"
        }
    ],
    "921": [
        {
            "sample_cnt": 350,
            "yara_rule_name": "MAL_BackNet_Nov18_1_RID2D6D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/valsov/BackNet",
            "yara_rule_description": "Detects BackNet samples",
            "last_hit_utc": "2026-04-14 07:46:06"
        }
    ],
    "922": [
        {
            "sample_cnt": 348,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_15ee6903",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 15:04:41"
        }
    ],
    "923": [
        {
            "sample_cnt": 347,
            "yara_rule_name": "Check_VBox_Guest_Additions",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:46:22"
        }
    ],
    "924": [
        {
            "sample_cnt": 346,
            "yara_rule_name": "AveMaria_WarZone",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-01-18 12:49:25"
        }
    ],
    "925": [
        {
            "sample_cnt": 346,
            "yara_rule_name": "MAL_ELF_LNX_Mirai_Oct10_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ELF Mirai variant",
            "last_hit_utc": "2025-01-05 15:37:38"
        }
    ],
    "926": [
        {
            "sample_cnt": 346,
            "yara_rule_name": "Windows_Trojan_Metasploit_c9773203",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm",
            "yara_rule_description": "Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.",
            "last_hit_utc": "2026-04-22 20:38:24"
        }
    ],
    "927": [
        {
            "sample_cnt": 345,
            "yara_rule_name": "Linux_Trojan_Mirai_575f5bc8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 14:55:31"
        }
    ],
    "928": [
        {
            "sample_cnt": 345,
            "yara_rule_name": "Quasar_RAT_1",
            "yara_rule_author": "@SOCRadar",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2026-04-20 23:03:25"
        }
    ],
    "929": [
        {
            "sample_cnt": 343,
            "yara_rule_name": "elf_bashlite_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects elf.bashlite.",
            "last_hit_utc": "2026-04-24 09:55:43"
        }
    ],
    "930": [
        {
            "sample_cnt": 343,
            "yara_rule_name": "Quasar_RAT_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2026-04-20 23:03:25"
        }
    ],
    "931": [
        {
            "sample_cnt": 342,
            "yara_rule_name": "elf_persirai_w0",
            "yara_rule_author": "Tim Yeh",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Persirai Botnet Malware",
            "last_hit_utc": "2026-04-01 22:02:57"
        }
    ],
    "932": [
        {
            "sample_cnt": 341,
            "yara_rule_name": "Windows_Trojan_DCRat_1aeea1ac",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-09 08:36:18"
        }
    ],
    "933": [
        {
            "sample_cnt": 340,
            "yara_rule_name": "xmrig_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 15:48:27"
        }
    ],
    "934": [
        {
            "sample_cnt": 339,
            "yara_rule_name": "malware_Njrat_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "detect njRAT in memory",
            "last_hit_utc": "2022-11-25 14:52:03"
        }
    ],
    "935": [
        {
            "sample_cnt": 339,
            "yara_rule_name": "MAL_Winnti_Sample_May18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://401trg.pw/burning-umbrella/",
            "yara_rule_description": "Detects malware sample from Burning Umbrella report - Generic Winnti Rule",
            "last_hit_utc": "2026-04-23 18:36:35"
        }
    ],
    "936": [
        {
            "sample_cnt": 339,
            "yara_rule_name": "sfx_pdb",
            "yara_rule_author": "@razvialex",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect interesting files containing sfx with pdb paths.",
            "last_hit_utc": "2022-11-26 10:36:02"
        }
    ],
    "937": [
        {
            "sample_cnt": 338,
            "yara_rule_name": "Quasar_RAT_2",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2026-04-20 23:03:25"
        }
    ],
    "938": [
        {
            "sample_cnt": 337,
            "yara_rule_name": "Intezer_Vaccine_DarkComet",
            "yara_rule_author": "Intezer Labs",
            "yara_rule_reference": "https://analyze.intezer.com",
            "yara_rule_description": "Automatic YARA vaccination rule created based on the file's genes",
            "last_hit_utc": "2026-04-26 19:07:27"
        }
    ],
    "939": [
        {
            "sample_cnt": 337,
            "yara_rule_name": "SUSP_RAR_with_PDF_Script_Obfuscation",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects RAR file with suspicious .pdf extension prefix to trick users",
            "last_hit_utc": "2026-04-16 14:00:39"
        }
    ],
    "940": [
        {
            "sample_cnt": 336,
            "yara_rule_name": "Linux_Trojan_Gafgyt_27de1106",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 07:58:29"
        }
    ],
    "941": [
        {
            "sample_cnt": 336,
            "yara_rule_name": "Linux_Trojan_Gafgyt_f51c5ac3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 07:58:29"
        }
    ],
    "942": [
        {
            "sample_cnt": 335,
            "yara_rule_name": "RAT_HawkEye",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/HawkEye",
            "yara_rule_description": "Detects HawkEye RAT",
            "last_hit_utc": "2025-03-25 16:03:35"
        }
    ],
    "943": [
        {
            "sample_cnt": 334,
            "yara_rule_name": "silentbuilder_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-05-18 03:32:54"
        }
    ],
    "944": [
        {
            "sample_cnt": 333,
            "yara_rule_name": "ShellScript_Downloader",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Generic ShellScript Downloader",
            "last_hit_utc": "2025-01-03 21:18:10"
        }
    ],
    "945": [
        {
            "sample_cnt": 333,
            "yara_rule_name": "SUSP_LNX_Base64_Exec_Apr24",
            "yara_rule_author": "Christian Burkard",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)",
            "last_hit_utc": "2026-04-27 18:31:17"
        }
    ],
    "946": [
        {
            "sample_cnt": 332,
            "yara_rule_name": "dcrat_kingrat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 14:28:29"
        }
    ],
    "947": [
        {
            "sample_cnt": 331,
            "yara_rule_name": "botnet_Vixaati",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Vixaati botnet",
            "last_hit_utc": "2026-04-22 20:40:49"
        }
    ],
    "948": [
        {
            "sample_cnt": 331,
            "yara_rule_name": "dcrat_rkp",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects DCRat payloads",
            "last_hit_utc": "2026-04-21 14:28:29"
        }
    ],
    "949": [
        {
            "sample_cnt": 331,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_f0b627fc",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for beacon reflective loader",
            "last_hit_utc": "2026-04-27 04:44:39"
        }
    ],
    "950": [
        {
            "sample_cnt": 329,
            "yara_rule_name": "EnigmaStub",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Enigma packer stub.",
            "last_hit_utc": "2023-03-09 18:32:46"
        }
    ],
    "951": [
        {
            "sample_cnt": 329,
            "yara_rule_name": "MALWARE_Win_Neshta",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Neshta",
            "last_hit_utc": "2026-03-06 15:18:28"
        }
    ],
    "952": [
        {
            "sample_cnt": 329,
            "yara_rule_name": "SUSP_Reverse_Run_Key",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects a Reversed Run Key",
            "last_hit_utc": "2023-02-26 09:34:04"
        }
    ],
    "953": [
        {
            "sample_cnt": 328,
            "yara_rule_name": "Hawkeye",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect HawkEye in memory",
            "last_hit_utc": "2025-03-25 16:03:35"
        }
    ],
    "954": [
        {
            "sample_cnt": 328,
            "yara_rule_name": "XMRIG_Miner",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-01 20:35:54"
        }
    ],
    "955": [
        {
            "sample_cnt": 327,
            "yara_rule_name": "crime_ZZ_botnet_aicm",
            "yara_rule_author": "imp0rtp3",
            "yara_rule_reference": "https://twitter.com/IntezerLabs/status/1401869234511175683",
            "yara_rule_description": "DDoS Golang Botnet sample for linux called 'aicm'",
            "last_hit_utc": "2026-02-18 16:31:15"
        }
    ],
    "956": [
        {
            "sample_cnt": 327,
            "yara_rule_name": "INDICATOR_EXE_Packed_Fody",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables manipulated with Fody",
            "last_hit_utc": "2025-06-04 23:14:22"
        }
    ],
    "957": [
        {
            "sample_cnt": 327,
            "yara_rule_name": "Long_RelativePath_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.",
            "last_hit_utc": "2022-11-15 11:28:03"
        }
    ],
    "958": [
        {
            "sample_cnt": 327,
            "yara_rule_name": "win_tofsee",
            "yara_rule_author": "akrasuski1",
            "yara_rule_reference": "https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining",
            "yara_rule_description": "Tofsee malware",
            "last_hit_utc": "2024-02-07 14:44:04"
        }
    ],
    "959": [
        {
            "sample_cnt": 326,
            "yara_rule_name": "Linux_Trojan_Gafgyt_fb14e81f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "0fd07e6068a721774716eb4940e2c19faef02d5bdacf3b018bf5995fa98a3a27",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-03 12:25:26"
        }
    ],
    "960": [
        {
            "sample_cnt": 326,
            "yara_rule_name": "Windows_Trojan_Metasploit_7bc0f998",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies the API address lookup function leveraged by Metasploit shellcode",
            "last_hit_utc": "2026-04-22 20:38:23"
        }
    ],
    "961": [
        {
            "sample_cnt": 325,
            "yara_rule_name": "MALW_cobaltrike",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
            "yara_rule_description": "Rule to detect CobaltStrike beacon",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "962": [
        {
            "sample_cnt": 325,
            "yara_rule_name": "SUSP_Discord_Attachments_URL",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a PE file that contains a Discord Attachments URL. This is often used by malware to download further payloads",
            "last_hit_utc": "2026-04-25 08:57:34"
        }
    ],
    "963": [
        {
            "sample_cnt": 325,
            "yara_rule_name": "win_tofsee_bot",
            "yara_rule_author": "akrasuski1",
            "yara_rule_reference": null,
            "yara_rule_description": "Tofsee malware",
            "last_hit_utc": "2026-04-14 10:40:20"
        }
    ],
    "964": [
        {
            "sample_cnt": 324,
            "yara_rule_name": "HKTL_CobaltStrike_Beacon_4_2_Decrypt",
            "yara_rule_author": "Elastic",
            "yara_rule_reference": "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures",
            "yara_rule_description": "Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "965": [
        {
            "sample_cnt": 324,
            "yara_rule_name": "win_cobalt_strike_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cobalt_strike.",
            "last_hit_utc": "2026-04-27 04:44:39"
        }
    ],
    "966": [
        {
            "sample_cnt": 324,
            "yara_rule_name": "win_hawkeye_keylogger_w0",
            "yara_rule_author": " Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-04 07:23:08"
        }
    ],
    "967": [
        {
            "sample_cnt": 323,
            "yara_rule_name": "ValleyRAT",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ValleyRAT",
            "last_hit_utc": "2026-04-25 21:44:29"
        }
    ],
    "968": [
        {
            "sample_cnt": 322,
            "yara_rule_name": "INDICATOR_SUSPICOUS_EXE_References_VEEAM",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing many references to VEEAM. Observed in ransomware",
            "last_hit_utc": "2026-04-03 06:50:22"
        }
    ],
    "969": [
        {
            "sample_cnt": 322,
            "yara_rule_name": "MAL_BackNet_Nov18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/valsov/BackNet",
            "yara_rule_description": "Detects BackNet samples",
            "last_hit_utc": "2026-04-14 07:46:06"
        }
    ],
    "970": [
        {
            "sample_cnt": 322,
            "yara_rule_name": "XMRIG_Monero_Miner_RID2DC1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/xmrig/xmrig/releases",
            "yara_rule_description": "Detects Monero mining software",
            "last_hit_utc": "2025-10-08 22:10:42"
        }
    ],
    "971": [
        {
            "sample_cnt": 321,
            "yara_rule_name": "GenericRedLineLike",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "Matches RedLine-like stealer; may match its variants.",
            "last_hit_utc": "2026-04-08 01:32:25"
        }
    ],
    "972": [
        {
            "sample_cnt": 321,
            "yara_rule_name": "INDICATOR_KB_CERT_02b6656292310b84022db5541bc48faf",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-04-29 00:11:59"
        }
    ],
    "973": [
        {
            "sample_cnt": 321,
            "yara_rule_name": "RAT_Sakula",
            "yara_rule_author": "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings",
            "yara_rule_reference": "http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara",
            "yara_rule_description": "Detects Sakula v1.0 RAT",
            "last_hit_utc": "2025-06-16 16:28:22"
        }
    ],
    "974": [
        {
            "sample_cnt": 320,
            "yara_rule_name": "adonunix",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "AD on UNIX",
            "last_hit_utc": "2021-03-04 13:45:07"
        }
    ],
    "975": [
        {
            "sample_cnt": 320,
            "yara_rule_name": "HUNTING_SUSP_TLS_SECTION",
            "yara_rule_author": "chaosphere",
            "yara_rule_reference": "Practical Malware Analysis - Chapter 16",
            "yara_rule_description": "Detect PE files with .tls section that can be used for anti-debugging",
            "last_hit_utc": "2025-11-23 10:45:16"
        }
    ],
    "976": [
        {
            "sample_cnt": 319,
            "yara_rule_name": "Beacon_K5om_RID2B14",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
            "yara_rule_description": "Detects Meterpreter Beacon - file K5om.dll",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "977": [
        {
            "sample_cnt": 319,
            "yara_rule_name": "CN_disclosed_20180208_KeyLogger_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2025-01-05 15:32:16"
        }
    ],
    "978": [
        {
            "sample_cnt": 319,
            "yara_rule_name": "Leviathan_CobaltStrike_Sample_1_RID3324",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/MZ7dRg",
            "yara_rule_description": "Detects Cobalt Strike sample from Leviathan report",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "979": [
        {
            "sample_cnt": 319,
            "yara_rule_name": "Nighthawk_RAT",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Nighthawk RAT",
            "last_hit_utc": "2025-01-05 15:27:03"
        }
    ],
    "980": [
        {
            "sample_cnt": 319,
            "yara_rule_name": "WiltedTulip_ReflectiveLoader",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "981": [
        {
            "sample_cnt": 319,
            "yara_rule_name": "win_xorist_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.xorist.",
            "last_hit_utc": "2026-04-24 23:16:32"
        }
    ],
    "982": [
        {
            "sample_cnt": 318,
            "yara_rule_name": "Cobaltstrike1",
            "yara_rule_author": "Ahmet Payaslioglu | Binalyze DFIR LAB",
            "yara_rule_reference": null,
            "yara_rule_description": "Cobalt Strike Detection",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "983": [
        {
            "sample_cnt": 318,
            "yara_rule_name": "Cobaltstrike2",
            "yara_rule_author": "Ahmet Payaslioglu | Binalyze DFIR LAB",
            "yara_rule_reference": null,
            "yara_rule_description": "Cobalt Strike Detection",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "984": [
        {
            "sample_cnt": 317,
            "yara_rule_name": "HiveRansomware",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule To Detect Hive V4 Ransomware",
            "last_hit_utc": "2022-12-25 15:12:33"
        }
    ],
    "985": [
        {
            "sample_cnt": 317,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_7f8da98a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-08 20:56:34"
        }
    ],
    "986": [
        {
            "sample_cnt": 317,
            "yara_rule_name": "win_rat_generic",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting generic RAT malware",
            "last_hit_utc": "2025-11-23 10:44:40"
        }
    ],
    "987": [
        {
            "sample_cnt": 316,
            "yara_rule_name": "Qbot_Gafgyt_Bashlite",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-21 14:15:34"
        }
    ],
    "988": [
        {
            "sample_cnt": 316,
            "yara_rule_name": "SUSP_obfuscated_JS_obfuscatorio",
            "yara_rule_author": "@imp0rtp3",
            "yara_rule_reference": "https://obfuscator.io",
            "yara_rule_description": "Detects JS obfuscation done by the js obfuscator (often malicious)",
            "last_hit_utc": "2025-05-09 12:57:10"
        }
    ],
    "989": [
        {
            "sample_cnt": 316,
            "yara_rule_name": "troj_win_cobaltstrike_memoryinject",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Cobalt Strike payload typically loaded into memory via PowerShell.",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "990": [
        {
            "sample_cnt": 315,
            "yara_rule_name": "ACE_Containing_EXE",
            "yara_rule_author": "Florian Roth - based on Nick Hoffman' rule - Morphick Inc",
            "yara_rule_reference": "",
            "yara_rule_description": "Looks for ACE Archives containing an exe/scr file",
            "last_hit_utc": "2022-11-21 08:15:03"
        }
    ],
    "991": [
        {
            "sample_cnt": 315,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables embedding registry key / value combination indicative of disabling Windows Defender features",
            "last_hit_utc": "2025-04-26 21:37:09"
        }
    ],
    "992": [
        {
            "sample_cnt": 315,
            "yara_rule_name": "xRAT_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/Pg3P4W",
            "yara_rule_description": "Detects Patchwork malware",
            "last_hit_utc": "2025-01-05 15:32:17"
        }
    ],
    "993": [
        {
            "sample_cnt": 314,
            "yara_rule_name": "RSharedStrings",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "identifiers for remote and gmremote",
            "last_hit_utc": "2026-04-17 04:57:33"
        }
    ],
    "994": [
        {
            "sample_cnt": 314,
            "yara_rule_name": "win_amadey_bytecodes_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-26 18:04:20"
        }
    ],
    "995": [
        {
            "sample_cnt": 313,
            "yara_rule_name": "agent_tesla_2019",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-07 18:16:06"
        }
    ],
    "996": [
        {
            "sample_cnt": 313,
            "yara_rule_name": "Guloader_VBScript",
            "yara_rule_author": "Ankit Anubhav - ankitanubhav.info",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GuLoader/CloudEye VBScripts",
            "last_hit_utc": "2026-01-16 16:37:27"
        }
    ],
    "997": [
        {
            "sample_cnt": 312,
            "yara_rule_name": "Windows_Generic_Threat_e5f4703f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:09:46"
        }
    ],
    "998": [
        {
            "sample_cnt": 311,
            "yara_rule_name": "enterpriseunix2",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": "",
            "yara_rule_description": "Enterprise UNIX",
            "last_hit_utc": "2022-11-17 02:15:02"
        }
    ],
    "999": [
        {
            "sample_cnt": 309,
            "yara_rule_name": "Codoso_Gh0st_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT Gh0st Malware",
            "last_hit_utc": "2026-03-23 08:46:22"
        }
    ],
    "1000": [
        {
            "sample_cnt": 309,
            "yara_rule_name": "INDICATOR_RTF_Exploit_Scripting",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.",
            "last_hit_utc": "2022-11-09 07:11:02"
        }
    ],
    "1001": [
        {
            "sample_cnt": 308,
            "yara_rule_name": "Cobaltbaltstrike_Beacon_x64",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "1002": [
        {
            "sample_cnt": 305,
            "yara_rule_name": "SUSP_Scheduled_Tasks_Create_From_Susp_Dir",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a PowerShell Script that creates a Scheduled Task that runs from a suspicious directory",
            "last_hit_utc": "2026-04-27 15:02:46"
        }
    ],
    "1003": [
        {
            "sample_cnt": 305,
            "yara_rule_name": "win_cobaltstrike_pipe_strings_nov_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects default strings related to cobalt strike named pipes",
            "last_hit_utc": "2026-04-08 20:56:33"
        }
    ],
    "1004": [
        {
            "sample_cnt": 304,
            "yara_rule_name": "CobaltStrike_MZ_Launcher",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CobaltStrike MZ header ReflectiveLoader launcher",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "1005": [
        {
            "sample_cnt": 304,
            "yara_rule_name": "Malware_QA_vqgk",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file vqgk.dll",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "1006": [
        {
            "sample_cnt": 304,
            "yara_rule_name": "win_agent_tesla_ab4444e9",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": "",
            "yara_rule_description": "detects Agent Tesla",
            "last_hit_utc": "2022-11-21 14:04:43"
        }
    ],
    "1007": [
        {
            "sample_cnt": 302,
            "yara_rule_name": "Golangmalware",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": "",
            "yara_rule_description": "Malware in Golang",
            "last_hit_utc": "2022-12-25 15:12:32"
        }
    ],
    "1008": [
        {
            "sample_cnt": 302,
            "yara_rule_name": "Large_filesize_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.",
            "last_hit_utc": "2026-04-16 17:53:27"
        }
    ],
    "1009": [
        {
            "sample_cnt": 301,
            "yara_rule_name": "APT_DustSquad_PE_Nov19_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/Rmy_Reserve/status/1197448735422238721",
            "yara_rule_description": "Detection Rule for APT DustSquad campaign Nov19",
            "last_hit_utc": "2026-04-20 23:18:42"
        }
    ],
    "1010": [
        {
            "sample_cnt": 301,
            "yara_rule_name": "MALWARE_Win_EXEPWSH_DLAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SystemBC",
            "last_hit_utc": "2023-05-13 22:58:12"
        }
    ],
    "1011": [
        {
            "sample_cnt": 300,
            "yara_rule_name": "dgaaga",
            "yara_rule_author": "Harshit",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious PowerShell or registry activity",
            "last_hit_utc": "2026-04-27 16:04:55"
        }
    ],
    "1012": [
        {
            "sample_cnt": 300,
            "yara_rule_name": "Linux_Trojan_Gafgyt_31796a40",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:50:39"
        }
    ],
    "1013": [
        {
            "sample_cnt": 300,
            "yara_rule_name": "win_oski_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-14 00:32:04"
        }
    ],
    "1014": [
        {
            "sample_cnt": 299,
            "yara_rule_name": "dsc",
            "yara_rule_author": "Aaron DeVera",
            "yara_rule_reference": "",
            "yara_rule_description": "Discord domains",
            "last_hit_utc": "2022-11-25 07:44:03"
        }
    ],
    "1015": [
        {
            "sample_cnt": 299,
            "yara_rule_name": "win_xfilesstealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.xfilesstealer.",
            "last_hit_utc": "2023-12-11 21:47:28"
        }
    ],
    "1016": [
        {
            "sample_cnt": 298,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_3dc22d14",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:44:39"
        }
    ],
    "1017": [
        {
            "sample_cnt": 297,
            "yara_rule_name": "Linux_Trojan_Mirai_1cb033f3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 07:01:40"
        }
    ],
    "1018": [
        {
            "sample_cnt": 297,
            "yara_rule_name": "MAL_njrat",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-25 14:52:03"
        }
    ],
    "1019": [
        {
            "sample_cnt": 297,
            "yara_rule_name": "obfuscate_macros",
            "yara_rule_author": "ddvvmmzz",
            "yara_rule_reference": "",
            "yara_rule_description": "obfuscate macros",
            "last_hit_utc": "2022-07-11 12:27:40"
        }
    ],
    "1020": [
        {
            "sample_cnt": 296,
            "yara_rule_name": "Detect_all_IPv6_variants",
            "yara_rule_author": "Bierchermuesli",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic IPv6 catcher",
            "last_hit_utc": "2026-04-27 18:00:01"
        }
    ],
    "1021": [
        {
            "sample_cnt": 296,
            "yara_rule_name": "MALWARE_Win_EXEPWSH_DLAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SystemBC",
            "last_hit_utc": "2026-04-27 15:04:24"
        }
    ],
    "1022": [
        {
            "sample_cnt": 295,
            "yara_rule_name": "ach_202409_html_FedEx_phish",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects potential HTML FedEx phishing forms",
            "last_hit_utc": "2026-04-25 20:23:28"
        }
    ],
    "1023": [
        {
            "sample_cnt": 294,
            "yara_rule_name": "Tsunami_Backdoor",
            "yara_rule_author": "@is_henderson",
            "yara_rule_reference": "",
            "yara_rule_description": "Tsunami Backdoor",
            "last_hit_utc": "2022-10-16 12:10:04"
        }
    ],
    "1024": [
        {
            "sample_cnt": 293,
            "yara_rule_name": "AutoIT_Script",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies AutoIT script.  This rule by itself does NOT necessarily mean the detected file is malicious.",
            "last_hit_utc": "2026-04-24 11:17:29"
        }
    ],
    "1025": [
        {
            "sample_cnt": 292,
            "yara_rule_name": "Linux_Trojan_Tsunami_8a11f9be",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-11 15:52:31"
        }
    ],
    "1026": [
        {
            "sample_cnt": 291,
            "yara_rule_name": "Windows_Trojan_AgentTesla_d3ac2b2f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:52:04"
        }
    ],
    "1027": [
        {
            "sample_cnt": 290,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion",
            "last_hit_utc": "2025-04-26 21:37:09"
        }
    ],
    "1028": [
        {
            "sample_cnt": 289,
            "yara_rule_name": "botnet_Kaiten",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Kaiten botnet",
            "last_hit_utc": "2026-04-22 20:40:48"
        }
    ],
    "1029": [
        {
            "sample_cnt": 289,
            "yara_rule_name": "MAL_Neshta_Generic",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Neshta malware",
            "last_hit_utc": "2026-03-06 15:18:28"
        }
    ],
    "1030": [
        {
            "sample_cnt": 289,
            "yara_rule_name": "SUSP_NET_Msil_Suspicious_Use_StrReverse",
            "yara_rule_author": "dr4k0nia, modified by Florian Roth",
            "yara_rule_reference": "https://github.com/dr4k0nia/yara-rules",
            "yara_rule_description": "Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse",
            "last_hit_utc": "2026-04-27 16:05:01"
        }
    ],
    "1031": [
        {
            "sample_cnt": 288,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_ee756db7",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Attempts to detect Cobalt Strike based on strings found in BEACON",
            "last_hit_utc": "2026-03-26 15:28:17"
        }
    ],
    "1032": [
        {
            "sample_cnt": 287,
            "yara_rule_name": "AgentTesla",
            "yara_rule_author": "Harish Kumar P",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule to Detect AgentTesla",
            "last_hit_utc": "2026-04-09 10:06:30"
        }
    ],
    "1033": [
        {
            "sample_cnt": 287,
            "yara_rule_name": "Linux_Generic_Threat_e24558e1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-11 15:29:15"
        }
    ],
    "1034": [
        {
            "sample_cnt": 286,
            "yara_rule_name": "Execution_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies execution artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2022-11-14 19:55:05"
        }
    ],
    "1035": [
        {
            "sample_cnt": 286,
            "yara_rule_name": "Linux_Trojan_Mirai_aa39fb02",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 23:43:23"
        }
    ],
    "1036": [
        {
            "sample_cnt": 286,
            "yara_rule_name": "nirsoft_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 17:52:42"
        }
    ],
    "1037": [
        {
            "sample_cnt": 286,
            "yara_rule_name": "PUA_Crypto_Mining_CommandLine_Indicators_Oct21",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.poolwatch.io/coin/monero",
            "yara_rule_description": "Detects command line parameters often used by crypto mining software",
            "last_hit_utc": "2026-04-27 16:04:57"
        }
    ],
    "1038": [
        {
            "sample_cnt": 286,
            "yara_rule_name": "Windows_Trojan_Metasploit_7bc0f998",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies the API address lookup function leveraged by metasploit shellcode",
            "last_hit_utc": "2026-04-22 20:38:24"
        }
    ],
    "1039": [
        {
            "sample_cnt": 285,
            "yara_rule_name": "MatchByteSequence",
            "yara_rule_author": "Generated by ChatGPT",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to match specific byte sequence: 89 C8 C1 E8 08 31 D1 31 C8",
            "last_hit_utc": "2026-04-24 05:13:32"
        }
    ],
    "1040": [
        {
            "sample_cnt": 285,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_f07b3cb4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 15:04:41"
        }
    ],
    "1041": [
        {
            "sample_cnt": 284,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_4df4bcb6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 15:04:41"
        }
    ],
    "1042": [
        {
            "sample_cnt": 283,
            "yara_rule_name": "win_ave_maria_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.ave_maria.",
            "last_hit_utc": "2023-01-18 12:49:25"
        }
    ],
    "1043": [
        {
            "sample_cnt": 282,
            "yara_rule_name": "HKTL_CobaltStrike_SleepMask_Jul22",
            "yara_rule_author": "CodeX",
            "yara_rule_reference": "https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs",
            "yara_rule_description": "Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "1044": [
        {
            "sample_cnt": 282,
            "yara_rule_name": "win_amadey_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.amadey.",
            "last_hit_utc": "2026-04-13 17:36:39"
        }
    ],
    "1045": [
        {
            "sample_cnt": 281,
            "yara_rule_name": "SUSP_ZIP_LNK_PhishAttachment",
            "yara_rule_author": "ignacior",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious tiny ZIP files with malicious lnk files",
            "last_hit_utc": "2026-04-27 10:07:32"
        }
    ],
    "1046": [
        {
            "sample_cnt": 280,
            "yara_rule_name": "F01_s1ckrule",
            "yara_rule_author": "s1ckb017",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-22 00:36:04"
        }
    ],
    "1047": [
        {
            "sample_cnt": 280,
            "yara_rule_name": "INDICATOR_EXE_Packed_Babel",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with Babel",
            "last_hit_utc": "2026-04-15 11:21:20"
        }
    ],
    "1048": [
        {
            "sample_cnt": 280,
            "yara_rule_name": "msil_rc4",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-11 15:01:27"
        }
    ],
    "1049": [
        {
            "sample_cnt": 280,
            "yara_rule_name": "win_darkcomet_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2026-04-26 19:07:27"
        }
    ],
    "1050": [
        {
            "sample_cnt": 279,
            "yara_rule_name": "Detect_Nimplant_PE",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects malicious nimplant variant PE malware.",
            "last_hit_utc": "2025-01-17 10:47:30"
        }
    ],
    "1051": [
        {
            "sample_cnt": 279,
            "yara_rule_name": "sfx_pdb_winrar_restrict",
            "yara_rule_author": "@razvialex",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect interesting files containing sfx with pdb paths.",
            "last_hit_utc": "2025-06-12 08:48:37"
        }
    ],
    "1052": [
        {
            "sample_cnt": 279,
            "yara_rule_name": "win_matiex_keylogger_v1",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": null,
            "yara_rule_description": "detects the Matiex Keylogger",
            "last_hit_utc": "2023-08-05 09:54:04"
        }
    ],
    "1053": [
        {
            "sample_cnt": 278,
            "yara_rule_name": "Ursnif3",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Ursnif Payload",
            "last_hit_utc": "2026-03-07 13:05:25"
        }
    ],
    "1054": [
        {
            "sample_cnt": 277,
            "yara_rule_name": "MSILStealer",
            "yara_rule_author": "https://github.com/hwvs",
            "yara_rule_reference": "https://github.com/quasar/QuasarRAT",
            "yara_rule_description": "Detects strings from C#/VB Stealers and QuasarRat",
            "last_hit_utc": "2021-08-31 10:25:07"
        }
    ],
    "1055": [
        {
            "sample_cnt": 275,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many varying, potentially fake Windows User-Agents",
            "last_hit_utc": "2026-04-22 18:32:41"
        }
    ],
    "1056": [
        {
            "sample_cnt": 273,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_663fc95d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies CobaltStrike via unidentified function code",
            "last_hit_utc": "2026-04-27 04:44:39"
        }
    ],
    "1057": [
        {
            "sample_cnt": 272,
            "yara_rule_name": "Linux_Trojan_Mirai_6e8e9257",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 11:35:33"
        }
    ],
    "1058": [
        {
            "sample_cnt": 271,
            "yara_rule_name": "AgentTeslaV4",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "AgentTesla Payload",
            "last_hit_utc": "2025-09-05 13:03:42"
        }
    ],
    "1059": [
        {
            "sample_cnt": 270,
            "yara_rule_name": "Windows_Cryptominer_Generic_f53cfb9b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 15:48:27"
        }
    ],
    "1060": [
        {
            "sample_cnt": 269,
            "yara_rule_name": "SUSP_RANSOMWARE_Indicator_Jul20",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
            "yara_rule_description": "Detects ransomware indicator",
            "last_hit_utc": "2026-04-15 11:33:59"
        }
    ],
    "1061": [
        {
            "sample_cnt": 268,
            "yara_rule_name": "SUSP_Reversed_Base64_Encoded_EXE",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a base64 encoded executable with reversed characters",
            "last_hit_utc": "2025-06-16 16:14:15"
        }
    ],
    "1062": [
        {
            "sample_cnt": 267,
            "yara_rule_name": "SUSP_Double_Base64_Encoded_Executable",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/TweeterCyber/status/1189073238803877889",
            "yara_rule_description": "Detects an executable that has been encoded with base64 twice",
            "last_hit_utc": "2025-01-05 15:34:42"
        }
    ],
    "1063": [
        {
            "sample_cnt": 267,
            "yara_rule_name": "UroburosVirtualBoxDriver",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:04:33"
        }
    ],
    "1064": [
        {
            "sample_cnt": 265,
            "yara_rule_name": "PS_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies PowerShell artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2022-11-25 07:21:04"
        }
    ],
    "1065": [
        {
            "sample_cnt": 264,
            "yara_rule_name": "AutoIT_Script",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies AutoIT script.",
            "last_hit_utc": "2025-01-05 16:55:48"
        }
    ],
    "1066": [
        {
            "sample_cnt": 264,
            "yara_rule_name": "Gandcrab",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Gandcrab Payload",
            "last_hit_utc": "2025-04-27 19:41:17"
        }
    ],
    "1067": [
        {
            "sample_cnt": 264,
            "yara_rule_name": "Windows_Generic_Threat_f57e5e2a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 10:06:41"
        }
    ],
    "1068": [
        {
            "sample_cnt": 264,
            "yara_rule_name": "win_bazarbackdoor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.bazarbackdoor.",
            "last_hit_utc": "2026-04-05 13:52:38"
        }
    ],
    "1069": [
        {
            "sample_cnt": 263,
            "yara_rule_name": "MALWARE_Win_CryptBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "CryptBot/Fugrafa stealer payload",
            "last_hit_utc": "2022-04-12 15:01:01"
        }
    ],
    "1070": [
        {
            "sample_cnt": 261,
            "yara_rule_name": "CoinMiner_Strings",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://minergate.com/faq/what-pool-address",
            "yara_rule_description": "Detects mining pool protocol string in Executable",
            "last_hit_utc": "2023-01-23 08:22:25"
        }
    ],
    "1071": [
        {
            "sample_cnt": 261,
            "yara_rule_name": "Linux_Trojan_Gafgyt_83715433",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 07:58:29"
        }
    ],
    "1072": [
        {
            "sample_cnt": 261,
            "yara_rule_name": "RansomwareTest2",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": "",
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2022-09-28 16:27:25"
        }
    ],
    "1073": [
        {
            "sample_cnt": 260,
            "yara_rule_name": "MALWARE_Win_BitRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects BitRAT RAT",
            "last_hit_utc": "2022-11-20 16:31:03"
        }
    ],
    "1074": [
        {
            "sample_cnt": 258,
            "yara_rule_name": "Beacon_K5om",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
            "yara_rule_description": "Detects Meterpreter Beacon - file K5om.dll",
            "last_hit_utc": "2026-04-27 04:44:36"
        }
    ],
    "1075": [
        {
            "sample_cnt": 258,
            "yara_rule_name": "Leviathan_CobaltStrike_Sample_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/MZ7dRg",
            "yara_rule_description": "Detects Cobalt Strike sample from Leviathan report",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "1076": [
        {
            "sample_cnt": 257,
            "yara_rule_name": "INDICATOR_EXE_Packed_Dotfuscator",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with Dotfuscator",
            "last_hit_utc": "2026-04-07 17:04:41"
        }
    ],
    "1077": [
        {
            "sample_cnt": 257,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables attempting to enumerate video devices using WMI",
            "last_hit_utc": "2022-11-26 05:47:05"
        }
    ],
    "1078": [
        {
            "sample_cnt": 257,
            "yara_rule_name": "win_icondown_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-10-27 14:49:29"
        }
    ],
    "1079": [
        {
            "sample_cnt": 256,
            "yara_rule_name": "blackmoon_payload_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 03:31:35"
        }
    ],
    "1080": [
        {
            "sample_cnt": 255,
            "yara_rule_name": "Vidar",
            "yara_rule_author": "kevoreilly,rony",
            "yara_rule_reference": null,
            "yara_rule_description": "Vidar Payload",
            "last_hit_utc": "2026-01-10 13:28:26"
        }
    ],
    "1081": [
        {
            "sample_cnt": 254,
            "yara_rule_name": "Windows_Trojan_Stealc_b8ab9ab5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-15 08:07:21"
        }
    ],
    "1082": [
        {
            "sample_cnt": 254,
            "yara_rule_name": "win_raccoon_a0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-05 10:56:06"
        }
    ],
    "1083": [
        {
            "sample_cnt": 252,
            "yara_rule_name": "Malware_QA_update_RID2DAD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file update.exe",
            "last_hit_utc": "2026-04-26 19:07:27"
        }
    ],
    "1084": [
        {
            "sample_cnt": 251,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing virtualization MAC addresses",
            "last_hit_utc": "2026-04-21 22:40:48"
        }
    ],
    "1085": [
        {
            "sample_cnt": 250,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_AHK_Downloader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AutoHotKey binaries acting as second stage droppers",
            "last_hit_utc": "2025-05-20 15:58:17"
        }
    ],
    "1086": [
        {
            "sample_cnt": 250,
            "yara_rule_name": "MAL_Winnti_Sample_May18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://401trg.pw/burning-umbrella/",
            "yara_rule_description": "Detects malware sample from Burning Umbrella report - Generic Winnti Rule",
            "last_hit_utc": "2025-01-05 15:36:26"
        }
    ],
    "1087": [
        {
            "sample_cnt": 250,
            "yara_rule_name": "pony",
            "yara_rule_author": "Brian Wallace @botnet_hunter",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify Pony",
            "last_hit_utc": "2026-04-15 11:48:00"
        }
    ],
    "1088": [
        {
            "sample_cnt": 250,
            "yara_rule_name": "possible_trojan_banker",
            "yara_rule_author": "@johnk3r",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects common strings, DLL and API in Banker_BR",
            "last_hit_utc": "2026-03-22 21:38:44"
        }
    ],
    "1089": [
        {
            "sample_cnt": 250,
            "yara_rule_name": "Windows_Virus_Neshta_2a5a14c8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 15:18:29"
        }
    ],
    "1090": [
        {
            "sample_cnt": 250,
            "yara_rule_name": "WIN_WebSocket_Base64_C2_20250726",
            "yara_rule_author": "dogsafetyforeverone",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.",
            "last_hit_utc": "2026-04-26 14:30:43"
        }
    ],
    "1091": [
        {
            "sample_cnt": 249,
            "yara_rule_name": "RaccoonV2",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/",
            "yara_rule_description": "This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.",
            "last_hit_utc": "2022-10-22 19:52:39"
        }
    ],
    "1092": [
        {
            "sample_cnt": 249,
            "yara_rule_name": "Trojan_CoinMiner",
            "yara_rule_author": "Trellix ATR",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule to detect Coinminer malware",
            "last_hit_utc": "2022-07-16 08:11:03"
        }
    ],
    "1093": [
        {
            "sample_cnt": 247,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Discord_Regex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing Discord tokens regular expressions",
            "last_hit_utc": "2026-03-13 15:58:15"
        }
    ],
    "1094": [
        {
            "sample_cnt": 247,
            "yara_rule_name": "malware_sakula_xorloop",
            "yara_rule_author": "David Cannings",
            "yara_rule_reference": null,
            "yara_rule_description": "XOR loops from Sakula malware",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "1095": [
        {
            "sample_cnt": 247,
            "yara_rule_name": "win_njrat_bytecodes_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-14 11:22:39"
        }
    ],
    "1096": [
        {
            "sample_cnt": 246,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_DisableWinDefender",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing artifacts associated with disabling Windows Defender",
            "last_hit_utc": "2025-01-05 16:04:01"
        }
    ],
    "1097": [
        {
            "sample_cnt": 246,
            "yara_rule_name": "win_recordbreaker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.recordbreaker.",
            "last_hit_utc": "2022-11-02 13:20:09"
        }
    ],
    "1098": [
        {
            "sample_cnt": 245,
            "yara_rule_name": "Detect_Zoom_Invite_malware_RAT_C2",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Zoom Invite Call Leading to Malware Hosted in Telegram C2",
            "last_hit_utc": "2026-04-27 15:02:46"
        }
    ],
    "1099": [
        {
            "sample_cnt": 245,
            "yara_rule_name": "win_redline_stealer_generic",
            "yara_rule_author": "dubfib",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 15:04:41"
        }
    ],
    "1100": [
        {
            "sample_cnt": 244,
            "yara_rule_name": "Download_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies download artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2022-11-25 07:21:04"
        }
    ],
    "1101": [
        {
            "sample_cnt": 244,
            "yara_rule_name": "metasploit_rev_tcp_32",
            "yara_rule_author": "Javier Rascon",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 10:33:40"
        }
    ],
    "1102": [
        {
            "sample_cnt": 244,
            "yara_rule_name": "win_vidar_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.vidar.",
            "last_hit_utc": "2023-01-22 23:15:05"
        }
    ],
    "1103": [
        {
            "sample_cnt": 244,
            "yara_rule_name": "XWorm_Hunter",
            "yara_rule_author": "Potato",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:58:31"
        }
    ],
    "1104": [
        {
            "sample_cnt": 243,
            "yara_rule_name": "Linux_Trojan_Gafgyt_30444846",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-18 04:17:24"
        }
    ],
    "1105": [
        {
            "sample_cnt": 242,
            "yara_rule_name": "Check_VBox_Description",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:46:21"
        }
    ],
    "1106": [
        {
            "sample_cnt": 241,
            "yara_rule_name": "PyInstaller",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies executable converted using PyInstaller.",
            "last_hit_utc": "2023-11-01 12:36:29"
        }
    ],
    "1107": [
        {
            "sample_cnt": 241,
            "yara_rule_name": "SUSP_PE_Discord_Attachment_Oct21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)",
            "last_hit_utc": "2026-04-25 08:57:34"
        }
    ],
    "1108": [
        {
            "sample_cnt": 240,
            "yara_rule_name": "sfx_pdb_winrar_restrict",
            "yara_rule_author": "@razvialex",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect interesting files containing sfx with pdb paths.",
            "last_hit_utc": "2022-11-26 10:35:03"
        }
    ],
    "1109": [
        {
            "sample_cnt": 240,
            "yara_rule_name": "win_isfb_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.isfb.",
            "last_hit_utc": "2022-10-26 08:30:19"
        }
    ],
    "1110": [
        {
            "sample_cnt": 239,
            "yara_rule_name": "INDICATOR_EXE_Packed_Goliath",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with Goliath",
            "last_hit_utc": "2026-03-24 15:33:18"
        }
    ],
    "1111": [
        {
            "sample_cnt": 239,
            "yara_rule_name": "ScanBox_Malware_Generic",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP",
            "last_hit_utc": "2021-02-28 07:03:20"
        }
    ],
    "1112": [
        {
            "sample_cnt": 239,
            "yara_rule_name": "win_delivery_check_g0",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:05:20"
        }
    ],
    "1113": [
        {
            "sample_cnt": 238,
            "yara_rule_name": "MALWARE_Win_Simda",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Simda / Shifu infostealer",
            "last_hit_utc": "2025-11-23 20:29:20"
        }
    ],
    "1114": [
        {
            "sample_cnt": 237,
            "yara_rule_name": "APT_DustSquad_PE_Nov19_2",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/Rmy_Reserve/status/1197448735422238721",
            "yara_rule_description": "Detection Rule for APT DustSquad campaign Nov19",
            "last_hit_utc": "2026-04-04 11:43:45"
        }
    ],
    "1115": [
        {
            "sample_cnt": 237,
            "yara_rule_name": "Destructive_Ransomware_Gen1_RID31CB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
            "yara_rule_description": "Detects destructive malware",
            "last_hit_utc": "2026-04-12 14:19:22"
        }
    ],
    "1116": [
        {
            "sample_cnt": 237,
            "yara_rule_name": "PDF_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Adobe Acrobat artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2025-07-16 03:19:31"
        }
    ],
    "1117": [
        {
            "sample_cnt": 237,
            "yara_rule_name": "Win32_Ransomware_GandCrab",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects GandCrab ransomware.",
            "last_hit_utc": "2025-01-05 16:09:32"
        }
    ],
    "1118": [
        {
            "sample_cnt": 237,
            "yara_rule_name": "Windows_Trojan_Metasploit_38b8ceec",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).",
            "last_hit_utc": "2026-04-21 14:06:14"
        }
    ],
    "1119": [
        {
            "sample_cnt": 236,
            "yara_rule_name": "win_gandcrab_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.gandcrab.",
            "last_hit_utc": "2025-04-27 19:41:17"
        }
    ],
    "1120": [
        {
            "sample_cnt": 235,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing URLs to raw contents of a Github gist",
            "last_hit_utc": "2024-02-01 08:35:05"
        }
    ],
    "1121": [
        {
            "sample_cnt": 235,
            "yara_rule_name": "unpacked_qbot",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unpacked or memory-dumped QBot samples",
            "last_hit_utc": "2022-11-22 21:15:09"
        }
    ],
    "1122": [
        {
            "sample_cnt": 234,
            "yara_rule_name": "AgentTeslaV4",
            "yara_rule_author": "Rony (r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-18 16:11:26"
        }
    ],
    "1123": [
        {
            "sample_cnt": 234,
            "yara_rule_name": "Choice_Del_method_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "cmd ping IP nul del",
            "last_hit_utc": "2025-07-28 13:28:28"
        }
    ],
    "1124": [
        {
            "sample_cnt": 234,
            "yara_rule_name": "SUSP_Ngrok_URL",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects a PE file that contains an ngrok.io URL. This can be used as C2 channel",
            "last_hit_utc": "2022-11-26 13:02:03"
        }
    ],
    "1125": [
        {
            "sample_cnt": 234,
            "yara_rule_name": "WIN_FileFix_Detection",
            "yara_rule_author": "dogsafetyforeverone",
            "yara_rule_reference": "FileFix social engineering with PowerShell and PHP commands",
            "yara_rule_description": "Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths",
            "last_hit_utc": "2026-04-26 15:04:30"
        }
    ],
    "1126": [
        {
            "sample_cnt": 233,
            "yara_rule_name": "QuasarRAT",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "QuasarRAT payload",
            "last_hit_utc": "2026-04-20 23:03:25"
        }
    ],
    "1127": [
        {
            "sample_cnt": 233,
            "yara_rule_name": "Windows_Trojan_Xeno_89f9f060",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 10:06:41"
        }
    ],
    "1128": [
        {
            "sample_cnt": 232,
            "yara_rule_name": "Start2__bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e",
            "yara_rule_description": "SystemBC",
            "last_hit_utc": "2026-02-13 17:32:16"
        }
    ],
    "1129": [
        {
            "sample_cnt": 232,
            "yara_rule_name": "SUSP_LNK_Big_Link_File_RID2EDD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspiciously big LNK file - maybe with embedded content",
            "last_hit_utc": "2026-04-14 20:25:57"
        }
    ],
    "1130": [
        {
            "sample_cnt": 231,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_AHK_Downloader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects AutoHotKey binaries acting as second stage droppers",
            "last_hit_utc": "2022-04-15 09:39:30"
        }
    ],
    "1131": [
        {
            "sample_cnt": 231,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_DcRatBy",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing the string DcRatBy",
            "last_hit_utc": "2022-11-26 05:47:05"
        }
    ],
    "1132": [
        {
            "sample_cnt": 231,
            "yara_rule_name": "MINER_monero_mining_detection",
            "yara_rule_author": "Trellix ATR team",
            "yara_rule_reference": null,
            "yara_rule_description": "Monero mining software",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "1133": [
        {
            "sample_cnt": 230,
            "yara_rule_name": "hunt_skyproj_backdoor",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "1134": [
        {
            "sample_cnt": 230,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Windows executables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks",
            "last_hit_utc": "2023-08-03 12:55:32"
        }
    ],
    "1135": [
        {
            "sample_cnt": 230,
            "yara_rule_name": "virustotal",
            "yara_rule_author": "Tracel",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-14 14:03:25"
        }
    ],
    "1136": [
        {
            "sample_cnt": 229,
            "yara_rule_name": "downloader_macros",
            "yara_rule_author": "ddvvmmzz",
            "yara_rule_reference": "",
            "yara_rule_description": "downloader macros",
            "last_hit_utc": "2022-10-12 16:51:24"
        }
    ],
    "1137": [
        {
            "sample_cnt": 229,
            "yara_rule_name": "PureBasic4xNeilHodgson",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 20:44:24"
        }
    ],
    "1138": [
        {
            "sample_cnt": 229,
            "yara_rule_name": "SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious tiny ZIP files with phishing attachment characteristics",
            "last_hit_utc": "2026-04-27 10:07:32"
        }
    ],
    "1139": [
        {
            "sample_cnt": 228,
            "yara_rule_name": "Cryptocoin_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "Steam in files like avemaria",
            "last_hit_utc": "2024-02-05 06:17:31"
        }
    ],
    "1140": [
        {
            "sample_cnt": 228,
            "yara_rule_name": "growtopia",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked growtopia stealer malware samples.",
            "last_hit_utc": "2025-10-14 15:46:04"
        }
    ],
    "1141": [
        {
            "sample_cnt": 228,
            "yara_rule_name": "Guloader_VBScript",
            "yara_rule_author": "Ankit Anubhav - ankitanubhav.info",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects GuLoader/CloudEye VBScripts",
            "last_hit_utc": "2022-11-25 17:04:02"
        }
    ],
    "1142": [
        {
            "sample_cnt": 227,
            "yara_rule_name": "win_lumma_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.lumma.",
            "last_hit_utc": "2026-04-04 01:19:09"
        }
    ],
    "1143": [
        {
            "sample_cnt": 226,
            "yara_rule_name": "maldoc_indirect_function_call_3",
            "yara_rule_author": "Didier Stevens (https://DidierStevens.com)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-21 18:44:31"
        }
    ],
    "1144": [
        {
            "sample_cnt": 226,
            "yara_rule_name": "StealcV2",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match the instructions found in StealcV2",
            "last_hit_utc": "2026-04-25 11:10:42"
        }
    ],
    "1145": [
        {
            "sample_cnt": 225,
            "yara_rule_name": "Methodology_Suspicious_Shortcut_SMB_URL",
            "yara_rule_author": "@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)",
            "yara_rule_reference": "https://twitter.com/cglyer/status/1176184798248919044",
            "yara_rule_description": "Detects remote SMB path for .URL persistence",
            "last_hit_utc": "2026-04-02 13:39:15"
        }
    ],
    "1146": [
        {
            "sample_cnt": 225,
            "yara_rule_name": "SUSP_Encoded_Discord_Attachment_Oct21_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)",
            "last_hit_utc": "2025-01-05 15:36:01"
        }
    ],
    "1147": [
        {
            "sample_cnt": 224,
            "yara_rule_name": "Mal_WIN_NjRAT_RAT_PE",
            "yara_rule_author": "Phatcharadol Thangplub",
            "yara_rule_reference": null,
            "yara_rule_description": "Used to detect NjRAT implant.",
            "last_hit_utc": "2026-04-23 18:36:35"
        }
    ],
    "1148": [
        {
            "sample_cnt": 224,
            "yara_rule_name": "SUSP_EnableContent_String_Gen_RID322C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious string that asks to enable active content in Office Doc",
            "last_hit_utc": "2025-12-01 07:47:18"
        }
    ],
    "1149": [
        {
            "sample_cnt": 224,
            "yara_rule_name": "Windows_Generic_Threat_e8abb835",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-30 20:36:15"
        }
    ],
    "1150": [
        {
            "sample_cnt": 222,
            "yara_rule_name": "MALWARE_Win_DCRat",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "DCRat payload",
            "last_hit_utc": "2026-04-27 16:04:59"
        }
    ],
    "1151": [
        {
            "sample_cnt": 222,
            "yara_rule_name": "Windows_Trojan_Amadey_7abb059b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-13 12:22:33"
        }
    ],
    "1152": [
        {
            "sample_cnt": 221,
            "yara_rule_name": "MALWARE_Win_A310Logger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects A310Logger",
            "last_hit_utc": "2022-11-10 06:45:03"
        }
    ],
    "1153": [
        {
            "sample_cnt": 221,
            "yara_rule_name": "without_urls",
            "yara_rule_author": "Antonio Sanchez <asanchez@hispasec.com>",
            "yara_rule_reference": "http://laboratorio.blogs.hispasec.com/",
            "yara_rule_description": "Rule to detect the absence of any URL",
            "last_hit_utc": "2026-04-27 14:59:27"
        }
    ],
    "1154": [
        {
            "sample_cnt": 220,
            "yara_rule_name": "MALWARE_Win_CryptBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "CryptBot/Fugrafa stealer payload",
            "last_hit_utc": "2024-01-21 19:13:02"
        }
    ],
    "1155": [
        {
            "sample_cnt": 220,
            "yara_rule_name": "win_hawkeye_keylogger_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-03-25 16:03:36"
        }
    ],
    "1156": [
        {
            "sample_cnt": 219,
            "yara_rule_name": "crime_win64_emotet_unpacked",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-01-19 18:52:18"
        }
    ],
    "1157": [
        {
            "sample_cnt": 219,
            "yara_rule_name": "HUN_APT29_EnvyScout_Jul_2023_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunting rule to detect possible Envyscout malware used by the APT29 group, based on patterns already used in the past",
            "last_hit_utc": "2026-04-22 21:59:48"
        }
    ],
    "1158": [
        {
            "sample_cnt": 219,
            "yara_rule_name": "MALWARE_Win_DLInjector04",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects downloader / injector",
            "last_hit_utc": "2025-02-08 17:36:18"
        }
    ],
    "1159": [
        {
            "sample_cnt": 219,
            "yara_rule_name": "MALWARE_Win_IceID",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects IceID / Bokbot variants",
            "last_hit_utc": "2025-01-05 17:23:49"
        }
    ],
    "1160": [
        {
            "sample_cnt": 218,
            "yara_rule_name": "Njrat",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "detect njRAT in memory",
            "last_hit_utc": "2025-09-10 20:33:13"
        }
    ],
    "1161": [
        {
            "sample_cnt": 217,
            "yara_rule_name": "INDICATOR_DOC_PhishingPatterns",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects OLE, RTF, PDF and OOXML (decompressed) documents with common phishing strings",
            "last_hit_utc": "2022-10-19 07:06:03"
        }
    ],
    "1162": [
        {
            "sample_cnt": 217,
            "yara_rule_name": "methodology_golang_build_strings",
            "yara_rule_author": "smiller",
            "yara_rule_reference": "",
            "yara_rule_description": "Looks for PEs with a Golang build ID",
            "last_hit_utc": "2023-08-01 20:41:29"
        }
    ],
    "1163": [
        {
            "sample_cnt": 216,
            "yara_rule_name": "D1S1Gv11betaD1N",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 16:02:44"
        }
    ],
    "1164": [
        {
            "sample_cnt": 216,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion",
            "last_hit_utc": "2025-01-05 17:02:00"
        }
    ],
    "1165": [
        {
            "sample_cnt": 216,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing combination of virtualization drivers",
            "last_hit_utc": "2026-04-27 04:45:29"
        }
    ],
    "1166": [
        {
            "sample_cnt": 216,
            "yara_rule_name": "Linux_Trojan_Gafgyt_859042a0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:21:38"
        }
    ],
    "1167": [
        {
            "sample_cnt": 214,
            "yara_rule_name": "RedOctoberPluginCollectInfo",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-01-22 23:15:05"
        }
    ],
    "1168": [
        {
            "sample_cnt": 214,
            "yara_rule_name": "Windows_Trojan_Zeus_e51c60d7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects",
            "yara_rule_description": "Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.",
            "last_hit_utc": "2025-11-23 20:29:20"
        }
    ],
    "1169": [
        {
            "sample_cnt": 213,
            "yara_rule_name": "High_Entropy_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies shortcut (LNK) file with equal or higher entropy than 6.5. Most goodware LNK files have a low entropy, lower than 6.",
            "last_hit_utc": "2026-04-21 10:54:36"
        }
    ],
    "1170": [
        {
            "sample_cnt": 213,
            "yara_rule_name": "RansomwareTest8",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": "",
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2022-10-24 18:01:41"
        }
    ],
    "1171": [
        {
            "sample_cnt": 212,
            "yara_rule_name": "Adsterra_Adware_DOM",
            "yara_rule_author": "IlluminatiFish",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Adsterra adware script being loaded without the user's consent",
            "last_hit_utc": "2022-10-08 11:56:41"
        }
    ],
    "1172": [
        {
            "sample_cnt": 212,
            "yara_rule_name": "Trojan_Raw_Generic_4",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 11:17:29"
        }
    ],
    "1173": [
        {
            "sample_cnt": 211,
            "yara_rule_name": "SR_APT_DustSquad_PE_Nov19",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/Rmy_Reserve/status/1197448735422238721",
            "yara_rule_description": "Super Rule for APT DustSquad campaign Nov19",
            "last_hit_utc": "2026-04-23 21:35:40"
        }
    ],
    "1174": [
        {
            "sample_cnt": 211,
            "yara_rule_name": "Windows_Trojan_Metasploit_38b8ceec",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).",
            "last_hit_utc": "2026-03-24 14:33:18"
        }
    ],
    "1175": [
        {
            "sample_cnt": 210,
            "yara_rule_name": "CoinMiner_Strings_RID2DDE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://minergate.com/faq/what-pool-address",
            "yara_rule_description": "Detects mining pool protocol string in Executable",
            "last_hit_utc": "2026-04-05 01:52:07"
        }
    ],
    "1176": [
        {
            "sample_cnt": 210,
            "yara_rule_name": "Darkside",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Darkside ransomware.",
            "last_hit_utc": "2026-03-17 21:03:27"
        }
    ],
    "1177": [
        {
            "sample_cnt": 210,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_DisableWinDefender",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing artifacts associated with disabling Windows Defender",
            "last_hit_utc": "2026-04-23 12:31:37"
        }
    ],
    "1178": [
        {
            "sample_cnt": 210,
            "yara_rule_name": "MALWARE_Win_BitRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BitRAT RAT",
            "last_hit_utc": "2025-06-16 16:34:38"
        }
    ],
    "1179": [
        {
            "sample_cnt": 210,
            "yara_rule_name": "MALWARE_Win_Chaos",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Chaos ransomware",
            "last_hit_utc": "2026-04-12 14:19:22"
        }
    ],
    "1180": [
        {
            "sample_cnt": 209,
            "yara_rule_name": "GenericGh0st",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 21:44:28"
        }
    ],
    "1181": [
        {
            "sample_cnt": 209,
            "yara_rule_name": "SPLCrypt",
            "yara_rule_author": "James Quinn, Binary Defense",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies SPLCrypt, a new crypter associated with Bazaloader",
            "last_hit_utc": "2026-04-10 13:13:29"
        }
    ],
    "1182": [
        {
            "sample_cnt": 209,
            "yara_rule_name": "Vidar_unpacked_PulseIntel",
            "yara_rule_author": "PulseIntel",
            "yara_rule_reference": null,
            "yara_rule_description": "Vidar Payload",
            "last_hit_utc": "2026-03-15 08:07:21"
        }
    ],
    "1183": [
        {
            "sample_cnt": 208,
            "yara_rule_name": "MALWARE_Win_NetWire",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects NetWire RAT",
            "last_hit_utc": "2022-11-23 21:25:04"
        }
    ],
    "1184": [
        {
            "sample_cnt": 208,
            "yara_rule_name": "Windows_Trojan_Metasploit_4a1c4da8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Metasploit 64 bit reverse tcp shellcode.",
            "last_hit_utc": "2026-04-11 14:03:11"
        }
    ],
    "1185": [
        {
            "sample_cnt": 207,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables calling ClearMyTracksByProcess",
            "last_hit_utc": "2026-04-24 08:43:28"
        }
    ],
    "1186": [
        {
            "sample_cnt": 207,
            "yara_rule_name": "MALWARE_Win_R77",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects r77 rootkit",
            "last_hit_utc": "2026-04-27 11:34:40"
        }
    ],
    "1187": [
        {
            "sample_cnt": 207,
            "yara_rule_name": "Multi_Cryptominer_Xmrig_f9516741",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 15:48:27"
        }
    ],
    "1188": [
        {
            "sample_cnt": 207,
            "yara_rule_name": "win_simda_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.simda.",
            "last_hit_utc": "2025-11-23 20:29:20"
        }
    ],
    "1189": [
        {
            "sample_cnt": 206,
            "yara_rule_name": "DCRat",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "DCRat Payload",
            "last_hit_utc": "2026-04-27 16:04:58"
        }
    ],
    "1190": [
        {
            "sample_cnt": 206,
            "yara_rule_name": "EnigmaProtector11X13XSukhovVladimirSergeNMarkin",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-22 06:30:38"
        }
    ],
    "1191": [
        {
            "sample_cnt": 206,
            "yara_rule_name": "gafgyt_ansi_beacon",
            "yara_rule_author": "Liho",
            "yara_rule_reference": "Custom bot variant using ANSI red in IP report string",
            "yara_rule_description": "Detects Gafgyt variant with custom ANSI-colored IP beacon",
            "last_hit_utc": "2026-04-26 19:50:38"
        }
    ],
    "1192": [
        {
            "sample_cnt": 206,
            "yara_rule_name": "MALWARE_Win_DCRat",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "DCRat payload",
            "last_hit_utc": "2022-11-25 17:57:03"
        }
    ],
    "1193": [
        {
            "sample_cnt": 205,
            "yara_rule_name": "CRIME_WIN32_RANSOM_BLACKMATTER",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Blackmatter ransomware",
            "last_hit_utc": "2026-03-17 21:03:27"
        }
    ],
    "1194": [
        {
            "sample_cnt": 204,
            "yara_rule_name": "MAL_ARM_LNX_Mirai_Mar13_2022",
            "yara_rule_author": "Mehmet Ali Kerimoglu a.k.a. CYB3RMX",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects new ARM Mirai variant",
            "last_hit_utc": "2022-11-24 00:36:03"
        }
    ],
    "1195": [
        {
            "sample_cnt": 204,
            "yara_rule_name": "MAL_HawkEye_Keylogger_Gen_Dec18",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/James_inthe_box/status/1072116224652324870",
            "yara_rule_description": "Detects HawkEye Keylogger Reborn",
            "last_hit_utc": "2022-04-23 17:23:23"
        }
    ],
    "1196": [
        {
            "sample_cnt": 204,
            "yara_rule_name": "SUSP_LNK_Big_Link_File",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspiciously big LNK file - maybe with embedded content",
            "last_hit_utc": "2026-04-14 20:25:57"
        }
    ],
    "1197": [
        {
            "sample_cnt": 204,
            "yara_rule_name": "Windows_Ransomware_Lockbit_369e1e94",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-17 21:03:27"
        }
    ],
    "1198": [
        {
            "sample_cnt": 203,
            "yara_rule_name": "MoleBoxv20",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 18:25:28"
        }
    ],
    "1199": [
        {
            "sample_cnt": 202,
            "yara_rule_name": "Windows_Rootkit_R77_d0367e28",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 11:34:40"
        }
    ],
    "1200": [
        {
            "sample_cnt": 201,
            "yara_rule_name": "Base64_Encoded_Powershell_Directives",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-02-26 04:26:27"
        }
    ],
    "1201": [
        {
            "sample_cnt": 201,
            "yara_rule_name": "RedLine_Stealer_unpacked_PulseIntel",
            "yara_rule_author": "PulseIntel",
            "yara_rule_reference": null,
            "yara_rule_description": "Detecting unpacked Redline",
            "last_hit_utc": "2026-03-24 14:25:04"
        }
    ],
    "1202": [
        {
            "sample_cnt": 201,
            "yara_rule_name": "VIPKeyLogger",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects VIPKeyLogger Keylogger",
            "last_hit_utc": "2026-04-27 05:40:45"
        }
    ],
    "1203": [
        {
            "sample_cnt": 200,
            "yara_rule_name": "win_hancitor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-08 19:10:40"
        }
    ],
    "1204": [
        {
            "sample_cnt": 199,
            "yara_rule_name": "Linux_Trojan_Gafgyt_148b91a2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-18 07:54:31"
        }
    ],
    "1205": [
        {
            "sample_cnt": 199,
            "yara_rule_name": "Linux_Trojan_Mirai_3fe3c668",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 03:46:32"
        }
    ],
    "1206": [
        {
            "sample_cnt": 199,
            "yara_rule_name": "MINER_monero_mining_detection",
            "yara_rule_author": "Christiaan Beek | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Monero mining software",
            "last_hit_utc": "2022-08-31 02:54:16"
        }
    ],
    "1207": [
        {
            "sample_cnt": 198,
            "yara_rule_name": "Check_Qemu_Description",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:46:21"
        }
    ],
    "1208": [
        {
            "sample_cnt": 197,
            "yara_rule_name": "APT_DarkHydrus_Jul18_5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
            "yara_rule_description": "Detects strings found in malware samples in APT report in DarkHydrus",
            "last_hit_utc": "2021-07-09 10:38:55"
        }
    ],
    "1209": [
        {
            "sample_cnt": 197,
            "yara_rule_name": "crime_win32_hvnc_banker_gen",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1247058432223477760",
            "yara_rule_description": "Detects malware banker hidden VNC",
            "last_hit_utc": "2025-01-25 03:58:48"
        }
    ],
    "1210": [
        {
            "sample_cnt": 197,
            "yara_rule_name": "crime_win32_hvnc_zloader1_hvnc_generic",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1240664014121828352",
            "yara_rule_description": "Detects Zloader hidden VNC",
            "last_hit_utc": "2025-01-25 03:58:48"
        }
    ],
    "1211": [
        {
            "sample_cnt": 197,
            "yara_rule_name": "OneNote_magic",
            "yara_rule_author": "Stuart Gonzalez",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-09 05:35:24"
        }
    ],
    "1212": [
        {
            "sample_cnt": 197,
            "yara_rule_name": "SUSP_ZIP_Smuggling_Jun01",
            "yara_rule_author": "delivr.to",
            "yara_rule_reference": "https://github.com/Octoberfest7/zip_smuggling/",
            "yara_rule_description": "ZIP archives with data smuggled between last file record and the central directory.",
            "last_hit_utc": "2026-04-25 13:18:33"
        }
    ],
    "1213": [
        {
            "sample_cnt": 196,
            "yara_rule_name": "Check_VBox_DeviceMap",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 06:27:39"
        }
    ],
    "1214": [
        {
            "sample_cnt": 196,
            "yara_rule_name": "Check_VMWare_DeviceMap",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 06:27:39"
        }
    ],
    "1215": [
        {
            "sample_cnt": 196,
            "yara_rule_name": "Embedded_RTF_File",
            "yara_rule_author": "Nicholas Dhaeyer - @DhaeyerWolf",
            "yara_rule_reference": null,
            "yara_rule_description": "Related to CVE-2023-36884. Hunts for any zip-like archive (eg. office documents) that have an embedded .rtf file, based on the '.rtf' extension of the file.",
            "last_hit_utc": "2026-04-26 15:15:39"
        }
    ],
    "1216": [
        {
            "sample_cnt": 196,
            "yara_rule_name": "SUSP_Reversed_Base64_Encoded_EXE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a base64-encoded executable with reversed characters",
            "last_hit_utc": "2025-01-05 15:25:46"
        }
    ],
    "1217": [
        {
            "sample_cnt": 195,
            "yara_rule_name": "WinosStager",
            "yara_rule_author": "YungBinary",
            "yara_rule_reference": null,
            "yara_rule_description": "https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign",
            "last_hit_utc": "2026-04-27 04:44:33"
        }
    ],
    "1218": [
        {
            "sample_cnt": 194,
            "yara_rule_name": "Capability_Embedded_Lua",
            "yara_rule_author": "Obscurity Labs LLC",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects embedded Lua engines by looking for multiple Lua API symbols or env-var hooks",
            "last_hit_utc": "2026-04-25 00:02:06"
        }
    ],
    "1219": [
        {
            "sample_cnt": 193,
            "yara_rule_name": "Hacktools_CN_Panda_andrew",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor",
            "last_hit_utc": "2026-04-24 03:31:37"
        }
    ],
    "1220": [
        {
            "sample_cnt": 193,
            "yara_rule_name": "Linux_Trojan_Gafgyt_28a2fe0c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-23 19:38:02"
        }
    ],
    "1221": [
        {
            "sample_cnt": 193,
            "yara_rule_name": "Linux_Trojan_Gafgyt_750fe002",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-18 08:03:34"
        }
    ],
    "1222": [
        {
            "sample_cnt": 193,
            "yara_rule_name": "SUSP_ENV_Folder_Root_File_Jan23_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious file path pointing to the root of a folder easily accessible via environment variables",
            "last_hit_utc": "2026-04-26 23:46:22"
        }
    ],
    "1223": [
        {
            "sample_cnt": 193,
            "yara_rule_name": "UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-08 15:28:14"
        }
    ],
    "1224": [
        {
            "sample_cnt": 192,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_VPN",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many VPN software clients. Observed in infostealers",
            "last_hit_utc": "2026-03-13 15:58:15"
        }
    ],
    "1225": [
        {
            "sample_cnt": 192,
            "yara_rule_name": "Linux_Trojan_Mirai_564b8eda",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 22:44:37"
        }
    ],
    "1226": [
        {
            "sample_cnt": 192,
            "yara_rule_name": "MALWARE_Win_Meterpreter",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Meterpreter payload",
            "last_hit_utc": "2026-04-21 14:06:14"
        }
    ],
    "1227": [
        {
            "sample_cnt": 190,
            "yara_rule_name": "SUSP_NET_NAME_ConfuserEx",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/yck1509/ConfuserEx",
            "yara_rule_description": "Detects ConfuserEx packed file",
            "last_hit_utc": "2025-04-21 02:11:07"
        }
    ],
    "1228": [
        {
            "sample_cnt": 190,
            "yara_rule_name": "Telegram_Exfiltration_Via_Api",
            "yara_rule_author": "lsepaolo",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:45:22"
        }
    ],
    "1229": [
        {
            "sample_cnt": 190,
            "yara_rule_name": "unixredflags",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunts for red flags",
            "last_hit_utc": "2024-03-16 08:25:40"
        }
    ],
    "1230": [
        {
            "sample_cnt": 190,
            "yara_rule_name": "unknown_dropper",
            "yara_rule_author": "#evilcel3ri",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects an unknown dropper",
            "last_hit_utc": "2026-04-15 06:42:42"
        }
    ],
    "1231": [
        {
            "sample_cnt": 189,
            "yara_rule_name": "jackskid_ddos_botnet",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": "https://blog.xlab.qianxin.com/analysis-of-rctea-botnet/",
            "yara_rule_description": "Jackskid/RCtea DDoS botnet - all variants",
            "last_hit_utc": "2026-04-27 07:02:38"
        }
    ],
    "1232": [
        {
            "sample_cnt": 189,
            "yara_rule_name": "PE_File_pyinstaller",
            "yara_rule_author": "Didier Stevens (https://DidierStevens.com)",
            "yara_rule_reference": "https://isc.sans.edu/diary/21057",
            "yara_rule_description": "Detect PE file produced by pyinstaller",
            "last_hit_utc": "2025-12-01 20:35:13"
        }
    ],
    "1233": [
        {
            "sample_cnt": 188,
            "yara_rule_name": "INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing potential Windows Defender anti-emulation checks",
            "last_hit_utc": "2021-07-10 09:14:26"
        }
    ],
    "1234": [
        {
            "sample_cnt": 188,
            "yara_rule_name": "iso_lnk",
            "yara_rule_author": "tdawg",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-16 10:20:02"
        }
    ],
    "1235": [
        {
            "sample_cnt": 188,
            "yara_rule_name": "win_azorult_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.azorult.",
            "last_hit_utc": "2022-10-26 13:47:04"
        }
    ],
    "1236": [
        {
            "sample_cnt": 187,
            "yara_rule_name": "Check_Qemu_DeviceMap",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 06:27:39"
        }
    ],
    "1237": [
        {
            "sample_cnt": 187,
            "yara_rule_name": "MALWARE_Win_Amadey",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Amadey downloader payload",
            "last_hit_utc": "2025-11-16 17:31:25"
        }
    ],
    "1238": [
        {
            "sample_cnt": 187,
            "yara_rule_name": "MALWARE_Win_RedLineDropperAHK",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AutoIt/AutoHotKey executables dropping RedLine infostealer",
            "last_hit_utc": "2023-05-17 12:45:04"
        }
    ],
    "1239": [
        {
            "sample_cnt": 187,
            "yara_rule_name": "suspicious_PEs",
            "yara_rule_author": "txc",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects suspicious PE files, based on high entropy and a low number of imported DLLs. This behaviour indicates packed files or files that hide their true intention.",
            "last_hit_utc": "2026-04-26 16:39:27"
        }
    ],
    "1240": [
        {
            "sample_cnt": 187,
            "yara_rule_name": "Ursnif",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "1241": [
        {
            "sample_cnt": 186,
            "yara_rule_name": "MALWARE_Win_StormKitty",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects StormKitty infostealer",
            "last_hit_utc": "2026-03-13 15:58:16"
        }
    ],
    "1242": [
        {
            "sample_cnt": 185,
            "yara_rule_name": "crime_win32_banker_iceid_ldr1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "twitter",
            "yara_rule_description": "Detects IcedId/BokBot png loader (unpacked)",
            "last_hit_utc": "2025-01-05 17:23:48"
        }
    ],
    "1243": [
        {
            "sample_cnt": 185,
            "yara_rule_name": "Linux_Trojan_Mirai_637f2c04",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 09:55:44"
        }
    ],
    "1244": [
        {
            "sample_cnt": 185,
            "yara_rule_name": "SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg",
            "yara_rule_description": "Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments",
            "last_hit_utc": "2025-11-10 08:46:18"
        }
    ],
    "1245": [
        {
            "sample_cnt": 185,
            "yara_rule_name": "win_evilconwi_w0",
            "yara_rule_author": "Karsten Hahn @ G DATA CyberDefense",
            "yara_rule_reference": null,
            "yara_rule_description": "Settings from app.config that hide the connection of the client. These settings are potentially unwanted",
            "last_hit_utc": "2026-04-26 20:39:23"
        }
    ],
    "1246": [
        {
            "sample_cnt": 184,
            "yara_rule_name": "MALWARE_Win_RedLineDropperAHK",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects AutoIt/AutoHotKey executables dropping RedLine infostealer",
            "last_hit_utc": "2021-12-26 01:29:11"
        }
    ],
    "1247": [
        {
            "sample_cnt": 183,
            "yara_rule_name": "elf_bashlite_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects elf.bashlite.",
            "last_hit_utc": "2022-11-02 20:50:07"
        }
    ],
    "1248": [
        {
            "sample_cnt": 183,
            "yara_rule_name": "Find_Any_Xll_Files",
            "yara_rule_author": "David Ledbetter @Ledtech3",
            "yara_rule_reference": null,
            "yara_rule_description": "Find Any XLL File",
            "last_hit_utc": "2026-04-06 09:49:12"
        }
    ],
    "1249": [
        {
            "sample_cnt": 183,
            "yara_rule_name": "Multi_Trojan_Sliver_3bde542d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-30 16:58:16"
        }
    ],
    "1250": [
        {
            "sample_cnt": 183,
            "yara_rule_name": "SUSP_LNK_CMD",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the reference to cmd.exe inside an lnk file, which is suspicious",
            "last_hit_utc": "2022-11-14 13:51:03"
        }
    ],
    "1251": [
        {
            "sample_cnt": 182,
            "yara_rule_name": "Azorult",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Azorult in memory",
            "last_hit_utc": "2025-11-23 15:28:24"
        }
    ],
    "1252": [
        {
            "sample_cnt": 182,
            "yara_rule_name": "Costura_Protobuf",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Costura and Protobuf in .NET assemblies, respectively for storing resources and (de)serialization. Seen together might indicate a suspect binary.",
            "last_hit_utc": "2026-04-16 05:49:34"
        }
    ],
    "1253": [
        {
            "sample_cnt": 182,
            "yara_rule_name": "LokiPWS",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LokiBot",
            "last_hit_utc": "2026-04-23 02:11:49"
        }
    ],
    "1254": [
        {
            "sample_cnt": 182,
            "yara_rule_name": "Stealc",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Stealc Payload",
            "last_hit_utc": "2026-04-09 16:07:32"
        }
    ],
    "1255": [
        {
            "sample_cnt": 181,
            "yara_rule_name": "reverse_http",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": "",
            "yara_rule_description": "Identify strings with http reversed (ptth)",
            "last_hit_utc": "2022-11-25 01:13:03"
        }
    ],
    "1256": [
        {
            "sample_cnt": 181,
            "yara_rule_name": "Unknown_Malware_Sample_Jul17_2_RID326D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/iqH8CK",
            "yara_rule_description": "Detects unknown malware sample with pastebin RAW URL",
            "last_hit_utc": "2026-03-31 04:01:22"
        }
    ],
    "1257": [
        {
            "sample_cnt": 180,
            "yara_rule_name": "Multi_Trojan_Bishopsliver_42298c4a",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 11:09:29"
        }
    ],
    "1258": [
        {
            "sample_cnt": 180,
            "yara_rule_name": "Multi_Trojan_Sliver_42298c4a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 11:09:29"
        }
    ],
    "1259": [
        {
            "sample_cnt": 180,
            "yara_rule_name": "Runtime_Broker_Variant_1",
            "yara_rule_author": "Sn0wFr0$t",
            "yara_rule_reference": null,
            "yara_rule_description": "Detecting malicious Runtime Broker",
            "last_hit_utc": "2026-04-26 19:32:24"
        }
    ],
    "1260": [
        {
            "sample_cnt": 179,
            "yara_rule_name": "CHM_File_Executes_JS_Via_PowerShell",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell",
            "last_hit_utc": "2026-04-27 07:25:40"
        }
    ],
    "1261": [
        {
            "sample_cnt": 179,
            "yara_rule_name": "MAL_Neshta_Generic",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Neshta malware",
            "last_hit_utc": "2025-01-05 15:31:13"
        }
    ],
    "1262": [
        {
            "sample_cnt": 179,
            "yara_rule_name": "qbot_bashlite_gafgyt_botnet",
            "yara_rule_author": "bozer",
            "yara_rule_reference": null,
            "yara_rule_description": "Use to detect qbot/gafgyt/bashlite botnet, and there variants.",
            "last_hit_utc": "2025-01-05 17:15:19"
        }
    ],
    "1263": [
        {
            "sample_cnt": 178,
            "yara_rule_name": "SUSP_PS1_FromBase64String_Content_Indicator_RID3714",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639",
            "yara_rule_description": "Detects suspicious base64 encoded PowerShell expressions",
            "last_hit_utc": "2026-04-19 02:46:34"
        }
    ],
    "1264": [
        {
            "sample_cnt": 177,
            "yara_rule_name": "CobaltStrikeBeacon",
            "yara_rule_author": "ditekshen, enzo & Elastic",
            "yara_rule_reference": "",
            "yara_rule_description": "Cobalt Strike Beacon Payload",
            "last_hit_utc": "2023-06-29 20:36:03"
        }
    ],
    "1265": [
        {
            "sample_cnt": 176,
            "yara_rule_name": "ach_202412_elf_hailbot",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HailBot ELF files",
            "last_hit_utc": "2026-04-23 19:28:31"
        }
    ],
    "1266": [
        {
            "sample_cnt": 175,
            "yara_rule_name": "CobaltStrike_Unmodifed_Beacon",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unmodified CobaltStrike beacon DLL",
            "last_hit_utc": "2023-06-29 20:36:03"
        }
    ],
    "1267": [
        {
            "sample_cnt": 175,
            "yara_rule_name": "HiddenVNC",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies HiddenVNC, which can start remote sessions.",
            "last_hit_utc": "2025-08-26 13:42:44"
        }
    ],
    "1268": [
        {
            "sample_cnt": 175,
            "yara_rule_name": "IcedID",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies IcedID (stage 1 and 2, loaders).",
            "last_hit_utc": "2021-07-04 18:21:07"
        }
    ],
    "1269": [
        {
            "sample_cnt": 175,
            "yara_rule_name": "Linux_Trojan_Gafgyt_e6d75e6f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-18 05:57:47"
        }
    ],
    "1270": [
        {
            "sample_cnt": 175,
            "yara_rule_name": "PUA_Crypto_Mining_CommandLine_Indicators_Oct21",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.poolwatch.io/coin/monero",
            "yara_rule_description": "Detects command line parameters often used by crypto mining software",
            "last_hit_utc": "2025-01-05 15:03:12"
        }
    ],
    "1271": [
        {
            "sample_cnt": 175,
            "yara_rule_name": "weird_zip_high_compression_ratio",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://twitter.com/Cryptolaemus1/status/1633099154623803394",
            "yara_rule_description": "Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit",
            "last_hit_utc": "2026-04-23 11:39:31"
        }
    ],
    "1272": [
        {
            "sample_cnt": 174,
            "yara_rule_name": "aPLib_decompression",
            "yara_rule_author": "@r3c0nst",
            "yara_rule_reference": "https://ibsensoftware.com/files/aPLib-1.1.1.zip",
            "yara_rule_description": "Detects aPLib decompression code often used in malware",
            "last_hit_utc": "2026-03-31 14:40:21"
        }
    ],
    "1273": [
        {
            "sample_cnt": 174,
            "yara_rule_name": "Linux_Trojan_Pornoasset_927f314f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 15:10:36"
        }
    ],
    "1274": [
        {
            "sample_cnt": 174,
            "yara_rule_name": "Start2_net_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e",
            "yara_rule_description": "SystemBC",
            "last_hit_utc": "2026-02-13 17:32:16"
        }
    ],
    "1275": [
        {
            "sample_cnt": 174,
            "yara_rule_name": "strrat_jar_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 14:22:42"
        }
    ],
    "1276": [
        {
            "sample_cnt": 173,
            "yara_rule_name": "MAL_Emotet_Jan20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/",
            "yara_rule_description": "Detects Emotet malware",
            "last_hit_utc": "2022-11-30 06:14:44"
        }
    ],
    "1277": [
        {
            "sample_cnt": 172,
            "yara_rule_name": "CobaltStrike_C2_Encoded_XOR_Config_Indicator",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects CobaltStrike C2 encoded profile configuration",
            "last_hit_utc": "2023-06-29 20:36:04"
        }
    ],
    "1278": [
        {
            "sample_cnt": 172,
            "yara_rule_name": "MALWARE_Win_Babuk",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Babuk ransomware",
            "last_hit_utc": "2025-08-15 18:32:39"
        }
    ],
    "1279": [
        {
            "sample_cnt": 171,
            "yara_rule_name": "MAL_RTF_Embedded_OLE_PE",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/",
            "yara_rule_description": "Detects a suspicious string often used in PE files in a hex encoded object stream",
            "last_hit_utc": "2026-03-09 13:49:16"
        }
    ],
    "1280": [
        {
            "sample_cnt": 170,
            "yara_rule_name": "CS_beacon",
            "yara_rule_author": "Etienne Maynier tek@randhome.io",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "1281": [
        {
            "sample_cnt": 169,
            "yara_rule_name": "cobalt_strike_beacon_decrypted",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects cobalt strike decrypted beacons.",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "1282": [
        {
            "sample_cnt": 169,
            "yara_rule_name": "Dotnet_Hidden_Executables_Detect",
            "yara_rule_author": "Mehmet Ali Kerimoglu (@CYB3RMX)",
            "yara_rule_reference": "https://github.com/CYB3RMX/Qu1cksc0pe",
            "yara_rule_description": "This rule detects hidden PE file presence.",
            "last_hit_utc": "2025-12-13 09:41:13"
        }
    ],
    "1283": [
        {
            "sample_cnt": 169,
            "yara_rule_name": "Linux_Generic_Threat_902cfdc5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 09:32:22"
        }
    ],
    "1284": [
        {
            "sample_cnt": 169,
            "yara_rule_name": "mht_inside_word",
            "yara_rule_author": "dPhish",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect embedded mht files inside microsfot word.",
            "last_hit_utc": "2026-04-24 10:37:45"
        }
    ],
    "1285": [
        {
            "sample_cnt": 168,
            "yara_rule_name": "Bolonyokte",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "UnknownDotNet RAT - Bolonyokte",
            "last_hit_utc": "2026-04-23 09:58:24"
        }
    ],
    "1286": [
        {
            "sample_cnt": 168,
            "yara_rule_name": "win_qakbot_malped",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.qakbot.",
            "last_hit_utc": "2022-11-22 21:15:09"
        }
    ],
    "1287": [
        {
            "sample_cnt": 167,
            "yara_rule_name": "Check_VBox_VideoDrivers",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 09:45:41"
        }
    ],
    "1288": [
        {
            "sample_cnt": 167,
            "yara_rule_name": "win_azorult_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-02-04 05:12:11"
        }
    ],
    "1289": [
        {
            "sample_cnt": 166,
            "yara_rule_name": "APT_Lazarus_Loader_Dec_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect loader used by Lazarus group in december 2020",
            "last_hit_utc": "2026-04-05 13:44:16"
        }
    ],
    "1290": [
        {
            "sample_cnt": 165,
            "yara_rule_name": "Linux_Trojan_Tsunami_ad60d7e8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 16:12:29"
        }
    ],
    "1291": [
        {
            "sample_cnt": 165,
            "yara_rule_name": "Parallax",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Parallax RAT.",
            "last_hit_utc": "2022-11-09 13:10:05"
        }
    ],
    "1292": [
        {
            "sample_cnt": 165,
            "yara_rule_name": "RansomPyShield_Antiransomware",
            "yara_rule_author": "XiAnzheng",
            "yara_rule_reference": null,
            "yara_rule_description": "Checking for malicious import combination that common Ransomware mostly use",
            "last_hit_utc": "2025-01-03 21:59:49"
        }
    ],
    "1293": [
        {
            "sample_cnt": 165,
            "yara_rule_name": "Windows_Trojan_AgentTesla_d3ac2b2f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-12-07 13:54:05"
        }
    ],
    "1294": [
        {
            "sample_cnt": 164,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_B64_Artifacts",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.",
            "last_hit_utc": "2022-11-26 05:47:05"
        }
    ],
    "1295": [
        {
            "sample_cnt": 164,
            "yara_rule_name": "win_netwire_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.netwire.",
            "last_hit_utc": "2022-11-23 21:25:04"
        }
    ],
    "1296": [
        {
            "sample_cnt": 163,
            "yara_rule_name": "INDICATOR_EXE_Packed_Enigma",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with Enigma",
            "last_hit_utc": "2026-04-09 13:56:37"
        }
    ],
    "1297": [
        {
            "sample_cnt": 163,
            "yara_rule_name": "INDICATOR_TOOL_Sliver",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Sliver implant cross-platform adversary emulation/red team",
            "last_hit_utc": "2026-03-30 16:58:16"
        }
    ],
    "1298": [
        {
            "sample_cnt": 163,
            "yara_rule_name": "multiple_concats_in_excel4_enjoy_the_silence",
            "yara_rule_author": "Will Metcalf",
            "yara_rule_reference": "https://www.youtube.com/watch?v=2sd7MQVofYc",
            "yara_rule_description": "Behold The Great And Powerful Match Iterator. Multiple Concats with register Function SILENT BUILDER EDITION",
            "last_hit_utc": "2022-05-31 06:33:22"
        }
    ],
    "1299": [
        {
            "sample_cnt": 163,
            "yara_rule_name": "win_isfb_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.isfb.",
            "last_hit_utc": "2025-01-05 16:29:53"
        }
    ],
    "1300": [
        {
            "sample_cnt": 163,
            "yara_rule_name": "win_sliver_w0",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Sliver implant cross-platform adversary emulation/red team",
            "last_hit_utc": "2026-03-30 16:58:17"
        }
    ],
    "1301": [
        {
            "sample_cnt": 162,
            "yara_rule_name": "Agent_BTZ",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 22:16:19"
        }
    ],
    "1302": [
        {
            "sample_cnt": 162,
            "yara_rule_name": "MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/",
            "yara_rule_description": "Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group",
            "last_hit_utc": "2026-04-06 08:03:23"
        }
    ],
    "1303": [
        {
            "sample_cnt": 162,
            "yara_rule_name": "Sliver__Implant_32bit",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-30 16:58:17"
        }
    ],
    "1304": [
        {
            "sample_cnt": 161,
            "yara_rule_name": "EXE_Stealer_StealC_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:21:46"
        }
    ],
    "1305": [
        {
            "sample_cnt": 161,
            "yara_rule_name": "StealcV2",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Stealc V2 Payload",
            "last_hit_utc": "2026-04-25 21:08:49"
        }
    ],
    "1306": [
        {
            "sample_cnt": 161,
            "yara_rule_name": "Windows_Generic_Threat_2bba6bae",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-24 16:27:28"
        }
    ],
    "1307": [
        {
            "sample_cnt": 160,
            "yara_rule_name": "CobaltStrike_Sleeve_BeaconLoader_x64_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6",
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "1308": [
        {
            "sample_cnt": 160,
            "yara_rule_name": "CobaltStrike__Sleeve_BeaconLoader_x64_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:44:37"
        }
    ],
    "1309": [
        {
            "sample_cnt": 160,
            "yara_rule_name": "MALWARE_Win_DanaBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects DanaBot variants",
            "last_hit_utc": "2025-07-30 18:32:26"
        }
    ],
    "1310": [
        {
            "sample_cnt": 160,
            "yara_rule_name": "Windows_Trojan_Lumma_4ad749b0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 13:19:29"
        }
    ],
    "1311": [
        {
            "sample_cnt": 160,
            "yara_rule_name": "win_neshta_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-08-19 15:38:29"
        }
    ],
    "1312": [
        {
            "sample_cnt": 159,
            "yara_rule_name": "Fareit",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Fareit Payload",
            "last_hit_utc": "2026-02-22 02:50:13"
        }
    ],
    "1313": [
        {
            "sample_cnt": 159,
            "yara_rule_name": "INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2026-01-01 01:42:17"
        }
    ],
    "1314": [
        {
            "sample_cnt": 159,
            "yara_rule_name": "MALWARE_BAT_KoadicBAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Koadic post-exploitation framework BAT payload",
            "last_hit_utc": "2026-01-01 15:37:13"
        }
    ],
    "1315": [
        {
            "sample_cnt": 159,
            "yara_rule_name": "Start2_overlap_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e",
            "yara_rule_description": "SystemBC",
            "last_hit_utc": "2026-02-13 17:32:16"
        }
    ],
    "1316": [
        {
            "sample_cnt": 159,
            "yara_rule_name": "Windows_Generic_Threat_d7b57912",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 14:29:53"
        }
    ],
    "1317": [
        {
            "sample_cnt": 159,
            "yara_rule_name": "win_xworm_simple_strings",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects simple strings present in unobfuscated xworm",
            "last_hit_utc": "2026-04-01 21:29:30"
        }
    ],
    "1318": [
        {
            "sample_cnt": 158,
            "yara_rule_name": "Destructive_Ransomware_Gen1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
            "yara_rule_description": "Detects destructive malware",
            "last_hit_utc": "2025-08-20 16:12:50"
        }
    ],
    "1319": [
        {
            "sample_cnt": 158,
            "yara_rule_name": "Rozena",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 10:33:41"
        }
    ],
    "1320": [
        {
            "sample_cnt": 158,
            "yara_rule_name": "Windows_Generic_Threat_3055c14a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 21:44:29"
        }
    ],
    "1321": [
        {
            "sample_cnt": 158,
            "yara_rule_name": "win_ave_maria_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-08 07:48:09"
        }
    ],
    "1322": [
        {
            "sample_cnt": 157,
            "yara_rule_name": "AlternativesExample1",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 10:55:41"
        }
    ],
    "1323": [
        {
            "sample_cnt": 157,
            "yara_rule_name": "Qbot",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule to Detect Qbot",
            "last_hit_utc": "2026-04-20 12:30:50"
        }
    ],
    "1324": [
        {
            "sample_cnt": 157,
            "yara_rule_name": "vbaproject_bin",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": "",
            "yara_rule_description": "{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time",
            "last_hit_utc": "2022-11-21 07:46:04"
        }
    ],
    "1325": [
        {
            "sample_cnt": 156,
            "yara_rule_name": "Record_Breaker_Similarities",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-29 03:57:31"
        }
    ],
    "1326": [
        {
            "sample_cnt": 156,
            "yara_rule_name": "SUSP_RAR_with_PDF_Script_Obfuscation",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects RAR file with suspicious .pdf extension prefix to trick users",
            "last_hit_utc": "2025-01-05 15:27:23"
        }
    ],
    "1327": [
        {
            "sample_cnt": 156,
            "yara_rule_name": "test_rule_vldslv",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 16:05:01"
        }
    ],
    "1328": [
        {
            "sample_cnt": 156,
            "yara_rule_name": "win_smominru_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.smominru.",
            "last_hit_utc": "2023-03-09 18:32:46"
        }
    ],
    "1329": [
        {
            "sample_cnt": 155,
            "yara_rule_name": "MALWARE_Win_PWSH_PoshKeylogger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PowerShell PoshKeylogger",
            "last_hit_utc": "2023-10-22 18:11:30"
        }
    ],
    "1330": [
        {
            "sample_cnt": 155,
            "yara_rule_name": "shad0w_beacon_16June",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://github.com/bats3c/shad0w",
            "yara_rule_description": "Shad0w beacon compressed",
            "last_hit_utc": "2026-03-10 16:56:17"
        }
    ],
    "1331": [
        {
            "sample_cnt": 154,
            "yara_rule_name": "win_dbatloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-11-28 17:22:15"
        }
    ],
    "1332": [
        {
            "sample_cnt": 152,
            "yara_rule_name": "RevengeRAT_Sep17",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects RevengeRAT malware",
            "last_hit_utc": "2025-01-05 15:27:40"
        }
    ],
    "1333": [
        {
            "sample_cnt": 151,
            "yara_rule_name": "Certutil_Decode_OR_Download",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Certutil Decode",
            "last_hit_utc": "2026-03-12 20:54:18"
        }
    ],
    "1334": [
        {
            "sample_cnt": 151,
            "yara_rule_name": "CS_beacon",
            "yara_rule_author": "Etienne Maynier tek@randhome.io",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-06-29 20:36:03"
        }
    ],
    "1335": [
        {
            "sample_cnt": 151,
            "yara_rule_name": "Linux_Trojan_Kinsing_2c1ffe78",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-27 13:52:18"
        }
    ],
    "1336": [
        {
            "sample_cnt": 150,
            "yara_rule_name": "Cobaltbaltstrike_strike_Payload_XORed",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2025-01-05 15:13:15"
        }
    ],
    "1337": [
        {
            "sample_cnt": 150,
            "yara_rule_name": "mpress_2_xx_x86",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "MPRESS v2.XX x86  - no .NET",
            "last_hit_utc": "2026-04-20 23:19:27"
        }
    ],
    "1338": [
        {
            "sample_cnt": 150,
            "yara_rule_name": "win_malumpos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-01-20 14:40:06"
        }
    ],
    "1339": [
        {
            "sample_cnt": 150,
            "yara_rule_name": "win_zloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-15 06:21:08"
        }
    ],
    "1340": [
        {
            "sample_cnt": 148,
            "yara_rule_name": "MAL_IcedID_GZIP_LDR_202104",
            "yara_rule_author": "Thomas Barabosch, Telekom Security",
            "yara_rule_reference": "https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240",
            "yara_rule_description": "2021 initial Bokbot / Icedid loader for fake GZIP payloads",
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "1341": [
        {
            "sample_cnt": 148,
            "yara_rule_name": "SUSP_VBS_in_ISO",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ISO files that contain VBS functions",
            "last_hit_utc": "2026-04-19 02:33:33"
        }
    ],
    "1342": [
        {
            "sample_cnt": 147,
            "yara_rule_name": "Discord_APIs",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-29 19:36:59"
        }
    ],
    "1343": [
        {
            "sample_cnt": 147,
            "yara_rule_name": "Linux_Trojan_Mirai_449937aa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 06:38:33"
        }
    ],
    "1344": [
        {
            "sample_cnt": 147,
            "yara_rule_name": "Multi_Ransomware_Akira_21842eb3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-11 19:28:13"
        }
    ],
    "1345": [
        {
            "sample_cnt": 146,
            "yara_rule_name": "MALWARE_Win_Akira",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Akira Ransomware Windows",
            "last_hit_utc": "2025-08-26 09:08:40"
        }
    ],
    "1346": [
        {
            "sample_cnt": 146,
            "yara_rule_name": "MAL_packer_lb_was_detected",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect the packer used by Lockbit4.0",
            "last_hit_utc": "2026-04-25 21:44:28"
        }
    ],
    "1347": [
        {
            "sample_cnt": 145,
            "yara_rule_name": "crime_win64_bumbleebee_loader_packed",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-13 17:07:04"
        }
    ],
    "1348": [
        {
            "sample_cnt": 145,
            "yara_rule_name": "EXT_EXPL_ZTH_LNK_EXPLOIT_A",
            "yara_rule_author": "Peter Girnus",
            "yara_rule_reference": "https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html",
            "yara_rule_description": "This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.",
            "last_hit_utc": "2026-04-26 17:30:25"
        }
    ],
    "1349": [
        {
            "sample_cnt": 145,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_ClearWinLogs",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing commands for clearing Windows Event Logs",
            "last_hit_utc": "2026-04-15 11:33:58"
        }
    ],
    "1350": [
        {
            "sample_cnt": 145,
            "yara_rule_name": "PowerShell_Case_Anomaly",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/danielhbohannon/status/905096106924761088",
            "yara_rule_description": "Detects obfuscated PowerShell hacktools",
            "last_hit_utc": "2022-05-05 10:28:02"
        }
    ],
    "1351": [
        {
            "sample_cnt": 145,
            "yara_rule_name": "Telegram_bot_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "Telegram in files like avemaria",
            "last_hit_utc": "2022-11-17 22:41:03"
        }
    ],
    "1352": [
        {
            "sample_cnt": 145,
            "yara_rule_name": "win_remcos_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-04 13:54:15"
        }
    ],
    "1353": [
        {
            "sample_cnt": 144,
            "yara_rule_name": "Mimikatz_Strings_RID2DA0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Detects Mimikatz strings",
            "last_hit_utc": "2026-04-27 05:18:17"
        }
    ],
    "1354": [
        {
            "sample_cnt": 144,
            "yara_rule_name": "Win32_Trojan_Emotet",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Emotet trojan.",
            "last_hit_utc": "2023-01-19 18:45:15"
        }
    ],
    "1355": [
        {
            "sample_cnt": 144,
            "yara_rule_name": "win_nymaim_g0",
            "yara_rule_author": "mak, msm, CERT.pl",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-23 14:38:11"
        }
    ],
    "1356": [
        {
            "sample_cnt": 143,
            "yara_rule_name": "generic_IG_stealer",
            "yara_rule_author": "RE4rensics",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects stealers that interact with IG endpoints after stealing IG cookies",
            "last_hit_utc": "2026-03-07 18:44:15"
        }
    ],
    "1357": [
        {
            "sample_cnt": 143,
            "yara_rule_name": "Linux_Trojan_Ircbot_bb204b81",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:42:33"
        }
    ],
    "1358": [
        {
            "sample_cnt": 143,
            "yara_rule_name": "NSIS_GuLoader",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GuLoader using NSIS",
            "last_hit_utc": "2025-01-03 21:14:57"
        }
    ],
    "1359": [
        {
            "sample_cnt": 143,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_ee756db7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Attempts to detect Cobalt Strike based on strings found in BEACON",
            "last_hit_utc": "2026-04-27 04:44:39"
        }
    ],
    "1360": [
        {
            "sample_cnt": 143,
            "yara_rule_name": "win_cannon_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-07-07 14:51:15"
        }
    ],
    "1361": [
        {
            "sample_cnt": 142,
            "yara_rule_name": "PyInstaller_Packed_April_2024",
            "yara_rule_author": "NDA0N",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files packed with PyInstaller",
            "last_hit_utc": "2025-01-05 17:35:29"
        }
    ],
    "1362": [
        {
            "sample_cnt": 142,
            "yara_rule_name": "win_pony_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.pony.",
            "last_hit_utc": "2026-04-15 11:48:00"
        }
    ],
    "1363": [
        {
            "sample_cnt": 142,
            "yara_rule_name": "win_pony_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.pony.",
            "last_hit_utc": "2022-11-24 17:32:02"
        }
    ],
    "1364": [
        {
            "sample_cnt": 142,
            "yara_rule_name": "XWorm_3_0_3_1_Detection",
            "yara_rule_author": "Archevod",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects XWorm versions 3.0 and 3.1",
            "last_hit_utc": "2026-04-22 17:54:14"
        }
    ],
    "1365": [
        {
            "sample_cnt": 141,
            "yara_rule_name": "ach_Heodo_doc_20200729",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/3e19b488ac74f18d76a90837b59e00f1/",
            "yara_rule_description": "Detects Heodo DOC",
            "last_hit_utc": "2020-12-11 18:08:19"
        }
    ],
    "1366": [
        {
            "sample_cnt": 141,
            "yara_rule_name": "Azorult",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Azorult Payload",
            "last_hit_utc": "2022-11-04 20:22:04"
        }
    ],
    "1367": [
        {
            "sample_cnt": 141,
            "yara_rule_name": "Redline32",
            "yara_rule_author": "Muffin",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects Redline Stealer",
            "last_hit_utc": "2024-05-26 01:52:03"
        }
    ],
    "1368": [
        {
            "sample_cnt": 141,
            "yara_rule_name": "win_m0yv_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.m0yv.",
            "last_hit_utc": "2026-04-11 11:03:43"
        }
    ],
    "1369": [
        {
            "sample_cnt": 140,
            "yara_rule_name": "gorilla_keykey",
            "yara_rule_author": "Your Name",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects specific hex string in a file",
            "last_hit_utc": "2025-08-01 06:04:23"
        }
    ],
    "1370": [
        {
            "sample_cnt": 140,
            "yara_rule_name": "SUSP_GObfuscate_May21",
            "yara_rule_author": "James Quinn, Paul Hager (merged with new similar pattern)",
            "yara_rule_reference": "https://github.com/unixpickle/gobfuscate",
            "yara_rule_description": "Identifies binaries obfuscated with gobfuscate",
            "last_hit_utc": "2026-04-08 08:19:33"
        }
    ],
    "1371": [
        {
            "sample_cnt": 140,
            "yara_rule_name": "venomrat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-28 23:38:16"
        }
    ],
    "1372": [
        {
            "sample_cnt": 139,
            "yara_rule_name": "Codoso_Gh0st_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT Gh0st Malware",
            "last_hit_utc": "2026-03-23 08:46:22"
        }
    ],
    "1373": [
        {
            "sample_cnt": 139,
            "yara_rule_name": "EnigmaProtector1XSukhovVladimirSergeNMarkin",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-22 06:30:38"
        }
    ],
    "1374": [
        {
            "sample_cnt": 139,
            "yara_rule_name": "hancitor_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-15 06:19:04"
        }
    ],
    "1375": [
        {
            "sample_cnt": 139,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell content designed to retrieve passwords from host",
            "last_hit_utc": "2021-06-22 11:04:43"
        }
    ],
    "1376": [
        {
            "sample_cnt": 139,
            "yara_rule_name": "Mal_LNX_Mozi_Botnet_ELF",
            "yara_rule_author": "Phatcharadol Thangplub",
            "yara_rule_reference": null,
            "yara_rule_description": "Use to detect Mozi botnet.",
            "last_hit_utc": "2026-04-18 17:43:44"
        }
    ],
    "1377": [
        {
            "sample_cnt": 139,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_f0b627fc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for beacon reflective loader",
            "last_hit_utc": "2026-04-24 11:17:30"
        }
    ],
    "1378": [
        {
            "sample_cnt": 139,
            "yara_rule_name": "yarahub_win_njrat_bytecodes_V2_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-14 09:11:16"
        }
    ],
    "1379": [
        {
            "sample_cnt": 138,
            "yara_rule_name": "ach_TrickBot_xlsm_20210324",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/7cc15e9e54b0dbaf6c6075b373eda02b/",
            "yara_rule_description": "Detects TrickBot xlsm",
            "last_hit_utc": "2025-11-05 13:47:33"
        }
    ],
    "1380": [
        {
            "sample_cnt": 138,
            "yara_rule_name": "Embedded_PE",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-09-11 08:27:34"
        }
    ],
    "1381": [
        {
            "sample_cnt": 138,
            "yara_rule_name": "EXE_Virus_Neshta_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 15:18:28"
        }
    ],
    "1382": [
        {
            "sample_cnt": 138,
            "yara_rule_name": "Windows_Ransomware_Akira_c8c298ba",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-26 09:08:40"
        }
    ],
    "1383": [
        {
            "sample_cnt": 138,
            "yara_rule_name": "Windows_Trojan_Pony_d5516fe8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-15 11:48:00"
        }
    ],
    "1384": [
        {
            "sample_cnt": 138,
            "yara_rule_name": "win_redline_stealer_bytecodes_sep_203",
            "yara_rule_author": "Matthew @embee_research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:53:57"
        }
    ],
    "1385": [
        {
            "sample_cnt": 137,
            "yara_rule_name": "IcedIDStage1",
            "yara_rule_author": "kevoreilly, threathive, enzo",
            "yara_rule_reference": null,
            "yara_rule_description": "IcedID Payload",
            "last_hit_utc": "2025-02-20 02:17:21"
        }
    ],
    "1386": [
        {
            "sample_cnt": 136,
            "yara_rule_name": "BruteSyscallHashes",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-20 23:19:23"
        }
    ],
    "1387": [
        {
            "sample_cnt": 136,
            "yara_rule_name": "IDATDropper",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).",
            "last_hit_utc": "2025-08-13 07:18:24"
        }
    ],
    "1388": [
        {
            "sample_cnt": 136,
            "yara_rule_name": "win_brute_ratel_c4_w0",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-20 23:19:24"
        }
    ],
    "1389": [
        {
            "sample_cnt": 136,
            "yara_rule_name": "win_spider_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.spider_rat.",
            "last_hit_utc": "2022-11-10 15:41:04"
        }
    ],
    "1390": [
        {
            "sample_cnt": 135,
            "yara_rule_name": "DevCv5",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 05:31:14"
        }
    ],
    "1391": [
        {
            "sample_cnt": 135,
            "yara_rule_name": "HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
            "yara_rule_description": "Detects strings found in CobaltStrike shellcode",
            "last_hit_utc": "2025-01-05 15:04:02"
        }
    ],
    "1392": [
        {
            "sample_cnt": 135,
            "yara_rule_name": "Linux_Trojan_Mirai_ac253e4f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-18 17:43:43"
        }
    ],
    "1393": [
        {
            "sample_cnt": 135,
            "yara_rule_name": "MALWARE_Win_CobaltStrike",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "CobaltStrike payload",
            "last_hit_utc": "2023-06-29 20:36:03"
        }
    ],
    "1394": [
        {
            "sample_cnt": 135,
            "yara_rule_name": "MALWARE_Win_DLAgent10",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects known downloader agent",
            "last_hit_utc": "2026-04-01 14:50:24"
        }
    ],
    "1395": [
        {
            "sample_cnt": 135,
            "yara_rule_name": "onenote_maldocs",
            "yara_rule_author": "Stuart Gonzalez",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:46:55"
        }
    ],
    "1396": [
        {
            "sample_cnt": 135,
            "yara_rule_name": "RansomPyShield_Antiransomware",
            "yara_rule_author": "XiAnzheng",
            "yara_rule_reference": null,
            "yara_rule_description": "Checks for a malicious import combination that ransomware mostly uses (can create false positives)",
            "last_hit_utc": "2025-01-03 22:00:07"
        }
    ],
    "1397": [
        {
            "sample_cnt": 135,
            "yara_rule_name": "Script_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies scripting artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2022-11-22 21:25:03"
        }
    ],
    "1398": [
        {
            "sample_cnt": 135,
            "yara_rule_name": "Windows_Trojan_Njrat_eb2698d2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 18:36:37"
        }
    ],
    "1399": [
        {
            "sample_cnt": 134,
            "yara_rule_name": "MALWARE_Win_QuasarRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "QuasarRAT payload",
            "last_hit_utc": "2022-11-24 04:25:04"
        }
    ],
    "1400": [
        {
            "sample_cnt": 134,
            "yara_rule_name": "neshta_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 15:18:28"
        }
    ],
    "1401": [
        {
            "sample_cnt": 134,
            "yara_rule_name": "Sliver_Implant_32bit",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Sliver 32-bit implant (with and without --debug flag at compile)",
            "last_hit_utc": "2026-02-13 10:00:33"
        }
    ],
    "1402": [
        {
            "sample_cnt": 134,
            "yara_rule_name": "Stealc_unpacked_PulseIntel",
            "yara_rule_author": "PulseIntel",
            "yara_rule_reference": null,
            "yara_rule_description": "Stealc Payload",
            "last_hit_utc": "2026-03-15 08:07:20"
        }
    ],
    "1403": [
        {
            "sample_cnt": 133,
            "yara_rule_name": "BlackMoon",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BlackMoon",
            "last_hit_utc": "2026-04-24 03:31:35"
        }
    ],
    "1404": [
        {
            "sample_cnt": 133,
            "yara_rule_name": "CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x",
            "last_hit_utc": "2026-04-22 10:33:40"
        }
    ],
    "1405": [
        {
            "sample_cnt": 133,
            "yara_rule_name": "CobaltStrike__Resources_Reverse_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 10:33:40"
        }
    ],
    "1406": [
        {
            "sample_cnt": 133,
            "yara_rule_name": "Linux_Trojan_Mirai_5c62e6b2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-18 17:43:43"
        }
    ],
    "1407": [
        {
            "sample_cnt": 133,
            "yara_rule_name": "Linux_Trojan_Mirai_77137320",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-18 17:43:43"
        }
    ],
    "1408": [
        {
            "sample_cnt": 133,
            "yara_rule_name": "myGozi",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-24 05:47:03"
        }
    ],
    "1409": [
        {
            "sample_cnt": 132,
            "yara_rule_name": "ACE_Containing_EXE",
            "yara_rule_author": "Florian Roth (Nextron Systems) - based on Nick Hoffman' rule - Morphick Inc",
            "yara_rule_reference": null,
            "yara_rule_description": "Looks for ACE Archives containing an exe/scr file",
            "last_hit_utc": "2026-04-21 09:12:27"
        }
    ],
    "1410": [
        {
            "sample_cnt": 132,
            "yara_rule_name": "aix",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "AIX binary",
            "last_hit_utc": "2026-04-23 16:35:35"
        }
    ],
    "1411": [
        {
            "sample_cnt": 132,
            "yara_rule_name": "bitrat_unpacked",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/",
            "yara_rule_description": "Experimental rule to detect unpacked BitRat payloads on disk or in memory, looking for a combination of strings and decryption/decoding patterns",
            "last_hit_utc": "2026-01-22 05:24:29"
        }
    ],
    "1412": [
        {
            "sample_cnt": 132,
            "yara_rule_name": "masslogger_gcch",
            "yara_rule_author": "govcert_ch",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-17 08:28:21"
        }
    ],
    "1413": [
        {
            "sample_cnt": 132,
            "yara_rule_name": "multiple_concats_in_excel4_formula_exec_1",
            "yara_rule_author": "Will Metcalf",
            "yara_rule_reference": "https://blog.reversinglabs.com/blog/excel-4.0-macros",
            "yara_rule_description": "Behold The Great And Powerful Match Iterator. Multiple Concats Inside of exec Function",
            "last_hit_utc": "2022-07-13 08:08:02"
        }
    ],
    "1414": [
        {
            "sample_cnt": 132,
            "yara_rule_name": "RAT_win_njrat",
            "yara_rule_author": "KrknSec",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat",
            "yara_rule_description": "Detects njRAT binaries.",
            "last_hit_utc": "2026-03-28 21:41:06"
        }
    ],
    "1415": [
        {
            "sample_cnt": 132,
            "yara_rule_name": "win_dridex_loader_v2",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": "",
            "yara_rule_description": "detects some Dridex loaders",
            "last_hit_utc": "2022-10-13 09:39:02"
        }
    ],
    "1416": [
        {
            "sample_cnt": 132,
            "yara_rule_name": "win_masslogger_w0",
            "yara_rule_author": "govcert_ch",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-17 08:28:21"
        }
    ],
    "1417": [
        {
            "sample_cnt": 131,
            "yara_rule_name": "MALWARE_Win_HyperBro03",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunt HyperBro IronTiger / LuckyMouse / APT27 malware",
            "last_hit_utc": "2021-07-09 13:06:05"
        }
    ],
    "1418": [
        {
            "sample_cnt": 131,
            "yara_rule_name": "SUSP_VBS_Wscript_Shell",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the definition of 'Wscript.Shell', which is often used by malware; false positives are possible and common",
            "last_hit_utc": "2022-11-25 17:04:03"
        }
    ],
    "1419": [
        {
            "sample_cnt": 131,
            "yara_rule_name": "Unknown_Malware_Sample_Jul17_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/iqH8CK",
            "yara_rule_description": "Detects unknown malware sample with pastebin RAW URL",
            "last_hit_utc": "2026-03-31 04:01:22"
        }
    ],
    "1420": [
        {
            "sample_cnt": 130,
            "yara_rule_name": "linux_generic_p2p_catcher",
            "yara_rule_author": "@_lubiedo",
            "yara_rule_reference": "",
            "yara_rule_description": "Generic catcher for P2P capable linux ELFs",
            "last_hit_utc": "2022-10-21 17:43:04"
        }
    ],
    "1421": [
        {
            "sample_cnt": 130,
            "yara_rule_name": "Win32_Ransomware_Kovter",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Kovter ransomware.",
            "last_hit_utc": "2025-01-05 16:06:30"
        }
    ],
    "1422": [
        {
            "sample_cnt": 130,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_b54b94ac",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for beacon sleep obfuscation routine",
            "last_hit_utc": "2026-03-16 02:55:23"
        }
    ],
    "1423": [
        {
            "sample_cnt": 129,
            "yara_rule_name": "MALWARE_Win_Nitol",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Nitol backdoor",
            "last_hit_utc": "2026-02-12 13:55:23"
        }
    ],
    "1424": [
        {
            "sample_cnt": 129,
            "yara_rule_name": "Windows_Trojan_Remcos_921ef449",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 17:52:43"
        }
    ],
    "1425": [
        {
            "sample_cnt": 128,
            "yara_rule_name": "Destructive_Ransomware_Gen1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
            "yara_rule_description": "Detects destructive malware",
            "last_hit_utc": "2026-04-12 14:19:22"
        }
    ],
    "1426": [
        {
            "sample_cnt": 128,
            "yara_rule_name": "linux_generic_p2p_catcher",
            "yara_rule_author": "@_lubiedo",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic catcher for P2P capable linux ELFs",
            "last_hit_utc": "2026-04-18 17:43:43"
        }
    ],
    "1427": [
        {
            "sample_cnt": 128,
            "yara_rule_name": "Remcos",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "detect Remcos in memory",
            "last_hit_utc": "2022-06-24 09:12:04"
        }
    ],
    "1428": [
        {
            "sample_cnt": 128,
            "yara_rule_name": "Windows_Ransomware_Ryuk_8ba51798",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
            "yara_rule_description": "Identifies RYUK ransomware",
            "last_hit_utc": "2025-04-28 05:58:09"
        }
    ],
    "1429": [
        {
            "sample_cnt": 127,
            "yara_rule_name": "AteraAgent_RemoteAdmin_April_2024",
            "yara_rule_author": "NDA0",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AteraAgent Remote Admin Tool",
            "last_hit_utc": "2025-11-04 16:42:01"
        }
    ],
    "1430": [
        {
            "sample_cnt": 127,
            "yara_rule_name": "MALWARE_Win_CoinMiner02",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects coinmining malware",
            "last_hit_utc": "2022-11-06 13:39:03"
        }
    ],
    "1431": [
        {
            "sample_cnt": 127,
            "yara_rule_name": "Windows_Generic_Threat_aeaeb5cf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 15:17:43"
        }
    ],
    "1432": [
        {
            "sample_cnt": 126,
            "yara_rule_name": "SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg",
            "yara_rule_description": "Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments",
            "last_hit_utc": "2025-11-10 08:46:18"
        }
    ],
    "1433": [
        {
            "sample_cnt": 125,
            "yara_rule_name": "CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6",
            "last_hit_utc": "2026-02-06 09:10:35"
        }
    ],
    "1434": [
        {
            "sample_cnt": 125,
            "yara_rule_name": "CobaltStrike__Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-06 09:10:35"
        }
    ],
    "1435": [
        {
            "sample_cnt": 125,
            "yara_rule_name": "IcedID_init_loader",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies IcedID (stage 1 and 2, initial loaders).",
            "last_hit_utc": "2022-11-21 12:34:05"
        }
    ],
    "1436": [
        {
            "sample_cnt": 125,
            "yara_rule_name": "Linux_Trojan_Mirai_c8385b81",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 06:07:21"
        }
    ],
    "1437": [
        {
            "sample_cnt": 125,
            "yara_rule_name": "MALWARE_Win_Arechclient2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Arechclient2 RAT",
            "last_hit_utc": "2026-03-21 13:40:25"
        }
    ],
    "1438": [
        {
            "sample_cnt": 125,
            "yara_rule_name": "PDF_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.",
            "last_hit_utc": "2026-04-27 08:47:22"
        }
    ],
    "1439": [
        {
            "sample_cnt": 125,
            "yara_rule_name": "Windows_Trojan_Smokeloader_ea14b2a5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-14 10:31:42"
        }
    ],
    "1440": [
        {
            "sample_cnt": 124,
            "yara_rule_name": "DDoS_Win32_Nitol_B",
            "yara_rule_author": "mk",
            "yara_rule_reference": null,
            "yara_rule_description": "Nitol Family",
            "last_hit_utc": "2026-04-18 17:43:43"
        }
    ],
    "1441": [
        {
            "sample_cnt": 124,
            "yara_rule_name": "IcedID",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "IcedID Payload",
            "last_hit_utc": "2021-03-27 17:42:06"
        }
    ],
    "1442": [
        {
            "sample_cnt": 124,
            "yara_rule_name": "SUSP_PowerShell_Caret_Obfuscation_2_RID347B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects powershell keyword obfuscated with carets",
            "last_hit_utc": "2025-12-18 17:34:14"
        }
    ],
    "1443": [
        {
            "sample_cnt": 124,
            "yara_rule_name": "win_njrat_bytecodes_V2_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-14 09:11:16"
        }
    ],
    "1444": [
        {
            "sample_cnt": 123,
            "yara_rule_name": "Glupteba",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-19 17:49:03"
        }
    ],
    "1445": [
        {
            "sample_cnt": 123,
            "yara_rule_name": "Malware_QA_update",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file update.exe",
            "last_hit_utc": "2026-04-26 19:07:27"
        }
    ],
    "1446": [
        {
            "sample_cnt": 123,
            "yara_rule_name": "win_kovter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-06-27 14:34:39"
        }
    ],
    "1447": [
        {
            "sample_cnt": 122,
            "yara_rule_name": "MALWARE_Win_DLInjector06",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects downloader / injector",
            "last_hit_utc": "2022-11-23 20:49:38"
        }
    ],
    "1448": [
        {
            "sample_cnt": 122,
            "yara_rule_name": "NSIS_GuLoader_July_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GuLoader packed with NSIS installer",
            "last_hit_utc": "2025-01-03 21:14:57"
        }
    ],
    "1449": [
        {
            "sample_cnt": 121,
            "yara_rule_name": "go_binary",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:34:24"
        }
    ],
    "1450": [
        {
            "sample_cnt": 121,
            "yara_rule_name": "MALWARE_Win_StormKitty",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects StormKitty infostealer",
            "last_hit_utc": "2022-11-23 10:52:03"
        }
    ],
    "1451": [
        {
            "sample_cnt": 121,
            "yara_rule_name": "Surtr",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for Surtr Stage One",
            "last_hit_utc": "2026-04-25 15:49:35"
        }
    ],
    "1452": [
        {
            "sample_cnt": 121,
            "yara_rule_name": "SurtrStrings",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "Strings for Surtr",
            "last_hit_utc": "2026-04-25 15:49:35"
        }
    ],
    "1453": [
        {
            "sample_cnt": 121,
            "yara_rule_name": "Windows_Trojan_Metasploit_91bc5d7d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-26 10:21:22"
        }
    ],
    "1454": [
        {
            "sample_cnt": 121,
            "yara_rule_name": "win_oski_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.oski.",
            "last_hit_utc": "2022-11-25 03:57:02"
        }
    ],
    "1455": [
        {
            "sample_cnt": 120,
            "yara_rule_name": "ASPackv212AlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 07:49:22"
        }
    ],
    "1456": [
        {
            "sample_cnt": 120,
            "yara_rule_name": "ASProtectV2XDLLAlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 07:49:22"
        }
    ],
    "1457": [
        {
            "sample_cnt": 120,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Discord_Regex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing Discord tokens regular expressions",
            "last_hit_utc": "2022-10-26 06:53:03"
        }
    ],
    "1458": [
        {
            "sample_cnt": 120,
            "yara_rule_name": "obfuscated_BAT",
            "yara_rule_author": "@warz_s",
            "yara_rule_reference": "https://github.com/secwarz/YaraRules",
            "yara_rule_description": "Identifies obfuscated BAT files",
            "last_hit_utc": "2026-04-27 13:28:26"
        }
    ],
    "1459": [
        {
            "sample_cnt": 120,
            "yara_rule_name": "win_oski_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-07 11:40:06"
        }
    ],
    "1460": [
        {
            "sample_cnt": 119,
            "yara_rule_name": "avemaria_rat_yhub",
            "yara_rule_author": "Billy Austin",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AveMaria RAT a.k.a. WarZone",
            "last_hit_utc": "2026-04-26 03:12:40"
        }
    ],
    "1461": [
        {
            "sample_cnt": 119,
            "yara_rule_name": "GoInjector",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Go Injector",
            "last_hit_utc": "2025-04-06 05:49:40"
        }
    ],
    "1462": [
        {
            "sample_cnt": 119,
            "yara_rule_name": "infostealer_pony",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-05-13 22:59:10"
        }
    ],
    "1463": [
        {
            "sample_cnt": 119,
            "yara_rule_name": "LinuxTsunami",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 16:12:29"
        }
    ],
    "1464": [
        {
            "sample_cnt": 119,
            "yara_rule_name": "metasploit_rev_tcp_64",
            "yara_rule_author": "Javier Rascon",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-26 10:21:21"
        }
    ],
    "1465": [
        {
            "sample_cnt": 119,
            "yara_rule_name": "Stealer_Stealc",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match instructions/strings found in Stealc",
            "last_hit_utc": "2026-03-24 16:27:28"
        }
    ],
    "1466": [
        {
            "sample_cnt": 119,
            "yara_rule_name": "TH_Generic_MassHunt_Webshells_2025_CYFARE",
            "yara_rule_author": "CYFARE",
            "yara_rule_reference": "https://cyfare.net/",
            "yara_rule_description": "Generic multi-language webshell mass-hunt rule (PHP/ASP(X)/JSP/Python/Perl/Node) - 2025",
            "last_hit_utc": "2025-11-06 10:14:14"
        }
    ],
    "1467": [
        {
            "sample_cnt": 119,
            "yara_rule_name": "win_vidar",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of Vidar Stealer and Variants via strings present in final unpacked payloads",
            "last_hit_utc": "2025-05-02 07:14:09"
        }
    ],
    "1468": [
        {
            "sample_cnt": 118,
            "yara_rule_name": "ByteCode_MSIL_Backdoor_NjRAT",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects NjRAT backdoor.",
            "last_hit_utc": "2026-04-09 07:47:29"
        }
    ],
    "1469": [
        {
            "sample_cnt": 118,
            "yara_rule_name": "lb_stack_string_decrypt_1",
            "yara_rule_author": "CTI Purple Team",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects the code pattern of the Stack Strings decryption algorithm.",
            "last_hit_utc": "2026-03-17 21:03:27"
        }
    ],
    "1470": [
        {
            "sample_cnt": 118,
            "yara_rule_name": "Windows_Ransomware_Ryuk_878bae7e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
            "yara_rule_description": "Identifies RYUK ransomware",
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "1471": [
        {
            "sample_cnt": 118,
            "yara_rule_name": "WinRAR_CVE_2025_8088_Exploit",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": "https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/",
            "yara_rule_description": "Detects RAR archives exploiting CVE-2025-8088 in WinRAR",
            "last_hit_utc": "2026-04-16 18:16:32"
        }
    ],
    "1472": [
        {
            "sample_cnt": 117,
            "yara_rule_name": "Check_Wine",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-27 20:27:20"
        }
    ],
    "1473": [
        {
            "sample_cnt": 117,
            "yara_rule_name": "enterpriseunix",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Enterprise UNIX",
            "last_hit_utc": "2021-03-02 06:50:22"
        }
    ],
    "1474": [
        {
            "sample_cnt": 117,
            "yara_rule_name": "linux_protocol_doh",
            "yara_rule_author": "@_lubiedo",
            "yara_rule_reference": null,
            "yara_rule_description": "DNS-over-HTTPS yara rule",
            "last_hit_utc": "2026-04-22 20:40:47"
        }
    ],
    "1475": [
        {
            "sample_cnt": 117,
            "yara_rule_name": "MALWARE_Win_QuasarStealer",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Quasar infostealer",
            "last_hit_utc": "2022-11-25 18:32:03"
        }
    ],
    "1476": [
        {
            "sample_cnt": 117,
            "yara_rule_name": "MALWARE_Win_zgRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects zgRAT",
            "last_hit_utc": "2022-11-25 09:42:03"
        }
    ],
    "1477": [
        {
            "sample_cnt": 117,
            "yara_rule_name": "win_blackshades_w0",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-24 22:59:45"
        }
    ],
    "1478": [
        {
            "sample_cnt": 117,
            "yara_rule_name": "win_smokeloader_a2",
            "yara_rule_author": "pnx",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-09 13:06:41"
        }
    ],
    "1479": [
        {
            "sample_cnt": 116,
            "yara_rule_name": "Detect_Golang_Binary",
            "yara_rule_author": "Andrew Morrow",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects binaries compiled with Go",
            "last_hit_utc": "2025-11-23 10:45:22"
        }
    ],
    "1480": [
        {
            "sample_cnt": 116,
            "yara_rule_name": "malware_Azorult",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Azorult in memory",
            "last_hit_utc": "2025-11-23 15:28:24"
        }
    ],
    "1481": [
        {
            "sample_cnt": 116,
            "yara_rule_name": "SUSP_PowerShell_Caret_Obfuscation_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects powershell keyword obfuscated with carets",
            "last_hit_utc": "2025-01-05 15:18:18"
        }
    ],
    "1482": [
        {
            "sample_cnt": 116,
            "yara_rule_name": "SystemBC_Config",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies SystemBC RAT, decrypted config.",
            "last_hit_utc": "2023-05-13 22:58:12"
        }
    ],
    "1483": [
        {
            "sample_cnt": 115,
            "yara_rule_name": "INDICATOR_EXE_Packed_ConfuserEx_Custom",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with ConfuserEx Custom; outside of GIT",
            "last_hit_utc": "2025-12-03 09:40:22"
        }
    ],
    "1484": [
        {
            "sample_cnt": 115,
            "yara_rule_name": "Kovter",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Kovter Payload",
            "last_hit_utc": "2025-01-05 16:06:30"
        }
    ],
    "1485": [
        {
            "sample_cnt": 115,
            "yara_rule_name": "upx_packed",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "UPX packed file",
            "last_hit_utc": "2022-12-29 21:34:56"
        }
    ],
    "1486": [
        {
            "sample_cnt": 115,
            "yara_rule_name": "Windows_Generic_Threat_7526f106",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-22 06:40:11"
        }
    ],
    "1487": [
        {
            "sample_cnt": 115,
            "yara_rule_name": "Windows_Generic_Threat_bc6ae28d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-02 22:17:12"
        }
    ],
    "1488": [
        {
            "sample_cnt": 115,
            "yara_rule_name": "win_revil_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-03-21 19:09:04"
        }
    ],
    "1489": [
        {
            "sample_cnt": 114,
            "yara_rule_name": "Hancitor",
            "yara_rule_author": "threathive",
            "yara_rule_reference": null,
            "yara_rule_description": "Hancitor Payload",
            "last_hit_utc": "2021-07-08 19:10:40"
        }
    ],
    "1490": [
        {
            "sample_cnt": 114,
            "yara_rule_name": "MALWARE_Win_FakeCaptcha_Downloader",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects downloader executables dropped by fake captcha",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "1491": [
        {
            "sample_cnt": 114,
            "yara_rule_name": "RaccoonV2",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/",
            "yara_rule_description": "Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).",
            "last_hit_utc": "2025-06-27 05:51:29"
        }
    ],
    "1492": [
        {
            "sample_cnt": 114,
            "yara_rule_name": "SUSP_Websites",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the reference of suspicious sites that might be used to download further malware",
            "last_hit_utc": "2022-11-26 07:03:04"
        }
    ],
    "1493": [
        {
            "sample_cnt": 114,
            "yara_rule_name": "upx_antiunpack_elf64",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "UPX Anti-Unpacking technique to magic renamed for ELF64",
            "last_hit_utc": "2026-04-26 13:21:32"
        }
    ],
    "1494": [
        {
            "sample_cnt": 114,
            "yara_rule_name": "Windows_Generic_Threat_2bb6f41d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 15:58:17"
        }
    ],
    "1495": [
        {
            "sample_cnt": 114,
            "yara_rule_name": "win_iceid_gzip_ldr_202104",
            "yara_rule_author": "Thomas Barabosch, Telekom Security",
            "yara_rule_reference": "",
            "yara_rule_description": "2021 initial Bokbot / Icedid loader for fake GZIP payloads",
            "last_hit_utc": "2022-11-11 14:46:03"
        }
    ],
    "1496": [
        {
            "sample_cnt": 113,
            "yara_rule_name": "Linux_Generic_Threat_aa0c23d5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:35:53"
        }
    ],
    "1497": [
        {
            "sample_cnt": 113,
            "yara_rule_name": "MAL_RANSOM_COVID19_Apr20_1_RID2ECC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/",
            "yara_rule_description": "Detects ransomware distributed in COVID-19 theme",
            "last_hit_utc": "2026-03-27 01:50:22"
        }
    ],
    "1498": [
        {
            "sample_cnt": 113,
            "yara_rule_name": "NitroRansomware",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-22 08:11:02"
        }
    ],
    "1499": [
        {
            "sample_cnt": 112,
            "yara_rule_name": "INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with ConfuserEx Mod Beds Protector",
            "last_hit_utc": "2023-01-31 12:36:27"
        }
    ],
    "1500": [
        {
            "sample_cnt": 112,
            "yara_rule_name": "MALWARE_Win_IceID",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects IceID / Bokbot variants",
            "last_hit_utc": "2022-11-21 12:34:06"
        }
    ],
    "1501": [
        {
            "sample_cnt": 112,
            "yara_rule_name": "win_privateloader_w0",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:30:00"
        }
    ],
    "1502": [
        {
            "sample_cnt": 111,
            "yara_rule_name": "Check_FindWindowA_iat",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 00:06:37"
        }
    ],
    "1503": [
        {
            "sample_cnt": 111,
            "yara_rule_name": "ClamAV_Emotet_String_Aggregate",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 11:44:03"
        }
    ],
    "1504": [
        {
            "sample_cnt": 111,
            "yara_rule_name": "html_auto_download_b64",
            "yara_rule_author": "Tdawg",
            "yara_rule_reference": "",
            "yara_rule_description": "html auto download",
            "last_hit_utc": "2022-11-26 03:14:02"
        }
    ],
    "1505": [
        {
            "sample_cnt": 111,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing possible sandbox system UUIDs",
            "last_hit_utc": "2026-04-21 22:40:47"
        }
    ],
    "1506": [
        {
            "sample_cnt": 111,
            "yara_rule_name": "MAL_BackNet_Nov18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/valsov/BackNet",
            "yara_rule_description": "Detects BackNet samples",
            "last_hit_utc": "2025-01-05 15:17:56"
        }
    ],
    "1507": [
        {
            "sample_cnt": 111,
            "yara_rule_name": "privateloader",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": null,
            "yara_rule_description": "PrivateLoader pay-per-install malware",
            "last_hit_utc": "2025-01-05 16:30:00"
        }
    ],
    "1508": [
        {
            "sample_cnt": 111,
            "yara_rule_name": "SUSP_LNK_PowerShell",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the reference to powershell inside an lnk file, which is suspicious",
            "last_hit_utc": "2022-11-22 21:25:03"
        }
    ],
    "1509": [
        {
            "sample_cnt": 111,
            "yara_rule_name": "win_vidar_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-02-03 17:12:05"
        }
    ],
    "1510": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "ach_202409_html_AJAX_phish",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects potential HTML phishing page using AJAX",
            "last_hit_utc": "2026-04-03 16:21:15"
        }
    ],
    "1511": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "INDICATOR_OLE_ObjectPool_Embedded_Files",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects OLE documents with ObjectPool OLE storage and embedded suspicious executable files",
            "last_hit_utc": "2024-01-26 00:56:03"
        }
    ],
    "1512": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "INDICATOR_OLE_Suspicious_ActiveX",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects OLE documents with suspicious ActiveX content",
            "last_hit_utc": "2025-01-05 17:17:45"
        }
    ],
    "1513": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "iso_lnk",
            "yara_rule_author": "tdawg",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-05 10:32:18"
        }
    ],
    "1514": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "Linux_Trojan_Gafgyt_a10161ce",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-17 06:59:26"
        }
    ],
    "1515": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "MALWARE_Win_Ficker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Ficker infostealer",
            "last_hit_utc": "2021-07-03 00:21:07"
        }
    ],
    "1516": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "RansomwareTest4",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": null,
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2025-01-05 15:16:38"
        }
    ],
    "1517": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "Ryuk_SequentialComparisons_B",
            "yara_rule_author": "Malware Utkonos",
            "yara_rule_reference": null,
            "yara_rule_description": "Sequential comparison of SID lookup result characters, variant B.",
            "last_hit_utc": "2025-04-28 05:58:08"
        }
    ],
    "1518": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "SUSP_Base64_Encoded_Hex_Encoded_Code_RID3420",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects hex encoded code that has been base64 encoded",
            "last_hit_utc": "2026-02-10 07:20:26"
        }
    ],
    "1519": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "win32_dotnet_form_obfuscate",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting .NET form obfuscate malware",
            "last_hit_utc": "2025-11-23 10:26:15"
        }
    ],
    "1520": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "Windows_Ransomware_Ryuk_6c726744",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
            "yara_rule_description": "Identifies RYUK ransomware",
            "last_hit_utc": "2025-04-28 05:58:09"
        }
    ],
    "1521": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "win_ryuk_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.ryuk.",
            "last_hit_utc": "2025-04-28 05:58:09"
        }
    ],
    "1522": [
        {
            "sample_cnt": 109,
            "yara_rule_name": "win_uroburos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-08-26 05:40:26"
        }
    ],
    "1523": [
        {
            "sample_cnt": 108,
            "yara_rule_name": "Fareit",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Fareit Payload",
            "last_hit_utc": "2022-11-24 17:32:02"
        }
    ],
    "1524": [
        {
            "sample_cnt": 108,
            "yara_rule_name": "INDICATOR_RTF_Exploit_Scripting",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.",
            "last_hit_utc": "2025-01-05 16:06:47"
        }
    ],
    "1525": [
        {
            "sample_cnt": 108,
            "yara_rule_name": "MSOffice_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Microsoft Office artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2026-04-24 15:17:29"
        }
    ],
    "1526": [
        {
            "sample_cnt": 108,
            "yara_rule_name": "SystemBC_Socks",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies SystemBC RAT, Socks proxy version.",
            "last_hit_utc": "2023-05-13 22:58:11"
        }
    ],
    "1527": [
        {
            "sample_cnt": 108,
            "yara_rule_name": "Win32_Ransomware_Ryuk",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Ryuk ransomware.",
            "last_hit_utc": "2025-04-28 05:58:09"
        }
    ],
    "1528": [
        {
            "sample_cnt": 108,
            "yara_rule_name": "Windows_Ransomware_Ryuk_6c726744",
            "yara_rule_author": null,
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
            "yara_rule_description": "Identifies RYUK ransomware",
            "last_hit_utc": "2025-04-28 05:58:09"
        }
    ],
    "1529": [
        {
            "sample_cnt": 108,
            "yara_rule_name": "Windows_Shellcode_Rdi_eee75d2c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 05:18:16"
        }
    ],
    "1530": [
        {
            "sample_cnt": 108,
            "yara_rule_name": "win_ave_maria_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.ave_maria.",
            "last_hit_utc": "2026-04-26 03:12:42"
        }
    ],
    "1531": [
        {
            "sample_cnt": 107,
            "yara_rule_name": "APT32_KerrDown",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-01-09 13:31:40"
        }
    ],
    "1532": [
        {
            "sample_cnt": 107,
            "yara_rule_name": "Linux_Trojan_Gafgyt_6ae4b580",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-18 01:49:26"
        }
    ],
    "1533": [
        {
            "sample_cnt": 107,
            "yara_rule_name": "MALWARE_Win_Neshta",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Neshta",
            "last_hit_utc": "2023-03-11 04:17:03"
        }
    ],
    "1534": [
        {
            "sample_cnt": 107,
            "yara_rule_name": "ta505_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-06 16:11:03"
        }
    ],
    "1535": [
        {
            "sample_cnt": 106,
            "yara_rule_name": "Linux_Trojan_Tsunami_0fa3a6e9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-25 10:33:50"
        }
    ],
    "1536": [
        {
            "sample_cnt": 106,
            "yara_rule_name": "win_Brute_Syscall_Hashes",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of Brute Ratel Badger via api hashes of Nt* functions.",
            "last_hit_utc": "2026-04-20 23:19:24"
        }
    ],
    "1537": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "hancitor",
            "yara_rule_author": "J from THL <j@techhelplist.com>",
            "yara_rule_reference": null,
            "yara_rule_description": "Memory string yara for Hancitor",
            "last_hit_utc": "2021-07-01 16:26:09"
        }
    ],
    "1538": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "HKTL_Imphashes_Aug22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects different hacktools based on their imphash",
            "last_hit_utc": "2026-03-23 08:47:11"
        }
    ],
    "1539": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "INDICATOR_RTF_EXPLOIT_CVE_2017_11882_1",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RTF documents potentially exploiting CVE-2017-11882",
            "last_hit_utc": "2025-01-05 17:30:26"
        }
    ],
    "1540": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "MALWARE_Win_NetWire",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NetWire RAT",
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "1541": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "PECompact2xxBitSumTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-22 14:08:19"
        }
    ],
    "1542": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "PECompactV2XBitsumTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-22 14:08:20"
        }
    ],
    "1543": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "PECompactv2xx",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-22 14:08:20"
        }
    ],
    "1544": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "RansomwareTest6",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": null,
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2025-01-05 15:16:38"
        }
    ],
    "1545": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "Windows_Generic_Threat_2bb7fbe3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 15:09:53"
        }
    ],
    "1546": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "win_pony_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-05 02:06:10"
        }
    ],
    "1547": [
        {
            "sample_cnt": 105,
            "yara_rule_name": "win_stealer_generic",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting generic stealer malware",
            "last_hit_utc": "2025-11-23 10:44:40"
        }
    ],
    "1548": [
        {
            "sample_cnt": 104,
            "yara_rule_name": "IcedIDStage2",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "IcedID Stage2 Payload",
            "last_hit_utc": "2025-01-03 21:26:17"
        }
    ],
    "1549": [
        {
            "sample_cnt": 104,
            "yara_rule_name": "matiex",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked matiex malware samples.",
            "last_hit_utc": "2025-10-09 14:54:38"
        }
    ],
    "1550": [
        {
            "sample_cnt": 104,
            "yara_rule_name": "NETDIC_208",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-07-12 09:50:39"
        }
    ],
    "1551": [
        {
            "sample_cnt": 104,
            "yara_rule_name": "Redline32",
            "yara_rule_author": "Muffin",
            "yara_rule_reference": "",
            "yara_rule_description": "This rule detects Redline Stealer",
            "last_hit_utc": "2022-11-24 21:08:04"
        }
    ],
    "1552": [
        {
            "sample_cnt": 104,
            "yara_rule_name": "Windows_Generic_Threat_1f2e969c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-13 17:36:39"
        }
    ],
    "1553": [
        {
            "sample_cnt": 104,
            "yara_rule_name": "Windows_Trojan_AgentTesla_a2d69e48",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla",
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-05 12:55:06"
        }
    ],
    "1554": [
        {
            "sample_cnt": 104,
            "yara_rule_name": "win_hawkeye_keylogger_g0",
            "yara_rule_author": "Various authors / Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-01-11 12:38:06"
        }
    ],
    "1555": [
        {
            "sample_cnt": 103,
            "yara_rule_name": "ach_202503_elf_GorillaBot",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GorillaBot ELF files",
            "last_hit_utc": "2025-06-28 17:22:07"
        }
    ],
    "1556": [
        {
            "sample_cnt": 103,
            "yara_rule_name": "MALW_trickbot_bankBot",
            "yara_rule_author": "Marc Salinas @Bondey_m",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Trickbot Banking Trojan",
            "last_hit_utc": "2021-05-12 20:59:26"
        }
    ],
    "1557": [
        {
            "sample_cnt": 103,
            "yara_rule_name": "SUSP_RAR_NTFS_ADS",
            "yara_rule_author": "Proofpoint",
            "yara_rule_reference": "https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats",
            "yara_rule_description": "Detects RAR archive with NTFS alternate data stream",
            "last_hit_utc": "2026-04-16 18:16:32"
        }
    ],
    "1558": [
        {
            "sample_cnt": 102,
            "yara_rule_name": "aachum_Stealcv2",
            "yara_rule_author": "aachum",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects new version of Stealc.",
            "last_hit_utc": "2026-04-11 09:40:38"
        }
    ],
    "1559": [
        {
            "sample_cnt": 102,
            "yara_rule_name": "IcedIDLoader",
            "yara_rule_author": "kevoreilly, threathive, enzo",
            "yara_rule_reference": "",
            "yara_rule_description": "IcedID Loader",
            "last_hit_utc": "2022-11-21 12:34:05"
        }
    ],
    "1560": [
        {
            "sample_cnt": 102,
            "yara_rule_name": "NETDIC208_NOCEX",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-07-12 09:50:39"
        }
    ],
    "1561": [
        {
            "sample_cnt": 101,
            "yara_rule_name": "AgentTesla",
            "yara_rule_author": "Harish Kumar P",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule to Detect AgentTesla",
            "last_hit_utc": "2022-11-15 18:10:03"
        }
    ],
    "1562": [
        {
            "sample_cnt": 101,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_References_SecTools",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many IR and analysis tools",
            "last_hit_utc": "2024-03-05 01:29:38"
        }
    ],
    "1563": [
        {
            "sample_cnt": 101,
            "yara_rule_name": "INDICATOR_SUSPICOIUS_EXE_DotNetProcHook",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables with potential process hooking",
            "last_hit_utc": "2023-04-05 14:02:02"
        }
    ],
    "1564": [
        {
            "sample_cnt": 101,
            "yara_rule_name": "MALWARE_Win_RevengeRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "RevengeRAT and variants payload",
            "last_hit_utc": "2026-03-27 18:29:16"
        }
    ],
    "1565": [
        {
            "sample_cnt": 101,
            "yara_rule_name": "Microsoft_Office_Document_with_Embedded_Flash_File",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-11-07 15:02:23"
        }
    ],
    "1566": [
        {
            "sample_cnt": 101,
            "yara_rule_name": "Windows_Generic_Threat_76a7579f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 03:12:42"
        }
    ],
    "1567": [
        {
            "sample_cnt": 101,
            "yara_rule_name": "win_sinowal_w1",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Quarian code features",
            "last_hit_utc": "2026-01-07 18:03:20"
        }
    ],
    "1568": [
        {
            "sample_cnt": 100,
            "yara_rule_name": "Emotet",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule To Detect Emotet",
            "last_hit_utc": "2022-10-12 16:59:43"
        }
    ],
    "1569": [
        {
            "sample_cnt": 100,
            "yara_rule_name": "Linux_Trojan_Kinsing_7cdbe9fa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-27 13:52:18"
        }
    ],
    "1570": [
        {
            "sample_cnt": 100,
            "yara_rule_name": "MALWARE_Win_AsyncRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects AsyncRAT",
            "last_hit_utc": "2022-11-23 23:35:04"
        }
    ],
    "1571": [
        {
            "sample_cnt": 100,
            "yara_rule_name": "OneNote_EmbeddedFiles_NoPictures",
            "yara_rule_author": "Nicholas Dhaeyer - @DhaeyerWolf",
            "yara_rule_reference": "https://blog.didierstevens.com/2023/01/22/analyzing-malicious-onenote-documents/",
            "yara_rule_description": "OneNote files that contain embedded files that are not pictures.",
            "last_hit_utc": "2026-04-09 05:35:24"
        }
    ],
    "1572": [
        {
            "sample_cnt": 100,
            "yara_rule_name": "Windows_Generic_Threat_ebf62328",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-11 11:03:44"
        }
    ],
    "1573": [
        {
            "sample_cnt": 100,
            "yara_rule_name": "Windows_Trojan_Stealc_41db1d4d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 21:08:49"
        }
    ],
    "1574": [
        {
            "sample_cnt": 100,
            "yara_rule_name": "win_netwire_w0",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": "",
            "yara_rule_description": "NetWiredRC",
            "last_hit_utc": "2022-11-04 23:23:03"
        }
    ],
    "1575": [
        {
            "sample_cnt": 99,
            "yara_rule_name": "DemonNtdllHashes",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 14:02:58"
        }
    ],
    "1576": [
        {
            "sample_cnt": 99,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing potential Windows Defender anti-emulation checks",
            "last_hit_utc": "2026-03-28 14:26:16"
        }
    ],
    "1577": [
        {
            "sample_cnt": 99,
            "yara_rule_name": "win_havoc_w0",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 14:02:59"
        }
    ],
    "1578": [
        {
            "sample_cnt": 98,
            "yara_rule_name": "INDICATOR_EXE_Packed_dotNetProtector",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with dotNetProtector",
            "last_hit_utc": "2026-03-17 18:57:17"
        }
    ],
    "1579": [
        {
            "sample_cnt": 98,
            "yara_rule_name": "INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-09-23 18:57:03"
        }
    ],
    "1580": [
        {
            "sample_cnt": 98,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_CC_Regex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing credit card regular expressions",
            "last_hit_utc": "2022-11-23 10:52:03"
        }
    ],
    "1581": [
        {
            "sample_cnt": 98,
            "yara_rule_name": "NitroRansomware",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-28 17:32:12"
        }
    ],
    "1582": [
        {
            "sample_cnt": 98,
            "yara_rule_name": "Windows_Generic_Threat_c374cd85",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:27:15"
        }
    ],
    "1583": [
        {
            "sample_cnt": 97,
            "yara_rule_name": "INDICATOR_OLE_ObjectPool_Embedded_Files",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects OLE documents with ObjectPool OLE storage and embedded suspicious executable files",
            "last_hit_utc": "2022-05-25 21:36:03"
        }
    ],
    "1584": [
        {
            "sample_cnt": 97,
            "yara_rule_name": "Nexe",
            "yara_rule_author": "nwunderly",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-05 13:47:15"
        }
    ],
    "1585": [
        {
            "sample_cnt": 97,
            "yara_rule_name": "nuitka_py_compiler",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Executable compiled with Nuitka Python Compiler",
            "last_hit_utc": "2026-02-27 06:59:15"
        }
    ],
    "1586": [
        {
            "sample_cnt": 97,
            "yara_rule_name": "susp_winsvc_upx",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": null,
            "yara_rule_description": "broad hunt for any PE exporting ServiceMain API and upx packed",
            "last_hit_utc": "2026-04-13 06:03:06"
        }
    ],
    "1587": [
        {
            "sample_cnt": 97,
            "yara_rule_name": "Windows_Generic_Threat_cbe3313a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-22 06:40:11"
        }
    ],
    "1588": [
        {
            "sample_cnt": 97,
            "yara_rule_name": "woof_mirai_variant",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": "Internal analysis of sample 6ef4ce02",
            "yara_rule_description": "Detects Woof Mirai variant (ChaCha20 table, HTTP C2 with token/guid, .woof dropper)",
            "last_hit_utc": "2026-04-27 06:02:32"
        }
    ],
    "1589": [
        {
            "sample_cnt": 96,
            "yara_rule_name": "CobaltStrike_Resources_Xor_Bin_v2_x_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resource/xor.bin signature for version 2.x through 4.x",
            "last_hit_utc": "2026-03-03 13:33:15"
        }
    ],
    "1590": [
        {
            "sample_cnt": 96,
            "yara_rule_name": "CobaltStrike__Resources_Xor_Bin_v2_x_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-03 13:33:15"
        }
    ],
    "1591": [
        {
            "sample_cnt": 96,
            "yara_rule_name": "Emotet",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Emotet Payload",
            "last_hit_utc": "2026-04-02 17:04:31"
        }
    ],
    "1592": [
        {
            "sample_cnt": 95,
            "yara_rule_name": "LNK_Malicious_Nov1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/",
            "yara_rule_description": "Detects a suspicious LNK file",
            "last_hit_utc": "2026-04-26 17:30:25"
        }
    ],
    "1593": [
        {
            "sample_cnt": 95,
            "yara_rule_name": "MAL_unspecified_Jan18_1_RID2F4A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects unspecified malware sample",
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "1594": [
        {
            "sample_cnt": 95,
            "yara_rule_name": "njrat_",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked njrat malware samples.",
            "last_hit_utc": "2025-09-29 22:17:29"
        }
    ],
    "1595": [
        {
            "sample_cnt": 95,
            "yara_rule_name": "Windows_Generic_Threat_b509dfc8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-10 14:58:13"
        }
    ],
    "1596": [
        {
            "sample_cnt": 95,
            "yara_rule_name": "win_amadey_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-27 04:50:12"
        }
    ],
    "1597": [
        {
            "sample_cnt": 95,
            "yara_rule_name": "win_servhelper_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-12-24 18:01:20"
        }
    ],
    "1598": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "EXT_MAL_SystemBC_Mar22_1",
            "yara_rule_author": "Thomas Barabosch, Deutsche Telekom Security",
            "yara_rule_reference": "https://twitter.com/Cryptolaemus1/status/1502069552246575105",
            "yara_rule_description": "Detects unpacked SystemBC module as used by Emotet in March 2022",
            "last_hit_utc": "2026-02-13 17:32:16"
        }
    ],
    "1599": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5_RID361D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
            "yara_rule_description": "Detects strings found in malware samples in APT report in DarkHydrus",
            "last_hit_utc": "2025-01-05 15:04:02"
        }
    ],
    "1600": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "Linux_Trojan_Gafgyt_821173df",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-03 06:23:17"
        }
    ],
    "1601": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "Linux_Trojan_Gafgyt_ea92cca8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-23 19:38:03"
        }
    ],
    "1602": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "MALWARE_Win_DLInjector03",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unknown loader / injector",
            "last_hit_utc": "2022-10-25 17:47:03"
        }
    ],
    "1603": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "MALWARE_Win_FatalRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects FatalRAT",
            "last_hit_utc": "2026-04-08 00:50:39"
        }
    ],
    "1604": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "MALWARE_Win_Multi_Family_InfoStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Prynt, WorldWind, DarkEye, Stealerium and ToxicEye / TelegramRAT infostealers",
            "last_hit_utc": "2026-02-25 08:31:52"
        }
    ],
    "1605": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "Mimikatz_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Detects Mimikatz strings",
            "last_hit_utc": "2026-04-27 05:18:17"
        }
    ],
    "1606": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "PassProtected_ZIP_ISO_file",
            "yara_rule_author": "_jc",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects container formats commonly smuggled through password-protected zips",
            "last_hit_utc": "2022-11-23 23:07:03"
        }
    ],
    "1607": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "SUSP_PS1_JAB_Pattern_Jun22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable",
            "last_hit_utc": "2025-01-05 15:16:24"
        }
    ],
    "1608": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "win_netwire_w0",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "NetWiredRC",
            "last_hit_utc": "2025-11-24 16:35:35"
        }
    ],
    "1609": [
        {
            "sample_cnt": 94,
            "yara_rule_name": "win_photoloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.photoloader.",
            "last_hit_utc": "2022-11-21 12:34:06"
        }
    ],
    "1610": [
        {
            "sample_cnt": 93,
            "yara_rule_name": "ach_AgentTesla_test",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/b2c1cb673c61537b88826b097a160f6f/",
            "yara_rule_description": "Detects AgentTesla PE",
            "last_hit_utc": "2022-04-22 13:44:33"
        }
    ],
    "1611": [
        {
            "sample_cnt": 93,
            "yara_rule_name": "Cobaltbaltstrike_Beacon_XORed_x86",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2025-01-05 15:56:06"
        }
    ],
    "1612": [
        {
            "sample_cnt": 93,
            "yara_rule_name": "Linux_Trojan_Gafgyt_71e487ea",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 09:54:33"
        }
    ],
    "1613": [
        {
            "sample_cnt": 93,
            "yara_rule_name": "malware_CobaltStrike_beacon",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "CobaltStrike encoding code",
            "last_hit_utc": "2025-12-31 09:01:22"
        }
    ],
    "1614": [
        {
            "sample_cnt": 93,
            "yara_rule_name": "MALWARE_Win_DLAgent07",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects delf downloader agent",
            "last_hit_utc": "2021-06-15 14:34:55"
        }
    ],
    "1615": [
        {
            "sample_cnt": 93,
            "yara_rule_name": "Windows_Generic_Threat_bd24be68",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-15 04:01:20"
        }
    ],
    "1616": [
        {
            "sample_cnt": 93,
            "yara_rule_name": "win_lockbit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.lockbit.",
            "last_hit_utc": "2025-12-19 11:59:15"
        }
    ],
    "1617": [
        {
            "sample_cnt": 92,
            "yara_rule_name": "pdb",
            "yara_rule_author": "@stvemillertime",
            "yara_rule_reference": "",
            "yara_rule_description": "Searching for PE files with PDB path keywords, terms or anomalies.",
            "last_hit_utc": "2022-04-29 09:33:31"
        }
    ],
    "1618": [
        {
            "sample_cnt": 92,
            "yara_rule_name": "recordbreaker_win_generic",
            "yara_rule_author": "_kphi",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-12 03:06:03"
        }
    ],
    "1619": [
        {
            "sample_cnt": 92,
            "yara_rule_name": "Windows_Trojan_GhostPulse_caea316b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-04 17:05:55"
        }
    ],
    "1620": [
        {
            "sample_cnt": 91,
            "yara_rule_name": "Any_SU_Domain",
            "yara_rule_author": "you",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect any reference to .su domains or subdomains",
            "last_hit_utc": "2025-11-24 20:00:41"
        }
    ],
    "1621": [
        {
            "sample_cnt": 91,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell content designed to retrieve passwords from host",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "1622": [
        {
            "sample_cnt": 91,
            "yara_rule_name": "MALWARE_Win_UmbralStealer",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Umbral infostealer",
            "last_hit_utc": "2026-04-19 16:22:34"
        }
    ],
    "1623": [
        {
            "sample_cnt": 91,
            "yara_rule_name": "Windows_Trojan_Formbook_1112e116",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-12-01 10:16:04"
        }
    ],
    "1624": [
        {
            "sample_cnt": 91,
            "yara_rule_name": "win_amadey_a9f4",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": "",
            "yara_rule_description": "matches unpacked Amadey samples",
            "last_hit_utc": "2022-11-26 14:58:08"
        }
    ],
    "1625": [
        {
            "sample_cnt": 90,
            "yara_rule_name": "discordrat_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 20:04:26"
        }
    ],
    "1626": [
        {
            "sample_cnt": 90,
            "yara_rule_name": "DLL_BankingTrojan_Coyote_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 14:36:24"
        }
    ],
    "1627": [
        {
            "sample_cnt": 90,
            "yara_rule_name": "Vidar",
            "yara_rule_author": "kevoreilly,rony",
            "yara_rule_reference": "",
            "yara_rule_description": "Vidar Payload",
            "last_hit_utc": "2022-11-01 18:41:03"
        }
    ],
    "1628": [
        {
            "sample_cnt": 89,
            "yara_rule_name": "APT_PatchWork_BADNEWS_20211105",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PatchWork Group RTF or BADNEWS",
            "last_hit_utc": "2026-04-08 06:48:27"
        }
    ],
    "1629": [
        {
            "sample_cnt": 89,
            "yara_rule_name": "INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing potential Windows Defender anti-emulation checks",
            "last_hit_utc": "2021-08-04 07:05:29"
        }
    ],
    "1630": [
        {
            "sample_cnt": 89,
            "yara_rule_name": "MassLogger",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "MassLogger",
            "last_hit_utc": "2021-05-11 13:14:54"
        }
    ],
    "1631": [
        {
            "sample_cnt": 89,
            "yara_rule_name": "shortloader",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "ShortLoader Payload",
            "last_hit_utc": "2025-02-08 17:36:18"
        }
    ],
    "1632": [
        {
            "sample_cnt": 89,
            "yara_rule_name": "win_agent_tesla_ab4444e9",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects Agent Tesla",
            "last_hit_utc": "2025-10-14 23:09:38"
        }
    ],
    "1633": [
        {
            "sample_cnt": 88,
            "yara_rule_name": "Bumblebee_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "7a2ac6664ef13971ce464676012092befde8f14b0013b2f0f3e21c9051cb45a0",
            "yara_rule_description": "Bumblebee loader",
            "last_hit_utc": "2026-03-19 13:36:03"
        }
    ],
    "1634": [
        {
            "sample_cnt": 88,
            "yara_rule_name": "CDN_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies CDN (Content Delivery Network) domain in shortcut (LNK) file.",
            "last_hit_utc": "2022-09-15 06:12:05"
        }
    ],
    "1635": [
        {
            "sample_cnt": 88,
            "yara_rule_name": "DarkCloud",
            "yara_rule_author": "YungBinary",
            "yara_rule_reference": null,
            "yara_rule_description": "https://x.com/YungBinary/status/1971585972912689643",
            "last_hit_utc": "2026-04-25 21:45:30"
        }
    ],
    "1636": [
        {
            "sample_cnt": 88,
            "yara_rule_name": "Linux_Generic_Threat_81aa5579",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 14:51:41"
        }
    ],
    "1637": [
        {
            "sample_cnt": 88,
            "yara_rule_name": "Linux_Trojan_Tsunami_55a80ab6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 16:12:29"
        }
    ],
    "1638": [
        {
            "sample_cnt": 88,
            "yara_rule_name": "WScript_Shell_PowerShell_Combo_RID32E7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html",
            "yara_rule_description": "Detects malware from Middle Eastern campaign reported by Talos",
            "last_hit_utc": "2025-11-10 23:01:34"
        }
    ],
    "1639": [
        {
            "sample_cnt": 87,
            "yara_rule_name": "CobaltStrikeStager",
            "yara_rule_author": "@dan__mayer <daniel@stairwell.com>",
            "yara_rule_reference": null,
            "yara_rule_description": "Cobalt Strike Stager Payload",
            "last_hit_utc": "2026-02-07 18:35:18"
        }
    ],
    "1640": [
        {
            "sample_cnt": 87,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Windows executables bypassing UAC using CMSTP utility, command line and INF",
            "last_hit_utc": "2026-04-08 14:07:41"
        }
    ],
    "1641": [
        {
            "sample_cnt": 87,
            "yara_rule_name": "malware_Remcos_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "detect Remcos in memory",
            "last_hit_utc": "2023-07-14 14:30:03"
        }
    ],
    "1642": [
        {
            "sample_cnt": 87,
            "yara_rule_name": "Netwalker",
            "yara_rule_author": "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>",
            "yara_rule_reference": "https://github.com/f0wl/configwalker",
            "yara_rule_description": "Detects Netwalker Ransomware",
            "last_hit_utc": "2023-12-13 15:24:25"
        }
    ],
    "1643": [
        {
            "sample_cnt": 87,
            "yara_rule_name": "u42_crime_win_heartcrypt",
            "yara_rule_author": "Unit 42 Threat Intelligence",
            "yara_rule_reference": null,
            "yara_rule_description": "HeartCrypt PaaS hunting rule.",
            "last_hit_utc": "2026-02-10 09:01:21"
        }
    ],
    "1644": [
        {
            "sample_cnt": 87,
            "yara_rule_name": "Windows_Trojan_Gh0st_ee6de6bc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies a variant of Gh0st Rat",
            "last_hit_utc": "2026-04-27 05:18:16"
        }
    ],
    "1645": [
        {
            "sample_cnt": 87,
            "yara_rule_name": "win_cobalt_strike_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.cobalt_strike.",
            "last_hit_utc": "2023-06-29 20:36:03"
        }
    ],
    "1646": [
        {
            "sample_cnt": 86,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RawPaste_URL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables (downloaders) containing URLs to raw contents of a paste",
            "last_hit_utc": "2024-02-01 08:35:05"
        }
    ],
    "1647": [
        {
            "sample_cnt": 86,
            "yara_rule_name": "Office_AutoOpen_Macro",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Microsoft Office file that contains the AutoOpen Macro function",
            "last_hit_utc": "2025-01-05 17:22:42"
        }
    ],
    "1648": [
        {
            "sample_cnt": 86,
            "yara_rule_name": "RAT_njRat",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/njRat",
            "yara_rule_description": "Detects njRAT",
            "last_hit_utc": "2025-06-04 17:12:26"
        }
    ],
    "1649": [
        {
            "sample_cnt": 86,
            "yara_rule_name": "win_cybergate_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2026-01-19 11:45:47"
        }
    ],
    "1650": [
        {
            "sample_cnt": 85,
            "yara_rule_name": "malware_netwire_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect netwire in memory",
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "1651": [
        {
            "sample_cnt": 85,
            "yara_rule_name": "MAL_Ransomware_Wadhrama",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Wadhrama Ransomware via Imphash",
            "last_hit_utc": "2025-01-05 15:37:30"
        }
    ],
    "1652": [
        {
            "sample_cnt": 85,
            "yara_rule_name": "redline_new_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/",
            "yara_rule_description": "Redline stealer",
            "last_hit_utc": "2025-02-20 04:46:10"
        }
    ],
    "1653": [
        {
            "sample_cnt": 85,
            "yara_rule_name": "Suspicious_PssCaptureSnapshot_Usage",
            "yara_rule_author": "Dana Behling - Just me not for personal curiosity, no company.",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.",
            "last_hit_utc": "2026-04-27 11:34:40"
        }
    ],
    "1654": [
        {
            "sample_cnt": 85,
            "yara_rule_name": "SUSP_Base64_Encoded_Hex_Encoded_Code",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/",
            "yara_rule_description": "Detects hex encoded code that has been base64 encoded",
            "last_hit_utc": "2023-02-01 14:12:04"
        }
    ],
    "1655": [
        {
            "sample_cnt": 84,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_USNDeleteJournal",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing anti-forensic artifacts of deleting the USN change journal. Observed in ransomware",
            "last_hit_utc": "2025-01-05 15:57:48"
        }
    ],
    "1656": [
        {
            "sample_cnt": 84,
            "yara_rule_name": "Linux_Trojan_Gafgyt_20f5e74f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-18 01:50:32"
        }
    ],
    "1657": [
        {
            "sample_cnt": 84,
            "yara_rule_name": "MALWARE_Win_ArrowRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ArrowRAT",
            "last_hit_utc": "2026-03-30 14:12:17"
        }
    ],
    "1658": [
        {
            "sample_cnt": 84,
            "yara_rule_name": "MAL_RTF_Embedded_OLE_PE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/",
            "yara_rule_description": "Detects a suspicious string often used in PE files in a hex encoded object stream",
            "last_hit_utc": "2025-01-05 15:09:51"
        }
    ],
    "1659": [
        {
            "sample_cnt": 84,
            "yara_rule_name": "RansomwareTest3",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": null,
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2025-01-05 15:16:33"
        }
    ],
    "1660": [
        {
            "sample_cnt": 84,
            "yara_rule_name": "UroburosVirtualBoxDriver",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-01 09:45:04"
        }
    ],
    "1661": [
        {
            "sample_cnt": 84,
            "yara_rule_name": "Windows_Trojan_Njrat_30f3c220",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:02:03"
        }
    ],
    "1662": [
        {
            "sample_cnt": 84,
            "yara_rule_name": "win_dreambot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-13 13:03:40"
        }
    ],
    "1663": [
        {
            "sample_cnt": 84,
            "yara_rule_name": "win_upx_packed",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting UPX packed malware",
            "last_hit_utc": "2025-11-23 10:25:03"
        }
    ],
    "1664": [
        {
            "sample_cnt": 83,
            "yara_rule_name": "ComRAT",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 22:16:19"
        }
    ],
    "1665": [
        {
            "sample_cnt": 83,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_attrib",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables using attrib with suspicious attributes",
            "last_hit_utc": "2022-11-19 14:22:03"
        }
    ],
    "1666": [
        {
            "sample_cnt": 83,
            "yara_rule_name": "Linux_Trojan_Ladvix_db41f9d2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 20:56:26"
        }
    ],
    "1667": [
        {
            "sample_cnt": 83,
            "yara_rule_name": "MALWARE_Win_NetSupport",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NetSupport client",
            "last_hit_utc": "2026-04-25 09:25:40"
        }
    ],
    "1668": [
        {
            "sample_cnt": 83,
            "yara_rule_name": "Msfpayloads_msf_ref_RID2ED5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf-ref.ps1",
            "last_hit_utc": "2026-03-09 06:46:17"
        }
    ],
    "1669": [
        {
            "sample_cnt": 83,
            "yara_rule_name": "Windows_Trojan_Bumblebee_35f50bea",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-15 08:16:32"
        }
    ],
    "1670": [
        {
            "sample_cnt": 83,
            "yara_rule_name": "win_rms_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2026-01-04 10:35:23"
        }
    ],
    "1671": [
        {
            "sample_cnt": 82,
            "yara_rule_name": "darkcloud_stealer",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked darkcloud malware samples.",
            "last_hit_utc": "2025-10-10 06:58:17"
        }
    ],
    "1672": [
        {
            "sample_cnt": 82,
            "yara_rule_name": "elf_persirai_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects elf.persirai.",
            "last_hit_utc": "2026-04-23 20:42:29"
        }
    ],
    "1673": [
        {
            "sample_cnt": 82,
            "yara_rule_name": "elysium",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked elysium stealer malware samples.",
            "last_hit_utc": "2025-07-16 09:10:24"
        }
    ],
    "1674": [
        {
            "sample_cnt": 82,
            "yara_rule_name": "INDICATOR_KB_ID_Infostealer",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "https://github.com/ditekshen/is-wos",
            "yara_rule_description": "Detects exfiltration email addresses correlated from various infostealers. The same email may be observed in multiple families.",
            "last_hit_utc": "2025-11-06 17:55:40"
        }
    ],
    "1675": [
        {
            "sample_cnt": 82,
            "yara_rule_name": "MALWARE_Win_Chebka",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Chebka",
            "last_hit_utc": "2023-08-11 09:50:05"
        }
    ],
    "1676": [
        {
            "sample_cnt": 82,
            "yara_rule_name": "MAL_RANSOM_COVID19_Apr20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/",
            "yara_rule_description": "Detects ransomware distributed in COVID-19 theme",
            "last_hit_utc": "2025-01-05 15:31:25"
        }
    ],
    "1677": [
        {
            "sample_cnt": 82,
            "yara_rule_name": "MINER_monero_mining_detection",
            "yara_rule_author": "Trellix ATR team",
            "yara_rule_reference": "",
            "yara_rule_description": "Monero mining software",
            "last_hit_utc": "2022-11-16 14:32:24"
        }
    ],
    "1678": [
        {
            "sample_cnt": 82,
            "yara_rule_name": "msix_file",
            "yara_rule_author": "Stuart Gonzalez",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection for .msix files",
            "last_hit_utc": "2026-03-07 07:27:17"
        }
    ],
    "1679": [
        {
            "sample_cnt": 82,
            "yara_rule_name": "Windows_Trojan_Generic_a681f24a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-11 09:50:06"
        }
    ],
    "1680": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 15:47:24"
        }
    ],
    "1681": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "lsi_remcos2",
            "yara_rule_author": "anonym",
            "yara_rule_reference": null,
            "yara_rule_description": "Remcos_V5 Payload",
            "last_hit_utc": "2026-04-06 20:42:21"
        }
    ],
    "1682": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "MALWARE_Win_RemoteUtilitiesRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "RemoteUtilitiesRAT RAT payload",
            "last_hit_utc": "2026-01-04 10:35:22"
        }
    ],
    "1683": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "Multi_Trojan_Sliver_3d6b7cd3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-13 10:00:32"
        }
    ],
    "1684": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "NetSupport",
            "yara_rule_author": "YungBinary",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NetSupport Manager RAT on disk or in memory",
            "last_hit_utc": "2026-04-25 09:25:41"
        }
    ],
    "1685": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "pecompact2",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "PECompact",
            "last_hit_utc": "2026-02-22 14:08:19"
        }
    ],
    "1686": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "RansomwareTest5",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": null,
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2025-01-05 15:16:38"
        }
    ],
    "1687": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "troj_win_warzonerat",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/",
            "yara_rule_description": "Detects WarzoneRAT.",
            "last_hit_utc": "2026-03-23 08:46:23"
        }
    ],
    "1688": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "Windows_Generic_Threat_3f060b9c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 16:02:46"
        }
    ],
    "1689": [
        {
            "sample_cnt": 81,
            "yara_rule_name": "win_agent_tesla_bytecodes_sep_2023",
            "yara_rule_author": "Matthew @embee_research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-05 13:03:42"
        }
    ],
    "1690": [
        {
            "sample_cnt": 80,
            "yara_rule_name": "dl_shadow",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 19:22:20"
        }
    ],
    "1691": [
        {
            "sample_cnt": 80,
            "yara_rule_name": "kill_explorer",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect files killing explorer.exe",
            "last_hit_utc": "2026-04-15 07:59:39"
        }
    ],
    "1692": [
        {
            "sample_cnt": 80,
            "yara_rule_name": "Linux_Trojan_Mirai_3278f1b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 14:53:37"
        }
    ],
    "1693": [
        {
            "sample_cnt": 80,
            "yara_rule_name": "win_cannon_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-11-15 09:04:04"
        }
    ],
    "1694": [
        {
            "sample_cnt": 80,
            "yara_rule_name": "win_smominru_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-08 13:17:15"
        }
    ],
    "1695": [
        {
            "sample_cnt": 80,
            "yara_rule_name": "win_smominru_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.smominru.",
            "last_hit_utc": "2025-02-13 16:44:13"
        }
    ],
    "1696": [
        {
            "sample_cnt": 79,
            "yara_rule_name": "Hunt_Excel_DNA_Built_XLL_Files",
            "yara_rule_author": "David Ledbetter @Ledtech3",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunt for Excel Addin dll files generated with Excel-DNA builder   https://excel-dna.net/",
            "last_hit_utc": "2025-06-16 16:33:49"
        }
    ],
    "1697": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "Conti",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Conti Ransomware",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "1698": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "Hancitor",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule To Detect Hancitor",
            "last_hit_utc": "2022-11-22 12:57:02"
        }
    ],
    "1699": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "MALWARE_Win_PCRat",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PCRat / Gh0st",
            "last_hit_utc": "2026-04-05 06:46:16"
        }
    ],
    "1700": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "MALWARE_Win_RaccoonV2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Raccoon Stealer 2.0, also referred to as RecordBreaker",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "1701": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "onenote_file",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Microsoft Onenote File",
            "last_hit_utc": "2025-01-05 15:43:05"
        }
    ],
    "1702": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "Packer_Android",
            "yara_rule_author": "R3R0K",
            "yara_rule_reference": null,
            "yara_rule_description": "Android.Packer_Android",
            "last_hit_utc": "2026-04-17 20:06:01"
        }
    ],
    "1703": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "QnapCrypt",
            "yara_rule_author": "Intezer Labs",
            "yara_rule_reference": "https://www.intezer.com",
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-06 17:49:13"
        }
    ],
    "1704": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "signed_sys_with_vulnerablity",
            "yara_rule_author": "wonderkun",
            "yara_rule_reference": null,
            "yara_rule_description": "signed_sys_with_vulnerablity",
            "last_hit_utc": "2026-03-25 09:04:20"
        }
    ],
    "1705": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "WannaCry_Ransomware_Gen_RID302B",
            "yara_rule_author": "Florian Roth (based on rule by US CERT)",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-132A",
            "yara_rule_description": "Detects WannaCry Ransomware",
            "last_hit_utc": "2025-12-16 08:49:14"
        }
    ],
    "1706": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "win_amadey_062025",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/amadey-targeted-analysis/",
            "yara_rule_description": "This rule detects intrinsic patterns of Amadey version 5.34.",
            "last_hit_utc": "2026-03-27 14:22:45"
        }
    ],
    "1707": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "win_neshta_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-03-11 04:17:03"
        }
    ],
    "1708": [
        {
            "sample_cnt": 78,
            "yara_rule_name": "win_vidar_strings_jun_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of Vidar Stealer and Variants via strings present in final unpacked payloads",
            "last_hit_utc": "2025-05-02 07:14:09"
        }
    ],
    "1709": [
        {
            "sample_cnt": 77,
            "yara_rule_name": "asyncrat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-06 06:23:31"
        }
    ],
    "1710": [
        {
            "sample_cnt": 77,
            "yara_rule_name": "Detect_Kimsuky_APT_Malware",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Kimsuky APT malware delivery technique using a malicious MMC console file",
            "last_hit_utc": "2026-03-11 09:24:17"
        }
    ],
    "1711": [
        {
            "sample_cnt": 77,
            "yara_rule_name": "linux_generic_irc_catcher",
            "yara_rule_author": "@_lubiedo",
            "yara_rule_reference": "",
            "yara_rule_description": "Find new ELF IRC samples",
            "last_hit_utc": "2022-09-13 12:43:03"
        }
    ],
    "1712": [
        {
            "sample_cnt": 77,
            "yara_rule_name": "lsi_remcos",
            "yara_rule_author": "anonym",
            "yara_rule_reference": null,
            "yara_rule_description": "Remcos_V5 Payload",
            "last_hit_utc": "2026-04-06 20:42:21"
        }
    ],
    "1713": [
        {
            "sample_cnt": 77,
            "yara_rule_name": "MALWARE_Win_DarkComet",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects DarkComet",
            "last_hit_utc": "2026-04-26 19:07:27"
        }
    ],
    "1714": [
        {
            "sample_cnt": 77,
            "yara_rule_name": "rhadamanthys_ps1_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 23:05:50"
        }
    ],
    "1715": [
        {
            "sample_cnt": 77,
            "yara_rule_name": "win_darkcomet_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-10-13 13:14:56"
        }
    ],
    "1716": [
        {
            "sample_cnt": 77,
            "yara_rule_name": "win_vobfus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-04 15:33:10"
        }
    ],
    "1717": [
        {
            "sample_cnt": 76,
            "yara_rule_name": "ELF_Toriilike_persist",
            "yara_rule_author": "4r4",
            "yara_rule_reference": "Identified via unique string 'npxXoudifFeEgGaACScs'",
            "yara_rule_description": "Detects Torii IoT Botnet (stealthier Mirai alternative)",
            "last_hit_utc": "2025-12-26 07:02:15"
        }
    ],
    "1718": [
        {
            "sample_cnt": 76,
            "yara_rule_name": "INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 16:17:53"
        }
    ],
    "1719": [
        {
            "sample_cnt": 76,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_ClearWinLogs",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing commands for clearing Windows Event Logs",
            "last_hit_utc": "2023-05-07 03:21:35"
        }
    ],
    "1720": [
        {
            "sample_cnt": 76,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many varying, potentially fake Windows User-Agents",
            "last_hit_utc": "2022-11-07 20:25:08"
        }
    ],
    "1721": [
        {
            "sample_cnt": 76,
            "yara_rule_name": "win_havoc_demon_ntdll_hashes",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of havoc demons via hardcoded ntdll api hashes",
            "last_hit_utc": "2026-04-23 14:02:59"
        }
    ],
    "1722": [
        {
            "sample_cnt": 76,
            "yara_rule_name": "win_mofksys_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mofksys.",
            "last_hit_utc": "2026-03-06 15:09:53"
        }
    ],
    "1723": [
        {
            "sample_cnt": 76,
            "yara_rule_name": "xeno_rat",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Xeno Rat Payload",
            "last_hit_utc": "2026-04-23 11:56:29"
        }
    ],
    "1724": [
        {
            "sample_cnt": 75,
            "yara_rule_name": "ach_ZLoader_xls_20200514",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/00c5e69ed4b9559cc349f01c54270d36/",
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-24 05:43:06"
        }
    ],
    "1725": [
        {
            "sample_cnt": 75,
            "yara_rule_name": "INDICATOR_EXE_Packed_SimplePolyEngine",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality",
            "last_hit_utc": "2026-02-12 16:31:14"
        }
    ],
    "1726": [
        {
            "sample_cnt": 75,
            "yara_rule_name": "js_ratdispenser",
            "yara_rule_author": "HP Threat Research @HPSecurity",
            "yara_rule_reference": "",
            "yara_rule_description": "JavaScript downloader resp. dropper delivering various RATs",
            "last_hit_utc": "2022-09-16 01:04:03"
        }
    ],
    "1727": [
        {
            "sample_cnt": 75,
            "yara_rule_name": "LNK_sospechosos",
            "yara_rule_author": "Germ\u00e1n Fern\u00e1ndez",
            "yara_rule_reference": "",
            "yara_rule_description": "Detecta archivos .lnk sospechosos",
            "last_hit_utc": "2022-11-22 21:25:03"
        }
    ],
    "1728": [
        {
            "sample_cnt": 75,
            "yara_rule_name": "MALWARE_Win_Chaos",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Chaos ransomware",
            "last_hit_utc": "2022-11-21 18:21:02"
        }
    ],
    "1729": [
        {
            "sample_cnt": 75,
            "yara_rule_name": "MALW_JS_PirateStealerPKG",
            "yara_rule_author": "skyeto",
            "yara_rule_reference": "https://twitter.com/skyetothefox/status/1444442313367998467",
            "yara_rule_description": "PirateStealer Malware",
            "last_hit_utc": "2026-04-21 22:40:48"
        }
    ],
    "1730": [
        {
            "sample_cnt": 75,
            "yara_rule_name": "multiple_concats_in_excel4_formula_register",
            "yara_rule_author": "Will Metcalf",
            "yara_rule_reference": "https://blog.reversinglabs.com/blog/excel-4.0-macros",
            "yara_rule_description": "Behold The Great And Powerful Match Iterator. Multiple Concats Inside of register Function",
            "last_hit_utc": "2022-05-31 06:33:22"
        }
    ],
    "1731": [
        {
            "sample_cnt": 75,
            "yara_rule_name": "win_havoc_ntdll_hashes_oct_2022",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of havoc demons via hardcoded ntdll api hashes",
            "last_hit_utc": "2026-04-23 14:02:59"
        }
    ],
    "1732": [
        {
            "sample_cnt": 75,
            "yara_rule_name": "win_systembc_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.systembc.",
            "last_hit_utc": "2023-05-13 22:58:12"
        }
    ],
    "1733": [
        {
            "sample_cnt": 74,
            "yara_rule_name": "BazarLoader",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule to Detect Bazar Loader",
            "last_hit_utc": "2022-10-21 22:37:04"
        }
    ],
    "1734": [
        {
            "sample_cnt": 74,
            "yara_rule_name": "detect_STRRAT_javascripts_Malware",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects obfuscated JavaScript code indicative of STRRAT malware.",
            "last_hit_utc": "2026-03-25 07:15:29"
        }
    ],
    "1735": [
        {
            "sample_cnt": 74,
            "yara_rule_name": "enterpriseapps",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Enterprise apps",
            "last_hit_utc": "2021-03-01 18:59:32"
        }
    ],
    "1736": [
        {
            "sample_cnt": 74,
            "yara_rule_name": "Hidden",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://github.com/JKornev/hidden",
            "yara_rule_description": "Identifies Hidden Windows driver, used by malware such as PurpleFox.",
            "last_hit_utc": "2026-04-27 05:18:16"
        }
    ],
    "1737": [
        {
            "sample_cnt": 74,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution",
            "last_hit_utc": "2026-04-25 17:28:36"
        }
    ],
    "1738": [
        {
            "sample_cnt": 74,
            "yara_rule_name": "malware_Remcos_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "detect Remcos in memory",
            "last_hit_utc": "2026-03-06 15:08:01"
        }
    ],
    "1739": [
        {
            "sample_cnt": 74,
            "yara_rule_name": "MALWARE_Win_OnlyLogger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects OnlyLogger loader variants",
            "last_hit_utc": "2022-10-25 15:24:05"
        }
    ],
    "1740": [
        {
            "sample_cnt": 74,
            "yara_rule_name": "win_bazarbackdoor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-03-28 21:37:46"
        }
    ],
    "1741": [
        {
            "sample_cnt": 74,
            "yara_rule_name": "win_recordbreaker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.recordbreaker.",
            "last_hit_utc": "2025-06-03 22:21:30"
        }
    ],
    "1742": [
        {
            "sample_cnt": 73,
            "yara_rule_name": "exploit_any_poppopret",
            "yara_rule_author": "Jeff White [karttoon@gmail.com] @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.",
            "last_hit_utc": "2025-01-05 14:58:45"
        }
    ],
    "1743": [
        {
            "sample_cnt": 73,
            "yara_rule_name": "IcedID_init_loader",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies IcedID (stage 1 and 2, initial loaders).",
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "1744": [
        {
            "sample_cnt": 73,
            "yara_rule_name": "MALWARE_Win_HyperBro03",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Hunt HyperBro IronTiger / LuckyMouse / APT27 malware",
            "last_hit_utc": "2021-08-03 22:22:04"
        }
    ],
    "1745": [
        {
            "sample_cnt": 73,
            "yara_rule_name": "Mimikatz_Strings",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Detects Mimikatz strings",
            "last_hit_utc": "2025-11-25 20:47:30"
        }
    ],
    "1746": [
        {
            "sample_cnt": 73,
            "yara_rule_name": "SystemBC_Socks",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies SystemBC RAT, Socks proxy version.",
            "last_hit_utc": "2025-01-05 16:21:59"
        }
    ],
    "1747": [
        {
            "sample_cnt": 73,
            "yara_rule_name": "WannaCry_Ransomware_Gen",
            "yara_rule_author": "Florian Roth (based on rule by US CERT)",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-132A",
            "yara_rule_description": "Detects WannaCry Ransomware",
            "last_hit_utc": "2025-01-15 01:54:03"
        }
    ],
    "1748": [
        {
            "sample_cnt": 72,
            "yara_rule_name": "BunnyLoader",
            "yara_rule_author": "indest",
            "yara_rule_reference": null,
            "yara_rule_description": "generic crypto/card stealer rule",
            "last_hit_utc": "2026-04-23 13:16:06"
        }
    ],
    "1749": [
        {
            "sample_cnt": 72,
            "yara_rule_name": "HavocDemonDJB2",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-24 07:41:47"
        }
    ],
    "1750": [
        {
            "sample_cnt": 72,
            "yara_rule_name": "hp_doc_svcready",
            "yara_rule_author": "HP Threat Research @HPSecurity",
            "yara_rule_reference": "",
            "yara_rule_description": "SVCReadyLoader document",
            "last_hit_utc": "2022-08-16 13:56:03"
        }
    ],
    "1751": [
        {
            "sample_cnt": 72,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables embedding registry key / value combination manipulating RDP / Terminal Services",
            "last_hit_utc": "2026-01-11 15:40:33"
        }
    ],
    "1752": [
        {
            "sample_cnt": 72,
            "yara_rule_name": "SUSP_Reverse_DOS_header",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a reversed DOS header",
            "last_hit_utc": "2025-01-05 17:03:14"
        }
    ],
    "1753": [
        {
            "sample_cnt": 72,
            "yara_rule_name": "Windows_Trojan_Remcos_b296e965",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 08:40:52"
        }
    ],
    "1754": [
        {
            "sample_cnt": 72,
            "yara_rule_name": "win_havoc_w1",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-24 07:41:48"
        }
    ],
    "1755": [
        {
            "sample_cnt": 72,
            "yara_rule_name": "win_vidar_a_a901",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detect unpacked Vidar samples",
            "last_hit_utc": "2023-07-06 11:30:04"
        }
    ],
    "1756": [
        {
            "sample_cnt": 71,
            "yara_rule_name": "Hunting_Rule_ShikataGaNai",
            "yara_rule_author": "Steven Miller",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html",
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-25 07:46:25"
        }
    ],
    "1757": [
        {
            "sample_cnt": 71,
            "yara_rule_name": "malware_Quasar_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "detect QuasarRAT in memory",
            "last_hit_utc": "2022-11-24 04:25:03"
        }
    ],
    "1758": [
        {
            "sample_cnt": 71,
            "yara_rule_name": "Polymorph_BAT_CAB",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects polymorphic BAT/CAB files self-extracting payload with extrac32.exe/extract.exe",
            "last_hit_utc": "2026-03-08 16:52:15"
        }
    ],
    "1759": [
        {
            "sample_cnt": 71,
            "yara_rule_name": "Windows_Trojan_Azorult_38fce9ea",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 15:28:24"
        }
    ],
    "1760": [
        {
            "sample_cnt": 71,
            "yara_rule_name": "xenorat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 11:56:29"
        }
    ],
    "1761": [
        {
            "sample_cnt": 70,
            "yara_rule_name": "INDICATOR_SUSPICOUS_EXE_References_VEEAM",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing many references to VEEAM. Observed in ransomware",
            "last_hit_utc": "2022-11-18 11:05:02"
        }
    ],
    "1762": [
        {
            "sample_cnt": 70,
            "yara_rule_name": "MALWARE_Win_XenoRAT",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Blacksuit",
            "last_hit_utc": "2026-04-23 11:56:28"
        }
    ],
    "1763": [
        {
            "sample_cnt": 70,
            "yara_rule_name": "MALWARE_Win_Zegost",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Zegost",
            "last_hit_utc": "2026-03-29 17:59:12"
        }
    ],
    "1764": [
        {
            "sample_cnt": 70,
            "yara_rule_name": "MAL_RANSOM_COVID19_Apr20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/",
            "yara_rule_description": "Detects ransomware distributed in COVID-19 theme",
            "last_hit_utc": "2026-03-27 01:50:22"
        }
    ],
    "1765": [
        {
            "sample_cnt": 70,
            "yara_rule_name": "observer",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked observer malware samples.",
            "last_hit_utc": "2025-10-03 06:45:57"
        }
    ],
    "1766": [
        {
            "sample_cnt": 70,
            "yara_rule_name": "Win32_Ransomware_WannaCry",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects WannaCry ransomware.",
            "last_hit_utc": "2025-07-25 17:55:19"
        }
    ],
    "1767": [
        {
            "sample_cnt": 69,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_attrib",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables using attrib with suspicious attributes",
            "last_hit_utc": "2026-02-24 17:03:21"
        }
    ],
    "1768": [
        {
            "sample_cnt": 69,
            "yara_rule_name": "Office_AutoOpen_Macro",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects a Microsoft Office file that contains the AutoOpen Macro function",
            "last_hit_utc": "2022-11-25 07:08:04"
        }
    ],
    "1769": [
        {
            "sample_cnt": 69,
            "yara_rule_name": "Windows_Trojan_AgentTesla_a2d69e48",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:02:00"
        }
    ],
    "1770": [
        {
            "sample_cnt": 68,
            "yara_rule_name": "bumblebee_win_generic",
            "yara_rule_author": "_kphi",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-20 06:22:21"
        }
    ],
    "1771": [
        {
            "sample_cnt": 68,
            "yara_rule_name": "Find_Any_Xll_Files",
            "yara_rule_author": "David Ledbetter @Ledtech3",
            "yara_rule_reference": "",
            "yara_rule_description": "Find Any XLL File",
            "last_hit_utc": "2022-11-14 18:43:03"
        }
    ],
    "1772": [
        {
            "sample_cnt": 68,
            "yara_rule_name": "Impacket",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://github.com/SecureAuthCorp/impacket",
            "yara_rule_description": "Identifies Impacket, a collection of Python classes for working with network protocols.",
            "last_hit_utc": "2026-02-22 18:15:42"
        }
    ],
    "1773": [
        {
            "sample_cnt": 68,
            "yara_rule_name": "INDICATOR_RMM_MeshAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MeshAgent. Review RMM Inventory",
            "last_hit_utc": "2026-04-23 07:55:43"
        }
    ],
    "1774": [
        {
            "sample_cnt": 68,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects JS potentially executing WMI queries",
            "last_hit_utc": "2026-04-09 08:16:25"
        }
    ],
    "1775": [
        {
            "sample_cnt": 68,
            "yara_rule_name": "MALWARE_Win_LimeRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "LimeRAT payload",
            "last_hit_utc": "2025-09-28 08:39:21"
        }
    ],
    "1776": [
        {
            "sample_cnt": 68,
            "yara_rule_name": "Unknown_Malware_Sample_Jul17_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/iqH8CK",
            "yara_rule_description": "Detects unknown malware sample with pastebin RAW URL",
            "last_hit_utc": "2025-01-05 15:33:02"
        }
    ],
    "1777": [
        {
            "sample_cnt": 68,
            "yara_rule_name": "Windows_Ransomware_Phobos_11ea7be5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos",
            "yara_rule_description": "Identifies Phobos ransomware",
            "last_hit_utc": "2025-09-04 12:13:31"
        }
    ],
    "1778": [
        {
            "sample_cnt": 68,
            "yara_rule_name": "win_azorult_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.azorult.",
            "last_hit_utc": "2025-11-23 15:28:24"
        }
    ],
    "1779": [
        {
            "sample_cnt": 67,
            "yara_rule_name": "apk_flubot_w0",
            "yara_rule_author": "Thomas Barabosch, Telekom Security",
            "yara_rule_reference": null,
            "yara_rule_description": "matches on dumped, decrypted V/DEX files of Flubot version > 4.2",
            "last_hit_utc": "2026-03-16 17:28:15"
        }
    ],
    "1780": [
        {
            "sample_cnt": 67,
            "yara_rule_name": "apt_CN_Tetris_JS_advanced_1",
            "yara_rule_author": "@imp0rtp3 (modified by Florian Roth)",
            "yara_rule_reference": "https://imp0rtp3.wordpress.com/2021/08/12/tetris",
            "yara_rule_description": "Unique code from Jetriz, Swid & Jeniva of the Tetris framework",
            "last_hit_utc": "2026-02-23 12:02:23"
        }
    ],
    "1781": [
        {
            "sample_cnt": 67,
            "yara_rule_name": "INDICATOR_RTF_EXPLOIT_CVE_2017_11882_1",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RTF documents potentially exploiting CVE-2017-11882",
            "last_hit_utc": "2022-10-28 06:16:02"
        }
    ],
    "1782": [
        {
            "sample_cnt": 67,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxProductID",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects binaries and memory artifacts referencing sandbox product IDs",
            "last_hit_utc": "2026-04-24 12:39:30"
        }
    ],
    "1783": [
        {
            "sample_cnt": 67,
            "yara_rule_name": "SuspiciousDll",
            "yara_rule_author": "martclau",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SolarWinds Orion backdoor",
            "last_hit_utc": "2026-04-23 05:40:21"
        }
    ],
    "1784": [
        {
            "sample_cnt": 67,
            "yara_rule_name": "win_xenorat_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.xenorat.",
            "last_hit_utc": "2026-04-23 11:56:29"
        }
    ],
    "1785": [
        {
            "sample_cnt": 67,
            "yara_rule_name": "win_younglotus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-30 17:55:10"
        }
    ],
    "1786": [
        {
            "sample_cnt": 66,
            "yara_rule_name": "AgentTesla",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "AgentTesla Payload",
            "last_hit_utc": "2025-10-03 20:02:38"
        }
    ],
    "1787": [
        {
            "sample_cnt": 66,
            "yara_rule_name": "Amadey",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Amadey Payload",
            "last_hit_utc": "2021-11-12 21:24:48"
        }
    ],
    "1788": [
        {
            "sample_cnt": 66,
            "yara_rule_name": "Azorult",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Azorult Payload",
            "last_hit_utc": "2025-11-23 15:28:24"
        }
    ],
    "1789": [
        {
            "sample_cnt": 66,
            "yara_rule_name": "Guloader_Heuristic_VBS_A",
            "yara_rule_author": "Ankit Anubhav - ankitanubhav.info",
            "yara_rule_reference": null,
            "yara_rule_description": "Heuristic to detect 2023 Guloader variant",
            "last_hit_utc": "2026-04-15 09:13:39"
        }
    ],
    "1790": [
        {
            "sample_cnt": 66,
            "yara_rule_name": "informational_win_ole_exist",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify OLE Packages embedded in Office 97-2K3 Doc Files.",
            "last_hit_utc": "2026-04-22 06:45:32"
        }
    ],
    "1791": [
        {
            "sample_cnt": 66,
            "yara_rule_name": "Linux_Trojan_Mirai_0bce98a2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 01:17:02"
        }
    ],
    "1792": [
        {
            "sample_cnt": 66,
            "yara_rule_name": "MALWARE_Win_Phobos",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Phobos ransomware",
            "last_hit_utc": "2025-09-04 12:13:31"
        }
    ],
    "1793": [
        {
            "sample_cnt": 66,
            "yara_rule_name": "Trojan_CoinMiner",
            "yara_rule_author": "Trellix ATR",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect Coinminer malware",
            "last_hit_utc": "2025-10-04 11:06:34"
        }
    ],
    "1794": [
        {
            "sample_cnt": 66,
            "yara_rule_name": "win_vidar_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.vidar.",
            "last_hit_utc": "2026-03-24 16:27:28"
        }
    ],
    "1795": [
        {
            "sample_cnt": 65,
            "yara_rule_name": "dbatloader_bat_v2",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-22 14:02:16"
        }
    ],
    "1796": [
        {
            "sample_cnt": 65,
            "yara_rule_name": "MALWARE_Win_DLAgent09",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects known downloader agent",
            "last_hit_utc": "2025-06-23 13:58:29"
        }
    ],
    "1797": [
        {
            "sample_cnt": 65,
            "yara_rule_name": "netwire",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-09 13:45:04"
        }
    ],
    "1798": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "Backdoor_Nitol_Jun17",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/OOB3mH",
            "yara_rule_description": "Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader",
            "last_hit_utc": "2025-01-05 15:30:28"
        }
    ],
    "1799": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "Datper",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html",
            "yara_rule_description": "detect Datper in memory",
            "last_hit_utc": "2026-04-22 16:02:44"
        }
    ],
    "1800": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "exploit_generic",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "exploit",
            "last_hit_utc": "2026-03-27 04:34:16"
        }
    ],
    "1801": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "MALWARE_Win_Matiex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Matiex/XetimaLogger keylogger payload",
            "last_hit_utc": "2023-08-05 09:54:04"
        }
    ],
    "1802": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "Msfpayloads_msf_ref",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf-ref.ps1",
            "last_hit_utc": "2026-03-09 06:46:17"
        }
    ],
    "1803": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "RAT_win_Orcus",
            "yara_rule_author": "KrknSec",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat",
            "yara_rule_description": "Detects Orcus RAT",
            "last_hit_utc": "2026-03-07 08:53:18"
        }
    ],
    "1804": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "RobotDropper",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RobotDropper",
            "last_hit_utc": "2025-06-16 15:39:01"
        }
    ],
    "1805": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "SUSP_VBA_FileSystem_Access_RID30A9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious VBA that writes to disk and is activated on document open",
            "last_hit_utc": "2026-02-27 08:11:20"
        }
    ],
    "1806": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "Windows_Exploit_Generic_008359cf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-10 16:18:15"
        }
    ],
    "1807": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "Windows_Trojan_Generic_9997489c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:05:45"
        }
    ],
    "1808": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "Windows_Trojan_Metasploit_24338919",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).",
            "last_hit_utc": "2025-08-02 23:52:08"
        }
    ],
    "1809": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "Winnti_NlaifSvc_RID2CFF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/VbvJtL",
            "yara_rule_description": "Winnti sample - file NlaifSvc.dll",
            "last_hit_utc": "2026-02-27 13:46:15"
        }
    ],
    "1810": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "win_bruteratel_syscall_hashes_oct_2022",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of Brute Ratel Badger via api hashes of Nt* functions.",
            "last_hit_utc": "2026-04-20 23:19:24"
        }
    ],
    "1811": [
        {
            "sample_cnt": 64,
            "yara_rule_name": "win_unidentified_111_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.unidentified_111.",
            "last_hit_utc": "2025-11-14 18:08:50"
        }
    ],
    "1812": [
        {
            "sample_cnt": 63,
            "yara_rule_name": "azov_Dropped",
            "yara_rule_author": "Potatech",
            "yara_rule_reference": null,
            "yara_rule_description": "Azov Detection",
            "last_hit_utc": "2025-04-04 11:02:23"
        }
    ],
    "1813": [
        {
            "sample_cnt": 63,
            "yara_rule_name": "INDICATOR_KB_CERT_65628c146ace93037fc58659f14bd35f",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-10-24 05:47:03"
        }
    ],
    "1814": [
        {
            "sample_cnt": 63,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_DisableWinDefender",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing artifcats associated with disabling Widnows Defender",
            "last_hit_utc": "2022-10-23 14:43:03"
        }
    ],
    "1815": [
        {
            "sample_cnt": 63,
            "yara_rule_name": "js_ratdispenser",
            "yara_rule_author": "HP Threat Research @HPSecurity",
            "yara_rule_reference": null,
            "yara_rule_description": "JavaScript downloader resp. dropper delivering various RATs",
            "last_hit_utc": "2025-01-05 16:12:18"
        }
    ],
    "1816": [
        {
            "sample_cnt": 63,
            "yara_rule_name": "SUSP_Base64_Encoded_Hex_Encoded_Code",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/",
            "yara_rule_description": "Detects hex encoded code that has been base64 encoded",
            "last_hit_utc": "2025-01-19 19:43:02"
        }
    ],
    "1817": [
        {
            "sample_cnt": 63,
            "yara_rule_name": "Windows_Generic_MalCert_65514fe0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-15 14:28:12"
        }
    ],
    "1818": [
        {
            "sample_cnt": 63,
            "yara_rule_name": "Windows_Trojan_Darkcomet_1df27bcc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:07:27"
        }
    ],
    "1819": [
        {
            "sample_cnt": 63,
            "yara_rule_name": "win_aurora_stealer_a_706a",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects Aurora Stealer samples",
            "last_hit_utc": "2025-06-16 16:39:43"
        }
    ],
    "1820": [
        {
            "sample_cnt": 63,
            "yara_rule_name": "win_gcleaner_de41",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": "",
            "yara_rule_description": "detects GCleaner",
            "last_hit_utc": "2022-11-24 17:12:50"
        }
    ],
    "1821": [
        {
            "sample_cnt": 62,
            "yara_rule_name": "agent_tesla",
            "yara_rule_author": "Stormshield",
            "yara_rule_reference": null,
            "yara_rule_description": "Detecting HTML strings used by Agent Tesla malware",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "1822": [
        {
            "sample_cnt": 62,
            "yara_rule_name": "crime_win32_rat_parralax_shell_bin",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1257714191902937088",
            "yara_rule_description": "Detects Parallax injected code",
            "last_hit_utc": "2022-02-02 08:15:06"
        }
    ],
    "1823": [
        {
            "sample_cnt": 62,
            "yara_rule_name": "MAL_crime_win32_rat_parallax_shell_bin",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1257714191902937088",
            "yara_rule_description": "Detects Parallax injected code",
            "last_hit_utc": "2022-02-02 08:15:06"
        }
    ],
    "1824": [
        {
            "sample_cnt": 62,
            "yara_rule_name": "MinGWGCC3x",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 14:10:56"
        }
    ],
    "1825": [
        {
            "sample_cnt": 62,
            "yara_rule_name": "PM_Zip_with_js",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-04-30 18:20:36"
        }
    ],
    "1826": [
        {
            "sample_cnt": 62,
            "yara_rule_name": "UmbrealStealerEXIFData",
            "yara_rule_author": "adm1n_usa32",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects UmbralStealer by obvious comment in EXIF Data",
            "last_hit_utc": "2026-04-01 16:43:19"
        }
    ],
    "1827": [
        {
            "sample_cnt": 62,
            "yara_rule_name": "win_bumblebee_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.bumblebee.",
            "last_hit_utc": "2026-03-19 13:36:06"
        }
    ],
    "1828": [
        {
            "sample_cnt": 61,
            "yara_rule_name": "Backdoor_Nitol_Jun17_RID2E8F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/OOB3mH",
            "yara_rule_description": "Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader",
            "last_hit_utc": "2025-06-16 16:17:25"
        }
    ],
    "1829": [
        {
            "sample_cnt": 61,
            "yara_rule_name": "Linux_Trojan_Gafgyt_6321b565",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-03 12:24:25"
        }
    ],
    "1830": [
        {
            "sample_cnt": 61,
            "yara_rule_name": "Methodology_Contains_Shortcut_OtherURIhandlers",
            "yara_rule_author": "@itsreallynick (Nick Carr)",
            "yara_rule_reference": "https://twitter.com/cglyer/status/1176184798248919044",
            "yara_rule_description": "Detects possible shortcut usage for .URL persistence",
            "last_hit_utc": "2026-04-13 07:49:42"
        }
    ],
    "1831": [
        {
            "sample_cnt": 61,
            "yara_rule_name": "mpress_2_xx_net",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "MPRESS v2.XX .NET",
            "last_hit_utc": "2025-09-27 16:42:34"
        }
    ],
    "1832": [
        {
            "sample_cnt": 61,
            "yara_rule_name": "STRRAT",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects STRRAT config filename",
            "last_hit_utc": "2026-04-23 14:22:42"
        }
    ],
    "1833": [
        {
            "sample_cnt": 61,
            "yara_rule_name": "Windows_Generic_Threat_d331d190",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-15 20:53:45"
        }
    ],
    "1834": [
        {
            "sample_cnt": 61,
            "yara_rule_name": "win_bumblebee",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-19 13:36:55"
        }
    ],
    "1835": [
        {
            "sample_cnt": 61,
            "yara_rule_name": "win_cobalt_sleep_encrypt",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Sleep Encryption Logic Found in Cobalt Strike Deployments",
            "last_hit_utc": "2026-04-27 04:44:38"
        }
    ],
    "1836": [
        {
            "sample_cnt": 61,
            "yara_rule_name": "win_trickbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.trickbot.",
            "last_hit_utc": "2022-07-08 09:32:47"
        }
    ],
    "1837": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "Anydesk",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": "https://www.crowdstrike.com/blog/falcon-complete-disrupts-malvertising-campaign-targeting-anydesk/",
            "yara_rule_description": "Anydesk is commonly used by threat actors for remote access. This rule aims to identify legitimate anydesk, renamed binaries and trojanized versions.",
            "last_hit_utc": "2026-02-13 12:44:52"
        }
    ],
    "1838": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "Chinese_Hacktool_1014",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a chinese hacktool with unknown use",
            "last_hit_utc": "2026-04-05 16:53:16"
        }
    ],
    "1839": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "CobaltStrike_C2_Decoded_Config_Indicator",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CobaltStrike C2 decoded profile configuration",
            "last_hit_utc": "2020-11-17 15:24:54"
        }
    ],
    "1840": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "CobaltStrike_MZ_Launcher",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects CobaltStrike MZ header ReflectiveLoader launcher",
            "last_hit_utc": "2022-10-30 07:51:03"
        }
    ],
    "1841": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "CobaltStrike_Resources_Artifact32_v3_14_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0",
            "last_hit_utc": "2026-02-13 10:01:36"
        }
    ],
    "1842": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "CobaltStrike__Resources_Artifact32_v3_14_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-13 10:01:36"
        }
    ],
    "1843": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "DbatLoader",
            "yara_rule_author": "Harish Kumar P",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule to Detect DbatLoader",
            "last_hit_utc": "2026-02-12 14:04:14"
        }
    ],
    "1844": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "INDICATOR_EXE_Packed_AgileDotNet",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with Agile.NET / CliSecure",
            "last_hit_utc": "2026-02-17 09:33:28"
        }
    ],
    "1845": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "INDICATOR_EXE_Packed_NyanXCat_CSharpLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects .NET executables utilizing NyanX-CAT C# Loader",
            "last_hit_utc": "2026-03-26 22:09:22"
        }
    ],
    "1846": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "MAL_Nitol_Malware_Jan19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/shotgunner101/status/1084602413691166721",
            "yara_rule_description": "Detects Nitol Malware",
            "last_hit_utc": "2025-01-05 15:30:29"
        }
    ],
    "1847": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "Mirai",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Mirai",
            "last_hit_utc": "2022-04-24 03:08:03"
        }
    ],
    "1848": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "qakbot_api_hashing",
            "yara_rule_author": "@Embee_Research",
            "yara_rule_reference": "https://twitter.com/embee_research/status/1592067841154756610",
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-18 08:37:02"
        }
    ],
    "1849": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "StealerDLL_Amadey",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Amadey's Stealer DLL",
            "last_hit_utc": "2026-04-26 11:42:29"
        }
    ],
    "1850": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "weird_png_data_after_end",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/",
            "yara_rule_description": "Detects data suspiciously located after a PNG's end header",
            "last_hit_utc": "2026-04-23 00:10:58"
        }
    ],
    "1851": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "win_netwire_g1",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-25 12:02:07"
        }
    ],
    "1852": [
        {
            "sample_cnt": 60,
            "yara_rule_name": "WScriptShell_Case_Anomaly",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects obfuscated wscript.shell commands",
            "last_hit_utc": "2022-04-06 12:02:03"
        }
    ],
    "1853": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "ach_Heodo_doc_20210105",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/4a9a503c5ef194713f9e75b16b13edd6/",
            "yara_rule_description": "Detects Heodo DOC",
            "last_hit_utc": "2022-10-31 16:12:02"
        }
    ],
    "1854": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "GhostDragon_Gh0stRAT",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blog.cylance.com/the-ghost-dragon",
            "yara_rule_description": "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report",
            "last_hit_utc": "2026-04-27 11:54:27"
        }
    ],
    "1855": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "MalScript_Tricks",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.",
            "last_hit_utc": "2026-04-25 14:51:41"
        }
    ],
    "1856": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "Qakbot_IsoCampaign",
            "yara_rule_author": "Malhuters",
            "yara_rule_reference": "",
            "yara_rule_description": "Qakbot New Campaign ISO",
            "last_hit_utc": "2022-11-10 23:54:03"
        }
    ],
    "1857": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "unpacked_qbot",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unpacked or memory-dumped QBot samples",
            "last_hit_utc": "2025-01-05 15:36:24"
        }
    ],
    "1858": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "Windows_Hacktool_Seatbelt_674fd535",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-21 01:47:21"
        }
    ],
    "1859": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "Windows_Trojan_Lokibot_0f421617",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-25 09:50:36"
        }
    ],
    "1860": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "Windows_Trojan_Lokibot_1f885282",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-25 09:50:36"
        }
    ],
    "1861": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "win_bit_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.bit_rat.",
            "last_hit_utc": "2022-11-20 16:31:03"
        }
    ],
    "1862": [
        {
            "sample_cnt": 59,
            "yara_rule_name": "win_qakbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.qakbot.",
            "last_hit_utc": "2024-04-18 08:37:02"
        }
    ],
    "1863": [
        {
            "sample_cnt": 58,
            "yara_rule_name": "APT_PatchWork_BADNEWS_20211105",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PatchWork Group RTF or BADNEWS",
            "last_hit_utc": "2022-11-07 15:28:04"
        }
    ],
    "1864": [
        {
            "sample_cnt": 58,
            "yara_rule_name": "CobaltStrike_Resources_Artifact64_v3_14_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x",
            "last_hit_utc": "2025-10-06 10:22:11"
        }
    ],
    "1865": [
        {
            "sample_cnt": 58,
            "yara_rule_name": "CobaltStrike__Resources_Artifact64_v3_14_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-06 10:22:11"
        }
    ],
    "1866": [
        {
            "sample_cnt": 58,
            "yara_rule_name": "Disclosed_0day_POCs_payload_MSI",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed 0day Repos",
            "yara_rule_description": "Detects POC code from disclosed 0day hacktool set",
            "last_hit_utc": "2026-03-27 00:32:18"
        }
    ],
    "1867": [
        {
            "sample_cnt": 58,
            "yara_rule_name": "Windows_Generic_Threat_dbae6542",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-11 15:41:15"
        }
    ],
    "1868": [
        {
            "sample_cnt": 58,
            "yara_rule_name": "Windows_Trojan_Donutloader_5c38878d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-09 17:21:45"
        }
    ],
    "1869": [
        {
            "sample_cnt": 58,
            "yara_rule_name": "win_xfilesstealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.xfilesstealer.",
            "last_hit_utc": "2022-11-26 10:55:52"
        }
    ],
    "1870": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "ach_Quakbot_20200929",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/2a8cbd4ee39c51fbbef6140ef0a643de/",
            "yara_rule_description": "Detects QuakBot PE",
            "last_hit_utc": "2021-01-28 00:14:10"
        }
    ],
    "1871": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "hunt_credaccess_iis_xor",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": null,
            "yara_rule_description": "hunt for strings related to iis credential access",
            "last_hit_utc": "2026-03-21 01:47:20"
        }
    ],
    "1872": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Hunt_Excel_DNA_Built_XLL_Files",
            "yara_rule_author": "David Ledbetter @Ledtech3",
            "yara_rule_reference": "",
            "yara_rule_description": "Hunt for Excel Addin dll files generated with Excel-DNA builder   https://excel-dna.net/",
            "last_hit_utc": "2022-11-14 18:43:03"
        }
    ],
    "1873": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "MAL_Floxif_Generic_RID2DCE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Floxif Malware",
            "last_hit_utc": "2026-03-24 15:31:15"
        }
    ],
    "1874": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Pkg",
            "yara_rule_author": "nwunderly",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-14 08:53:17"
        }
    ],
    "1875": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Quasar",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "detect QuasarRAT in memory",
            "last_hit_utc": "2022-01-26 14:08:08"
        }
    ],
    "1876": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "SUSP_Microsoft_Copyright_String_Anomaly_2_RID3720",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Floxif Malware",
            "last_hit_utc": "2026-03-24 15:31:15"
        }
    ],
    "1877": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_23fee092",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, File analysis module",
            "last_hit_utc": "2026-03-21 01:47:21"
        }
    ],
    "1878": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_413caa6b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, event module",
            "last_hit_utc": "2026-03-21 01:47:21"
        }
    ],
    "1879": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_4a9b9603",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, Services info module",
            "last_hit_utc": "2026-03-21 01:47:21"
        }
    ],
    "1880": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_4db2c852",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, System info module",
            "last_hit_utc": "2026-03-21 01:47:21"
        }
    ],
    "1881": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_57587f8c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, Network module",
            "last_hit_utc": "2026-03-21 01:47:21"
        }
    ],
    "1882": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_66197d54",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, application module",
            "last_hit_utc": "2026-03-21 01:47:21"
        }
    ],
    "1883": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_861d3264",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, File Info module",
            "last_hit_utc": "2026-03-21 01:47:22"
        }
    ],
    "1884": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_b6bb3e7c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, Windows credentials module",
            "last_hit_utc": "2026-03-21 01:47:22"
        }
    ],
    "1885": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_bcedc8b2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, User info module",
            "last_hit_utc": "2026-03-21 01:47:22"
        }
    ],
    "1886": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_cae025b1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, Process info module",
            "last_hit_utc": "2026-03-21 01:47:22"
        }
    ],
    "1887": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_e8ed269c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the dotNet binary, checks module",
            "last_hit_utc": "2026-03-21 01:47:22"
        }
    ],
    "1888": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "Windows_Trojan_IcedID_91562d18",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-08 20:41:03"
        }
    ],
    "1889": [
        {
            "sample_cnt": 57,
            "yara_rule_name": "win_qakbot_malped",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.qakbot.",
            "last_hit_utc": "2023-11-28 09:24:57"
        }
    ],
    "1890": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "Amadey",
            "yara_rule_author": "kevoreilly, YungBinary",
            "yara_rule_reference": null,
            "yara_rule_description": "Amadey Payload",
            "last_hit_utc": "2026-04-26 17:25:27"
        }
    ],
    "1891": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "EXE_Unknown_Byakugan_April2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 20:23:29"
        }
    ],
    "1892": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "HKTL_NET_GUID_privilege_escalation_awesome_scripts_suite",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2026-03-21 01:47:20"
        }
    ],
    "1893": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "INDICATOR_OLE_Excel4Macros_DL2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects OLE Excel 4 Macros documents acting as downloaders",
            "last_hit_utc": "2025-01-05 15:13:58"
        }
    ],
    "1894": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "INDICATOR_RMM_MeshAgent_CERT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Mesh Agent by (default) certificate. Review RMM Inventory",
            "last_hit_utc": "2026-04-22 08:51:36"
        }
    ],
    "1895": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "Linux_Generic_Threat_3fa2df51",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-04 06:59:11"
        }
    ],
    "1896": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "MAL_Ransomware_Wadhrama_RID2FED",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Wadhrama Ransomware via Imphash",
            "last_hit_utc": "2025-01-05 16:44:33"
        }
    ],
    "1897": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "MAL_RANSOM_REvil_Oct20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects REvil ransomware",
            "last_hit_utc": "2023-11-16 23:47:03"
        }
    ],
    "1898": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "nuso",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked nuso malware samples.",
            "last_hit_utc": "2025-06-22 22:21:18"
        }
    ],
    "1899": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "Ran_Crysis_Sep_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect Crysis ransomware",
            "last_hit_utc": "2025-01-05 16:44:33"
        }
    ],
    "1900": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "RAT_CyberGate",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/CyberGate",
            "yara_rule_description": "Detects CyberGate RAT",
            "last_hit_utc": "2025-11-29 05:46:13"
        }
    ],
    "1901": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "Retefe",
            "yara_rule_author": "bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Retefe",
            "last_hit_utc": "2023-01-26 00:41:47"
        }
    ],
    "1902": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "Windows_Generic_Threat_97c1a260",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:12:32"
        }
    ],
    "1903": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "Windows_Trojan_IcedID_0b62e783",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-08 20:41:03"
        }
    ],
    "1904": [
        {
            "sample_cnt": 56,
            "yara_rule_name": "Windows_Trojan_Xeno_f92ffb82",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 11:56:29"
        }
    ],
    "1905": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "AgentTesla_mod_tough_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-17 22:41:12"
        }
    ],
    "1906": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "Andromeda_MalBot_Jun_1A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/",
            "yara_rule_description": "Detects a malicious Worm Andromeda / RETADUP",
            "last_hit_utc": "2023-01-25 21:07:01"
        }
    ],
    "1907": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "Executable_Converted_to_MSI",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-17 19:39:44"
        }
    ],
    "1908": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "EXE_Vidar_May_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Vidar payload",
            "last_hit_utc": "2025-01-03 21:18:05"
        }
    ],
    "1909": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "InstallShield2000",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 12:25:30"
        }
    ],
    "1910": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "PyInstaller_Packed_April_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files packed with PyInstaller",
            "last_hit_utc": "2025-01-03 19:46:22"
        }
    ],
    "1911": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "SUSP_PDB_Path_Keywords_RID2F34",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/stvemillertime/status/1179832666285326337?s=20",
            "yara_rule_description": "Detects suspicious PDB paths",
            "last_hit_utc": "2026-04-26 16:39:27"
        }
    ],
    "1912": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "win32_younglotus",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting YoungLotus malware",
            "last_hit_utc": "2026-04-08 00:50:40"
        }
    ],
    "1913": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "Windows_Ransomware_Dharma_942142e3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/",
            "yara_rule_description": "Identifies DHARMA ransomware",
            "last_hit_utc": "2025-01-05 16:44:33"
        }
    ],
    "1914": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "Windows_Ransomware_Dharma_aa5eefed",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/",
            "yara_rule_description": "Identifies DHARMA ransomware",
            "last_hit_utc": "2025-01-05 16:44:33"
        }
    ],
    "1915": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_b54b94ac",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for beacon sleep obfuscation routine",
            "last_hit_utc": "2026-04-27 04:44:39"
        }
    ],
    "1916": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "win_blackremote_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-21 06:33:05"
        }
    ],
    "1917": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "win_parallax_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-15 19:15:05"
        }
    ],
    "1918": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "win_vidar_a_6118",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detect unpacked Vidar samples",
            "last_hit_utc": "2023-05-09 00:10:04"
        }
    ],
    "1919": [
        {
            "sample_cnt": 55,
            "yara_rule_name": "zbot",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-28 01:57:58"
        }
    ],
    "1920": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "ach_Dridex_xlsm_20200528_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/8d2c87fe3217fc82d1d4c2431ba841cf/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-09 09:00:03"
        }
    ],
    "1921": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "darkcomet_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 19:07:26"
        }
    ],
    "1922": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "maldoc_indirect_function_call_1",
            "yara_rule_author": "Didier Stevens (https://DidierStevens.com)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 12:12:25"
        }
    ],
    "1923": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "MALWARE_Win_Dharma",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Dharma ransomware",
            "last_hit_utc": "2025-01-05 16:44:33"
        }
    ],
    "1924": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "MALWARE_Win_Kutaki",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Kutaki",
            "last_hit_utc": "2022-11-03 05:40:03"
        }
    ],
    "1925": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "MALWARE_Win_LimeRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "LimeRAT payload",
            "last_hit_utc": "2022-10-30 10:17:04"
        }
    ],
    "1926": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "MiniTor",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://news.sophos.com/en-us/2020/12/16/systembc/",
            "yara_rule_description": "Identifies MiniTor implementation as seen in SystemBC and Parallax RAT.",
            "last_hit_utc": "2025-01-05 15:09:44"
        }
    ],
    "1927": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "Office_AutoOpen_Macro",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Microsoft Office file that contains the AutoOpen Macro function",
            "last_hit_utc": "2026-02-22 18:16:20"
        }
    ],
    "1928": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "PowerShell_in_Word_Doc",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - ME",
            "yara_rule_description": "Detects a powershell and bypass keyword in a Word document",
            "last_hit_utc": "2021-08-30 13:35:59"
        }
    ],
    "1929": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "prynt_stealer",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Prynt Stealer Payload",
            "last_hit_utc": "2026-02-25 08:31:52"
        }
    ],
    "1930": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "WhisperGateStage2",
            "yara_rule_author": "Harish Kumar",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule to Detect WhisperGateStage2",
            "last_hit_utc": "2022-11-15 11:39:04"
        }
    ],
    "1931": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "Windows_Generic_Threat_1417511b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-17 15:56:18"
        }
    ],
    "1932": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "Windows_Ransomware_Dharma_e9319e4a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/",
            "yara_rule_description": "Identifies DHARMA ransomware",
            "last_hit_utc": "2025-01-05 16:44:33"
        }
    ],
    "1933": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "win_betabot_w0",
            "yara_rule_author": "Venom23",
            "yara_rule_reference": null,
            "yara_rule_description": "Neurevt Malware Sig",
            "last_hit_utc": "2025-10-08 22:10:41"
        }
    ],
    "1934": [
        {
            "sample_cnt": 54,
            "yara_rule_name": "win_privateloader",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:30:00"
        }
    ],
    "1935": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "CobaltStrikeBeacon",
            "yara_rule_author": "enzo",
            "yara_rule_reference": "",
            "yara_rule_description": "Cobalt Strike Beacon Payload",
            "last_hit_utc": "2021-10-18 19:49:06"
        }
    ],
    "1936": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "exela",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked exela stealer malware samples.",
            "last_hit_utc": "2025-06-22 19:58:29"
        }
    ],
    "1937": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_USNDeleteJournal",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware",
            "last_hit_utc": "2024-06-12 14:26:57"
        }
    ],
    "1938": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "INDICATOR_SUSPICOUS_EXE_References_VEEAM",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing many references to VEEAM. Observed in ransomware",
            "last_hit_utc": "2025-04-10 08:29:09"
        }
    ],
    "1939": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "INDICATOR_TOOL_PWS_Amady",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects password stealer DLL. Dropped by Amadey",
            "last_hit_utc": "2022-11-26 10:06:02"
        }
    ],
    "1940": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "JAR_STRRAT_April_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects STRRAT Java Archive",
            "last_hit_utc": "2025-01-05 17:32:54"
        }
    ],
    "1941": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "jh__1995_ZipWithPass_20210105",
            "yara_rule_author": "jh__1995",
            "yara_rule_reference": "",
            "yara_rule_description": "ZIP with password - early detection - HIGH FP!",
            "last_hit_utc": "2022-10-15 04:42:02"
        }
    ],
    "1942": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "MALWARE_Win_Matiex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Matiex keylogger payload",
            "last_hit_utc": "2021-01-25 07:18:06"
        }
    ],
    "1943": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "t0_1",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-18 12:38:04"
        }
    ],
    "1944": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "unknown_dropper",
            "yara_rule_author": "#evilcel3ri",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects an unknown dropper",
            "last_hit_utc": "2022-07-27 21:51:03"
        }
    ],
    "1945": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "Windows_Generic_Threat_5fbf5680",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-23 14:11:47"
        }
    ],
    "1946": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "win_gcleaner_de41",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects GCleaner",
            "last_hit_utc": "2025-01-05 15:23:35"
        }
    ],
    "1947": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "win_gcleaner_w0",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": null,
            "yara_rule_description": "detects GCleaner",
            "last_hit_utc": "2025-01-05 15:23:35"
        }
    ],
    "1948": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "win_smokeloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.smokeloader.",
            "last_hit_utc": "2025-04-28 04:06:11"
        }
    ],
    "1949": [
        {
            "sample_cnt": 53,
            "yara_rule_name": "win_xwormmm_s1_6f74",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects unpacked Xwormmm samples",
            "last_hit_utc": "2025-10-08 21:07:35"
        }
    ],
    "1950": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "BlackShades_4",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "BlackShades",
            "last_hit_utc": "2026-01-24 22:59:45"
        }
    ],
    "1951": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "Cobaltstrike3",
            "yara_rule_author": "Ahmet Payaslioglu | Binalyze DFIR LAB",
            "yara_rule_reference": null,
            "yara_rule_description": "Cobalt Strike Detection",
            "last_hit_utc": "2026-03-24 14:33:15"
        }
    ],
    "1952": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "hancitor_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-05-18 08:47:30"
        }
    ],
    "1953": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "Impacket_Lateral_Movement",
            "yara_rule_author": "Markus Neis",
            "yara_rule_reference": "https://github.com/CoreSecurity/impacket",
            "yara_rule_description": "Detects Impacket Network Activity for Lateral Movement",
            "last_hit_utc": "2025-06-16 16:48:10"
        }
    ],
    "1954": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-06-10 03:26:02"
        }
    ],
    "1955": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "lnk_emotet",
            "yara_rule_author": "HP Threat Research @HPSecurity",
            "yara_rule_reference": "",
            "yara_rule_description": "LNK file which downloads Emotet",
            "last_hit_utc": "2022-06-14 14:03:03"
        }
    ],
    "1956": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "MALWARE_Win_PCRat",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PCRat / Gh0st",
            "last_hit_utc": "2022-10-10 14:10:34"
        }
    ],
    "1957": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "mofongo_loader",
            "yara_rule_author": "vrzh",
            "yara_rule_reference": null,
            "yara_rule_description": "Mofongo loader maps and executes a payload in a hollowed msedge process",
            "last_hit_utc": "2026-03-06 15:40:27"
        }
    ],
    "1958": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "netwalker_ransomware",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://www.ccn-cert.cni.es/comunicacion-eventos/comunicados-ccn-cert/9802-publicado-un-informe-de-codigo-danino-sobre-netwalker.html",
            "yara_rule_description": "Rule to detect Netwalker ransomware",
            "last_hit_utc": "2020-10-02 15:34:33"
        }
    ],
    "1959": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "SUSP_PDB_Path_Keywords",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/stvemillertime/status/1179832666285326337?s=20",
            "yara_rule_description": "Detects suspicious PDB paths",
            "last_hit_utc": "2026-04-26 16:39:26"
        }
    ],
    "1960": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "Windows_Hacktool_SharpHound_5adf9d6d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-20 22:53:16"
        }
    ],
    "1961": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "Windows_Ransomware_Dharma_b31cac3f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/",
            "yara_rule_description": "Identifies DHARMA ransomware",
            "last_hit_utc": "2025-01-05 16:44:33"
        }
    ],
    "1962": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "Windows_Virus_Floxif_493d1897",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 02:26:15"
        }
    ],
    "1963": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "win_dharma_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.dharma.",
            "last_hit_utc": "2025-01-05 16:44:33"
        }
    ],
    "1964": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "win_dreambot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.dreambot.",
            "last_hit_utc": "2022-11-17 10:45:03"
        }
    ],
    "1965": [
        {
            "sample_cnt": 52,
            "yara_rule_name": "win_xpertrat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-29 23:12:10"
        }
    ],
    "1966": [
        {
            "sample_cnt": 51,
            "yara_rule_name": "cecilio_botnet",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": "https://blog.xlab.qianxin.com/catddos-derivative-en/",
            "yara_rule_description": "Cecilio botnet - CatDDoS derivative with modified RC4 table encryption",
            "last_hit_utc": "2026-03-30 07:26:11"
        }
    ],
    "1967": [
        {
            "sample_cnt": 51,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Chaos",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Chaos ransomware",
            "last_hit_utc": "2026-04-05 16:44:10"
        }
    ],
    "1968": [
        {
            "sample_cnt": 51,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_VPN",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many VPN software clients. Observed in infostealers",
            "last_hit_utc": "2022-11-24 09:05:02"
        }
    ],
    "1969": [
        {
            "sample_cnt": 51,
            "yara_rule_name": "KBysPacker028BetaShoooo",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 01:39:46"
        }
    ],
    "1970": [
        {
            "sample_cnt": 51,
            "yara_rule_name": "MALWARE_Win_DLAgent10",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects known downloader agent",
            "last_hit_utc": "2023-08-24 15:58:45"
        }
    ],
    "1971": [
        {
            "sample_cnt": 51,
            "yara_rule_name": "MALWARE_Win_OnlyLogger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects OnlyLogger loader variants",
            "last_hit_utc": "2025-05-11 02:34:15"
        }
    ],
    "1972": [
        {
            "sample_cnt": 51,
            "yara_rule_name": "win_cryptbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.cryptbot.",
            "last_hit_utc": "2021-11-17 02:12:05"
        }
    ],
    "1973": [
        {
            "sample_cnt": 51,
            "yara_rule_name": "win_havoc_djb2_hashing_routine_oct_2022",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-24 07:41:47"
        }
    ],
    "1974": [
        {
            "sample_cnt": 51,
            "yara_rule_name": "win_photoloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.photoloader.",
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "1975": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "ach_TrickBot_xlsb_20210302",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/5906bbbde1afbe182c8d906242dc188a/",
            "yara_rule_description": "Detects TrickBot xlsb",
            "last_hit_utc": "2021-07-28 15:53:43"
        }
    ],
    "1976": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "AppLaunch",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect files referencing .Net AppLaunch.exe",
            "last_hit_utc": "2022-11-20 15:02:03"
        }
    ],
    "1977": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "BAT_DbatLoader",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects base64 and hex encoded MZ header used by DbatLoader",
            "last_hit_utc": "2025-07-22 14:02:15"
        }
    ],
    "1978": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "Cobaltbaltstrike_Payload_Encoded",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2025-12-18 09:38:10"
        }
    ],
    "1979": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "crime_win32_parallax_payload_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1227976106227224578",
            "yara_rule_description": "Detects Parallax Injected Payload v1.01",
            "last_hit_utc": "2021-06-15 14:00:11"
        }
    ],
    "1980": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "epsilon",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked epsilon malware samples.",
            "last_hit_utc": "2025-06-16 17:01:15"
        }
    ],
    "1981": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "evilcrackz",
            "yara_rule_author": "stu",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "test - file evilcrackz.macho",
            "last_hit_utc": "2026-04-15 11:28:01"
        }
    ],
    "1982": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "function_through_object",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-14 16:55:05"
        }
    ],
    "1983": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "Linux_Trojan_Mirai_dab39a25",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:39:38"
        }
    ],
    "1984": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "lsadump",
            "yara_rule_author": "Benjamin DELPY (gentilkiwi)",
            "yara_rule_reference": null,
            "yara_rule_description": "LSA dump program (bootkey/syskey) \u2013 pwdump and others",
            "last_hit_utc": "2026-04-23 14:49:32"
        }
    ],
    "1985": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "mal_loader_havoc_x64",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://github.com/HavocFramework/Havoc/blob/1248ff9ecc964325447128ae3ea819f1ad10b790/Teamserver/data/implants/Shellcode/Source/Utils.c",
            "yara_rule_description": "Detects Havoc C2's import hashing algorithm",
            "last_hit_utc": "2026-03-24 07:41:47"
        }
    ],
    "1986": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "MAL_RANSOM_REvil_Oct20_1_RID2ED2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects REvil ransomware",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "1987": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "Reflective_DLL_Loader_Aug17_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Reflective DLL Loader - suspicious - Possible FP could be program crack",
            "last_hit_utc": "2025-01-05 15:26:03"
        }
    ],
    "1988": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "Start2_net_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e",
            "yara_rule_description": "SystemBC",
            "last_hit_utc": "2026-02-14 15:29:26"
        }
    ],
    "1989": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "SUSP_Reverse_DOS_header",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects a reversed DOS header",
            "last_hit_utc": "2022-10-05 10:04:02"
        }
    ],
    "1990": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "Windows_Trojan_AgentTesla_d3ac2b2f",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "1991": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "Windows_Virus_Expiro_84e99ff0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-01 07:32:20"
        }
    ],
    "1992": [
        {
            "sample_cnt": 50,
            "yara_rule_name": "win_rektloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.rektloader.",
            "last_hit_utc": "2021-10-28 02:15:05"
        }
    ],
    "1993": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "ArechClient",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies ArechClient, infostealer.",
            "last_hit_utc": "2022-11-24 21:08:04"
        }
    ],
    "1994": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "esxi_commands_ransomware",
            "yara_rule_author": "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects commands issued by Ransomware to interact with ESXi VMs",
            "last_hit_utc": "2025-10-16 16:22:32"
        }
    ],
    "1995": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "Hancitor",
            "yara_rule_author": "threathive",
            "yara_rule_reference": "",
            "yara_rule_description": "Hancitor Payload",
            "last_hit_utc": "2022-03-21 17:00:06"
        }
    ],
    "1996": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "INDICATOR_MSI_EXE2MSI",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables converted to .MSI packages using a free online converter.",
            "last_hit_utc": "2026-04-17 19:39:44"
        }
    ],
    "1997": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "INDICATOR_TOOL_GoCLR",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory",
            "last_hit_utc": "2026-03-31 04:25:20"
        }
    ],
    "1998": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "INDICATOR_TOOL_RTK_HiddenRootKit",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the Hidden public rootkit",
            "last_hit_utc": "2026-04-27 05:18:16"
        }
    ],
    "1999": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "Linux_Trojan_Mirai_88a1b067",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-19 08:25:37"
        }
    ],
    "2000": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "Linux_Trojan_Mirai_b9a9d04b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-09 02:43:21"
        }
    ],
    "2001": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "MALWARE_AHK_RedLine",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "RedLine infostealer payload",
            "last_hit_utc": "2020-12-29 08:12:05"
        }
    ],
    "2002": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "Methodology_Suspicious_Shortcut_Local_URL",
            "yara_rule_author": "@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)",
            "yara_rule_reference": "https://twitter.com/cglyer/status/1176184798248919044",
            "yara_rule_description": "Detects local script usage for .URL persistence",
            "last_hit_utc": "2026-03-02 14:08:16"
        }
    ],
    "2003": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "nSpackV2xLiuXingPing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-15 08:22:16"
        }
    ],
    "2004": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "Trojan_Raw_Generic_4",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-27 17:56:30"
        }
    ],
    "2005": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "Windows_Trojan_Qbot_1ac22a26",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-11-28 09:24:57"
        }
    ],
    "2006": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "win_dharma_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-03-07 04:44:04"
        }
    ],
    "2007": [
        {
            "sample_cnt": 49,
            "yara_rule_name": "win_hancitor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.hancitor.",
            "last_hit_utc": "2022-03-21 17:00:06"
        }
    ],
    "2008": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "Babuk",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
            "yara_rule_description": "Babuk / Babyk ransomware",
            "last_hit_utc": "2025-08-08 17:53:15"
        }
    ],
    "2009": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "Check_DriveSize",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-08 00:50:39"
        }
    ],
    "2010": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "CN_disclosed_20180208_Mal1_RID2F59",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2026-01-30 20:27:24"
        }
    ],
    "2011": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "ducktail",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked ducktail malware samples.",
            "last_hit_utc": "2025-10-01 12:13:26"
        }
    ],
    "2012": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "gcleaner",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked gcleaner stealer malware samples.",
            "last_hit_utc": "2025-10-06 20:10:48"
        }
    ],
    "2013": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "INDICATOR_KB_CERT_56f008e69a7c4c3feb389c66eaf58259",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2026-01-12 23:47:19"
        }
    ],
    "2014": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxProductID",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects binaries and memory artifacts referencing sandbox product IDs",
            "last_hit_utc": "2025-01-05 15:17:40"
        }
    ],
    "2015": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "Linux_Trojan_Tsunami_6b3974b2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-11 15:52:31"
        }
    ],
    "2016": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "metasploit_rev_tcp_32",
            "yara_rule_author": "Javier Rascon",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-22 20:36:04"
        }
    ],
    "2017": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "Methodology_Shortcut_HotKey",
            "yara_rule_author": "@itsreallynick (Nick Carr)",
            "yara_rule_reference": "https://twitter.com/cglyer/status/1176184798248919044",
            "yara_rule_description": "Detects possible shortcut usage for .URL persistence",
            "last_hit_utc": "2026-04-03 22:17:13"
        }
    ],
    "2018": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "Mimikatz_Generic",
            "yara_rule_author": "Still",
            "yara_rule_reference": "",
            "yara_rule_description": "attempts to match all variants of Mimikatz",
            "last_hit_utc": "2025-11-25 20:47:30"
        }
    ],
    "2019": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "NsPacKV37LiuXingPing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-30 19:57:13"
        }
    ],
    "2020": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "PE_File",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-01 10:24:06"
        }
    ],
    "2021": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "phorp_New_2021_B",
            "yara_rule_author": "@is_henderson",
            "yara_rule_reference": null,
            "yara_rule_description": "Detecting recent phorpiex variant",
            "last_hit_utc": "2026-03-06 09:19:18"
        }
    ],
    "2022": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "RedOctoberPluginNetScan",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-26 07:39:15"
        }
    ],
    "2023": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "silentbuilder_03_11",
            "yara_rule_author": "James Quinn",
            "yara_rule_reference": "",
            "yara_rule_description": "SilentBuilder xls sheets",
            "last_hit_utc": "2022-07-13 08:09:07"
        }
    ],
    "2024": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "silentbuilder_03_17",
            "yara_rule_author": "James Quinn",
            "yara_rule_reference": "",
            "yara_rule_description": "SilentBuilder xls sheets",
            "last_hit_utc": "2022-07-13 08:09:07"
        }
    ],
    "2025": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "Targeted_SideWinder_Files_July2024",
            "yara_rule_author": "The BlackBerry Threat Research and Intelligence team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule detecting maldoc used for targeting Egypt and Pakistan",
            "last_hit_utc": "2025-10-27 10:26:00"
        }
    ],
    "2026": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "Wimmie",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Wimmie family",
            "last_hit_utc": "2026-03-08 18:07:20"
        }
    ],
    "2027": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "WimmieStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Strings used by Wimmie",
            "last_hit_utc": "2026-03-08 18:07:20"
        }
    ],
    "2028": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "win_privateloader_w0",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-23 20:49:38"
        }
    ],
    "2029": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "win_stop_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-06 06:21:14"
        }
    ],
    "2030": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "xtreme_rat",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "Xtreme RAT",
            "last_hit_utc": "2026-04-24 21:59:32"
        }
    ],
    "2031": [
        {
            "sample_cnt": 48,
            "yara_rule_name": "ZloaderXLSBehavior",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-24 06:05:13"
        }
    ],
    "2032": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "BumbleBee",
            "yara_rule_author": "enzo & kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "BumbleBee Payload",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "2033": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "CDN_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies CDN (Content Delivery Network) domain in shortcut (LNK) file.",
            "last_hit_utc": "2026-03-04 12:32:17"
        }
    ],
    "2034": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "Chinese_Hacktool_1014",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a chinese hacktool with unknown use",
            "last_hit_utc": "2026-04-05 16:53:16"
        }
    ],
    "2035": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "EXPL_Office_TemplateInjection_Aug19",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://attack.mitre.org/techniques/T1221/",
            "yara_rule_description": "Detects possible template injections in Office documents, particularly those that load content from external sources",
            "last_hit_utc": "2026-04-16 06:47:43"
        }
    ],
    "2036": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "INDICATOR_EXE_Packed_AgileDotNet",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with Agile.NET / CliSecure",
            "last_hit_utc": "2022-11-21 08:26:02"
        }
    ],
    "2037": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "INDICATOR_KB_CERT_79906faf4fbd75baa10b322356a07f6d",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NetSupport (client) signed executables",
            "last_hit_utc": "2025-07-11 04:23:15"
        }
    ],
    "2038": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "Linux_Trojan_Tsunami_f806d5d9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 16:12:29"
        }
    ],
    "2039": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "MALWARE_Win_MedusaLocker",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects MedusaLocker ransomware",
            "last_hit_utc": "2022-11-16 05:29:02"
        }
    ],
    "2040": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "MALWARE_Win_PhemedroneStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Phemedrone Stealer infostealer",
            "last_hit_utc": "2025-08-14 13:14:34"
        }
    ],
    "2041": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "MALWARE_Win_Stealerium",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Stealerium infostealer",
            "last_hit_utc": "2025-11-20 18:40:30"
        }
    ],
    "2042": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "MALWARE_Win_VenomRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects VenomRAT",
            "last_hit_utc": "2026-03-13 15:58:16"
        }
    ],
    "2043": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "Msfpayloads_msf_10",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.exe",
            "last_hit_utc": "2023-03-24 12:01:03"
        }
    ],
    "2044": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "RAT_win_warzone",
            "yara_rule_author": "KrknSec",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria",
            "yara_rule_description": "Detects AveMaria/Warzone RAT binaries.",
            "last_hit_utc": "2025-01-05 17:29:26"
        }
    ],
    "2045": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "Spynote_generic_strings",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Spynote Android Malware",
            "last_hit_utc": "2026-04-17 20:07:50"
        }
    ],
    "2046": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "SUSP_Modified_SystemExeFileName_in_File",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
            "yara_rule_description": "Detects a variant of a system file name often used by attackers to cloak their activity",
            "last_hit_utc": "2023-06-13 21:19:24"
        }
    ],
    "2047": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "SUSP_XMRIG_String_RID2D18",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious XMRIG crypto miner executable string in file",
            "last_hit_utc": "2026-04-27 16:04:57"
        }
    ],
    "2048": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "ta505_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-12 10:31:05"
        }
    ],
    "2049": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "VMware_detection_bin_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "VMWare detection",
            "last_hit_utc": "2021-06-24 05:52:23"
        }
    ],
    "2050": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "Windows_Trojan_Formbook",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-12-01 10:16:04"
        }
    ],
    "2051": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "Windows_Trojan_SnakeKeylogger_af3faa65",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-25 16:52:03"
        }
    ],
    "2052": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "win_404keylogger_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-04-11 09:37:00"
        }
    ],
    "2053": [
        {
            "sample_cnt": 47,
            "yara_rule_name": "win_mimikatz_w0",
            "yara_rule_author": "Benjamin DELPY (gentilkiwi)",
            "yara_rule_reference": null,
            "yara_rule_description": "mimikatz",
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2054": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13",
            "last_hit_utc": "2026-02-26 11:55:29"
        }
    ],
    "2055": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "CobaltStrike__Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-26 11:55:29"
        }
    ],
    "2056": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "detect_bitcoin",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:47:15"
        }
    ],
    "2057": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "MALWARE_Win_BlackCat",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects BlackCat ransomware",
            "last_hit_utc": "2022-11-15 12:30:03"
        }
    ],
    "2058": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "MALWARE_Win_CookieStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects generic cookie stealer",
            "last_hit_utc": "2021-10-31 06:44:07"
        }
    ],
    "2059": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "MALWARE_Win_Snake",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Snake Keylogger",
            "last_hit_utc": "2020-12-28 08:26:05"
        }
    ],
    "2060": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "mimikatz",
            "yara_rule_author": "Benjamin DELPY (gentilkiwi)",
            "yara_rule_reference": null,
            "yara_rule_description": "mimikatz",
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2061": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "RAT_Xtreme",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Xtreme",
            "yara_rule_description": "Detects Xtreme RAT",
            "last_hit_utc": "2024-04-11 15:43:05"
        }
    ],
    "2062": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "Trojan_Win_Generic_101",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "Detects FireEye Windows trojan",
            "last_hit_utc": "2026-02-06 16:39:16"
        }
    ],
    "2063": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "Windows_Generic_Threat_24191082",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-02 21:08:21"
        }
    ],
    "2064": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "win_cybergate_w0",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-19 11:45:47"
        }
    ],
    "2065": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "win_cybergate_w0",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-29 15:51:02"
        }
    ],
    "2066": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "win_emotet_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.emotet.",
            "last_hit_utc": "2026-03-24 15:29:15"
        }
    ],
    "2067": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "win_sdbbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.sdbbot.",
            "last_hit_utc": "2025-12-31 17:28:14"
        }
    ],
    "2068": [
        {
            "sample_cnt": 46,
            "yara_rule_name": "win_vigilant_cleaner_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.vigilant_cleaner.",
            "last_hit_utc": "2022-10-06 16:30:03"
        }
    ],
    "2069": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "CobaltStrike_Resources_Beacon_Dll_v3_8",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/beacon.dll Versions 3.8",
            "last_hit_utc": "2026-03-24 14:33:15"
        }
    ],
    "2070": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "GhostDragon_Gh0stRAT",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.cylance.com/the-ghost-dragon",
            "yara_rule_description": "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report",
            "last_hit_utc": "2025-01-05 15:15:25"
        }
    ],
    "2071": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "icarus",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked icarus malware samples.",
            "last_hit_utc": "2025-06-22 15:45:43"
        }
    ],
    "2072": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "IcedIDLoader",
            "yara_rule_author": "kevoreilly, threathive, enzo, r0ny123",
            "yara_rule_reference": null,
            "yara_rule_description": "IcedID Loader",
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "2073": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "INDICATOR_TOOL_LTM_CompiledImpacket",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables of compiled Impacket's python scripts",
            "last_hit_utc": "2025-06-16 16:48:10"
        }
    ],
    "2074": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "MALWARE_Win_BlackMoon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables using BlackMoon RunTime",
            "last_hit_utc": "2022-11-06 03:03:03"
        }
    ],
    "2075": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "MALWARE_Win_DarkComet",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects DarkComet",
            "last_hit_utc": "2022-10-13 13:14:56"
        }
    ],
    "2076": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "MAL_RANSOM_INC_Aug24",
            "yara_rule_author": "X__Junior",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects INC ransomware and its variants like Lynx",
            "last_hit_utc": "2025-08-30 10:06:27"
        }
    ],
    "2077": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "smokeloader_uac_module",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "UAC bypass/file dropped by Smokeloader",
            "last_hit_utc": "2025-05-23 14:11:46"
        }
    ],
    "2078": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "suspecious_plaintext_parameter",
            "yara_rule_author": "purinechu - indicator plaintext paramater injection",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-09-20 18:33:03"
        }
    ],
    "2079": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "SUSP_NVIDIA_LAPSUS_Leak_Compromised_Cert_Mar22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1499514240008437762",
            "yara_rule_description": "Detects a binary signed with the leaked NVIDIA certificate and compiled after March 1st 2022",
            "last_hit_utc": "2026-03-19 11:48:07"
        }
    ],
    "2080": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "Windows_Trojan_Stealc_5d3f297c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-15 08:07:21"
        }
    ],
    "2081": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "win_bit_rat_w0",
            "yara_rule_author": "KrabsOnSecurity",
            "yara_rule_reference": null,
            "yara_rule_description": "String-based rule for detecting BitRAT malware payload",
            "last_hit_utc": "2021-03-07 08:30:08"
        }
    ],
    "2082": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "win_cybergate_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-10-29 15:51:02"
        }
    ],
    "2083": [
        {
            "sample_cnt": 45,
            "yara_rule_name": "win_extreme_rat_w0",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "Xtrem RAT v3.5",
            "last_hit_utc": "2025-01-05 17:28:05"
        }
    ],
    "2084": [
        {
            "sample_cnt": 44,
            "yara_rule_name": "ach_Heodo_doc_20200728",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/a6c75bc2cd9ebe7a1c46dc5ad97d7b02/",
            "yara_rule_description": "Detects Heodo DOC",
            "last_hit_utc": "2020-07-29 13:49:51"
        }
    ],
    "2085": [
        {
            "sample_cnt": 44,
            "yara_rule_name": "Certutil_Decode_OR_Download",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Certutil Decode",
            "last_hit_utc": "2024-06-13 01:50:03"
        }
    ],
    "2086": [
        {
            "sample_cnt": 44,
            "yara_rule_name": "CobaltStrike_Sleep_Decoder_Indicator",
            "yara_rule_author": "yara@s3c.za.net",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects CobaltStrike sleep_mask decoder",
            "last_hit_utc": "2022-10-27 17:56:30"
        }
    ],
    "2087": [
        {
            "sample_cnt": 44,
            "yara_rule_name": "GuLoader",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-15 04:30:57"
        }
    ],
    "2088": [
        {
            "sample_cnt": 44,
            "yara_rule_name": "Quarian",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Quarian",
            "last_hit_utc": "2026-01-07 18:03:20"
        }
    ],
    "2089": [
        {
            "sample_cnt": 44,
            "yara_rule_name": "SUSP_NET_Shellcode_Loader_Indicators_Jan24",
            "yara_rule_author": "Jonathan Peters",
            "yara_rule_reference": "https://github.com/Workingdaturah/Payload-Generator/tree/main",
            "yara_rule_description": "Detects indicators of shellcode loaders in .NET binaries",
            "last_hit_utc": "2026-04-14 19:22:20"
        }
    ],
    "2090": [
        {
            "sample_cnt": 44,
            "yara_rule_name": "SUSP_VBA_FileSystem_Access",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious VBA that writes to disk and is activated on document open",
            "last_hit_utc": "2026-02-27 08:11:20"
        }
    ],
    "2091": [
        {
            "sample_cnt": 44,
            "yara_rule_name": "SUSP_XMRIG_String",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious XMRIG crypto miner executable string in file",
            "last_hit_utc": "2026-04-27 16:04:57"
        }
    ],
    "2092": [
        {
            "sample_cnt": 44,
            "yara_rule_name": "win32_dotnet_obfuscate",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting .NET obfuscated malware",
            "last_hit_utc": "2025-11-21 03:16:22"
        }
    ],
    "2093": [
        {
            "sample_cnt": 43,
            "yara_rule_name": "Malware_Floxif_mpsvc_dll",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Malware - Floxif",
            "last_hit_utc": "2025-04-26 21:37:09"
        }
    ],
    "2094": [
        {
            "sample_cnt": 43,
            "yara_rule_name": "PassProtected_ZIP_ISO_file",
            "yara_rule_author": "_jc",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects container formats commonly smuggled through password-protected zips",
            "last_hit_utc": "2025-01-05 17:20:51"
        }
    ],
    "2095": [
        {
            "sample_cnt": 43,
            "yara_rule_name": "PowerTool",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
            "yara_rule_description": "Identifies PowerTool, sometimes used by attackers to disable security software.",
            "last_hit_utc": "2022-05-18 23:38:23"
        }
    ],
    "2096": [
        {
            "sample_cnt": 43,
            "yara_rule_name": "QuarianCode",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Quarian code features",
            "last_hit_utc": "2026-01-07 18:03:20"
        }
    ],
    "2097": [
        {
            "sample_cnt": 43,
            "yara_rule_name": "RansomwareTest7",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": null,
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2025-01-05 15:16:38"
        }
    ],
    "2098": [
        {
            "sample_cnt": 43,
            "yara_rule_name": "Win32_Ransomware_WannaCry",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects WannaCry ransomware.",
            "last_hit_utc": "2022-10-13 12:40:03"
        }
    ],
    "2099": [
        {
            "sample_cnt": 43,
            "yara_rule_name": "Windows_Shellcode_Rdi_edc62a10",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 02:03:36"
        }
    ],
    "2100": [
        {
            "sample_cnt": 43,
            "yara_rule_name": "Windows_Trojan_Havoc_ffecc8af",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-24 07:41:48"
        }
    ],
    "2101": [
        {
            "sample_cnt": 43,
            "yara_rule_name": "Windows_Trojan_Metasploit_a6e956c9",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies the API address lookup function leveraged by metasploit shellcode",
            "last_hit_utc": "2025-05-07 10:48:22"
        }
    ],
    "2102": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "Adsterra_Adware_DOM",
            "yara_rule_author": "IlluminatiFish",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Adsterra adware script being loaded without the user's consent",
            "last_hit_utc": "2022-11-08 07:50:51"
        }
    ],
    "2103": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "DanaBot_12_2023",
            "yara_rule_author": "RussianPanda",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "2104": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "Hacktools_CN_JoHor_Rdos",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file spec.vbp",
            "last_hit_utc": "2026-04-24 03:31:37"
        }
    ],
    "2105": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Crypto_Wallet_Regex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing cryptocurrency wallet regular expressions",
            "last_hit_utc": "2026-04-25 21:44:28"
        }
    ],
    "2106": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxProductID",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects binaries and memory artifacts referencing sandbox product IDs",
            "last_hit_utc": "2022-10-25 15:24:03"
        }
    ],
    "2107": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "IronTiger_ASPXSpy",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "ASPXSpy detection. It might be used by other fraudsters",
            "last_hit_utc": "2026-02-18 16:31:16"
        }
    ],
    "2108": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "JAR_STRRAT_April_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects STRRAT config filename",
            "last_hit_utc": "2025-01-03 21:15:24"
        }
    ],
    "2109": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "Large_filesize_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.",
            "last_hit_utc": "2022-10-18 06:34:04"
        }
    ],
    "2110": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "MAL_ELF_DeimosC2_Beacon_Nov_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html",
            "yara_rule_description": "Detect the linux beacon used in the DeimosC2 framework (x64 version)",
            "last_hit_utc": "2026-02-12 13:51:07"
        }
    ],
    "2111": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "MAL_Win_Amadey_Jun25",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/amadey-targeted-analysis/",
            "yara_rule_description": "This rule detects intrinsic patterns of Amadey version 5.34",
            "last_hit_utc": "2026-03-27 14:22:45"
        }
    ],
    "2112": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "SUSP_GIF_Anomalies_RID2D89",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://en.wikipedia.org/wiki/GIF",
            "yara_rule_description": "Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type",
            "last_hit_utc": "2026-02-22 18:17:27"
        }
    ],
    "2113": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "tool_frp_str",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://github.com/fatedier/frp",
            "yara_rule_description": "Detect fast reverse proxy (frp)",
            "last_hit_utc": "2026-03-21 02:49:18"
        }
    ],
    "2114": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "Windows_Generic_Threat_23d33b48",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:37:24"
        }
    ],
    "2115": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "Windows_Trojan_Havoc_88053562",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-07 13:07:50"
        }
    ],
    "2116": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "Windows_Trojan_Metasploit_a6e956c9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies the API address lookup function leveraged by metasploit shellcode",
            "last_hit_utc": "2025-05-07 10:48:22"
        }
    ],
    "2117": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "Windows_Trojan_Vidar_114258d5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-04 10:31:03"
        }
    ],
    "2118": [
        {
            "sample_cnt": 42,
            "yara_rule_name": "win_whispergate_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.whispergate.",
            "last_hit_utc": "2026-02-05 16:13:17"
        }
    ],
    "2119": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "AgentTeslaXor",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "AgentTesla xor-based config decoding",
            "last_hit_utc": "2025-04-20 13:32:18"
        }
    ],
    "2120": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "CobaltStrike_Resources_Dnsstager_Bin_v1_47_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/dnsstager.bin signature for versions 1.47 to 4.x",
            "last_hit_utc": "2026-03-23 01:30:23"
        }
    ],
    "2121": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "CobaltStrike__Resources_Dnsstager_Bin_v1_47_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 01:30:23"
        }
    ],
    "2122": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "crime_win64_bazarloader_packed_sep21",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-05-29 16:38:03"
        }
    ],
    "2123": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "DCRat",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "DCRat payload",
            "last_hit_utc": "2026-04-27 16:04:58"
        }
    ],
    "2124": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "detect_apt_APT29",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_APT32_malware",
            "last_hit_utc": "2025-11-23 10:45:17"
        }
    ],
    "2125": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects CVE-2017-8759 weaponized RTF documents.",
            "last_hit_utc": "2022-11-08 03:10:03"
        }
    ],
    "2126": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "Linux_Trojan_Generic_5420d3e7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-18 14:29:26"
        }
    ],
    "2127": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "MALWARE_Win_HyperPro03",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunt HyperPro IronTiger / LuckyMouse / APT27 malware",
            "last_hit_utc": "2021-12-21 10:18:05"
        }
    ],
    "2128": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "MALWARE_Win_Nitol",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Nitol backdoor",
            "last_hit_utc": "2022-11-25 16:52:03"
        }
    ],
    "2129": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "MAL_Unknown_PWDumper_Apr18_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects sample from unknown sample set - IL origin",
            "last_hit_utc": "2022-11-30 20:22:04"
        }
    ],
    "2130": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "privateloader",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": "",
            "yara_rule_description": "PrivateLoader pay-per-install malware",
            "last_hit_utc": "2022-11-23 20:49:38"
        }
    ],
    "2131": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "Suspicious_PS_Strings",
            "yara_rule_author": "Lucas Acha (http://www.lukeacha.com)",
            "yara_rule_reference": "http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
            "yara_rule_description": "observed set of strings which are likely malicious, observed with Jupyter malware.",
            "last_hit_utc": "2026-04-23 09:08:33"
        }
    ],
    "2132": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "VPNFilterStage3PluginTor",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 17:37:35"
        }
    ],
    "2133": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "Windows_Generic_Threat_3f390999",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-24 07:41:48"
        }
    ],
    "2134": [
        {
            "sample_cnt": 41,
            "yara_rule_name": "win_cosmicduke_w0",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect cosmicduke",
            "last_hit_utc": "2025-11-23 10:45:17"
        }
    ],
    "2135": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "INDICATOR_KB_CERT_0deb004e56d7fcec1caa8f2928d4e768",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2021-01-31 07:45:17"
        }
    ],
    "2136": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "INDICATOR_TOOL_GoCLR",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory",
            "last_hit_utc": "2022-05-17 15:34:03"
        }
    ],
    "2137": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "INDICATOR_TOOL_PWS_Mimikatz",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Mimikatz",
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2138": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "MALWARE_Emotet_OneNote_Delivery_wsf_Mar23",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://www.secuinfra.com/en/news/the-whale-surfaces-again-emotet-epoch4-spam-botnet-returns/",
            "yara_rule_description": "Detects Microsoft OneNote files used to deliver Emotet (.wsf Payload)",
            "last_hit_utc": "2023-03-20 16:16:04"
        }
    ],
    "2139": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "Malware_Floxif_mpsvc_dll_RID30C4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Malware - Floxif",
            "last_hit_utc": "2026-03-23 02:26:15"
        }
    ],
    "2140": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "MALWARE_Win_Chebka",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Chebka",
            "last_hit_utc": "2022-12-20 10:14:38"
        }
    ],
    "2141": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "MALWARE_Win_PovertyStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PovertyStealer",
            "last_hit_utc": "2025-06-16 16:34:33"
        }
    ],
    "2142": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "MALWARE_Win_WorldWind",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects WorldWind infostealer",
            "last_hit_utc": "2026-02-25 08:31:52"
        }
    ],
    "2143": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "MALWARE_Win_Zegost",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Zegost",
            "last_hit_utc": "2022-10-10 14:10:34"
        }
    ],
    "2144": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "njrat_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-14 09:11:16"
        }
    ],
    "2145": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "RaccoonV2",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "",
            "yara_rule_description": "This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.",
            "last_hit_utc": "2022-08-11 06:51:38"
        }
    ],
    "2146": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "Raspberry_Robin_DLL_MAY_2022",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": "https://redcanary.com/blog/raspberry-robin/",
            "yara_rule_description": "Detects DLL dropped by Raspberry Robin.",
            "last_hit_utc": "2026-03-13 19:02:17"
        }
    ],
    "2147": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "Windows_Trojan_Revengerat_db91bcc6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-19 01:01:46"
        }
    ],
    "2148": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "win_azorult_g1",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-24 12:52:24"
        }
    ],
    "2149": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "win_cybergate_w0",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-08-31 10:23:11"
        }
    ],
    "2150": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "win_get2_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-06 14:52:38"
        }
    ],
    "2151": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "win_iceid_gzip_ldr_202104",
            "yara_rule_author": "Thomas Barabosch, Telekom Security",
            "yara_rule_reference": null,
            "yara_rule_description": "2021 initial Bokbot / Icedid loader for fake GZIP payloads",
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "2152": [
        {
            "sample_cnt": 40,
            "yara_rule_name": "Zloader",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Zloader Payload",
            "last_hit_utc": "2021-06-15 06:21:08"
        }
    ],
    "2153": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "ACE_Containing_EXE",
            "yara_rule_author": "Florian Roth - based on Nick Hoffman's rule - Morphick Inc",
            "yara_rule_reference": null,
            "yara_rule_description": "Looks for ACE Archives containing an exe/scr file",
            "last_hit_utc": "2025-01-05 15:37:39"
        }
    ],
    "2154": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "AsyncRAT_",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked AsyncRAT malware samples.",
            "last_hit_utc": "2025-10-09 14:10:00"
        }
    ],
    "2155": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "HiddenVNC",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies HiddenVNC, which can start remote sessions.",
            "last_hit_utc": "2022-11-22 13:42:02"
        }
    ],
    "2156": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "Impacket_Keyword",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Impacket Keyword in Executable",
            "last_hit_utc": "2022-12-31 18:31:03"
        }
    ],
    "2157": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "INDICATOR_KB_CERT_17d99cc2f5b29522d422332e681f3e18",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-04-29 00:11:59"
        }
    ],
    "2158": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing non-Windows User-Agents",
            "last_hit_utc": "2021-09-07 06:16:12"
        }
    ],
    "2159": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "Linux_Trojan_Zerobot_3a5b56dd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Strings found in the Zerobot Spoofed Header method",
            "last_hit_utc": "2026-01-13 03:07:33"
        }
    ],
    "2160": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "MALWARE_Win_DLAgent09",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects known downloader agent",
            "last_hit_utc": "2022-11-24 04:25:04"
        }
    ],
    "2161": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20_RID33BA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/",
            "yara_rule_description": "Detects XMRIG crypto coin miners",
            "last_hit_utc": "2026-03-03 14:19:11"
        }
    ],
    "2162": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "Pulsar_RAT",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.pulsar_rat",
            "yara_rule_description": "Identifies Pulsar RAT, based on Quasar RAT.",
            "last_hit_utc": "2026-04-14 07:46:07"
        }
    ],
    "2163": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "SUSP_PowerShell_Base64_Decode",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PowerShell code to decode Base64 data. This can yield many false positives (FP).",
            "last_hit_utc": "2022-10-19 05:32:04"
        }
    ],
    "2164": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "Windows_Ransomware_Hellokitty_d9391a1a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-10 14:56:42"
        }
    ],
    "2165": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "Windows_Trojan_Bumblebee_70bed4f3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:57:12"
        }
    ],
    "2166": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "Winnti_NlaifSvc",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/VbvJtL",
            "yara_rule_description": "Winnti sample - file NlaifSvc.dll",
            "last_hit_utc": "2026-02-27 13:46:15"
        }
    ],
    "2167": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "win_gaboongrabber_w0",
            "yara_rule_author": "Lena Yu aka LambdaMamba",
            "yara_rule_reference": "https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/",
            "yara_rule_description": "Detects GaboonGrabber that grabs its embedded resource to stage further payloads.",
            "last_hit_utc": "2026-04-23 06:41:34"
        }
    ],
    "2168": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "win_makop_ransomware_w0",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1242177227682390017",
            "yara_rule_description": "Detects MAKOP ransomware payload",
            "last_hit_utc": "2025-12-21 11:48:15"
        }
    ],
    "2169": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "win_privateloader",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-23 20:49:38"
        }
    ],
    "2170": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "win_redline_stealer_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unpacked main component of Redline Stealer",
            "last_hit_utc": "2021-02-12 20:44:08"
        }
    ],
    "2171": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "WScript_Shell_PowerShell_Combo",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html",
            "yara_rule_description": "Detects malware from Middle Eastern campaign reported by Talos",
            "last_hit_utc": "2022-06-14 10:20:04"
        }
    ],
    "2172": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "wsh_rat_vbs_decoded",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "Alerts on the decoded WSH RAT VBScript",
            "last_hit_utc": "2026-04-26 05:07:33"
        }
    ],
    "2173": [
        {
            "sample_cnt": 39,
            "yara_rule_name": "Xtreme_Sep17_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects XTREME sample analyzed in September 2017",
            "last_hit_utc": "2022-08-31 02:34:06"
        }
    ],
    "2174": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "ach_Gozi_doc_20210208",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/32cd94a32cc460c30a5f9d06f33d43d8/",
            "yara_rule_description": "Detects Gozi ISFB doc",
            "last_hit_utc": "2021-02-10 14:56:06"
        }
    ],
    "2175": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "APT_UNC2447_MAL_RANSOM_HelloKitty_May21_1_RID3455",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects HelloKitty Ransomware samples from UNC2447 campaign",
            "last_hit_utc": "2025-04-10 14:56:41"
        }
    ],
    "2176": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "crime_win32_parralax_load_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1240676463126380545",
            "yara_rule_description": "Detects Parallax loader sequence",
            "last_hit_utc": "2024-03-15 19:15:05"
        }
    ],
    "2177": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "hp_doc_svcready",
            "yara_rule_author": "HP Threat Research @HPSecurity",
            "yara_rule_reference": null,
            "yara_rule_description": "SVCReadyLoader document",
            "last_hit_utc": "2025-01-05 15:10:03"
        }
    ],
    "2178": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "INDICATOR_EXE_Packed_Loader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects packed executables observed in Molerats",
            "last_hit_utc": "2026-01-02 16:41:14"
        }
    ],
    "2179": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-07-24 02:05:20"
        }
    ],
    "2180": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "lb_apihashing_code_1",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects samples from the Lockbit3.0 (and BlackMatter) family unpacked in memory, identifying code reuse of key functions.",
            "last_hit_utc": "2026-02-06 22:00:24"
        }
    ],
    "2181": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "Linux_Generic_Threat_b8b076f4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-30 16:58:16"
        }
    ],
    "2182": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "MALWARE_Win_DanaBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects DanaBot variants",
            "last_hit_utc": "2022-11-26 04:26:03"
        }
    ],
    "2183": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "MALWARE_Win_Mercurial",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Mercurial infostealer",
            "last_hit_utc": "2022-10-03 08:47:03"
        }
    ],
    "2184": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "MAL_Emotet_Nov_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://cyber.wtf/2021/11/15/guess-whos-back/",
            "yara_rule_description": "Detect Emotet loader",
            "last_hit_utc": "2022-02-03 04:50:09"
        }
    ],
    "2185": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "MAL_WIN_Akira_Apr25",
            "yara_rule_author": "0x0d4y-Icaro Cesar",
            "yara_rule_reference": "https://ish.com.br/wp-content/uploads/2025/04/A-Anatomia-do-Ransomware-Akira-e-sua-expansao-multiplataforma.pdf",
            "yara_rule_description": "This Yara rule from ISH Tecnologia's Heimdall Security Research Team detects key components of Akira Ransomware",
            "last_hit_utc": "2025-08-26 09:08:40"
        }
    ],
    "2186": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "PlugX",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect PlugX in memory",
            "last_hit_utc": "2025-09-19 20:32:06"
        }
    ],
    "2187": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "RAN_MedusaLocker_Aug_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect MedusaLocker ransomware",
            "last_hit_utc": "2023-03-09 18:33:06"
        }
    ],
    "2188": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "RedOctoberPluginCollectInfo",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 14:50:29"
        }
    ],
    "2189": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "sig_198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77",
            "yara_rule_author": "Ian Harte - @is_henderson",
            "yara_rule_reference": "https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/",
            "yara_rule_description": "sanya WSL To Windows Injection",
            "last_hit_utc": "2026-01-14 00:41:26"
        }
    ],
    "2190": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "Windows_Generic_Threat_7693d7fd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-08 00:50:40"
        }
    ],
    "2191": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "win_blackshades_w0",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-07 12:03:04"
        }
    ],
    "2192": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "win_medusalocker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.medusalocker.",
            "last_hit_utc": "2022-11-16 05:29:02"
        }
    ],
    "2193": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "win_privateloader",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-13 10:01:15"
        }
    ],
    "2194": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "win_sakula_rat_w3",
            "yara_rule_author": "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou",
            "yara_rule_reference": "",
            "yara_rule_description": "Sakula v1.3",
            "last_hit_utc": "2022-10-17 08:53:04"
        }
    ],
    "2195": [
        {
            "sample_cnt": 38,
            "yara_rule_name": "win_socelars_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.socelars.",
            "last_hit_utc": "2021-09-22 06:19:03"
        }
    ],
    "2196": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "ach_TrickBot_xlsb_20210226",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/d7685e93288b06ca90d75290f639264b/",
            "yara_rule_description": "Detects TrickBot xlsb",
            "last_hit_utc": "2021-02-26 21:14:05"
        }
    ],
    "2197": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables calling ClearMyTracksByProcess",
            "last_hit_utc": "2022-10-10 14:10:34"
        }
    ],
    "2198": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing Windows vault credential objects. Observed in infostealers",
            "last_hit_utc": "2022-11-25 20:44:03"
        }
    ],
    "2199": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "malware_PlugX_config",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect PlugX in memory",
            "last_hit_utc": "2025-09-19 20:32:06"
        }
    ],
    "2200": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "MALWARE_Win_Matiex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Matiex/XetimaLogger keylogger payload",
            "last_hit_utc": "2022-08-25 18:54:04"
        }
    ],
    "2201": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "MAL_Floxif_Generic",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Floxif Malware",
            "last_hit_utc": "2025-04-26 21:37:09"
        }
    ],
    "2202": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "MAL_RANSOM_REvil_Oct20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects REvil ransomware",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "2203": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "RAT_NetWire",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net> & David Cannings",
            "yara_rule_reference": "http://malwareconfig.com/stats/NetWire",
            "yara_rule_description": "Detects NetWire RAT",
            "last_hit_utc": "2025-01-05 17:29:01"
        }
    ],
    "2204": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "Suspicious_PowerShell_Commands_Executed_via_Rundll32",
            "yara_rule_author": "assistant",
            "yara_rule_reference": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_powershell_via_rundll32.yml",
            "yara_rule_description": "Detects when rundll32.exe is used to execute PowerShell commands that may indicate malicious activity",
            "last_hit_utc": "2026-04-07 14:01:21"
        }
    ],
    "2205": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "SUSP_Microsoft_Copyright_String_Anomaly_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Floxif Malware",
            "last_hit_utc": "2025-04-26 21:37:09"
        }
    ],
    "2206": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "Windows_Generic_Threat_54ccad4d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-30 18:32:27"
        }
    ],
    "2207": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "Windows_Trojan_AveMaria_31d2bce9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-22 11:27:03"
        }
    ],
    "2208": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "Windows_Trojan_Latrodectus_841ff697",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-14 18:08:50"
        }
    ],
    "2209": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "win_betabot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-20 15:04:54"
        }
    ],
    "2210": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "win_cosmicduke_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cosmicduke.",
            "last_hit_utc": "2025-11-23 10:45:17"
        }
    ],
    "2211": [
        {
            "sample_cnt": 37,
            "yara_rule_name": "win_younglotus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.younglotus.",
            "last_hit_utc": "2022-11-21 07:50:33"
        }
    ],
    "2212": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "CN_disclosed_20180208_lsls_RID2FCC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyberintproject/status/961714165550342146",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2025-09-12 12:45:45"
        }
    ],
    "2213": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "CN_disclosed_20180208_Mal1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2025-01-05 15:30:29"
        }
    ],
    "2214": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "Emotet_2022",
            "yara_rule_author": "Marcelo Rivero",
            "yara_rule_reference": "",
            "yara_rule_description": "Emotet EP4 unpacked",
            "last_hit_utc": "2022-10-28 21:42:25"
        }
    ],
    "2215": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "Emotet_EP4up",
            "yara_rule_author": "Marcelo Rivero",
            "yara_rule_reference": "",
            "yara_rule_description": "Emotet EP4 unpacked",
            "last_hit_utc": "2022-10-28 21:42:25"
        }
    ],
    "2216": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "Ezcob",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Ezcob",
            "last_hit_utc": "2026-04-19 17:26:26"
        }
    ],
    "2217": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "EzcobStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Ezcob Identifying Strings",
            "last_hit_utc": "2026-04-19 17:26:26"
        }
    ],
    "2218": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "gen_Excel_xll_addin_suspicious",
            "yara_rule_author": "@JohnLaTwC",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious XLL add-ins to Excel",
            "last_hit_utc": "2025-01-05 16:32:45"
        }
    ],
    "2219": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "gorilla_bot",
            "yara_rule_author": "asyncthecat",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GorillaBot runtime strings",
            "last_hit_utc": "2026-02-13 08:50:23"
        }
    ],
    "2220": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "Linux_Trojan_Xorddos_2aef46a6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 05:24:31"
        }
    ],
    "2221": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "Lockbit",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Lockbit Payload",
            "last_hit_utc": "2022-10-12 03:41:03"
        }
    ],
    "2222": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "MAL_Telegram_C2_Communication",
            "yara_rule_author": "whyyouwannasee",
            "yara_rule_reference": "https://core.telegram.org/bots/api",
            "yara_rule_description": "Detects Telegram-based malware communicating with api.telegram.org",
            "last_hit_utc": "2025-06-10 08:39:54"
        }
    ],
    "2223": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "mpress_2_xx_x64",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "MPRESS v2.XX x64 - no .NET",
            "last_hit_utc": "2026-02-16 00:04:15"
        }
    ],
    "2224": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "ProjectM_DarkComet_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/",
            "yara_rule_description": "Detects ProjectM Malware",
            "last_hit_utc": "2025-01-05 15:13:26"
        }
    ],
    "2225": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "redline_",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked redline malware samples.",
            "last_hit_utc": "2025-09-22 01:15:40"
        }
    ],
    "2226": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "SUSP_NullSoftInst_Combo_Oct20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1313023627177193472",
            "yara_rule_description": "Detects suspicious NullSoft Installer combination with common Copyright strings",
            "last_hit_utc": "2025-09-05 13:03:26"
        }
    ],
    "2227": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "win_matiex_keylogger_v1",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": "",
            "yara_rule_description": "detects the Matiex Keylogger",
            "last_hit_utc": "2022-08-25 18:54:03"
        }
    ],
    "2228": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "win_redline_payload_dec_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Patterns observed in redline",
            "last_hit_utc": "2025-06-16 15:47:54"
        }
    ],
    "2229": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "win_winos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.winos.",
            "last_hit_utc": "2026-04-23 09:19:25"
        }
    ],
    "2230": [
        {
            "sample_cnt": 36,
            "yara_rule_name": "XCSSET_Strings",
            "yara_rule_author": "@is_henderson",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule based on deob strings - easymode",
            "last_hit_utc": "2026-04-01 19:13:18"
        }
    ],
    "2231": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "APT_UNC2447_MAL_RANSOM_HelloKitty_May21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects HelloKitty Ransomware samples from UNC2447 campaign",
            "last_hit_utc": "2025-04-10 14:56:41"
        }
    ],
    "2232": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "ASProtect13321RegisteredAlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-17 09:24:17"
        }
    ],
    "2233": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "ASProtectv12xNewStrain",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-17 09:24:17"
        }
    ],
    "2234": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "attack_India",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-20 19:12:04"
        }
    ],
    "2235": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "ccrewQAZ",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-12 18:18:21"
        }
    ],
    "2236": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2025-10-14 12:09:40"
        }
    ],
    "2237": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "erbium",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked erbium malware samples.",
            "last_hit_utc": "2025-06-23 22:16:58"
        }
    ],
    "2238": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "Impacket_Tools_psexec",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2022-10-12 03:41:04"
        }
    ],
    "2239": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Windows executables bypassing UAC using CMSTP utility, command line and INF",
            "last_hit_utc": "2022-11-24 04:25:04"
        }
    ],
    "2240": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "Linux_Trojan_Kaiji_91091be3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-25 20:34:29"
        }
    ],
    "2241": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "Linux_Trojan_Mirai_389ee3e9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "2242": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "Linux_Trojan_Mirai_cc93863b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "2243": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "MALWARE_Win_FloodFix",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects FloodFix",
            "last_hit_utc": "2026-03-24 15:31:15"
        }
    ],
    "2244": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "Sodinokobi",
            "yara_rule_author": "McAfee ATR team",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects Sodinokobi Ransomware in memory in old samples and perhaps future ones.",
            "last_hit_utc": "2025-01-05 16:52:54"
        }
    ],
    "2245": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "svg_attached_js_code",
            "yara_rule_author": "Anish Bogati",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious SVG files with JS code and base 64 encoding",
            "last_hit_utc": "2026-04-21 06:15:32"
        }
    ],
    "2246": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "testing_win_formbook_autoit",
            "yara_rule_author": "dubfib",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-25 11:50:31"
        }
    ],
    "2247": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "Windows_Rootkit_R77_be403e3c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 02:37:32"
        }
    ],
    "2248": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "Windows_Trojan_RaspberryRobin_4b4d6899",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-05 14:12:35"
        }
    ],
    "2249": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "win_fatal_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.fatal_rat.",
            "last_hit_utc": "2026-04-08 00:50:40"
        }
    ],
    "2250": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "win_fatal_rat_w0",
            "yara_rule_author": "AT&T Alien Labs",
            "yara_rule_reference": "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis",
            "yara_rule_description": "Detects FatalRAT, unpacked malware.",
            "last_hit_utc": "2026-04-08 00:50:40"
        }
    ],
    "2251": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "win_unidentified_023_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-24 19:33:14"
        }
    ],
    "2252": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "yara_template",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 15:00:51"
        }
    ],
    "2253": [
        {
            "sample_cnt": 35,
            "yara_rule_name": "ZxShell_Related_Malware_CN_Group_Jul17_1_RID3601",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell related sample from a CN threat group",
            "last_hit_utc": "2025-04-28 01:41:09"
        }
    ],
    "2254": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "CMD_Shutdown",
            "yara_rule_author": "adm1n_usa32",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-18 22:42:03"
        }
    ],
    "2255": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "CobaltStrike_Resources_Reverse64_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/reverse64.bin signature for versions v2.5 to v4.x",
            "last_hit_utc": "2026-02-22 18:18:19"
        }
    ],
    "2256": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "CobaltStrike__Resources_Reverse64_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-22 18:18:19"
        }
    ],
    "2257": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "EmmenHTAl",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-13 07:18:24"
        }
    ],
    "2258": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "golang_bin",
            "yara_rule_author": "Jonathan Cole",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:29:09"
        }
    ],
    "2259": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables with interest in wireless interface using netsh",
            "last_hit_utc": "2022-11-23 10:52:03"
        }
    ],
    "2260": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "INDICATOR_TOOL_PWS_SharpWeb",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects all versions of the browser password dumping .NET tool, SharpWeb.",
            "last_hit_utc": "2026-03-21 01:47:21"
        }
    ],
    "2261": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "Invoke_Mimikatz",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz",
            "yara_rule_description": "Detects Invoke-Mimikatz String",
            "last_hit_utc": "2025-12-05 07:43:16"
        }
    ],
    "2262": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "MacOS_Cryptominer_Generic_333129b7",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-16 14:32:24"
        }
    ],
    "2263": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "MALWARE_OneNote_Delivery_Jan23",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://twitter.com/James_inthe_box/status/1615421130877329409",
            "yara_rule_description": "Detects suspicious Microsoft OneNote files used to deliver Malware",
            "last_hit_utc": "2025-01-05 16:46:55"
        }
    ],
    "2264": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "MALWARE_Win_Alfonoso",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Alfonoso / Shurk / HunterStealer infostealer",
            "last_hit_utc": "2022-11-07 16:57:04"
        }
    ],
    "2265": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "MAL_Floxif_Generic",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Floxif Malware",
            "last_hit_utc": "2026-03-24 15:31:15"
        }
    ],
    "2266": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "MAL_JS_Gootloader_jQuery_Compactv2_17Dec24",
            "yara_rule_author": "@Gootloader",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects malicious Gootloader JS hidden in the Query Compat JavaScript Library v3.0.0-alpha1",
            "last_hit_utc": "2025-11-06 14:50:22"
        }
    ],
    "2267": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "MAL_Luna_Stealer_Apr_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://github.com/NightfallGT/Mercurial-Grabber",
            "yara_rule_description": "Detect Luna stealer (also Mercurial Grabber)",
            "last_hit_utc": "2026-03-03 13:27:15"
        }
    ],
    "2268": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "metamorfo_msi",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads",
            "last_hit_utc": "2022-08-04 00:27:02"
        }
    ],
    "2269": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "methodology_golang_build_strings",
            "yara_rule_author": "smiller",
            "yara_rule_reference": null,
            "yara_rule_description": "Looks for PEs with a Golang build ID",
            "last_hit_utc": "2025-01-05 15:23:09"
        }
    ],
    "2270": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "Msfpayloads_msf_10_RID2DF9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.exe",
            "last_hit_utc": "2025-05-07 10:48:22"
        }
    ],
    "2271": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "Ping_Command_in_EXE",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious ping command execution in an executable",
            "last_hit_utc": "2026-01-28 14:34:18"
        }
    ],
    "2272": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "QnapCrypt",
            "yara_rule_author": "Intezer Labs",
            "yara_rule_reference": "https://www.intezer.com",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-08 03:08:04"
        }
    ],
    "2273": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "SUSP_Microsoft_Copyright_String_Anomaly_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Floxif Malware",
            "last_hit_utc": "2026-03-24 15:31:15"
        }
    ],
    "2274": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "SUSP_XORed_MSDOS_Stub_Message",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings",
            "yara_rule_description": "Detects suspicious XORed MSDOS stub message",
            "last_hit_utc": "2023-08-11 09:50:06"
        }
    ],
    "2275": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "t0_1",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:49:19"
        }
    ],
    "2276": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "win_chaos_w0",
            "yara_rule_author": "BlackBerry Threat Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Ransomware Built by Chaos Ransomware Builder",
            "last_hit_utc": "2026-04-05 16:44:11"
        }
    ],
    "2277": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "win_lumma_2eabe9054cad5152567f0699947a2c5b",
            "yara_rule_author": "dubfib",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-02 08:03:16"
        }
    ],
    "2278": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "win_runningrat_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:21:41"
        }
    ],
    "2279": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "WIN_SHADOW_UNPACKED",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 12:31:38"
        }
    ],
    "2280": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "win_stealc_bytecodes_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Bytecodes present in Stealc decoding routine",
            "last_hit_utc": "2026-03-15 06:23:58"
        }
    ],
    "2281": [
        {
            "sample_cnt": 34,
            "yara_rule_name": "win_unidentified_072_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads",
            "last_hit_utc": "2022-08-04 00:27:02"
        }
    ],
    "2282": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6",
            "last_hit_utc": "2026-02-06 23:01:17"
        }
    ],
    "2283": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "CobaltStrike__Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-06 23:01:17"
        }
    ],
    "2284": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "Erbium_Stealer_Obfuscated",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "",
            "yara_rule_description": "Erbium Stealer in its obfuscated format",
            "last_hit_utc": "2022-10-26 06:53:03"
        }
    ],
    "2285": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "INDICATOR_KB_CERT_0a1f3a057a1dce4bf7d76d0c7adf837e",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2026-03-25 17:10:36"
        }
    ],
    "2286": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "Linux_Trojan_Gafgyt_751acb94",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-29 06:13:29"
        }
    ],
    "2287": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "Linux_Trojan_Mirai_88de437f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "2288": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "MALWARE_Win_RemoteUtilitiesRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "RemoteUtilitiesRAT RAT payload",
            "last_hit_utc": "2022-11-09 04:21:02"
        }
    ],
    "2289": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "Mirage_APT",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 19:22:21"
        }
    ],
    "2290": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "octo2_packer_s",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Octo2 Packer's code (native library! .so) -- This rule only looks for strings! code depends on arch.. x86, x86_64, armeabi-v7a, arm64-v8a",
            "last_hit_utc": "2025-07-18 14:29:26"
        }
    ],
    "2291": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "pdb2",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:50:29"
        }
    ],
    "2292": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "QBOT_HTMLSmuggling_a",
            "yara_rule_author": "Ankit Anubhav - ankitanubhav.info",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects QBOT HTML smuggling variants",
            "last_hit_utc": "2026-02-18 09:12:23"
        }
    ],
    "2293": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "RAN_Revil_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect Revil ransomware",
            "last_hit_utc": "2025-01-05 16:54:35"
        }
    ],
    "2294": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "SUSP_LNK_Big_Link_File",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspiciously big LNK file - maybe with embedded content",
            "last_hit_utc": "2025-01-05 15:27:35"
        }
    ],
    "2295": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "SUSP_LNK_SuspiciousCommands",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects LNK file with suspicious content",
            "last_hit_utc": "2022-08-23 11:58:03"
        }
    ],
    "2296": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "TrojanSpy_EMOTET_W4",
            "yara_rule_author": "Ian Kenefick (Trend Micro)",
            "yara_rule_reference": null,
            "yara_rule_description": "Emotet x64 Loader",
            "last_hit_utc": "2025-01-05 15:01:53"
        }
    ],
    "2297": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "Windows_Generic_Threat_046aa1ec",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-13 19:33:43"
        }
    ],
    "2298": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "Windows_Trojan_Xworm_732e6c12",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-13 17:36:37"
        }
    ],
    "2299": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "win_bahamut_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-03-16 20:20:11"
        }
    ],
    "2300": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "win_redline_bytecodes_jan_2024",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Bytecodes found in late 2023 Redline malware",
            "last_hit_utc": "2024-02-22 04:55:03"
        }
    ],
    "2301": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "win_revil_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.revil.",
            "last_hit_utc": "2025-01-05 16:54:35"
        }
    ],
    "2302": [
        {
            "sample_cnt": 33,
            "yara_rule_name": "win_rms_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-11-09 04:21:02"
        }
    ],
    "2303": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "GoldDragon_RunningRAT_RID2F19",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/rW1yvZ",
            "yara_rule_description": "Detects Running RAT from Gold Dragon report",
            "last_hit_utc": "2025-01-03 23:00:32"
        }
    ],
    "2304": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "Havex",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-11 15:43:20"
        }
    ],
    "2305": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "Latrodectus",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "Latrodectus Payload",
            "last_hit_utc": "2025-04-16 13:08:07"
        }
    ],
    "2306": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "Linux_Trojan_Metasploit_69e20012",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 10:33:39"
        }
    ],
    "2307": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "MALWARE_Win_MeterpreterStager",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Meterpreter stager payload",
            "last_hit_utc": "2026-02-22 18:17:28"
        }
    ],
    "2308": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "merlinAgent",
            "yara_rule_author": "Hilko Bengen",
            "yara_rule_reference": "https://github.com/Ne0nd0g/merlin",
            "yara_rule_description": "Detects Merlin agent",
            "last_hit_utc": "2026-02-10 16:35:23"
        }
    ],
    "2309": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "netwire",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "2310": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "QBOT_HTMLSmuggling_a",
            "yara_rule_author": "Ankit Anubhav - ankitanubhav.info",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects QBOT HTML smuggling variants",
            "last_hit_utc": "2022-11-17 19:11:02"
        }
    ],
    "2311": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "SUSP_Base64",
            "yara_rule_author": "Eslam Hassan",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects hex encoded code that has been base64 encoded",
            "last_hit_utc": "2026-04-09 07:26:28"
        }
    ],
    "2312": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "SUSP_certificate_payload",
            "yara_rule_author": "Didier Stevens, Florian Roth",
            "yara_rule_reference": "https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/",
            "yara_rule_description": "Detects payloads that pretend to be certificates",
            "last_hit_utc": "2025-09-17 12:23:38"
        }
    ],
    "2313": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "SUSP_certificate_payload_RID3087",
            "yara_rule_author": "Didier Stevens, Florian Roth",
            "yara_rule_reference": "https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/",
            "yara_rule_description": "Detects payloads that pretend to be certificates",
            "last_hit_utc": "2025-09-17 12:23:38"
        }
    ],
    "2314": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "SUSP_LNK_SuspiciousCommands",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LNK file with suspicious content",
            "last_hit_utc": "2025-01-05 15:33:40"
        }
    ],
    "2315": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "WIN32_MALWR_DROPPER_INJECTOR_RANSOMWARE",
            "yara_rule_author": "Jesper Mikkelsen",
            "yara_rule_reference": "SHA-1:0feda1e7b0d4506270c85973826fa498e9ed0f5b",
            "yara_rule_description": "Detect Suspicious dropper injector - possible ransomware dropper",
            "last_hit_utc": "2022-07-13 06:43:45"
        }
    ],
    "2316": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "Windows_Generic_Threat_994f2330",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 15:08:01"
        }
    ],
    "2317": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "win_bit_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.bit_rat.",
            "last_hit_utc": "2025-06-16 16:34:39"
        }
    ],
    "2318": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "win_floxif_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.floxif.",
            "last_hit_utc": "2026-03-24 15:31:15"
        }
    ],
    "2319": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "win_karkoff_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-10-05 07:57:05"
        }
    ],
    "2320": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "win_latrodectus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.latrodectus.",
            "last_hit_utc": "2025-11-14 18:08:49"
        }
    ],
    "2321": [
        {
            "sample_cnt": 32,
            "yara_rule_name": "win_orcus_rat_simple_strings_dec_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Strings observed in Orcus RAT",
            "last_hit_utc": "2026-04-02 16:36:18"
        }
    ],
    "2322": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "AgentTesla_test",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects AgentTesla PE",
            "last_hit_utc": "2022-05-01 08:25:03"
        }
    ],
    "2323": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "APT1_WEBC2_Y21K",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 23:36:35"
        }
    ],
    "2324": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "ASPackv211cAlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:54:58"
        }
    ],
    "2325": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "ASPackv211dAlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:54:58"
        }
    ],
    "2326": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "BlackWorm",
            "yara_rule_author": "Brian Wallace @botnet_hunter",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify BlackWorm",
            "last_hit_utc": "2023-06-13 21:19:25"
        }
    ],
    "2327": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "CredentialStealer_Generic_Backdoor",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects credential stealer based on many strings that indicate password store access",
            "last_hit_utc": "2021-09-21 08:46:06"
        }
    ],
    "2328": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "crime_win64_bumbleebee_loader_packed",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Bumblebee loader dll",
            "last_hit_utc": "2022-11-10 20:44:03"
        }
    ],
    "2329": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "EXE_VenomRAT_May_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects VenomRAT",
            "last_hit_utc": "2025-01-05 17:31:51"
        }
    ],
    "2330": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "Linux_Generic_Threat_cd9ce063",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-14 12:31:53"
        }
    ],
    "2331": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "Linux_Proxy_Frp_4213778f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-21 02:49:17"
        }
    ],
    "2332": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "Malaysia_mal_APK_1",
            "yara_rule_author": "@fareedfauzi",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Malicious APK targeting Malaysia",
            "last_hit_utc": "2025-12-10 09:09:24"
        }
    ],
    "2333": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "MALWARE_Win_BlackNET",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BlackNET RAT",
            "last_hit_utc": "2025-12-26 05:31:17"
        }
    ],
    "2334": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "MALWARE_Win_EXEPWSH_DLAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects downloader agent, using PowerShell",
            "last_hit_utc": "2021-07-13 18:30:10"
        }
    ],
    "2335": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "MALWARE_Win_Kitty",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HelloKitty ransomware, triggers on FIVEHANDS",
            "last_hit_utc": "2025-04-10 14:56:42"
        }
    ],
    "2336": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "MALWARE_Win_ModiLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ModiLoader",
            "last_hit_utc": "2025-11-28 17:22:14"
        }
    ],
    "2337": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "MAL_Nitol_Malware_Jan19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/shotgunner101/status/1084602413691166721",
            "yara_rule_description": "Detects Nitol Malware",
            "last_hit_utc": "2026-01-30 20:27:24"
        }
    ],
    "2338": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "Msfpayloads_msf_10",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.exe",
            "last_hit_utc": "2025-05-07 10:48:22"
        }
    ],
    "2339": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "NsPack29NorthStar",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-17 09:27:17"
        }
    ],
    "2340": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "NSPack3xLiuXingPing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-28 18:30:45"
        }
    ],
    "2341": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "packer_raspberryrobin",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Raspberry Robin Packer (Experimental)",
            "last_hit_utc": "2025-01-03 21:51:57"
        }
    ],
    "2342": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/",
            "yara_rule_description": "Detects XMRIG crypto coin miners",
            "last_hit_utc": "2026-03-03 14:19:11"
        }
    ],
    "2343": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "tick_Datper",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html",
            "yara_rule_description": "detect Datper in memory",
            "last_hit_utc": "2026-04-22 16:02:45"
        }
    ],
    "2344": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "windows_encryptor_APOS",
            "yara_rule_author": "CICS, Jan Dubs",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "APOS RaaS Windows Encryptor",
            "last_hit_utc": "2025-10-04 11:06:26"
        }
    ],
    "2345": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "Windows_Generic_Threat_21253888",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 15:58:16"
        }
    ],
    "2346": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "Windows_Generic_Threat_c9003b7b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 21:56:55"
        }
    ],
    "2347": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "Windows_Trojan_Metasploit_0cc81460",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 10:33:41"
        }
    ],
    "2348": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "win_epsilon_red_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.epsilon_red.",
            "last_hit_utc": "2026-02-18 09:23:27"
        }
    ],
    "2349": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "win_extreme_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-11-30 15:43:03"
        }
    ],
    "2350": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "win_njrat_g1",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-22 10:02:52"
        }
    ],
    "2351": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "win_zeus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-09 18:48:09"
        }
    ],
    "2352": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "WiseInstallerStub",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-28 07:48:15"
        }
    ],
    "2353": [
        {
            "sample_cnt": 31,
            "yara_rule_name": "ZxShell_Related_Malware_CN_Group_Jul17_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell related sample from a CN threat group",
            "last_hit_utc": "2022-09-05 18:41:03"
        }
    ],
    "2354": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "ach_ZLoader_xls_20210125",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/498c79a50161a3d0d31ada626f512080/",
            "yara_rule_description": "Detects ZLoader XLS",
            "last_hit_utc": "2021-10-09 11:12:08"
        }
    ],
    "2355": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "CN_Honker_WordpressScanner_RID315A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file WordpressScanner.exe",
            "last_hit_utc": "2025-08-22 17:31:19"
        }
    ],
    "2356": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "HKTL_NET_GUID_wsManager",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/guillaC/wsManager",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2021-10-11 06:41:22"
        }
    ],
    "2357": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Reversed",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects reversed executables. Observed N-stage drop",
            "last_hit_utc": "2022-08-01 10:08:04"
        }
    ],
    "2358": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "INDICATOR_TOOL_RTK_HiddenRootKit",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the Hidden public rootkit",
            "last_hit_utc": "2022-10-10 14:10:33"
        }
    ],
    "2359": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "Linux_Trojan_Mirai_8aa7b5d3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:04"
        }
    ],
    "2360": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "Linux_Trojan_Mirai_b14f4c5d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "2361": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "lu0bot_wextract",
            "yara_rule_author": "Rony (r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects wextract files delivering Lu0bot",
            "last_hit_utc": "2025-01-05 16:30:02"
        }
    ],
    "2362": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "MALWARE_Win_DLAgent03",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects known Delphi downloader agent downloading second stage payload, notably from discord",
            "last_hit_utc": "2021-04-11 09:23:49"
        }
    ],
    "2363": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "MALWARE_Win_PWSH_PoshWiFiStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PowerShell PoshWiFiStealer",
            "last_hit_utc": "2022-08-13 01:39:02"
        }
    ],
    "2364": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "malw_eicar",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://www.eicar.org/",
            "yara_rule_description": "Rule to detect the EICAR pattern",
            "last_hit_utc": "2025-12-15 08:17:16"
        }
    ],
    "2365": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "MSOffice_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Microsoft Office artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2022-10-18 06:34:04"
        }
    ],
    "2366": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "PowerShell_in_Word_Doc_RID2FBC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - ME",
            "yara_rule_description": "Detects a powershell and bypass keyword in a Word document",
            "last_hit_utc": "2026-04-17 20:59:42"
        }
    ],
    "2367": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "RANSOM_makop",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect the unpacked Makop ransomware samples",
            "last_hit_utc": "2025-12-21 11:48:15"
        }
    ],
    "2368": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "Suspicious_AutoIt_by_Microsoft_RID334C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - VT",
            "yara_rule_description": "Detects an AutoIt script with Microsoft identification",
            "last_hit_utc": "2025-02-18 13:47:01"
        }
    ],
    "2369": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "SUSP_Encoded_Discord_Attachment_Oct21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)",
            "last_hit_utc": "2025-12-24 15:37:14"
        }
    ],
    "2370": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "SUSP_VBA_FileSystem_Access",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious VBA that writes to disk and is activated on document open",
            "last_hit_utc": "2025-01-05 14:49:16"
        }
    ],
    "2371": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "Windows_Trojan_Metasploit_47f5d54a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-09 19:15:25"
        }
    ],
    "2372": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_3d9371fd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-15 14:09:22"
        }
    ],
    "2373": [
        {
            "sample_cnt": 30,
            "yara_rule_name": "win_dbatloader_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": "targets loader",
            "last_hit_utc": "2020-12-22 14:42:04"
        }
    ],
    "2374": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Ammyy_Admin_AA_v3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/gkAg2E",
            "yara_rule_description": "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "2375": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "APT10_ChChes_lnk",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "LNK malware ChChes downloader",
            "last_hit_utc": "2026-04-21 22:40:45"
        }
    ],
    "2376": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "APT_ArtraDownloader2_Aug19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/",
            "yara_rule_description": "Detects ArtraDownloader malware",
            "last_hit_utc": "2022-09-26 09:27:13"
        }
    ],
    "2377": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "citadel13xy",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "Citadel 1.5.x.y trojan banker",
            "last_hit_utc": "2025-01-31 10:06:59"
        }
    ],
    "2378": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "EXPL_POC_SpringCore_0day_Indicators_Mar22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/vxunderground/status/1509170582469943303",
            "yara_rule_description": "Detects indicators found after SpringCore exploitation attempts and in the POC script",
            "last_hit_utc": "2026-02-13 10:04:21"
        }
    ],
    "2379": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "GoldDragon_RunningRAT",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/rW1yvZ",
            "yara_rule_description": "Detects Running RAT from Gold Dragon report",
            "last_hit_utc": "2022-09-05 18:41:03"
        }
    ],
    "2380": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Hacktool_Strings_p0wnedShell_RID3234",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs",
            "last_hit_utc": "2025-12-25 12:00:36"
        }
    ],
    "2381": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "hunt_skyproj_backdoor",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 04:26:03"
        }
    ],
    "2382": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RawPaste_URL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing URLs to raw contents of a paste",
            "last_hit_utc": "2025-04-15 17:21:44"
        }
    ],
    "2383": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects Windows executables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks",
            "last_hit_utc": "2025-08-20 12:24:35"
        }
    ],
    "2384": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "INDICATOR_TOOL_PWS_Amady",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects password stealer DLL. Dropped by Amadey",
            "last_hit_utc": "2025-01-05 15:30:49"
        }
    ],
    "2385": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "kleptoparasite",
            "yara_rule_author": "jarcher",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-19 13:36:05"
        }
    ],
    "2386": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Lockbit2_Jul21",
            "yara_rule_author": "CB @ ATR",
            "yara_rule_reference": "",
            "yara_rule_description": "simple rule to detect latest Lockbit ransomware Jul 2021",
            "last_hit_utc": "2022-06-30 11:57:03"
        }
    ],
    "2387": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "MALWARE_Win_DLInjector06",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects downloader / injector",
            "last_hit_utc": "2025-01-05 16:09:23"
        }
    ],
    "2388": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "MALWARE_Win_XpertRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "XpertRAT payload",
            "last_hit_utc": "2022-08-02 16:51:03"
        }
    ],
    "2389": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "MAL_NET_Katz_Stealer_Loader_May25",
            "yara_rule_author": "Jonathan Peters (cod3nym)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects .NET based Katz stealer loader",
            "last_hit_utc": "2026-03-23 23:44:14"
        }
    ],
    "2390": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Mimikatz_Gen_Strings_RID2F19",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Mimikatz by using some special strings",
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2391": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "OBFUS_PowerShell_Common_Replace",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the common usage of replace for obfuscation",
            "last_hit_utc": "2022-11-18 22:43:03"
        }
    ],
    "2392": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Powerkatz_DLL_Generic_RID2F2F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "PowerKatz Analysis",
            "yara_rule_description": "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)",
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2393": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Specialist_Repack_Doc",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1483132689586831365",
            "yara_rule_description": "Identifies Office documents created by a cracked Office version, SPecialiST RePack.",
            "last_hit_utc": "2026-04-09 15:47:23"
        }
    ],
    "2394": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Start2_overlap_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e",
            "yara_rule_description": "SystemBC",
            "last_hit_utc": "2026-02-14 15:29:26"
        }
    ],
    "2395": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "SUSP_GIF_Anomalies",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://en.wikipedia.org/wiki/GIF",
            "yara_rule_description": "Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type",
            "last_hit_utc": "2026-02-22 18:17:27"
        }
    ],
    "2396": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "SUSP_Modified_SystemExeFileName_in_File_RID35F8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
            "yara_rule_description": "Detects a variant of a system file name often used by attackers to cloak their activity",
            "last_hit_utc": "2025-12-26 05:31:17"
        }
    ],
    "2397": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "SUSP_PowerShell_Caret_Obfuscation_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects powershell keyword obfuscated with carets",
            "last_hit_utc": "2025-12-18 17:34:13"
        }
    ],
    "2398": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Telegram_APIs",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-12-28 16:54:04"
        }
    ],
    "2399": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "TTP_Impersonating_Google_Updates_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 06:14:34"
        }
    ],
    "2400": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Windows_Generic_Threat_6ee18020",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-30 18:32:27"
        }
    ],
    "2401": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "Windows_Trojan_DustyWarehouse_a6cfc9f7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-08 14:51:15"
        }
    ],
    "2402": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "win_buer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-02 13:56:25"
        }
    ],
    "2403": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "win_danabot_cdf38827",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": "",
            "yara_rule_description": "detects DanaBot",
            "last_hit_utc": "2022-10-27 16:05:17"
        }
    ],
    "2404": [
        {
            "sample_cnt": 29,
            "yara_rule_name": "win_xpertrat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.xpertrat.",
            "last_hit_utc": "2022-08-02 16:51:03"
        }
    ],
    "2405": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "Backdoor_Nitol_Jun17",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/OOB3mH",
            "yara_rule_description": "Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader",
            "last_hit_utc": "2025-06-16 16:17:25"
        }
    ],
    "2406": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "BazarBackdoor",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/",
            "yara_rule_description": "Identifies Bazar backdoor.",
            "last_hit_utc": "2025-06-16 16:06:34"
        }
    ],
    "2407": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "CN_disclosed_20180208_lsls",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyberintproject/status/961714165550342146",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2022-10-21 02:38:03"
        }
    ],
    "2408": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "crime_win32_ransom_makop_1_vk",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1242177227682390017",
            "yara_rule_description": "Detects MAKOP ransomware payload",
            "last_hit_utc": "2025-12-21 11:48:15"
        }
    ],
    "2409": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "crime_win32_zloader_a0",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Zloader Payload",
            "last_hit_utc": "2025-01-03 20:07:02"
        }
    ],
    "2410": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "d238aea078ca1bb99a80ec2bf5d07acb818d72e7823ea8e767eefde95a038401",
            "yara_rule_author": "H3lium",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "MALWARE! - file d238aea078ca1bb99a80ec2bf5d07acb818d72e7823ea8e767eefde95a038401.exe",
            "last_hit_utc": "2025-12-26 05:31:16"
        }
    ],
    "2411": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "HKTL_NET_GUID_BlackNET",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/BlackHacker511/BlackNET",
            "yara_rule_description": "Detects VB.NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-05 15:23:17"
        }
    ],
    "2412": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "Linux_Trojan_Tsunami_e98b83ee",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 16:12:29"
        }
    ],
    "2413": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "MALWARE_Linux_XORDDoS",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects XORDDoS",
            "last_hit_utc": "2026-04-24 05:24:31"
        }
    ],
    "2414": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "MALWARE_Win_CyberGate",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CyberGate/Spyrat/Rebhip RTA",
            "last_hit_utc": "2025-11-29 05:46:13"
        }
    ],
    "2415": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "MAL_QakBot_ConfigExtraction_Feb23",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar",
            "yara_rule_description": "QakBot Config Extraction",
            "last_hit_utc": "2023-11-28 09:24:57"
        }
    ],
    "2416": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "NsPacKV36LiuXingPing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-28 18:30:45"
        }
    ],
    "2417": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "PDF_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Adobe Acrobat artefacts in shortcut (LNK) files.",
            "last_hit_utc": "2022-11-01 19:31:03"
        }
    ],
    "2418": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "SUSP_shellpop_Bash",
            "yara_rule_author": "Tobias Michalski",
            "yara_rule_reference": "https://github.com/0x00-0x00/ShellPop",
            "yara_rule_description": "Detects suspicious bash command",
            "last_hit_utc": "2026-03-06 09:19:19"
        }
    ],
    "2419": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious tiny ZIP files with phishing attachment characteristics",
            "last_hit_utc": "2025-01-05 15:30:59"
        }
    ],
    "2420": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "Windows_Generic_Threat_62e1f5fc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-25 08:31:53"
        }
    ],
    "2421": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "Windows_Generic_Threat_d7e5ec2d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-30 18:32:27"
        }
    ],
    "2422": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "Windows_Ransomware_Conti_89f3f6fa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-05 15:17:24"
        }
    ],
    "2423": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "Windows_Ransomware_Sodinokibi_a282ba44",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil",
            "yara_rule_description": "Identifies SODINOKIBI/REvil ransomware",
            "last_hit_utc": "2025-01-05 16:54:35"
        }
    ],
    "2424": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "win_globeimposter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.globeimposter.",
            "last_hit_utc": "2025-08-25 19:16:46"
        }
    ],
    "2425": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "win_kpot_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-12 14:45:31"
        }
    ],
    "2426": [
        {
            "sample_cnt": 28,
            "yara_rule_name": "win_webmonitor_w0",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8",
            "yara_rule_description": "Revcode RAT",
            "last_hit_utc": "2021-09-17 16:57:39"
        }
    ],
    "2427": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "ach_202506_suspicious_svg",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious SVG files with HTML/JS code",
            "last_hit_utc": "2026-02-11 04:55:13"
        }
    ],
    "2428": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Archive_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies archive (compressed) files in shortcut (LNK) files.",
            "last_hit_utc": "2022-09-13 23:55:02"
        }
    ],
    "2429": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "ASProtectv123RC1",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 20:27:25"
        }
    ],
    "2430": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "AuraStealer",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "AuraStealer Payload",
            "last_hit_utc": "2026-04-02 11:16:15"
        }
    ],
    "2431": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "CN_Honker_WordpressScanner",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file WordpressScanner.exe",
            "last_hit_utc": "2025-08-22 17:31:19"
        }
    ],
    "2432": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Cobaltbaltstrike_Beacon_Encoded",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2025-12-16 11:10:21"
        }
    ],
    "2433": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "CobaltStrike_Sleeve_Beacon_x64_v4_5_variant",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.5 (variant)",
            "last_hit_utc": "2026-01-25 14:06:27"
        }
    ],
    "2434": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "DebuggerCheck__PEB",
            "yara_rule_author": null,
            "yara_rule_reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara",
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-07 20:23:13"
        }
    ],
    "2435": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Hacktool_Strings_p0wnedShell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "Detects strings found in Runspace Post Exploitation Toolkit",
            "last_hit_utc": "2025-12-25 12:00:36"
        }
    ],
    "2436": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "INDICATOR_KB_CERT_0c15be4a15bb0903c901b1d6c265302f",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-06-27 06:42:23"
        }
    ],
    "2437": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Chaos",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects files referencing identities associated with Chaos ransomware",
            "last_hit_utc": "2022-10-14 01:22:03"
        }
    ],
    "2438": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_NTLM_Exfiltration_IPPattern",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NTLM hashes exfiltration patterns in command line and various file types",
            "last_hit_utc": "2025-06-13 22:47:03"
        }
    ],
    "2439": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "INDICATOR_SUSPICOUS_EXE_References_VEEAM",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing many references to VEEAM. Observed in ransomware",
            "last_hit_utc": "2022-06-30 11:54:08"
        }
    ],
    "2440": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Latrodectus_AES",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "Latrodectus Payload",
            "last_hit_utc": "2025-11-14 18:08:49"
        }
    ],
    "2441": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Linux_Hacktool_Flooder_e63396f4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 06:06:35"
        }
    ],
    "2442": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Linux_Trojan_Gafgyt_33b4111a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "2443": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Linux_Trojan_Gafgyt_620087b9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "2444": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Linux_Trojan_Gafgyt_807911a2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "2445": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Linux_Trojan_Gafgyt_d4227dbf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "2446": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Linux_Trojan_Kaiji_dcf6565e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 14:26:19"
        }
    ],
    "2447": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "lu0bot_packer_1",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of Lu0bot CAB packer.",
            "last_hit_utc": "2025-01-05 16:30:02"
        }
    ],
    "2448": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "MALWARE_Win_CyberStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CyberStealer infostealer",
            "last_hit_utc": "2025-08-14 13:14:34"
        }
    ],
    "2449": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "MALWARE_Win_DLInjector01",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects specific downloader injector shellcode",
            "last_hit_utc": "2021-07-23 12:42:06"
        }
    ],
    "2450": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "mal_socks5systemz",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Socks5SystemZ Payload",
            "last_hit_utc": "2026-03-25 12:07:17"
        }
    ],
    "2451": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "RevengeRAT_Sep17",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects RevengeRAT malware",
            "last_hit_utc": "2026-04-27 12:56:28"
        }
    ],
    "2452": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "socks5systemz_payload_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 12:07:17"
        }
    ],
    "2453": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "socks5systemz_payload_v2",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 12:07:17"
        }
    ],
    "2454": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "SUSP_Scheduled_Tasks_Create_From_Susp_Dir",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects a PowerShell Script that creates a Scheduled Task that runs from a suspicious directory",
            "last_hit_utc": "2022-10-15 15:00:03"
        }
    ],
    "2455": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Sus_AnyDesk_Attempts_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-13 12:44:52"
        }
    ],
    "2456": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "webshell_asp_obfuscated",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "ASP webshell obfuscated",
            "last_hit_utc": "2022-06-23 19:49:02"
        }
    ],
    "2457": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Windows_Generic_Threat_b1f6f662",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:33:09"
        }
    ],
    "2458": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Windows_Trojan_ACRStealer_f9728d76",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-10 16:18:15"
        }
    ],
    "2459": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Windows_Trojan_Limerat_24269a79",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-28 08:39:22"
        }
    ],
    "2460": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Windows_Trojan_M0yv_92f66467",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-31 03:48:42"
        }
    ],
    "2461": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "Windows_Trojan_Metasploit_1ca1e384",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-26 10:21:22"
        }
    ],
    "2462": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "winrar_sfx",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "Winrar SFX Archive",
            "last_hit_utc": "2025-12-04 11:24:18"
        }
    ],
    "2463": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "win_citadel_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-17 19:11:32"
        }
    ],
    "2464": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "win_danabot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-14 18:39:06"
        }
    ],
    "2465": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "win_limerat_j1_00cfd931",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects the lime rat",
            "last_hit_utc": "2025-09-28 08:39:22"
        }
    ],
    "2466": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "win_phobos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.phobos.",
            "last_hit_utc": "2025-01-05 17:28:33"
        }
    ],
    "2467": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "win_xiaoba_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.xiaoba.",
            "last_hit_utc": "2025-08-17 09:24:26"
        }
    ],
    "2468": [
        {
            "sample_cnt": 27,
            "yara_rule_name": "zloader_halo_generated",
            "yara_rule_author": "Halogen Generated Rule, Corsin Camichel",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-27 07:53:33"
        }
    ],
    "2469": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "ClipperDLL_Amadey",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Amadey's Clipper DLL",
            "last_hit_utc": "2026-01-28 17:06:31"
        }
    ],
    "2470": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "crime_win64_backdoor_bazarbackdoor1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/pancak3lullz/status/1252303608747565057",
            "yara_rule_description": "Detects BazarBackdoor injected 64-bit malware",
            "last_hit_utc": "2025-06-16 16:06:34"
        }
    ],
    "2471": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "fbrobot_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/317642cd-924b-4fe4-ba97-0c648f89c7a0",
            "yara_rule_description": "fbrobot stealer",
            "last_hit_utc": "2025-01-26 10:06:40"
        }
    ],
    "2472": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "Hunting_Rule_ShikataGaNai",
            "yara_rule_author": "Steven Miller",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-21 07:57:02"
        }
    ],
    "2473": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "Linux_Trojan_Gafgyt_9e9530a7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "2474": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "Linux_Trojan_Mirai_d18b3463",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 17:38:39"
        }
    ],
    "2475": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "MALWARE_Win_Avalon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Avalon infostealer payload",
            "last_hit_utc": "2025-01-05 15:06:19"
        }
    ],
    "2476": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "MALWARE_Win_MALWARE_Win_DLInjector03",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unknown loader / injector",
            "last_hit_utc": "2021-10-06 05:26:04"
        }
    ],
    "2477": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "MALWARE_Win_Meterpreter",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Meterpreter payload",
            "last_hit_utc": "2022-10-29 20:38:03"
        }
    ],
    "2478": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "MALWARE_Win_RunningRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RunningRAT",
            "last_hit_utc": "2025-01-03 23:01:53"
        }
    ],
    "2479": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "MAL_CobaltStrike_Oct_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1454154412902002692",
            "yara_rule_description": "Detect Cobalt Strike implant",
            "last_hit_utc": "2022-02-08 01:48:04"
        }
    ],
    "2480": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "MAL_NET_UAC_Bypass_May25",
            "yara_rule_author": "Jonathan Peters (cod3nym)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects .NET based tool abusing legitimate Windows utility cmstp.exe to bypass UAC (User-Admin-Controls)",
            "last_hit_utc": "2025-11-30 13:47:12"
        }
    ],
    "2481": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "metamorfo_msi",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads",
            "last_hit_utc": "2025-11-10 14:32:15"
        }
    ],
    "2482": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO",
            "yara_rule_author": "@itsreallynick (Nick Carr)",
            "yara_rule_reference": "https://twitter.com/ItsReallyNick/status/1176229087196696577",
            "yara_rule_description": "Detects possible shortcut usage for .URL persistence",
            "last_hit_utc": "2026-04-13 07:49:42"
        }
    ],
    "2483": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "minetrau",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Ninetrau Payload",
            "last_hit_utc": "2026-02-28 21:08:23"
        }
    ],
    "2484": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "Multi_Trojan_Mythic_4beb7e17",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-16 11:14:43"
        }
    ],
    "2485": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/",
            "yara_rule_description": "Detects XMRIG crypto coin miners",
            "last_hit_utc": "2025-01-05 15:20:29"
        }
    ],
    "2486": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "RedLine_b",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies RedLine stealer.",
            "last_hit_utc": "2022-10-25 15:24:05"
        }
    ],
    "2487": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "Saudi_Phish_Trojan_RID2E2F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/Z3JUAA",
            "yara_rule_description": "Detects a trojan used in Saudi Aramco Phishing",
            "last_hit_utc": "2025-10-09 14:44:38"
        }
    ],
    "2488": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "SUSP_Double_Base64_Encoded_Executable",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/TweeterCyber/status/1189073238803877889",
            "yara_rule_description": "Detects an executable that has been encoded with base64 twice",
            "last_hit_utc": "2025-06-16 16:02:45"
        }
    ],
    "2489": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "SUSP_LNK_SmallScreenSize",
            "yara_rule_author": "Greg Lesnewich",
            "yara_rule_reference": null,
            "yara_rule_description": "check for LNKs that have a screen buffer size and WindowSize dimensions of 1x1",
            "last_hit_utc": "2026-04-26 17:30:26"
        }
    ],
    "2490": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "VMProtectStub",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies VMProtect packer stub.",
            "last_hit_utc": "2026-03-17 12:35:19"
        }
    ],
    "2491": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "WannaCry_Ransomware_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems) (based on rule by US CERT)",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-132A",
            "yara_rule_description": "Detects WannaCry Ransomware",
            "last_hit_utc": "2025-12-16 08:49:14"
        }
    ],
    "2492": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "Win32_Ransomware_Kangaroo",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Kangaroo ransomware.",
            "last_hit_utc": "2025-01-05 16:05:45"
        }
    ],
    "2493": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "Windows_Generic_Threat_d568682a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-03 05:12:47"
        }
    ],
    "2494": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "Win_DarkGate",
            "yara_rule_author": "0xToxin",
            "yara_rule_reference": null,
            "yara_rule_description": "DarkGate Strings Decryption Routine",
            "last_hit_utc": "2025-09-01 13:12:37"
        }
    ],
    "2495": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "win_Eternity",
            "yara_rule_author": "0xToxin",
            "yara_rule_reference": null,
            "yara_rule_description": "Eternity function routines",
            "last_hit_utc": "2025-06-16 15:49:57"
        }
    ],
    "2496": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "win_flawedammyy_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.flawedammyy.",
            "last_hit_utc": "2024-06-04 09:41:02"
        }
    ],
    "2497": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "win_laplas_clipper_9c96",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects unpacked Laplas Clipper",
            "last_hit_utc": "2025-01-05 15:52:01"
        }
    ],
    "2498": [
        {
            "sample_cnt": 26,
            "yara_rule_name": "win_unidentified_072_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads",
            "last_hit_utc": "2025-11-10 14:32:15"
        }
    ],
    "2499": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "ach_Gozi_doc_20210302",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/0355b72d01afa724b9050677ac6302ad/",
            "yara_rule_description": "Detects Gozi ISFB doc",
            "last_hit_utc": "2021-03-03 08:42:05"
        }
    ],
    "2500": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Cobaltbaltstrike_RAW_Payload_http_stager_x64",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2026-02-07 18:35:17"
        }
    ],
    "2501": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/beacon.dll Versions 4.3 and 4.4",
            "last_hit_utc": "2025-01-03 19:39:30"
        }
    ],
    "2502": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "crime_win32_banker_rm3_isfb_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1256653985437622272",
            "yara_rule_description": "white",
            "last_hit_utc": "2021-01-03 10:36:05"
        }
    ],
    "2503": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "crime_win32_matanbuchus_loader",
            "yara_rule_author": "Rony",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Matanbuchus loader dll",
            "last_hit_utc": "2025-12-28 12:00:34"
        }
    ],
    "2504": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "crime_win64_photoloader_packed",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects specific packed photoloader",
            "last_hit_utc": "2026-04-14 11:11:32"
        }
    ],
    "2505": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Find_NewJS_Array_Obfuscation",
            "yara_rule_author": "David Ledbetter @Ledtech3",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to search for the new JS Obfuscation with the extra rounds of decoding.",
            "last_hit_utc": "2025-10-02 15:52:43"
        }
    ],
    "2506": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "IMuler",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "IMuler",
            "last_hit_utc": "2025-10-04 11:06:34"
        }
    ],
    "2507": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "IMulerStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "IMuler Identifying Strings",
            "last_hit_utc": "2025-10-04 11:06:34"
        }
    ],
    "2508": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_TransferSh_URL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects images embedding base64-encoded executable, and a base64 marker",
            "last_hit_utc": "2025-01-05 17:05:19"
        }
    ],
    "2509": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Lockbit",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Lockbit Payload",
            "last_hit_utc": "2025-01-05 15:57:47"
        }
    ],
    "2510": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "MaksStealer_Loader",
            "yara_rule_author": "ShadowOpCode",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MaksStealer dropper/loader JAR",
            "last_hit_utc": "2026-01-28 19:29:22"
        }
    ],
    "2511": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "MALWARE_Win_Arechclient2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Arechclient2 RAT",
            "last_hit_utc": "2022-11-02 00:47:03"
        }
    ],
    "2512": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "MALWARE_Win_Renamer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Renamer/Tainp variants",
            "last_hit_utc": "2025-09-05 13:17:16"
        }
    ],
    "2513": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "MALWARE_Win_Renamer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Renamer/Tainp variants",
            "last_hit_utc": "2022-11-23 14:25:02"
        }
    ],
    "2514": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "NitrogenLoader",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "Nitrogen Loader",
            "last_hit_utc": "2025-09-10 08:22:39"
        }
    ],
    "2515": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Ping_Command_in_EXE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious ping command execution in an executable",
            "last_hit_utc": "2024-03-27 19:20:28"
        }
    ],
    "2516": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "RAT_PredatorPain",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/PredatorPain",
            "yara_rule_description": "Detects PredatorPain RAT",
            "last_hit_utc": "2023-07-02 10:29:51"
        }
    ],
    "2517": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "SUSP_PowerShell_IEX_Download_Combo_RID33EB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/JaromirHorejsi/status/1047084277920411648",
            "yara_rule_description": "Detects strings found in sample from CN group repo leak in October 2018",
            "last_hit_utc": "2025-12-09 17:05:25"
        }
    ],
    "2518": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Windows_Generic_Threat_8eb547db",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-15 20:55:42"
        }
    ],
    "2519": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Windows_Generic_Threat_da0f3cbb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-22 14:12:38"
        }
    ],
    "2520": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Windows_Hacktool_Mimikatz_1388212a",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2521": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Windows_Ransomware_Hellokitty_8859e8e8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-10 14:56:42"
        }
    ],
    "2522": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Windows_Trojan_Vidar_c374cd85",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-09 16:07:33"
        }
    ],
    "2523": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Winnti_NlaifSvc",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/VbvJtL",
            "yara_rule_description": "Winnti sample - file NlaifSvc.dll",
            "last_hit_utc": "2022-12-30 10:15:05"
        }
    ],
    "2524": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "win_blackcat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.blackcat.",
            "last_hit_utc": "2022-10-17 09:02:04"
        }
    ],
    "2525": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "win_grimagent_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.grimagent.",
            "last_hit_utc": "2026-03-24 15:29:15"
        }
    ],
    "2526": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "win_mailto_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-19 11:04:28"
        }
    ],
    "2527": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "win_maze_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-12-08 00:52:13"
        }
    ],
    "2528": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "win_sakula_rat_w2",
            "yara_rule_author": "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou",
            "yara_rule_reference": "",
            "yara_rule_description": "Sakula v1.2",
            "last_hit_utc": "2022-03-23 09:35:05"
        }
    ],
    "2529": [
        {
            "sample_cnt": 25,
            "yara_rule_name": "Xtreme_Sep17_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects XTREME sample analyzed in September 2017",
            "last_hit_utc": "2021-02-28 07:25:04"
        }
    ],
    "2530": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "ach_202407_html_form_post2php",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects potential HTML phishing by looking for form HTTP post to PHP URL",
            "last_hit_utc": "2025-08-25 07:53:29"
        }
    ],
    "2531": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "ach_Dridex_xls_20200528",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/420dd56b97a129b1b3369b477d614eda/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-05-06 07:53:02"
        }
    ],
    "2532": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "AlternativesExample1",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2024-03-21 16:27:50"
        }
    ],
    "2533": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Atomic_Stealer_Generic",
            "yara_rule_author": "security-penguin",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Atomic Stealer targeting MacOS",
            "last_hit_utc": "2026-04-21 18:01:57"
        }
    ],
    "2534": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Conti",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Conti Ransomware",
            "last_hit_utc": "2022-11-16 06:52:06"
        }
    ],
    "2535": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "crime_win32_svcready_loader_unpacked",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-08-18 18:38:08"
        }
    ],
    "2536": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "empyrean",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Empyrean Payload",
            "last_hit_utc": "2025-08-31 14:18:22"
        }
    ],
    "2537": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "ffdroider",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked ffdroider stealer malware samples.",
            "last_hit_utc": "2025-09-24 13:48:07"
        }
    ],
    "2538": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Gen_Net_LocalGroup_Administrators_Add_Command_RID38C1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an executable that contains a command to add a user account to the local administrators group",
            "last_hit_utc": "2026-01-11 15:40:33"
        }
    ],
    "2539": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "INDICATOR_KB_CERT_07f9d80b85ceff7ee3f58dc594fe66b6",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-12-08 15:40:25"
        }
    ],
    "2540": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "INDICATOR_KB_CERT_0f9d91c6aba86f4e54cbb9ef57e68346",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-12-08 15:40:25"
        }
    ],
    "2541": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "INDICATOR_OLE_Suspicious_ActiveX",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects OLE documents with suspicious ActiveX content",
            "last_hit_utc": "2022-11-24 16:31:02"
        }
    ],
    "2542": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "INDICATOR_RTF_MultiExploit_Embedded_Files",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RTF documents potentially exploiting multiple vulnerabilities and embedding next stage scripts and/or binaries",
            "last_hit_utc": "2022-08-08 15:18:03"
        }
    ],
    "2543": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables (downloaders) containing reversed URLs to raw contents of a paste",
            "last_hit_utc": "2025-05-01 06:58:10"
        }
    ],
    "2544": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PowerShell content designed to retrieve passwords from host",
            "last_hit_utc": "2022-11-26 04:26:03"
        }
    ],
    "2545": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "malware_Emotet",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Emotet in memory",
            "last_hit_utc": "2026-03-24 14:31:10"
        }
    ],
    "2546": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "MALWARE_Win_Alfonoso",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Alfonoso / Shurk / HunterStealer infostealer",
            "last_hit_utc": "2025-06-21 21:48:47"
        }
    ],
    "2547": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "MALWARE_Win_Ficker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Ficker infostealer",
            "last_hit_utc": "2022-03-08 17:05:08"
        }
    ],
    "2548": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "MALWARE_Win_Nitro",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Nitro Ransomware",
            "last_hit_utc": "2022-11-22 08:11:03"
        }
    ],
    "2549": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "MAL_CMD_Script_Obfuscated_Feb19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/DbgShell/status/1101076457189793793",
            "yara_rule_description": "Detects obfuscated batch script using env variable sub-strings",
            "last_hit_utc": "2025-01-03 20:35:49"
        }
    ],
    "2550": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "MAL_CMD_Script_Obfuscated_Feb19_1_RID32B7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/DbgShell/status/1101076457189793793",
            "yara_rule_description": "Detects obfuscated batch script using env variable sub-strings",
            "last_hit_utc": "2025-01-03 20:35:49"
        }
    ],
    "2551": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "mal_metasploit_shellcode_windows_powershell_tcp",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/",
            "yara_rule_description": "Detects Metasploit import-hashes from the windows/powershell_bind_tcp and windows/powershell_reverse_tcp payloads",
            "last_hit_utc": "2026-04-22 20:38:23"
        }
    ],
    "2552": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "medusa_ransomware",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-26 18:38:14"
        }
    ],
    "2553": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Mimikatz_Gen_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Mimikatz by using some special strings",
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2554": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Nymaim",
            "yara_rule_author": "Chaitanya",
            "yara_rule_reference": null,
            "yara_rule_description": "Nymaim Loader",
            "last_hit_utc": "2026-02-26 18:38:14"
        }
    ],
    "2555": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Powerkatz_DLL_Generic",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "PowerKatz Analysis",
            "yara_rule_description": "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)",
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2556": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "RansomwareTest1",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": "",
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2022-10-04 21:23:03"
        }
    ],
    "2557": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Redline_Stealer_Monitor",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RedLine Stealer Variants",
            "last_hit_utc": "2025-01-05 14:59:55"
        }
    ],
    "2558": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "simp_dll_svcready",
            "yara_rule_author": "@stoerchl",
            "yara_rule_reference": "",
            "yara_rule_description": "SVCReadyLoader DLL",
            "last_hit_utc": "2022-08-18 18:38:08"
        }
    ],
    "2559": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "SUSP_NVIDIA_LAPSUS_Leak_Compromised_Cert_Mar22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1499514240008437762",
            "yara_rule_description": "Detects a binary signed with the leaked NVIDIA certificate and compiled after March 1st 2022",
            "last_hit_utc": "2026-03-19 11:48:07"
        }
    ],
    "2560": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Susp_PowerShell_Sep17_2_RID2FA0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious PowerShell script in combo with VBS or JS",
            "last_hit_utc": "2026-04-22 09:04:27"
        }
    ],
    "2561": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "svcready_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "f690f484c1883571a8bbf19313025a1264d3e10f570380f7aca3cc92135e1d2e",
            "yara_rule_description": "SVCReady",
            "last_hit_utc": "2022-08-18 18:38:08"
        }
    ],
    "2562": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "SVCReady_Packed",
            "yara_rule_author": "Andre Gironda",
            "yara_rule_reference": "",
            "yara_rule_description": "packed SVCReady / win.svcready",
            "last_hit_utc": "2022-08-18 18:38:09"
        }
    ],
    "2563": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "TH_APT_EquationGroup_2026_CYFARE",
            "yara_rule_author": "CYFARE",
            "yara_rule_reference": "https://cyfare.net/",
            "yara_rule_description": "Equation Group (G0020) APT malware detection - covers EquationDrug, GrayFish, DoubleFantasy, TripleFantasy, Fanny, GROK, nls_933w HDD firmware module, and Shadow Brokers tooling",
            "last_hit_utc": "2026-04-23 04:07:20"
        }
    ],
    "2564": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Unspecified_Malware_Sep1_A1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
            "yara_rule_description": "Detects malware from DragonFly APT report",
            "last_hit_utc": "2022-04-30 01:37:02"
        }
    ],
    "2565": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Ursnif3",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Ursnif Payload",
            "last_hit_utc": "2022-04-20 17:39:02"
        }
    ],
    "2566": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Windows_Ransomware_Sodinokibi_83f05fbe",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil",
            "yara_rule_description": "Identifies SODINOKIBI/REvil ransomware",
            "last_hit_utc": "2025-01-05 16:54:35"
        }
    ],
    "2567": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Windows_Trojan_Asyncrat_11a11ba1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 08:57:02"
        }
    ],
    "2568": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Windows_Trojan_Bitrat_54916275",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:34:39"
        }
    ],
    "2569": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Windows_Trojan_Gh0st_9e4bb0ce",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-11 20:38:14"
        }
    ],
    "2570": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "win_andromeda_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-17 19:36:41"
        }
    ],
    "2571": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "win_fickerstealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.fickerstealer.",
            "last_hit_utc": "2022-03-08 17:05:08"
        }
    ],
    "2572": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "win_sakula_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.sakula_rat.",
            "last_hit_utc": "2022-10-17 08:53:04"
        }
    ],
    "2573": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "win_smokeloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-31 10:30:10"
        }
    ],
    "2574": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "win_smokeloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.smokeloader.",
            "last_hit_utc": "2022-11-18 15:12:15"
        }
    ],
    "2575": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "win_troldesh_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.troldesh.",
            "last_hit_utc": "2021-10-06 08:35:09"
        }
    ],
    "2576": [
        {
            "sample_cnt": 24,
            "yara_rule_name": "Zeus_Panda",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
            "yara_rule_description": "Detects ZEUS Panda Malware",
            "last_hit_utc": "2021-09-07 06:10:26"
        }
    ],
    "2577": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "cert_blocklist_07cef66a71c35bc3aed6d100c6493863",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2021-02-17 08:52:33"
        }
    ],
    "2578": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "CN_disclosed_20180208_Mal1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2026-01-30 20:27:24"
        }
    ],
    "2579": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "crime_unidentified_118_packed",
            "yara_rule_author": "Rony (r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects packed samples of malware family unidentified_118",
            "last_hit_utc": "2025-11-05 10:22:41"
        }
    ],
    "2580": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "EDR_Killer_EDR_Freeze_Tool",
            "yara_rule_author": "Valton Tahiri (cybee.ai)",
            "yara_rule_reference": "https://www.linkedin.com/in/valton-tahiri/",
            "yara_rule_description": "Detects EDR-Freeze tool in memory - EDR/AV freezing malware",
            "last_hit_utc": "2026-02-15 19:36:14"
        }
    ],
    "2581": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "HackTool_Producers",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Hacktool Producers String",
            "last_hit_utc": "2025-12-25 12:00:36"
        }
    ],
    "2582": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "High_Entropy_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies shortcut (LNK) file with equal or higher entropy than 6.5. Most goodware LNK files have a low entropy, lower than 6.",
            "last_hit_utc": "2022-09-13 23:55:02"
        }
    ],
    "2583": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "IDATDropper",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects modified versions of dialer.exe and BthUdTask.exe containing embedded JavaScript used to decode a string from Charcode, thus creating a PowerShell downloader script that delivers IDAT Loader, mostly seen paired with Lumma and Meduza.",
            "last_hit_utc": "2025-01-03 20:02:46"
        }
    ],
    "2584": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "INDICATOR_EXE_Packed_Loader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects packed executables observed in Molerats",
            "last_hit_utc": "2022-11-07 11:43:03"
        }
    ],
    "2585": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables embedding registry key / value combination manipulating RDP / Terminal Services",
            "last_hit_utc": "2022-10-10 02:17:03"
        }
    ],
    "2586": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "INDICATOR_TOOL_FastReverseProxy",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Fast Reverse Proxy (FRP) tool",
            "last_hit_utc": "2026-03-21 02:49:17"
        }
    ],
    "2587": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "ISO_exec",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies execution artefacts in ISO files, seen in malware such as Bumblebee.",
            "last_hit_utc": "2025-01-05 15:34:49"
        }
    ],
    "2588": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "LinuxBillGates",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 04:29:17"
        }
    ],
    "2589": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Linux_Trojan_Ganiw_b9f045aa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 04:29:17"
        }
    ],
    "2590": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Linux_Trojan_Setag_01e2f79b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 04:29:17"
        }
    ],
    "2591": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Linux_Trojan_Setag_351eeb76",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-25 04:29:17"
        }
    ],
    "2592": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Lumma_ChaCha20_KeyStub_v2",
            "yara_rule_author": "pebwalker",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Lumma Stealer ChaCha20 key setup and stub",
            "last_hit_utc": "2026-01-25 13:55:55"
        }
    ],
    "2593": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "MALWARE_Win_Babuk",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Babuk ransomware",
            "last_hit_utc": "2022-11-10 05:14:03"
        }
    ],
    "2594": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "MALWARE_Win_GloomaneStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GloomaneStealer",
            "last_hit_utc": "2026-01-10 19:05:27"
        }
    ],
    "2595": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "MirrorBlast_Author",
            "yara_rule_author": "David Coomber",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse.php?search=tag%3AMirrorBlast",
            "yara_rule_description": "Detects MirrorBlast samples with Author: Ferop",
            "last_hit_utc": "2026-02-17 15:57:20"
        }
    ],
    "2596": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Msfpayloads_msf_ref",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf-ref.ps1",
            "last_hit_utc": "2025-01-05 15:34:15"
        }
    ],
    "2597": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "NightshadeC2",
            "yara_rule_author": "YungBinary",
            "yara_rule_reference": null,
            "yara_rule_description": "NightshadeC2 AKA CastleRAT - https://x.com/YungBinary/status/1963751038340534482",
            "last_hit_utc": "2026-03-29 04:04:18"
        }
    ],
    "2598": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "OlympicDestroyer",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "OlympicDestroyer Payload",
            "last_hit_utc": "2021-02-28 07:42:09"
        }
    ],
    "2599": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "OutlookBackdoor",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:50:29"
        }
    ],
    "2600": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "parallax_rat_2020",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-15 19:15:05"
        }
    ],
    "2601": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Privateloader_Main_Component",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PrivateLoader Main Component",
            "last_hit_utc": "2025-01-05 16:23:57"
        }
    ],
    "2602": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "ProcessInjector_Gen",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c",
            "yara_rule_description": "Detects a process injection utility that can be used for good and bad purposes",
            "last_hit_utc": "2022-04-11 11:40:04"
        }
    ],
    "2603": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "RansomwareTest8",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": null,
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2025-01-05 15:17:25"
        }
    ],
    "2604": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Recon_Commands_Windows_Gen1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/MSJCxP",
            "yara_rule_description": "Detects a set of reconnaissance commands on Windows systems",
            "last_hit_utc": "2026-03-21 00:49:34"
        }
    ],
    "2605": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "TrickBot",
            "yara_rule_author": "sysopfb & kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "TrickBot Payload",
            "last_hit_utc": "2025-10-28 13:45:14"
        }
    ],
    "2606": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Truncated_win10_x64_NativeSysCall",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": null,
            "yara_rule_description": "hunt of at least 3 occurrences of truncated win10 x64 NativeSyscall",
            "last_hit_utc": "2026-04-20 22:47:47"
        }
    ],
    "2607": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Windows_Generic_Threat_9af87ddb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-28 08:33:24"
        }
    ],
    "2608": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Windows_Hacktool_Mimikatz_1388212a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2609": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Windows_Ransomware_Makop_3ac2c13c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-21 11:48:15"
        }
    ],
    "2610": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Windows_Trojan_Nanocore_d8c4e3c5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-24 08:17:03"
        }
    ],
    "2611": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "Windows_Trojan_TwistedTinsel_aa56e527",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-18 20:24:06"
        }
    ],
    "2612": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "win_evilconwi_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.evilconwi.",
            "last_hit_utc": "2026-04-24 06:43:32"
        }
    ],
    "2613": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "win_hookinjex_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.hookinjex.",
            "last_hit_utc": "2025-11-02 13:53:36"
        }
    ],
    "2614": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "win_kovter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-10-18 15:22:03"
        }
    ],
    "2615": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "win_rhysida_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.rhysida.",
            "last_hit_utc": "2025-04-12 13:49:04"
        }
    ],
    "2616": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "win_stealc_generic",
            "yara_rule_author": "dubfib",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-15 08:16:37"
        }
    ],
    "2617": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "ZIP_PowerShell_Susp_Obf",
            "yara_rule_author": "ventdrop",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect .zip files containing suspicious and obfuscated embedded PowerShell command",
            "last_hit_utc": "2026-04-16 20:29:44"
        }
    ],
    "2618": [
        {
            "sample_cnt": 23,
            "yara_rule_name": "ZxShell_Related_Malware_CN_Group_Jul17_2_RID3602",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell related sample from a CN threat group",
            "last_hit_utc": "2025-06-16 16:17:25"
        }
    ],
    "2619": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "APT_UNC2447_MAL_RANSOM_HelloKitty_May21_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects HelloKitty Ransomware samples from UNC2447 campaign",
            "last_hit_utc": "2025-04-10 14:56:41"
        }
    ],
    "2620": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "APT_UNC2447_MAL_RANSOM_HelloKitty_May21_2_RID3456",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects HelloKitty Ransomware samples from UNC2447 campaign",
            "last_hit_utc": "2025-04-10 14:56:41"
        }
    ],
    "2621": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "blocksig",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-03 15:55:13"
        }
    ],
    "2622": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "BroEx",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BroEx, a type of aggressive adware.",
            "last_hit_utc": "2025-05-29 20:28:21"
        }
    ],
    "2623": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "BumbleBeeLoader",
            "yara_rule_author": "enzo & kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "BumbleBee Loader",
            "last_hit_utc": "2022-10-21 22:37:04"
        }
    ],
    "2624": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "ByteCode_MSIL_Backdoor_OrcusRAT",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects OrcusRAT backdoor.",
            "last_hit_utc": "2026-04-02 16:36:15"
        }
    ],
    "2625": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "CGISscan_CGIScan",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file CGIScan.exe",
            "last_hit_utc": "2025-11-23 12:16:24"
        }
    ],
    "2626": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "CN_Actor_AmmyyAdmin_RID2E4F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - CN Actor",
            "yara_rule_description": "Detects Ammyy Admin Downloader",
            "last_hit_utc": "2025-10-04 10:44:42"
        }
    ],
    "2627": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "CN_Actor_RA_Tool_Ammyy_mscorsvw_RID3338",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - CN Actor",
            "yara_rule_description": "Detects Ammyy remote access tool",
            "last_hit_utc": "2025-10-04 10:44:42"
        }
    ],
    "2628": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "davivienda",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-15 22:16:02"
        }
    ],
    "2629": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "ELF_Kaiji_Chaos_April_2024",
            "yara_rule_author": "NDA0N",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Chaos, variant of Kaiji",
            "last_hit_utc": "2025-01-05 17:25:04"
        }
    ],
    "2630": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "HKTL_mimikatz_icon",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://blog.gentilkiwi.com/mimikatz",
            "yara_rule_description": "Detects mimikatz icon in PE file",
            "last_hit_utc": "2026-01-05 11:30:22"
        }
    ],
    "2631": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "HTML_Windows_Search_Abuse",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HTML files abusing Windows system functionalities to redirect and download malicious payloads",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "2632": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "INDICATOR_EXE_Packed_aPLib",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with aPLib.",
            "last_hit_utc": "2022-10-17 09:18:03"
        }
    ],
    "2633": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "INDICATOR_EXE_Packed_NyanXCat_CSharpLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects .NET executables utilizing NyanX-CAT C# Loader",
            "last_hit_utc": "2022-11-05 19:04:04"
        }
    ],
    "2634": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "INDICATOR_EXE_Packed_Yano",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with Yano Obfuscator",
            "last_hit_utc": "2025-09-15 04:04:32"
        }
    ],
    "2635": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "INDICATOR_KB_CERT_0c15be4a15bb0903c901b1d6c265302f",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-02-02 08:09:04"
        }
    ],
    "2636": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_USNDeleteJournal",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware",
            "last_hit_utc": "2026-02-11 19:28:13"
        }
    ],
    "2637": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "INDICATOR_TOOL_WEDGECUT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects WEDGECUT, a reconnaissance tool that checks whether hosts are online using ICMP packets",
            "last_hit_utc": "2025-10-23 21:33:56"
        }
    ],
    "2638": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "Lib_Packer",
            "yara_rule_author": "R3R0K",
            "yara_rule_reference": null,
            "yara_rule_description": "Android.Lib_Packer",
            "last_hit_utc": "2025-07-13 16:59:23"
        }
    ],
    "2639": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "MacOS_Trojan_Metasploit_6cab0ec0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-09 16:40:45"
        }
    ],
    "2640": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "MALWARE_Win_PWSH_PoshKeylogger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell PoshKeylogger",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "2641": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "MALWARE_Win_Ratty",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Ratty Java RAT",
            "last_hit_utc": "2023-01-06 10:03:02"
        }
    ],
    "2642": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "Old_Code__Signature_AnyDesk_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-12 08:38:33"
        }
    ],
    "2643": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "possible_UAC0050_or_STICKYWEREWOLF_files",
            "yara_rule_author": "rjones",
            "yara_rule_reference": null,
            "yara_rule_description": "possible_UAC0050_or_STICKYWEREWOLF_files",
            "last_hit_utc": "2025-11-21 18:44:32"
        }
    ],
    "2644": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "Saudi_Phish_Trojan",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/Z3JUAA",
            "yara_rule_description": "Detects a trojan used in Saudi Aramco Phishing",
            "last_hit_utc": "2025-10-09 14:44:38"
        }
    ],
    "2645": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "SUSP_Unsigned_GoogleUpdate_RID3117",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious unsigned GoogleUpdate.exe",
            "last_hit_utc": "2025-12-28 17:29:15"
        }
    ],
    "2646": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "svc_stealer",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "SVC Stealer Payload",
            "last_hit_utc": "2025-07-08 12:09:21"
        }
    ],
    "2647": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "VBS_dropper_script_Dec17_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious VBS script that drops an executable",
            "last_hit_utc": "2025-11-09 08:53:15"
        }
    ],
    "2648": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "VBS_dropper_script_Dec17_1_RID30AE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious VBS script that drops an executable",
            "last_hit_utc": "2025-11-09 08:53:15"
        }
    ],
    "2649": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "Windows_Generic_Threat_0e8530f5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-09 13:39:13"
        }
    ],
    "2650": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "Windows_Trojan_Matanbuchus_58a61aaa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:30:26"
        }
    ],
    "2651": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "Windows_Trojan_Metasploit_96233b6b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies another 64 bit API hashing function used by Metasploit.",
            "last_hit_utc": "2026-02-08 18:11:16"
        }
    ],
    "2652": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "Windows_Trojan_Netwire_f42cb379",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "2653": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "win_ghostsocks_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.ghostsocks.",
            "last_hit_utc": "2025-12-14 12:28:22"
        }
    ],
    "2654": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "win_houdini_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-05 16:38:05"
        }
    ],
    "2655": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "win_pandabanker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-17 13:50:42"
        }
    ],
    "2656": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "win_solarmarker_bytecodes",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects bytecodes present in solarmarker Packer",
            "last_hit_utc": "2025-01-05 17:03:48"
        }
    ],
    "2657": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "win_systembc_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.systembc.",
            "last_hit_utc": "2026-02-13 17:32:16"
        }
    ],
    "2658": [
        {
            "sample_cnt": 22,
            "yara_rule_name": "win_unidentified_045_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.unidentified_045.",
            "last_hit_utc": "2025-09-19 18:08:20"
        }
    ],
    "2659": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "ach_Gozi_doc_20201216",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/11a1d69462c6e27c89ff03e181b0f4ab/",
            "yara_rule_description": "Detects Gozi ISFB doc",
            "last_hit_utc": "2020-12-17 08:19:03"
        }
    ],
    "2660": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "ach_ZLoader_xls_20200804",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/1b4c1358ba459fca836502adcbc23bd9/",
            "yara_rule_description": "Detects ZLoader XLS",
            "last_hit_utc": "2020-10-05 15:24:06"
        }
    ],
    "2661": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "CN_Actor_AmmyyAdmin",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - CN Actor",
            "yara_rule_description": "Detects Ammyy Admin Downloader",
            "last_hit_utc": "2024-02-10 04:13:59"
        }
    ],
    "2662": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "CN_Actor_RA_Tool_Ammyy_mscorsvw",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - CN Actor",
            "yara_rule_description": "Detects Ammyy remote access tool",
            "last_hit_utc": "2024-02-10 04:13:59"
        }
    ],
    "2663": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "crime_win32_isfb_217_browser_mod",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1237453047305048067",
            "yara_rule_description": "Detects ISFB 2.17 browser grabber module",
            "last_hit_utc": "2025-01-05 15:14:48"
        }
    ],
    "2664": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Darkside",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Darkside ransomware.",
            "last_hit_utc": "2022-11-16 11:04:02"
        }
    ],
    "2665": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "darkVision",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked darkVision malware samples.",
            "last_hit_utc": "2025-09-26 00:28:01"
        }
    ],
    "2666": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "detect_braodo_stealer",
            "yara_rule_author": "Priya",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects Braodo Stealer",
            "last_hit_utc": "2026-01-20 18:14:33"
        }
    ],
    "2667": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "elf_arm_mips_ko_so",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-19 21:36:03"
        }
    ],
    "2668": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Go_Malware_Yamux_Variant",
            "yara_rule_author": "Gemini",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a specific Go-based malware variant using the yamux library, with shared strings and constants across x86 and ARM architectures.",
            "last_hit_utc": "2026-04-23 16:35:36"
        }
    ],
    "2669": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "INDICATOR_EXE_Packed_Enigma",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with Enigma",
            "last_hit_utc": "2022-11-07 11:43:03"
        }
    ],
    "2670": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many base64-encoded IR and analysis tools names",
            "last_hit_utc": "2026-02-10 20:05:27"
        }
    ],
    "2671": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "INDICATOR_TOOL_EXP_ApacheStrusts",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Windows executables containing ApacheStruts exploit artifacts",
            "last_hit_utc": "2026-02-18 16:31:16"
        }
    ],
    "2672": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Linux_Trojan_Gafgyt_0cd591cd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "2673": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Linux_Trojan_Gafgyt_a33a8363",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "2674": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Lumma",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Lumma config extraction",
            "last_hit_utc": "2025-01-05 17:09:17"
        }
    ],
    "2675": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Malware_Floxif_mpsvc_dll",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Malware - Floxif",
            "last_hit_utc": "2026-03-23 02:26:15"
        }
    ],
    "2676": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "MALWARE_Win_NWorm",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects NWorm/N-W0rm payload",
            "last_hit_utc": "2022-10-12 16:53:50"
        }
    ],
    "2677": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "MALWARE_Win_RevengeRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "RevengeRAT and variants payload",
            "last_hit_utc": "2022-11-10 10:18:03"
        }
    ],
    "2678": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "MAL_BPFDoor_May_2022_2",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/jcksnsec/status/1522163033585467393",
            "yara_rule_description": "Detect BPFDoor used by Red Menshen",
            "last_hit_utc": "2026-04-25 22:06:33"
        }
    ],
    "2679": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "mal_metasploit_shellcode_windows_meterpreter_reverse_http_x86",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/",
            "yara_rule_description": "Detects Metasploit import-hashes from the windows/meterpreter/reverse_http payload",
            "last_hit_utc": "2025-06-04 17:15:33"
        }
    ],
    "2680": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "MAL_QBot_HTML_Smuggling_Indicators_Oct22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/ankit_anubhav/status/1578257383133876225?s=20&t=Bu3CCJCzImpTGOQX_KGsdA",
            "yara_rule_description": "Detects double encoded PKZIP headers as seen in HTML files used by QBot",
            "last_hit_utc": "2025-01-05 15:28:04"
        }
    ],
    "2681": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "MC_Office_DDE_Command_Execution",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-22 18:17:26"
        }
    ],
    "2682": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Obfuscar",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Obfuscar xor routine",
            "last_hit_utc": "2026-03-19 17:57:20"
        }
    ],
    "2683": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "QakBot_OneNote_Loader",
            "yara_rule_author": "Ankit Anubhav - ankitanubhav.info",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a OneNote malicious loader mostly used by QBot (TA570/TA577)",
            "last_hit_utc": "2025-03-24 07:48:36"
        }
    ],
    "2684": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "RansomwareTest2",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": null,
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2025-01-05 15:16:30"
        }
    ],
    "2685": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "SUSP_LNX_SH_CryptoMiner_Indicators_Dec20_1_RID364E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/",
            "yara_rule_description": "Detects helper script used in a crypto miner campaign",
            "last_hit_utc": "2025-12-12 07:27:15"
        }
    ],
    "2686": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "troj_win_cobaltstrike_memoryinject",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Cobalt Strike payload typically loaded into memory via PowerShell.",
            "last_hit_utc": "2023-06-29 20:36:04"
        }
    ],
    "2687": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "upx_antiunpack_elf64",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "UPX Anti-Unpacking technique to magic renamed for ELF64",
            "last_hit_utc": "2022-11-23 19:38:02"
        }
    ],
    "2688": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Win32_Infostealer_StealC",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects StealC infostealer.",
            "last_hit_utc": "2026-04-09 16:07:32"
        }
    ],
    "2689": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Windows_Generic_Threat_0cc1481e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:29:21"
        }
    ],
    "2690": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Windows_Generic_Threat_9a8dc290",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-06-27 09:20:06"
        }
    ],
    "2691": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Windows_Trojan_CyberGate_c219a2f3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-29 05:45:46"
        }
    ],
    "2692": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Windows_Trojan_Emotet_db7d33fa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 22:29:03"
        }
    ],
    "2693": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Windows_Trojan_Metasploit_0f5a852d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families.",
            "last_hit_utc": "2025-12-04 20:23:16"
        }
    ],
    "2694": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_f54632eb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-24 21:08:04"
        }
    ],
    "2695": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "win_conti_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.conti.",
            "last_hit_utc": "2022-11-16 06:52:06"
        }
    ],
    "2696": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "win_jaku_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.jaku.",
            "last_hit_utc": "2022-10-17 09:32:03"
        }
    ],
    "2697": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "win_kronos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-04 09:28:20"
        }
    ],
    "2698": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "win_lumma",
            "yara_rule_author": "GovCERT.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Matches unpacked Lumma stealer samples",
            "last_hit_utc": "2025-01-05 15:46:45"
        }
    ],
    "2699": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "win_r77_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.r77.",
            "last_hit_utc": "2023-10-15 12:48:48"
        }
    ],
    "2700": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "win_redline_stealer_f34d5f2d4577ed6d9ceec516c1f5a744",
            "yara_rule_author": "dubfib",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-04 09:00:22"
        }
    ],
    "2701": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "win_sinowal_w1",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": "",
            "yara_rule_description": "Quarian code features",
            "last_hit_utc": "2022-11-04 09:01:21"
        }
    ],
    "2702": [
        {
            "sample_cnt": 21,
            "yara_rule_name": "win_vidar_generic",
            "yara_rule_author": "dubfib",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:34:40"
        }
    ],
    "2703": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "AgentTeslaV2",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "AgentTesla Type 2 Keylogger payload",
            "last_hit_utc": "2022-11-04 11:29:03"
        }
    ],
    "2704": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "APT_NK_BabyShark_KimJoingRAT_Apr19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/",
            "yara_rule_description": "Detects BabyShark KimJongRAT",
            "last_hit_utc": "2021-10-18 09:30:07"
        }
    ],
    "2705": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "BatModifier2",
            "yara_rule_author": "Madhav",
            "yara_rule_reference": null,
            "yara_rule_description": "This is a bat file which is setup a game. 49509",
            "last_hit_utc": "2026-04-02 09:37:19"
        }
    ],
    "2706": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "BazaSpacedDaisy",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-31 15:20:23"
        }
    ],
    "2707": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Cobaltbaltstrike_Beacon_XORed_x64",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2025-02-21 12:59:10"
        }
    ],
    "2708": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "CobaltStrike_Resources_Httpsstager_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/httpsstager.bin signature for versions 2.5 to 4.x",
            "last_hit_utc": "2025-08-02 23:42:14"
        }
    ],
    "2709": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "CobaltStrike__Resources_Httpsstager_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-02 23:42:13"
        }
    ],
    "2710": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "CobaltStrike__Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-11-26 10:16:03"
        }
    ],
    "2711": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "CRIME_WIN32_RANSOM_BLACKMATTER",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Blackmatter ransomware",
            "last_hit_utc": "2022-11-16 11:04:03"
        }
    ],
    "2712": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Emotet",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule To Detect Emotet",
            "last_hit_utc": "2025-06-16 16:30:42"
        }
    ],
    "2713": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "fbrobot_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/317642cd-924b-4fe4-ba97-0c648f89c7a0",
            "yara_rule_description": "fbrobot stealer",
            "last_hit_utc": "2025-01-05 14:49:19"
        }
    ],
    "2714": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Gen_Net_LocalGroup_Administrators_Add_Command",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an executable that contains a command to add a user account to the local administrators group",
            "last_hit_utc": "2026-01-11 15:40:32"
        }
    ],
    "2715": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "INDICATOR_KB_CERT_03e9eb4dff67d4f9a554a422d5ed86f3",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2023-04-03 14:52:05"
        }
    ],
    "2716": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "INDICATOR_KB_CERT_0ddeb53f957337fbeaf98c4a615b149d",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 15:58:46"
        }
    ],
    "2717": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "laplas_golang",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Laplas Clipper Golang Payload",
            "last_hit_utc": "2026-03-31 04:55:23"
        }
    ],
    "2718": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Linux_Exploit_CVE_2021_4034_1c8f235d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-30 03:42:16"
        }
    ],
    "2719": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Linux_Trojan_Tsunami_2462067e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-10 15:55:26"
        }
    ],
    "2720": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "MALWARE_Win_AgentTeslaV2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "AgentTesla Type 2 Keylogger payload",
            "last_hit_utc": "2022-11-04 11:29:03"
        }
    ],
    "2721": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "MALWARE_Win_CelestyBinderLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Celesty Binder loader",
            "last_hit_utc": "2025-12-05 21:04:24"
        }
    ],
    "2722": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "MALWARE_Win_DLInjector04",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects downloader / injector",
            "last_hit_utc": "2022-10-18 17:23:03"
        }
    ],
    "2723": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "MALWARE_Win_LimeRAT",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "LimeRAT payload",
            "last_hit_utc": "2025-09-28 08:39:21"
        }
    ],
    "2724": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "MALWARE_Win_LummaStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Lumma Stealer",
            "last_hit_utc": "2025-11-30 15:41:11"
        }
    ],
    "2725": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "MALWARE_Win_SoranoStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SoranoStealer / HogGrabber. Available on Github: /Alexuiop1337/SoranoStealer",
            "last_hit_utc": "2022-10-24 13:21:03"
        }
    ],
    "2726": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "OBFUS_VBS_Reverse_StartUp",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects reversed StartUp Path. Sometimes used as obfuscation",
            "last_hit_utc": "2025-01-03 22:37:14"
        }
    ],
    "2727": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "privateloader",
            "yara_rule_author": "andre@tavares.re",
            "yara_rule_reference": "",
            "yara_rule_description": "PrivateLoader pay-per-install malware",
            "last_hit_utc": "2022-08-25 11:35:49"
        }
    ],
    "2728": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "ProjectM_DarkComet_1_RID2E9E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/",
            "yara_rule_description": "Detects ProjectM Malware",
            "last_hit_utc": "2025-12-23 20:32:14"
        }
    ],
    "2729": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "rootkit",
            "yara_rule_author": "xorseed",
            "yara_rule_reference": "https://stuff.rop.io/",
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-13 15:19:17"
        }
    ],
    "2730": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Shifu",
            "yara_rule_author": "McAfee Labs",
            "yara_rule_reference": "https://blogs.mcafee.com/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-17 09:18:03"
        }
    ],
    "2731": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "silentbuilder_03_05",
            "yara_rule_author": "James Quinn",
            "yara_rule_reference": null,
            "yara_rule_description": "SilentBuilder xls sheets",
            "last_hit_utc": "2021-03-17 10:33:30"
        }
    ],
    "2732": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Spynote_craxsrat_strings",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Spynote Android Malware",
            "last_hit_utc": "2026-04-02 12:47:21"
        }
    ],
    "2733": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "SUSP_Modified_SystemExeFileName_in_File",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
            "yara_rule_description": "Detects a variant of a system file name often used by attackers to cloak their activity",
            "last_hit_utc": "2025-12-26 05:31:17"
        }
    ],
    "2734": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "SUSP_PowerShell_IEX_Download_Combo",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/JaromirHorejsi/status/1047084277920411648",
            "yara_rule_description": "Detects strings found in sample from CN group repo leak in October 2018",
            "last_hit_utc": "2025-12-09 17:05:25"
        }
    ],
    "2735": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Win32_Ransomware_Reveton",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Reveton ransomware.",
            "last_hit_utc": "2025-04-19 17:06:44"
        }
    ],
    "2736": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Windows_Generic_Threat_4578ee8c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 20:27:24"
        }
    ],
    "2737": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Windows_Trojan_DCRat_1aeea1ac",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-24 04:41:03"
        }
    ],
    "2738": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Windows_Trojan_Netwire_f42cb379",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-14 20:45:03"
        }
    ],
    "2739": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "Windows_Trojan_PrivateLoader_96ac2734",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:09:24"
        }
    ],
    "2740": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "win_5t_downloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.5t_downloader.",
            "last_hit_utc": "2025-10-24 15:29:59"
        }
    ],
    "2741": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "win_blacknet_rat_w0",
            "yara_rule_author": "K7 Security Labs",
            "yara_rule_reference": null,
            "yara_rule_description": "BlackNet Payload",
            "last_hit_utc": "2025-12-26 05:31:17"
        }
    ],
    "2742": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "win_gandcrab_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-08-30 21:04:05"
        }
    ],
    "2743": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "win_pushdo_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-10-10 07:28:56"
        }
    ],
    "2744": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "win_shylock_w0",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "Shylock Banker",
            "last_hit_utc": "2026-03-06 11:19:17"
        }
    ],
    "2745": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "wsh_rat_vbs_decoded",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "Alerts on the decoded WSH RAT VBScript",
            "last_hit_utc": "2022-11-04 17:16:04"
        }
    ],
    "2746": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "XtremeRAT",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "XtremeRAT",
            "last_hit_utc": "2026-01-30 08:06:27"
        }
    ],
    "2747": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "XtremeRATStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "XtremeRAT Identifying Strings",
            "last_hit_utc": "2026-01-30 08:06:27"
        }
    ],
    "2748": [
        {
            "sample_cnt": 20,
            "yara_rule_name": "ZeusPanda",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "ZeusPanda Payload",
            "last_hit_utc": "2021-01-27 02:56:05"
        }
    ],
    "2749": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "ach_202412_sh_hailbot",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HailBot shell scripts",
            "last_hit_utc": "2025-03-03 11:53:12"
        }
    ],
    "2750": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "ach_Dridex_xls_20200522",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/49fd01ae576df142c40cc554d5bcf024/",
            "yara_rule_description": null,
            "last_hit_utc": "2021-01-12 06:18:05"
        }
    ],
    "2751": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "APK_SpyNote_May_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Spynote",
            "last_hit_utc": "2025-01-05 17:35:10"
        }
    ],
    "2752": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "bumblebee_v2",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "BumbleBee Payload v2",
            "last_hit_utc": "2026-03-19 13:36:03"
        }
    ],
    "2753": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "Cobaltbaltstrike_Beacon_x86",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2025-01-05 17:02:34"
        }
    ],
    "2754": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "CobaltStrike_Resources_Httpstager64_Bin_v3_2_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/httpstager64.bin signature for versions v3.2 to v4.x",
            "last_hit_utc": "2026-02-07 18:35:18"
        }
    ],
    "2755": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "CobaltStrike__Resources_Httpstager64_Bin_v3_2_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-07 18:35:17"
        }
    ],
    "2756": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "crime_win32_ransom_lockbit_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "twitter",
            "yara_rule_description": "Detects LockBit ransomware",
            "last_hit_utc": "2023-09-11 16:27:04"
        }
    ],
    "2757": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "CryptoLocker_rule2",
            "yara_rule_author": "Christiaan Beek, Christiaan_Beek@McAfee.com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of CryptoLocker Variants",
            "last_hit_utc": "2025-10-04 10:38:41"
        }
    ],
    "2758": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "Detect_BazarISO",
            "yara_rule_author": "@johnk3r",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects BazarISO",
            "last_hit_utc": "2022-05-25 10:22:03"
        }
    ],
    "2759": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "HKTL_NET_GUID_Stealer",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/malwares/Stealer",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-05 14:45:13"
        }
    ],
    "2760": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "Linux_Trojan_Gafgyt_d996d335",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "2761": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "MALWARE_Linux_Akira",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Akira Ransomware Linux",
            "last_hit_utc": "2025-06-16 16:56:08"
        }
    ],
    "2762": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "MALWARE_Win_FloodFix",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects FloodFix",
            "last_hit_utc": "2022-10-20 01:32:46"
        }
    ],
    "2763": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "MALWARE_Win_Rhysida",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Rhysida ransomware",
            "last_hit_utc": "2025-04-12 13:49:03"
        }
    ],
    "2764": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "MAL_Ransomware_Wadhrama",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Wadhrama Ransomware via Imphash",
            "last_hit_utc": "2025-01-05 16:44:33"
        }
    ],
    "2765": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "mimikatz_kiwikey",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": null,
            "yara_rule_description": "hunt for default mimikatz kiwikey",
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2766": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "poverty_stealer_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:34:33"
        }
    ],
    "2767": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "power_pe_injection",
            "yara_rule_author": "Benjamin DELPY (gentilkiwi)",
            "yara_rule_reference": null,
            "yara_rule_description": "PowerShell with PE Reflective Injection",
            "last_hit_utc": "2025-10-28 13:44:58"
        }
    ],
    "2768": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "Ransom_Babuk",
            "yara_rule_author": "TS @ McAfee ATR",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect Babuk Locker",
            "last_hit_utc": "2025-08-08 17:53:15"
        }
    ],
    "2769": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "rhadamanthys_",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked rhadamanthys malware samples.",
            "last_hit_utc": "2026-01-26 18:53:54"
        }
    ],
    "2770": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "sodinokibi_2020_06_10",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:54:35"
        }
    ],
    "2771": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "SparkRAT",
            "yara_rule_author": "t-mtsmt",
            "yara_rule_reference": null,
            "yara_rule_description": "SparkRAT Payload",
            "last_hit_utc": "2026-04-23 10:02:48"
        }
    ],
    "2772": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "Windows_Hacktool_COFFLoader_81ba13b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-20 22:47:48"
        }
    ],
    "2773": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "Windows_Ransomware_Medusa_fda487fd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-26 18:38:14"
        }
    ],
    "2774": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "Windows_Trojan_Lumma_693a5234",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-27 12:23:08"
        }
    ],
    "2775": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "WinRAR_ADS_Traversal",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/",
            "yara_rule_description": "Identifies potential ADS traversal in RAR archives, seen in vulnerabilities such as CVE-2025-6218 and CVE-2025-8088.",
            "last_hit_utc": "2026-04-16 18:16:32"
        }
    ],
    "2776": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "win_cerber_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-03-04 23:02:16"
        }
    ],
    "2777": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "win_mofksys_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mofksys.",
            "last_hit_utc": "2022-10-17 09:32:03"
        }
    ],
    "2778": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "win_netwire_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.netwire.",
            "last_hit_utc": "2026-01-24 20:46:24"
        }
    ],
    "2779": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "win_servhelper_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-12-20 08:44:05"
        }
    ],
    "2780": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "win_systembc_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-13 13:58:44"
        }
    ],
    "2781": [
        {
            "sample_cnt": 19,
            "yara_rule_name": "win_whispergate_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.whispergate.",
            "last_hit_utc": "2022-10-17 06:46:02"
        }
    ],
    "2782": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Andromeda_MalBot_Jun_1A",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/",
            "yara_rule_description": "Detects a malicious Worm Andromeda / RETADUP",
            "last_hit_utc": "2025-01-05 17:16:43"
        }
    ],
    "2783": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "apt_CN_Tetris_JS_simple",
            "yara_rule_author": "@imp0rtp3",
            "yara_rule_reference": "https://imp0rtp3.wordpress.com/2021/08/12/tetris",
            "yara_rule_description": "Jetriz, Swid & Jeniva from Tetris framework signature",
            "last_hit_utc": "2026-03-25 19:22:20"
        }
    ],
    "2784": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Bloated_RL",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Search for certain section names",
            "last_hit_utc": "2023-05-30 10:17:02"
        }
    ],
    "2785": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "BumbleBee2024",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "BumbleBee 2024",
            "last_hit_utc": "2025-12-15 08:16:30"
        }
    ],
    "2786": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "CobaltStrike_Sleeve_Beacon_x64_v4_4_v_4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.4 through at least 4.6",
            "last_hit_utc": "2025-07-09 19:20:34"
        }
    ],
    "2787": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "DROPPER_njrat_VBS",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "https://bazaar.abuse.ch/sample/daea0b5dfcc3e20b75292df60fe5f0e16a40735254485ff6cc7884697a007c0d/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-28 03:15:37"
        }
    ],
    "2788": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Empire_Invoke_Gen_RID2DB7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "2789": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Hancitor",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule To Detect Hancitor",
            "last_hit_utc": "2026-04-17 13:28:38"
        }
    ],
    "2790": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "HKTL_CobaltStrike_Beacon_XOR_Strings",
            "yara_rule_author": "Elastic",
            "yara_rule_reference": "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures",
            "yara_rule_description": "Identifies XOR'd strings used in Cobalt Strike Beacon DLL",
            "last_hit_utc": "2026-03-18 09:05:33"
        }
    ],
    "2791": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Impacket_Keyword_RID2D83",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Impacket Keyword in Executable",
            "last_hit_utc": "2025-06-16 16:48:09"
        }
    ],
    "2792": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Impacket_Lateral_Movement_RID310D",
            "yara_rule_author": "Markus Neis",
            "yara_rule_reference": "https://github.com/CoreSecurity/impacket",
            "yara_rule_description": "Detects Impacket Network Activity for Lateral Movement",
            "last_hit_utc": "2025-06-16 16:48:10"
        }
    ],
    "2793": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "IMPLANT_4_v5",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "BlackEnergy / Voodoo Bear Implant by APT28",
            "last_hit_utc": "2026-04-19 19:38:28"
        }
    ],
    "2794": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "INDICATOR_EXE_DotNET_Encrypted",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects encrypted or obfuscated .NET executables",
            "last_hit_utc": "2022-11-04 18:28:02"
        }
    ],
    "2795": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "INDICATOR_EXE_Packed_DotNetReactor",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with unregistered version of .NET Reactor",
            "last_hit_utc": "2022-07-10 10:22:03"
        }
    ],
    "2796": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "INDICATOR_KB_ID_PowerShellSMTPKeyLogger",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects email accounts used for exfiltration observed in PowerShellSMTPKeyLogger",
            "last_hit_utc": "2023-10-22 18:11:30"
        }
    ],
    "2797": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Kronos",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Kronos Payload",
            "last_hit_utc": "2022-01-19 15:46:47"
        }
    ],
    "2798": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Linux_Trojan_Gafgyt_9a62845f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-04 06:28:16"
        }
    ],
    "2799": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Linux_Trojan_Getshell_98d002bf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-23 10:57:44"
        }
    ],
    "2800": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Linux_Trojan_Mirai_95e0056c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-23 18:14:03"
        }
    ],
    "2801": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "MALWARE_Emotet_OneNote_Delivery_vbs_Mar23",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://www.secuinfra.com/en/news/the-whale-surfaces-again-emotet-epoch4-spam-botnet-returns/",
            "yara_rule_description": "Detects Microsoft OneNote files used to deliver Emotet (VBScript Payload)",
            "last_hit_utc": "2023-03-24 08:27:03"
        }
    ],
    "2802": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "MALWARE_Win_Echelon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Echelon information stealer payload",
            "last_hit_utc": "2025-01-05 15:06:19"
        }
    ],
    "2803": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "MALWARE_Win_FatalRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects FatalRAT",
            "last_hit_utc": "2022-10-10 14:10:34"
        }
    ],
    "2804": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "MALW_cobaltrike",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule to detect CobaltStrike beacon",
            "last_hit_utc": "2021-09-03 12:26:15"
        }
    ],
    "2805": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "MAL_AgentTesla_Stage_1",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "https://bazaar.abuse.ch/sample/bd257d674778100639b298ea35550bf3bcb8b518978c502453e9839846f9bbec/",
            "yara_rule_description": "Detects the first stage of AgentTesla (JavaScript)",
            "last_hit_utc": "2025-01-05 16:34:23"
        }
    ],
    "2806": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Mimikatz_Samples_2014b_Family_2",
            "yara_rule_author": "Florian Roth with the help of YarGen Rule Generator",
            "yara_rule_reference": null,
            "yara_rule_description": "Mimikatz password dumper samples from the second half of 2014",
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "2807": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "mscan",
            "yara_rule_author": "Nicklas",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to find mscan",
            "last_hit_utc": "2025-10-16 10:37:33"
        }
    ],
    "2808": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "MSI_AteraAgent_RemoteAdmin_April_2024",
            "yara_rule_author": "NDA0N",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AteraAgent Remote Admin Tool",
            "last_hit_utc": "2025-01-05 17:36:00"
        }
    ],
    "2809": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "PellesC28x45xPelleOrinius",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 11:06:42"
        }
    ],
    "2810": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "pony",
            "yara_rule_author": "Brian Wallace @botnet_hunter",
            "yara_rule_reference": "",
            "yara_rule_description": "Identify Pony",
            "last_hit_utc": "2022-11-26 03:32:03"
        }
    ],
    "2811": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection_RID3A9A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "2812": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "RAN_Nitro_Aug_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse/tag/NitroRansomware/",
            "yara_rule_description": "Detect Nitro ransomware",
            "last_hit_utc": "2025-05-28 17:32:12"
        }
    ],
    "2813": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "RAT_remcos_strings",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "This rule detects the remcos through your specific strings.",
            "last_hit_utc": "2026-03-06 15:08:01"
        }
    ],
    "2814": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Solarmarker_Packer_May_2023",
            "yara_rule_author": "Lucas Acha (http://www.lukeacha.com)",
            "yara_rule_reference": "http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
            "yara_rule_description": "another version showing observed possible packer in hexdump at specific offset ranges.",
            "last_hit_utc": "2026-04-10 21:19:30"
        }
    ],
    "2815": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "SUSP_LNX_SH_CryptoMiner_Indicators_Dec20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/",
            "yara_rule_description": "Detects helper script used in a crypto miner campaign",
            "last_hit_utc": "2025-12-12 07:27:15"
        }
    ],
    "2816": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "SUSP_PS1_FromBase64String_Content_Indicator",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639",
            "yara_rule_description": "Detects suspicious base64 encoded PowerShell expressions",
            "last_hit_utc": "2022-12-20 11:19:10"
        }
    ],
    "2817": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "SUSP_Unsigned_GoogleUpdate",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious unsigned GoogleUpdate.exe",
            "last_hit_utc": "2025-01-05 15:27:32"
        }
    ],
    "2818": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "SUSP_URL_SMB_exe",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious internet shortcuts linking an executable on an SMB share",
            "last_hit_utc": "2025-01-05 16:36:52"
        }
    ],
    "2819": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Webshell_PHP_r57142_RID2D62",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file r57142.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "2820": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Win32_Ransomware_Xorist",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Xorist ransomware.",
            "last_hit_utc": "2025-11-18 16:01:50"
        }
    ],
    "2821": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "Windows_Ransomware_Stop_1e8d48ff",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-18 23:09:14"
        }
    ],
    "2822": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "win_kronos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.kronos.",
            "last_hit_utc": "2022-01-19 15:46:47"
        }
    ],
    "2823": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "win_troldesh_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2024-02-03 13:32:02"
        }
    ],
    "2824": [
        {
            "sample_cnt": 18,
            "yara_rule_name": "ZxShell_Related_Malware_CN_Group_Jul17_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell related sample from a CN threat group",
            "last_hit_utc": "2025-04-28 01:41:09"
        }
    ],
    "2825": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "ach_202408_html_TelegramBot",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects potential JavaScript Telegram Bot inside HTML code",
            "last_hit_utc": "2026-04-11 11:28:26"
        }
    ],
    "2826": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "apt_CN_Tetris_JS_advanced_1",
            "yara_rule_author": "@imp0rtp3",
            "yara_rule_reference": "https://imp0rtp3.wordpress.com/2021/08/12/tetris",
            "yara_rule_description": "Unique code from Jetriz, Swid & Jeniva of the Tetris framework",
            "last_hit_utc": "2026-02-23 12:02:23"
        }
    ],
    "2827": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "BuerLoader",
            "yara_rule_author": "Brandon George",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rules for the updated and unpacked payload of BuerLoader",
            "last_hit_utc": "2021-03-15 19:00:06"
        }
    ],
    "2828": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "crime_win32_dridex_ldr_40300",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/baberpervez2/status/1240801518959370240",
            "yara_rule_description": "Detects latest Dridex loader botnet 40300",
            "last_hit_utc": "2025-05-21 03:16:55"
        }
    ],
    "2829": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "2830": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Empire_Invoke_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "2831": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "2832": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "EternalRomance",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "EternalRomance Exploit",
            "last_hit_utc": "2026-02-06 16:52:15"
        }
    ],
    "2833": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "EXE_Stealer_Azorult_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 15:28:24"
        }
    ],
    "2834": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "EXPL_Shitrix_Exploit_Code_Jan20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/",
            "yara_rule_description": "Detects payloads used in Shitrix exploitation CVE-2019-19781",
            "last_hit_utc": "2026-03-27 09:11:23"
        }
    ],
    "2835": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "EXPL_Shitrix_Exploit_Code_Jan20_1_RID331C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/",
            "yara_rule_description": "Detects payloads used in Shitrix exploitation CVE-2019-19781",
            "last_hit_utc": "2026-03-27 09:11:23"
        }
    ],
    "2836": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "GoldDragon_RunningRAT",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/rW1yvZ",
            "yara_rule_description": "Detects Running RAT from Gold Dragon report",
            "last_hit_utc": "2025-01-03 23:00:32"
        }
    ],
    "2837": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1_RID3752",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/sbousseaden/status/1292143504131600384?s=12",
            "yara_rule_description": "Detects Mimikatz SkeletonKey in Memory",
            "last_hit_utc": "2025-10-06 10:22:12"
        }
    ],
    "2838": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "IcedIDLoader",
            "yara_rule_author": "kevoreilly, threathive, enzo",
            "yara_rule_reference": null,
            "yara_rule_description": "IcedID Loader",
            "last_hit_utc": "2023-03-02 17:33:45"
        }
    ],
    "2839": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "INDICATOR_EXE_Packed_KoiVM",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with or use KoiVM",
            "last_hit_utc": "2026-04-04 14:51:20"
        }
    ],
    "2840": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "INDICATOR_KB_CERT_00bfb15001bbf592d4962a7797ea736fa3",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "https://capesandbox.com/analysis/444899/",
            "yara_rule_description": "Detects executables signed with stolen, revoked, fake or invalid certificate",
            "last_hit_utc": "2025-01-05 17:02:12"
        }
    ],
    "2841": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "INDICATOR_KB_CERT_06aea76bac46a9e8cfe6d29e45aaf033",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-02-16 23:22:34"
        }
    ],
    "2842": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "INDICATOR_KB_ID_Infostealer",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects exfiltration email addresses correlated from various infostealers. The same email can be observed in multiple families.",
            "last_hit_utc": "2021-11-02 10:23:04"
        }
    ],
    "2843": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Reversed",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects reversed executables. Observed N-stage drop",
            "last_hit_utc": "2025-08-03 14:09:23"
        }
    ],
    "2844": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Linux_Generic_Threat_5d5fd28e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-06 08:03:23"
        }
    ],
    "2845": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Linux_Generic_Threat_900ffdd4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 10:43:42"
        }
    ],
    "2846": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Linux_Packer_Patched_UPX_62e11c64",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-25 09:42:03"
        }
    ],
    "2847": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Linux_Trojan_Mirai_24c5b7d6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-16 17:27:16"
        }
    ],
    "2848": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MALWARE_Win_CoinMiner04",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects coinmining malware",
            "last_hit_utc": "2022-04-12 09:08:02"
        }
    ],
    "2849": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MALWARE_Win_DLInjector03",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unknown loader / injector",
            "last_hit_utc": "2025-05-06 03:04:11"
        }
    ],
    "2850": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MALWARE_Win_JesterStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects JesterStealer",
            "last_hit_utc": "2022-11-25 20:44:03"
        }
    ],
    "2851": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MALWARE_Win_ParallaxRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ParallaxRAT",
            "last_hit_utc": "2024-03-15 19:15:05"
        }
    ],
    "2852": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MALWARE_Win_SmokeLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SmokeLoader variants",
            "last_hit_utc": "2021-12-26 01:06:09"
        }
    ],
    "2853": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MALWARE_Win_UnamedStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unknown infostealer. Observed as 2nd stage and injects into .NET AppLaunch.exe",
            "last_hit_utc": "2025-06-16 15:38:56"
        }
    ],
    "2854": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MALWARE_Win_Vidar",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Vidar infostealer variants",
            "last_hit_utc": "2021-03-30 12:56:05"
        }
    ],
    "2855": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MAL_44Caliber_Feb_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect the 44caliber stealer",
            "last_hit_utc": "2026-01-10 19:05:27"
        }
    ],
    "2856": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MAL_Babuk_Locker_January_2021",
            "yara_rule_author": "DGRANGE, Insikt Group, Recorded Future",
            "yara_rule_reference": "https://app.recordedfuture.com/live/sc/6dhqszaQk7wH",
            "yara_rule_description": "Detects updated Babuk Locker payloads first observed in January 2021",
            "last_hit_utc": "2025-08-08 17:53:15"
        }
    ],
    "2857": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MAL_Lokibot_Stealer",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Lokibot Stealer Variants",
            "last_hit_utc": "2025-01-05 15:00:18"
        }
    ],
    "2858": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "MAL_unspecified_Jan18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects unspecified malware sample",
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "2859": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "msxls_zloader_anti_sandbox_biff_formula",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Finding XLS2003 documents with a specific anti-sandbox expression",
            "last_hit_utc": "2020-08-11 20:00:12"
        }
    ],
    "2860": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "multiple_php_webshells",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files multiple_php_webshells",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "2861": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Packmanv10BrandonLaCombe",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:54:16"
        }
    ],
    "2862": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "PellesC300400450EXEX86CRTLIB",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 11:06:42"
        }
    ],
    "2863": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "poverty_stealer",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Poverty Stealer Payload",
            "last_hit_utc": "2025-06-16 16:34:33"
        }
    ],
    "2864": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Privateloader_Main_Component",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PrivateLoader Main Component",
            "last_hit_utc": "2022-11-23 20:49:38"
        }
    ],
    "2865": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "2866": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "ps1_toolkit_Invoke_Mimikatz_RID31FA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - file Invoke-Mimikatz.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "2867": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Ransomware_Kangaroo_Strings",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse/tag/kangaroo/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:05:45"
        }
    ],
    "2868": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "sig_6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b",
            "yara_rule_author": "Ian Harte",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "CS Payload CVE-2021-40444",
            "last_hit_utc": "2025-01-05 14:46:59"
        }
    ],
    "2869": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "SUSP_EnableContent_String_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious string that asks to enable active content in Office Doc",
            "last_hit_utc": "2025-12-01 07:47:18"
        }
    ],
    "2870": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "susp_hex_string_Jun2021_1",
            "yara_rule_author": "3c7",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on suspiciously long hex string that seems to be common in a lot of samples.",
            "last_hit_utc": "2023-08-06 10:02:03"
        }
    ],
    "2871": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "SUSP_LNX_Linux_Malware_Indicators_Aug20_1_RID3621",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects indicators often found in linux malware samples",
            "last_hit_utc": "2026-04-13 20:25:25"
        }
    ],
    "2872": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "susp_winsvc_upx",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "",
            "yara_rule_description": "broad hunt for any PE exporting ServiceMain API and upx packed",
            "last_hit_utc": "2021-12-20 08:44:05"
        }
    ],
    "2873": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Upackv029Betav031BetaDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 02:26:14"
        }
    ],
    "2874": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Webshell_multiple_php_webshells_RID33E1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files multiple_php_webshells",
            "last_hit_utc": "2025-11-25 20:48:18"
        }
    ],
    "2875": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "webshell_PHP_r57142",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file r57142.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "2876": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "WiltedTulip_WindowsTask_RID3065",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects hack tool used in Operation Wilted Tulip - Windows Tasks",
            "last_hit_utc": "2025-11-13 04:48:20"
        }
    ],
    "2877": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Windows_Backdoor_TeamViewer_df8e7326",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://vms.drweb.com/virus/?i=8172096",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:44:25"
        }
    ],
    "2878": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Windows_Hacktool_Mimikatz_355d5d3a",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detection for Invoke-Mimikatz",
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "2879": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Windows_Hacktool_Mimikatz_355d5d3a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection for Invoke-Mimikatz",
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "2880": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Windows_Rootkit_AbyssWorker_4ef8536c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-08 07:34:41"
        }
    ],
    "2881": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Windows_Trojan_CyberGate_9996d800",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-29 05:45:46"
        }
    ],
    "2882": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "win_babuk_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.babuk.",
            "last_hit_utc": "2022-10-09 12:43:03"
        }
    ],
    "2883": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "win_darkcomet_g0",
            "yara_rule_author": "Kevin Breen / Jean-Philippe Teissier /  botherder / Florian Roth / David Cannings / Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-02 17:16:06"
        }
    ],
    "2884": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "win_gcleaner_w0",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": "",
            "yara_rule_description": "detects GCleaner",
            "last_hit_utc": "2022-11-24 17:12:49"
        }
    ],
    "2885": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "win_houdini_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-06-14 08:19:03"
        }
    ],
    "2886": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "win_marsStealer_encryption_bytecodes",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Encryption observed in MarsStealer",
            "last_hit_utc": "2025-07-15 23:11:14"
        }
    ],
    "2887": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "win_phorpiex_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-11 07:00:22"
        }
    ],
    "2888": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "win_privateloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.privateloader.",
            "last_hit_utc": "2025-04-10 11:37:52"
        }
    ],
    "2889": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "win_zeppelin_ransomware_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-23 02:57:03"
        }
    ],
    "2890": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "Zeppelin",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Zeppelin ransomware and variants (Buran, Vega etc.)",
            "last_hit_utc": "2025-01-23 02:57:03"
        }
    ],
    "2891": [
        {
            "sample_cnt": 17,
            "yara_rule_name": "ZxShell_Related_Malware_CN_Group_Jul17_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell related sample from a CN threat group",
            "last_hit_utc": "2025-01-05 15:30:29"
        }
    ],
    "2892": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "ach_SmokeLoader_xlsb_20201112_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/737f08448ad4a56a4ded7b2e06f33a3a/",
            "yara_rule_description": "Detects Quakbot XLSB",
            "last_hit_utc": "2020-11-12 19:42:05"
        }
    ],
    "2893": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Android_Admin_And_Accessibility",
            "yara_rule_author": "Buga :3",
            "yara_rule_reference": null,
            "yara_rule_description": "This detects apps which request access to both device admin and the Android accessibility suite.",
            "last_hit_utc": "2025-11-11 14:21:16"
        }
    ],
    "2894": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "APT_Lazarus_LNK_20211105",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Lazarus Group LNK",
            "last_hit_utc": "2026-04-01 18:24:15"
        }
    ],
    "2895": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "async_RAT",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked AsyncRAT malware samples.",
            "last_hit_utc": "2025-09-11 12:47:51"
        }
    ],
    "2896": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "cybercrime_swica_html",
            "yara_rule_author": "Marc",
            "yara_rule_reference": null,
            "yara_rule_description": "HTML with swica",
            "last_hit_utc": "2026-04-25 20:23:29"
        }
    ],
    "2897": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "eicar",
            "yara_rule_author": "Marc Rivero | @seifreed",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect Eicar pattern",
            "last_hit_utc": "2021-03-02 07:21:48"
        }
    ],
    "2898": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "2899": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "EXPL_PaloAlto_CVE_2024_3400_Apr24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
            "yara_rule_description": "Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400",
            "last_hit_utc": "2026-02-18 16:31:15"
        }
    ],
    "2900": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "GoziRule",
            "yara_rule_author": "CCN-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": "Win32.Gozi",
            "last_hit_utc": "2021-04-22 10:37:06"
        }
    ],
    "2901": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Heuristics_ChromeCookieMonster",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match strings related to Chromium's CookieMonster; typically used in Chromium secrets scanning by stealers; heuristics rule - may match false positives",
            "last_hit_utc": "2025-11-12 12:24:19"
        }
    ],
    "2902": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "HKTL_NET_GUID_BlackNET",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/BlackHacker511/BlackNET",
            "yara_rule_description": "Detects VB.NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-12-26 05:31:17"
        }
    ],
    "2903": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "INDICATOR_TOOL_Ngrok",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Ngrok",
            "last_hit_utc": "2025-01-05 17:43:11"
        }
    ],
    "2904": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "jackskid_debug_build",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": null,
            "yara_rule_description": "Jackskid/RCtea - debug/development build with cleartext C2",
            "last_hit_utc": "2026-03-11 08:53:17"
        }
    ],
    "2905": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Kronos",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Kronos Payload",
            "last_hit_utc": "2021-05-04 09:28:20"
        }
    ],
    "2906": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Linux_Generic_Threat_d7802b0a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-11 18:25:41"
        }
    ],
    "2907": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Linux_Trojan_Mirai_ae9d0fa6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "2908": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Linux_Trojan_Rekoobe_de9e7bdf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-13 06:33:19"
        }
    ],
    "2909": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "LNK_Malicious_Nov1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/",
            "yara_rule_description": "Detects a suspicious LNK file",
            "last_hit_utc": "2023-01-26 23:25:05"
        }
    ],
    "2910": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Malicious_BAT_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://pastebin.com/8qaiyPxs",
            "yara_rule_description": "Detects a string also used in Netwire RAT auxiliary",
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "2911": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "MALWARE_Win_Fiber",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Fiber .NET injector",
            "last_hit_utc": "2026-03-03 06:51:18"
        }
    ],
    "2912": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "MALWARE_Win_JesterStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects JesterStealer",
            "last_hit_utc": "2025-01-05 15:14:47"
        }
    ],
    "2913": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "MALWARE_Win_RunningRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RunningRAT",
            "last_hit_utc": "2022-09-05 18:41:03"
        }
    ],
    "2914": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "MALWARE_Win_Xorist",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Xorist ransomware",
            "last_hit_utc": "2025-11-18 16:01:49"
        }
    ],
    "2915": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Mimikatz_Memory_Rule_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects password dumper mimikatz in memory",
            "last_hit_utc": "2026-03-21 00:49:34"
        }
    ],
    "2916": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "mimikatz_memssp_hookfn",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": null,
            "yara_rule_description": "hunt for default mimikatz memssp module both ondisk and in memory artifacts",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "2917": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Mirai_Pack",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-20 05:02:28"
        }
    ],
    "2918": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Multi_Trojan_Merlin_32643f4c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-10 16:35:23"
        }
    ],
    "2919": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "pcshare_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://blogs.blackberry.com/en/2019/09/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware",
            "yara_rule_description": "PCShare Backdoor",
            "last_hit_utc": "2025-08-06 16:07:18"
        }
    ],
    "2920": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "ps1_toolkit_Invoke_Mimikatz",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - file Invoke-Mimikatz.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "2921": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "RAN_GlobeImposter_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect GlobeImposter ransomware (reuse old build)",
            "last_hit_utc": "2025-08-25 19:16:46"
        }
    ],
    "2922": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "RAN_Rook_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect Rook ransomware",
            "last_hit_utc": "2026-02-12 12:56:44"
        }
    ],
    "2923": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Suspicious_BAT_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://pastebin.com/8qaiyPxs",
            "yara_rule_description": "Detects a string also used in Netwire RAT auxiliary",
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "2924": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "suspicious_sfx_files_size_rule",
            "yara_rule_author": "Razvan.A.B",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects suspicious files containing sfx",
            "last_hit_utc": "2022-07-11 12:27:03"
        }
    ],
    "2925": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Upack024027beta028alphaDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 02:26:14"
        }
    ],
    "2926": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Upackv01xv02xDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 02:26:14"
        }
    ],
    "2927": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Upackv024v028AlphaDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 02:26:14"
        }
    ],
    "2928": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "webshell_asp_generic",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file",
            "last_hit_utc": "2022-06-21 13:09:02"
        }
    ],
    "2929": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Win32_Ransomware_TechandStrat",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects TechandStrat ransomware.",
            "last_hit_utc": "2025-04-10 14:56:42"
        }
    ],
    "2930": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Win32_Ransomware_Zeppelin",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Zeppelin ransomware.",
            "last_hit_utc": "2025-01-23 02:57:03"
        }
    ],
    "2931": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Windows_Generic_Threat_deb82e8c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:34:34"
        }
    ],
    "2932": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Windows_Hacktool_Mimikatz_674fd079",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detection for default mimikatz memssp module",
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "2933": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Windows_Trojan_IcedID_48029e37",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-04-21 06:11:05"
        }
    ],
    "2934": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Windows_Trojan_Metasploit_a91a6571",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-12 05:56:37"
        }
    ],
    "2935": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "Windows_Trojan_Remotemanipulator_9ec52153",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-04 10:38:16"
        }
    ],
    "2936": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "win_conti_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.conti.",
            "last_hit_utc": "2025-05-10 12:40:15"
        }
    ],
    "2937": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "win_heodo",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-03 02:37:02"
        }
    ],
    "2938": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "win_pony_g0",
            "yara_rule_author": "Various authors / Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-04 13:18:25"
        }
    ],
    "2939": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "win_revil_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.revil.",
            "last_hit_utc": "2023-11-16 23:47:03"
        }
    ],
    "2940": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "win_shifu_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/52n8WE",
            "yara_rule_description": "Detects SHIFU Banking Trojan",
            "last_hit_utc": "2025-11-05 08:21:41"
        }
    ],
    "2941": [
        {
            "sample_cnt": 16,
            "yara_rule_name": "win_troldesh_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": "Unpacked Shade binary, non-statically-linked part and specific strings (vs. CMSBrute)",
            "last_hit_utc": "2020-04-25 12:34:36"
        }
    ],
    "2942": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "abused_screenconnect_config",
            "yara_rule_author": "Ariel Davidpur (arield9)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect ScreenConnect EXEs with suspicious host in ?h= parameter",
            "last_hit_utc": "2025-06-16 16:55:49"
        }
    ],
    "2943": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "ach_ZLoader_xls_20200522",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/7b9a8cb9e221a752507a766411b9cc69/",
            "yara_rule_description": null,
            "last_hit_utc": "2020-08-19 12:14:08"
        }
    ],
    "2944": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "AgentTesla_mod_tough_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-04 11:29:03"
        }
    ],
    "2945": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "avemaria_rat_yhub",
            "yara_rule_author": "Billy Austin",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects AveMaria RAT a.k.a. WarZone",
            "last_hit_utc": "2022-11-22 11:27:03"
        }
    ],
    "2946": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "BAT_Begin_Substring_Env",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": "https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale",
            "yara_rule_description": "Detects suspicious substring syntax at the beginning of batch script",
            "last_hit_utc": "2026-04-24 19:27:27"
        }
    ],
    "2947": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "CarbonOrchestrator_v3_77_",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-19 01:27:30"
        }
    ],
    "2948": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "CarbonOrchestrator_v3_79_",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-19 01:27:31"
        }
    ],
    "2949": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "CarbonOrchestrator_v3_81_",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-19 01:27:31"
        }
    ],
    "2950": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2026-04-27 05:18:16"
        }
    ],
    "2951": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "CobaltStrike_Sleeve_BeaconLoader_x86_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/BeaconLoader.x86.o Versions 4.3 through at least 4.6",
            "last_hit_utc": "2026-04-15 11:33:57"
        }
    ],
    "2952": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "CobaltStrike__Sleeve_BeaconLoader_x86_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-15 11:33:57"
        }
    ],
    "2953": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "CobaltStrike__Sleeve_Beacon_x64_v4_5_variant",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-19 18:46:03"
        }
    ],
    "2954": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "crime_generic_suspicious_hex_string_Jun2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on parts of a big hex string available in lots of crime'ish PE files.",
            "last_hit_utc": "2023-08-06 10:02:02"
        }
    ],
    "2955": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "crime_win32_ldr_buer_1_29",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1262391041581342722",
            "yara_rule_description": "Detects Buer loader 1.29 (unpacked)",
            "last_hit_utc": "2020-11-10 09:09:29"
        }
    ],
    "2956": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "CS_encrypted_beacon_x86_64",
            "yara_rule_author": "Etienne Maynier tek@randhome.io",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-02-16 15:20:06"
        }
    ],
    "2957": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "DROPPER_njrat_VBS",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "https://bazaar.abuse.ch/sample/daea0b5dfcc3e20b75292df60fe5f0e16a40735254485ff6cc7884697a007c0d/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-02 17:38:02"
        }
    ],
    "2958": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2025-10-14 12:09:40"
        }
    ],
    "2959": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Erbium_Loader",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Erbium Stealer's loader",
            "last_hit_utc": "2022-11-24 13:12:37"
        }
    ],
    "2960": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "EXPL_Log4j_CVE_2021_44228_Dec21_Soft",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/h113sdx/status/1469010902183661568?s=20",
            "yara_rule_description": "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228",
            "last_hit_utc": "2026-03-27 09:11:23"
        }
    ],
    "2961": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "gen_Excel_xll_addin_suspicious",
            "yara_rule_author": "@JohnLaTwC",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects suspicious XLL add-ins to Excel",
            "last_hit_utc": "2022-04-28 17:12:02"
        }
    ],
    "2962": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Impacket_Tools_psexec_RID2F96",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2025-06-16 16:48:10"
        }
    ],
    "2963": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "INDICATOR_TOOL_CNC_Chisel",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect binaries using Chisel",
            "last_hit_utc": "2026-03-23 04:30:17"
        }
    ],
    "2964": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "js_formbook",
            "yara_rule_author": "dubfib",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-13 09:41:10"
        }
    ],
    "2965": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "KoiLoader",
            "yara_rule_author": "YungBinary",
            "yara_rule_reference": null,
            "yara_rule_description": "KoiLoader",
            "last_hit_utc": "2025-11-14 13:06:22"
        }
    ],
    "2966": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Linux_Generic_Threat_6bed4416",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-11 18:25:44"
        }
    ],
    "2967": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Linux_Trojan_Mirai_6d96ae91",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-12 18:41:16"
        }
    ],
    "2968": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "MALWARE_Win_Kutaki",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Kutaki",
            "last_hit_utc": "2025-01-05 14:55:39"
        }
    ],
    "2969": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "MALWARE_Win_Phobos",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Phobos ransomware",
            "last_hit_utc": "2022-11-09 06:12:04"
        }
    ],
    "2970": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "MAL_Unknown_PWDumper_Apr18_3_RID312A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects sample from unknown sample set - IL origin",
            "last_hit_utc": "2025-11-23 10:26:52"
        }
    ],
    "2971": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Ransom_Babuk",
            "yara_rule_author": "TS @ McAfee ATR",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule to detect Babuk Locker",
            "last_hit_utc": "2022-11-07 18:20:03"
        }
    ],
    "2972": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "RemcosRat",
            "yara_rule_author": "Mohamed Ashraf",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Remcos Rat",
            "last_hit_utc": "2022-08-04 07:26:03"
        }
    ],
    "2973": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "screencap",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file screencap.exe",
            "last_hit_utc": "2020-11-17 16:08:02"
        }
    ],
    "2974": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "SHIFU_Banking_Trojan",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/52n8WE",
            "yara_rule_description": "Detects SHIFU Banking Trojan",
            "last_hit_utc": "2022-10-17 09:24:15"
        }
    ],
    "2975": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "SUSP_GObfuscate_May21",
            "yara_rule_author": "James Quinn",
            "yara_rule_reference": "https://github.com/unixpickle/gobfuscate",
            "yara_rule_description": "Identifies binaries obfuscated with gobfuscate",
            "last_hit_utc": "2022-11-10 01:14:03"
        }
    ],
    "2976": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "SUSP_NullSoftInst_Combo_Oct20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1313023627177193472",
            "yara_rule_description": "Detects suspicious NullSoft Installer combination with common Copyright strings",
            "last_hit_utc": "2025-01-05 15:27:03"
        }
    ],
    "2977": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "SysInternals_Tool_Anomaly",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "SysInternals Tool Anomaly - does not contain Mark Russinovich as author",
            "last_hit_utc": "2025-08-17 09:19:28"
        }
    ],
    "2978": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "SysInternals_Tool_Anomaly_RID312D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "SysInternals Tool Anomaly - does not contain Mark Russinovich as author",
            "last_hit_utc": "2025-08-17 09:19:28"
        }
    ],
    "2979": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "webshell_PHP_r57142",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file r57142.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "2980": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Windows_Generic_MalCert_b650c953",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-09 13:47:15"
        }
    ],
    "2981": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Windows_Hacktool_Mimikatz_674fd079",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection for default mimikatz memssp module",
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "2982": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Windows_Trojan_Havoc_9c7bb863",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-07 13:07:50"
        }
    ],
    "2983": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Windows_Trojan_OskiStealer_a158b1e3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:33:41"
        }
    ],
    "2984": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "WinRAR_CVE_2023_38831_Exploit",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day",
            "yara_rule_description": "Detects ZIP archives exploiting CVE-2023-38831 in WinRAR",
            "last_hit_utc": "2026-03-04 12:42:18"
        }
    ],
    "2985": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_agent_tesla_g1",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-12-09 14:30:07"
        }
    ],
    "2986": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_cryptbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-08 16:11:10"
        }
    ],
    "2987": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_dridex_g2",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-09-09 12:28:15"
        }
    ],
    "2988": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_limerat_j1_00cfd931",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": "",
            "yara_rule_description": "detects the lime rat",
            "last_hit_utc": "2022-10-30 10:17:04"
        }
    ],
    "2989": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_mespinoza_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-08 05:07:21"
        }
    ],
    "2990": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_nymaim_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.nymaim.",
            "last_hit_utc": "2022-10-29 05:09:02"
        }
    ],
    "2991": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_oski_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.oski.",
            "last_hit_utc": "2025-01-03 19:33:41"
        }
    ],
    "2992": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_runningrat_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-05 18:41:03"
        }
    ],
    "2993": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_svcready_w0",
            "yara_rule_author": "@AndreGironda",
            "yara_rule_reference": "",
            "yara_rule_description": "packed SVCReady / win.svcready",
            "last_hit_utc": "2022-08-18 18:38:08"
        }
    ],
    "2994": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "win_unidentified_045_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.unidentified_045.",
            "last_hit_utc": "2022-09-10 06:06:39"
        }
    ],
    "2995": [
        {
            "sample_cnt": 15,
            "yara_rule_name": "Xtreme_Sep17_1_RID2C05",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects XTREME sample analyzed in September 2017",
            "last_hit_utc": "2024-04-11 15:43:05"
        }
    ],
    "2996": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "ach_202510_elf_hailbot",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HailBot ELF files",
            "last_hit_utc": "2025-11-02 16:33:31"
        }
    ],
    "2997": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Agenttesla_telegram_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/b4ceef1e-a649-44b7-9e0c-e53c3ab05354",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-04 11:29:03"
        }
    ],
    "2998": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "babuk_copycat_esxi",
            "yara_rule_author": "Nicklas Keijser / Truesec",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of Babuk esxi ransomware copies",
            "last_hit_utc": "2025-04-21 06:44:08"
        }
    ],
    "2999": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Blacknet",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "BlackNet Payload",
            "last_hit_utc": "2023-06-14 05:03:10"
        }
    ],
    "3000": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "CobaltStrike__Sleeve_Beacon_x64_v4_4_v_4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-02 16:02:26"
        }
    ],
    "3001": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Detect_Decrypt_Key_Banker",
            "yara_rule_author": "johnk3r",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-21 15:06:01"
        }
    ],
    "3002": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Empire_Invoke_Mimikatz_1_RID3073",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/PowerShellEmpire/Empire",
            "yara_rule_description": "Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1",
            "last_hit_utc": "2025-10-14 12:09:40"
        }
    ],
    "3003": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "EXE_Loader_WikiLoader_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:50:52"
        }
    ],
    "3004": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "gh0st",
            "yara_rule_author": "https://github.com/jackcr/",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-17 02:47:14"
        }
    ],
    "3005": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "GoldenEyeRansomware_Dropper_MalformedZoomit",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/jp2SkT",
            "yara_rule_description": "Auto-generated rule",
            "last_hit_utc": "2025-01-03 19:39:26"
        }
    ],
    "3006": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "GoldenEyeRansomware_Dropper_MalformedZoomit_RID385F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/jp2SkT",
            "yara_rule_description": "Dropped Executable -",
            "last_hit_utc": "2025-01-03 19:39:26"
        }
    ],
    "3007": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "HKTL_NET_GUID_Disable_Windows_Defender",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Disable-Windows-Defender",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-05 15:12:18"
        }
    ],
    "3008": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "hunt_susp_vhd",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": null,
            "yara_rule_description": "Virtual hard disk file with embedded PE",
            "last_hit_utc": "2025-01-05 15:27:13"
        }
    ],
    "3009": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Image_With_BaseMarkers",
            "yara_rule_author": "ShadowOpCode",
            "yara_rule_reference": null,
            "yara_rule_description": "Images containing the markers 'BaseStart' and '-BaseEnd' Crypter-And-Tools",
            "last_hit_utc": "2026-03-02 11:58:24"
        }
    ],
    "3010": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "INDICATOR_EXE_Packed_MEW",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with MEW",
            "last_hit_utc": "2025-10-04 11:05:55"
        }
    ],
    "3011": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "INDICATOR_TOOL_PWS_Mimikatz",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Mimikatz",
            "last_hit_utc": "2025-11-25 20:47:30"
        }
    ],
    "3012": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Jupyter_infostealer",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule for Jupyter Infostealer/Solarmarker malware from September 2021-December 2022",
            "last_hit_utc": "2022-10-22 09:27:02"
        }
    ],
    "3013": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Linux_Cryptominer_Generic_e0cca9dc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:38:56"
        }
    ],
    "3014": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Linux_Ransomware_Akira_02237952",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:56:08"
        }
    ],
    "3015": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Linux_Ransomware_Babuk_bd216cab",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-21 06:44:08"
        }
    ],
    "3016": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Linux_Trojan_Gafgyt_6122acdf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:12:03"
        }
    ],
    "3017": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Linux_Trojan_Gafgyt_751acb94",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-03 08:18:03"
        }
    ],
    "3018": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Linux_Trojan_Gafgyt_d608cf3b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628",
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-18 19:22:27"
        }
    ],
    "3019": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Linux_Trojan_Mettle_e8fdbcbd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-09 16:40:45"
        }
    ],
    "3020": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "lnk_emotet",
            "yara_rule_author": "HP Threat Research @HPSecurity",
            "yara_rule_reference": null,
            "yara_rule_description": "LNK file which downloads Emotet",
            "last_hit_utc": "2025-09-20 17:29:18"
        }
    ],
    "3021": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "MALWARE_Win_CyberGate",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects CyberGate/Spyrat/Rebhip RTA",
            "last_hit_utc": "2022-08-31 05:30:03"
        }
    ],
    "3022": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "MALWARE_Win_DLAgent02",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects known downloader agent downloading encoded binaries in patches from paste-like websites, most notably hastebin",
            "last_hit_utc": "2025-06-16 15:53:53"
        }
    ],
    "3023": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "MALWARE_Win_GravityRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GravityRAT",
            "last_hit_utc": "2026-04-12 13:11:28"
        }
    ],
    "3024": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "MALWARE_Win_Phoenix",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Phoenix/404KeyLogger keylogger payload",
            "last_hit_utc": "2025-10-28 13:44:47"
        }
    ],
    "3025": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "MALWARE_Win_XpertRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "XpertRAT payload",
            "last_hit_utc": "2023-06-10 18:06:03"
        }
    ],
    "3026": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "MAL_ArtraDownloader2_Aug19_1_RID30FB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/",
            "yara_rule_description": "Detects ArtraDownloader malware",
            "last_hit_utc": "2025-11-24 16:37:32"
        }
    ],
    "3027": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "MAL_Emotet_Jan20_1_RID2D22",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/",
            "yara_rule_description": "Detects Emotet malware",
            "last_hit_utc": "2025-07-03 01:30:18"
        }
    ],
    "3028": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "msxls_zloader_formula_ptg_ref_num_add_count",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Finding XLS2003 documents with a large number of PtgRef->PtgAdd->PtgNum entries",
            "last_hit_utc": "2020-08-08 07:12:23"
        }
    ],
    "3029": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "multiple_concats_in_excel4_formula_exec",
            "yara_rule_author": "Will Metcalf",
            "yara_rule_reference": "https://support.microsoft.com/en-us/office/excel-specifications-and-limits-1672b34d-7043-467e-8e27-269d656771c3",
            "yara_rule_description": "Behold The Great And Powerful Match Iterator. Multiple Concats Inside of exec Function",
            "last_hit_utc": "2021-05-26 12:51:06"
        }
    ],
    "3030": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "OdysseyStealer",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match the strings found in OdysseyStealer",
            "last_hit_utc": "2026-03-06 14:13:20"
        }
    ],
    "3031": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "OpCloudHopper_Malware_3_RID2FEF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects Operation CloudHopper malware samples",
            "last_hit_utc": "2026-04-13 06:03:07"
        }
    ],
    "3032": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "ProjectM_DarkComet_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/",
            "yara_rule_description": "Detects ProjectM Malware",
            "last_hit_utc": "2025-12-23 20:32:14"
        }
    ],
    "3033": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "PUA_AnyDesk_Compromised_Certificate_Revoked_Jan24",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://anydesk.com/en/public-statement",
            "yara_rule_description": "Detects binaries signed with a compromised signing certificate of AnyDesk (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8) after it was revoked. This is not a threat detection. It detects an outdated version of AnyDesk that was signed with a certificate that has been revoked.",
            "last_hit_utc": "2025-08-19 14:16:04"
        }
    ],
    "3034": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "SUSP_Four_Byte_XOR_PE_And_MZ",
            "yara_rule_author": "Wesley Shields <wxs@atarininja.org>",
            "yara_rule_reference": "https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83",
            "yara_rule_description": "Look for 4 byte xor of a PE starting at offset 0",
            "last_hit_utc": "2026-02-17 22:02:16"
        }
    ],
    "3035": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "SUSP_PowerShell_String_K32_RemProcess_RID3507",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/nccgroup/redsnarf",
            "yara_rule_description": "Detects suspicious PowerShell code that uses Kernel32, RemoteProccess handles or shellcode",
            "last_hit_utc": "2025-10-14 12:09:40"
        }
    ],
    "3036": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Updater",
            "yara_rule_author": "Malman",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a malware script with specific characteristics and strings such as Updater",
            "last_hit_utc": "2025-11-30 12:48:16"
        }
    ],
    "3037": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "vklogger_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://www.hybrid-analysis.com/string-search/results/1e75a1d90f3a4e8c2d657f7cfa663947d02f98515db97881487e528e0ade4099",
            "yara_rule_description": "Unknown Keylogger",
            "last_hit_utc": "2025-02-26 04:26:27"
        }
    ],
    "3038": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "win32_dotnet_loader",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting .NET loader malware",
            "last_hit_utc": "2025-10-29 19:37:00"
        }
    ],
    "3039": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "win32_xworm",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting XWorm malware",
            "last_hit_utc": "2025-10-16 07:31:42"
        }
    ],
    "3040": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Windows_Generic_Threat_dbceec58",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-27 13:11:33"
        }
    ],
    "3041": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Windows_Ransomware_Lockbit_89e64044",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:57:47"
        }
    ],
    "3042": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Windows_Ransomware_Lockbit_a1c60939",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:57:47"
        }
    ],
    "3043": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Windows_Trojan_AgentTesla_e577e17e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-12-07 13:54:05"
        }
    ],
    "3044": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Windows_Trojan_Arechclient2_b6ea1c83",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-21 13:40:26"
        }
    ],
    "3045": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Windows_Trojan_CyberGate_517aac7d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-29 05:46:13"
        }
    ],
    "3046": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Windows_Trojan_Netwire_1b43df38",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-22 08:06:03"
        }
    ],
    "3047": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "Windows_Trojan_Netwire_1b43df38",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 23:31:42"
        }
    ],
    "3048": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "win_agent_tesla_w1",
            "yara_rule_author": "govcert_ch",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect Agent Tesla based on common .NET code sequences",
            "last_hit_utc": "2022-11-04 11:29:03"
        }
    ],
    "3049": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "win_batel_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-04-25 12:21:39"
        }
    ],
    "3050": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "win_blacksoul_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.blacksoul.",
            "last_hit_utc": "2025-01-05 15:18:27"
        }
    ],
    "3051": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "win_locky_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.locky.",
            "last_hit_utc": "2025-03-09 04:11:18"
        }
    ],
    "3052": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "win_mimikatz_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mimikatz.",
            "last_hit_utc": "2025-10-06 10:22:13"
        }
    ],
    "3053": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "win_modern_loader_v1_01_1edf",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "matches unpacked ModernLoader samples",
            "last_hit_utc": "2023-05-13 08:17:29"
        }
    ],
    "3054": [
        {
            "sample_cnt": 14,
            "yara_rule_name": "win_sality_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.sality.",
            "last_hit_utc": "2022-10-17 09:19:09"
        }
    ],
    "3055": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "ach_SmokeLoader_xlsb_20201112",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/1a4c3a2a418f90c08c5c5341d517753d/",
            "yara_rule_description": "Detects Smoke Loader XLSB",
            "last_hit_utc": "2021-06-30 04:54:37"
        }
    ],
    "3056": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "APT_MAL_LNX_RedMenshen_BPFDoor_Controller_Generic_May22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
            "yara_rule_description": "Detects BPFDoor malware",
            "last_hit_utc": "2022-11-15 13:10:04"
        }
    ],
    "3057": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "ArechClient",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies ArechClient, infostealer.",
            "last_hit_utc": "2025-01-05 15:08:32"
        }
    ],
    "3058": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "azorult",
            "yara_rule_author": "c3rb3ru5",
            "yara_rule_reference": "",
            "yara_rule_description": "Azorult Configuration Extractor",
            "last_hit_utc": "2022-08-10 11:12:03"
        }
    ],
    "3059": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "BAT_Chunked_Payload_SetEnv",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects batch script storing chunks of payload in random environment variables",
            "last_hit_utc": "2026-02-05 15:04:23"
        }
    ],
    "3060": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "BuerLoader",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-11-17 08:22:06"
        }
    ],
    "3061": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "bumblebee_win_generic",
            "yara_rule_author": "_kphi",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-24 04:19:03"
        }
    ],
    "3062": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "CN_Honker__builder_shift_SkinH",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe",
            "last_hit_utc": "2022-07-11 13:30:33"
        }
    ],
    "3063": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "CommonBase64ReverseShellStrings",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects common powershell base64 reverse shell strings",
            "last_hit_utc": "2026-03-26 16:58:19"
        }
    ],
    "3064": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "crime_unidentified_118",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects malware family unidentified_118",
            "last_hit_utc": "2025-08-06 16:08:30"
        }
    ],
    "3065": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "crime_win32_zloader_load_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1240664014121828352",
            "yara_rule_description": "Detects Zloader loader 1.1.20",
            "last_hit_utc": "2020-11-10 09:19:04"
        }
    ],
    "3066": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "DarkGate",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "DarkGate Payload",
            "last_hit_utc": "2025-01-17 10:47:30"
        }
    ],
    "3067": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "DbatLoader",
            "yara_rule_author": "Harish Kumar P",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule to Detect DbatLoader",
            "last_hit_utc": "2022-11-25 13:45:02"
        }
    ],
    "3068": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Detect_JanelaRat",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "https://x.com/johnk3r/status/1808285754105180496",
            "last_hit_utc": "2025-06-16 17:00:28"
        }
    ],
    "3069": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "elf_bpfdoor_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/jcksnsec/status/1522163033585467393",
            "yara_rule_description": "Detects unknown Linux implants (uploads from KR and MO)",
            "last_hit_utc": "2026-04-25 22:06:32"
        }
    ],
    "3070": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Empire_Invoke_Mimikatz",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/PowerShellEmpire/Empire",
            "yara_rule_description": "Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1",
            "last_hit_utc": "2025-10-14 12:09:39"
        }
    ],
    "3071": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "EXE_Ransomware_Phobos_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-04 12:13:31"
        }
    ],
    "3072": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "EXE_Stealer_Phemedrone_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-15 12:34:02"
        }
    ],
    "3073": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "EXPL_Log4j_CVE_2021_44228_Dec21_Soft",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/h113sdx/status/1469010902183661568?s=20",
            "yara_rule_description": "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228",
            "last_hit_utc": "2022-04-18 20:52:03"
        }
    ],
    "3074": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/sbousseaden/status/1292143504131600384?s=12",
            "yara_rule_description": "Detects Mimikatz SkeletonKey in Memory",
            "last_hit_utc": "2025-10-06 10:22:12"
        }
    ],
    "3075": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "HKTL_NET_GUID_SharpHide",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/outflanknl/SharpHide",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-02-13 07:25:31"
        }
    ],
    "3076": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Impacket_Keyword",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Impacket Keyword in Executable",
            "last_hit_utc": "2025-06-16 16:48:09"
        }
    ],
    "3077": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "INDICATOR_EXE_Packed_BoxedApp",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with BoxedApp",
            "last_hit_utc": "2022-07-14 10:17:02"
        }
    ],
    "3078": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_AMSI_Bypass",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AMSI bypass pattern",
            "last_hit_utc": "2026-04-15 13:14:21"
        }
    ],
    "3079": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing base64 encoded User Agent",
            "last_hit_utc": "2022-11-04 18:28:02"
        }
    ],
    "3080": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "INDICATOR_TOOL_ChromeCookiesView",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects ChromeCookiesView",
            "last_hit_utc": "2022-10-21 15:47:03"
        }
    ],
    "3081": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "INDICATOR_TOOL_EXP_EternalBlue",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Windows executables containing EternalBlue exploitation artifacts",
            "last_hit_utc": "2026-01-07 13:42:14"
        }
    ],
    "3082": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "informational_win_ole_exist",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": "",
            "yara_rule_description": "Identify OLE Packages embedded in Office 97-2K3 Doc Files.",
            "last_hit_utc": "2022-11-14 18:59:06"
        }
    ],
    "3083": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "kkrunchy023alpha2Ryd",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:11:27"
        }
    ],
    "3084": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "latrodectus_decrypt_string",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/",
            "yara_rule_description": "This rule detects the Latrodectus DLL Decrypt String Algorithm.",
            "last_hit_utc": "2025-04-16 13:08:07"
        }
    ],
    "3085": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "LimeRAT",
            "yara_rule_author": "RustyNoob619",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Lime RAT malware samples based on the strings matched",
            "last_hit_utc": "2025-09-28 08:39:21"
        }
    ],
    "3086": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Cryptominer_Flystudio_0a370634",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-08 21:55:24"
        }
    ],
    "3087": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Hacktool_LigoloNG_027c0134",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-12 09:35:36"
        }
    ],
    "3088": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Ransomware_Hive_bdc7de59",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:49:38"
        }
    ],
    "3089": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Trojan_Gafgyt_09c3070e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "3090": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Trojan_Gafgyt_32eb0c81",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "3091": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Trojan_Gafgyt_779e142f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "3092": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Trojan_Gafgyt_9abf7e0c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 23:55:42"
        }
    ],
    "3093": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Trojan_Gafgyt_a6a2adb9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "3094": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Trojan_Gafgyt_d0c57a2e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "3095": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Trojan_Gafgyt_f3d83a74",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "3096": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Linux_Trojan_Zerobot_185e2396",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Strings found in the zerobot startup / persistence functions",
            "last_hit_utc": "2025-08-02 07:52:23"
        }
    ],
    "3097": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Lockbit2_Jul21",
            "yara_rule_author": "CB @ ATR",
            "yara_rule_reference": null,
            "yara_rule_description": "simple rule to detect latest Lockbit ransomware Jul 2021",
            "last_hit_utc": "2025-01-05 15:57:47"
        }
    ],
    "3098": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "MALWARE_Linux_XORDDoS",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects XORDDoS",
            "last_hit_utc": "2022-10-05 11:40:04"
        }
    ],
    "3099": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "MALWARE_Win_BotSh1zoid",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects BotSh1zoid",
            "last_hit_utc": "2022-02-03 14:45:04"
        }
    ],
    "3100": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "MALWARE_Win_GoBrut",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unknown Go multi-bruteforcer bot (StealthWorker / GoBrut) against multiple systems: QNAP, MagOcart, WordPress, Opencart, Bitrix, Postgers, MySQL, Drupal, Joomla, SSH, FTP, Magneto, CPanel",
            "last_hit_utc": "2022-05-03 07:42:04"
        }
    ],
    "3101": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "MALWARE_Win_MedusaLocker",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MedusaLocker ransomware",
            "last_hit_utc": "2023-03-12 07:17:38"
        }
    ],
    "3102": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "MALWARE_Win_PandaStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Panda Stealer",
            "last_hit_utc": "2025-06-21 21:48:47"
        }
    ],
    "3103": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "MAL_JRAT_Oct18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects JRAT malware",
            "last_hit_utc": "2022-11-09 11:34:04"
        }
    ],
    "3104": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "MAL_Ryuk_Ransomware",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
            "yara_rule_description": "Detects strings known from Ryuk Ransomware",
            "last_hit_utc": "2022-12-20 10:42:04"
        }
    ],
    "3105": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "medusa_stealer",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Medusa/Meduza Stealer Payload",
            "last_hit_utc": "2025-01-03 20:48:00"
        }
    ],
    "3106": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "metasploit_rev_tcp_64",
            "yara_rule_author": "Javier Rascon",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-18 21:22:03"
        }
    ],
    "3107": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "MINER_monero_mining_detection",
            "yara_rule_author": "Christiaan Beek | McAfee ATR Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Monero mining software",
            "last_hit_utc": "2022-01-27 07:39:04"
        }
    ],
    "3108": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "NET_RedLine_AntiDebug",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RedLine evading .NET debuggers",
            "last_hit_utc": "2025-01-03 21:17:13"
        }
    ],
    "3109": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "NotPetya_Ransomware_Jun17_RID30B7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/h6iaGj",
            "yara_rule_description": "Detects new NotPetya Ransomware variant from June 2017",
            "last_hit_utc": "2025-09-30 14:11:35"
        }
    ],
    "3110": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "OBFUS_PowerShell_Execution",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects some variations of obfuscated PowerShell code to execute further PowerShell code",
            "last_hit_utc": "2025-10-07 14:29:39"
        }
    ],
    "3111": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "PlugX_EncodedBlob",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-08 06:44:48"
        }
    ],
    "3112": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Reflective_DLL_Loader_Aug17_1_RID317F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Reflective DLL Loader",
            "last_hit_utc": "2025-11-19 15:44:24"
        }
    ],
    "3113": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Saudi_Phish_Trojan",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/Z3JUAA",
            "yara_rule_description": "Detects a trojan used in Saudi Aramco Phishing",
            "last_hit_utc": "2022-11-02 12:02:03"
        }
    ],
    "3114": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "signed_infostealer1122",
            "yara_rule_author": "Valton Tahiri",
            "yara_rule_reference": null,
            "yara_rule_description": "Signed Infostealer spreading",
            "last_hit_utc": "2025-10-23 08:17:36"
        }
    ],
    "3115": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Suspicious_PowerShell_WebDownload_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious PowerShell code that downloads from web sites",
            "last_hit_utc": "2022-10-22 09:42:43"
        }
    ],
    "3116": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "SUSP_GIF_Anomalies",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://en.wikipedia.org/wiki/GIF",
            "yara_rule_description": "Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type",
            "last_hit_utc": "2022-08-31 04:29:02"
        }
    ],
    "3117": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "SUSP_html_base64",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious base64 strings in HTML",
            "last_hit_utc": "2025-08-29 17:46:52"
        }
    ],
    "3118": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "SUSP_OBFUSC_PowerShell_True_Jun20_1_RID335E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/corneacristian/mimikatz-bypass/",
            "yara_rule_description": "Detects indicators often found in obfuscated PowerShell scripts",
            "last_hit_utc": "2026-04-10 18:26:22"
        }
    ],
    "3119": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "SUSP_OneNote_Embedded_FileDataStoreObject_Type_Jan23_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blog.didierstevens.com/",
            "yara_rule_description": "Detects suspicious embedded file types in OneNote files",
            "last_hit_utc": "2025-01-05 15:41:58"
        }
    ],
    "3120": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "SUSP_PowerShell_Download_Temp_Rundll",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect a Download to %temp% and execution with rundll32.exe",
            "last_hit_utc": "2025-11-15 16:32:17"
        }
    ],
    "3121": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "SUSP_Script_Base64_Blocks_Jun20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://posts.specterops.io/covenant-v0-5-eee0507b85ba",
            "yara_rule_description": "Detects suspicious file with base64 encoded payload in blocks",
            "last_hit_utc": "2022-03-21 16:04:05"
        }
    ],
    "3122": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "SUSP_Script_Base64_Blocks_Jun20_1_RID32AF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://posts.specterops.io/covenant-v0-5-eee0507b85ba",
            "yara_rule_description": "Detects suspicious file with base64 encoded payload in blocks",
            "last_hit_utc": "2022-03-21 16:04:05"
        }
    ],
    "3123": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "UA_Havoc_July_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Havoc based on User Agent",
            "last_hit_utc": "2025-01-03 21:14:34"
        }
    ],
    "3124": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "upx_1_00_to_1_07",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "UPX 1.00 to 1.07",
            "last_hit_utc": "2026-03-23 07:49:22"
        }
    ],
    "3125": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Win32_Ransomware_LockBit",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects LockBit ransomware.",
            "last_hit_utc": "2025-01-05 15:57:47"
        }
    ],
    "3126": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Windows_Trojan_Emotet_8b9449c1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-03 02:37:02"
        }
    ],
    "3127": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Windows_Trojan_Fickerstealer_f2159bec",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-02-24 04:41:03"
        }
    ],
    "3128": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "Windows_Trojan_Vidar_65d3d7e5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-26 06:19:55"
        }
    ],
    "3129": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "win_blacksoul_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.blacksoul.",
            "last_hit_utc": "2022-03-09 09:16:04"
        }
    ],
    "3130": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "win_cutwail_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-24 05:57:38"
        }
    ],
    "3131": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "win_danabot",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": "",
            "yara_rule_description": "detects DanaBot",
            "last_hit_utc": "2022-07-11 09:26:02"
        }
    ],
    "3132": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "win_fickerstealer_w0",
            "yara_rule_author": "Ben Cohen, CyberArk",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule for Ficker Stealer",
            "last_hit_utc": "2023-02-24 04:41:03"
        }
    ],
    "3133": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "win_fickerstealer_w0",
            "yara_rule_author": "Ben Cohen, CyberArk",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule for Ficker Stealer",
            "last_hit_utc": "2022-11-11 06:49:06"
        }
    ],
    "3134": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "win_globeimposter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.globeimposter.",
            "last_hit_utc": "2023-01-08 12:25:04"
        }
    ],
    "3135": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "win_neshta_g0",
            "yara_rule_author": "gpalazolo",
            "yara_rule_reference": "https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest",
            "yara_rule_description": "This rule identifies Neshta Malware.",
            "last_hit_utc": "2021-04-06 09:04:08"
        }
    ],
    "3136": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "win_redline_updated_bytecodes_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Configuration related bytecodes in redline .net files",
            "last_hit_utc": "2025-06-16 15:53:35"
        }
    ],
    "3137": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "xtremrat",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "Xtrem RAT v3.5",
            "last_hit_utc": "2025-01-05 17:28:06"
        }
    ],
    "3138": [
        {
            "sample_cnt": 13,
            "yara_rule_name": "ZLoader",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies ZLoader in memory or unpacked.",
            "last_hit_utc": "2020-11-10 09:19:04"
        }
    ],
    "3139": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "ach_LimeRAT",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/b8ae86c2afee9948e6f949892e0162e5/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-06-08 17:48:03"
        }
    ],
    "3140": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Agenttesla",
            "yara_rule_author": "Stormshield",
            "yara_rule_reference": "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/",
            "yara_rule_description": "Detecting HTML strings used by Agent Tesla malware",
            "last_hit_utc": "2021-06-20 16:26:12"
        }
    ],
    "3141": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "BAT_Obfuscated_SetEnv",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": "https://twitter.com/wdormann/status/1651631372438585344",
            "yara_rule_description": "Detects batch script with obfuscated SET command located directly after @echo off",
            "last_hit_utc": "2026-04-05 00:52:17"
        }
    ],
    "3142": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "CN_disclosed_20180208_lsls",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/cyberintproject/status/961714165550342146",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2025-09-12 12:45:45"
        }
    ],
    "3143": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "crime_Qakbot_excel_lure_Feb2022_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": "",
            "yara_rule_description": "Triggers on lure graphic and macro sheet used.",
            "last_hit_utc": "2022-04-07 20:56:03"
        }
    ],
    "3144": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "CryLock",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies CryLock aka Cryakl ransomware.",
            "last_hit_utc": "2025-01-05 17:28:01"
        }
    ],
    "3145": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "DevC4992BloodshedSoftware",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-18 07:53:25"
        }
    ],
    "3146": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "dUP2xPatcherwwwdiablo2oo2cjbnet",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-03 12:21:45"
        }
    ],
    "3147": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Generic_KeyGen_Patcher_RID2F96",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Keygen from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe",
            "last_hit_utc": "2026-03-26 15:37:13"
        }
    ],
    "3148": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "hdata_section",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": null,
            "yara_rule_description": "check for existence of hdata section. This is rarely used legitimately",
            "last_hit_utc": "2025-05-26 15:14:22"
        }
    ],
    "3149": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "HKTL_NET_GUID_Lime_RAT",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Lime-RAT",
            "yara_rule_description": "Detects VB.NET red/black-team tools via typelibguid",
            "last_hit_utc": "2022-11-30 15:56:03"
        }
    ],
    "3150": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "IDATDropper",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects modified versions of dialer.exe, BthUdTask.exe, and dvdplay containing embedded JavaScript. The JS executes an obfuscated PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).",
            "last_hit_utc": "2025-01-03 20:12:31"
        }
    ],
    "3151": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Impacket_Tools_psexec",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2025-06-16 16:48:10"
        }
    ],
    "3152": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "INDICATOR_EXE_Packed_ConfuserEx_Custom",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with ConfuserEx Custom; outside of GIT",
            "last_hit_utc": "2022-11-25 13:45:03"
        }
    ],
    "3153": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "INDICATOR_KB_CERT_06aea76bac46a9e8cfe6d29e45aaf033",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-06-27 06:42:23"
        }
    ],
    "3154": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "INDICATOR_KB_CERT_43bb437d609866286dd839e1d00309f5",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "https://bazaar.abuse.ch/faq/#cscb",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2026-03-19 11:48:06"
        }
    ],
    "3155": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables with modified PE resources using the unpaid version of Resource Tuner",
            "last_hit_utc": "2025-06-16 15:15:58"
        }
    ],
    "3156": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "INDICATOR_TOOL_PWS_Rubeus",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Rubeus kerberos defensive/offensive toolset",
            "last_hit_utc": "2026-02-22 18:16:18"
        }
    ],
    "3157": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "JKornevHidden",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match the strings found in JKornev's Hidden rootkit",
            "last_hit_utc": "2026-04-27 05:18:16"
        }
    ],
    "3158": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "LinuxUnknownCode",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 13:10:03"
        }
    ],
    "3159": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Backdoor_NoodRAT",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects NoodRAT backdoor.",
            "last_hit_utc": "2025-12-13 06:33:19"
        }
    ],
    "3160": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Gafgyt_cf84c9f2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "3161": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Gafgyt_dd0d6173",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "3162": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Generic_7b82a21c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 13:10:04"
        }
    ],
    "3163": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Metasploit_849cc5d5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-05 23:15:29"
        }
    ],
    "3164": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Metasploit_da378432",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-05 23:15:29"
        }
    ],
    "3165": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Meterpreter_a82f5d21",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-09 16:40:44"
        }
    ],
    "3166": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Mirai_fa3ad9d0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "3167": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Tsunami_019f0e75",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-08 21:19:05"
        }
    ],
    "3168": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Xorddos_0eb147ca",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-23 02:39:20"
        }
    ],
    "3169": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Xorddos_2084099a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-23 02:39:20"
        }
    ],
    "3170": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Linux_Trojan_Xorddos_ba961ed2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-23 02:39:20"
        }
    ],
    "3171": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "MalScript_Tricks",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.",
            "last_hit_utc": "2022-05-06 12:29:02"
        }
    ],
    "3172": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "malware_CobaltStrike_beacon",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "CobaltStrike encoding code",
            "last_hit_utc": "2022-10-30 18:15:04"
        }
    ],
    "3173": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "MALWARE_Win_Meteorite",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Meteorite downloader",
            "last_hit_utc": "2022-08-10 09:32:33"
        }
    ],
    "3174": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "MALWARE_Win_PandaStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Panda Stealer",
            "last_hit_utc": "2022-11-07 16:57:04"
        }
    ],
    "3175": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "MALWARE_Win_Spyro",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Spyro / VoidCrypt / Limbozar ransomware",
            "last_hit_utc": "2025-01-05 15:26:10"
        }
    ],
    "3176": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "MALWARE_Win_Xorist",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Xorist ransomware",
            "last_hit_utc": "2022-10-29 23:27:03"
        }
    ],
    "3177": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "MAL_Netsha_Mar20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Netsha malware",
            "last_hit_utc": "2021-01-18 13:10:05"
        }
    ],
    "3178": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Matanbuchus_name_only",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://twitter.com/pr0xylife/status/1537511268591992840",
            "yara_rule_description": "Matanbuchus",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "3179": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "mirai_botnet_pack",
            "yara_rule_author": "bozer",
            "yara_rule_reference": null,
            "yara_rule_description": "Used to detect packed Mirai and its variants",
            "last_hit_utc": "2025-01-05 16:41:16"
        }
    ],
    "3180": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Multi_EICAR_ac8f42d6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-15 08:17:16"
        }
    ],
    "3181": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "NetWiredRC_B",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "NetWiredRC",
            "last_hit_utc": "2025-11-24 16:35:35"
        }
    ],
    "3182": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "pe_packer_pecompact2",
            "yara_rule_author": "@jstrosch",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-24 10:16:50"
        }
    ],
    "3183": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "PurpleFox_Dropper",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies PurpleFox aka DirtyMoe botnet, dropper CAB or MSI package.",
            "last_hit_utc": "2022-10-11 01:10:03"
        }
    ],
    "3184": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "RANSOM_Lockbit_Black_Packer",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "https://twitter.com/vxunderground/status/1543661557883740161",
            "yara_rule_description": "Detects the packer used by Lockbit Black (Version 3)",
            "last_hit_utc": "2025-12-19 11:59:14"
        }
    ],
    "3185": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "RAN_Lockbit_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect Lockbit ransomware",
            "last_hit_utc": "2025-01-05 15:57:47"
        }
    ],
    "3186": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "RoyalRoad_RTF_v7",
            "yara_rule_author": "nao_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2023-05-30 12:13:03"
        }
    ],
    "3187": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Royal_Ran_V1",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-29 11:46:02"
        }
    ],
    "3188": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Rust_Stealer",
            "yara_rule_author": "HunterHT94",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-29 03:35:21"
        }
    ],
    "3189": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "SilverRAT",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SilverRAT",
            "last_hit_utc": "2025-11-08 09:43:14"
        }
    ],
    "3190": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Start2__mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e",
            "yara_rule_description": "SystemBC",
            "last_hit_utc": "2026-02-14 15:29:26"
        }
    ],
    "3191": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Suspicious_Encoded_PS_String_20251105",
            "yara_rule_author": "ShadowOpCode",
            "yara_rule_reference": "internally crafted rule",
            "yara_rule_description": "Detects ASCII string",
            "last_hit_utc": "2025-12-11 08:55:19"
        }
    ],
    "3192": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "SUSP_PE_Signed_by_Suspicious_Entitiy_Mar23",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/",
            "yara_rule_description": "Find driver signed by suspicious company (see references)",
            "last_hit_utc": "2025-11-05 08:22:45"
        }
    ],
    "3193": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "swfdoc_hunter",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 11:12:34"
        }
    ],
    "3194": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "SystemBC_Config",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies SystemBC RAT, decrypted config.",
            "last_hit_utc": "2025-01-05 15:09:44"
        }
    ],
    "3195": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Unspecified_Malware_Oct16_A_RID3134",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an unspecified malware - October 2016",
            "last_hit_utc": "2026-04-23 08:36:37"
        }
    ],
    "3196": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "webshell_filesman_base64",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshell FilesMan",
            "last_hit_utc": "2025-01-23 05:09:02"
        }
    ],
    "3197": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "WiltedTulip_WindowsTask",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects hack tool used in Operation Wilted Tulip - Windows Tasks",
            "last_hit_utc": "2025-11-13 04:48:20"
        }
    ],
    "3198": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Generic_Threat_7a49053e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-20 04:03:20"
        }
    ],
    "3199": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Generic_Threat_89efd1b4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-13 09:03:24"
        }
    ],
    "3200": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Generic_Threat_eab96cf2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:25:57"
        }
    ],
    "3201": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Ransomware_Makop_3e388338",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-06 02:17:42"
        }
    ],
    "3202": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Trojan_AgentTesla_e577e17e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-12-11 11:18:24"
        }
    ],
    "3203": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Trojan_IcedID_0b62e783",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-21 12:34:06"
        }
    ],
    "3204": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Trojan_IcedID_48029e37",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-21 12:34:06"
        }
    ],
    "3205": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Trojan_IcedID_91562d18",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-21 12:34:06"
        }
    ],
    "3206": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Trojan_Vidar_114258d5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:35:31"
        }
    ],
    "3207": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Windows_Trojan_Vidar_9007feb2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 14:50:30"
        }
    ],
    "3208": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "WinZip32bitSFXv8xmodule",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:53:15"
        }
    ],
    "3209": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_akira_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.akira.",
            "last_hit_utc": "2025-06-16 16:56:38"
        }
    ],
    "3210": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_betabot_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-10-03 11:56:04"
        }
    ],
    "3211": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_darkcomet_a0",
            "yara_rule_author": "David Cannings",
            "yara_rule_reference": null,
            "yara_rule_description": "Strings from the Dark Comet 5.2 stub",
            "last_hit_utc": "2021-03-02 17:16:06"
        }
    ],
    "3212": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_darktrack_rat_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-22 22:07:41"
        }
    ],
    "3213": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026",
            "yara_rule_author": "SixHands",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits",
            "last_hit_utc": "2026-04-26 15:48:27"
        }
    ],
    "3214": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_ghost_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.ghost_rat.",
            "last_hit_utc": "2026-01-11 15:40:33"
        }
    ],
    "3215": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_nullmixer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.nullmixer.",
            "last_hit_utc": "2025-05-06 03:04:11"
        }
    ],
    "3216": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_privateloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.privateloader.",
            "last_hit_utc": "2022-11-12 14:27:03"
        }
    ],
    "3217": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_qakbot",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-10-15 15:48:04"
        }
    ],
    "3218": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_qakbot_a0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-10-15 15:48:04"
        }
    ],
    "3219": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "win_unidentified_045_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-09 23:18:06"
        }
    ],
    "3220": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "XTinyLoader",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects XTiny Loader",
            "last_hit_utc": "2026-02-17 11:01:30"
        }
    ],
    "3221": [
        {
            "sample_cnt": 12,
            "yara_rule_name": "ZIP_High_Ratio_Single_Doc",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ZIP archives containing single MS Word document with unusually high compression ratio",
            "last_hit_utc": "2025-01-05 15:49:17"
        }
    ],
    "3222": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "ach_DarkVNC",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/54f5f7c5c74cb688f97f99aef2279beb/",
            "yara_rule_description": "Detects DarkVNC",
            "last_hit_utc": "2021-03-25 06:09:04"
        }
    ],
    "3223": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "ach_Gozi_doc_20201215",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/3195d6ee0ab770936634b7a4c6433699/",
            "yara_rule_description": "Detects Gozi ISFB doc",
            "last_hit_utc": "2020-12-15 08:57:21"
        }
    ],
    "3224": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "anyburn_iso_with_date",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on ISOs created with AnyBurn using volume names such as 12_19_2022.",
            "last_hit_utc": "2026-02-14 16:23:14"
        }
    ],
    "3225": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "ByteCode_MSIL_Backdoor_LimeRAT",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects LimeRAT backdoor.",
            "last_hit_utc": "2025-09-28 08:39:21"
        }
    ],
    "3226": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "cert_blocklist_07cef66a71c35bc3aed6d100c6493863",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2021-09-01 07:55:13"
        }
    ],
    "3227": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "crime_win64_bumbleebee_loader_packed",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:12:55"
        }
    ],
    "3228": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "crime_win64_emotet_unpacked",
            "yara_rule_author": "Rony (r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-03 02:37:02"
        }
    ],
    "3229": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "CrimsonRAT",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "Matches CrimsonRAT",
            "last_hit_utc": "2026-02-13 08:04:14"
        }
    ],
    "3230": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "CryptoLocker_set1",
            "yara_rule_author": "Christiaan Beek, Christiaan_Beek@McAfee.com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of Cryptolocker Samples",
            "last_hit_utc": "2025-10-04 10:38:41"
        }
    ],
    "3231": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "DarkTortilla_2ndStage",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "Matches DarkTortilla second stage loader strings/bytecode",
            "last_hit_utc": "2026-03-24 13:50:23"
        }
    ],
    "3232": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "darktrack_rat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-22 22:07:40"
        }
    ],
    "3233": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "detection_havoc_c2_config",
            "yara_rule_author": "smisraa@gmail.com",
            "yara_rule_reference": null,
            "yara_rule_description": "this rule covers config from implants from havoc c2 (https://github.com/HavocFramework/Havoc)",
            "last_hit_utc": "2025-01-05 15:44:49"
        }
    ],
    "3234": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "detect_certum_issuer",
            "yara_rule_author": "Certum",
            "yara_rule_reference": null,
            "yara_rule_description": "Looks for files signed with certificate issued by Certum",
            "last_hit_utc": "2026-04-08 14:00:50"
        }
    ],
    "3235": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Discord_RAT_C_sharp",
            "yara_rule_author": "malwquinn",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 20:04:26"
        }
    ],
    "3236": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "elf_bpfdoor_w2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/jcksnsec/status/1522163033585467393",
            "yara_rule_description": "Detects BPFDoor implants used by Chinese actor Red Menshen",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "3237": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Emotet_EP4",
            "yara_rule_author": "@MarceloRivero",
            "yara_rule_reference": "",
            "yara_rule_description": "Emotet EP4 unpacked",
            "last_hit_utc": "2022-07-14 06:38:03"
        }
    ],
    "3238": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Empire_Invoke_Mimikatz_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-Mimikatz.ps1",
            "last_hit_utc": "2025-10-14 12:09:40"
        }
    ],
    "3239": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "focusbot_ddos_botnet",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": null,
            "yara_rule_description": "FocusBot DDoS botnet - plaintext HTTP C2 with UDP/TCP flood attacks",
            "last_hit_utc": "2026-03-14 12:33:27"
        }
    ],
    "3240": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "HackTool_Samples",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Hacktool",
            "last_hit_utc": "2026-02-18 12:19:18"
        }
    ],
    "3241": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "HKTL_NET_GUID_njRAT",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/mwsrc/njRAT",
            "yara_rule_description": "Detects VB.NET red/black-team tools via typelibguid",
            "last_hit_utc": "2026-04-19 16:48:17"
        }
    ],
    "3242": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "HKTL_NET_GUID_StormKitty",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/LimerBoy/StormKitty",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-08-29 12:37:36"
        }
    ],
    "3243": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "INDICATOR_EXE_Packed_TriumphLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects TriumphLoader",
            "last_hit_utc": "2021-02-24 07:51:05"
        }
    ],
    "3244": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "INDICATOR_KB_CERT_03e9eb4dff67d4f9a554a422d5ed86f3",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2023-01-08 06:07:02"
        }
    ],
    "3245": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "INDICATOR_KB_CERT_07cef66a71c35bc3aed6d100c6493863",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-09-01 07:55:14"
        }
    ],
    "3246": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "INDICATOR_KB_CERT_0ddeb53f957337fbeaf98c4a615b149d",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-11-26 13:18:38"
        }
    ],
    "3247": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "INDICATOR_KB_CERT_21c9a6daff942f2db6a0614d",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-05-18 10:28:02"
        }
    ],
    "3248": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "INDICATOR_KB_ID_Infostealer",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects exfiltration email addresses correlated from various infostealers. The same email can be observed in multiple families.",
            "last_hit_utc": "2021-06-23 06:45:12"
        }
    ],
    "3249": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "INDICATOR_RTF_EXPLOIT_CVE_2017_11882_2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects obfuscated RTF variant documents potentially exploiting CVE-2017-11882",
            "last_hit_utc": "2021-06-16 09:54:56"
        }
    ],
    "3250": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_fodhelper",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "detects Windows executables potentially bypassing UAC using fodhelper.exe",
            "last_hit_utc": "2026-03-16 23:39:16"
        }
    ],
    "3251": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "INDICATOR_TOOL_EdgeCookiesView",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects EdgeCookiesView",
            "last_hit_utc": "2022-10-21 15:47:03"
        }
    ],
    "3252": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "LinuxAESDDoS",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-16 11:14:43"
        }
    ],
    "3253": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Cryptominer_Camelot_cdd631c1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-16 20:45:50"
        }
    ],
    "3254": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Generic_Threat_2c8d824c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-10 16:35:23"
        }
    ],
    "3255": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Generic_Threat_fc5b5b86",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-11 18:25:44"
        }
    ],
    "3256": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Rootkit_Generic_61229bdf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 16:26:29"
        }
    ],
    "3257": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Trojan_Ebury_7b13e9b6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:46:37"
        }
    ],
    "3258": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Trojan_Gafgyt_9c18716c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-31 06:34:14"
        }
    ],
    "3259": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Trojan_Meterpreter_1bda891e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-09 16:40:44"
        }
    ],
    "3260": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Trojan_Mirai_575f5bc8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-19 15:52:03"
        }
    ],
    "3261": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Trojan_Mirai_804f8e7c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "3262": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Trojan_Mirai_93fc3657",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "3263": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Trojan_Mirai_99d78950",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "3264": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Trojan_Mirai_a68e498c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 13:52:03"
        }
    ],
    "3265": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Linux_Trojan_Mirai_fe721dc5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-03 07:02:04"
        }
    ],
    "3266": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "LockBit3_ransomware",
            "yara_rule_author": "BlackBerry",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule detecting Lockbit3 ransomware samples",
            "last_hit_utc": "2025-12-19 11:59:14"
        }
    ],
    "3267": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "malware_StealthWorker",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "detect StealthWorker",
            "last_hit_utc": "2022-05-03 07:42:04"
        }
    ],
    "3268": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "MALWARE_Win_DLAgent06",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects known downloader agent downloading encoded binaries in patches",
            "last_hit_utc": "2022-06-23 12:18:28"
        }
    ],
    "3269": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "MALWARE_Win_MargulasRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects MargulasRAT",
            "last_hit_utc": "2021-08-06 12:44:00"
        }
    ],
    "3270": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "MALWARE_Win_Mercurial",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Mercurial infostealer",
            "last_hit_utc": "2026-03-03 13:27:15"
        }
    ],
    "3271": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "MALWARE_Win_RisePro",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RisePro infostealer",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "3272": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "MALWARE_Win_Snatch",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Snatch / GoRansome / MauriGo ransomware",
            "last_hit_utc": "2023-09-11 16:27:07"
        }
    ],
    "3273": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "MALWARE_Win_Thanos",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Thanos / Prometheus / Spook ransomware",
            "last_hit_utc": "2025-01-23 02:33:03"
        }
    ],
    "3274": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "MALWARE_Win_Unknown_PackedLoader_01",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unknown loader / packer. Observed running LummaStealer",
            "last_hit_utc": "2026-03-17 12:35:19"
        }
    ],
    "3275": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "MALWARE_Win_WobbyChipMBR",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects WobbyChipMBR / Covid-21 ransomware",
            "last_hit_utc": "2025-06-16 15:55:05"
        }
    ],
    "3276": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Mimikatz_Gen_Strings",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Mimikatz by using some special strings",
            "last_hit_utc": "2025-11-25 20:47:30"
        }
    ],
    "3277": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Octowave_Installer_03_2025",
            "yara_rule_author": "Jai Minton (@CyberRaiju) - HuntressLabs",
            "yara_rule_reference": "https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19",
            "yara_rule_description": "Detects resources embedded within Octowave Loader MSI installers",
            "last_hit_utc": "2025-08-21 05:43:34"
        }
    ],
    "3278": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Powerkatz_DLL_Generic",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "PowerKatz Analysis",
            "yara_rule_description": "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)",
            "last_hit_utc": "2025-11-25 20:47:30"
        }
    ],
    "3279": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "RANSOM_7ev3n",
            "yara_rule_author": "KrknSec",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n",
            "yara_rule_description": "Detects 7ev3n ransomware.",
            "last_hit_utc": "2022-12-21 22:32:04"
        }
    ],
    "3280": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "RANSOM_mountlocker",
            "yara_rule_author": "McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect Mount Locker ransomware",
            "last_hit_utc": "2025-01-03 20:34:51"
        }
    ],
    "3281": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "RAT_Vertex",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Vertex",
            "yara_rule_description": "Detects Vertex RAT",
            "last_hit_utc": "2026-03-03 13:01:21"
        }
    ],
    "3282": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Scarhikn",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Scarhikn",
            "last_hit_utc": "2025-07-16 05:00:42"
        }
    ],
    "3283": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "ScarhiknStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Scarhikn Identifying Strings",
            "last_hit_utc": "2025-07-16 05:00:42"
        }
    ],
    "3284": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "SecurityXploded_Producer_String",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://securityxploded.com/browser-password-dump.php",
            "yara_rule_description": "Detects hacktools by SecurityXploded",
            "last_hit_utc": "2022-11-23 23:32:03"
        }
    ],
    "3285": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "shells_PHP_wso",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file wso.txt",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "3286": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "SnakeKeyLogger_July_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SnakeKeyLogger payload",
            "last_hit_utc": "2025-01-10 14:08:48"
        }
    ],
    "3287": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "WannaCry",
            "yara_rule_author": "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>",
            "yara_rule_reference": "https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html",
            "yara_rule_description": "Detects WannaCry Ransomware",
            "last_hit_utc": "2025-01-05 15:29:59"
        }
    ],
    "3288": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Webshell_shells_PHP_wso_RID3030",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file wso.txt",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "3289": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "WIN32_MAL_TROJ_UPATRE_SMBG",
            "yara_rule_author": "Auto-generated rule",
            "yara_rule_reference": "Not provided",
            "yara_rule_description": "Detects UPATRE Trojan variant.",
            "last_hit_utc": "2025-06-16 15:51:04"
        }
    ],
    "3290": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win64_valley_rat",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting ValleyRAT malware",
            "last_hit_utc": "2025-11-20 13:15:31"
        }
    ],
    "3291": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "WinDivert_Driver",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.reqrypt.org/windivert.html",
            "yara_rule_description": "Detects WinDivert User-Mode packet capturing driver",
            "last_hit_utc": "2026-01-29 07:59:25"
        }
    ],
    "3292": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Windows_Generic_Threat_fca7f863",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-01 05:56:56"
        }
    ],
    "3293": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Windows_Ransomware_Thanos_c3522fd0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/",
            "yara_rule_description": "Identifies THANOS (Hakbit) ransomware",
            "last_hit_utc": "2025-01-03 21:07:47"
        }
    ],
    "3294": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Windows_Rootkit_R77_ee853c9f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-14 09:59:25"
        }
    ],
    "3295": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Windows_Trojan_Adaptix_b2cda978",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-01 11:04:58"
        }
    ],
    "3296": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Windows_Trojan_BruteRatel_4110d879",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-05 20:14:16"
        }
    ],
    "3297": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Windows_Trojan_Clipbanker",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:14:03"
        }
    ],
    "3298": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "Windows_Trojan_Metasploit_4a1c4da8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Metasploit 64 bit reverse tcp shellcode.",
            "last_hit_utc": "2022-11-22 20:36:03"
        }
    ],
    "3299": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win_7ev3n_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.7ev3n.",
            "last_hit_utc": "2022-12-21 22:32:04"
        }
    ],
    "3300": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win_babylon_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-28 07:48:14"
        }
    ],
    "3301": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win_blacknet_rat_w0",
            "yara_rule_author": "K7 Security Labs",
            "yara_rule_reference": "",
            "yara_rule_description": "BlackNet Payload",
            "last_hit_utc": "2022-10-04 21:23:04"
        }
    ],
    "3302": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win_cryakl_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-03 21:41:29"
        }
    ],
    "3303": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win_darktrack_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-09 08:45:03"
        }
    ],
    "3304": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win_isfb_a4",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-01-03 10:36:05"
        }
    ],
    "3305": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win_laplas_clipper_9c96",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": "",
            "yara_rule_description": "detects unpacked Laplas Clipper",
            "last_hit_utc": "2022-11-25 02:31:03"
        }
    ],
    "3306": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win_pushdo_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.pushdo.",
            "last_hit_utc": "2024-01-31 14:35:04"
        }
    ],
    "3307": [
        {
            "sample_cnt": 11,
            "yara_rule_name": "win_pykspa_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.pykspa.",
            "last_hit_utc": "2022-08-31 02:34:04"
        }
    ],
    "3308": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "ach_Ostap_xlsm_20201016",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/9b9cc8bcf52baa61eda74d0828b072fa/",
            "yara_rule_description": "Detects Ostap XLSM",
            "last_hit_utc": "2020-10-20 06:55:54"
        }
    ],
    "3309": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "AgentTesla",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "AgentTesla Payload",
            "last_hit_utc": "2022-07-31 06:06:15"
        }
    ],
    "3310": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "aix",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": "",
            "yara_rule_description": "AIX binary",
            "last_hit_utc": "2022-10-22 12:14:03"
        }
    ],
    "3311": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "AndeLoader",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AndeLoader",
            "last_hit_utc": "2025-01-03 21:00:10"
        }
    ],
    "3312": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
            "yara_rule_description": "Detects BPFDoor implants used by Chinese actor Red Menshen",
            "last_hit_utc": "2022-11-15 13:10:04"
        }
    ],
    "3313": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "APT_MAL_LNX_RedMenshen_BPFDoor_Tricephalic_Implant_May22",
            "yara_rule_author": "Exatrack",
            "yara_rule_reference": "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
            "yara_rule_description": "Detects BPFDoor/Tricephalic Hellkeeper passive implant",
            "last_hit_utc": "2022-11-15 13:10:04"
        }
    ],
    "3314": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Atmos_Malware",
            "yara_rule_author": "xylitol@temari.fr",
            "yara_rule_reference": "http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
            "yara_rule_description": "Generic Spyware.Citadel.Atmos Signature",
            "last_hit_utc": "2020-11-17 12:56:22"
        }
    ],
    "3315": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Atmos_Packed_Malware",
            "yara_rule_author": "xylitol@temari.fr",
            "yara_rule_reference": "http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
            "yara_rule_description": "Second Generic Spyware.Citadel.Atmos signature when builder adds a packed layer",
            "last_hit_utc": "2020-11-17 12:56:22"
        }
    ],
    "3316": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "BruteRatel",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "BruteRatel Payload",
            "last_hit_utc": "2026-01-05 20:14:16"
        }
    ],
    "3317": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "CN_Honker_smsniff_smsniff_RID3112",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file smsniff.exe",
            "last_hit_utc": "2024-02-04 07:11:02"
        }
    ],
    "3318": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "CobaltStrike_Sleeve_Beacon_x64_v4_3",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/beacon.x64.dll Version 4.3",
            "last_hit_utc": "2025-07-28 01:15:08"
        }
    ],
    "3319": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "DevCv4",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-27 09:05:23"
        }
    ],
    "3320": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "golang_build_id_strings",
            "yara_rule_author": "Jonathan Cole",
            "yara_rule_reference": null,
            "yara_rule_description": "Matches on string Golang build ID",
            "last_hit_utc": "2025-01-05 15:28:10"
        }
    ],
    "3321": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "gorilla",
            "yara_rule_author": "Marc",
            "yara_rule_reference": null,
            "yara_rule_description": "Samples used by gorilla botnet (mirai variant)",
            "last_hit_utc": "2025-07-31 05:03:20"
        }
    ],
    "3322": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Havex",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-09 17:07:08"
        }
    ],
    "3323": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "IcedIDStage1",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "IcedID Payload",
            "last_hit_utc": "2021-03-27 17:42:06"
        }
    ],
    "3324": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "IcedIDStage1",
            "yara_rule_author": "kevoreilly, threathive, enzo",
            "yara_rule_reference": "",
            "yara_rule_description": "IcedID Payload",
            "last_hit_utc": "2022-04-20 06:08:35"
        }
    ],
    "3325": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "IMPLANT_4_v7",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "BlackEnergy / Voodoo Bear Implant by APT28",
            "last_hit_utc": "2026-04-17 08:58:32"
        }
    ],
    "3326": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "INDICATOR_KB_CERT_0139dde119bb320dfb9f5defe3f71245",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "https://bazaar.abuse.ch/faq/#cscb",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2026-04-26 19:05:45"
        }
    ],
    "3327": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "INDICATOR_KB_CERT_02fa994d660de659ee9037ecb437d766",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 16:57:19"
        }
    ],
    "3328": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-10-24 07:27:02"
        }
    ],
    "3329": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_PasswordManagers",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many Password Manager software clients. Observed in infostealers",
            "last_hit_utc": "2026-04-23 12:31:37"
        }
    ],
    "3330": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "INDICATOR_TOOL_EXP_PetitPotam01",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect tool potentially exploiting/attempting PetitPotam",
            "last_hit_utc": "2026-01-05 11:30:22"
        }
    ],
    "3331": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "InnoSetupModule",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:41:39"
        }
    ],
    "3332": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "js_downloader_gootloader",
            "yara_rule_author": "HP Threat Research @HP_Bromium",
            "yara_rule_reference": null,
            "yara_rule_description": "JavaScript downloader known to deliver Gootkit or REvil ransomware",
            "last_hit_utc": "2021-05-10 15:42:39"
        }
    ],
    "3333": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "LinuxHacktool_eyes_pscan2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file pscan2",
            "last_hit_utc": "2026-03-17 01:18:17"
        }
    ],
    "3334": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Linux_Cryptominer_Xmrig_af809eea",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 19:54:29"
        }
    ],
    "3335": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Linux_Generic_Threat_08e4ee8c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-14 12:26:11"
        }
    ],
    "3336": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Linux_Hacktool_Cleanlog_400b7595",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-10 00:38:12"
        }
    ],
    "3337": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Linux_Trojan_Gafgyt_5bf62ce4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:50:02"
        }
    ],
    "3338": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Linux_Trojan_Gafgyt_9127f7be",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 11:57:04"
        }
    ],
    "3339": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Linux_Trojan_Gafgyt_a0a4de11",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "3340": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Linux_Trojan_Gafgyt_eaa9a668",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-18 18:23:15"
        }
    ],
    "3341": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Linux_Trojan_Tsunami_0e52c842",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:45:32"
        }
    ],
    "3342": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Linux_Trojan_Xorddos_884cab60",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:23:47"
        }
    ],
    "3343": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "LucaStealer",
            "yara_rule_author": "Chat3ux",
            "yara_rule_reference": null,
            "yara_rule_description": "Lucasstealer",
            "last_hit_utc": "2026-03-31 20:05:17"
        }
    ],
    "3344": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "malware_Hawkeye_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect HawkEye in memory",
            "last_hit_utc": "2025-03-25 16:03:35"
        }
    ],
    "3345": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MALWARE_Win_CobianRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects CobianRAT, a fork of Njrat",
            "last_hit_utc": "2022-08-17 06:49:03"
        }
    ],
    "3346": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MALWARE_Win_CoinMiner04",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects coinmining malware",
            "last_hit_utc": "2025-01-05 14:45:15"
        }
    ],
    "3347": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MALWARE_Win_ImminentRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects ImminentRAT",
            "last_hit_utc": "2022-06-09 14:39:38"
        }
    ],
    "3348": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MALWARE_Win_LockDown",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Lockdown / cantopen ransomware",
            "last_hit_utc": "2023-03-13 06:22:32"
        }
    ],
    "3349": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MALWARE_Win_Quantum",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Quantum locker / ransomware",
            "last_hit_utc": "2026-03-11 15:01:27"
        }
    ],
    "3350": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MALWARE_Win_Thanos",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Thanos / Prometheus / Spook ransomware",
            "last_hit_utc": "2022-09-24 09:41:09"
        }
    ],
    "3351": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MAL_CN_FlyStudio_May18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects malware / hacktool detected in May 2018",
            "last_hit_utc": "2026-01-02 22:17:12"
        }
    ],
    "3352": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MAL_CN_FlyStudio_May18_1_RID2F5C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects malware / hacktool detected in May 2018",
            "last_hit_utc": "2026-01-02 22:17:12"
        }
    ],
    "3353": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MAL_JRAT_Oct18_1_RID2BF9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects JRAT malware",
            "last_hit_utc": "2025-07-23 17:52:26"
        }
    ],
    "3354": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MAL_Ramnit_May19_1_RID2D35",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/",
            "yara_rule_description": "Detects Ramnit malware",
            "last_hit_utc": "2025-01-03 19:38:56"
        }
    ],
    "3355": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "MAL_Trickbot_Oct19_4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Trickbot malware",
            "last_hit_utc": "2020-11-17 19:10:37"
        }
    ],
    "3356": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "mew_11_xx",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "MEW 11",
            "last_hit_utc": "2025-08-06 23:31:51"
        }
    ],
    "3357": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "mimikatz",
            "yara_rule_author": "Benjamin DELPY (gentilkiwi)",
            "yara_rule_reference": "",
            "yara_rule_description": "mimikatz",
            "last_hit_utc": "2025-11-25 20:47:30"
        }
    ],
    "3358": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Multi_Trojan_SparkRat_9a21e541",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-06 10:15:25"
        }
    ],
    "3359": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "PECompactv25RetailBitsumTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-25 18:40:21"
        }
    ],
    "3360": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "PUA_CryptoMiner_Jan19_1_RID2F44",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Crypto Miner strings",
            "last_hit_utc": "2025-11-23 10:45:39"
        }
    ],
    "3361": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Pupy_Backdoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/n1nj4sec/pupy-binaries",
            "yara_rule_description": "Detects Pupy backdoor",
            "last_hit_utc": "2026-03-06 09:57:18"
        }
    ],
    "3362": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Pupy_Backdoor_RID2C43",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/n1nj4sec/pupy-binaries",
            "yara_rule_description": "Detects Pupy backdoor",
            "last_hit_utc": "2026-03-06 09:57:18"
        }
    ],
    "3363": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "py_BraodoStealer",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Braodo Stealer python payload",
            "last_hit_utc": "2025-01-03 21:11:09"
        }
    ],
    "3364": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "RAN_Lockbit_v3_Jun_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/vxunderground/status/1543661557883740161",
            "yara_rule_description": "Detect the lockbit ransomware",
            "last_hit_utc": "2025-12-19 11:59:14"
        }
    ],
    "3365": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "RAT_LuminosityLink",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/LuminosityLink",
            "yara_rule_description": "Detects LuminosityLink RAT",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "3366": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "redline_win_generic",
            "yara_rule_author": "_kphi",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-25 15:24:02"
        }
    ],
    "3367": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Reflective_DLL_Loader_Aug17_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Reflective DLL Loader",
            "last_hit_utc": "2025-11-19 15:44:24"
        }
    ],
    "3368": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Rookie",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Rookie",
            "last_hit_utc": "2026-03-02 07:48:16"
        }
    ],
    "3369": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "RookieStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Rookie Identifying Strings",
            "last_hit_utc": "2026-03-02 07:48:16"
        }
    ],
    "3370": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Sality_Malware_Oct16",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an unspecified malware - October 2016",
            "last_hit_utc": "2026-02-12 16:31:15"
        }
    ],
    "3371": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Sality_Malware_Oct16_RID2E9B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an unspecified malware - October 2016",
            "last_hit_utc": "2026-02-12 16:31:15"
        }
    ],
    "3372": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "SHIFU_Banking_Trojan_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/52n8WE",
            "yara_rule_description": "Detects SHIFU Banking Trojan",
            "last_hit_utc": "2020-07-06 07:12:28"
        }
    ],
    "3373": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "suspicious_sfx_files_simple_rule",
            "yara_rule_author": "Razvan.A.B",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects suspicious files containing sfx",
            "last_hit_utc": "2022-07-11 10:51:03"
        }
    ],
    "3374": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "SUSP_VHD_Suspicious_Small_Size_RID3285",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/MeltX0R/status/1208095892877774850",
            "yara_rule_description": "Detects suspicious VHD files",
            "last_hit_utc": "2026-02-23 07:14:22"
        }
    ],
    "3375": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "VanHelsing_Ransomware",
            "yara_rule_author": "Vasilis Orlof",
            "yara_rule_reference": "https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/",
            "yara_rule_description": "Detects VanHelsing Ransomware using file markers and behaviors",
            "last_hit_utc": "2025-12-17 20:47:15"
        }
    ],
    "3376": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "VBOXv43v46",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-04 09:00:38"
        }
    ],
    "3377": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Generic_Threat_073909cf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-29 05:46:13"
        }
    ],
    "3378": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Generic_Threat_2c80562d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:18:12"
        }
    ],
    "3379": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Hacktool_Rubeus_43f18623",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-22 18:16:18"
        }
    ],
    "3380": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Infostealer_PhemedroneStealer_bed8ea8a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-16 12:11:57"
        }
    ],
    "3381": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Rootkit_R77_5bab748b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-16 20:46:23"
        }
    ],
    "3382": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Trojan_Clipbanker_787b130b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-24 12:52:54"
        }
    ],
    "3383": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Trojan_Clipbanker_f9f9e79d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-24 12:52:54"
        }
    ],
    "3384": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Trojan_Emotet_77c667b9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-03 02:37:02"
        }
    ],
    "3385": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Trojan_Generic_a160ca52",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-24 04:33:51"
        }
    ],
    "3386": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Trojan_IcedID_11d24d35",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-04-21 06:11:05"
        }
    ],
    "3387": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Trojan_PlugX_f338dab5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-08 06:44:48"
        }
    ],
    "3388": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Trojan_Pony_d5516fe8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-26 03:32:02"
        }
    ],
    "3389": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Trojan_PoshC2_e2d3881e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-02 05:40:03"
        }
    ],
    "3390": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "Windows_Trojan_WikiLoader_c57f3f88",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:20:25"
        }
    ],
    "3391": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_blacksuit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.blacksuit.",
            "last_hit_utc": "2025-07-04 14:50:11"
        }
    ],
    "3392": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_devopt_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.devopt.",
            "last_hit_utc": "2025-06-16 16:12:40"
        }
    ],
    "3393": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_extreme_rat_w0",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": "",
            "yara_rule_description": "Xtrem RAT v3.5",
            "last_hit_utc": "2022-10-12 16:51:56"
        }
    ],
    "3394": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_ffdroider_w0",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": "",
            "yara_rule_description": "detects FFDroider",
            "last_hit_utc": "2022-10-23 18:16:32"
        }
    ],
    "3395": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_grandsteal_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-04 11:23:15"
        }
    ],
    "3396": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_hawkeye_keylogger_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-11-01 06:47:05"
        }
    ],
    "3397": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_icedid_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-27 06:46:11"
        }
    ],
    "3398": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_icexloader",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-10 01:07:03"
        }
    ],
    "3399": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_neutrino_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-14 19:46:16"
        }
    ],
    "3400": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_nosu_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.nosu.",
            "last_hit_utc": "2023-03-30 07:30:05"
        }
    ],
    "3401": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_nosu_w0",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect_Nosu_stealer",
            "last_hit_utc": "2023-03-30 07:30:05"
        }
    ],
    "3402": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_onliner_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.onliner.",
            "last_hit_utc": "2023-12-01 07:19:03"
        }
    ],
    "3403": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_pitou_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.pitou.",
            "last_hit_utc": "2024-01-10 21:13:02"
        }
    ],
    "3404": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_qakbot_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-10-15 15:48:04"
        }
    ],
    "3405": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_quirkyloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.quirkyloader.",
            "last_hit_utc": "2026-03-25 00:14:17"
        }
    ],
    "3406": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_tinba_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-02 04:10:05"
        }
    ],
    "3407": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_tinba_w0",
            "yara_rule_author": "n3sfox <n3sfox@gmail.com>",
            "yara_rule_reference": "https://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world",
            "yara_rule_description": "Tinba 2 (DGA) banking trojan",
            "last_hit_utc": "2020-07-02 04:10:05"
        }
    ],
    "3408": [
        {
            "sample_cnt": 10,
            "yara_rule_name": "win_zloader_g1",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-04 08:56:00"
        }
    ],
    "3409": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "ach_Emotet_xls_20221107",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/e99144862c6a3bb1d25846e962dc1633/",
            "yara_rule_description": "Detects Emotet XLS",
            "last_hit_utc": "2025-01-05 15:39:54"
        }
    ],
    "3410": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "ach_Gozi_xls_20200528",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/14f3f5fc046eb06b0e8dc184d9ecd0d6/",
            "yara_rule_description": "Detects Gozi XLS",
            "last_hit_utc": "2020-04-28 20:15:15"
        }
    ],
    "3411": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Ammyy_Admin_AA_v3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/gkAg2E",
            "yara_rule_description": "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "3412": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "apt28_win_zebrocy_golang_loader_modified",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html",
            "yara_rule_description": "Detects unpacked modified APT28/Sofacy Zebrocy Golang.",
            "last_hit_utc": "2026-01-09 21:10:53"
        }
    ],
    "3413": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
            "yara_rule_description": "Detects unknown Linux implants (uploads from KR and MO)",
            "last_hit_utc": "2022-11-15 13:10:04"
        }
    ],
    "3414": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "ASProtectvxx",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 09:09:16"
        }
    ],
    "3415": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Backdoor_Redosdru_Jun17",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/OOB3mH",
            "yara_rule_description": "Detects malware Redosdru - file systemHome.exe",
            "last_hit_utc": "2023-02-03 15:48:03"
        }
    ],
    "3416": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Backdoor_Redosdru_Jun17_RID2FD1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/OOB3mH",
            "yara_rule_description": "Detects malware Redosdru - file systemHome.exe",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "3417": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "BuerLoader_payload",
            "yara_rule_author": "Brandon George",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rules for the updated and unpacked payload of BuerLoader",
            "last_hit_utc": "2020-12-24 00:58:04"
        }
    ],
    "3418": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "certum_issuer",
            "yara_rule_author": "Certum",
            "yara_rule_reference": null,
            "yara_rule_description": "Looks for files signed with certificate issued by Certum",
            "last_hit_utc": "2026-04-08 14:00:50"
        }
    ],
    "3419": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "CN_Actor_AmmyyAdmin",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research - CN Actor",
            "yara_rule_description": "Detects Ammyy Admin Downloader",
            "last_hit_utc": "2025-10-04 10:44:42"
        }
    ],
    "3420": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "CN_Actor_RA_Tool_Ammyy_mscorsvw",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research - CN Actor",
            "yara_rule_description": "Detects Ammyy remote access tool",
            "last_hit_utc": "2025-10-04 10:44:42"
        }
    ],
    "3421": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x",
            "last_hit_utc": "2026-02-26 11:55:28"
        }
    ],
    "3422": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "CobaltStrike__Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-26 11:55:28"
        }
    ],
    "3423": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "crime_printer_loader",
            "yara_rule_author": "Rony (r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects printer loader",
            "last_hit_utc": "2025-09-17 06:58:21"
        }
    ],
    "3424": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "CVE_2017_11882_RTF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882",
            "last_hit_utc": "2022-08-08 15:18:03"
        }
    ],
    "3425": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "cybercrime_admin_ch_html",
            "yara_rule_author": "Marc",
            "yara_rule_reference": null,
            "yara_rule_description": "HTML with admin.ch",
            "last_hit_utc": "2026-03-14 06:44:17"
        }
    ],
    "3426": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "CyberCrime_LockBit_Ransomware",
            "yara_rule_author": "gmrdkd@s2w.inc",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection LockBit 3.0/Black rule",
            "last_hit_utc": "2025-12-19 11:59:14"
        }
    ],
    "3427": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "cybercrime_swisscom_html",
            "yara_rule_author": "Marc",
            "yara_rule_reference": null,
            "yara_rule_description": "HTML with swisscom",
            "last_hit_utc": "2026-03-18 01:14:23"
        }
    ],
    "3428": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Detect_Mimic_Ransomware",
            "yara_rule_author": "@MalGamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect_Mimic_Ransomware",
            "last_hit_utc": "2025-12-29 08:46:14"
        }
    ],
    "3429": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "detect_rifdoor",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_rifdoor",
            "last_hit_utc": "2025-01-05 17:28:02"
        }
    ],
    "3430": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Executable_Converted_to_MSI",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-30 14:39:03"
        }
    ],
    "3431": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Generic_Dropper",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/JAHZVL",
            "yara_rule_description": "Detects Dropper PDB string in file",
            "last_hit_utc": "2022-01-21 03:20:11"
        }
    ],
    "3432": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "GEN_PowerShell",
            "yara_rule_author": "https://github.com/interleaved",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic PowerShell Malware Rule",
            "last_hit_utc": "2023-05-06 12:32:30"
        }
    ],
    "3433": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "HKTL_NET_GUID_DInvoke",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/TheWover/DInvoke",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-03 22:44:50"
        }
    ],
    "3434": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "HTKL_BlackBone_DriverInjector_RID320D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/DarthTon/Blackbone",
            "yara_rule_description": "Detects BlackBone Driver injector",
            "last_hit_utc": "2025-01-05 17:10:17"
        }
    ],
    "3435": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "HTML_Smuggling_A",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic detection for HTML smuggling (T1027.006)",
            "last_hit_utc": "2025-12-12 07:26:20"
        }
    ],
    "3436": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Impacket_Tools_Generic_1_RID305B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "3437": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "INDICATOR_EXE_Packed_DNGuard",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with DNGuard",
            "last_hit_utc": "2026-04-21 03:24:12"
        }
    ],
    "3438": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "INDICATOR_EXE_Packed_RLPack",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with RLPACK",
            "last_hit_utc": "2025-01-05 17:28:02"
        }
    ],
    "3439": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "INDICATOR_KB_CERT_01803bc7537a1818c4ab135469963c10",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-07-23 03:14:03"
        }
    ],
    "3440": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "INDICATOR_KB_CERT_01ea62e443cb2250c870ff6bb13ba98e",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-08-05 19:53:24"
        }
    ],
    "3441": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "INDICATOR_MSI_EXE2MSI",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables converted to .MSI packages using a free online converter.",
            "last_hit_utc": "2022-09-30 14:39:03"
        }
    ],
    "3442": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects JS potentially executing WMI queries",
            "last_hit_utc": "2022-10-11 03:58:04"
        }
    ],
    "3443": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "infostealer_win_acrstealer_str",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Finds ACR Stealer standalone samples based on specific strings.",
            "last_hit_utc": "2025-02-08 07:19:24"
        }
    ],
    "3444": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Invoke_Mimikatz",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz",
            "yara_rule_description": "Detects Invoke-Mimikatz String",
            "last_hit_utc": "2022-10-31 13:35:06"
        }
    ],
    "3445": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Linux_Trojan_BPFDoor_f690fe3b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 13:10:03"
        }
    ],
    "3446": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Linux_Trojan_Gafgyt_1b2e2a3a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 11:57:04"
        }
    ],
    "3447": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Linux_Trojan_Mirai_b548632d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-07 08:13:20"
        }
    ],
    "3448": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Linux_Trojan_Tsunami_0c6686b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-25 18:47:08"
        }
    ],
    "3449": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Linux_Trojan_Tsunami_c94eec37",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-07 13:28:18"
        }
    ],
    "3450": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Linux_Trojan_Xorddos_e41143e1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-13 13:38:21"
        }
    ],
    "3451": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "LockbitBlack_Loader",
            "yara_rule_author": "Zander Work",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunting rule for the Lockbit Black loader, based on https://twitter.com/vxunderground/status/1543661557883740161",
            "last_hit_utc": "2025-12-19 11:59:14"
        }
    ],
    "3452": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "LummaInjector",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LummaStealer injection into RegAsm.exe",
            "last_hit_utc": "2025-01-03 20:44:26"
        }
    ],
    "3453": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "maldoc_getEIP_method_4",
            "yara_rule_author": "Didier Stevens (https://DidierStevens.com)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:28:03"
        }
    ],
    "3454": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "MALWARE_Win_BlackNET",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects BlackNET RAT",
            "last_hit_utc": "2022-10-03 16:23:03"
        }
    ],
    "3455": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "MALWARE_Win_GloomaneStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects GloomaneStealer",
            "last_hit_utc": "2022-07-08 09:54:06"
        }
    ],
    "3456": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "MALWARE_Win_GuLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Shellcode injector and downloader",
            "last_hit_utc": "2026-01-29 15:56:32"
        }
    ],
    "3457": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "MALWARE_Win_NPlusMiner",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PowerShell based NPlusMiner",
            "last_hit_utc": "2022-02-08 16:31:03"
        }
    ],
    "3458": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "MALWARE_Win_ObliqueRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "ObliqueRAT payload",
            "last_hit_utc": "2023-09-11 16:27:07"
        }
    ],
    "3459": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "MALWARE_Win_SolarMarker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SolarMarker",
            "last_hit_utc": "2025-01-05 16:47:47"
        }
    ],
    "3460": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "MALWARE_Win_SoranoStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SoranoStealer / HogGrabber. Available on Github: /Alexuiop1337/SoranoStealer",
            "last_hit_utc": "2025-12-12 13:39:18"
        }
    ],
    "3461": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "MALWARE_Win_UnamedStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unknown infostealer. Observed as 2nd stage and injects into .NET AppLaunch.exe",
            "last_hit_utc": "2022-10-21 06:28:03"
        }
    ],
    "3462": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "MAL_EXE_LockBit_v2",
            "yara_rule_author": "Silas Cutler, modified by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection for LockBit version 2.x from 2011",
            "last_hit_utc": "2025-01-05 15:57:47"
        }
    ],
    "3463": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "mal_packer_0",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Native packer used to inject .NET payloads to InstallUtil.exe",
            "last_hit_utc": "2025-01-05 16:20:10"
        }
    ],
    "3464": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "NotPetya_Ransomware_Jun17",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/h6iaGj",
            "yara_rule_description": "Detects new NotPetya Ransomware variant from June 2017",
            "last_hit_utc": "2025-09-30 14:11:35"
        }
    ],
    "3465": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "OBFUS_PowerShell_Execution",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects some variations of obfuscated PowerShell code to execute further PowerShell code",
            "last_hit_utc": "2022-04-05 11:07:02"
        }
    ],
    "3466": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Packer_Android_src",
            "yara_rule_author": "R3R0K",
            "yara_rule_reference": null,
            "yara_rule_description": "Android.Packer_Android_src",
            "last_hit_utc": "2025-10-31 09:18:23"
        }
    ],
    "3467": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "PUP_InstallRex_AntiFWb",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Malware InstallRex / AntiFW",
            "last_hit_utc": "2022-08-31 04:34:03"
        }
    ],
    "3468": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Quasar_RAT_Jan18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2025-11-23 01:30:52"
        }
    ],
    "3469": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Quasar_RAT_Jan18_1_RID2D35",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2025-11-23 01:30:53"
        }
    ],
    "3470": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "RAN_ELF_QNAPCrypt_Aug_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse/tag/QNAPCrypt/",
            "yara_rule_description": "Detect QNAPCrypt ransomware (x86 version)",
            "last_hit_utc": "2025-01-05 14:58:29"
        }
    ],
    "3471": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "RAN_HelloKitty_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect the HelloKitty ransomware",
            "last_hit_utc": "2025-04-10 08:31:08"
        }
    ],
    "3472": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "RAT_BlackShades",
            "yara_rule_author": "Brian Wallace (@botnet_hunter)",
            "yara_rule_reference": "http://blog.cylance.com/a-study-in-bots-blackshades-net",
            "yara_rule_description": "Detects BlackShades RAT",
            "last_hit_utc": "2025-10-28 13:45:02"
        }
    ],
    "3473": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "RemoteStrings",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "indicators for remote.dll - surtr stage 2",
            "last_hit_utc": "2025-01-03 19:38:32"
        }
    ],
    "3474": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "SMB_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:57:21"
        }
    ],
    "3475": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "SUSP_PDB_Path_Keywords",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/stvemillertime/status/1179832666285326337?s=20",
            "yara_rule_description": "Detects suspicious PDB paths",
            "last_hit_utc": "2023-01-28 15:48:29"
        }
    ],
    "3476": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "SUSP_Unsigned_GoogleUpdate",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious unsigned GoogleUpdate.exe",
            "last_hit_utc": "2025-12-28 17:29:15"
        }
    ],
    "3477": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "SUSP_VHD_Suspicious_Small_Size",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/MeltX0R/status/1208095892877774850",
            "yara_rule_description": "Detects suspicious VHD files",
            "last_hit_utc": "2025-01-05 15:27:13"
        }
    ],
    "3478": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "svg_file_with_ref",
            "yara_rule_author": "Anish Bogati",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious SVG content referencing external URLs.",
            "last_hit_utc": "2025-10-02 05:37:36"
        }
    ],
    "3479": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Sysmain",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-08 07:06:37"
        }
    ],
    "3480": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Unknown",
            "yara_rule_author": "_langly",
            "yara_rule_reference": null,
            "yara_rule_description": "detect file packed with NimSyscallPacker created by S3cur3Th1sSh1t",
            "last_hit_utc": "2023-10-02 18:05:03"
        }
    ],
    "3481": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Unk_Crime_Downloader_2",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies what appears to be related to PureLogs stealer, but it's likely a 2nd stage with the final stage to be downloaded.",
            "last_hit_utc": "2026-04-04 11:43:46"
        }
    ],
    "3482": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Unspecified_Malware_Oct16_A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an unspecified malware - October 2016",
            "last_hit_utc": "2023-01-30 20:03:03"
        }
    ],
    "3483": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "vbs_loader",
            "yara_rule_author": "Randy McEoin",
            "yara_rule_reference": "",
            "yara_rule_description": "VBS Loader containing lots of Arrays with integers that get decoded and executed",
            "last_hit_utc": "2022-04-27 17:25:03"
        }
    ],
    "3484": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "vklogger_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://www.hybrid-analysis.com/string-search/results/1e75a1d90f3a4e8c2d657f7cfa663947d02f98515db97881487e528e0ade4099",
            "yara_rule_description": "Unknown Keylogger",
            "last_hit_utc": "2025-05-24 03:51:32"
        }
    ],
    "3485": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "VULN_PUA_GIGABYTE_Driver_Jul22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/malmoeb/status/1551449425842786306",
            "yara_rule_description": "Detects a vulnerable GIGABYTE driver sometimes used by malicious actors to escalate privileges",
            "last_hit_utc": "2025-08-21 05:29:37"
        }
    ],
    "3486": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "WebDAV_in_LNK",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies WebDAV in shortcut (LNK) file.",
            "last_hit_utc": "2026-04-09 14:40:29"
        }
    ],
    "3487": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "webshell_csharp_generic",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Webshell in c#",
            "last_hit_utc": "2022-06-16 17:03:02"
        }
    ],
    "3488": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win32_njrat",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting njRAT malware",
            "last_hit_utc": "2025-11-23 10:26:06"
        }
    ],
    "3489": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Windows_Generic_Threat_20469956",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 19:41:17"
        }
    ],
    "3490": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Windows_Generic_Threat_c34e19e9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 04:44:25"
        }
    ],
    "3491": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Windows_Trojan_AveMaria_e01305a0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 08:46:23"
        }
    ],
    "3492": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_29374056",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Cobalt Strike MZ Reflective Loader.",
            "last_hit_utc": "2025-05-16 14:21:51"
        }
    ],
    "3493": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Windows_Trojan_Emotet_5528b3b0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-24 15:29:15"
        }
    ],
    "3494": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Windows_Trojan_Netwire_f42cb379",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-23 21:25:04"
        }
    ],
    "3495": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_3d9371fd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-12-22 21:51:08"
        }
    ],
    "3496": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "WinLock",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies WinLock (aka Blocker) ransomware variants generically.",
            "last_hit_utc": "2026-02-27 21:49:16"
        }
    ],
    "3497": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "WinPayloads_Payload",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/nccgroup/Winpayloads",
            "yara_rule_description": "Detects WinPayloads Payload",
            "last_hit_utc": "2021-04-21 10:42:44"
        }
    ],
    "3498": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_adhubllka_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.adhubllka.",
            "last_hit_utc": "2022-01-24 07:00:26"
        }
    ],
    "3499": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_babylon_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.babylon_rat.",
            "last_hit_utc": "2022-09-06 12:27:20"
        }
    ],
    "3500": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_betabot_w0",
            "yara_rule_author": "Venom23",
            "yara_rule_reference": "",
            "yara_rule_description": "Neurevt Malware Sig",
            "last_hit_utc": "2022-10-17 14:17:04"
        }
    ],
    "3501": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_blackremote_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-04-25 11:26:08"
        }
    ],
    "3502": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_brute_ratel_c4_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.brute_ratel_c4.",
            "last_hit_utc": "2026-04-11 09:42:25"
        }
    ],
    "3503": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_coviper_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-06-16 15:51:18"
        }
    ],
    "3504": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_Emmenhtal_w0",
            "yara_rule_author": "cert-orangecyberdefense",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-13 07:18:24"
        }
    ],
    "3505": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_extreme_rat_w1",
            "yara_rule_author": "Seth Hardy <seth.hardy@utoronto.ca>",
            "yara_rule_reference": "",
            "yara_rule_description": "XtremeRAT",
            "last_hit_utc": "2022-07-15 17:13:01"
        }
    ],
    "3506": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_hakbit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-09-21 04:06:42"
        }
    ],
    "3507": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_hive_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.hive.",
            "last_hit_utc": "2025-01-05 15:09:30"
        }
    ],
    "3508": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_icexloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.icexloader.",
            "last_hit_utc": "2022-11-10 01:07:03"
        }
    ],
    "3509": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_m00nd3v_j1",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": null,
            "yara_rule_description": "detects the M00nD3v keylogger",
            "last_hit_utc": "2020-06-30 18:50:00"
        }
    ],
    "3510": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_matanbuchus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.matanbuchus.",
            "last_hit_utc": "2025-06-16 16:30:26"
        }
    ],
    "3511": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_medusalocker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.medusalocker.",
            "last_hit_utc": "2023-03-11 04:47:02"
        }
    ],
    "3512": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_mimikatz_w0",
            "yara_rule_author": "Benjamin DELPY (gentilkiwi)",
            "yara_rule_reference": "",
            "yara_rule_description": "mimikatz",
            "last_hit_utc": "2025-11-25 20:47:30"
        }
    ],
    "3513": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_powerpool_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-11 22:06:19"
        }
    ],
    "3514": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_quasar_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-11-23 01:29:11"
        }
    ],
    "3515": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_rifdoor_w0",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_rifdoor",
            "last_hit_utc": "2025-01-05 17:28:05"
        }
    ],
    "3516": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_teslacrypt_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.teslacrypt.",
            "last_hit_utc": "2025-01-05 15:51:53"
        }
    ],
    "3517": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "win_tinba_g1",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-07-02 04:10:05"
        }
    ],
    "3518": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "WobbyChipMBR",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects WobbyChipMBR / Covid-21 ransomware",
            "last_hit_utc": "2025-06-16 15:55:05"
        }
    ],
    "3519": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "XOR_4byte_Key_RID2BD9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family",
            "yara_rule_description": "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)",
            "last_hit_utc": "2025-01-05 15:54:10"
        }
    ],
    "3520": [
        {
            "sample_cnt": 9,
            "yara_rule_name": "ZxShell_Related_Malware_CN_Group_Jul17_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell related sample from a CN threat group",
            "last_hit_utc": "2025-06-16 16:17:25"
        }
    ],
    "3521": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "ach_LimeRAT",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/b8ae86c2afee9948e6f949892e0162e5/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:23:30"
        }
    ],
    "3522": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "AgentTesla_extracted_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": null,
            "yara_rule_description": "AgentTesla extracted",
            "last_hit_utc": "2025-01-05 16:23:42"
        }
    ],
    "3523": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Agenttesla_telegram_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/b4ceef1e-a649-44b7-9e0c-e53c3ab05354",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:23:42"
        }
    ],
    "3524": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "agent_tesla",
            "yara_rule_author": "Stormshield",
            "yara_rule_reference": "",
            "yara_rule_description": "Detecting HTML strings used by Agent Tesla malware",
            "last_hit_utc": "2022-07-31 06:06:15"
        }
    ],
    "3525": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "ASPXspy2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Web shell - file ASPXspy2.aspx",
            "last_hit_utc": "2025-01-05 16:42:05"
        }
    ],
    "3526": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "AsyncRAT_057B",
            "yara_rule_author": "kirkderp",
            "yara_rule_reference": "https://github.com/kirkderp/yara",
            "yara_rule_description": "AsyncRAT 0.5.7B -- minimal .NET RAT with PBKDF2 key derivation and MessagePack serialization",
            "last_hit_utc": "2026-04-20 23:03:03"
        }
    ],
    "3527": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "azorult",
            "yara_rule_author": "c3rb3ru5",
            "yara_rule_reference": null,
            "yara_rule_description": "Azorult Configuration Extractor",
            "last_hit_utc": "2025-06-16 15:57:59"
        }
    ],
    "3528": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "BadRabbit_Gen_RID2BE5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://pastebin.com/Y7pJv3tK",
            "yara_rule_description": "Detects BadRabbit Ransomware",
            "last_hit_utc": "2025-09-30 14:11:35"
        }
    ],
    "3529": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Base64_decoding",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)",
            "last_hit_utc": "2022-11-10 16:26:05"
        }
    ],
    "3530": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Base64_PS1_Shellcode",
            "yara_rule_author": "Nick Carr, David Ledbetter",
            "yara_rule_reference": "https://twitter.com/ItsReallyNick/status/1062601684566843392",
            "yara_rule_description": "Detects Base64 encoded PS1 Shellcode",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "3531": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "BazarLoader",
            "yara_rule_author": "Dhanunjaya ",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule to Detect Bazar Loader",
            "last_hit_utc": "2025-01-05 14:45:04"
        }
    ],
    "3532": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "blustealer_core",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "BluStealer Core Payload",
            "last_hit_utc": "2025-01-05 15:57:54"
        }
    ],
    "3533": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "CN_Honker_smsniff_smsniff",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file smsniff.exe",
            "last_hit_utc": "2025-01-05 16:56:10"
        }
    ],
    "3534": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Cobaltstrike1",
            "yara_rule_author": "Ahmet Payaslioglu | Binalyze DFIR LAB",
            "yara_rule_reference": "",
            "yara_rule_description": "Cobalt Strike Detection",
            "last_hit_utc": "2022-10-30 07:51:04"
        }
    ],
    "3535": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Cobaltstrike2",
            "yara_rule_author": "Ahmet Payaslioglu | Binalyze DFIR LAB",
            "yara_rule_reference": "",
            "yara_rule_description": "Cobalt Strike Detection",
            "last_hit_utc": "2022-10-30 07:51:04"
        }
    ],
    "3536": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "CredentialStealer_Generic_Backdoor_RID347C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects credential stealer based on many strings that indicate password store access",
            "last_hit_utc": "2025-01-05 17:29:00"
        }
    ],
    "3537": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "crime_win64_bumblebee_powershell_loader",
            "yara_rule_author": "Rony",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Powershell Loader used to load bumblebee in memory",
            "last_hit_utc": "2025-01-05 15:34:01"
        }
    ],
    "3538": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "DelBat1",
            "yara_rule_author": "Madhav",
            "yara_rule_reference": null,
            "yara_rule_description": "This is a bat file which deletes the malicious file after the malicious files are executed",
            "last_hit_utc": "2026-04-25 00:25:42"
        }
    ],
    "3539": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "detect_RWS_pe_rule",
            "yara_rule_author": "wonderkun",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RWX-S signed binaries. This only verifies that the image contains a signature, not that it is valid.",
            "last_hit_utc": "2025-08-17 09:57:27"
        }
    ],
    "3540": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Detect_Squirrel_Banker",
            "yara_rule_author": "@johnk3r",
            "yara_rule_reference": "https://twitter.com/johnk3r/status/1770244020637192398",
            "yara_rule_description": "Detect first stage of TRJ_Banker using squirrel",
            "last_hit_utc": "2025-01-05 17:24:48"
        }
    ],
    "3541": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Disable_Defender",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen",
            "last_hit_utc": "2022-12-06 11:38:03"
        }
    ],
    "3542": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "ELF_RANSOMWARE_BLACKCAT",
            "yara_rule_author": "Jesper Mikkelsen",
            "yara_rule_reference": "https://www.virustotal.com/gui/file/056d28621dca8990caf159f8e14069a2343b48146473d2ac586ca9a51dfbbba7",
            "yara_rule_description": "Detect Linux version of BlackCat Ransomware",
            "last_hit_utc": "2025-06-24 07:12:35"
        }
    ],
    "3543": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2022-08-02 12:07:03"
        }
    ],
    "3544": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Erbium_Stealer_Obfuscated",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": null,
            "yara_rule_description": "Erbium Stealer in its obfuscated format",
            "last_hit_utc": "2025-01-05 15:20:26"
        }
    ],
    "3545": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "EXE_Python_Stealer_Jan2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:31:27"
        }
    ],
    "3546": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "FSGv20",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-16 00:38:07"
        }
    ],
    "3547": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Gh0stKCP",
            "yara_rule_author": "Netresec",
            "yara_rule_reference": null,
            "yara_rule_description": "Checks for Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.",
            "last_hit_utc": "2025-09-28 19:30:35"
        }
    ],
    "3548": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "GolangDetection",
            "yara_rule_author": "Randy Balzer",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect binaries compiled with Golang.",
            "last_hit_utc": "2025-01-03 22:41:55"
        }
    ],
    "3549": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "HackTool_MSIL_Rubeus_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project.",
            "last_hit_utc": "2026-02-22 18:16:18"
        }
    ],
    "3550": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "HKTL_NET_GUID_Quasar",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/quasar/Quasar",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-03-31 15:07:20"
        }
    ],
    "3551": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "HKTL_NET_GUID_Rubeus",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/Rubeus",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-02-22 18:16:18"
        }
    ],
    "3552": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "HKTL_NET_GUID_StormKitty",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/LimerBoy/StormKitty",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2023-03-22 14:38:03"
        }
    ],
    "3553": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "HKTL_NET_GUID_ToxicEye",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/LimerBoy/ToxicEye",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-03-08 16:10:21"
        }
    ],
    "3554": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "IMPLANT_4_v3_AlternativeRule",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "US CERT Grizzly Steppe Report",
            "yara_rule_description": "BlackEnergy / Voodoo Bear Implant by APT28",
            "last_hit_utc": "2022-07-13 14:17:02"
        }
    ],
    "3555": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_EXE_Packed_aPLib",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with aPLib.",
            "last_hit_utc": "2025-04-28 05:46:08"
        }
    ],
    "3556": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_KB_CERT_559cb90fd16e9d1ad375f050ab6a6616",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-06-16 16:48:10"
        }
    ],
    "3557": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2024-06-25 20:17:44"
        }
    ],
    "3558": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_BlackCat",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects files referencing identities associated with BlackCat ransomware",
            "last_hit_utc": "2022-11-15 12:30:03"
        }
    ],
    "3559": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_DeleteShimCache",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables embedding anti-forensic artifacts of deleting shim cache",
            "last_hit_utc": "2025-06-16 16:30:42"
        }
    ],
    "3560": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_VPN",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many VPN software clients",
            "last_hit_utc": "2021-12-20 08:43:04"
        }
    ],
    "3561": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing many base64-encoded IR and analysis tools names",
            "last_hit_utc": "2022-09-24 09:41:09"
        }
    ],
    "3562": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_SUSPICOIUS_B64_Encoded_UserAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables containing base64 encoded User Agent",
            "last_hit_utc": "2021-07-14 10:49:53"
        }
    ],
    "3563": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_TOOL_EXP_SeriousSAM02",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects tool variants potentially exploiting SeriousSAM / HiveNightmare (CVE-2021-36934)",
            "last_hit_utc": "2026-02-28 09:57:16"
        }
    ],
    "3564": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_TOOL_PWS_Blackbone",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the Blackbone password dumping tool on Windows 7-10 operating systems.",
            "last_hit_utc": "2025-01-05 17:10:17"
        }
    ],
    "3565": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "INDICATOR_TOOL_Sliver",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the Sliver implant (cross-platform adversary emulation/red team framework)",
            "last_hit_utc": "2022-11-16 18:18:01"
        }
    ],
    "3566": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "kimwolf_dropper_apk",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": null,
            "yara_rule_description": "Kimwolf residential proxy botnet - Android APK dropper",
            "last_hit_utc": "2026-04-23 15:13:34"
        }
    ],
    "3567": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "kimwolf_proxy",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": null,
            "yara_rule_description": "Kimwolf residential proxy botnet - C/C++ variants with ENS C2 (Gen 1-3)",
            "last_hit_utc": "2026-04-23 15:13:33"
        }
    ],
    "3568": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Kovter",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Kovter Payload",
            "last_hit_utc": "2022-11-04 00:09:04"
        }
    ],
    "3569": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "lb_stack_string_decrypt_0001",
            "yara_rule_author": "CTI Purple Team",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects the code pattern of the Stack Strings decryption algorithm.",
            "last_hit_utc": "2024-05-25 01:20:02"
        }
    ],
    "3570": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "lb_stack_string_decrypt_100",
            "yara_rule_author": "CTI Purple Team",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects the code pattern of the Stack Strings decryption algorithm.",
            "last_hit_utc": "2024-05-25 01:20:03"
        }
    ],
    "3571": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "LinuxUnknownCode",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 22:06:33"
        }
    ],
    "3572": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Linux_Generic_Threat_23d54a0e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-11 18:25:41"
        }
    ],
    "3573": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Linux_Hacktool_Flooder_9417f77b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "60ff13e27dad5e6eadb04011aa653a15e1a07200b6630fdd0d0d72a9ba797d68",
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 16:18:27"
        }
    ],
    "3574": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Linux_Trojan_Gafgyt_e4a1982b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-09 16:36:04"
        }
    ],
    "3575": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Linux_Trojan_Mettle_78aead1c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-09 16:40:44"
        }
    ],
    "3576": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Linux_Trojan_Mirai_d33095d4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-02 10:23:25"
        }
    ],
    "3577": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Linux_Trojan_Mirai_e0cf29e2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "3578": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Linux_Trojan_Ngioweb_d57aa841",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-08 00:09:33"
        }
    ],
    "3579": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Linux_Trojan_Tsunami_30c039e2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-25 18:47:08"
        }
    ],
    "3580": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Linux_Trojan_Tsunami_97288af8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-20 19:37:15"
        }
    ],
    "3581": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "malware_bumblebee_packed",
            "yara_rule_author": "Marc Salinas @ CheckPoint Research",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the packer used by Bumblebee; the rule is based on the code responsible for allocating memory for a critical structure in its logic.",
            "last_hit_utc": "2022-11-24 04:19:03"
        }
    ],
    "3582": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "malware_QakBot",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects QakBot (a.k.a. Qbot, Quakbot, Pinkslipbot) in memory",
            "last_hit_utc": "2026-02-02 11:14:26"
        }
    ],
    "3583": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Malware_QA_not_copy",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file not copy.exe",
            "last_hit_utc": "2022-09-17 14:52:03"
        }
    ],
    "3584": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "malware_Ursnif_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "Detects Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "3585": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MALWARE_Win_BlackshadesRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "BlackshadesRAT / Cambot POS payload",
            "last_hit_utc": "2022-08-31 02:34:18"
        }
    ],
    "3586": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MALWARE_Win_Fabookie",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Fabookie / ElysiumStealer",
            "last_hit_utc": "2023-08-11 09:50:05"
        }
    ],
    "3587": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MALWARE_Win_Hive",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Hive ransomware",
            "last_hit_utc": "2022-03-18 11:57:04"
        }
    ],
    "3588": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MALWARE_Win_PYSA",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PYSA/Mespinoza ransomware",
            "last_hit_utc": "2021-04-08 05:07:21"
        }
    ],
    "3589": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MALWARE_Win_Ratty",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Ratty Java RAT",
            "last_hit_utc": "2023-01-13 18:06:03"
        }
    ],
    "3590": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MALWRE_Win_DarkGate",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects DarkGate infostealer and coinminer",
            "last_hit_utc": "2025-01-03 20:04:23"
        }
    ],
    "3591": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MAL_HawkEye_Keylogger_Gen_Dec18_RID324D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/James_inthe_box/status/1072116224652324870",
            "yara_rule_description": "Detects HawkEye Keylogger Reborn",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "3592": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MAL_Ramnit_May19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/",
            "yara_rule_description": "Detects Ramnit malware",
            "last_hit_utc": "2022-08-23 14:56:03"
        }
    ],
    "3593": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MAL_Sednit_DelphiDownloader_Apr18_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
            "yara_rule_description": "Detects malware from Sednit Delphi Downloader report",
            "last_hit_utc": "2025-04-28 19:17:10"
        }
    ],
    "3594": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "MoleBoxV23XMoleStudiocom",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-25 02:13:15"
        }
    ],
    "3595": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Multi_Hacktool_Nps_c6eb4a27",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657",
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-10 20:34:49"
        }
    ],
    "3596": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Nautilus",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-26 14:11:31"
        }
    ],
    "3597": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "OnionDuke",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-24 00:37:53"
        }
    ],
    "3598": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "OpCloudHopper_Malware_2_RID2FEE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects Operation CloudHopper malware samples",
            "last_hit_utc": "2025-11-05 08:21:38"
        }
    ],
    "3599": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "OpCloudHopper_Malware_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects malware from Operation Cloud Hopper",
            "last_hit_utc": "2026-04-13 06:03:07"
        }
    ],
    "3600": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Petitev14",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:24:36"
        }
    ],
    "3601": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Petitev211",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:11:59"
        }
    ],
    "3602": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "PEtitev22",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:11:59"
        }
    ],
    "3603": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "PEtitevxx",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:24:36"
        }
    ],
    "3604": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "PseudoSigner02ASProtectAnorganix",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 09:09:16"
        }
    ],
    "3605": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "PUA_CryptoMiner_Jan19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Crypto Miner strings",
            "last_hit_utc": "2025-11-23 10:45:39"
        }
    ],
    "3606": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Qakbot",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule To Detect Qakbot",
            "last_hit_utc": "2021-12-15 16:40:50"
        }
    ],
    "3607": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Ramnit",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Ramnit Payload",
            "last_hit_utc": "2026-04-23 15:13:27"
        }
    ],
    "3608": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "ransomware_darkbit_windows_asm",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:55:07"
        }
    ],
    "3609": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "RANSOM_wastedlocker",
            "yara_rule_author": "McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect unpacked samples of WastedLocker",
            "last_hit_utc": "2020-11-03 14:27:27"
        }
    ],
    "3610": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Ran_Buran_Oct_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/JAMESWT_MHT/status/1323956405976600579",
            "yara_rule_description": "Detect Buran ransomware",
            "last_hit_utc": "2023-02-09 14:37:03"
        }
    ],
    "3611": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "silentbuilder_03_03",
            "yara_rule_author": "James Quinn",
            "yara_rule_reference": null,
            "yara_rule_description": "SilentBuilder xls sheets",
            "last_hit_utc": "2021-03-05 10:57:07"
        }
    ],
    "3612": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "SUSP_LNX_Linux_Malware_Indicators_Aug20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects indicators often found in Linux malware samples. Note: This detection is based on common characteristics typically associated with the mentioned threats; it must be considered a clue and does not conclusively prove maliciousness.",
            "last_hit_utc": "2026-04-13 20:25:25"
        }
    ],
    "3613": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "SUSP_NET_Base64_Xor_Implementation",
            "yara_rule_author": "Jonathan Peters (cod3nym)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects .NET applications implementing xor encryption/decryption for Base64 strings",
            "last_hit_utc": "2026-04-23 12:02:41"
        }
    ],
    "3614": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "SUSP_Patcher_Keygen_Indicators_Jun15",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset",
            "last_hit_utc": "2026-03-26 15:37:13"
        }
    ],
    "3615": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "SUSP_RTF_with_potential_CVE_2026_21509_exploit_nows",
            "yara_rule_author": "Philippe Lagadec",
            "yara_rule_reference": "https://decalage.info/CVE-2026-21509/",
            "yara_rule_description": "Detects RTF files containing a Shell.Explorer.1 OLE object, possibly an exploit for CVE-2026-21509",
            "last_hit_utc": "2026-04-01 13:52:24"
        }
    ],
    "3616": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "SUSP_Two_Byte_XOR_PE_And_MZ",
            "yara_rule_author": "Wesley Shields <wxs@atarininja.org>",
            "yara_rule_reference": "https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83",
            "yara_rule_description": "Look for 2 byte xor of a PE starting at offset 0",
            "last_hit_utc": "2026-02-17 22:02:16"
        }
    ],
    "3617": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "S_MultiFunction_Scanners_s",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file s.exe",
            "last_hit_utc": "2026-01-02 22:17:12"
        }
    ],
    "3618": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "S_MultiFunction_Scanners_s_RID3182",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file s.exe",
            "last_hit_utc": "2026-01-02 22:17:12"
        }
    ],
    "3619": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "test2910",
            "yara_rule_author": "lampulima",
            "yara_rule_reference": null,
            "yara_rule_description": "test abuse.ch",
            "last_hit_utc": "2026-03-06 09:57:18"
        }
    ],
    "3620": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "TrickBot",
            "yara_rule_author": "sysopfb & kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "TrickBot Payload",
            "last_hit_utc": "2022-10-06 15:26:05"
        }
    ],
    "3621": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "UpackV037Dwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-07 15:34:20"
        }
    ],
    "3622": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "VideoLanClient",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 10:28:09"
        }
    ],
    "3623": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "webshell_php_404",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file 404.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "3624": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win32_lumma_stealer",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting LummaStealer malware",
            "last_hit_utc": "2025-11-23 10:26:06"
        }
    ],
    "3625": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Win32_Ransomware_Kovter",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Kovter ransomware.",
            "last_hit_utc": "2022-11-04 00:09:04"
        }
    ],
    "3626": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Win32_Ransomware_Teslacrypt",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Teslacrypt ransomware.",
            "last_hit_utc": "2025-01-05 15:51:53"
        }
    ],
    "3627": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Win32_Ransomware_Zeppelin",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Zeppelin ransomware.",
            "last_hit_utc": "2022-10-04 09:55:03"
        }
    ],
    "3628": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Win32_Trojan_Dridex",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Dridex trojan.",
            "last_hit_utc": "2022-08-30 22:53:43"
        }
    ],
    "3629": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Generic_Threat_9c7d2333",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-30 19:15:18"
        }
    ],
    "3630": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Generic_Threat_c3c8f21a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 11:06:42"
        }
    ],
    "3631": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Hacktool_EDRrecon_ca314aa1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-30 17:32:14"
        }
    ],
    "3632": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Rootkit_R77_99050e7d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-02 12:54:36"
        }
    ],
    "3633": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Rootkit_R77_d0367e28",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-30 01:48:36"
        }
    ],
    "3634": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Trojan_ArkeiStealer_84c7086a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-15 23:11:14"
        }
    ],
    "3635": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Trojan_IcedID_11d24d35",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-11 14:46:03"
        }
    ],
    "3636": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Trojan_MassLogger_511b001e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:31:54"
        }
    ],
    "3637": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Trojan_Matanbuchus_4ce9affb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:30:26"
        }
    ],
    "3638": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Trojan_Netwire_6a7df287",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-06-25 21:36:03"
        }
    ],
    "3639": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Trojan_Netwire_6a7df287",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction",
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-24 20:46:24"
        }
    ],
    "3640": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Trojan_Netwire_f85e4abc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-02-15 12:36:04"
        }
    ],
    "3641": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Trojan_XtremeRAT_cd5b60be",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-11 15:43:05"
        }
    ],
    "3642": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_Trojan_XtremeRAT_cd5b60be",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-11 15:43:05"
        }
    ],
    "3643": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Windows_VulnDriver_WinDivert_25991186",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:18:25"
        }
    ],
    "3644": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_avzhan_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.avzhan.",
            "last_hit_utc": "2022-10-17 09:21:03"
        }
    ],
    "3645": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_coldseal_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.coldseal.",
            "last_hit_utc": "2025-01-03 21:21:52"
        }
    ],
    "3646": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_cryptowall_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cryptowall.",
            "last_hit_utc": "2023-04-28 20:16:04"
        }
    ],
    "3647": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_darkbit_w3",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:55:07"
        }
    ],
    "3648": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_gratem_w0",
            "yara_rule_author": "Omri AT Minerva Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-14 14:33:34"
        }
    ],
    "3649": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_hakbit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-05 15:12:15"
        }
    ],
    "3650": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_matanbuchus",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Matanbuchus MaaS loader and core",
            "last_hit_utc": "2025-06-16 16:30:26"
        }
    ],
    "3651": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_miancha_w0",
            "yara_rule_author": "Context Threat Intelligence",
            "yara_rule_reference": "http://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf",
            "yara_rule_description": "Bytes inside",
            "last_hit_utc": "2026-03-29 12:12:15"
        }
    ],
    "3652": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_pykspa_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.pykspa.",
            "last_hit_utc": "2025-03-26 12:59:30"
        }
    ],
    "3653": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_sidetwist_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.sidetwist.",
            "last_hit_utc": "2025-12-26 20:23:15"
        }
    ],
    "3654": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_tinynuke_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-12-25 15:55:47"
        }
    ],
    "3655": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_xpertrat_a0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-04-23 19:44:12"
        }
    ],
    "3656": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "win_zeppelin_ransomware_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-10-04 09:55:03"
        }
    ],
    "3657": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "XOR_4byte_Key",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family",
            "yara_rule_description": "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)",
            "last_hit_utc": "2025-01-05 15:54:10"
        }
    ],
    "3658": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Xtreme_Sep17_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects XTREME sample analyzed in September 2017",
            "last_hit_utc": "2024-04-11 15:43:05"
        }
    ],
    "3659": [
        {
            "sample_cnt": 8,
            "yara_rule_name": "Zeppelin",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Zeppelin ransomware and variants (Buran, Vega etc.)",
            "last_hit_utc": "2022-10-04 09:55:03"
        }
    ],
    "3660": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "ach_Guildma_2024_LNK",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects malicious LNK files spreading Guildma malware (June 2024)",
            "last_hit_utc": "2025-01-03 20:08:56"
        }
    ],
    "3661": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "ach_IcedID_xlsm_20210326",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/dc68b5b41a6d8d4972a57fecb7d630b2/",
            "yara_rule_description": "Detects IcedID xlsm",
            "last_hit_utc": "2021-05-12 10:31:05"
        }
    ],
    "3662": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "ach_JAR_in_oleObject",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects JAR files in Office oleObjects",
            "last_hit_utc": "2025-06-16 16:39:53"
        }
    ],
    "3663": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Agent_BTZ",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-02 08:13:04"
        }
    ],
    "3664": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "agent_tesla_2019",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-01-16 21:48:05"
        }
    ],
    "3665": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Android_Accessibility_Service_Abuse",
            "yara_rule_author": "Buga :3",
            "yara_rule_reference": "https://developer.android.com/reference/android/accessibilityservice/AccessibilityService",
            "yara_rule_description": "Detects Android malware abusing Accessibility Service for auto-clicking, credential theft, overlay attacks, or device takeover",
            "last_hit_utc": "2026-04-21 13:20:57"
        }
    ],
    "3666": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "APT_Dropper_Win64_TEARDROP_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule is intended to match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.",
            "last_hit_utc": "2025-01-05 16:00:34"
        }
    ],
    "3667": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "APT_MAL_RANSOM_ViceSociety_Chily_Jan23_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/",
            "yara_rule_description": "Detects Chily or SunnyDay malware used by Vice Society",
            "last_hit_utc": "2025-01-03 22:48:55"
        }
    ],
    "3668": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "apt_RU_MoonlightMaze_cle_tool",
            "yara_rule_author": "Kaspersky Lab",
            "yara_rule_reference": "https://en.wikipedia.org/wiki/Moonlight_Maze",
            "yara_rule_description": "Rule to detect Moonlight Maze 'cle' log cleaning tool",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "3669": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "ASPXspy2_RID29DB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Web shell - file ASPXspy2_RID29DB.aspx",
            "last_hit_utc": "2025-01-05 16:42:05"
        }
    ],
    "3670": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "AuroraStealer",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": null,
            "yara_rule_description": "detects Aurora Stealer samples",
            "last_hit_utc": "2025-01-05 15:52:15"
        }
    ],
    "3671": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Avaddon",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Avaddon ransomware.",
            "last_hit_utc": "2025-06-16 16:33:40"
        }
    ],
    "3672": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "blackcat_fcn_00401e20",
            "yara_rule_author": "Michael Davis",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:53:56"
        }
    ],
    "3673": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "blackguard_stealer",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked blackguard malware samples.",
            "last_hit_utc": "2025-09-30 09:26:32"
        }
    ],
    "3674": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "BlackMatter",
            "yara_rule_author": "ATR McAfee",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-08-25 09:28:05"
        }
    ],
    "3675": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "BTC_Miner_lsass1_chrome_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - CN Actor",
            "yara_rule_description": "Detects a Bitcoin Miner",
            "last_hit_utc": "2023-01-22 05:32:06"
        }
    ],
    "3676": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "BTC_Miner_lsass1_chrome_2_RID3068",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - CN Actor",
            "yara_rule_description": "Detects a Bitcoin Miner",
            "last_hit_utc": "2025-11-23 10:45:39"
        }
    ],
    "3677": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "CN_Honker_Injection_transit",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file Injection_transit.exe",
            "last_hit_utc": "2025-01-03 22:03:38"
        }
    ],
    "3678": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "CN_Honker_Injection_transit_RID31CE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file Injection_transit.exe",
            "last_hit_utc": "2025-01-03 22:03:38"
        }
    ],
    "3679": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "CN_Honker_Webshell_ASPX_aspx_RID31B3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Webshell from CN Honker Pentest Toolset - file aspx.txt",
            "last_hit_utc": "2025-01-05 16:42:05"
        }
    ],
    "3680": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "CN_Honker_WordpressScanner",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file WordpressScanner.exe",
            "last_hit_utc": "2025-01-05 15:31:20"
        }
    ],
    "3681": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "CN_Honker__builder_shift_SkinH_RID32C6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe",
            "last_hit_utc": "2023-02-27 18:25:19"
        }
    ],
    "3682": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "CobaltStrike__Sleeve_Beacon_x64_v4_3",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-21 13:49:10"
        }
    ],
    "3683": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "crime_warmcookie",
            "yara_rule_author": "Rony (r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects warmcookie malware",
            "last_hit_utc": "2025-04-02 08:45:34"
        }
    ],
    "3684": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "DarkVision_upload",
            "yara_rule_author": "01Xyris",
            "yara_rule_reference": null,
            "yara_rule_description": "DarkVision_upload",
            "last_hit_utc": "2025-06-16 16:57:56"
        }
    ],
    "3685": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "DefenderControl",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.sordum.org/9480/defender-control-v1-8/",
            "yara_rule_description": "Identifies Defender Control, used by attackers to disable Windows Defender.",
            "last_hit_utc": "2025-05-20 17:07:16"
        }
    ],
    "3686": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Detect_PDB_LATAM_Banker",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-14 19:57:39"
        }
    ],
    "3687": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "DoejoCrypt",
            "yara_rule_author": "James Quinn",
            "yara_rule_reference": null,
            "yara_rule_description": "DoejoCrypt Detection",
            "last_hit_utc": "2021-03-13 20:51:01"
        }
    ],
    "3688": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "dotfuscator",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "Dotfuscator",
            "last_hit_utc": "2025-11-15 14:14:18"
        }
    ],
    "3689": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "elf_moose_w1",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-13 15:19:17"
        }
    ],
    "3690": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "EXE_NetWire_RAT_Unpacked_April_2024",
            "yara_rule_author": "NDA0N",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unpacked NetWire RAT executable",
            "last_hit_utc": "2025-01-05 17:29:01"
        }
    ],
    "3691": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Gen_Net_LocalGroup_Administrators_Add_Command",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an executable that contains a command to add a user account to the local administrators group",
            "last_hit_utc": "2023-08-03 12:55:32"
        }
    ],
    "3692": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "GuLoader",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-07-07 13:45:02"
        }
    ],
    "3693": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "HKTL_NET_GUID_Stealer",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/malwares/Stealer",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "3694": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "HTKL_BlackBone_DriverInjector",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/DarthTon/Blackbone",
            "yara_rule_description": "Detects BlackBone Driver injector",
            "last_hit_utc": "2025-01-05 17:10:16"
        }
    ],
    "3695": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Icedid_Unpacked_in_Memory",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/icedid-technical-analysis/",
            "yara_rule_description": "This rule detects samples from the IcedID family unpacked in memory, identifying code reuse of key functions.",
            "last_hit_utc": "2025-02-20 02:17:21"
        }
    ],
    "3696": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_EXE_Packed_eXPressor",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with eXPressor",
            "last_hit_utc": "2025-10-04 11:05:59"
        }
    ],
    "3697": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_EXE_Packed_SimplePolyEngine",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality",
            "last_hit_utc": "2022-08-31 04:24:19"
        }
    ],
    "3698": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_KB_CERT_033ed5eda065d1b8c91dfcf92a6c9bd8",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2021-11-27 18:51:04"
        }
    ],
    "3699": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_KB_CERT_65628c146ace93037fc58659f14bd35f",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 14:46:34"
        }
    ],
    "3700": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_KB_CERT_731d40ae3f3a1fb2bc3d8395",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2021-07-15 10:55:59"
        }
    ],
    "3701": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_RTF_Embedded_Excel_SheetMacroEnabled",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RTF documents embedding an Excel sheet with macros enabled. Observed in exploit followed by dropper behavior",
            "last_hit_utc": "2021-04-02 06:42:50"
        }
    ],
    "3702": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables with modified PE resources using the unpaid version of Resource Tuner",
            "last_hit_utc": "2022-08-12 06:07:04"
        }
    ],
    "3703": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_IMG_Embedded_B64_EXE",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects images with specific base64 markers and/or embedding (reversed) base64-encoded executables",
            "last_hit_utc": "2026-04-13 10:57:41"
        }
    ],
    "3704": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_SUSPICOUS_EXE_UNC_Regex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables with considerable number of regexes often observed in infostealers",
            "last_hit_utc": "2025-06-21 21:46:56"
        }
    ],
    "3705": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_TOOL_PET_DefenderControl",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Defender Control",
            "last_hit_utc": "2025-05-20 17:07:16"
        }
    ],
    "3706": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "INDICATOR_TOOL_SCR_Amady",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects screenshot stealer DLL. Dropped by Amadey",
            "last_hit_utc": "2021-06-13 13:24:33"
        }
    ],
    "3707": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "IronTiger_Gh0stRAT_variant",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "This is a detection for a s.exe variant seen in Op. Iron Tiger",
            "last_hit_utc": "2025-08-17 18:38:27"
        }
    ],
    "3708": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "LaZagne",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://github.com/AlessandroZ/LaZagne",
            "yara_rule_description": "Identifies LaZagne, credentials recovery project.",
            "last_hit_utc": "2026-02-17 12:07:15"
        }
    ],
    "3709": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "LimeRAT_May_2024",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LimeRAT",
            "last_hit_utc": "2025-01-05 17:27:06"
        }
    ],
    "3710": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Generic_Threat_a8faf785",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-16 07:10:26"
        }
    ],
    "3711": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Rootkit_Jynx_c470eaff",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-12 17:06:14"
        }
    ],
    "3712": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Trojan_Ddostf_dc47a873",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-07 13:28:18"
        }
    ],
    "3713": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Trojan_Dropperl_39f4cd0d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-09 10:55:19"
        }
    ],
    "3714": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Trojan_Mirai_01e4a728",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "3715": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Trojan_Mirai_1754b331",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 18:11:49"
        }
    ],
    "3716": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Trojan_Mirai_3fe3c668",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:04"
        }
    ],
    "3717": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Trojan_Mirai_520deeb8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "3718": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Trojan_Patpooty_f90c7e43",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 09:57:18"
        }
    ],
    "3719": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Linux_Trojan_Rbot_96625c8c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-28 01:55:06"
        }
    ],
    "3720": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Locky",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Locky Payload",
            "last_hit_utc": "2023-11-20 22:57:02"
        }
    ],
    "3721": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "LokiBot_Dropper_Packed_R11_Feb18_RID328F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5",
            "yara_rule_description": "Semiautomatically generated YARA rule - file scan copy.pdf.r11",
            "last_hit_utc": "2025-09-03 09:32:24"
        }
    ],
    "3722": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MALWARE_Win_Avalon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Avalon infostealer payload",
            "last_hit_utc": "2022-07-11 12:26:03"
        }
    ],
    "3723": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MALWARE_Win_CookieStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects generic cookie stealer",
            "last_hit_utc": "2025-01-05 15:04:03"
        }
    ],
    "3724": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MALWARE_Win_DLAgent14",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects downloader injector",
            "last_hit_utc": "2021-12-16 09:16:51"
        }
    ],
    "3725": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MALWARE_Win_IAmTheKingScrCap",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "IAmTheKing screen capture payload",
            "last_hit_utc": "2021-07-11 22:06:19"
        }
    ],
    "3726": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MALWARE_Win_LokiLocker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LokiLocker ransomware",
            "last_hit_utc": "2025-11-23 10:45:15"
        }
    ],
    "3727": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MALWARE_Win_Thanos",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Thanos ransomware",
            "last_hit_utc": "2022-09-21 04:06:42"
        }
    ],
    "3728": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MALW_PE_PirateStealer_1_4_5",
            "yara_rule_author": "skyeto",
            "yara_rule_reference": "https://twitter.com/skyetothefox/status/1444442313367998467",
            "yara_rule_description": "PirateStealer v1.4.5 malware",
            "last_hit_utc": "2025-08-13 21:04:27"
        }
    ],
    "3729": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MAL_JRAT_Oct18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects JRAT malware",
            "last_hit_utc": "2025-07-23 17:52:26"
        }
    ],
    "3730": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MAL_Msdt_MSProtocolURI_May22",
            "yara_rule_author": "Tobias Michalski, Christian Burkard",
            "yara_rule_reference": "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
            "yara_rule_description": "Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190",
            "last_hit_utc": "2022-07-13 09:55:03"
        }
    ],
    "3731": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/",
            "yara_rule_description": "Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group",
            "last_hit_utc": "2025-01-05 14:45:17"
        }
    ],
    "3732": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MAL_RANSOM_LockBit_Apr23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://objective-see.org/blog/blog_0x75.html",
            "yara_rule_description": "Detects indicators found in LockBit ransomware",
            "last_hit_utc": "2025-09-15 06:19:51"
        }
    ],
    "3733": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "MAL_Unknown_PWDumper_Apr18_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects sample from unknown sample set - IL origin",
            "last_hit_utc": "2025-11-23 10:26:52"
        }
    ],
    "3734": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Mimikatz_SampleSet_5",
            "yara_rule_author": "Florian Roth - Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Mimikatz Rule generated from a big Mimikatz sample set",
            "last_hit_utc": "2025-12-03 07:14:18"
        }
    ],
    "3735": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "mybillgates",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "billgates",
            "last_hit_utc": "2025-01-05 14:50:56"
        }
    ],
    "3736": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Oyster",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "Oyster Payload",
            "last_hit_utc": "2024-06-19 23:34:03"
        }
    ],
    "3737": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "p0wnedPotato_RID2BD6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato_RID2BD6.cs",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "3738": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "PureCryptCMD",
            "yara_rule_author": "01Xyris",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PureCrypters .cmd output",
            "last_hit_utc": "2025-06-16 16:25:59"
        }
    ],
    "3739": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Pysa",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Pysa aka Mespinoza ransomware.",
            "last_hit_utc": "2021-04-08 05:07:21"
        }
    ],
    "3740": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Record_Breaker_Similarities",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:14:21"
        }
    ],
    "3741": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "RemCom_RemoteCommandExecution_RID3292",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/tezXZt",
            "yara_rule_description": "Detects strings from RemCom tool",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "3742": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Sig_RemoteAdmin_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects strings from well-known APT malware",
            "last_hit_utc": "2021-02-18 13:32:49"
        }
    ],
    "3743": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "SocGholish_Obfuscated",
            "yara_rule_author": "Ankit Anubhav -ankitanubhav.info",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects reverse obfuscated socgholish string",
            "last_hit_utc": "2022-07-16 12:13:02"
        }
    ],
    "3744": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "SUSP_LNK_lnkfileoverRFC",
            "yara_rule_author": "@Grotezinfosec, modified by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects APT lnk files that run double extraction and launch routines with autoruns",
            "last_hit_utc": "2026-02-06 22:13:14"
        }
    ],
    "3745": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "susp_msoffice_addins_wxll",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://twitter.com/JohnLaTwC/status/1315287078855352326",
            "yara_rule_description": "hunt for suspicious MS Office Addins with code injection capabilities",
            "last_hit_utc": "2025-11-04 08:50:04"
        }
    ],
    "3746": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "SUSP_OBFUSC_PowerShell_True_Jun20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/corneacristian/mimikatz-bypass/",
            "yara_rule_description": "Detects indicators often found in obfuscated PowerShell scripts. Note: This detection is based on common characteristics typically associated with the mentioned threats, must be considered a clue and does not conclusively prove maliciousness.",
            "last_hit_utc": "2026-04-10 18:26:22"
        }
    ],
    "3747": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "SUSP_PowerShell_IEX_Download_Combo",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/JaromirHorejsi/status/1047084277920411648",
            "yara_rule_description": "Detects strings found in sample from CN group repo leak in October 2018",
            "last_hit_utc": "2022-10-04 21:23:04"
        }
    ],
    "3748": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "SUSP_SFX_cmd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious SFX as used by Gamaredon group",
            "last_hit_utc": "2022-11-04 18:29:03"
        }
    ],
    "3749": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "SUSP_SFX_cmd_RID2B3F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious SFX as used by Gamaredon group",
            "last_hit_utc": "2025-01-22 19:06:01"
        }
    ],
    "3750": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "SUSP_XMRIG_String",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious XMRIG crypto miner executable string in file",
            "last_hit_utc": "2025-01-05 15:07:58"
        }
    ],
    "3751": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "sus_python_evilai",
            "yara_rule_author": "Luke Acha",
            "yara_rule_reference": null,
            "yara_rule_description": "Suspected fake conversion and productivity apps (EvilAI) as Python compiled executables",
            "last_hit_utc": "2026-03-04 11:51:15"
        }
    ],
    "3752": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "tico_android",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects tico Android bots files",
            "last_hit_utc": "2026-04-15 22:16:03"
        }
    ],
    "3753": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "tispy_payload_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-03 17:20:28"
        }
    ],
    "3754": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "W32JeefoPEFileInfector",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 10:28:09"
        }
    ],
    "3755": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "webshell_asp_sql",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "ASP webshell giving SQL access. Might also be a dual use tool.",
            "last_hit_utc": "2022-06-21 13:09:02"
        }
    ],
    "3756": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Webshell_c100_RID2B9A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/nikicat/web-malware-collection",
            "yara_rule_description": "Detects Webshell - rule generated from files c100 v. 777shell",
            "last_hit_utc": "2023-08-29 13:01:14"
        }
    ],
    "3757": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Webshell_PHP_404_b_RID2D46",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file 404.php",
            "last_hit_utc": "2025-01-05 15:37:22"
        }
    ],
    "3758": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Webshell_Shell_Biz_c100_RID2F75",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "3759": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Win32_Ransomware_Xorist",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Xorist ransomware.",
            "last_hit_utc": "2022-10-29 23:27:03"
        }
    ],
    "3760": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Win32_Trojan_Dridex",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Dridex trojan.",
            "last_hit_utc": "2025-01-28 04:31:33"
        }
    ],
    "3761": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Exploit_FakePipe_6bc93551",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 14:20:35"
        }
    ],
    "3762": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Exploit_Generic_e95cc41c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-10 15:36:25"
        }
    ],
    "3763": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Generic_MalCert_eb360bb1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-30 09:31:07"
        }
    ],
    "3764": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Hacktool_Mimikatz_1ff74f7e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-05 11:30:23"
        }
    ],
    "3765": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Hacktool_WinPEAS_ng_94474b0b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "WinPEAS detection based on the bat script",
            "last_hit_utc": "2026-03-21 00:49:34"
        }
    ],
    "3766": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Infostealer_Generic_acde9261",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Observed in Stealc/Vidar samples",
            "last_hit_utc": "2025-11-12 12:24:19"
        }
    ],
    "3767": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Ransomware_Phobos_ff55774d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos",
            "yara_rule_description": "Identifies Phobos ransomware",
            "last_hit_utc": "2023-04-15 03:12:03"
        }
    ],
    "3768": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Trojan_Afdk_c952fcfa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-08 06:19:20"
        }
    ],
    "3769": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Trojan_AgentTesla_f2a90d14",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-07-19 12:52:02"
        }
    ],
    "3770": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Trojan_BruteRatel_5b12cbab",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-05 20:20:50"
        }
    ],
    "3771": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Trojan_DarkGate_07ef6f14",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-17 10:47:30"
        }
    ],
    "3772": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Trojan_Metasploit_66140f58",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-13 08:49:09"
        }
    ],
    "3773": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "Windows_Trojan_Metasploit_dd5ce989",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/",
            "yara_rule_description": "Identifies Meterpreter DLL used by Metasploit",
            "last_hit_utc": "2025-11-05 08:22:50"
        }
    ],
    "3774": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "WinRing0x64",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "rig_win64 - file WinRing0x64.sys",
            "last_hit_utc": "2026-03-25 09:04:20"
        }
    ],
    "3775": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_7ev3n_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.7ev3n.",
            "last_hit_utc": "2022-09-14 07:46:03"
        }
    ],
    "3776": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_astralocker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.astralocker.",
            "last_hit_utc": "2025-08-08 17:53:16"
        }
    ],
    "3777": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_avzhan_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.avzhan.",
            "last_hit_utc": "2025-01-05 15:30:29"
        }
    ],
    "3778": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_bqtlock_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.bqtlock.",
            "last_hit_utc": "2026-04-27 18:00:06"
        }
    ],
    "3779": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_darkgate_w1",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "DarkGate Payload",
            "last_hit_utc": "2025-01-17 10:47:30"
        }
    ],
    "3780": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_hellokitty_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.hellokitty.",
            "last_hit_utc": "2025-04-10 08:27:08"
        }
    ],
    "3781": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_keybase_w0",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies KeyBase aka Kibex.",
            "last_hit_utc": "2025-01-05 15:05:24"
        }
    ],
    "3782": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_koadic_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.koadic.",
            "last_hit_utc": "2025-12-31 17:26:14"
        }
    ],
    "3783": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_krbanker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-09 16:18:07"
        }
    ],
    "3784": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_lockbit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.lockbit.",
            "last_hit_utc": "2022-10-12 03:41:03"
        }
    ],
    "3785": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_nitrogen_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.nitrogen.",
            "last_hit_utc": "2026-04-14 09:23:34"
        }
    ],
    "3786": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_poulight_stealer_w0",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/d9e4933b-3229-4cb4-84e6-c45a336b15be/",
            "yara_rule_description": "Poulight stealer",
            "last_hit_utc": "2021-08-15 04:52:03"
        }
    ],
    "3787": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_pushdo_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.pushdo.",
            "last_hit_utc": "2022-11-06 18:04:03"
        }
    ],
    "3788": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_ramnit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.ramnit.",
            "last_hit_utc": "2026-04-23 15:13:28"
        }
    ],
    "3789": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "WIN_RANSOM_DEARCRY",
            "yara_rule_author": "!j",
            "yara_rule_reference": null,
            "yara_rule_description": "DEARCRY ransomware",
            "last_hit_utc": "2021-03-13 20:51:02"
        }
    ],
    "3790": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_socelars_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-13 10:43:35"
        }
    ],
    "3791": [
        {
            "sample_cnt": 7,
            "yara_rule_name": "win_warlock_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.warlock.",
            "last_hit_utc": "2026-03-30 15:18:16"
        }
    ],
    "3792": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ach_Gozi_doc_20210128",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/e0111eeb2d6c967876fcb1878e94f30d/",
            "yara_rule_description": "Detects Gozi ISFB doc",
            "last_hit_utc": "2021-12-25 20:51:47"
        }
    ],
    "3793": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ach_Quakbot_doc_20200812_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/bb1fb000955711b71146dfa29b9171fe/",
            "yara_rule_description": "Detects Quakbot DOC",
            "last_hit_utc": "2020-08-18 10:03:05"
        }
    ],
    "3794": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Adfind",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "http://www.joeware.net/freetools/tools/adfind/",
            "yara_rule_description": "Identifies Adfind, a Command line Active Directory query tool.",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "3795": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ando",
            "yara_rule_author": "Hugo Porcher",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf",
            "yara_rule_description": "Rule to detect Ando family",
            "last_hit_utc": "2026-02-13 15:19:16"
        }
    ],
    "3796": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "apk_flubot_w0",
            "yara_rule_author": "Thomas Barabosch, Telekom Security",
            "yara_rule_reference": "",
            "yara_rule_description": "matches on dumped, decrypted V/DEX files of Flubot version > 4.2",
            "last_hit_utc": "2022-10-28 22:47:02"
        }
    ],
    "3797": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_4_RID32D6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
            "yara_rule_description": "Detects HAFNIUM ASPX files dropped on compromised servers",
            "last_hit_utc": "2025-01-05 16:11:08"
        }
    ],
    "3798": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "APT_NK_Methodology_Artificial_UserAgent_IE_Win7",
            "yara_rule_author": "Steve Miller aka @stvemillertime",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects hard-coded User-Agent string that has been present in several APT37 malware families.",
            "last_hit_utc": "2025-12-03 14:15:10"
        }
    ],
    "3799": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Arkei",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Arkei Payload",
            "last_hit_utc": "2023-02-13 19:32:03"
        }
    ],
    "3800": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ASProtectSKE21xexeAlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 20:27:25"
        }
    ],
    "3801": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ASProtectv20",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 20:27:25"
        }
    ],
    "3802": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "bespin",
            "yara_rule_author": "Hugo Porcher",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf",
            "yara_rule_description": "Rule to detect Bespin family",
            "last_hit_utc": "2026-02-13 15:19:16"
        }
    ],
    "3803": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "BlackShades_25052015",
            "yara_rule_author": "Brian Wallace (@botnet_hunter)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "3804": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "bonadan",
            "yara_rule_author": "Hugo Porcher",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf",
            "yara_rule_description": "Rule to detect Bonadan family",
            "last_hit_utc": "2026-02-13 15:19:16"
        }
    ],
    "3805": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "cert_blocklist_0cf1ed2a6ff4bee621efdf725ea174b7",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2021-03-16 07:50:44"
        }
    ],
    "3806": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "cf5e - file cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8",
            "last_hit_utc": "2025-01-03 19:31:16"
        }
    ],
    "3807": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ciscotools",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Cisco tools",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "3808": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Cobaltbaltstrike_RAW_Payload_https_stager_x64",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2025-09-18 08:51:58"
        }
    ],
    "3809": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "CobaltStrike_Sleeve_Beacon_Dll_v4_1_and_v4_2",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/beacon.dll Versions 4.1 and 4.2",
            "last_hit_utc": "2025-01-05 17:02:34"
        }
    ],
    "3810": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "CobaltStrike__Sleeve_Beacon_Dll_v4_1_and_v4_2",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:02:34"
        }
    ],
    "3811": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Code_Sign_Cert_APT45_July2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:55:03"
        }
    ],
    "3812": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "CredentialStealer_Generic_Backdoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects credential stealer based on many strings that indicate password store access",
            "last_hit_utc": "2025-01-05 17:29:00"
        }
    ],
    "3813": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "CVE_2025_8088_rar_ADS_traversal",
            "yara_rule_author": "Travis Green <travis.green@corelight.com>",
            "yara_rule_reference": "https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/",
            "yara_rule_description": "Detects CVE-2025-8088 WinRAR NTFS ADS path traversal exploitation",
            "last_hit_utc": "2026-02-10 08:35:16"
        }
    ],
    "3814": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "darktortilla",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "DarkTortilla Crypter Payload",
            "last_hit_utc": "2026-03-24 13:50:23"
        }
    ],
    "3815": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Detect_Dead_Family",
            "yara_rule_author": "Your Name",
            "yara_rule_reference": null,
            "yara_rule_description": "YARA rule for detecting files related to dead.dll family",
            "last_hit_utc": "2026-01-28 14:34:18"
        }
    ],
    "3816": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Detect_Go_Module_Inject_Mekotio_Picanha",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Mekotio: Detecta presenca de strings e padroes especificos de um modulo Go malicioso",
            "last_hit_utc": "2025-02-03 15:41:12"
        }
    ],
    "3817": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Detect_JanelaRat",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-07 12:58:33"
        }
    ],
    "3818": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Detect_SSL_JA3_Fingerprints",
            "yara_rule_author": "Kali",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects specific JA3 SSL client fingerprints and TLS version in network traffic",
            "last_hit_utc": "2025-01-05 17:28:24"
        }
    ],
    "3819": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Detect_Submitting",
            "yara_rule_author": "NCSC-CH / GovCERT",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects login forms in HTML content",
            "last_hit_utc": "2025-11-20 07:45:51"
        }
    ],
    "3820": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "discord_rat",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked discord_rat malware samples.",
            "last_hit_utc": "2025-08-30 20:21:48"
        }
    ],
    "3821": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Emotet_string_hashing",
            "yara_rule_author": "Embee_Research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-17 09:23:42"
        }
    ],
    "3822": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Enigma_Protected_Malware",
            "yara_rule_author": "Florian Roth with the help of binar.ly",
            "yara_rule_reference": "https://goo.gl/OEVQ9w",
            "yara_rule_description": "Detects samples packed by Enigma Protector",
            "last_hit_utc": "2022-09-19 20:22:05"
        }
    ],
    "3823": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Enigma_Protected_Malware_May17_RhxFiles_RID3605",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Enigma protected malware samples",
            "last_hit_utc": "2025-01-03 22:24:40"
        }
    ],
    "3824": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "esxi_commands_ransomware",
            "yara_rule_author": "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects commands issued by Ransomware to interact with ESXi VMs",
            "last_hit_utc": "2022-11-15 12:32:04"
        }
    ],
    "3825": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "EXE_Ransomware_Mimic",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Mimic ransomware samples based on the strings matched",
            "last_hit_utc": "2025-12-29 08:46:14"
        }
    ],
    "3826": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "FSGv20bartxt",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-16 00:38:08"
        }
    ],
    "3827": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "GhostDragon_Gh0stRAT_Sample3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.cylance.com/the-ghost-dragon",
            "yara_rule_description": "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report",
            "last_hit_utc": "2022-08-20 22:17:02"
        }
    ],
    "3828": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "GhostDragon_Gh0stRAT_Sample3_RID3171",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.cylance.com/the-ghost-dragon",
            "yara_rule_description": "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report",
            "last_hit_utc": "2025-01-03 19:36:19"
        }
    ],
    "3829": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "hdata_section",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": "",
            "yara_rule_description": "check for existence of hdata section. This is rarely used legitimately",
            "last_hit_utc": "2022-11-25 01:22:03"
        }
    ],
    "3830": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "HKTL_Lazagne_Gen_18_RID2DA6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/AlessandroZ/LaZagne",
            "yara_rule_description": "Detects Lazagne password extractor hacktool",
            "last_hit_utc": "2026-02-17 12:07:15"
        }
    ],
    "3831": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/sbousseaden/status/1292143504131600384?s=12",
            "yara_rule_description": "Detects Mimikatz SkeletonKey in Memory",
            "last_hit_utc": "2024-01-13 03:21:03"
        }
    ],
    "3832": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "HKTL_NET_GUID_ToxicEye",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/LimerBoy/ToxicEye",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-05 15:32:27"
        }
    ],
    "3833": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "icedid_photoloader",
            "yara_rule_author": "4rchib4ld",
            "yara_rule_reference": "https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/",
            "yara_rule_description": "IcedID PhotoLoader",
            "last_hit_utc": "2022-04-14 19:54:04"
        }
    ],
    "3834": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "iKAT_gpdisable_customcmd_kitrap0d_uacpoc",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html",
            "yara_rule_description": "iKAT hack tool set generic rule - from files gpdisable.exe, customcmd.exe, kitrap0d.exe, uacpoc.exe",
            "last_hit_utc": "2025-08-11 22:57:31"
        }
    ],
    "3835": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Impacket_Tools_Generic_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "3836": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "INDICATOR_EXE_Packed_MEW",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with MEW",
            "last_hit_utc": "2022-08-08 14:37:02"
        }
    ],
    "3837": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "INDICATOR_EXE_Packed_PS2EXE",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables built or packed with PS2EXE",
            "last_hit_utc": "2025-01-03 20:14:33"
        }
    ],
    "3838": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "INDICATOR_KB_CERT_01342592a0010cb1109c11c0519cfd24",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-11-30 06:20:04"
        }
    ],
    "3839": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "INDICATOR_KB_CERT_0407abb64e9990180789eacb81f5f914",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 15:30:06"
        }
    ],
    "3840": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "INDICATOR_KB_CERT_0537f25a88e24cafdd7919fa301e8146",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-05-23 17:43:02"
        }
    ],
    "3841": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "INDICATOR_KB_CERT_0ca5acafb5fdca6f8b5d66d1339a5d85",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-12-11 15:38:05"
        }
    ],
    "3842": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "INDICATOR_KB_CERT_1e508bb2398808bc420a5a1f67ba5d0b",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-06-17 17:59:03"
        }
    ],
    "3843": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "INDICATOR_KB_CERT_21c9a6daff942f2db6a0614d",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2024-01-27 18:43:03"
        }
    ],
    "3844": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "INDICATOR_TOOL_ReverseSSH_Go",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects golang reverse ssh tool",
            "last_hit_utc": "2025-08-27 12:19:35"
        }
    ],
    "3845": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ISFB_Crypter",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:02:21"
        }
    ],
    "3846": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ismail_2010_samples",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-12 05:06:25"
        }
    ],
    "3847": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ISO_exec",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies execution artefacts in ISO files, seen in malware such as Bumblebee.",
            "last_hit_utc": "2022-11-25 00:57:03"
        }
    ],
    "3848": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "jakuu",
            "yara_rule_author": "Hugo Porcher",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf",
            "yara_rule_description": "Rule to detect Jakuu family",
            "last_hit_utc": "2026-02-13 15:19:17"
        }
    ],
    "3849": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "jh__1995_ZipWithPass_20210105",
            "yara_rule_author": "jh__1995",
            "yara_rule_reference": null,
            "yara_rule_description": "ZIP with password - early detection - HIGH FP!",
            "last_hit_utc": "2025-01-05 15:39:49"
        }
    ],
    "3850": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "KeyBase",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies KeyBase aka Kibex.",
            "last_hit_utc": "2025-01-05 15:05:24"
        }
    ],
    "3851": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "kraken_cryptor_ransomware",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/",
            "yara_rule_description": "Rule to detect the Kraken Cryptor Ransomware",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "3852": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Lazarus_defaultdownpy_python",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Python downloader for Lazarus",
            "last_hit_utc": "2025-04-12 16:21:15"
        }
    ],
    "3853": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Cryptominer_Camelot_b8552fff",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-05 20:54:19"
        }
    ],
    "3854": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Exploit_CVE_2022_0847_e831c285",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-12 07:26:20"
        }
    ],
    "3855": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Generic_Threat_9cf10f10",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-14 12:31:37"
        }
    ],
    "3856": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Hacktool_Flooder_761ad88e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-10 04:10:22"
        }
    ],
    "3857": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Trojan_Gafgyt_30444846",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 18:19:03"
        }
    ],
    "3858": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Trojan_Metasploit_e5b61173",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects x86 msfvenom stageless TCP reverse shell payload",
            "last_hit_utc": "2025-07-10 09:16:19"
        }
    ],
    "3859": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Trojan_Mirai_d2205527",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:11:25"
        }
    ],
    "3860": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Trojan_Mirai_dca3b9b4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 10:43:42"
        }
    ],
    "3861": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Trojan_Ngioweb_7926bc8e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-08 00:09:33"
        }
    ],
    "3862": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Trojan_Sdbot_98628ea1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-28 01:55:06"
        }
    ],
    "3863": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Linux_Trojan_Tsunami_9ce5b69f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-08 21:19:04"
        }
    ],
    "3864": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Lockbit_Unpacked",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-11 16:27:06"
        }
    ],
    "3865": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MacOS_Stealer",
            "yara_rule_author": "dogsafetyforeverone",
            "yara_rule_reference": "MacOS stealer malware",
            "yara_rule_description": "Detects MacOS stealer malware attributed to 'mentalpositive'",
            "last_hit_utc": "2025-06-16 15:12:57"
        }
    ],
    "3866": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "malware_IcedID_loader",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "IcedID Loader",
            "last_hit_utc": "2024-04-09 10:34:03"
        }
    ],
    "3867": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_Arkei",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Arkei infostealer variants",
            "last_hit_utc": "2023-02-13 19:32:03"
        }
    ],
    "3868": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_BabylonRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BabylonRAT / CollectorStealer / ParadoxRAT",
            "last_hit_utc": "2026-01-24 22:59:45"
        }
    ],
    "3869": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_BlackCat",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BlackCat ransomware",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "3870": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_CoreBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CoreBot",
            "last_hit_utc": "2025-06-16 16:13:31"
        }
    ],
    "3871": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_DLInjector07",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects downloader injector",
            "last_hit_utc": "2025-10-02 20:39:33"
        }
    ],
    "3872": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_HakunaMatata",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HakunaMatata ransomware",
            "last_hit_utc": "2025-11-22 23:20:28"
        }
    ],
    "3873": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_HawkEyeV9",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects HawkEyeV9 payload",
            "last_hit_utc": "2022-04-23 17:23:23"
        }
    ],
    "3874": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_JanelaRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects JanelaRAT",
            "last_hit_utc": "2025-09-08 13:40:41"
        }
    ],
    "3875": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_Multi_Family_InfoStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Prynt, WorldWind, DarkEye and Stealerium infostealers",
            "last_hit_utc": "2025-01-05 16:21:15"
        }
    ],
    "3876": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_PYSA",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PYSA/Mespinoza ransomware",
            "last_hit_utc": "2022-05-25 22:53:02"
        }
    ],
    "3877": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_RevCodeRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RevCode/WebMonitor RAT",
            "last_hit_utc": "2021-06-29 07:04:09"
        }
    ],
    "3878": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_RevCodeRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RevCode/WebMonitor RAT",
            "last_hit_utc": "2021-09-17 16:57:39"
        }
    ],
    "3879": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_TWarBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect TWarBot IRC Bot",
            "last_hit_utc": "2025-04-03 23:06:49"
        }
    ],
    "3880": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_WobbyChipMBR",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects WobbyChipMBR / Covid-21 ransomware",
            "last_hit_utc": "2025-11-03 14:21:40"
        }
    ],
    "3881": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_WSHRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "WSHRAT keylogger plugin payload",
            "last_hit_utc": "2022-10-21 13:06:02"
        }
    ],
    "3882": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_Zeppelin",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Zeppelin (Delphi) ransomware",
            "last_hit_utc": "2022-10-04 09:55:03"
        }
    ],
    "3883": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALWARE_Win_ZombieBoy",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ZombieBoy Downloader",
            "last_hit_utc": "2025-09-25 01:29:33"
        }
    ],
    "3884": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MALW_KeyBase",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies KeyBase aka Kibex.",
            "last_hit_utc": "2020-10-22 17:03:00"
        }
    ],
    "3885": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "MAL_Sednit_DelphiDownloader_Apr18_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
            "yara_rule_description": "Detects malware from Sednit Delphi Downloader report",
            "last_hit_utc": "2021-10-15 18:12:06"
        }
    ],
    "3886": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "mimikatz_kiwikey",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "",
            "yara_rule_description": "hunt for default mimikatz kiwikey",
            "last_hit_utc": "2025-11-25 20:47:30"
        }
    ],
    "3887": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "msil_rc4",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-18 17:23:03"
        }
    ],
    "3888": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "mybillgates",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "billgates",
            "last_hit_utc": "2022-10-29 11:16:02"
        }
    ],
    "3889": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "njRat_violet_client",
            "yara_rule_author": "R4ruk",
            "yara_rule_reference": "https://sidequest-lab.com/2025/09/07/njrat-part-2-c2-command-investigation/",
            "yara_rule_description": "Matches NjRat violet-client payload.",
            "last_hit_utc": "2025-10-05 19:36:41"
        }
    ],
    "3890": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Olyx",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Olyx",
            "last_hit_utc": "2025-06-16 17:01:04"
        }
    ],
    "3891": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "OlyxCode",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Olyx code tricks",
            "last_hit_utc": "2025-06-16 17:01:04"
        }
    ],
    "3892": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "OpCloudHopper_Malware_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects Operation CloudHopper malware samples",
            "last_hit_utc": "2025-11-05 08:21:38"
        }
    ],
    "3893": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "OpCloudHopper_Malware_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects malware from Operation Cloud Hopper",
            "last_hit_utc": "2022-12-16 13:20:06"
        }
    ],
    "3894": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "p0wnedPotato",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "3895": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "PlugX_J16_Gen",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Research",
            "yara_rule_description": "Detects PlugX Malware samples from June 2016",
            "last_hit_utc": "2022-10-20 20:04:03"
        }
    ],
    "3896": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "PowerShell_Emp_Eval_Jul17_A1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "PowerShell Empire Eval",
            "yara_rule_description": "Detects suspicious sample with PowerShell content",
            "last_hit_utc": "2025-01-03 22:00:39"
        }
    ],
    "3897": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "PowerShell_Emp_Eval_Jul17_A1_RID3141",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "PowerShell Empire Eval",
            "yara_rule_description": "Detects suspicious sample with PowerShell content",
            "last_hit_utc": "2025-01-03 22:00:39"
        }
    ],
    "3898": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64",
            "last_hit_utc": "2026-03-25 09:04:20"
        }
    ],
    "3899": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "PureBasicDLLNeilHodgson",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-06-16 17:21:02"
        }
    ],
    "3900": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Pysa",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Pysa aka Mespinoza ransomware.",
            "last_hit_utc": "2022-05-25 22:53:02"
        }
    ],
    "3901": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "RansomwareTest1",
            "yara_rule_author": "Daoyuan Wu",
            "yara_rule_reference": null,
            "yara_rule_description": "Test Ransomware YARA rules",
            "last_hit_utc": "2025-01-05 15:15:23"
        }
    ],
    "3902": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "RANSOM_makop",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule to detect the unpacked Makop ransomware samples",
            "last_hit_utc": "2022-11-11 18:34:04"
        }
    ],
    "3903": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "RAN_ALPHV_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect AlphV ransomware (Nov and Dec 2021)",
            "last_hit_utc": "2022-06-21 10:46:04"
        }
    ],
    "3904": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "RAN_BlackMatter_Aug_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/abuse_ch/status/1421834305416933376",
            "yara_rule_description": "Detect BlackMatter ransomware",
            "last_hit_utc": "2025-01-05 15:31:02"
        }
    ],
    "3905": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Ran_Mespinoza_Nov_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect Mespinoza ransomware",
            "last_hit_utc": "2022-05-25 22:53:02"
        }
    ],
    "3906": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "RAT_BlueBanana",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/BlueBanana",
            "yara_rule_description": "Detects BlueBanana RAT",
            "last_hit_utc": "2025-10-28 13:45:03"
        }
    ],
    "3907": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "RAT_Bozok",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Bozok",
            "yara_rule_description": "Detects Bozok RAT",
            "last_hit_utc": "2025-10-28 13:45:03"
        }
    ],
    "3908": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Recon_Commands_Windows_Gen1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/MSJCxP",
            "yara_rule_description": "Detects a set of reconnaissance commands on Windows systems",
            "last_hit_utc": "2023-01-05 15:41:03"
        }
    ],
    "3909": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "RedLine_b",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies RedLine stealer.",
            "last_hit_utc": "2025-01-05 16:49:23"
        }
    ],
    "3910": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Reflective_DLL_Loader_Aug17_2_RID3180",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Reflective DLL Loader - suspicious - Possible FP could be program crack",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "3911": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "RemCom_RemoteCommandExecution",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/tezXZt",
            "yara_rule_description": "Detects strings from RemCom tool",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "3912": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "sendsafe",
            "yara_rule_author": " J from THL <j@techhelplist.com>",
            "yara_rule_reference": "http://pastebin.com/WPWWs406",
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-07 02:25:17"
        }
    ],
    "3913": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_AnyDesk_Compromised_Certificate_Jan24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://anydesk.com/en/public-statement",
            "yara_rule_description": "Detects binaries signed with a compromised signing certificate of AnyDesk that aren't AnyDesk itself (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8; strict version)",
            "last_hit_utc": "2025-01-03 19:57:19"
        }
    ],
    "3914": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_AnyDesk_Compromised_Certificate_Jan24_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://anydesk.com/en/public-statement",
            "yara_rule_description": "Detects binaries signed with a compromised signing certificate of AnyDesk that aren't AnyDesk itself (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8; permissive version)",
            "last_hit_utc": "2025-01-03 19:57:19"
        }
    ],
    "3915": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_AnyDesk_Compromised_Certificate_Jan24_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://anydesk.com/en/public-statement",
            "yara_rule_description": "Detects binaries signed with a compromised signing certificate of AnyDesk after it was revoked (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8; version that uses dates for validation)",
            "last_hit_utc": "2025-01-03 19:57:19"
        }
    ],
    "3916": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_BAT2EXE_BDargo_Converted_BAT",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.majorgeeks.com/files/details/advanced_bat_to_exe_converter.html",
            "yara_rule_description": "Detects binaries created with BDARGO Advanced BAT to EXE converter",
            "last_hit_utc": "2026-03-06 15:32:21"
        }
    ],
    "3917": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_Doc_WindowsInstaller_Call_Feb22_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": "https://inquest.net/blog/2022/02/24/dangerously-thinbasic",
            "yara_rule_description": "Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.",
            "last_hit_utc": "2022-04-20 06:46:03"
        }
    ],
    "3918": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "susp_lure_xls_WindowsInstaller_Feb2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": "https://twitter.com/threatinsight/status/1497355737844133895",
            "yara_rule_description": "Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.",
            "last_hit_utc": "2022-04-20 06:46:03"
        }
    ],
    "3919": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_Microsoft_7z_SFX_Combo",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious file that has a Microsoft copyright and is a 7z SFX",
            "last_hit_utc": "2022-11-04 18:29:03"
        }
    ],
    "3920": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_Netsh_PortProxy_Command_RID3201",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy",
            "yara_rule_description": "Detects a suspicious command line with netsh and the portproxy command",
            "last_hit_utc": "2025-10-28 13:45:12"
        }
    ],
    "3921": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_Office_Dropper_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Office droppers that include a notice to enable active content",
            "last_hit_utc": "2025-05-07 09:22:08"
        }
    ],
    "3922": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_Office_Dropper_Strings_RID318B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Office droppers that include a notice to enable active content",
            "last_hit_utc": "2025-05-07 09:22:08"
        }
    ],
    "3923": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Susp_PowerShell_Sep17_1_RID2F9F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious PowerShell script in combo with VBS or JS",
            "last_hit_utc": "2025-12-15 15:28:16"
        }
    ],
    "3924": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_PS1_Msdt_Execution_May22",
            "yara_rule_author": "Nasreddine Bencherchali, Christian Burkard",
            "yara_rule_reference": "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
            "yara_rule_description": "Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation",
            "last_hit_utc": "2022-08-30 22:58:03"
        }
    ],
    "3925": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "SUSP_WordDoc_VBA_Macro_Strings",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious strings in Word Doc that indicate malicious use of VBA macros",
            "last_hit_utc": "2021-08-21 18:53:08"
        }
    ],
    "3926": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "TA17_318A_success_fail_codes_fallchill",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-318B",
            "yara_rule_description": "HiddenCobra FallChill - success_fail_codes",
            "last_hit_utc": "2025-11-05 08:22:45"
        }
    ],
    "3927": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "TelegramBot_APIs",
            "yara_rule_author": "Gery St\u00f6ckli, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-23 07:37:02"
        }
    ],
    "3928": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "TeslaCryptUnpackedMalware",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:51:53"
        }
    ],
    "3929": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Themida18xxOreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:37:29"
        }
    ],
    "3930": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Upack_PatchoranyVersionDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-07 15:34:20"
        }
    ],
    "3931": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Uroburos",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 18:50:27"
        }
    ],
    "3932": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Wabot",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "Wabot Trojan Worm",
            "last_hit_utc": "2025-04-03 23:06:50"
        }
    ],
    "3933": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "WanaCry",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "WanaCry Payload",
            "last_hit_utc": "2025-11-13 21:36:44"
        }
    ],
    "3934": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Webshell_c100",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/nikicat/web-malware-collection",
            "yara_rule_description": "Detects Webshell - rule generated from files c100 v. 777shell",
            "last_hit_utc": "2022-08-31 04:29:02"
        }
    ],
    "3935": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Webshell_in_image",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies a webshell or backdoor in image files.",
            "last_hit_utc": "2026-01-06 19:16:16"
        }
    ],
    "3936": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Webshell_in_image",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies a webshell or backdoor in image files.",
            "last_hit_utc": "2022-07-25 04:39:03"
        }
    ],
    "3937": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "webshell_php_404",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file 404.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "3938": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "webshell_Shell_ci_Biz_was_here_c100_v_xxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2022-08-31 04:29:02"
        }
    ],
    "3939": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Webshell_Txt_aspx_RID2E01",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - Webshells - file aspx.jpg",
            "last_hit_utc": "2024-01-05 22:26:03"
        }
    ],
    "3940": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Generic_Threat_06dcb833",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-10 09:01:22"
        }
    ],
    "3941": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Ransomware_BlackBasta_494d3c54",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-03 07:56:05"
        }
    ],
    "3942": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Ransomware_Blackmatter_8394f6d5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:31:02"
        }
    ],
    "3943": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Shellcode_Generic_8c487e57",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:56:41"
        }
    ],
    "3944": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Trojan_BruteRatel_644ac114",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-05 20:14:16"
        }
    ],
    "3945": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_29374056",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Cobalt Strike MZ Reflective Loader.",
            "last_hit_utc": "2025-01-05 17:02:35"
        }
    ],
    "3946": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Trojan_Donutloader_21e801e0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-13 08:18:26"
        }
    ],
    "3947": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Trojan_Generic_9e4bb0ce",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 05:18:16"
        }
    ],
    "3948": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Trojan_Generic_a681f24a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 01:14:01"
        }
    ],
    "3949": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Trojan_Grandoreiro_ac4cea59",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-27 14:10:57"
        }
    ],
    "3950": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Trojan_Lumma_30608a8c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-24 13:19:29"
        }
    ],
    "3951": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Trojan_Stealc_a2b71dc4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-09 16:07:32"
        }
    ],
    "3952": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_Trojan_WikiLoader_99681f1c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:20:22"
        }
    ],
    "3953": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_VulnDriver_GDrv_5368078b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Name: gdrv.sys, Version: 5.2.3790.1830",
            "last_hit_utc": "2025-07-23 09:23:06"
        }
    ],
    "3954": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "Windows_VulnDriver_ProcExp_aeb4e5c0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Name: procexp.Sys, Version: 16.65535.65535.65535",
            "last_hit_utc": "2025-01-05 16:11:48"
        }
    ],
    "3955": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "WinUpackv039finalrelocatedimagebaseByDwingc2005h2",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-07 15:34:20"
        }
    ],
    "3956": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_arkei_stealer_w0",
            "yara_rule_author": "Fumik0_",
            "yara_rule_reference": null,
            "yara_rule_description": "Arkei Stealer",
            "last_hit_utc": "2023-02-13 19:32:04"
        }
    ],
    "3957": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_biodata_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-06-28 18:12:10"
        }
    ],
    "3958": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_buer_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-09-23 13:20:04"
        }
    ],
    "3959": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_bunitu_g1",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
            "yara_rule_description": null,
            "last_hit_utc": "2021-01-12 02:26:08"
        }
    ],
    "3960": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_cerber_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-04 23:02:17"
        }
    ],
    "3961": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_conficker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.conficker.",
            "last_hit_utc": "2022-07-23 12:53:04"
        }
    ],
    "3962": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_dosia_w0",
            "yara_rule_author": "B42 Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-24 16:34:03"
        }
    ],
    "3963": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_dreambot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.dreambot.",
            "last_hit_utc": "2025-01-05 16:41:33"
        }
    ],
    "3964": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_hawkeye_keylogger_w0",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-01 06:47:05"
        }
    ],
    "3965": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_hookinjex_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.hookinjex.",
            "last_hit_utc": "2022-10-18 11:10:04"
        }
    ],
    "3966": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_locky_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-27 15:34:13"
        }
    ],
    "3967": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_mespinoza_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mespinoza.",
            "last_hit_utc": "2022-05-25 22:53:02"
        }
    ],
    "3968": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_mylobot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mylobot.",
            "last_hit_utc": "2025-03-06 07:07:18"
        }
    ],
    "3969": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_nettraveler_w0",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifiers for NetTraveler DLL",
            "last_hit_utc": "2025-01-05 17:28:05"
        }
    ],
    "3970": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_octowave_w0",
            "yara_rule_author": "Jai Minton (@CyberRaiju) - HuntressLabs",
            "yara_rule_reference": "https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19",
            "yara_rule_description": "Detects resources embedded within Octowave Loader MSI installers",
            "last_hit_utc": "2025-08-21 05:43:34"
        }
    ],
    "3971": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_plugx_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.plugx.",
            "last_hit_utc": "2022-10-20 20:04:03"
        }
    ],
    "3972": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_runningrat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.runningrat.",
            "last_hit_utc": "2026-04-27 11:54:27"
        }
    ],
    "3973": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_sendsafe_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-07 02:25:18"
        }
    ],
    "3974": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_squirrelwaffle_loader",
            "yara_rule_author": "Rony(@r0ny_123)",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unpacked squirrelwaffle loader",
            "last_hit_utc": "2021-10-27 10:42:04"
        }
    ],
    "3975": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_stowaway_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.stowaway.",
            "last_hit_utc": "2025-01-05 16:20:42"
        }
    ],
    "3976": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_unidentified_045_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": "Unknown 045",
            "last_hit_utc": "2021-05-09 23:18:06"
        }
    ],
    "3977": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "win_zeppelin_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-10-04 09:55:03"
        }
    ],
    "3978": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "WobbyChipMBR",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects WobbyChipMBR / Covid-21 ransomware",
            "last_hit_utc": "2025-11-03 14:21:40"
        }
    ],
    "3979": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "wsh_rat_keylogger",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "Alerts on the WSH RAT .NET keylogger module",
            "last_hit_utc": "2023-09-23 08:04:03"
        }
    ],
    "3980": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "wsh_rat_keylogger",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "Alerts on the WSH RAT .NET keylogger module",
            "last_hit_utc": "2022-10-21 13:06:02"
        }
    ],
    "3981": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "XData",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-06 06:28:51"
        }
    ],
    "3982": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "XOREngine_Misc_XOR_Func",
            "yara_rule_author": "smiller cc @florian @wesley idea on implementation with yara's built in XOR function",
            "yara_rule_reference": null,
            "yara_rule_description": "Use with care, https://twitter.com/cyb3rops/status/1237042104406355968",
            "last_hit_utc": "2025-01-05 14:45:14"
        }
    ],
    "3983": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ZloaderXLSInvoice",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-18 16:59:48"
        }
    ],
    "3984": [
        {
            "sample_cnt": 6,
            "yara_rule_name": "ZxShell_Related_Malware_CN_Group_Jul17_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell related sample from a CN threat group",
            "last_hit_utc": "2022-04-27 01:18:02"
        }
    ],
    "3985": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "ach_Gozi_doc_20201218",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/d655ea1e55871c89ae52024f28de570c/",
            "yara_rule_description": "Detects Gozi ISFB doc",
            "last_hit_utc": "2020-12-18 08:19:22"
        }
    ],
    "3986": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "ach_TrickBot_doc_20200917",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/098104c5c48c3633e9630092d72127ee/",
            "yara_rule_description": "Detects TrickBot doc",
            "last_hit_utc": "2020-09-17 09:14:08"
        }
    ],
    "3987": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Amatera",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Amatera Payload",
            "last_hit_utc": "2025-11-10 16:18:14"
        }
    ],
    "3988": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "APT_ArtraDownloader2_Aug19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/",
            "yara_rule_description": "Detects ArtraDownloader malware",
            "last_hit_utc": "2025-11-24 16:37:31"
        }
    ],
    "3989": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
            "yara_rule_description": "Detects HAFNIUM ASPX files dropped on compromised servers",
            "last_hit_utc": "2025-01-05 16:11:08"
        }
    ],
    "3990": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "APT_PupyRAT_PY_RID2BF2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
            "yara_rule_description": "Detects Pupy RAT",
            "last_hit_utc": "2025-12-04 15:38:27"
        }
    ],
    "3991": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "APT_UNC2447_MAL_RANSOM_HelloKitty_May21_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects HelloKitty Ransomware samples from UNC2447 campaign",
            "last_hit_utc": "2022-11-30 16:02:04"
        }
    ],
    "3992": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "BadRabbitWiper",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-30 14:11:35"
        }
    ],
    "3993": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "BadRabbit_Gen",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://pastebin.com/Y7pJv3tK",
            "yara_rule_description": "Detects BadRabbit Ransomware",
            "last_hit_utc": "2023-06-09 08:09:13"
        }
    ],
    "3994": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "bitrat_3_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b",
            "yara_rule_description": "BitRAT",
            "last_hit_utc": "2023-03-21 06:23:09"
        }
    ],
    "3995": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Blacknet",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "BlackNet Payload",
            "last_hit_utc": "2021-09-07 06:12:07"
        }
    ],
    "3996": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "BlackShades_3",
            "yara_rule_author": "botherder https://github.com/botherder",
            "yara_rule_reference": null,
            "yara_rule_description": "BlackShades RAT",
            "last_hit_utc": "2025-05-04 07:27:09"
        }
    ],
    "3997": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "BTC_Miner_lsass1_chrome_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research - CN Actor",
            "yara_rule_description": "Detects a Bitcoin Miner",
            "last_hit_utc": "2025-11-23 10:45:39"
        }
    ],
    "3998": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "cert_blocklist_ef9d0cf071d463cd63d13083046a7b8d",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2021-03-03 09:41:54"
        }
    ],
    "3999": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "cleanup_loader_payload_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-25 07:08:24"
        }
    ],
    "4000": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "CN_Honker_Webshell_ASPX_aspx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Webshell from CN Honker Pentest Toolset - file aspx.txt",
            "last_hit_utc": "2022-10-27 20:57:03"
        }
    ],
    "4001": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Cobaltbaltstrike_RAW_Payload_https_stager_x86",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2025-06-10 10:55:15"
        }
    ],
    "4002": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "crime_win64_bumbleebee_loader_packed",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Bumblebee loader dll",
            "last_hit_utc": "2025-01-05 15:22:42"
        }
    ],
    "4003": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "CS_encrypted_beacon_x86_64",
            "yara_rule_author": "Etienne Maynier tek@randhome.io",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-21 12:59:10"
        }
    ],
    "4004": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Detect_BlotchyQuasar_Banker",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-17 19:54:32"
        }
    ],
    "4005": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Enigma_Protected_Malware_May17_RhxFiles",
            "yara_rule_author": "Florian Roth (Nextron Systems) with the help of binar.ly",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Auto-generated rule - file RhxFiles.dll",
            "last_hit_utc": "2025-01-03 22:24:40"
        }
    ],
    "4006": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Erbium_Loader",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Erbium Stealer's loader",
            "last_hit_utc": "2025-06-03 22:21:27"
        }
    ],
    "4007": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "EXE_RustDesk_RemoteAdmin_April_2024",
            "yara_rule_author": "NDA0N",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RustDesk Remote Admin Tool",
            "last_hit_utc": "2025-01-05 17:31:05"
        }
    ],
    "4008": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "eXPressorv13CGSoftLabs",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 11:05:59"
        }
    ],
    "4009": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Gentlemen_Ransomware_Binary",
            "yara_rule_author": "Bedrock Safeguard Inc.",
            "yara_rule_reference": "https://github.com/Bedrock-Safeguard/gentlemen-decryptor",
            "yara_rule_description": "Detects The Gentlemen ransomware binary (Go/Garble)",
            "last_hit_utc": "2026-04-25 17:45:44"
        }
    ],
    "4010": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "GHISLER_Stealer_1",
            "yara_rule_author": "Andre Gironda",
            "yara_rule_reference": null,
            "yara_rule_description": "GHISLER Golang based GO Stealer , POST /sendlog to http port 5000 , Userid HTTP header",
            "last_hit_utc": "2025-01-05 15:30:23"
        }
    ],
    "4011": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "GhostWeaver_Persistence_Installer",
            "yara_rule_author": "derp.ca",
            "yara_rule_reference": "https://www.derp.ca/blog/ghostweaver-tag124-powershell-rat",
            "yara_rule_description": "GhostWeaver/Pantera persistence installer delivered via C2 iex command",
            "last_hit_utc": "2026-04-26 16:39:26"
        }
    ],
    "4012": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "GoogleBot_UserAgent",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects the GoogleBot UserAgent String in an Executable",
            "last_hit_utc": "2021-03-14 22:32:08"
        }
    ],
    "4013": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Grandoreiro",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Grandoreiro",
            "last_hit_utc": "2026-02-08 16:22:17"
        }
    ],
    "4014": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Hacktools_CN_WinEggDrop",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file s.exe",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "4015": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "HawkEye_Keylogger_Feb18_1_RID302C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9",
            "yara_rule_description": "Semiautomatically generated YARA rule",
            "last_hit_utc": "2023-06-18 08:18:03"
        }
    ],
    "4016": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "HKTL_Lazagne_Gen_18",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/AlessandroZ/LaZagne",
            "yara_rule_description": "Detects Lazagne password extractor hacktool",
            "last_hit_utc": "2026-02-17 12:07:15"
        }
    ],
    "4017": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "HKTL_NET_GUID_SharpShooter",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/mdsecactivebreach/SharpShooter",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2022-07-16 08:01:03"
        }
    ],
    "4018": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "HKTL_NET_GUID_VanillaRAT",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/DannyTheSloth/VanillaRAT",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-12-29 07:35:18"
        }
    ],
    "4019": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine_RID379E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1",
            "yara_rule_description": "Detects PowerShell Oneliner in Nishang's repository",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "4020": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "hunt_credaccess_iis",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": null,
            "yara_rule_description": "hunt for strings related to iis credential access",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "4021": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "icedid_2stager",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/icedid-technical-analysis/",
            "yara_rule_description": "This rule detects samples from the IcedID family unpacked in memory, identifying code reuse of key functions.",
            "last_hit_utc": "2025-02-20 02:17:21"
        }
    ],
    "4022": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "icedid_unpacked",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/icedid-technical-analysis/",
            "yara_rule_description": "This rule detects samples from the IcedID family unpacked in memory, identifying code reuse of key functions.",
            "last_hit_utc": "2025-02-20 02:17:21"
        }
    ],
    "4023": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Imphash_Malware_2_TA17_293A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-293A",
            "yara_rule_description": "Detects malware based on Imphash of malware used in TA17-293A",
            "last_hit_utc": "2022-07-15 16:28:02"
        }
    ],
    "4024": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_EXE_Packed_PS2EXE",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables built or packed with PS2EXE",
            "last_hit_utc": "2022-10-07 20:53:02"
        }
    ],
    "4025": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_KB_CERT_028aa6e7b516c0d155f15d6290a430e3",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-08-19 14:34:47"
        }
    ],
    "4026": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_KB_CERT_030ba877daf788a0048d04a85b1f6eca",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-12-27 21:10:08"
        }
    ],
    "4027": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_KB_CERT_23389161e45a218bd24e6e859ae11153",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-23 19:25:02"
        }
    ],
    "4028": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_KB_CERT_26279f0f2f11970dccf63eba88f2d4c4",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-23 19:25:02"
        }
    ],
    "4029": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_KB_CERT_635517466b67bd4bba805bc67ac3328c",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-06-15 10:19:57"
        }
    ],
    "4030": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_KB_CERT_731d40ae3f3a1fb2bc3d8395",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2022-02-26 17:38:05"
        }
    ],
    "4031": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_LockerGoga",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with LockerGoga ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "4032": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Indicator_MiniDumpUsage",
            "yara_rule_author": "Obscurity Labs LLC",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references",
            "last_hit_utc": "2025-06-16 17:01:55"
        }
    ],
    "4033": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_RMM_AeroAdmin_CERT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AeroAdmin by certificate. Review RMM Inventory",
            "last_hit_utc": "2025-06-16 16:36:15"
        }
    ],
    "4034": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Enable_OfficeMacro",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Windows executables referencing Office macro registry keys. Observed modifying Office configurations via the registy to enable macros",
            "last_hit_utc": "2025-11-23 10:28:25"
        }
    ],
    "4035": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_PublicServiceInterface",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect executables referencing public and free service interface testing and dev services as means of CnC",
            "last_hit_utc": "2026-02-02 14:36:25"
        }
    ],
    "4036": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_SandboxUserNames",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing possible sandbox analysis VM usernames",
            "last_hit_utc": "2022-07-15 16:54:03"
        }
    ],
    "4037": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "INDICATOR_TOOL_EXP_ApacheStrusts",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Windows executables containing ApacheStruts exploit artifatcs",
            "last_hit_utc": "2022-11-20 15:26:03"
        }
    ],
    "4038": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "iot_spread_botnet",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-24 07:56:05"
        }
    ],
    "4039": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "iot_spread_botnet",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-09-20 17:52:05"
        }
    ],
    "4040": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "IronTiger_HTTPBrowser_Dropper",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "Iron Tiger Malware - HTTPBrowser Dropper",
            "last_hit_utc": "2025-11-22 23:01:25"
        }
    ],
    "4041": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "IronTiger_NBDDos_Gh0stvariant_dropper",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "Iron Tiger Malware - NBDDos Gh0stvariant Dropper",
            "last_hit_utc": "2025-04-27 22:53:07"
        }
    ],
    "4042": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "jackskid_unpacked",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": null,
            "yara_rule_description": "Jackskid/RCtea - unpacked variant with full string artifacts",
            "last_hit_utc": "2026-03-26 20:50:30"
        }
    ],
    "4043": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Jaff",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Jaff Payload",
            "last_hit_utc": "2026-02-07 12:23:25"
        }
    ],
    "4044": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "jsp_godzilla_webshell_w0",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic JSP webshell which uses reflection to execute user input",
            "last_hit_utc": "2025-12-12 09:53:16"
        }
    ],
    "4045": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Jupyter_Infostealer_PowerShell",
            "yara_rule_author": "Lucas Acha (http://www.lukeacha.com)",
            "yara_rule_reference": "http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
            "yara_rule_description": "observed powershell command strings",
            "last_hit_utc": "2026-03-03 17:39:25"
        }
    ],
    "4046": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "justforfun_linux_trojan",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unknown linux malware - 2018-2021",
            "last_hit_utc": "2022-11-15 13:09:03"
        }
    ],
    "4047": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "kimwolf_dropper_script",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": null,
            "yara_rule_description": "Kimwolf residential proxy botnet - ADB sideload install script",
            "last_hit_utc": "2026-04-23 15:12:37"
        }
    ],
    "4048": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "KoiLoader",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects KoiLoader",
            "last_hit_utc": "2025-06-16 16:02:43"
        }
    ],
    "4049": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "lb4_hashing_alg",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects the custom hashing algorithm of Lockbit4.0 unpacked",
            "last_hit_utc": "2025-06-25 08:15:42"
        }
    ],
    "4050": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "lb_apihashing_code_0001",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects samples from the Lockbit3.0 (and BlackMatter) family unpacked in memory, identifying code reuse of key functions.",
            "last_hit_utc": "2024-05-25 01:20:02"
        }
    ],
    "4051": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "lb_apihashing_code_100",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects samples from the Lockbit3.0 (and BlackMatter) family unpacked in memory, identifying code reuse of key functions.",
            "last_hit_utc": "2024-05-25 01:20:02"
        }
    ],
    "4052": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "LinuxHacktool_eyes_pscan2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file pscan2",
            "last_hit_utc": "2026-03-17 01:18:17"
        }
    ],
    "4053": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "LinuxHacktool_eyes_scanner",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file scanner",
            "last_hit_utc": "2025-10-28 13:44:41"
        }
    ],
    "4054": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Cryptominer_Camelot_209b02dd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-09 08:10:46"
        }
    ],
    "4055": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Cryptominer_Malxmr_f35a670c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-29 14:59:44"
        }
    ],
    "4056": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Cryptominer_Xmrminer_67bf4b54",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-09 08:10:46"
        }
    ],
    "4057": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Ransomware_Conti_53a640f4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:18:29"
        }
    ],
    "4058": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Ddostf_32c35334",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-20 17:59:20"
        }
    ],
    "4059": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Ddostf_cb0358a0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-20 17:59:20"
        }
    ],
    "4060": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Ddostf_e4874cd4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-20 17:59:21"
        }
    ],
    "4061": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Gafgyt_656bf077",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "4062": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Gafgyt_7167d08f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:12:03"
        }
    ],
    "4063": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Gafgyt_c573932b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:12:03"
        }
    ],
    "4064": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Gafgyt_e0673a90",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "4065": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Mirai_6a77af0f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "4066": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Mirai_ab073861",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:41:18"
        }
    ],
    "4067": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Mirai_ea584243",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-16 07:39:16"
        }
    ],
    "4068": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Trojan_Rbot_366f1599",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-28 01:55:06"
        }
    ],
    "4069": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Linux_Worm_Generic_98efcd38",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-22 06:48:55"
        }
    ],
    "4070": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "LockbitBlack_Loader",
            "yara_rule_author": "Zander Work",
            "yara_rule_reference": "",
            "yara_rule_description": "Hunting rule for the Lockbit Black loader, based on https://twitter.com/vxunderground/status/1543661557883740161",
            "last_hit_utc": "2022-07-16 20:38:04"
        }
    ],
    "4071": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "LockbitBlack_Loader_Rule",
            "yara_rule_author": "Luis Fabuel",
            "yara_rule_reference": "",
            "yara_rule_description": "Hunting rule for the Lockbit Black loader, based on https://twitter.com/vxunderground/status/1543661557883740161",
            "last_hit_utc": "2022-07-16 20:38:04"
        }
    ],
    "4072": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "lsi_dcrat",
            "yara_rule_author": "Rothenhaeuser Andreas",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies DCRat based on its string decoding routine",
            "last_hit_utc": "2026-01-22 15:26:34"
        }
    ],
    "4073": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MacOS_Cryptominer_Xmrig_241780a1",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-06 13:39:03"
        }
    ],
    "4074": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "malformed_zip_file",
            "yara_rule_author": "nosh",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-19 07:18:27"
        }
    ],
    "4075": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_APT29_SVG_Delivery_Jul23",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://twitter.com/StopMalvertisin/status/1677192618118369280",
            "yara_rule_description": "Detects Javascript code in crafted SVG files delivering malware",
            "last_hit_utc": "2025-11-28 07:04:15"
        }
    ],
    "4076": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Malware_QA_not_copy_RID2E95",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file not copy.exe",
            "last_hit_utc": "2025-11-05 08:21:38"
        }
    ],
    "4077": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_BabylonRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects BabylonRAT / CollectorStealer / ParadoxRAT",
            "last_hit_utc": "2022-09-06 12:27:20"
        }
    ],
    "4078": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_BlackshadesRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "BlackshadesRAT / Cambot POS payload",
            "last_hit_utc": "2025-05-04 07:27:09"
        }
    ],
    "4079": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_CobianRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CobianRAT, a fork of Njrat",
            "last_hit_utc": "2025-06-26 20:05:19"
        }
    ],
    "4080": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_DarkTrackRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects OzoneRAT / DarkTrack / DarkSky",
            "last_hit_utc": "2025-06-22 22:07:41"
        }
    ],
    "4081": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_Dharma",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Dharma ransomware",
            "last_hit_utc": "2022-11-09 06:10:05"
        }
    ],
    "4082": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_DLAgent06",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects known downloader agent downloading encoded binaries in patches",
            "last_hit_utc": "2022-06-28 20:48:04"
        }
    ],
    "4083": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_Echelon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Echelon information stealer payload",
            "last_hit_utc": "2022-07-11 12:26:03"
        }
    ],
    "4084": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_FirebirdRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Firebird/Hive RAT payload",
            "last_hit_utc": "2021-06-20 07:32:43"
        }
    ],
    "4085": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_Meteorite",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Meteorite downloader",
            "last_hit_utc": "2025-01-03 23:12:32"
        }
    ],
    "4086": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_MoDiRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "MoDiRAT payload",
            "last_hit_utc": "2025-03-07 11:58:12"
        }
    ],
    "4087": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_Poullight",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Poullight infostealer",
            "last_hit_utc": "2021-04-17 08:15:10"
        }
    ],
    "4088": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_PowerPool_STG1",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects first stage PowerPool backdoor",
            "last_hit_utc": "2021-07-11 22:06:19"
        }
    ],
    "4089": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_Raccoon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Raccoon stealer payload",
            "last_hit_utc": "2025-01-05 14:44:47"
        }
    ],
    "4090": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_Thanos",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Thanos ransomware",
            "last_hit_utc": "2021-06-02 15:32:40"
        }
    ],
    "4091": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_VanillaRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects VanillaRAT",
            "last_hit_utc": "2025-12-29 07:35:19"
        }
    ],
    "4092": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MALWARE_Win_XFiles",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects X-Files infostealer (formerly BotSh1zoid)",
            "last_hit_utc": "2022-07-07 17:26:03"
        }
    ],
    "4093": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MAL_LNX_RedMenshen_BPFDoor_May23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game",
            "yara_rule_description": "Detects BPFDoor malware",
            "last_hit_utc": "2026-03-28 08:31:19"
        }
    ],
    "4094": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "mal_metasploit_encode_xor_x64",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://github.com/rapid7/metasploit-framework/blob/b8178397a9aba19dc7a80ee1346d8685674cc0ff/modules/encoders/x64/xor.rb#L36-L42",
            "yara_rule_description": "Detects XOR-encoded Metasploit shellcode",
            "last_hit_utc": "2025-01-03 22:48:15"
        }
    ],
    "4095": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MAL_RANSOM_ContiCrypter",
            "yara_rule_author": "James Quinn, Binary Defense",
            "yara_rule_reference": "",
            "yara_rule_description": "Signature for a crypter associated with Conti",
            "last_hit_utc": "2022-09-08 14:55:04"
        }
    ],
    "4096": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MAL_RANSOM_Stealbit_Aug21",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Lockbit2.Stealbit.yar",
            "yara_rule_description": "Detects Stealbit used by Lockbit 2.0 Ransomware Gang",
            "last_hit_utc": "2022-03-03 01:55:06"
        }
    ],
    "4097": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "MAL_Ryuk_Ransomware_RID2E73",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
            "yara_rule_description": "Detects strings known from Ryuk Ransomware",
            "last_hit_utc": "2023-08-11 03:08:03"
        }
    ],
    "4098": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "maritime_RAR_v3",
            "yara_rule_author": "CERT OWN",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule is designed to monitor RAR archive files that contain certain maritime-related keywords. The monitored patterns include variations of MV (Motor Vessel) or MT(Motor Tanker) keywords followed by a combination of letters, numbers, and special characters, and ending with .exe. There are also patterns that match CTM, vessel, stowage, vsl.part, and agency followed by similar combinations of characters and .exe",
            "last_hit_utc": "2023-07-22 12:21:04"
        }
    ],
    "4099": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Mimikatz_SampleSet_1",
            "yara_rule_author": "Florian Roth - Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Mimikatz Rule generated from a big Mimikatz sample set",
            "last_hit_utc": "2025-12-03 07:14:17"
        }
    ],
    "4100": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Msfpayloads_msf_6",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.vbs",
            "last_hit_utc": "2025-01-03 21:20:48"
        }
    ],
    "4101": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Msfpayloads_msf_6_RID2DCE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.vbs",
            "last_hit_utc": "2025-01-03 21:20:48"
        }
    ],
    "4102": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Multi_Hacktool_SuperShell_f7486598",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-27 12:19:35"
        }
    ],
    "4103": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "NetTraveler",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "NetTraveler",
            "last_hit_utc": "2025-01-05 17:28:03"
        }
    ],
    "4104": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "NetTravStrings",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifiers for NetTraveler DLL",
            "last_hit_utc": "2025-01-05 17:28:04"
        }
    ],
    "4105": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "NotPetya_Ransomware_Jun17",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/h6iaGj",
            "yara_rule_description": "Detects new NotPetya Ransomware variant from June 2017",
            "last_hit_utc": "2023-06-09 08:09:13"
        }
    ],
    "4106": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "NsPackv23NorthStar",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 10:38:50"
        }
    ],
    "4107": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "OLE_LNK_InternetExplorer_IDLIST_Suspicious",
            "yara_rule_author": "node5",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects OLE-embedded LNK with Internet Explorer IDLIST containing suspicious WebDAV/UNC/file:// strings within item boundaries",
            "last_hit_utc": "2026-04-13 13:04:32"
        }
    ],
    "4108": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "parallax_rat_2020",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-02-02 08:15:06"
        }
    ],
    "4109": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "pcshare_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://blogs.blackberry.com/en/2019/09/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware",
            "yara_rule_description": "PCShare Backdoor",
            "last_hit_utc": "2025-06-16 16:13:01"
        }
    ],
    "4110": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Petite21",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-21 03:14:05"
        }
    ],
    "4111": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Pkg",
            "yara_rule_author": "nwunderly",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-23 16:07:03"
        }
    ],
    "4112": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "pos",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-24 11:46:02"
        }
    ],
    "4113": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "ProcessInjector_Gen_RID2EA7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c",
            "yara_rule_description": "Detects a process injection utility that can be used for good and bad purposes",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "4114": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "PureBasic4xDLLNeilHodgson",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-02 02:27:03"
        }
    ],
    "4115": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "PureZip",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies ZIP files with a hidden file named '__.exe', as seen in a massive PureCrypt campaign in Q1 2024.",
            "last_hit_utc": "2024-05-20 23:49:04"
        }
    ],
    "4116": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Qakbot_IsoCampaign",
            "yara_rule_author": "Malhuters",
            "yara_rule_reference": null,
            "yara_rule_description": "Qakbot New Campaign ISO",
            "last_hit_utc": "2025-08-05 13:22:20"
        }
    ],
    "4117": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "RANSOM_darkside",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect packed and unpacked samples of DarkSide",
            "last_hit_utc": "2021-05-11 04:27:38"
        }
    ],
    "4118": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "RANSOM_MedusaLocker_July22",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf",
            "yara_rule_description": "Detects MedusaLocker Ransomware",
            "last_hit_utc": "2023-01-25 18:45:04"
        }
    ],
    "4119": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "RAN_PYSA_Sept_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect the PYSA ransomware",
            "last_hit_utc": "2022-05-25 22:53:02"
        }
    ],
    "4120": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "RAT_Imminent",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Imminent",
            "yara_rule_description": "Detects Imminent RAT",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "4121": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "RAT_SpyGate",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/SpyGate",
            "yara_rule_description": "Detects SpyGate RAT",
            "last_hit_utc": "2023-01-30 02:24:03"
        }
    ],
    "4122": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Recordbreaker",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "https://twitter.com/_FirehaK/status/1534997159937982464",
            "yara_rule_description": "Recordbreaker is an information stealer capable of downloading and executing secondary payloads. It has been spreading through fake software cracks and keygens since May 2022.",
            "last_hit_utc": "2022-06-26 07:44:03"
        }
    ],
    "4123": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Reflective_DLL_Loader_Aug17_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Reflective DLL Loader",
            "last_hit_utc": "2022-09-15 06:02:35"
        }
    ],
    "4124": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "regexpr_pos",
            "yara_rule_author": "@patrickrolsen",
            "yara_rule_reference": "POS malware - RegExpr",
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-18 04:10:57"
        }
    ],
    "4125": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "ScanBox_Malware_Generic",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP",
            "last_hit_utc": "2022-03-23 09:36:05"
        }
    ],
    "4126": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Script_Comments_SUSP",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects suspicious scripts with a lot of commented text",
            "last_hit_utc": "2022-09-23 06:37:06"
        }
    ],
    "4127": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "SecurityXploded_Producer_String_RID33B2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://securityxploded.com/browser-password-dump.php",
            "yara_rule_description": "Detects hacktools by SecurityXploded",
            "last_hit_utc": "2024-01-27 02:27:03"
        }
    ],
    "4128": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Sliver__Implant_64bit",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-10 19:39:22"
        }
    ],
    "4129": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "success_fail_codes_fallchill",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "success_fail_codes",
            "last_hit_utc": "2021-02-04 09:51:41"
        }
    ],
    "4130": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "SurtrRansomware",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara Rule To Detect Surtr Ransomware",
            "last_hit_utc": "2022-11-14 10:04:03"
        }
    ],
    "4131": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "SUSP_Doc_WordXMLRels_May22",
            "yara_rule_author": "Tobias Michalski, Christian Burkard, Wojciech Cieslak",
            "yara_rule_reference": "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
            "yara_rule_description": "Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation",
            "last_hit_utc": "2026-02-24 10:42:20"
        }
    ],
    "4132": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "SUSP_LNX_Linux_Malware_Indicators_Aug20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects indicators often found in linux malware samples",
            "last_hit_utc": "2022-07-16 05:12:03"
        }
    ],
    "4133": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "SUSP_OBFUSC_PowerShell_True_Jun20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/corneacristian/mimikatz-bypass/",
            "yara_rule_description": "Detects indicators often found in obfuscated PowerShell scripts",
            "last_hit_utc": "2025-01-05 17:23:45"
        }
    ],
    "4134": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "SUSP_Putty_Unnormal_Size_RID3086",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a putty version with a size different than the one provided by Simon Tatham (could be caused by an additional signature or malware)",
            "last_hit_utc": "2025-01-13 08:33:03"
        }
    ],
    "4135": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "SUSP_SFX_cmd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious SFX as used by Gamaredon group",
            "last_hit_utc": "2025-01-22 19:06:01"
        }
    ],
    "4136": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "SUSP_Unsigned_OSPPSVC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/",
            "yara_rule_description": "Detects a suspicious unsigned office software protection platform service binary",
            "last_hit_utc": "2025-01-05 15:19:00"
        }
    ],
    "4137": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "SUSP_Unsigned_OSPPSVC_RID2E85",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/",
            "yara_rule_description": "Detects a suspicious unsigned office software protection platform service binary",
            "last_hit_utc": "2025-01-05 15:19:00"
        }
    ],
    "4138": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "svg_auto_payload_download",
            "yara_rule_author": "Anish Bogati",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious SVG files with auto payload download behavior.",
            "last_hit_utc": "2026-03-02 18:14:17"
        }
    ],
    "4139": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "TA428_nccTrojan",
            "yara_rule_author": "Rintaro Koike (@nao_sec)",
            "yara_rule_reference": "https://vblocalhost.com/uploads/VB2020-20.pdf",
            "yara_rule_description": "TA428 - Operation LagTime IT - RAT",
            "last_hit_utc": "2022-03-29 13:42:24"
        }
    ],
    "4140": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Telebots",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-30 14:11:35"
        }
    ],
    "4141": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "tgtoxic_vmprotector",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-13 09:20:50"
        }
    ],
    "4142": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "ThemidaWinLicenseV1802OreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:37:29"
        }
    ],
    "4143": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Tmanger_Family_20210223",
            "yara_rule_author": "Rintaro Koike (@nao_sec)",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger",
            "yara_rule_description": "Tmanger Family",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "4144": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Txt_aspx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - Webshells - file aspx.jpg",
            "last_hit_utc": "2022-10-27 20:57:03"
        }
    ],
    "4145": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "unknownpowershell1_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/1e00c3c3-b928-43a7-9dad-6da1b9d7818d/",
            "yara_rule_description": "Something silly",
            "last_hit_utc": "2021-04-10 12:20:43"
        }
    ],
    "4146": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "UNKNOWN_News_Penguin_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-21 19:06:41"
        }
    ],
    "4147": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Unspecified_Malware_Sep1_A1_RID3131",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
            "yara_rule_description": "Detects malware from DragonFly APT report",
            "last_hit_utc": "2025-01-05 16:54:03"
        }
    ],
    "4148": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Upackv039finalDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 19:23:19"
        }
    ],
    "4149": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Ursnif",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "4150": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "V3_Lockbit_Black_Packer",
            "yara_rule_author": "Luis F.R",
            "yara_rule_reference": "https://twitter.com/vxunderground/status/1543661557883740161",
            "yara_rule_description": "Detects the packer used by Lockbit Black (Version 3)",
            "last_hit_utc": "2023-03-07 04:55:03"
        }
    ],
    "4151": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "VMProtectStub",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies VMProtect packer stub.",
            "last_hit_utc": "2022-07-06 14:10:03"
        }
    ],
    "4152": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "WanaCry",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "WanaCry Payload",
            "last_hit_utc": "2022-10-13 08:31:56"
        }
    ],
    "4153": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "webshell_asp_scan_writable",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "ASP webshell searching for writable directories (to hide more webshells ...)",
            "last_hit_utc": "2022-04-07 14:05:04"
        }
    ],
    "4154": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "webshell_in_image",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Webshell in GIF, PNG or JPG",
            "last_hit_utc": "2022-06-21 13:09:02"
        }
    ],
    "4155": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "webshell_simple_backdoor",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file simple-backdoor.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "4156": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Webshell_simple_backdoor_RID30D4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file simple-backdoor.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "4157": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "WebShell_Simple_PHP_backdoor_by_DK",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "4158": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "WiltedTulip_WindowsTask",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects hack tool used in Operation Wilted Tulip - Windows Tasks",
            "last_hit_utc": "2023-02-02 14:57:04"
        }
    ],
    "4159": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win32_async_rat",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting AsyncRAT malware",
            "last_hit_utc": "2025-11-17 00:36:23"
        }
    ],
    "4160": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Generic_Threat_0a640296",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-20 06:21:18"
        }
    ],
    "4161": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Generic_Threat_820fe9c9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-25 12:42:19"
        }
    ],
    "4162": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Generic_Threat_b1ef4828",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-16 11:25:33"
        }
    ],
    "4163": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Generic_Threat_d170474c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:47:54"
        }
    ],
    "4164": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Hacktool_GodPotato_5f1aad81",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-12 10:51:29"
        }
    ],
    "4165": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Infostealer_Strela_0dc3e4a1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-23 08:28:03"
        }
    ],
    "4166": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Loader_SquirrelWaffle",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies strings/byte sequence used in unpacked SquirrelWaffle loader",
            "last_hit_utc": "2021-10-27 10:42:04"
        }
    ],
    "4167": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Ransomware_Thanos_e19feca1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/",
            "yara_rule_description": "Identifies THANOS (Hakbit) ransomware",
            "last_hit_utc": "2025-01-23 02:33:03"
        }
    ],
    "4168": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Rootkit_R77_5bab748b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-11-20 09:10:12"
        }
    ],
    "4169": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Trojan_Amadey_c4df8d4a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-22 14:21:03"
        }
    ],
    "4170": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Trojan_Emotet_db7d33fa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-01-23 16:33:03"
        }
    ],
    "4171": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Trojan_GhostPulse_bb38fcb3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:50:02"
        }
    ],
    "4172": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Trojan_Metasploit_b62aac1e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:04:20"
        }
    ],
    "4173": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Trojan_Metasploit_f7f826b4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies metasploit kernel->user shellcode. Likely used in ETERNALBLUE and BlueKeep exploits.",
            "last_hit_utc": "2026-04-22 20:38:24"
        }
    ],
    "4174": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Trojan_Netwire_1b43df38",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-23 21:25:04"
        }
    ],
    "4175": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Trojan_Quasarrat_e52df647",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-23 12:43:31"
        }
    ],
    "4176": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_17ee6a17",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-13 03:01:13"
        }
    ],
    "4177": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_Trojan_SolarMarker_d466e548",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-09 14:41:02"
        }
    ],
    "4178": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "Windows_VulnDriver_Iqvw_b8b45e6b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Name: iQVW64.SYS, Version: 1.4.0.0",
            "last_hit_utc": "2025-01-03 20:04:24"
        }
    ],
    "4179": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "WinosVariant",
            "yara_rule_author": "Still",
            "yara_rule_reference": "https://www.fortinet.com/blog/threat-research/seo-poisoning-attack-targets-chinese-speaking-users-with-fake-software-sites",
            "yara_rule_description": "attempts to match strings/instructions found in an alleged Winos variant",
            "last_hit_utc": "2026-01-22 16:24:18"
        }
    ],
    "4180": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_agent_btz_w0",
            "yara_rule_author": "Symantec",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-30 02:39:07"
        }
    ],
    "4181": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_amadey_bytecodes_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects bytecodes present in Amadey Bot malware",
            "last_hit_utc": "2024-05-28 20:31:03"
        }
    ],
    "4182": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_babylon_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.babylon_rat.",
            "last_hit_utc": "2026-01-24 22:59:45"
        }
    ],
    "4183": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_blackshades_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.blackshades.",
            "last_hit_utc": "2025-05-04 07:27:09"
        }
    ],
    "4184": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_broomstick_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.broomstick.",
            "last_hit_utc": "2025-11-24 16:38:22"
        }
    ],
    "4185": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_cerber_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cerber.",
            "last_hit_utc": "2025-08-27 16:03:24"
        }
    ],
    "4186": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_colibri_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.colibri.",
            "last_hit_utc": "2022-10-19 15:37:03"
        }
    ],
    "4187": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_cycbot_w0",
            "yara_rule_author": "anonymous",
            "yara_rule_reference": null,
            "yara_rule_description": "Captures characteristic strings of CycBot.",
            "last_hit_utc": "2026-03-22 19:28:28"
        }
    ],
    "4188": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_dharma_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.dharma.",
            "last_hit_utc": "2022-11-09 06:10:05"
        }
    ],
    "4189": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_dorkbot_ngrbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-08 00:10:47"
        }
    ],
    "4190": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_dridex_loader_v1",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": null,
            "yara_rule_description": "detects some Dridex loaders",
            "last_hit_utc": "2020-11-07 22:21:04"
        }
    ],
    "4191": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_grandoreiro_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-04-09 07:43:02"
        }
    ],
    "4192": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_grimagent_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.grimagent.",
            "last_hit_utc": "2023-01-19 18:45:16"
        }
    ],
    "4193": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_hawkeye_keylogger_w0",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-25 16:03:36"
        }
    ],
    "4194": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_hive_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.hive.",
            "last_hit_utc": "2022-08-11 12:10:04"
        }
    ],
    "4195": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_jaku_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.jaku.",
            "last_hit_utc": "2025-01-03 20:27:19"
        }
    ],
    "4196": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_konni_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.konni.",
            "last_hit_utc": "2025-01-03 22:44:43"
        }
    ],
    "4197": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_kronos_g1",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-17 10:44:08"
        }
    ],
    "4198": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_lumar_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.lumar.",
            "last_hit_utc": "2025-06-16 16:34:34"
        }
    ],
    "4199": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_makop_w0",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1242177227682390017",
            "yara_rule_description": "Detects MAKOP ransomware payload",
            "last_hit_utc": "2025-12-21 11:48:15"
        }
    ],
    "4200": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_mal_StealC_v2",
            "yara_rule_author": "AlexMM",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects StealC v2",
            "last_hit_utc": "2026-04-25 11:19:28"
        }
    ],
    "4201": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_parallax_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-02-02 08:15:06"
        }
    ],
    "4202": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_raccoon_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.raccoon.",
            "last_hit_utc": "2025-01-05 14:44:47"
        }
    ],
    "4203": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_rad_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.rad.",
            "last_hit_utc": "2023-05-01 20:29:03"
        }
    ],
    "4204": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_ramnit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-09 23:14:06"
        }
    ],
    "4205": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_revenge_rat_g2",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-04-25 11:29:08"
        }
    ],
    "4206": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_sakula_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.sakula_rat.",
            "last_hit_utc": "2025-04-28 05:11:11"
        }
    ],
    "4207": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_sality_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.sality.",
            "last_hit_utc": "2025-03-17 04:14:05"
        }
    ],
    "4208": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_solarmarker_stage2_bytecodes_dec_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Patterns observed in Solarmarker stage2 dll",
            "last_hit_utc": "2024-05-09 14:41:02"
        }
    ],
    "4209": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_stealbit_w0",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Lockbit2.Stealbit.yar",
            "yara_rule_description": "Detects Stealbit used by Lockbit 2.0 Ransomware Gang",
            "last_hit_utc": "2022-03-03 01:55:06"
        }
    ],
    "4210": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_strelastealer",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc",
            "yara_rule_description": "Detects Strela Stealer",
            "last_hit_utc": "2025-01-05 17:08:50"
        }
    ],
    "4211": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_unidentified_030_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-08-17 08:10:41"
        }
    ],
    "4212": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_unidentified_098_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.unidentified_098.",
            "last_hit_utc": "2025-01-03 21:54:05"
        }
    ],
    "4213": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_ursnif_patterns_oct_2022",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "4214": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_wannacryptor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.wannacryptor.",
            "last_hit_utc": "2022-10-01 12:09:03"
        }
    ],
    "4215": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_warezov_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.warezov.",
            "last_hit_utc": "2025-03-24 06:02:07"
        }
    ],
    "4216": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_younglotus_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-24 10:02:18"
        }
    ],
    "4217": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "win_zeus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.zeus.",
            "last_hit_utc": "2025-04-28 01:57:58"
        }
    ],
    "4218": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "XehookStealer",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Xehook Stealer",
            "last_hit_utc": "2025-01-03 21:21:13"
        }
    ],
    "4219": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "XiaoBa",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies XiaoBa ransomware unpacked or in memory.",
            "last_hit_utc": "2025-01-18 12:50:03"
        }
    ],
    "4220": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "xls_yag",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Excel 2003 file format detection",
            "last_hit_utc": "2024-01-26 13:36:02"
        }
    ],
    "4221": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "xorkey_powerdoc_2025",
            "yara_rule_author": "Luke Acha",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects presence of hardcoded XOR key in EvilAI PowerDoc applications. 06ffbbf87d7feb88bfa548800abacd2b",
            "last_hit_utc": "2026-03-04 10:41:18"
        }
    ],
    "4222": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "xtreme_rat_payload_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-11 15:43:05"
        }
    ],
    "4223": [
        {
            "sample_cnt": 5,
            "yara_rule_name": "ZxShell_Related_Malware_CN_Group_Jul17_3_RID3603",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell related sample from a CN threat group",
            "last_hit_utc": "2024-03-01 14:47:03"
        }
    ],
    "4224": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "ach_IcedID_xlsm_20210324",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/143b94ac8d9e0b1416ae090e03cb8968/",
            "yara_rule_description": "Detects IcedID xlsm",
            "last_hit_utc": "2021-08-06 12:40:31"
        }
    ],
    "4225": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "ach_ZLoader_xls_20200514",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/00c5e69ed4b9559cc349f01c54270d36/",
            "yara_rule_description": "",
            "last_hit_utc": "2021-08-19 16:01:04"
        }
    ],
    "4226": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Adaptix_Beacon",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://github.com/Adaptix-Framework/AdaptixC2",
            "yara_rule_description": "Identifies Adaptix beacon.",
            "last_hit_utc": "2026-03-31 08:00:34"
        }
    ],
    "4227": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "amba_ransomware",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://www.enigmasoftware.com/ambaransomware-removal/",
            "yara_rule_description": "Rule to detect Amba Ransomware",
            "last_hit_utc": "2025-01-03 19:31:27"
        }
    ],
    "4228": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "APT34_PICKPOCKET",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-27 19:20:28"
        }
    ],
    "4229": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "APT_DNSpionage_Karkoff_Malware_Apr19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
            "yara_rule_description": "Detects DNSpionage Karkoff malware",
            "last_hit_utc": "2021-04-04 10:18:40"
        }
    ],
    "4230": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "APT_EvilNum_LNK_Jul_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect LNK file used by EvilNum group",
            "last_hit_utc": "2025-01-05 15:27:34"
        }
    ],
    "4231": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
            "yara_rule_description": "Detects unknown Linux implants (uploads from KR and MO)",
            "last_hit_utc": "2026-04-25 22:06:32"
        }
    ],
    "4232": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
            "yara_rule_description": "Detects BPFDoor implants used by Chinese actor Red Menshen",
            "last_hit_utc": "2022-11-15 13:09:04"
        }
    ],
    "4233": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "APT_MAL_RANSOM_ViceSociety_PolyVice_Jan23_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/",
            "yara_rule_description": "Detects NTRU-ChaChaPoly (PolyVice) malware used by Vice Society",
            "last_hit_utc": "2023-08-01 20:43:03"
        }
    ],
    "4234": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "APT_PupyRAT_PY",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
            "yara_rule_description": "Detects Pupy RAT",
            "last_hit_utc": "2025-12-04 15:38:27"
        }
    ],
    "4235": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "APT_SharpTongue_JS_SharpExt_Chrome_Extension",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
            "yara_rule_description": "A malicious Chrome browser extension used by the SharpTongue threat actor to steal mail data from a victim",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "4236": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Arkei",
            "yara_rule_author": "kevoreilly, YungBinary",
            "yara_rule_reference": null,
            "yara_rule_description": "Arkei Payload",
            "last_hit_utc": "2025-07-15 23:11:14"
        }
    ],
    "4237": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "AutoIT_Script",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies AutoIT script.",
            "last_hit_utc": "2022-01-22 08:16:26"
        }
    ],
    "4238": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "BackdoorFCKG",
            "yara_rule_author": "ISG",
            "yara_rule_reference": "https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker",
            "yara_rule_description": "CTB_Locker",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "4239": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "BadRabbit_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://pastebin.com/Y7pJv3tK",
            "yara_rule_description": "Detects BadRabbit Ransomware",
            "last_hit_utc": "2025-09-30 14:11:35"
        }
    ],
    "4240": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "badrabbit_ransomware",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://securelist.com/bad-rabbit-ransomware/82851/",
            "yara_rule_description": "Rule to detect Bad Rabbit Ransomware",
            "last_hit_utc": "2025-09-30 14:11:35"
        }
    ],
    "4241": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "binaryObfuscation",
            "yara_rule_author": "Sean Dalnodar",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-08-30 08:58:04"
        }
    ],
    "4242": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Blackcat_Ran_V1",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-17 09:02:04"
        }
    ],
    "4243": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "CACTUSTORCH_RID2A54",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/mdsecactivebreach/CACTUSTORCH_RID2A54",
            "yara_rule_description": "Detects CactusTorch Hacktool",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "4244": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "CAPTCHA_and_Reverse_Shell",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell reverse shell behaviour and web-based reverse shell downloads on Windows",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "4245": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "cerbere",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked cerbere malware samples.",
            "last_hit_utc": "2025-09-21 13:41:30"
        }
    ],
    "4246": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe",
            "last_hit_utc": "2025-01-05 14:59:58"
        }
    ],
    "4247": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "CN_Portscan",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "CN Port Scanner",
            "last_hit_utc": "2025-01-05 15:31:19"
        }
    ],
    "4248": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Cobaltbaltstrike_RAW_Payload_http_stager_x86",
            "yara_rule_author": "Avast Threat Intel Team",
            "yara_rule_reference": "https://github.com/avast/ioc",
            "yara_rule_description": "Detects CobaltStrike payloads",
            "last_hit_utc": "2025-01-05 14:48:58"
        }
    ],
    "4249": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Cobaltstrike3",
            "yara_rule_author": "Ahmet Payaslioglu | Binalyze DFIR LAB",
            "yara_rule_reference": "",
            "yara_rule_description": "Cobalt Strike Detection",
            "last_hit_utc": "2022-10-19 21:49:03"
        }
    ],
    "4250": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "CobaltStrike_Sleeve_Beacon_Dll_v4_7_suspected",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/beacon.dll Versions 4.7 (suspected, not confirmed)",
            "last_hit_utc": "2025-02-14 17:33:11"
        }
    ],
    "4251": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "crime_h2miner_kinsing",
            "yara_rule_author": "Tony Lambert, Red Canary",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to find Kinsing malware",
            "last_hit_utc": "2026-02-10 12:54:15"
        }
    ],
    "4252": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "crime_win32_matanbuchus_loader",
            "yara_rule_author": "Rony",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Matanbuchus loader dll",
            "last_hit_utc": "2022-10-27 11:53:02"
        }
    ],
    "4253": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "crime_win32_ransomexx_locker__dot_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1275133575927562241",
            "yara_rule_description": "Detects RansomExx ransomware that affected Texas DOT",
            "last_hit_utc": "2022-10-08 08:59:02"
        }
    ],
    "4254": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "CryLock",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies CryLock aka Cryakl ransomware.",
            "last_hit_utc": "2022-09-30 08:09:03"
        }
    ],
    "4255": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "CryptHunter_lnk_bitly",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect suspicious lnk file",
            "last_hit_utc": "2025-01-05 15:41:32"
        }
    ],
    "4256": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "DeepPanda_htran_exe",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Hack Deep Panda - htran-exe",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "4257": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "DeepPanda_htran_exe_RID2E90",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Hack Deep Panda - htran-exe",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "4258": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Detect_ViceSociety_Ransomware",
            "yara_rule_author": "@MalGamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect_ViceSociety_Ransomware",
            "last_hit_utc": "2023-08-01 20:43:03"
        }
    ],
    "4259": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Disclosed_0day_POCs_injector",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed 0day Repos",
            "yara_rule_description": "Detects POC code from disclosed 0day hacktool set",
            "last_hit_utc": "2025-10-28 13:44:05"
        }
    ],
    "4260": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Disclosed_0day_POCs_injector_RID31E9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed 0day Repos",
            "yara_rule_description": "Detects POC code from disclosed 0day hacktool set",
            "last_hit_utc": "2025-10-28 13:44:05"
        }
    ],
    "4261": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "dl_shadow",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2025-08-19 14:17:02"
        }
    ],
    "4262": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Dreambot",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Dreambot Payload",
            "last_hit_utc": "2021-01-25 17:04:06"
        }
    ],
    "4263": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "DROPPER_Vjw0rm_Stage_1",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse.php?search=tag%3AVjw0rm",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-04 18:15:02"
        }
    ],
    "4264": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Ekans",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Ekans aka Snake ransomware unpacked or in memory.",
            "last_hit_utc": "2025-01-05 16:56:24"
        }
    ],
    "4265": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "elf_blackcat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects elf.blackcat.",
            "last_hit_utc": "2022-11-15 12:32:04"
        }
    ],
    "4266": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "elf_bpfdoor_w1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/jcksnsec/status/1522163033585467393",
            "yara_rule_description": "Detects BPFDoor implants used by Chinese actor Red Menshen",
            "last_hit_utc": "2022-11-15 13:09:04"
        }
    ],
    "4267": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "elf_bpfdoor_w3",
            "yara_rule_author": "Sorint.lab",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BPFDoor, new 2023 variant",
            "last_hit_utc": "2026-03-28 08:31:19"
        }
    ],
    "4268": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "elf_kaiten_w0",
            "yara_rule_author": "Akamai SIRT",
            "yara_rule_reference": "",
            "yara_rule_description": "Kaiten/STD DDoS malware",
            "last_hit_utc": "2022-03-09 17:41:03"
        }
    ],
    "4269": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "elf_kinsing_w0",
            "yara_rule_author": "Tony Lambert, Red Canary",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to find Kinsing malware",
            "last_hit_utc": "2026-02-10 12:54:15"
        }
    ],
    "4270": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Emotet_2022",
            "yara_rule_author": "Marcelo Rivero",
            "yara_rule_reference": null,
            "yara_rule_description": "Emotet EP4 unpacked",
            "last_hit_utc": "2025-07-12 15:03:19"
        }
    ],
    "4271": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Emotet_EP4up",
            "yara_rule_author": "Marcelo Rivero",
            "yara_rule_reference": null,
            "yara_rule_description": "Emotet EP4 unpacked",
            "last_hit_utc": "2025-07-12 15:03:20"
        }
    ],
    "4272": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen5_RID3392",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1",
            "last_hit_utc": "2025-08-25 08:05:56"
        }
    ],
    "4273": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "feklsdfff",
            "yara_rule_author": "tslalovrr",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-06 15:52:03"
        }
    ],
    "4274": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "FeliksPack3___PHP_Shells_ssh",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file ssh.php",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "4275": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Find_Emotoet_LNK_File_VBS",
            "yara_rule_author": "David Ledbetter",
            "yara_rule_reference": null,
            "yara_rule_description": "Search for lnk files dropping vbs files.",
            "last_hit_utc": "2026-04-14 20:25:57"
        }
    ],
    "4276": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Frost_Clipper_Native",
            "yara_rule_author": "3xp0rt",
            "yara_rule_reference": "https://twitter.com/3xp0rtblog/status/1415564081487138822",
            "yara_rule_description": "The rule for C++ version of Frost Clipper",
            "last_hit_utc": "2021-07-17 00:32:37"
        }
    ],
    "4277": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Gazer_logfile_name",
            "yara_rule_author": "ESET",
            "yara_rule_reference": "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
            "yara_rule_description": "Detects Turla's Gazer malware",
            "last_hit_utc": "2025-01-05 17:28:02"
        }
    ],
    "4278": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Generic_Dropper",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/JAHZVL",
            "yara_rule_description": "Detects Dropper PDB string in file",
            "last_hit_utc": "2025-09-01 14:16:44"
        }
    ],
    "4279": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "gen_unicorn_obfuscated_powershell",
            "yara_rule_author": "John Lambert @JohnLaTwC",
            "yara_rule_reference": "https://github.com/trustedsec/unicorn/",
            "yara_rule_description": "PowerShell payload obfuscated by Unicorn toolkit",
            "last_hit_utc": "2025-01-03 22:00:27"
        }
    ],
    "4280": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Get2_loader_new_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/98bfc7a0-77de-49f6-a390-5b2307dcc1dd",
            "yara_rule_description": "Get2 loader",
            "last_hit_utc": "2020-12-17 17:09:04"
        }
    ],
    "4281": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Godzilla_Webshells_303",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
            "yara_rule_description": "Detects various builds of Godzilla Webshell.",
            "last_hit_utc": "2025-12-12 09:53:16"
        }
    ],
    "4282": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "golang_duffcopy",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:52:19"
        }
    ],
    "4283": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "GoldDragon_Ghost419_RAT",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/rW1yvZ",
            "yara_rule_description": "Detects Ghost419 RAT from Gold Dragon report",
            "last_hit_utc": "2025-01-03 22:53:20"
        }
    ],
    "4284": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HKTL_Keyword_InjectDLL",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/zerosum0x0/koadic",
            "yara_rule_description": "Detects suspicious InjectDLL keyword found in hacktools or possibly unwanted applications",
            "last_hit_utc": "2026-03-24 09:11:48"
        }
    ],
    "4285": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HKTL_Keyword_InjectDLL_RID2F20",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/zerosum0x0/koadic",
            "yara_rule_description": "Detects suspicious InjectDLL keyword found in hacktools or possibly unwanted applications",
            "last_hit_utc": "2026-03-24 09:11:48"
        }
    ],
    "4286": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HKTL_NET_GUID_Lime_RAT",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Lime-RAT",
            "yara_rule_description": "Detects VB.NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "4287": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HKTL_NET_GUID_njRAT",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/mwsrc/njRAT",
            "yara_rule_description": "Detects VB.NET red/black-team tools via typelibguid",
            "last_hit_utc": "2022-08-06 20:06:04"
        }
    ],
    "4288": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HKTL_NET_GUID_SharpByeBear",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/S3cur3Th1sSh1t/SharpByeBear",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2024-05-12 10:24:03"
        }
    ],
    "4289": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HKTL_NET_GUID_UrbanBishopLocal",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/slyd0g/UrbanBishopLocal",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-05 17:02:10"
        }
    ],
    "4290": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HKTL_Unknown_Feb19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1097423665472376832",
            "yara_rule_description": "Detects a tool used in the Australian Parliament House network compromise",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "4291": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HKTL_Unknown_Feb19_1_RID2DF9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1097423665472376832",
            "yara_rule_description": "Detects a tool used in the Australian Parliament House network compromise",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "4292": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HUN_Exchange_Gold_Mystic_Oct_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://asec.ahnlab.com/ko/39682/",
            "yara_rule_description": "Detect the implant used against vulnerable Exchange servers by the Gold Mystic group (Lockbit)",
            "last_hit_utc": "2023-05-03 03:36:03"
        }
    ],
    "4293": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HydraDexManifestApk_strings",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Hydra Android Banking malware (AndroidManifest.xml strings)",
            "last_hit_utc": "2026-04-03 06:52:11"
        }
    ],
    "4294": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "HydraManifestApk_strings",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Hydra Android Banking malware (AndroidManifest.xml strings)",
            "last_hit_utc": "2026-04-03 06:52:11"
        }
    ],
    "4295": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "IcedID",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies IcedID (stage 1 and 2, loaders).",
            "last_hit_utc": "2021-08-02 18:36:04"
        }
    ],
    "4296": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "IcedIDPackerD",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "IcedID export selection",
            "last_hit_utc": "2023-03-08 00:23:03"
        }
    ],
    "4297": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Imminent",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Imminent Payload",
            "last_hit_utc": "2022-06-09 13:15:05"
        }
    ],
    "4298": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Impacket_Tools_Generic_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2022-10-12 03:41:04"
        }
    ],
    "4299": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Impacket_Tools_tracer",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2025-01-05 15:15:51"
        }
    ],
    "4300": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_KB_CERT_3300000187721772155940c709000000000187",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-10-31 08:58:34"
        }
    ],
    "4301": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Ryzerlo",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Ryzerlo / HiddenTear / RSJON ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "4302": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_OLE_Suspicious_Reverse",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects OLE documents containing VB scripts with reversed suspicious strings",
            "last_hit_utc": "2021-11-28 00:17:05"
        }
    ],
    "4303": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_RTF_MultiExploit_Embedded_Files",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RTF documents potentially exploiting multiple vulnerabilities and embedding next stage scripts and/or binaries",
            "last_hit_utc": "2023-03-10 05:54:03"
        }
    ],
    "4304": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Anti_WinJail",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables potentially checking for WinJail sandbox window",
            "last_hit_utc": "2025-04-28 05:28:08"
        }
    ],
    "4305": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_IMG_Embedded_Archive",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects images embedding archives. Observed in TheRat RAT.",
            "last_hit_utc": "2026-01-05 11:30:22"
        }
    ],
    "4306": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_PWS_CaptureScreenshot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell script with screenshot capture capability",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "4307": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_TOOL_ChromeCookiesView",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ChromeCookiesView",
            "last_hit_utc": "2025-12-12 13:39:18"
        }
    ],
    "4308": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_TOOL_EdgeCookiesView",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects EdgeCookiesView",
            "last_hit_utc": "2025-12-12 13:39:18"
        }
    ],
    "4309": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_TOOL_LTM_CompiledImpacket",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables of compiled Impacket's python scripts",
            "last_hit_utc": "2022-10-12 03:41:04"
        }
    ],
    "4310": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "INDICATOR_TOOL_PWS_LaZagne",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LaZagne post-exploitation password stealing tool. It is typically embedded with malware in the binary resources.",
            "last_hit_utc": "2026-02-17 12:07:15"
        }
    ],
    "4311": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "IPStorm",
            "yara_rule_author": "Intezer Labs",
            "yara_rule_reference": "https://www.intezer.com",
            "yara_rule_description": null,
            "last_hit_utc": "2023-11-18 00:55:03"
        }
    ],
    "4312": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "ISFB_Crypter",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-08-26 09:00:05"
        }
    ],
    "4313": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "js_downloader_gootloader",
            "yara_rule_author": "HP Threat Research @HPSecurity",
            "yara_rule_reference": "",
            "yara_rule_description": "JavaScript downloader known to deliver Gootkit or REvil ransomware",
            "last_hit_utc": "2022-10-12 23:04:02"
        }
    ],
    "4314": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "kryptina_encryptor",
            "yara_rule_author": "Mario De Tore, Corelight Labs",
            "yara_rule_reference": null,
            "yara_rule_description": "Matches on kryptina encryptor binary",
            "last_hit_utc": "2026-02-26 10:32:22"
        }
    ],
    "4315": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "lb4_packer_was_detected",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect the packer used by Lockbit4.0",
            "last_hit_utc": "2025-06-25 07:59:29"
        }
    ],
    "4316": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Cryptominer_Generic_5e56d076",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:20:47"
        }
    ],
    "4317": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Cryptominer_Malxmr_979160f6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-21 01:14:13"
        }
    ],
    "4318": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Cryptominer_Xmrig_7e42bf80",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-08 22:10:41"
        }
    ],
    "4319": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Cryptominer_Zexaf_b90e7683",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-08 22:10:42"
        }
    ],
    "4320": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Hacktool_Earthworm_4de7b584",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "4321": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Hacktool_Flooder_b1ca2abd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 16:18:27"
        }
    ],
    "4322": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Hacktool_Flooder_f454ec10",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "0297e1ad6e180af85256a175183102776212d324a2ce0c4f32e8a44a2e2e9dad",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-22 20:38:23"
        }
    ],
    "4323": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Hacktool_Portscan_a40c7ef0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-21 12:37:15"
        }
    ],
    "4324": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Hacktool_Portscan_e191222d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-21 12:37:15"
        }
    ],
    "4325": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Ransomware_Agenda_4562a654",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-16 16:22:32"
        }
    ],
    "4326": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Rootkit_BrokePKG_7b7d4581",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 16:26:29"
        }
    ],
    "4327": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_BPFDoor_0f768f60",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 13:09:03"
        }
    ],
    "4328": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_BPFDoor_1a7d804b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 13:09:04"
        }
    ],
    "4329": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_BPFDoor_f1cd26ad",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-28 08:31:19"
        }
    ],
    "4330": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Gafgyt_31796a40",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 18:19:02"
        }
    ],
    "4331": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Gafgyt_46eec778",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "4332": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Gafgyt_4f43b164",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-18 22:25:45"
        }
    ],
    "4333": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Gafgyt_6a510422",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 11:57:04"
        }
    ],
    "4334": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Gafgyt_862c4e0e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:03"
        }
    ],
    "4335": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Gafgyt_ae01d978",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:54:08"
        }
    ],
    "4336": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Gafgyt_d2953f92",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 11:57:04"
        }
    ],
    "4337": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Ladvix_c9888edb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-18 22:25:40"
        }
    ],
    "4338": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Mirai_5f7b67b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:50:03"
        }
    ],
    "4339": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Mirai_637f2c04",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 12:13:04"
        }
    ],
    "4340": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Mirai_aa39fb02",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:03"
        }
    ],
    "4341": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Linux_Trojan_Rekoobe_7f7aba78",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-13 06:33:19"
        }
    ],
    "4342": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "LokiBot_Dropper_Packed_R11_Feb18",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5",
            "yara_rule_description": "Auto-generated rule - file scan copy.pdf.r11",
            "last_hit_utc": "2022-05-09 15:27:01"
        }
    ],
    "4343": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MacOS_Trojan_Metasploit_293bfea9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:54:18"
        }
    ],
    "4344": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MacOS_Trojan_Metasploit_448fa81d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:54:18"
        }
    ],
    "4345": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_DOC_KoadicDOC",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Koadic post-exploitation framework document payload",
            "last_hit_utc": "2021-04-29 13:06:55"
        }
    ],
    "4346": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Linux_Kinsing",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Kinsing RAT payload",
            "last_hit_utc": "2026-02-10 12:54:15"
        }
    ],
    "4347": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "malware_MedusaLocker3_str",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "MedusaLocker3 ransomware",
            "last_hit_utc": "2025-01-03 22:39:11"
        }
    ],
    "4348": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "malware_PoisonIvy",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect PoisonIvy in memory",
            "last_hit_utc": "2025-06-22 22:07:35"
        }
    ],
    "4349": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_PWSH_CUMII",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects multi-dropper PowerShell",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "4350": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "malware_sakula_xorloop",
            "yara_rule_author": "David Cannings",
            "yara_rule_reference": "",
            "yara_rule_description": "XOR loops from Sakula malware",
            "last_hit_utc": "2022-03-23 09:36:05"
        }
    ],
    "4351": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_BlackshadesRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "BlackshadesRAT POS payload",
            "last_hit_utc": "2021-09-07 06:11:11"
        }
    ],
    "4352": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_Diavol",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Hunt for Diavol ransomware",
            "last_hit_utc": "2021-12-24 18:20:06"
        }
    ],
    "4353": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_HawkEyeV9",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HawkEyeV9 payload",
            "last_hit_utc": "2021-03-02 21:44:06"
        }
    ],
    "4354": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_KrakenStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Kraken infostealer",
            "last_hit_utc": "2023-09-19 18:58:41"
        }
    ],
    "4355": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_LilithRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects LilithRAT",
            "last_hit_utc": "2022-07-07 07:22:03"
        }
    ],
    "4356": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_Nitro",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Nitro Ransomware",
            "last_hit_utc": "2025-05-28 17:32:12"
        }
    ],
    "4357": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_ParallaxRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects ParallaxRAT",
            "last_hit_utc": "2021-11-10 11:08:08"
        }
    ],
    "4358": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_Purge",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Purge ransomware",
            "last_hit_utc": "2023-04-29 03:33:03"
        }
    ],
    "4359": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_PWSH_PoshWiFiStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell PoshWiFiStealer",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "4360": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_Surtr",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Surtr ransomware. Ransom note is similar to LockFile",
            "last_hit_utc": "2022-11-14 10:04:03"
        }
    ],
    "4361": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MALWARE_Win_Underground",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Underground ransomware",
            "last_hit_utc": "2025-06-17 13:48:34"
        }
    ],
    "4362": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_Cronos_Crypter_Assembly_Name",
            "yara_rule_author": "Tony Lambert",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Cronos Crypter based on .NET assembly name.",
            "last_hit_utc": "2025-12-31 01:13:20"
        }
    ],
    "4363": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_Cronos_Crypter_Salt",
            "yara_rule_author": "Tony Lambert",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Cronos Crypter based on encryption salt value and string that should be seen in memory.",
            "last_hit_utc": "2025-12-31 01:13:20"
        }
    ],
    "4364": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_Cronos_Crypter_Strings",
            "yara_rule_author": "Tony Lambert",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Cronos Crypter based on strings found in file.",
            "last_hit_utc": "2025-12-31 01:13:20"
        }
    ],
    "4365": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_Driver_773B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys",
            "last_hit_utc": "2025-11-25 20:48:19"
        }
    ],
    "4366": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_Emotet_Jan20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/",
            "yara_rule_description": "Detects Emotet malware",
            "last_hit_utc": "2025-07-03 01:30:18"
        }
    ],
    "4367": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "mal_jinxv2loader",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "JinxLoader V2 Payload",
            "last_hit_utc": "2025-01-05 16:56:43"
        }
    ],
    "4368": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "mal_lockbit4_hashing_alg_win_feb24",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/lockbit4-0-evasion-tales/",
            "yara_rule_description": "This rule detects the custom hashing algorithm of Lockbit4.0 unpacked",
            "last_hit_utc": "2025-06-25 08:15:42"
        }
    ],
    "4369": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_lockbit4_rc4_alg",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect the implementation of RC4 Algorithm by Lockbit4.0",
            "last_hit_utc": "2025-06-25 08:15:42"
        }
    ],
    "4370": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_PE_Type_BabyShark_Loader",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
            "yara_rule_description": "Detects PE Type babyShark loader mentioned in February 2019 blog post by Palo Alto Networks",
            "last_hit_utc": "2022-03-18 10:28:05"
        }
    ],
    "4371": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://objective-see.org/blog/blog_0x75.html",
            "yara_rule_description": "Detects forensic artifacts found in LockBit intrusions",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "4372": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_RANSOM_Venus_Nov22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/dyngnosis/status/1592588860168421376",
            "yara_rule_description": "Detects Venus Ransomware samples",
            "last_hit_utc": "2023-02-03 15:50:03"
        }
    ],
    "4373": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MAL_Visel_Sample_May18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://401trg.pw/burning-umbrella/",
            "yara_rule_description": "Detects Visel malware sample from Burning Umbrella report",
            "last_hit_utc": "2022-03-10 04:48:07"
        }
    ],
    "4374": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "massloger",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked massloger malware samples.",
            "last_hit_utc": "2025-09-06 06:57:38"
        }
    ],
    "4375": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MATCH_INTERNAL_000001",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-20 06:35:40"
        }
    ],
    "4376": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "mimikatz_memssp_hookfn",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "",
            "yara_rule_description": "hunt for default mimikatz memssp module, both on-disk and in-memory artifacts",
            "last_hit_utc": "2024-01-13 03:21:02"
        }
    ],
    "4377": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MiniRAT_Gen_1_RID2B8E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news",
            "yara_rule_description": "Detects Mini RAT malware",
            "last_hit_utc": "2023-03-10 18:30:05"
        }
    ],
    "4378": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Mirai",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Mirai",
            "last_hit_utc": "2025-01-05 14:49:57"
        }
    ],
    "4379": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Mirai_1_May17",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Mirai Malware",
            "last_hit_utc": "2025-12-25 19:20:22"
        }
    ],
    "4380": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Mirai_1_May17_RID2B81",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Mirai Malware",
            "last_hit_utc": "2025-12-25 19:20:22"
        }
    ],
    "4381": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Msfpayloads_msf_cmd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf-cmd.ps1",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "4382": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Msfpayloads_msf_cmd_RID2ECC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf-cmd.ps1",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "4383": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Multi_Hacktool_Stowaway_89f1d452",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-01 11:19:09"
        }
    ],
    "4384": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Multi_Ransomware_BlackCat_c4b043e6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-24 07:12:36"
        }
    ],
    "4385": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "MythStealerLoader",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match the strings/instructions found in MythStealer loader; this is a very loose rule and may match fp",
            "last_hit_utc": "2025-10-07 03:14:28"
        }
    ],
    "4386": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "NetTravExports",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "Export names for dll component",
            "last_hit_utc": "2020-08-29 12:12:04"
        }
    ],
    "4387": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "nightingale_payload_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-17 07:28:15"
        }
    ],
    "4388": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "NikiHTTP",
            "yara_rule_author": "@bartblaze, @nsquar3",
            "yara_rule_reference": "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/",
            "yara_rule_description": "Identifies NikiHTTP aka HTTPSpy, a versatile backdoor by (likely) Kimsuky.",
            "last_hit_utc": "2025-09-05 06:34:18"
        }
    ],
    "4389": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Njrat_test",
            "yara_rule_author": "refer to JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "njRAT in memory",
            "last_hit_utc": "2021-08-26 14:33:04"
        }
    ],
    "4390": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "OutlookBackdoor",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-20 13:14:03"
        }
    ],
    "4391": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PECompactv14x",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-12 06:29:14"
        }
    ],
    "4392": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PirateStealer",
            "yara_rule_author": "nwunderly",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:34:51"
        }
    ],
    "4393": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PoisonIvy",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect PoisonIvy in memory",
            "last_hit_utc": "2025-06-22 22:07:36"
        }
    ],
    "4394": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PoisonIvy",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "4395": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Ponmocup",
            "yara_rule_author": "Danny Heppener, Fox-IT",
            "yara_rule_reference": "https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf",
            "yara_rule_description": "Ponmocup plugin detection (memory)",
            "last_hit_utc": "2021-06-26 16:21:07"
        }
    ],
    "4396": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Possible_Solarmarker_Backdoor_Nov2023",
            "yara_rule_author": "Lucas Acha (http://www.lukeacha.com)",
            "yara_rule_reference": "https://security5magics.blogspot.com/2023/10/new-solarmarker-variant-october-2023.html",
            "yara_rule_description": "Observed strings in the latest obfuscated solarmarker backdoor dll.",
            "last_hit_utc": "2024-05-09 14:41:02"
        }
    ],
    "4397": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PowerShdll",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/p3nt4/PowerShdll",
            "yara_rule_description": "Detects hack tool PowerShdll",
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "4398": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PowerShell_JAB_B64_RID2D4D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/ItsReallyNick/status/980915287922040832",
            "yara_rule_description": "Detects base64 encoded $ sign at the beginning of a string",
            "last_hit_utc": "2026-02-25 16:14:21"
        }
    ],
    "4399": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PrivateexeProtector21522XSetiSoftTeam",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-12 05:28:44"
        }
    ],
    "4400": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "privateloader",
            "yara_rule_author": "Andre Tavares",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects downloader PrivateLoader loader and core, based on string encryption and an http header used on C2 comms",
            "last_hit_utc": "2022-06-18 19:16:03"
        }
    ],
    "4401": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "ps1_toolkit_Invoke_Shellcode",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - file Invoke-Shellcode.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "4402": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "ps1_toolkit_Invoke_Shellcode_RID3247",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - file Invoke-Shellcode.ps1",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "4403": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PUA_CryptoMiner_Jan19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Crypto Miner strings",
            "last_hit_utc": "2023-01-22 05:32:06"
        }
    ],
    "4404": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys",
            "last_hit_utc": "2025-01-03 20:04:24"
        }
    ],
    "4405": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "PUP_InstallRex_AntiFWb",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Malware InstallRex / AntiFW",
            "last_hit_utc": "2026-03-22 06:24:24"
        }
    ],
    "4406": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Quickbind",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "Quickbind",
            "last_hit_utc": "2025-11-05 10:16:49"
        }
    ],
    "4407": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "ragnarlocker_ransomware",
            "yara_rule_author": "Christiaan Beek | Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/",
            "yara_rule_description": "Rule to detect RagnarLocker samples",
            "last_hit_utc": "2020-08-03 10:03:40"
        }
    ],
    "4408": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "RansomPyShield_Antiransomware",
            "yara_rule_author": "XiAnzheng",
            "yara_rule_reference": null,
            "yara_rule_description": "Check for malicious import & string combination that ransomware mostly uses (can create FP)",
            "last_hit_utc": "2025-01-03 21:59:44"
        }
    ],
    "4409": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "RAN_Decaf_Nov_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance",
            "yara_rule_description": "Detect Decaf ransomware (unpacked UPX)",
            "last_hit_utc": "2022-07-31 20:45:03"
        }
    ],
    "4410": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "RAN_ELF_Hive_Oct_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/ESETresearch/status/1454100591261667329",
            "yara_rule_description": "Detect ELF version of Hive ransomware",
            "last_hit_utc": "2025-01-05 16:18:29"
        }
    ],
    "4411": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "RAN_Lockbit_Green_Jan_2023_2",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://github.com/prodaft/malware-ioc/blob/master/LockBit/green.md",
            "yara_rule_description": "Detect the green variant used by lockbit group (x64)",
            "last_hit_utc": "2025-01-05 16:04:09"
        }
    ],
    "4412": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "RAN_Venus_Oct_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://www.bleepingcomputer.com/forums/t/777945/venus-ransomware-support-help-topic-venus-readmehtml/",
            "yara_rule_description": "Detect venus ransomware",
            "last_hit_utc": "2023-02-03 15:50:04"
        }
    ],
    "4413": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "RAT_PoisonIvy",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/PoisonIvy",
            "yara_rule_description": "Detects PoisonIvy RAT",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "4414": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Recordbreaker_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/631b83d3-0f5d-4766-9b84-c35919fc4db0",
            "yara_rule_description": "RecordBreaker stealer",
            "last_hit_utc": "2023-09-24 10:41:03"
        }
    ],
    "4415": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "recordbreaker_win_generic",
            "yara_rule_author": "_kphi",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:28:04"
        }
    ],
    "4416": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "RedLine_Campaign_June2021",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html",
            "yara_rule_description": "Identifies RedLine stealer's June 2021 campaign.",
            "last_hit_utc": "2026-03-06 13:56:16"
        }
    ],
    "4417": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "ReflectiveLoader_RID2D71",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended",
            "last_hit_utc": "2025-01-05 17:28:04"
        }
    ],
    "4418": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Revil",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara to detect Revil",
            "last_hit_utc": "2025-01-03 19:38:55"
        }
    ],
    "4419": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "rig_win64_xmrig_6_13_1_start",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "rig_win64 - file start.cmd",
            "last_hit_utc": "2025-06-25 18:10:45"
        }
    ],
    "4420": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "ropo_dropper_v1",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:02:13"
        }
    ],
    "4421": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Royal_Ran_V1",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-16 06:44:58"
        }
    ],
    "4422": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "rtf_cve2017_11882",
            "yara_rule_author": "John Davison",
            "yara_rule_reference": "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about",
            "yara_rule_description": "Attempts to identify the exploit CVE 2017 11882",
            "last_hit_utc": "2023-03-10 05:54:03"
        }
    ],
    "4423": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "SafeDiscv4",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-06 20:13:33"
        }
    ],
    "4424": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Script_Comments_SUSP",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious scripts with a lot of commented text",
            "last_hit_utc": "2025-01-05 15:15:03"
        }
    ],
    "4425": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "SevenZipSelfExtractor",
            "yara_rule_author": "malcat",
            "yara_rule_reference": null,
            "yara_rule_description": "7z self extractor",
            "last_hit_utc": "2025-10-21 05:06:30"
        }
    ],
    "4426": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "sig_2008_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file 2008.php.php.txt",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "4427": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "SiliconRealmsInstallStub",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-16 07:56:14"
        }
    ],
    "4428": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "SocGholish_JS_22_02_2022",
            "yara_rule_author": "Wojciech Cie\u015blak",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SocGholish fake update Javascript files 22.02.2022",
            "last_hit_utc": "2022-03-09 08:37:04"
        }
    ],
    "4429": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Stealerium",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Stealerium Stealer",
            "last_hit_utc": "2025-01-03 21:21:02"
        }
    ],
    "4430": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "SteamReplacementsTool",
            "yara_rule_author": "3xp0rt",
            "yara_rule_reference": "https://twitter.com/3xp0rtblog/status/1421896169815478275",
            "yara_rule_description": "The rule for javascript SteamReplacementsTool",
            "last_hit_utc": "2023-07-24 06:53:03"
        }
    ],
    "4431": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "SurtrRansomware",
            "yara_rule_author": "Dhanunjaya",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule To Detect Surtr Ransomware",
            "last_hit_utc": "2023-05-07 03:22:03"
        }
    ],
    "4432": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "SUSP_LNK_Embedded_WordDoc",
            "yara_rule_author": "Greg Lesnewich",
            "yara_rule_reference": null,
            "yara_rule_description": "check for LNK files with indications of the Word program or an embedded doc",
            "last_hit_utc": "2026-04-23 15:14:28"
        }
    ],
    "4433": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "SUSP_LNX_Linux_Malware_Indicators_Aug20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects indicators often found in linux malware samples",
            "last_hit_utc": "2025-02-05 02:45:19"
        }
    ],
    "4434": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Sus_Obf_Enc_Spoof_Hide_PE",
            "yara_rule_author": "XiAnzheng",
            "yara_rule_reference": null,
            "yara_rule_description": "Check for Suspicious, Obfuscating, Encrypting, Spoofing, or Hiding Technique (can create FP)",
            "last_hit_utc": "2025-01-03 21:59:44"
        }
    ],
    "4435": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "telnet_cgi",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file telnet.cgi.txt",
            "last_hit_utc": "2025-10-28 13:45:14"
        }
    ],
    "4436": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Themida10xx18xxnocompressionOreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:12:09"
        }
    ],
    "4437": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Tofu_Backdoor",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
            "yara_rule_description": "Detects Tofu Trojan",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "4438": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Unspecified_Malware_Sep1_A1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
            "yara_rule_description": "Detects malware from DragonFly APT report",
            "last_hit_utc": "2025-01-05 16:54:03"
        }
    ],
    "4439": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "UrsnifV3",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "UrsnifV3 Payload",
            "last_hit_utc": "2024-05-29 00:35:39"
        }
    ],
    "4440": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "vbs_loader",
            "yara_rule_author": "Randy McEoin",
            "yara_rule_reference": null,
            "yara_rule_description": "VBS Loader containing lots of Arrays with integers that get decoded and executed",
            "last_hit_utc": "2021-06-05 09:49:19"
        }
    ],
    "4441": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "vulnerablity_driver2_PhysicalMemory",
            "yara_rule_author": "wonderkun",
            "yara_rule_reference": null,
            "yara_rule_description": "vulnerablity_driver2_PhysicalMemory",
            "last_hit_utc": "2025-07-23 09:23:05"
        }
    ],
    "4442": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "webshell_asp_generic_eval_on_input",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Generic ASP webshell which uses any eval/exec function directly on user input",
            "last_hit_utc": "2022-06-16 17:03:02"
        }
    ],
    "4443": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "webshell_asp_generic_registry_reader",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Generic ASP webshell which reads the registry (might look for passwords, license keys, database settings, general recon, ...",
            "last_hit_utc": "2022-06-16 17:03:02"
        }
    ],
    "4444": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "webshell_asp_obfuscated",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": null,
            "yara_rule_description": "ASP webshell obfuscated",
            "last_hit_utc": "2025-01-05 14:45:23"
        }
    ],
    "4445": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "webshell_c99_locus7s_c99_w4cking_xxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php",
            "last_hit_utc": "2025-11-25 20:48:18"
        }
    ],
    "4446": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "webshell_c99_locus7s_c99_w4cking_xxx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "4447": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Webshell_c99_locus7s_c99_w4cking_xxx_RID34BB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects Web Shell from tennc webshell repo",
            "last_hit_utc": "2025-11-25 20:48:18"
        }
    ],
    "4448": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Webshell_FeliksPack3___PHP_Shells_ssh_RID3532",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells PHP Webshell - file ssh.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "4449": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php",
            "last_hit_utc": "2025-11-25 20:48:18"
        }
    ],
    "4450": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-11-25 20:48:18"
        }
    ],
    "4451": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx_RID39AE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects Web Shell from tennc webshell repo",
            "last_hit_utc": "2025-11-25 20:48:18"
        }
    ],
    "4452": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "WEBSHELL_HAFNIUM_CISA_10328929_01",
            "yara_rule_author": "CISA Code & Media Analysis",
            "yara_rule_reference": "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a",
            "yara_rule_description": "Detects CVE-2021-27065 Webshellz",
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "4453": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Webshell_jsp_cmd_1_RID2E16",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file cmd.jsp",
            "last_hit_utc": "2026-02-18 16:31:17"
        }
    ],
    "4454": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Webshell_shellbot_pl_RID2F3E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file shellbot.pl.txt",
            "last_hit_utc": "2025-11-12 17:23:23"
        }
    ],
    "4455": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Webshell_sig_2008_php_php_RID3060",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file 2008.php.php.txt",
            "last_hit_utc": "2025-11-25 20:48:18"
        }
    ],
    "4456": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "webshell_simple_backdoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file simple-backdoor.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "4457": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "WebShell_Simple_PHP_backdoor_by_DK",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "4458": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "WhisperGateStage2",
            "yara_rule_author": "Harish Kumar",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule to Detect WhisperGateStage2",
            "last_hit_utc": "2025-08-23 09:11:46"
        }
    ],
    "4459": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win32_dcrat",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting DCRat malware",
            "last_hit_utc": "2025-06-16 16:16:52"
        }
    ],
    "4460": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Win32_Ransomware_Balaclava",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Balaclava ransomware.",
            "last_hit_utc": "2020-10-09 08:09:26"
        }
    ],
    "4461": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Win32_Ransomware_CryptoWall",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects CryptoWall ransomware.",
            "last_hit_utc": "2023-04-28 20:16:04"
        }
    ],
    "4462": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Win32_Ransomware_GlobeImposter",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects GlobeImposter ransomware.",
            "last_hit_utc": "2023-02-25 05:10:03"
        }
    ],
    "4463": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Win32_Ransomware_NotPetya",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects NotPetya ransomware.",
            "last_hit_utc": "2023-11-24 05:41:27"
        }
    ],
    "4464": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Win32_Ransomware_Revil",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Revil ransomware.",
            "last_hit_utc": "2025-01-05 16:52:54"
        }
    ],
    "4465": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Exploit_Generic_8c54846d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-22 18:14:18"
        }
    ],
    "4466": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Generic_Threat_05f52e4d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-29 06:51:05"
        }
    ],
    "4467": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Generic_Threat_0a38c7d0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 11:34:42"
        }
    ],
    "4468": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Generic_Threat_1636c2bf",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-29 06:51:05"
        }
    ],
    "4469": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Generic_Threat_27a2994f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-10 21:40:23"
        }
    ],
    "4470": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Generic_Threat_347f9f54",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-28 02:45:14"
        }
    ],
    "4471": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Generic_Threat_45d1e986",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:25:12"
        }
    ],
    "4472": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Generic_Threat_b125fff2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-16 13:38:41"
        }
    ],
    "4473": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Generic_Threat_d8f834a9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-12 18:40:32"
        }
    ],
    "4474": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Hacktool_DinvokeRust_512d3b59",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-15 20:49:16"
        }
    ],
    "4475": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Ransomware_Makop_3ac2c13c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-10 05:19:02"
        }
    ],
    "4476": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Trojan_Bazar_3a2cc53b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-30 09:30:39"
        }
    ],
    "4477": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Trojan_Bitrat_54916275",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-20 16:31:02"
        }
    ],
    "4478": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Trojan_Clipbanker",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-17 07:50:53"
        }
    ],
    "4479": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Trojan_Diceloader_15eeb7b9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-24 17:51:03"
        }
    ],
    "4480": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Trojan_Fickerstealer_f2159bec",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-11 06:49:06"
        }
    ],
    "4481": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Trojan_Lobshot_013c1b0b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-07-05 10:52:03"
        }
    ],
    "4482": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Trojan_Netwire_f85e4abc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-30 02:56:03"
        }
    ],
    "4483": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Trojan_Pandastealer_8b333e76",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-21 21:48:47"
        }
    ],
    "4484": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_63e7e006",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-16 01:10:03"
        }
    ],
    "4485": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "winoshunter4_0",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "winos rat",
            "last_hit_utc": "2025-11-18 18:46:30"
        }
    ],
    "4486": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_arkei_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-06 11:58:22"
        }
    ],
    "4487": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_aurastealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.aurastealer.",
            "last_hit_utc": "2026-04-02 11:16:15"
        }
    ],
    "4488": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_avaddon_w0",
            "yara_rule_author": "@VK_Intel, modified by @r0ny_123",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1300944441390370819",
            "yara_rule_description": "Detects Avaddon ransomware",
            "last_hit_utc": "2023-03-11 04:19:03"
        }
    ],
    "4489": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_blackcat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.blackcat.",
            "last_hit_utc": "2022-12-20 00:28:03"
        }
    ],
    "4490": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_blister_w0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Blister loader.",
            "last_hit_utc": "2022-05-12 04:08:02"
        }
    ],
    "4491": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_buer_unpacked_w0",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Buer",
            "last_hit_utc": "2023-08-24 08:24:03"
        }
    ],
    "4492": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_buer_unpacked_w0",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "detects Buer.",
            "last_hit_utc": "2021-03-15 19:00:06"
        }
    ],
    "4493": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_buer_w0",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "detects Buer.",
            "last_hit_utc": "2021-03-15 19:00:06"
        }
    ],
    "4494": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_bumblebee",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-27 10:36:05"
        }
    ],
    "4495": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_bumblebee_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.bumblebee.",
            "last_hit_utc": "2022-09-08 15:59:03"
        }
    ],
    "4496": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_coviper_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-08-05 10:35:03"
        }
    ],
    "4497": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_dorkbot_ngrbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.dorkbot_ngrbot.",
            "last_hit_utc": "2026-02-27 13:53:59"
        }
    ],
    "4498": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_doublepulsar_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html",
            "yara_rule_description": "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.",
            "last_hit_utc": "2025-09-15 11:02:46"
        }
    ],
    "4499": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_dridex_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.dridex.",
            "last_hit_utc": "2025-10-01 12:56:52"
        }
    ],
    "4500": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_gazer_w1",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
            "yara_rule_description": "Turla Gazer malware",
            "last_hit_utc": "2025-01-05 17:28:05"
        }
    ],
    "4501": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_grandoreiro_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-05 14:50:14"
        }
    ],
    "4502": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_isfb_a5",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-17 12:00:08"
        }
    ],
    "4503": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_karkoff_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-04 10:18:40"
        }
    ],
    "4504": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_koadic_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.koadic.",
            "last_hit_utc": "2022-09-15 12:31:36"
        }
    ],
    "4505": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_kronos_g0",
            "yara_rule_author": "mak",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-17 10:44:07"
        }
    ],
    "4506": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_kutaki_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.kutaki.",
            "last_hit_utc": "2022-08-05 09:31:04"
        }
    ],
    "4507": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_locky_a0",
            "yara_rule_author": "pnx",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-06-19 18:20:04"
        }
    ],
    "4508": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_maze_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.maze.",
            "last_hit_utc": "2022-01-02 11:39:04"
        }
    ],
    "4509": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_medusalocker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-08-08 17:01:04"
        }
    ],
    "4510": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_mimikatz_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mimikatz.",
            "last_hit_utc": "2024-01-13 03:21:03"
        }
    ],
    "4511": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_mortalkombat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mortalkombat.",
            "last_hit_utc": "2025-11-18 16:01:50"
        }
    ],
    "4512": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_nettraveler_w2",
            "yara_rule_author": "Katie Kleemola",
            "yara_rule_reference": null,
            "yara_rule_description": "Export names for dll component",
            "last_hit_utc": "2020-08-29 12:12:04"
        }
    ],
    "4513": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_neutrino_g1",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-04-25 11:21:51"
        }
    ],
    "4514": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_petrwrap_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.petrwrap.",
            "last_hit_utc": "2025-01-03 19:39:17"
        }
    ],
    "4515": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_petya_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.petya.",
            "last_hit_utc": "2025-08-17 09:19:53"
        }
    ],
    "4516": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_phorpiex_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.phorpiex.",
            "last_hit_utc": "2025-04-26 21:37:09"
        }
    ],
    "4517": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_pikabot",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-07-26 22:15:04"
        }
    ],
    "4518": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_plugx_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.plugx.",
            "last_hit_utc": "2025-01-05 16:20:52"
        }
    ],
    "4519": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_plugx_w2",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": null,
            "yara_rule_description": "PlugX RAT",
            "last_hit_utc": "2023-04-22 07:17:07"
        }
    ],
    "4520": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_polyvice_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.polyvice.",
            "last_hit_utc": "2023-08-01 20:43:03"
        }
    ],
    "4521": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_predator_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-17 15:43:43"
        }
    ],
    "4522": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_remcom_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.remcom.",
            "last_hit_utc": "2024-03-25 12:47:03"
        }
    ],
    "4523": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_ryuk_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.ryuk_stealer.",
            "last_hit_utc": "2021-08-31 23:00:10"
        }
    ],
    "4524": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_sakula_rat_w3",
            "yara_rule_author": "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou",
            "yara_rule_reference": null,
            "yara_rule_description": "Sakula v1.3",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "4525": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_simda_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.simda.",
            "last_hit_utc": "2022-08-31 02:55:03"
        }
    ],
    "4526": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_svcready_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.svcready.",
            "last_hit_utc": "2022-08-18 18:38:08"
        }
    ],
    "4527": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_tinba_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-06-21 05:40:03"
        }
    ],
    "4528": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_tofsee_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-01-24 11:40:05"
        }
    ],
    "4529": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_vawtrak_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-14 19:37:18"
        }
    ],
    "4530": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_wastedlocker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-03-20 12:32:05"
        }
    ],
    "4531": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_wpbrutebot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.wpbrutebot.",
            "last_hit_utc": "2022-05-08 07:15:02"
        }
    ],
    "4532": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_yahoyah_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-05-04 20:58:12"
        }
    ],
    "4533": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_younglotus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.younglotus.",
            "last_hit_utc": "2025-05-29 03:00:23"
        }
    ],
    "4534": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_zebrocy_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-09 12:01:45"
        }
    ],
    "4535": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "win_zloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.zloader.",
            "last_hit_utc": "2021-10-18 15:34:04"
        }
    ],
    "4536": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "with_attachment",
            "yara_rule_author": "Antonio Sanchez <asanchez@hispasec.com>",
            "yara_rule_reference": "http://laboratorio.blogs.hispasec.com/",
            "yara_rule_description": "Rule to detect the presence of one or several attachments",
            "last_hit_utc": "2025-01-05 15:07:15"
        }
    ],
    "4537": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "xRAT",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:50"
        }
    ],
    "4538": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "XWorm_Violet_v5",
            "yara_rule_author": "kirkderp",
            "yara_rule_reference": "https://github.com/kirkderp/yara",
            "yara_rule_description": "XWorm / Violet v5 -- 80+ command RAT with HVNC, keylogger, crypto clipper, USB worm, webcam capture",
            "last_hit_utc": "2026-04-06 09:30:17"
        }
    ],
    "4539": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "Yayih",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Yayih",
            "last_hit_utc": "2025-01-05 17:28:06"
        }
    ],
    "4540": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "YayihStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Yayih Identifying Strings",
            "last_hit_utc": "2025-01-05 17:28:06"
        }
    ],
    "4541": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "ZeuS",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ZeuS",
            "last_hit_utc": "2025-04-28 01:57:58"
        }
    ],
    "4542": [
        {
            "sample_cnt": 4,
            "yara_rule_name": "zip_img_stego",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule attempts to identify ZIP (and JAR, APK, DOCX, etc.) archives embedded within various image filetypes.",
            "last_hit_utc": "2026-01-05 11:30:22"
        }
    ],
    "4543": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ach_CobaltStrike_doc_20200804",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/94c3fcf962bc41cdbe3e2d1942ee15b0/",
            "yara_rule_description": "Detects CobaltStrike DOC",
            "last_hit_utc": "2020-08-05 12:06:53"
        }
    ],
    "4544": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ach_Dofloo",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://bazaar.abuse.ch/sample/087b589c9fd7b934fe9c2a7711795165d8022e101983f9654de89c3125715929/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-03-02 00:59:03"
        }
    ],
    "4545": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ach_Emotet_xls_20221111",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/0df37394acd26f53e28bc2e0ea100316/",
            "yara_rule_description": "Detects Emotet XLS",
            "last_hit_utc": "2022-11-14 07:06:04"
        }
    ],
    "4546": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ach_TrickBot_doc_20200813",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/ad76bbb19d39f64e20eb89b330538828/",
            "yara_rule_description": "Detects TrickBot doc",
            "last_hit_utc": "2020-08-18 10:27:05"
        }
    ],
    "4547": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ach_ZLoader_xls_20200814",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/2e228782196fda1ba41be75b2bcf06bc/",
            "yara_rule_description": "Detects ZLoader XLS",
            "last_hit_utc": "2020-08-16 06:41:08"
        }
    ],
    "4548": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ACProtect14xRISCOsoft",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:08:24"
        }
    ],
    "4549": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ACProtectUltraProtect10X20XRiSco",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:08:24"
        }
    ],
    "4550": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ACProtectv135riscosoftwareIncAnticrackSoftware",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:08:24"
        }
    ],
    "4551": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Ajax_PHP_Command_Shell_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "4552": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "AMSIbypass_CLR_DLL",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "AMSI bypass CLR. https://practicalsecurityanalytics.com/new-amsi-bypss-technique-modifying-clr-dll-in-memory/",
            "last_hit_utc": "2026-03-09 08:33:16"
        }
    ],
    "4553": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT10_HTSrl_signed",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "HT Srl signature using APT10",
            "last_hit_utc": "2022-05-26 07:43:02"
        }
    ],
    "4554": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_APT29_Win_FlipFlop_LDR",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
            "yara_rule_description": "A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.",
            "last_hit_utc": "2026-04-15 11:33:57"
        }
    ],
    "4555": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_APT41_CN_ELF_Speculoos_Backdoor_RID3365",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
            "yara_rule_description": "Detects Speculoos Backdoor used by APT41",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "4556": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_Bitter_Maldoc_Verify",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh",
            "yara_rule_description": "Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)",
            "last_hit_utc": "2025-01-05 15:00:30"
        }
    ],
    "4557": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_HAFNIUM_Forensic_Artefacts_Mar21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
            "yara_rule_description": "Detects forensic artefacts found in HAFNIUM intrusions",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "4558": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_HAFNIUM_Forensic_Artefacts_Mar21_1_RID3463",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
            "yara_rule_description": "Detects forensic artefacts found in HAFNIUM intrusions",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "4559": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_IN_TA397_wmRAT",
            "yara_rule_author": "Proofpoint",
            "yara_rule_reference": "https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats",
            "yara_rule_description": "track wmRAT based on socket usage, odd error handling, and reused strings",
            "last_hit_utc": "2026-02-27 07:45:22"
        }
    ],
    "4560": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_Lazarus_LNK_20211105",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Lazarus Group LNK",
            "last_hit_utc": "2022-09-01 11:05:04"
        }
    ],
    "4561": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_MAL_LNX_RedMenshen_BPFDoor_Controller_Generic_May22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
            "yara_rule_description": "Detects BPFDoor malware",
            "last_hit_utc": "2026-04-25 22:06:32"
        }
    ],
    "4562": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_MAL_UNC4841_SEASPY_Jun23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.talosintelligence.com/alchimist-offensive-framework/",
            "yara_rule_description": "Detects SEASPY malware used by UNC4841 in attacks against Barracuda ESG appliances exploiting CVE-2023-2868",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "4563": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_MAL_Win_BlueLight",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/",
            "yara_rule_description": "The BLUELIGHT malware family. Leverages Microsoft OneDrive for network communications.",
            "last_hit_utc": "2022-12-01 23:01:02"
        }
    ],
    "4564": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_StuxNet_Malware_1_RID2EE8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample - file malware.exe",
            "last_hit_utc": "2025-03-06 22:28:12"
        }
    ],
    "4565": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_Stuxnet_Malware_3_RID2F0A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample - file ~WTR4141.tmp",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "4566": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_Stuxnet_Malware_4_RID2F0B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample",
            "last_hit_utc": "2025-03-06 22:26:08"
        }
    ],
    "4567": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_UNC2447_PS1_WARPRISM_May21_1_RID308C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects WARPRISM PowerShell samples from UNC2447 campaign",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "4568": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_WebShell_Tiny_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1097423665472376832",
            "yara_rule_description": "Detects a tiny webshell involved in the Australian Parliament House network compromise",
            "last_hit_utc": "2025-01-03 23:13:06"
        }
    ],
    "4569": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "APT_WebShell_Tiny_1_RID2DFE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1097423665472376832",
            "yara_rule_description": "Detects a tiny webshell involved in the Australian Parliament House network compromise",
            "last_hit_utc": "2025-01-03 23:13:06"
        }
    ],
    "4570": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "AsCryptv01SToRM1",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-03 20:43:18"
        }
    ],
    "4571": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ASPackv21AlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 10:28:01"
        }
    ],
    "4572": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ASPack_ASPACK",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file ASPACK.EXE",
            "last_hit_utc": "2025-12-05 11:22:16"
        }
    ],
    "4573": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ASPXspy2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Web shell - file ASPXspy2.aspx",
            "last_hit_utc": "2025-01-05 16:42:05"
        }
    ],
    "4574": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ASP_Webshell",
            "yara_rule_author": "@Pro_Integritate",
            "yara_rule_reference": "",
            "yara_rule_description": "Generic ASP Webshell signature",
            "last_hit_utc": "2022-06-14 10:20:04"
        }
    ],
    "4575": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "BadIISModule",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match the strings and instructions found in BadIIS",
            "last_hit_utc": "2025-10-21 17:59:16"
        }
    ],
    "4576": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "blackcat_fcn_00401fa0",
            "yara_rule_author": "Michael Davis",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-12-18 15:18:04"
        }
    ],
    "4577": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Blackcat_Ran_V1",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-12-18 15:18:04"
        }
    ],
    "4578": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "blankgrabber_v1",
            "yara_rule_author": "RandomMalware",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-09 00:53:19"
        }
    ],
    "4579": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "BluenoroffPoS_DLL",
            "yara_rule_author": "http://blog.trex.re.kr/",
            "yara_rule_reference": "http://blog.trex.re.kr/3?category=737685",
            "yara_rule_description": "Bluenoroff POS malware - hkp.dll",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "4580": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Branchlock_Obfuscator",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Branchlock Obfuscator",
            "last_hit_utc": "2025-06-16 15:17:15"
        }
    ],
    "4581": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "BumbleBee",
            "yara_rule_author": "enzo & kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "BumbleBee Payload",
            "last_hit_utc": "2022-09-08 15:59:03"
        }
    ],
    "4582": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CACTUSTORCH",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/mdsecactivebreach/CACTUSTORCH",
            "yara_rule_description": "Detects CactusTorch Hacktool",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "4583": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ccrewMiniasp",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "4584": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "clearlog",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/4pTkGQ",
            "yara_rule_description": "Detects Fireball malware - file clearlog.dll",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "4585": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "clearlog_RID2A5A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/4pTkGQ",
            "yara_rule_description": "Detects Fireball malware - file clearlog_RID2A5A.dll",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "4586": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CN_Honker_smsniff_smsniff",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file smsniff.exe",
            "last_hit_utc": "2023-11-24 22:18:37"
        }
    ],
    "4587": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CN_Honker_Webshell_ASPX_aspx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Webshell from CN Honker Pentest Toolset - file aspx.txt",
            "last_hit_utc": "2025-01-05 16:42:05"
        }
    ],
    "4588": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CN_Toolset_NTscan_PipeCmd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://qiannao.com/ls/905300366/33834c0c/",
            "yara_rule_description": "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "4589": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CobaltStrike_Resources_Httpsstager64_Bin_v3_2_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/httpsstager64.bin signature for versions v3.2 to v4.x",
            "last_hit_utc": "2025-09-18 08:51:58"
        }
    ],
    "4590": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CobaltStrike_Resources_Template_Py_v3_3_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x",
            "last_hit_utc": "2025-10-28 13:44:02"
        }
    ],
    "4591": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CobaltStrike__Resources_Httpsstager64_Bin_v3_2_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-18 08:51:58"
        }
    ],
    "4592": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CobaltStrike__Resources_Template_Py_v3_3_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:44:02"
        }
    ],
    "4593": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CobaltStrike__Sleeve_Beacon_Dll_v4_7_suspected",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-09 23:16:53"
        }
    ],
    "4594": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CobaltStrike__Sleeve_Beacon_x64_v4_1_and_v_4_2",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-04-16 10:56:03"
        }
    ],
    "4595": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Codoso_Gh0st_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT Gh0st Malware",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "4596": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Codoso_Gh0st_3_RID2C2F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT Gh0st Malware",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "4597": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CoreImpact_sysdll_exe_RID2F93",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects a malware sysdll.exe from the Rocket Kitten APT",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "4598": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CosmicDuke",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 09:30:26"
        }
    ],
    "4599": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Cotx_RAT",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
            "yara_rule_description": "Identifies Cotx RAT.",
            "last_hit_utc": "2021-02-24 10:57:59"
        }
    ],
    "4600": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "crime_generic_DLL_exports_Sep2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on malicious DLLs distributed along LNK files in ISO attachments.",
            "last_hit_utc": "2025-06-09 17:39:08"
        }
    ],
    "4601": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "crime_win32_conti_ransom_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "twitter",
            "yara_rule_description": "Detects Conti ransomware v1",
            "last_hit_utc": "2025-01-03 19:48:03"
        }
    ],
    "4602": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CrimsonRAT_Mar18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects CrimsonRAT malware",
            "last_hit_utc": "2021-07-18 07:33:34"
        }
    ],
    "4603": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CVE_2026_21509_RTF_ShellExplorer",
            "yara_rule_author": "Robin Dost",
            "yara_rule_reference": "https://blog.synapticsystems.de/apt28-geofencing-as-a-targeting-signal-cve-2026-21509/",
            "yara_rule_description": "Detect RTF exploiting CVE-2026-21509 via Shell.Explorer.1 OLE object",
            "last_hit_utc": "2026-03-27 10:26:16"
        }
    ],
    "4604": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "CyaxSharp_ReZer0",
            "yara_rule_author": "Max 'Libra' Kersten for McAfee's Advanced Threat Research Team",
            "yara_rule_reference": "This rule was published in combination with the following McAfee ATR blog: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/see-ya-sharp-a-loaders-tale/",
            "yara_rule_description": "Detects CyaX-Sharp/ReZer0 loader samples based on the embedded scheduled task template",
            "last_hit_utc": "2024-01-13 21:07:03"
        }
    ],
    "4605": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "darkComet_",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked darkComet malware samples.",
            "last_hit_utc": "2025-07-03 09:56:18"
        }
    ],
    "4606": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "decoded_PolishBankRAT_fdsvc_strings",
            "yara_rule_author": "Booz Allen Hamilton Dark Labs",
            "yara_rule_reference": null,
            "yara_rule_description": "Finds hard coded strings in PolishBankRAT_fdsvc",
            "last_hit_utc": "2020-10-02 08:29:31"
        }
    ],
    "4607": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Detect_Credit_Card_Form",
            "yara_rule_author": "NCSC-CH / GovCERT",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects credit card submission forms in HTML content",
            "last_hit_utc": "2025-11-16 06:57:18"
        }
    ],
    "4608": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "elf_gobrat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects elf.gobrat.",
            "last_hit_utc": "2025-01-05 16:19:57"
        }
    ],
    "4609": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Emotet_Botnet",
            "yara_rule_author": "Harish Kumar P",
            "yara_rule_reference": null,
            "yara_rule_description": "To Detect Emotet Botnet",
            "last_hit_utc": "2023-01-19 19:44:38"
        }
    ],
    "4610": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Empire_Invoke_Shellcode",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/PowerShellEmpire/Empire",
            "yara_rule_description": "Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1",
            "last_hit_utc": "2025-08-25 08:05:56"
        }
    ],
    "4611": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Empire_Invoke_Shellcode_RID3030",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/PowerShellEmpire/Empire",
            "yara_rule_description": "Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1",
            "last_hit_utc": "2025-08-25 08:05:57"
        }
    ],
    "4612": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Empire_Out_Minidump",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Out-Minidump.ps1",
            "last_hit_utc": "2025-08-29 17:46:49"
        }
    ],
    "4613": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Empire_Out_Minidump_RID2EAC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Out-Minidump.ps1",
            "last_hit_utc": "2025-08-29 17:46:49"
        }
    ],
    "4614": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2025-08-25 08:05:56"
        }
    ],
    "4615": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Enfal",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Enfal",
            "last_hit_utc": "2025-01-05 17:28:02"
        }
    ],
    "4616": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "EnfalStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Enfal Identifying Strings",
            "last_hit_utc": "2025-01-05 17:28:02"
        }
    ],
    "4617": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Enigma_Protector_LazarusSample_RID3326",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/",
            "yara_rule_description": "Detects malware packed with the Enigma protector",
            "last_hit_utc": "2022-09-19 20:22:05"
        }
    ],
    "4618": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2026-03-22 06:23:21"
        }
    ],
    "4619": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2026-03-22 06:23:28"
        }
    ],
    "4620": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld_RID3C05",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2026-03-22 06:23:20"
        }
    ],
    "4621": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_ntevt",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2026-03-22 06:23:20"
        }
    ],
    "4622": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_ntevt_RID3427",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2026-03-22 06:23:20"
        }
    ],
    "4623": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "EXE_Stealer_CryptBot_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:34:40"
        }
    ],
    "4624": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "EXPLOIT_WinRAR_CVE_2023_38831_Aug23",
            "yara_rule_author": "Marius Genheimer @ Falcon Team",
            "yara_rule_reference": "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day",
            "yara_rule_description": "Detects ZIP archives potentially exploiting CVE-2023-38831 in WinRAR",
            "last_hit_utc": "2026-03-04 12:42:18"
        }
    ],
    "4625": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "feklsdfff",
            "yara_rule_author": "tslalovrr",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:17:45"
        }
    ],
    "4626": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "FeliksPack3___PHP_Shells_ssh",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file ssh.php",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "4627": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Feokt",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:48:20"
        }
    ],
    "4628": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Generic_FakeCaptchaPage",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match strings found in JavaScript/HTML used in captcha-styled malware delivery websites",
            "last_hit_utc": "2025-04-11 11:36:12"
        }
    ],
    "4629": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "globalnet_files",
            "yara_rule_author": "vmovupd",
            "yara_rule_reference": "https://twitter.com/vmovupd/status/1722548036839072017",
            "yara_rule_description": "Detect PE files compiled with PyInstaller with AntiDecompilation string. Observed in GlobalNet botnet campaign.",
            "last_hit_utc": "2024-01-31 12:52:04"
        }
    ],
    "4630": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "GlowSpark_Downloader",
            "yara_rule_author": "inquest.net",
            "yara_rule_reference": null,
            "yara_rule_description": "GlowSpark_2nd_Stage_Actinium_Downloader",
            "last_hit_utc": "2026-03-18 10:06:22"
        }
    ],
    "4631": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "GoogleBot_UserAgent",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects the GoogleBot UserAgent String in an Executable",
            "last_hit_utc": "2025-01-03 23:12:32"
        }
    ],
    "4632": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "GoogleBot_UserAgent_RID2E80",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects the GoogleBot UserAgent String in an Executable",
            "last_hit_utc": "2025-01-03 23:12:32"
        }
    ],
    "4633": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "h4ntu_shell__powered_by_tsoi_",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt",
            "last_hit_utc": "2025-10-28 13:44:24"
        }
    ],
    "4634": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HackTool_MSIL_SEATBELT_2",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SeatBelt project.",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "4635": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HawkEye_Keylogger_Feb18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9",
            "yara_rule_description": "Detects HawkEye keylogger variant observed in February 2018",
            "last_hit_utc": "2022-08-20 08:17:03"
        }
    ],
    "4636": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_Certify",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/Certify",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "4637": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_DInvoke",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/TheWover/DInvoke",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2022-10-22 09:27:02"
        }
    ],
    "4638": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_ExploitRemotingService",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/tyranid/ExploitRemotingService",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "4639": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_LockLess",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/LockLess",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "4640": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_PlasmaRAT",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/mwsrc/PlasmaRAT",
            "yara_rule_description": "Detects VB.NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "4641": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_SharpDPAPI",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/SharpDPAPI",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "4642": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_SweetPotato",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/CCob/SweetPotato",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-02-22 18:16:19"
        }
    ],
    "4643": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_The_Collection",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/Tlgyt/The-Collection",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-05 15:26:06"
        }
    ],
    "4644": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_Tokenvator",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/0xbadjuju/Tokenvator",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "4645": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_NET_GUID_ysoserial_net",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/pwntester/ysoserial.net",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "4646": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1",
            "yara_rule_description": "Detects PowerShell Oneliner in Nishang's repository",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "4647": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HKTL_PS1_PowerCat_Mar21_RID2EDD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/besimorhino/powercat",
            "yara_rule_description": "Detects PowerCat hacktool",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "4648": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "hunt_credaccess_cloud_wide_xor",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": null,
            "yara_rule_description": "hunt for the presence of more than 1 known cloud client utility related credential paths",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "4649": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "hunt_redline_stealer",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Search for samples containing certain fingerprints",
            "last_hit_utc": "2023-01-27 16:48:03"
        }
    ],
    "4650": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HUN_APT29_EnvyScout_Jul_2023_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/StopMalvertisin/status/1677192614985228288",
            "yara_rule_description": "Hunting rule to detect possible EnvyScout malware used by the APT29 group by patterns already used in the past",
            "last_hit_utc": "2025-01-05 16:18:00"
        }
    ],
    "4651": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "HydraDexApk_strings",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Hydra Android Banking malware (DEX strings of the malware)",
            "last_hit_utc": "2025-06-16 16:07:13"
        }
    ],
    "4652": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "IcedID_ISO",
            "yara_rule_author": "Ankit Anubhav - ankitanubhav.info",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects IcedID ISO archives",
            "last_hit_utc": "2022-08-23 14:14:04"
        }
    ],
    "4653": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Imphash_Malware_2_TA17_293A_RID302E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-293A",
            "yara_rule_description": "Detects malware based on Imphash of malware used in TA17-293A",
            "last_hit_utc": "2025-12-31 16:54:13"
        }
    ],
    "4654": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "IMPLANT_4_v3_AlternativeRule",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "US CERT Grizzly Steppe Report",
            "yara_rule_description": "Detects a group of different malware samples",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "4655": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_EXE_Packed_DNGuard",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with DNGuard",
            "last_hit_utc": "2022-09-22 22:01:49"
        }
    ],
    "4656": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_EXE_Packed_LLVMLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LLVM obfuscator/loader",
            "last_hit_utc": "2021-02-28 22:48:08"
        }
    ],
    "4657": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_EXE_Packed_NoobyProtect",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with NoobyProtect",
            "last_hit_utc": "2022-07-23 06:43:06"
        }
    ],
    "4658": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_01342592a0010cb1109c11c0519cfd24",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-12-18 16:34:03"
        }
    ],
    "4659": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_01803bc7537a1818c4ab135469963c10",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 14:53:35"
        }
    ],
    "4660": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_01ea62e443cb2250c870ff6bb13ba98e",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-10-20 01:56:04"
        }
    ],
    "4661": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_028aa6e7b516c0d155f15d6290a430e3",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-09-13 09:56:02"
        }
    ],
    "4662": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_0b2b192657b37632518b08a06e201381",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-04-25 20:37:02"
        }
    ],
    "4663": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_0c5396dcb2949c70fac48ab08a07338e",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2025-01-03 22:20:15"
        }
    ],
    "4664": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_0c5396dcb2949c70fac48ab08a07338e",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2022-10-20 17:57:03"
        }
    ],
    "4665": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_0d07705fa0e0c4827cc287cfcdec20c4",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-09-13 16:25:22"
        }
    ],
    "4666": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_2355895f1759e9e3648026f4",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-09-22 18:18:27"
        }
    ],
    "4667": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_28b691272719b1ee",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-09-02 09:41:03"
        }
    ],
    "4668": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_c2cbbd946bc3fdb944d522931d61d51a",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with Sordum Software certificate, particularly Defender Control",
            "last_hit_utc": "2025-01-05 16:54:58"
        }
    ],
    "4669": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_CERT_c2cbbd946bc3fdb944d522931d61d51a",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with Sordum Software certificate, particularly Defender Control",
            "last_hit_utc": "2022-06-21 11:10:04"
        }
    ],
    "4670": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Epsilon",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Epsilon ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "4671": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Ryzerlo",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects files referencing identities associated with Ryzerlo / HiddenTear / RSJON ransomware",
            "last_hit_utc": "2022-09-22 17:48:53"
        }
    ],
    "4672": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Thanos",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Thanos ransomware",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "4673": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_OLE_RemoteTemplate",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents",
            "last_hit_utc": "2022-09-02 11:35:03"
        }
    ],
    "4674": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_RMM_AeroAdmin",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AeroAdmin. Review RMM Inventory",
            "last_hit_utc": "2025-06-16 15:57:19"
        }
    ],
    "4675": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_RMM_Atera_CERT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Atera by certificate. Review RMM Inventory",
            "last_hit_utc": "2025-08-28 13:17:07"
        }
    ],
    "4676": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_PWSH_Downloader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects downloader agent, using PowerShell",
            "last_hit_utc": "2021-02-02 10:58:07"
        }
    ],
    "4677": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_UACBypass_fodhelper",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Windows executables potentially bypassing UAC using fodhelper.exe",
            "last_hit_utc": "2022-06-18 15:54:03"
        }
    ],
    "4678": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_Go_Infostealer_Discord_Generic",
            "yara_rule_author": "Yara Rule Generator",
            "yara_rule_reference": "Internal analysis of decompiled code. Generic version.",
            "yara_rule_description": "Detects a Go-based infostealer that targets Discord tokens by locating the 'Local State' file, decrypting the master key with DPAPI, and exfiltrating tokens.",
            "last_hit_utc": "2026-04-15 11:28:01"
        }
    ],
    "4679": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_IMG_Embedded_Archive",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects images embedding archives. Observed in TheRat RAT.",
            "last_hit_utc": "2022-06-05 16:49:02"
        }
    ],
    "4680": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution",
            "last_hit_utc": "2022-10-11 03:58:04"
        }
    ],
    "4681": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_References_SecurityTools",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing many IR and analysis tools",
            "last_hit_utc": "2021-01-18 15:45:06"
        }
    ],
    "4682": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing virtualization MAC addresses",
            "last_hit_utc": "2022-10-27 16:24:24"
        }
    ],
    "4683": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_SUSPICOIUS_EXE_attrib",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables using attrib with suspicious attributes",
            "last_hit_utc": "2021-08-03 05:47:29"
        }
    ],
    "4684": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_TOOL_CNC_Earthworm",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Earthworm C&C Windows/macOS tool",
            "last_hit_utc": "2022-01-17 13:03:04"
        }
    ],
    "4685": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_TOOL_FScan",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GoGo scan tool",
            "last_hit_utc": "2026-02-13 10:04:22"
        }
    ],
    "4686": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "INDICATOR_TOOL_PWS_LSASS_CreateMiniDump",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CreateMiniDump tool",
            "last_hit_utc": "2025-10-22 13:13:40"
        }
    ],
    "4687": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "infostealer_pony",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-02-08 14:02:30"
        }
    ],
    "4688": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "infostealer_win_mars_stealer_xor_routine",
            "yara_rule_author": null,
            "yara_rule_reference": "https://blog.sekoia.io/mars-a-red-hot-information-stealer/",
            "yara_rule_description": "Identifies samples of Mars Stealer based on the XOR deobfuscation routine.",
            "last_hit_utc": "2025-07-15 23:11:14"
        }
    ],
    "4689": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "irata_b4a_string_ping",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects IRATA Android Malware (B4A Variant)",
            "last_hit_utc": "2025-06-16 16:50:40"
        }
    ],
    "4690": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "irata_b4a_string_responses",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects IRATA Android Malware (B4A Variant)",
            "last_hit_utc": "2025-06-16 16:49:51"
        }
    ],
    "4691": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ironshell_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file ironshell.php.txt",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "4692": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ItsSoEasy_Ransomware_basic",
            "yara_rule_author": "bstnbuck",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect basics of ItsSoEasy Ransomware (Itssoeasy-A)",
            "last_hit_utc": "2025-01-03 20:34:49"
        }
    ],
    "4693": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "JSP_Webshell",
            "yara_rule_author": "@Pro_Integritate",
            "yara_rule_reference": "",
            "yara_rule_description": "Generic JSP Webshell signature",
            "last_hit_utc": "2022-06-14 10:19:02"
        }
    ],
    "4694": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "kutaki",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked kutaki malware samples.",
            "last_hit_utc": "2025-06-21 17:47:14"
        }
    ],
    "4695": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Backdoor_AutoColor",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects AutoColor backdoor.",
            "last_hit_utc": "2025-12-08 18:54:14"
        }
    ],
    "4696": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Cryptominer_Camelot_83550472",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-08 21:55:23"
        }
    ],
    "4697": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Cryptominer_Flystudio_579a3a4d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 19:54:29"
        }
    ],
    "4698": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Cryptominer_Generic_467c4d46",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-08 21:55:24"
        }
    ],
    "4699": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Generic_Threat_f2452362",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-07 06:36:17"
        }
    ],
    "4700": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Hacktool_Cleanlog_3eb725d1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-18 22:56:23"
        }
    ],
    "4701": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Hacktool_Flooder_1cfa95dd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-31 08:23:08"
        }
    ],
    "4702": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Autocolor_18203450",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-08 18:54:14"
        }
    ],
    "4703": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Banload_d5e1c189",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-12-02 17:04:05"
        }
    ],
    "4704": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Gafgyt_27de1106",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 11:57:04"
        }
    ],
    "4705": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Gafgyt_4d81ad42",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-20 19:37:15"
        }
    ],
    "4706": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Gafgyt_83715433",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 11:57:03"
        }
    ],
    "4707": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Gafgyt_f51c5ac3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-14 11:57:04"
        }
    ],
    "4708": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Ladvix_77d184fd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-04-01 18:57:04"
        }
    ],
    "4709": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_0cb1699c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:06"
        }
    ],
    "4710": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_0d73971c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-03 15:47:04"
        }
    ],
    "4711": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_268aac0b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:06"
        }
    ],
    "4712": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_2e3f67a9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:06"
        }
    ],
    "4713": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_3a56423b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:03"
        }
    ],
    "4714": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_4e2246fb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:50:48"
        }
    ],
    "4715": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_6d96ae91",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-22 21:36:03"
        }
    ],
    "4716": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_6e8e9257",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:03"
        }
    ],
    "4717": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_70ef58f1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:06"
        }
    ],
    "4718": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_d5f2abe2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-13 10:23:16"
        }
    ],
    "4719": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_dab39a25",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:03"
        }
    ],
    "4720": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_e43a8744",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-11 09:48:02"
        }
    ],
    "4721": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Mirai_ec591e81",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-11 06:58:01"
        }
    ],
    "4722": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Trojan_Tsunami_d9e6b88e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-13 09:00:36"
        }
    ],
    "4723": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Linux_Worm_Generic_3ff8f75b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:34:57"
        }
    ],
    "4724": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "LNK_Kimsuky_Aug2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LNK files used by North Korean APT Kimsuky",
            "last_hit_utc": "2025-01-11 07:00:02"
        }
    ],
    "4725": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "LNK_plugx_mustang_panda",
            "yara_rule_author": "marsomx",
            "yara_rule_reference": "LNK dropper with embedded archive extraction",
            "yara_rule_description": "Detects LNK files with embedded obfuscated PowerShell scripts that extract and execute embedded payloads",
            "last_hit_utc": "2026-04-07 11:23:21"
        }
    ],
    "4726": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Lockbit3Detect_via_SectionPatterns",
            "yara_rule_author": "InterProbe Malware-Vulnerability Research Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects new Lockbit 3.0 variants",
            "last_hit_utc": "2025-01-05 16:06:10"
        }
    ],
    "4727": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "LockBit3Detect_via_SectionPatterns",
            "yara_rule_author": "InterProbe Malware-Vulnerability Research Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects new LockBit 3.0 variants",
            "last_hit_utc": "2022-07-16 13:50:03"
        }
    ],
    "4728": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "lockbitrule",
            "yara_rule_author": "anonymous",
            "yara_rule_reference": null,
            "yara_rule_description": "all good scripts include rigorous documentation - literally no one",
            "last_hit_utc": "2025-01-05 15:57:47"
        }
    ],
    "4729": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Lockbit_Unpacked",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 07:42:03"
        }
    ],
    "4730": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "LokiBot_Dropper_Packed_R11_Feb18",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5",
            "yara_rule_description": "Auto-generated rule - file scan copy.pdf.r11",
            "last_hit_utc": "2025-09-03 09:32:24"
        }
    ],
    "4731": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MacOS_Backdoor_Kagent_64ca1865",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:31:16"
        }
    ],
    "4732": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MacOS_Backdoor_Keyboardrecord_832f7bac",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:31:22"
        }
    ],
    "4733": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MaksStealer",
            "yara_rule_author": "ShadowOpCode",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MaksStealer main payload",
            "last_hit_utc": "2025-12-10 07:06:29"
        }
    ],
    "4734": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "malware_MalDocinPDF",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunt Maldoc in PDF",
            "last_hit_utc": "2025-02-09 22:35:17"
        }
    ],
    "4735": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "malware_StealthWorker",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "detect StealthWorker",
            "last_hit_utc": "2025-12-06 05:29:18"
        }
    ],
    "4736": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_Alfonoso",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Alfonoso infostealer",
            "last_hit_utc": "2021-05-08 16:47:46"
        }
    ],
    "4737": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_BabyLockerKZ",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BabyLockerKZ",
            "last_hit_utc": "2025-01-03 22:39:11"
        }
    ],
    "4738": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_BlankStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BlankStealer / BlankGrabber / Blank-c Stealer",
            "last_hit_utc": "2025-12-09 00:53:20"
        }
    ],
    "4739": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_CoinMiner03",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects coinmining malware",
            "last_hit_utc": "2022-05-07 14:48:02"
        }
    ],
    "4740": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_CovenantGruntStager",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Covenant Grunt Stager",
            "last_hit_utc": "2025-01-05 14:45:16"
        }
    ],
    "4741": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_DarkVNC",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects DarkVNC",
            "last_hit_utc": "2022-04-27 08:49:03"
        }
    ],
    "4742": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_DLInjector02",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects downloader injector",
            "last_hit_utc": "2022-04-28 02:39:02"
        }
    ],
    "4743": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_EspioLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Espio loader and obfuscator",
            "last_hit_utc": "2025-08-16 21:08:31"
        }
    ],
    "4744": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_Fabookie",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Fabookie / ElysiumStealer",
            "last_hit_utc": "2022-03-24 18:09:06"
        }
    ],
    "4745": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_FirebirdRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Firebird/Hive RAT payload",
            "last_hit_utc": "2022-09-02 15:03:58"
        }
    ],
    "4746": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_Fonix",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Fonix ransomware",
            "last_hit_utc": "2021-01-17 16:07:16"
        }
    ],
    "4747": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_GoBrut",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unknown Go multi-bruteforcer bot (StealthWorker / GoBrut) against multiple systems: QNAP, MagOcart, WordPress, Opencart, Bitrix, Postgres, MySQL, Drupal, Joomla, SSH, FTP, Magento, CPanel",
            "last_hit_utc": "2025-12-06 05:29:18"
        }
    ],
    "4748": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_Leivion",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Leivion",
            "last_hit_utc": "2025-01-05 15:44:24"
        }
    ],
    "4749": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_Leivion",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Leivion",
            "last_hit_utc": "2022-07-15 15:50:02"
        }
    ],
    "4750": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_Macoute",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Macoute",
            "last_hit_utc": "2025-04-24 14:40:19"
        }
    ],
    "4751": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_Osno",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Osno ransomware and infostealer payload",
            "last_hit_utc": "2025-10-28 13:44:47"
        }
    ],
    "4752": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_Quantum",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Quantum locker / ransomware",
            "last_hit_utc": "2022-05-05 13:53:02"
        }
    ],
    "4753": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_Rapid",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Rapid ransomware",
            "last_hit_utc": "2025-01-05 16:54:35"
        }
    ],
    "4754": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_RSJON",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RSJON / Ryzerlo / HiddenTear ransomware",
            "last_hit_utc": "2025-01-05 15:15:20"
        }
    ],
    "4755": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_RSJON",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RSJON / Ryzerlo / HiddenTear ransomware",
            "last_hit_utc": "2022-09-22 17:48:53"
        }
    ],
    "4756": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_RustyStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Rusty / Luca stealer",
            "last_hit_utc": "2025-02-04 20:31:13"
        }
    ],
    "4757": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_ToxicEye",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ToxicEye / TelegramRAT. Observed used as the basis for many infostealers",
            "last_hit_utc": "2026-03-08 16:10:21"
        }
    ],
    "4758": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MALWARE_Win_WSHRATPlugin",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "WSHRAT keylogger plugin payload",
            "last_hit_utc": "2023-09-23 08:04:03"
        }
    ],
    "4759": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Mal_Downloader_Hancitor_DLL_2021",
            "yara_rule_author": "BlackBerry Threat Research Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Hancitor Dynamic-Link Library dropped by trojanised Word documents",
            "last_hit_utc": "2021-09-14 15:02:36"
        }
    ],
    "4760": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MAL_Dropper_Win_Darkside_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
            "yara_rule_description": "Detection for the binary that was used as the dropper leading to DARKSIDE.",
            "last_hit_utc": "2023-04-17 03:34:03"
        }
    ],
    "4761": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MAL_EXPL_Perfctl_Oct24",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/",
            "yara_rule_description": "Detects exploits used in relation with Perfctl malware campaigns",
            "last_hit_utc": "2025-10-28 13:44:44"
        }
    ],
    "4762": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MAL_HawkEye_Keylogger_Gen_Dec18",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/James_inthe_box/status/1072116224652324870",
            "yara_rule_description": "Detects HawkEye Keylogger Reborn",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "4763": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MAL_JS_SocGholish_Mar21_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": "",
            "yara_rule_description": "Triggers on SocGholish JS files",
            "last_hit_utc": "2022-03-04 06:17:04"
        }
    ],
    "4764": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "mal_loader_custom_havoc_x64",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://github.com/HavocFramework/Havoc/blob/1248ff9ecc964325447128ae3ea819f1ad10b790/Teamserver/data/implants/Shellcode/Source/Utils.c",
            "yara_rule_description": "Detects a suspicious hashing algorithm similar (but not equal) to Havoc C2's import hashing with customized salt",
            "last_hit_utc": "2025-01-05 16:06:53"
        }
    ],
    "4765": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "mal_lockbit4_packed_feb24",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/lockbit4-0-evasion-tales/",
            "yara_rule_description": "Detect the packer used by Lockbit4.0",
            "last_hit_utc": "2025-06-25 07:59:29"
        }
    ],
    "4766": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "mal_lockbit4_rc4_win_feb24",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/lockbit4-0-evasion-tales/",
            "yara_rule_description": "Detect the implementation of RC4 Algorithm by Lockbit4.0",
            "last_hit_utc": "2025-06-25 08:15:42"
        }
    ],
    "4767": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MAL_Neshta_Mar20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Neshta malware",
            "last_hit_utc": "2021-04-13 08:10:06"
        }
    ],
    "4768": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MAL_RANSOM_ContiCrypter",
            "yara_rule_author": "James Quinn, Binary Defense",
            "yara_rule_reference": null,
            "yara_rule_description": "Signature for a crypter associated with Conti",
            "last_hit_utc": "2025-12-08 19:02:25"
        }
    ],
    "4769": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MAL_RANSOM_Darkside_May21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/",
            "yara_rule_description": "Detects Darkside Ransomware",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "4770": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MAL_RANSOM_Darkside_May21_1_RID3019",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/",
            "yara_rule_description": "Detects Darkside Ransomware",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "4771": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MAL_ZIP_SocGholish_Mar21_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": "",
            "yara_rule_description": "Triggers on small zip files with typical SocGholish JS files in it",
            "last_hit_utc": "2022-08-04 07:30:04"
        }
    ],
    "4772": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MarioLocker",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MarioLocker Ransomware",
            "last_hit_utc": "2025-01-03 21:34:56"
        }
    ],
    "4773": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Match_indigorose_trueupdate",
            "yara_rule_author": "wonderkun",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-20 11:28:54"
        }
    ],
    "4774": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MauiRansomware",
            "yara_rule_author": "Silas Cutler (Silas@Stairwell.com)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection for Maui Ransomware",
            "last_hit_utc": "2025-06-24 07:12:36"
        }
    ],
    "4775": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Maze",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Maze ransomware in memory or unpacked.",
            "last_hit_utc": "2020-08-20 19:55:10"
        }
    ],
    "4776": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MedusaHydra_packer_key_code",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-25 09:17:27"
        }
    ],
    "4777": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "megacortex_rietspoof",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-02-24 15:41:04"
        }
    ],
    "4778": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "merlin_agent_01",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-25 11:59:15"
        }
    ],
    "4779": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Methodology_Suspicious_Shortcut_LOLcommand",
            "yara_rule_author": "@itsreallynick (Nick Carr)",
            "yara_rule_reference": "https://twitter.com/ItsReallyNick/status/1176601500069576704",
            "yara_rule_description": "Detects possible shortcut usage for .URL persistence",
            "last_hit_utc": "2026-02-09 10:18:09"
        }
    ],
    "4780": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Mimikatz_SampleSet_7",
            "yara_rule_author": "Florian Roth - Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Mimikatz Rule generated from a big Mimikatz sample set",
            "last_hit_utc": "2025-06-16 16:57:08"
        }
    ],
    "4781": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Mimikatz_Samples_2014b_2",
            "yara_rule_author": "Florian Roth with the help of YarGen Rule Generator",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Mimikatz password dumper samples from the second half of 2014",
            "last_hit_utc": "2025-06-16 16:57:07"
        }
    ],
    "4782": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MiniRAT_Gen_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news",
            "yara_rule_description": "Detects Mini RAT malware",
            "last_hit_utc": "2023-01-26 19:19:02"
        }
    ],
    "4783": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "misc_pos",
            "yara_rule_author": "@patrickrolsen",
            "yara_rule_reference": "POS Malware",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:28:03"
        }
    ],
    "4784": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MonsterV2",
            "yara_rule_author": "doomedraven,YungBinary",
            "yara_rule_reference": null,
            "yara_rule_description": "MonsterV2 Payload",
            "last_hit_utc": "2025-11-21 19:16:21"
        }
    ],
    "4785": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Msfpayloads_msf_3_RID2DCB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.psh",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "4786": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Msfpayloads_msf_psh",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf-psh.vba",
            "last_hit_utc": "2026-02-22 18:17:27"
        }
    ],
    "4787": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "msxls_zloader_formula_ptg_ref_num_op_count",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Finding XLS2003 documents with a large number of PtgRef->PtgNum->PtgOperator entries",
            "last_hit_utc": "2020-08-11 20:00:12"
        }
    ],
    "4788": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Multi_Hacktool_Gsocket_761d3a0f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-01 07:41:17"
        }
    ],
    "4789": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Multi_Ransomware_BlackCat_aaf312c3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-12-18 15:18:04"
        }
    ],
    "4790": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Multi_Ransomware_RansomHub_4a8a07cd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:18:53"
        }
    ],
    "4791": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "MyWScript_CompiledScript",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a script with default name Mywscript compiled with Script2Exe (can also be a McAfee tool https://community.mcafee.com/docs/DOC-4124)",
            "last_hit_utc": "2022-08-19 15:07:03"
        }
    ],
    "4792": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "nAspyUpdate",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "nAspyUpdate",
            "last_hit_utc": "2025-04-27 22:53:07"
        }
    ],
    "4793": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "nAspyUpdateStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "nAspyUpdate Identifying Strings",
            "last_hit_utc": "2025-04-27 22:53:07"
        }
    ],
    "4794": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "NETDIC208_NOCEX",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:57:02"
        }
    ],
    "4795": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "NETDIC_208",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:57:02"
        }
    ],
    "4796": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "newloader_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d",
            "yara_rule_description": "Unknown loader",
            "last_hit_utc": "2021-02-25 15:09:11"
        }
    ],
    "4797": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "njRat_suspicious_functionality_and_dropped_payloads",
            "yara_rule_author": "R4ruk",
            "yara_rule_reference": "https://sidequest-lab.com/2025/09/07/njrat-part-2-c2-command-investigation/",
            "yara_rule_description": "Matches NjRat payload with strings representing rat functionality calls or payloads delivered.",
            "last_hit_utc": "2025-10-09 14:18:42"
        }
    ],
    "4798": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Nokoyawa_ransomware",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect_Nokoyawa_ransomware",
            "last_hit_utc": "2025-06-24 07:12:32"
        }
    ],
    "4799": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "NSFree",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "NSFree",
            "last_hit_utc": "2025-09-11 21:02:28"
        }
    ],
    "4800": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "NSFreeStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "NSFree Identifying Strings",
            "last_hit_utc": "2025-09-11 21:02:28"
        }
    ],
    "4801": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "NsPack14byNorthStarLiuXingPing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:39:09"
        }
    ],
    "4802": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "NsPacKV34V35LiuXingPing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:00:40"
        }
    ],
    "4803": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Office_OLE_DDEAUTO",
            "yara_rule_author": "NVISO Labs",
            "yara_rule_reference": "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/",
            "yara_rule_description": "Detects DDE in MS Office documents",
            "last_hit_utc": "2021-07-01 11:18:54"
        }
    ],
    "4804": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Oilrig_IntelSecurityManager_macro",
            "yara_rule_author": "Eyal Sela (slightly modified by Florian Roth)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects OilRig malware",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "4805": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "OilRig_Malware_Campaign_Gen1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/QMRZ8K",
            "yara_rule_description": "Detects malware from OilRig Campaign",
            "last_hit_utc": "2020-08-30 21:40:20"
        }
    ],
    "4806": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "OpCloudHopper_Malware_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects malware from Operation Cloud Hopper",
            "last_hit_utc": "2022-12-26 19:32:03"
        }
    ],
    "4807": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "OpCloudHopper_Malware_5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects malware from Operation Cloud Hopper",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "4808": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "OpCloudHopper_Malware_5_RID2FF1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects Operation CloudHopper malware samples",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "4809": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "osx_manuscrypt_w0",
            "yara_rule_author": "AT&T Alien Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:50:08"
        }
    ],
    "4810": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "pdb",
            "yara_rule_author": "@stvemillertime",
            "yara_rule_reference": null,
            "yara_rule_description": "Searching for PE files with PDB path keywords, terms or anomalies.",
            "last_hit_utc": "2025-01-05 14:50:29"
        }
    ],
    "4811": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Persistence_Agent_MacOS",
            "yara_rule_author": "John Lambert @JohnLaTwC",
            "yara_rule_reference": "https://ghostbin.com/paste/mz5nf",
            "yara_rule_description": "Detects a Python agent that establishes persistence on macOS",
            "last_hit_utc": "2026-03-23 06:31:16"
        }
    ],
    "4812": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PESpinv04x",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 23:04:43"
        }
    ],
    "4813": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Petya",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Petya Payload",
            "last_hit_utc": "2023-06-09 08:09:13"
        }
    ],
    "4814": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PEzor_x64_Release",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match the PEzor packer (release; x64)",
            "last_hit_utc": "2025-02-20 18:50:08"
        }
    ],
    "4815": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PEzor_x86_Release",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match the PEzor packer (release; x86)",
            "last_hit_utc": "2025-03-07 20:10:18"
        }
    ],
    "4816": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PickleOrNot",
            "yara_rule_author": "Eoin Wickens - Eoin@HiddenLayer.com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Pickle files with dangerous c_builtins or non standard module imports. These are indicators of possible malicious intent",
            "last_hit_utc": "2025-01-03 21:03:48"
        }
    ],
    "4817": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PlugX_J16_Gen_RID2B8A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "MISP 3954",
            "yara_rule_description": "Detects PlugX Malware samples from June 2016",
            "last_hit_utc": "2022-10-20 20:04:03"
        }
    ],
    "4818": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PoisonIvy_Sample_6",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects PoisonIvy RAT sample set",
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "4819": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PoisonIvy_Sample_6_RID2E17",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects PoisonIvy RAT sample set",
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "4820": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PoseidonGroup_Malware",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/",
            "yara_rule_description": "Detects Poseidon Group Malware",
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "4821": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PrivateexeProtector20SetiSoftTeam",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:09:07"
        }
    ],
    "4822": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_31F4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys",
            "last_hit_utc": "2025-01-03 19:10:49"
        }
    ],
    "4823": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Qakbot_WSF_loader",
            "yara_rule_author": "Ankit Anubhav -ankitanubhav.info",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a WSF loader used to deploy Qakbot DLL",
            "last_hit_utc": "2025-01-05 15:41:45"
        }
    ],
    "4824": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "qbot_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/b89d7454-403c-4c81-95db-7ecbba38eb02",
            "yara_rule_description": "Qbot Qakbot",
            "last_hit_utc": "2021-05-08 21:34:32"
        }
    ],
    "4825": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "QuarksPwDump_Gen",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects all QuarksPWDump versions",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "4826": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Quasar_RAT_Jan18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
            "yara_rule_description": "Detects Quasar RAT",
            "last_hit_utc": "2021-07-23 00:59:24"
        }
    ],
    "4827": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "r57shell_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file r57shell.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:02"
        }
    ],
    "4828": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RaccoonStealerV2",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RecordBreaker, Raccoon Stealer 2.0",
            "last_hit_utc": "2025-06-03 22:21:30"
        }
    ],
    "4829": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Ramnit",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Ramnit Payload",
            "last_hit_utc": "2022-08-23 15:22:03"
        }
    ],
    "4830": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RansomWare_GermanWiper",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": "https://twitter.com/r3c0nst/status/1158326526766657538",
            "yara_rule_description": "Detects RansomWare GermanWiper in Memory or in unpacked state",
            "last_hit_utc": "2025-01-05 16:54:35"
        }
    ],
    "4831": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Ransomware_ServicioPublico_Chile",
            "yara_rule_author": "German Fernandez | CronUp - Cyber Threat Intelligence",
            "yara_rule_reference": "https://twitter.com/SERNAC/status/1562872175068975105",
            "yara_rule_description": "Regla Yara para detectar ARCrypt Ransomware (tambi\u00e9n conocido como Chile Locker)",
            "last_hit_utc": "2022-11-17 02:20:03"
        }
    ],
    "4832": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ransom_conti",
            "yara_rule_author": "Christiaan Beek @ McAfee ATR",
            "yara_rule_reference": "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
            "yara_rule_description": "Conti ransomware has the capability to scan and encrypt over the network",
            "last_hit_utc": "2022-02-21 15:30:10"
        }
    ],
    "4833": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ransom_conti",
            "yara_rule_author": "McAfee ATR team",
            "yara_rule_reference": "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
            "yara_rule_description": "Conti ransomware has the capability to scan and encrypt over the network",
            "last_hit_utc": "2023-03-21 05:01:02"
        }
    ],
    "4834": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ransom_Linux_HelloKitty_0721",
            "yara_rule_author": "Christiaan @ ATR",
            "yara_rule_reference": "",
            "yara_rule_description": "rule to detect Linux variant of the Hello Kitty Ransomware",
            "last_hit_utc": "2021-08-14 14:08:04"
        }
    ],
    "4835": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Ransom_LockerGoga_Mar19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
            "yara_rule_description": "Detects LockerGoga ransomware binaries",
            "last_hit_utc": "2024-06-11 10:49:04"
        }
    ],
    "4836": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Ransom_LockerGoga_Mar19_1_RID3037",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
            "yara_rule_description": "Detects LockerGoga ransomware binaries",
            "last_hit_utc": "2024-06-11 10:49:04"
        }
    ],
    "4837": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Ransom_Ryuk_sept2020",
            "yara_rule_author": "McAfe ATR",
            "yara_rule_reference": null,
            "yara_rule_description": "Detecting latest Ryuk samples",
            "last_hit_utc": "2020-10-31 18:20:13"
        }
    ],
    "4838": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RANSOM_win_Adhubllka",
            "yara_rule_author": "KrknSec",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka",
            "yara_rule_description": "Detects Adhubllka ransomware.",
            "last_hit_utc": "2023-03-14 18:49:13"
        }
    ],
    "4839": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RAN_ALPHV_Apr_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect AlphV ransomware (Rust version)",
            "last_hit_utc": "2022-12-18 15:18:04"
        }
    ],
    "4840": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RAN_Crylock_July_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/BushidoToken/status/1415958829318217730",
            "yara_rule_description": "Detect CryLock ransomware (ex-Cryakl)",
            "last_hit_utc": "2025-01-03 21:41:29"
        }
    ],
    "4841": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RAN_Maui_Jul_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Maui ransomware",
            "last_hit_utc": "2025-06-24 07:12:36"
        }
    ],
    "4842": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RAN_Nokoyawa_Dec_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust",
            "yara_rule_description": "Detect the rust variant of Nokoyawa ransomware (x64)",
            "last_hit_utc": "2025-06-24 07:12:33"
        }
    ],
    "4843": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Ran_OnyxLocker_Nov_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/Kangxiaopao/status/1328614320016560128",
            "yara_rule_description": "Detect OnyxLocker ransomware",
            "last_hit_utc": "2022-09-21 04:05:41"
        }
    ],
    "4844": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RAT_Plasma",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Plasma",
            "yara_rule_description": "Detects Plasma RAT",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "4845": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RAT_ToxicEye_StringsA",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse/signature/toxiceye/",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-08 16:10:22"
        }
    ],
    "4846": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RAT_ToxicEye_StringsW",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse/signature/toxiceye/",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-08 16:10:22"
        }
    ],
    "4847": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Redline_Stealer_10032022",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RedLine Stealer",
            "last_hit_utc": "2022-03-14 13:56:32"
        }
    ],
    "4848": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "redline_win_generic",
            "yara_rule_author": "_kphi",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:47:03"
        }
    ],
    "4849": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Regin_Related_Malware_RID2F4E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Malware Sample - maybe Regin related",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "4850": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "revil_linux",
            "yara_rule_author": "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>",
            "yara_rule_reference": "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version",
            "yara_rule_description": "Detects the Linux version of REvil Ransomware with ESXI capabilities",
            "last_hit_utc": "2025-06-06 05:32:58"
        }
    ],
    "4851": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "revil_linux",
            "yara_rule_author": "Marius 'f0wL' Genheimer, https://dissectingmalwa.re",
            "yara_rule_reference": "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version",
            "yara_rule_description": "Detects the Linux version of REvil Ransomware with ESXI capabilities",
            "last_hit_utc": "2025-06-06 05:32:58"
        }
    ],
    "4852": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RhadamanthysLoader",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Rhadamanthys Loader",
            "last_hit_utc": "2026-03-02 07:54:19"
        }
    ],
    "4853": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "rig_win64_xmrig_6_13_1_config",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "rig_win64 - file config.json",
            "last_hit_utc": "2025-12-04 07:48:21"
        }
    ],
    "4854": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RoyalRoad_code_pattern3",
            "yara_rule_author": "neo_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2021-04-28 16:32:14"
        }
    ],
    "4855": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RoyalRoad_encode_in_RTF",
            "yara_rule_author": "neo_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2021-04-06 18:03:10"
        }
    ],
    "4856": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RoyalRoad_RTF",
            "yara_rule_author": "neo_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2021-04-28 16:32:14"
        }
    ],
    "4857": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RoyalRoad_RTF_v7",
            "yara_rule_author": "neo_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2021-04-06 18:03:10"
        }
    ],
    "4858": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "RUAG_APT_Malware_Gen3_RID2E58",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects malware used in the RUAG APT case",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "4859": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ScanBox_Malware_Generic",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "4860": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "scrubcrypt",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "ScrubCrypt Loader/Packer",
            "last_hit_utc": "2023-08-03 15:05:03"
        }
    ],
    "4861": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "shellbot_pl",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file shellbot.pl.txt",
            "last_hit_utc": "2025-11-12 17:23:23"
        }
    ],
    "4862": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Sig_RemoteAdmin_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects strings from well-known APT malware",
            "last_hit_utc": "2025-01-03 22:54:55"
        }
    ],
    "4863": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "4864": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SimplePackV11XV12XMethod1bagie",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 10:33:42"
        }
    ],
    "4865": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "snake_ransomware",
            "yara_rule_author": "McAfee ATR Team",
            "yara_rule_reference": "https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/",
            "yara_rule_description": "Rule to detect Snake ransomware",
            "last_hit_utc": "2024-01-03 10:41:22"
        }
    ],
    "4866": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "sodinokibi_2020_06_10",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-11-16 23:47:03"
        }
    ],
    "4867": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Sodinokobi",
            "yara_rule_author": "McAfee ATR team",
            "yara_rule_reference": "",
            "yara_rule_description": "This rule detects Sodinokobi Ransomware in memory in old samples and perhaps future ones.",
            "last_hit_utc": "2023-11-16 23:40:03"
        }
    ],
    "4868": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "sql_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file sql.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "4869": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "StrelaStealer",
            "yara_rule_author": "@hackNpatch@infosec.exchange",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-18 13:07:38"
        }
    ],
    "4870": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "StuxNet_Malware_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample - file malware.exe",
            "last_hit_utc": "2025-03-06 22:28:12"
        }
    ],
    "4871": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Stuxnet_Malware_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample - file ~WTR4141.tmp",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "4872": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Stuxnet_Malware_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample",
            "last_hit_utc": "2025-03-06 22:26:08"
        }
    ],
    "4873": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Suspicious_OneNote",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects OneNote documents with FileDataStoreObject structure containing: PE32, shortcut files (*.lnk), encoded JS, Windows Help File (*.chm), or batch script",
            "last_hit_utc": "2025-01-05 15:47:49"
        }
    ],
    "4874": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "suspicious_powershell_winword",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-04 10:16:26"
        }
    ],
    "4875": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "suspicious_telegram_bot",
            "yara_rule_author": "dieplhn.95",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-20 14:01:07"
        }
    ],
    "4876": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_Disable_ETW_Jun20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3",
            "yara_rule_description": "Detects method to disable ETW in ENV vars before executing a program",
            "last_hit_utc": "2026-01-30 08:13:27"
        }
    ],
    "4877": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_DOTNET_PE_Download_To_SpecialFolder",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a .NET Binary that downloads further payload and retrieves a special folder",
            "last_hit_utc": "2025-08-28 21:51:35"
        }
    ],
    "4878": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_ELF_Tor_Client",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects VPNFilter malware",
            "last_hit_utc": "2026-03-23 16:22:15"
        }
    ],
    "4879": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_ELF_Tor_Client_RID2DE4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ELF Linux Tor client",
            "last_hit_utc": "2026-03-23 16:22:15"
        }
    ],
    "4880": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Susp_Indicators_EXE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://pastebin.com/8qaiyPxs",
            "yara_rule_description": "Detects packed NullSoft Inst EXE with characteristics of NetWire RAT",
            "last_hit_utc": "2025-01-05 15:32:23"
        }
    ],
    "4881": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_LNX_SH_CryptoMiner_Indicators_Dec20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/",
            "yara_rule_description": "Detects helper script used in a crypto miner campaign",
            "last_hit_utc": "2023-01-16 11:31:02"
        }
    ],
    "4882": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_MyWScript_RID2C4D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects files generated with Script2Exe",
            "last_hit_utc": "2022-08-19 15:07:03"
        }
    ],
    "4883": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_Netsh_PortProxy_Command",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy",
            "yara_rule_description": "Detects a suspicious command line with netsh and the portproxy command",
            "last_hit_utc": "2022-06-23 02:19:02"
        }
    ],
    "4884": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_Netsh_PortProxy_Command",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy",
            "yara_rule_description": "Detects a suspicious command line with netsh and the portproxy command",
            "last_hit_utc": "2025-10-28 13:45:12"
        }
    ],
    "4885": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_OneNote_Embedded_FileDataStoreObject_Type_Jan23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.didierstevens.com/",
            "yara_rule_description": "Detects suspicious embedded file types in OneNote files",
            "last_hit_utc": "2025-01-05 15:47:49"
        }
    ],
    "4886": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_RDP_File_Indicators_Oct24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/",
            "yara_rule_description": "Detects characteristics found in malicious RDP files used as email attachments in spear phishing campaigns",
            "last_hit_utc": "2025-04-11 06:40:11"
        }
    ],
    "4887": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_Scheduled_Task_BigSize_RID314A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspiciously big scheduled task XML file as seen in combination with embedded base64 encoded PowerShell code",
            "last_hit_utc": "2026-02-27 11:02:16"
        }
    ],
    "4888": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SUSP_THOR_Unsigned_Oct23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects unsigned version of THOR scanner, which could be a backdoored / modified version of the scanner",
            "last_hit_utc": "2025-12-07 21:12:14"
        }
    ],
    "4889": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "SystemBC",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://news.sophos.com/en-us/2020/12/16/systembc/",
            "yara_rule_description": "Identifies SystemBC RAT.",
            "last_hit_utc": "2021-07-13 13:58:44"
        }
    ],
    "4890": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "TA17_293A_malware_1",
            "yara_rule_author": "US-CERT Code Analysis Team (modified by Florian Roth)",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-293A",
            "yara_rule_description": "inveigh pen testing tools & related artifacts",
            "last_hit_utc": "2025-11-05 08:22:45"
        }
    ],
    "4891": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "telnetd_pl",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file telnetd.pl.txt",
            "last_hit_utc": "2025-11-12 17:23:23"
        }
    ],
    "4892": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "testGozi",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Gozi",
            "last_hit_utc": "2022-04-24 06:10:04"
        }
    ],
    "4893": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "test_something_rule",
            "yara_rule_author": "test",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-20 14:01:07"
        }
    ],
    "4894": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ThemidaWinLicenseV18XV19XOreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-21 18:43:05"
        }
    ],
    "4895": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "tool_3proxy_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "http://3proxy.ru/",
            "yara_rule_description": "3Proxy tiny proxy server",
            "last_hit_utc": "2025-01-03 19:50:27"
        }
    ],
    "4896": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "troj_win_hancitor",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Microsoft Word documents using a technique commonly found to deploy Hancitor or H1N1 downloaders",
            "last_hit_utc": "2025-05-07 04:36:11"
        }
    ],
    "4897": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Unidentified_Malware_Two",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "Unidentified Implant by APT29",
            "last_hit_utc": "2025-10-28 13:45:15"
        }
    ],
    "4898": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Unit78020_Malware_Gen3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://threatconnect.com/camerashy/?utm_campaign=CameraShy",
            "yara_rule_description": "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "4899": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Unit78020_Malware_Gen3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://threatconnect.com/camerashy/?utm_campaign=CameraShy",
            "yara_rule_description": "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "4900": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Unit78020_Malware_Gen3_RID2E86",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://threatconnect.com/camerashy/?utm_campaign=CameraShy",
            "yara_rule_description": "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "4901": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "universal_1337_stealer_serveur",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "Universal 1337 Stealer Serveur",
            "last_hit_utc": "2025-06-16 16:48:04"
        }
    ],
    "4902": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "unknown_stealer_2",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Unknown Stealer Payload",
            "last_hit_utc": "2023-10-08 09:34:03"
        }
    ],
    "4903": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Unspecified_Malware_Jul17_2C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/CX3KaY",
            "yara_rule_description": "Unspecified Malware - CN relation",
            "last_hit_utc": "2020-12-19 01:36:25"
        }
    ],
    "4904": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Unspecified_Malware_Oct16_A",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an unspecified malware - October 2016",
            "last_hit_utc": "2026-04-23 08:36:37"
        }
    ],
    "4905": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "UPXV194MarkusOberhumerLaszloMolnarJohnReiser",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:20:16"
        }
    ],
    "4906": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "VPNFilter",
            "yara_rule_author": "Christiaan Beek @ McAfee Advanced Threat Research",
            "yara_rule_reference": "https://blog.talosintelligence.com/2018/05/VPNFilter.html",
            "yara_rule_description": "Filter for 2nd stage malware used in VPNfilter attack",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "4907": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "VxCIHVersion12TTITWIN95CIH",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-19 08:14:08"
        }
    ],
    "4908": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "warfiles_cmd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://laudanum.inguardians.com/",
            "yara_rule_description": "Laudanum Injector Tools - file cmd.jsp",
            "last_hit_utc": "2025-04-27 12:13:09"
        }
    ],
    "4909": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "4910": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "4911": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_2_520_icesword_job_ma1_ma4_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp",
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "4912": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_2_520_icesword_job_ma1_ma4_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp",
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "4913": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_2_520_icesword_job_ma1_ma4_2_RID3477",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp",
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "4914": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp",
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "4915": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp",
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "4916": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2_RID369B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp",
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "4917": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_2_520_job_ma1_ma4_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp",
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "4918": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_2_520_job_ma1_ma4_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp",
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "4919": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_2_520_job_ma1_ma4_2_RID30B8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp",
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "4920": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_Ajax_PHP_Command_Shell_php_RID348D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "4921": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_and_Exploit_CN_APT_HK",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshell and Exploit Code in relation with APT against Hong Kong protesters",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "4922": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_and_Exploit_CN_APT_HK",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshell and Exploit Code in relation with APT against Hong Kong protesters",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "4923": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_and_Exploit_CN_APT_HK_RID3243",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshell and Exploit Code in relation with APT against Hong Kong protesters",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "4924": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WEBSHELL_ASPX_reGeorgTunnel",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx",
            "yara_rule_description": "variation on reGeorgtunnel",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "4925": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_b374k_str",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshell b374k",
            "last_hit_utc": "2025-06-16 15:19:33"
        }
    ],
    "4926": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_c99madshell_v2_RID2FCC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "4927": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_c99shell_v1_0_99_RID2FF9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "4928": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_c99_locus7s",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file c99_locus7s.php",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "4929": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_c99_locus7s",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file c99_locus7s.php",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "4930": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_c99_locus7s_RID2E8A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file c99_locus7s.php",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "4931": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_caidao_shell_guo",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file guo.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "4932": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_caidao_shell_guo",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file guo.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "4933": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_caidao_shell_guo_RID3128",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file guo.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "4934": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_Generic_PHP_5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files ex0shell.php, megabor.php, GRP WebShell 2.0 release build 2018 (C)2006,Great.php",
            "last_hit_utc": "2026-02-28 16:03:17"
        }
    ],
    "4935": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_h4ntu_shell__powered_by_tsoi__RID367B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "4936": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_ironshell_php_RID301D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file ironshell.php.txt",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "4937": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_JFolder_Leo_RID2ECB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects Web Shell from tennc webshell repo",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "4938": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_jsp_cmd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file cmd.jsp",
            "last_hit_utc": "2026-02-18 16:31:17"
        }
    ],
    "4939": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_jsp_cmd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file cmd.jsp",
            "last_hit_utc": "2026-02-18 16:31:17"
        }
    ],
    "4940": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_jsp_reverse_jsp_reverse_jspbd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "4941": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_jsp_reverse_jsp_RID30FA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "4942": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_phpspy_2006_arabicspy_RID328E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php",
            "last_hit_utc": "2025-11-25 20:48:18"
        }
    ],
    "4943": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_php_encoded_big",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "PHP webshell using some kind of eval with encoded blob to decode",
            "last_hit_utc": "2021-12-24 19:41:03"
        }
    ],
    "4944": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_php_gzinflated",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "PHP webshell which directly eval()s obfuscated string",
            "last_hit_utc": "2022-05-11 00:13:02"
        }
    ],
    "4945": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_qsd_php_backdoor",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file qsd-php-backdoor.php",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "4946": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_qsd_php_backdoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file qsd-php-backdoor.php",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "4947": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_r577_php_php_SnIpEr_2_RID322A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "4948": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_r577_php_RID2D62",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "4949": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_r577_php_spy_2_RID2FAE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "4950": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "4951": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "4952": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_r57shell127_r57_kartal_r57",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "4953": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_r57shell127_r57_kartal_r57",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "4954": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_r57shell127_r57_kartal_r57_RID338E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "4955": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_r57shell_antichat_RID3147",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "4956": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_simattacker",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file simattacker.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "4957": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_simattacker",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file simattacker.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "4958": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "4959": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "4960": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php_RID3D96",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "4961": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_SpecialShell_99b_RID3092",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "4962": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_SpecialShell_99_php_php_a_RID343E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "4963": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_SpecialShell_99_php_php_c100_php_RID3678",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "4964": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_sql_php_php_RID2F44",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file sql.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "4965": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_telnetd_pl_RID2ED1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file telnetd.pl.txt",
            "last_hit_utc": "2025-11-12 17:23:23"
        }
    ],
    "4966": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_warfiles_cmd_RID2F96",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://laudanum.inguardians.com/",
            "yara_rule_description": "Laudanum Injector Tools - file cmd.jsp",
            "last_hit_utc": "2025-04-27 12:13:09"
        }
    ],
    "4967": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "webshell_webshells_new_JSP",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file JSP.jsp",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "4968": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_webshells_new_php5_RID31F4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file php5.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "4969": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Webshell_webshell_cnseay02_1_RID31D0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file webshell-cnseay02-1.php",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "4970": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "4971": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "4972": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WebShell__findsock_php_findsock_shell_php_reverse_shell_RID3D7D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "4973": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WiltedTulip_Windows_UM_Task",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects a Windows scheduled task as used in Operation Wilted Tulip",
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "4974": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WiltedTulip_Windows_UM_Task_RID31C5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects a Windows scheduled task as used in Operation Wilted Tulip",
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "4975": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Win32_PUA_Domaiq",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Domaiq potentially unwanted application.",
            "last_hit_utc": "2022-07-16 08:06:03"
        }
    ],
    "4976": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Win32_Ransomware_DarkSide",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects DarkSide ransomware.",
            "last_hit_utc": "2025-01-03 19:39:06"
        }
    ],
    "4977": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Win32_Ransomware_LockBit",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects LockBit ransomware.",
            "last_hit_utc": "2022-06-30 11:57:05"
        }
    ],
    "4978": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win32_redline_stealer",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting RedLine Stealer malware",
            "last_hit_utc": "2025-08-31 12:16:38"
        }
    ],
    "4979": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Credentials_Editor",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.ampliasecurity.com/research/windows-credentials-editor/",
            "yara_rule_description": "Identifies Windows Credentials Editor (WCE), post-exploitation tool.",
            "last_hit_utc": "2025-02-07 05:58:11"
        }
    ],
    "4980": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Cryptominer_Generic_dd1e4d1a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 19:54:30"
        }
    ],
    "4981": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Exploit_Dcom_7a1bcec7",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "4982": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Exploit_Dcom_7a1bcec7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "4983": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Generic_Threat_491a8310",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 15:40:33"
        }
    ],
    "4984": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Generic_Threat_66142106",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-15 04:01:20"
        }
    ],
    "4985": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Generic_Threat_acf6222b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-08 14:04:17"
        }
    ],
    "4986": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Generic_Threat_b2a054f8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 09:42:34"
        }
    ],
    "4987": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Hacktool_Certify_ffe1cca2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 13:08:36"
        }
    ],
    "4988": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Ransomware_Maui_266dea64",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-24 07:12:37"
        }
    ],
    "4989": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Ransomware_WannaCry_d9855102",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-13 21:36:44"
        }
    ],
    "4990": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Amadey_c4df8d4a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 04:21:23"
        }
    ],
    "4991": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Babble_0d6c9505",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-01 15:39:12"
        }
    ],
    "4992": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_d00573a3",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Screenshot module from Cobalt Strike",
            "last_hit_utc": "2026-03-29 16:34:21"
        }
    ],
    "4993": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_ee756db7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Attempts to detect Cobalt Strike based on strings found in BEACON",
            "last_hit_utc": "2022-10-30 18:15:04"
        }
    ],
    "4994": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_f0b627fc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule for beacon reflective loader",
            "last_hit_utc": "2022-11-17 14:02:30"
        }
    ],
    "4995": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Emotet_18379a8d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-11 11:47:30"
        }
    ],
    "4996": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Emotet_1943bbf2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-11 11:47:30"
        }
    ],
    "4997": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Formbook_999a203e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 15:17:43"
        }
    ],
    "4998": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Metasploit_38b8ceec",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).",
            "last_hit_utc": "2022-11-10 06:25:02"
        }
    ],
    "4999": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Metasploit_46e1c247",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-09 19:15:25"
        }
    ],
    "5000": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Metasploit_7bc0f998",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies the API address lookup function leveraged by metasploit shellcode",
            "last_hit_utc": "2022-11-05 10:54:03"
        }
    ],
    "5001": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_MyloBot_a895174a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-06 07:07:18"
        }
    ],
    "5002": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Netwire_6a7df287",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-23 21:25:04"
        }
    ],
    "5003": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Qbot_3074a8d4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-11-28 09:24:57"
        }
    ],
    "5004": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Qbot_92c67a6d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-11-28 09:24:57"
        }
    ],
    "5005": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Raccoon_58091f64",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:39:11"
        }
    ],
    "5006": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Raccoon_af6decc6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:39:12"
        }
    ],
    "5007": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Rhadamanthys_c4760266",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-15 09:43:02"
        }
    ],
    "5008": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_RoningLoader_a4e851ac",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-15 19:36:15"
        }
    ],
    "5009": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Sliver_1dd6d9c2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-31 23:21:18"
        }
    ],
    "5010": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_Smokeloader_de52ed44",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-29 07:02:37"
        }
    ],
    "5011": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_SourShark_f0247cce",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-05 08:10:30"
        }
    ],
    "5012": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_Trojan_WarmCookie_7d32fa90",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/dipping-into-danger",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:01:22"
        }
    ],
    "5013": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_VulnDriver_Amifldrv_e387d5ad",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 07:03:38"
        }
    ],
    "5014": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_VulnDriver_Cpuz_a53d1446",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Name: cpuz.sys, Version: 1.0.4.3",
            "last_hit_utc": "2023-05-23 15:45:03"
        }
    ],
    "5015": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_VulnDriver_RtCore_4eeb2ce5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:59:50"
        }
    ],
    "5016": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Windows_VulnDriver_TrueSight_7429ac81",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-16 02:38:14"
        }
    ],
    "5017": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WinRAR32bitSFXModule",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-03 11:48:15"
        }
    ],
    "5018": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WinUpackv030betaByDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:36:38"
        }
    ],
    "5019": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_adhubllka_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.adhubllka.",
            "last_hit_utc": "2023-03-14 18:49:13"
        }
    ],
    "5020": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_agendacrypt_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.agendacrypt.",
            "last_hit_utc": "2022-12-20 10:16:04"
        }
    ],
    "5021": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_agent_btz_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-25 21:23:29"
        }
    ],
    "5022": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_amadey_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-08-04 07:16:04"
        }
    ],
    "5023": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_arefty_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.arefty.",
            "last_hit_utc": "2022-09-26 02:57:02"
        }
    ],
    "5024": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_arkei_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.arkei_stealer.",
            "last_hit_utc": "2023-02-13 19:32:03"
        }
    ],
    "5025": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_babuk_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.babuk.",
            "last_hit_utc": "2023-04-25 17:45:04"
        }
    ],
    "5026": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_badnews_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "5027": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_bazarbackdoor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.bazarbackdoor.",
            "last_hit_utc": "2022-08-21 17:39:01"
        }
    ],
    "5028": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_blackmatter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.blackmatter.",
            "last_hit_utc": "2025-01-05 15:31:02"
        }
    ],
    "5029": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_chaos_w0",
            "yara_rule_author": "BlackBerry Threat Research",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Ransomware Built by Chaos Ransomware Builder",
            "last_hit_utc": "2022-11-10 04:52:03"
        }
    ],
    "5030": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_cobra_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-17 15:31:30"
        }
    ],
    "5031": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_conficker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.conficker.",
            "last_hit_utc": "2025-08-28 10:17:30"
        }
    ],
    "5032": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_cryakl_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-09-30 08:09:03"
        }
    ],
    "5033": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_csext_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-13 08:33:03"
        }
    ],
    "5034": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_doppelpaymer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.doppelpaymer.",
            "last_hit_utc": "2021-12-24 23:11:05"
        }
    ],
    "5035": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_erbium_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.erbium_stealer.",
            "last_hit_utc": "2022-11-24 13:12:37"
        }
    ],
    "5036": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_eternal_petya_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.eternal_petya.",
            "last_hit_utc": "2025-09-30 14:11:35"
        }
    ],
    "5037": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_extreme_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-08-31 02:34:06"
        }
    ],
    "5038": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_flawedammyy_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.flawedammyy.",
            "last_hit_utc": "2022-09-16 17:15:49"
        }
    ],
    "5039": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_gibberish_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.gibberish.",
            "last_hit_utc": "2022-04-25 13:32:20"
        }
    ],
    "5040": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_gpcode_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.gpcode.",
            "last_hit_utc": "2025-01-05 14:45:09"
        }
    ],
    "5041": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_graphdrop_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.graphdrop.",
            "last_hit_utc": "2024-04-25 10:30:03"
        }
    ],
    "5042": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_grimplant_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.grimplant.",
            "last_hit_utc": "2022-08-11 12:00:05"
        }
    ],
    "5043": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_hackspy_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-17 11:42:37"
        }
    ],
    "5044": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_icedid_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.icedid.",
            "last_hit_utc": "2022-04-14 19:54:04"
        }
    ],
    "5045": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_iceid_core_ldr_202104",
            "yara_rule_author": "Thomas Barabosch, Telekom Security",
            "yara_rule_reference": "",
            "yara_rule_description": "2021 loader for Bokbot / Icedid core (license.dat)",
            "last_hit_utc": "2022-01-19 07:50:49"
        }
    ],
    "5046": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_industroyer_w3",
            "yara_rule_author": "Dragos Inc",
            "yara_rule_reference": "https://dragos.com/blog/crashoverride/",
            "yara_rule_description": "IEC-104 Interaction Module Program Strings",
            "last_hit_utc": "2025-10-28 13:45:49"
        }
    ],
    "5047": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_kimsuky_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.kimsuky.",
            "last_hit_utc": "2021-11-03 12:25:04"
        }
    ],
    "5048": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_konni_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.konni.",
            "last_hit_utc": "2022-11-13 13:25:04"
        }
    ],
    "5049": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_kutaki_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.kutaki.",
            "last_hit_utc": "2025-01-05 15:27:32"
        }
    ],
    "5050": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_lockbit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-06-30 11:56:04"
        }
    ],
    "5051": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_lockergoga_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.lockergoga.",
            "last_hit_utc": "2023-04-08 18:15:04"
        }
    ],
    "5052": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_lockergoga_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
            "yara_rule_description": "Detects LockerGoga ransomware binaries",
            "last_hit_utc": "2024-06-11 10:49:04"
        }
    ],
    "5053": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_lorenz_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.lorenz.",
            "last_hit_utc": "2025-06-16 15:50:29"
        }
    ],
    "5054": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_loup_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.loup.",
            "last_hit_utc": "2022-07-16 08:07:01"
        }
    ],
    "5055": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_lumma_update_simple_strings_sep_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-30 15:41:12"
        }
    ],
    "5056": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_mars_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mars_stealer.",
            "last_hit_utc": "2022-05-20 22:35:31"
        }
    ],
    "5057": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_mbrlock_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-08-27 10:36:44"
        }
    ],
    "5058": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_mylobot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-12-20 08:01:04"
        }
    ],
    "5059": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_nachocheese_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-02 08:29:31"
        }
    ],
    "5060": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_narilam_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.narilam.",
            "last_hit_utc": "2025-01-03 19:34:48"
        }
    ],
    "5061": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_neutrino_pos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-14 19:46:15"
        }
    ],
    "5062": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_nightsky_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.nightsky.",
            "last_hit_utc": "2022-04-21 00:19:02"
        }
    ],
    "5063": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_numando_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-10-13 09:02:20"
        }
    ],
    "5064": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_ozone_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-04-14 15:14:06"
        }
    ],
    "5065": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_phorpiex_a_84fc",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects unpacked Phorpiex samples",
            "last_hit_utc": "2025-04-26 21:51:40"
        }
    ],
    "5066": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_phorpiex_g1",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-09-29 18:24:05"
        }
    ],
    "5067": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_plugx_w2",
            "yara_rule_author": "Jean-Philippe Teissier / @Jipe_",
            "yara_rule_reference": "",
            "yara_rule_description": "PlugX RAT",
            "last_hit_utc": "2022-10-20 20:04:03"
        }
    ],
    "5068": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_qakbot_api_hashing_oct_2022",
            "yara_rule_author": "@Embee_Research",
            "yara_rule_reference": "https://twitter.com/embee_research/status/1592067841154756610",
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-18 08:37:02"
        }
    ],
    "5069": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_rakhni_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-09-23 22:11:30"
        }
    ],
    "5070": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_ramnit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.ramnit.",
            "last_hit_utc": "2022-08-23 15:22:04"
        }
    ],
    "5071": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_ramnit_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-09 23:14:06"
        }
    ],
    "5072": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_ramnit_g1",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-09 23:14:06"
        }
    ],
    "5073": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_ratankbapos_w0",
            "yara_rule_author": "Threat Exchange http://blog.trex.re.kr/3",
            "yara_rule_reference": null,
            "yara_rule_description": "hkp.dll",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "5074": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_rifdoor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.rifdoor.",
            "last_hit_utc": "2025-01-03 21:34:19"
        }
    ],
    "5075": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_robinhood_w0",
            "yara_rule_author": "anonymous submission",
            "yara_rule_reference": null,
            "yara_rule_description": "Unpacked RobinHood ransomware",
            "last_hit_utc": "2020-11-05 14:19:23"
        }
    ],
    "5076": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_ryuk_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-03-17 21:02:48"
        }
    ],
    "5077": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_sakula_rat_w2",
            "yara_rule_author": "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou",
            "yara_rule_reference": null,
            "yara_rule_description": "Sakula v1.2",
            "last_hit_utc": "2025-04-28 05:11:11"
        }
    ],
    "5078": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_sakula_rat_w4",
            "yara_rule_author": "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou",
            "yara_rule_reference": null,
            "yara_rule_description": "Sakula v1.4",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "5079": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_sality_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de",
            "yara_rule_reference": null,
            "yara_rule_description": "2013-11-11 Sality Infector",
            "last_hit_utc": "2021-05-09 23:00:06"
        }
    ],
    "5080": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_sendsafe_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.sendsafe.",
            "last_hit_utc": "2021-12-26 00:48:24"
        }
    ],
    "5081": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "WIN_SHADOW_UNPACKED",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-11 03:58:04"
        }
    ],
    "5082": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_snake_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2024-01-03 10:41:22"
        }
    ],
    "5083": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_socks5_systemz_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.socks5_systemz.",
            "last_hit_utc": "2026-04-13 12:02:36"
        }
    ],
    "5084": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_spectre_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.spectre.",
            "last_hit_utc": "2022-06-05 09:40:13"
        }
    ],
    "5085": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_stresspaint_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.stresspaint.",
            "last_hit_utc": "2025-06-26 09:39:47"
        }
    ],
    "5086": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_suppobox_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.suppobox.",
            "last_hit_utc": "2022-12-24 06:47:03"
        }
    ],
    "5087": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_systembc_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-07-31 20:46:03"
        }
    ],
    "5088": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_tempedreve_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-10-12 17:41:39"
        }
    ],
    "5089": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_tinynuke_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.tinynuke.",
            "last_hit_utc": "2025-03-21 16:53:11"
        }
    ],
    "5090": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_trickbot_a4",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-04 09:44:26"
        }
    ],
    "5091": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_turla_silentmoon_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.turla_silentmoon.",
            "last_hit_utc": "2021-10-28 21:10:05"
        }
    ],
    "5092": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_unidentified_079_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-03-29 13:42:24"
        }
    ],
    "5093": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_void_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.void.",
            "last_hit_utc": "2022-11-16 08:49:02"
        }
    ],
    "5094": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "win_yoddos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.yoddos.",
            "last_hit_utc": "2022-11-05 20:40:04"
        }
    ],
    "5095": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Xtreme",
            "yara_rule_author": "botherder https://github.com/botherder",
            "yara_rule_reference": null,
            "yara_rule_description": "Xtreme RAT",
            "last_hit_utc": "2024-04-07 15:09:04"
        }
    ],
    "5096": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "XTunnel",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:29:12"
        }
    ],
    "5097": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "Zeus_Panda_RID2AFB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
            "yara_rule_description": "Detects ZEUS Panda Malware",
            "last_hit_utc": "2025-02-26 18:09:30"
        }
    ],
    "5098": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "ZxShell_Jul17_RID2BCD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell - CN threat group",
            "last_hit_utc": "2025-11-05 08:21:41"
        }
    ],
    "5099": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "_r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "5100": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "_r577_php_php_r57_php_php_spy_php_php_s_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "5101": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "5102": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "_wacking_php_php_1_SpecialShell_99_php_php_c100_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "5103": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "5104": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "5105": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "5106": [
        {
            "sample_cnt": 3,
            "yara_rule_name": "_w_php_php_wacking_php_php_SpecialShell_99_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "5107": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_202407_html_nocodeform_io",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects potential HTML phishing using nocodeform.io for credential exfil",
            "last_hit_utc": "2025-01-03 20:34:44"
        }
    ],
    "5108": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_202512_elf_RondoDox",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RondoDox Linux malware",
            "last_hit_utc": "2025-12-18 23:44:13"
        }
    ],
    "5109": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_Gozi_doc_20200528_bg",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/89ec270c6eb8e14268f248ac9906e534/",
            "yara_rule_description": "Detects Gozi DOC",
            "last_hit_utc": "2020-04-28 12:58:13"
        }
    ],
    "5110": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_Gozi_xls_20200528_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/60091932936aeef17f202e512de5993c/",
            "yara_rule_description": null,
            "last_hit_utc": "2020-04-28 21:25:15"
        }
    ],
    "5111": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_Guildma_LNK",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects malicious LNK files spreading Guildma malware",
            "last_hit_utc": "2023-04-05 14:08:03"
        }
    ],
    "5112": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_JAR_in_oleObject",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects JAR files in Office oleObjects",
            "last_hit_utc": "2022-09-23 15:48:03"
        }
    ],
    "5113": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_Quakbot_doc_20200812",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/2e0ef931fd3e5d1c6850a10bada1d318/",
            "yara_rule_description": "Detects Quakbot DOC",
            "last_hit_utc": "2021-01-09 13:29:04"
        }
    ],
    "5114": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_Taurus_doc_20200606",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/887bd038fbc543fc12a6aa35f983516a/",
            "yara_rule_description": null,
            "last_hit_utc": "2020-06-06 08:28:54"
        }
    ],
    "5115": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_TrickBot_doc_20201007",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/5eab26739952a71033226bd7ae83befe/",
            "yara_rule_description": "Detects TrickBot doc",
            "last_hit_utc": "2020-10-07 15:14:27"
        }
    ],
    "5116": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_TrickBot_doc_20201010",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/0a4c5ee8bc0f49fc1c55a7f54cfc08f0/",
            "yara_rule_description": "Detects TrickBot doc",
            "last_hit_utc": "2020-10-10 08:26:08"
        }
    ],
    "5117": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_TrickBot_doc_20201023",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/7012727683e761d58320b11124b5dcd3/",
            "yara_rule_description": "Detects TrickBot doc",
            "last_hit_utc": "2020-10-24 06:42:04"
        }
    ],
    "5118": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ach_ZLoader_xls_20200523",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/3b4d9d0aef48bcac712c43f87f9f7815/",
            "yara_rule_description": null,
            "last_hit_utc": "2020-04-25 08:15:16"
        }
    ],
    "5119": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "AdaptixBeacon",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "AdaptixBeacon Payload",
            "last_hit_utc": "2025-09-10 08:22:39"
        }
    ],
    "5120": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "AgentTesla_mod_tough_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-01-17 10:12:05"
        }
    ],
    "5121": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "agenttesla_win_generic",
            "yara_rule_author": "_kphi",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-16 07:19:03"
        }
    ],
    "5122": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ajan_asp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Ajan.asp.txt",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "5123": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ak74shell_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file ak74shell.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "5124": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "AllTheThings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/subTee/AllTheThings",
            "yara_rule_description": "Detects AllTheThings",
            "last_hit_utc": "2025-08-26 05:55:49"
        }
    ],
    "5125": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "AllTheThings_RID2BB8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/subTee/AllTheThings_RID2BB8",
            "yara_rule_description": "Detects AllTheThings_RID2BB8",
            "last_hit_utc": "2025-08-26 05:55:49"
        }
    ],
    "5126": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "amadeystealer",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked amadey malware samples.",
            "last_hit_utc": "2025-07-24 08:51:32"
        }
    ],
    "5127": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Andromeda",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Andromeda aka Gamarue botnet.",
            "last_hit_utc": "2023-08-01 23:21:05"
        }
    ],
    "5128": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Antichat_Shell_v1_3_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Antichat Shell v1.3.php.txt",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "5129": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Antichat_Socks5_Server_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "5130": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "AppLaunch",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect files referencing DotNet AppLaunch.exe",
            "last_hit_utc": "2022-10-10 12:00:41"
        }
    ],
    "5131": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT10_ChChes_lnk",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "LNK malware ChChes downloader",
            "last_hit_utc": "2022-10-11 03:58:03"
        }
    ],
    "5132": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT10_redleaves_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "RedLeaves malware",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "5133": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT28_SkinnyBoy_Dropper",
            "yara_rule_author": "Cluster25",
            "yara_rule_reference": "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf",
            "yara_rule_description": "Detects APT28 SkinnyBoy droppers",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "5134": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT28_SourFace_Malware3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html",
            "yara_rule_description": "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.",
            "last_hit_utc": "2024-05-22 23:03:02"
        }
    ],
    "5135": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT28_SourFace_Malware3_RID2F32",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html",
            "yara_rule_description": "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.",
            "last_hit_utc": "2024-05-22 23:03:02"
        }
    ],
    "5136": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT32_BonW_Microsoft_wwlib_dll_zip",
            "yara_rule_author": "zero",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-24 10:56:16"
        }
    ],
    "5137": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT9002",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "9002",
            "last_hit_utc": "2020-10-14 14:52:09"
        }
    ],
    "5138": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT9002Strings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "9002 Identifying Strings",
            "last_hit_utc": "2020-10-14 14:52:09"
        }
    ],
    "5139": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_APT10_Malware_Imphash_Dec18_1_RID3250",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "AlienVault OTX IOCs - statistical sample analysis",
            "yara_rule_description": "Detects APT10 malware based on ImpHashes",
            "last_hit_utc": "2025-01-03 20:07:00"
        }
    ],
    "5140": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_APT28_Cannon_Trojan_Nov18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
            "yara_rule_description": "Detects Cannon Trojan used by Sofacy",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "5141": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_APT28_Win_FreshFire",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
            "yara_rule_description": "The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.",
            "last_hit_utc": "2026-04-15 11:33:57"
        }
    ],
    "5142": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_APT29_NOBELIUM_BoomBox_May21_1_RID31ED",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
            "yara_rule_description": "Detects BoomBox malware as described in APT29 NOBELIUM report",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "5143": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_APT41_CN_ELF_Speculoos_Backdoor",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
            "yara_rule_description": "Detects Speculoos Backdoor used by APT41",
            "last_hit_utc": "2021-11-03 08:14:04"
        }
    ],
    "5144": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_APT41_RevokedCert_Aug19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
            "yara_rule_description": "Detects revoked certificates used by APT41 group",
            "last_hit_utc": "2026-03-03 21:36:16"
        }
    ],
    "5145": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_Backdoor_SUNBURST_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.",
            "last_hit_utc": "2023-09-11 16:27:03"
        }
    ],
    "5146": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_DeputyDog",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:28:01"
        }
    ],
    "5147": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_Dropper_Raw64_TEARDROP_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.",
            "last_hit_utc": "2021-02-08 20:56:18"
        }
    ],
    "5148": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_EQGRP_callbacks_RID2DD3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - Callback addresses",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "5149": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "apt_equation_equationlaser_runtimeclasses",
            "yara_rule_author": null,
            "yara_rule_reference": "https://securelist.com/blog/",
            "yara_rule_description": "Rule to detect the EquationLaser malware",
            "last_hit_utc": "2026-03-22 06:23:24"
        }
    ],
    "5150": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "apt_equation_exploitlib_mutexes",
            "yara_rule_author": null,
            "yara_rule_reference": "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/",
            "yara_rule_description": "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW",
            "last_hit_utc": "2026-03-22 06:23:27"
        }
    ],
    "5151": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_Hikit_msrv",
            "yara_rule_author": "ThreatConnect Intelligence Research Team",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "5152": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "apt_Lazarus_Job_Lure_May2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on macro strings used in Lazarus lure.",
            "last_hit_utc": "2021-05-05 15:36:03"
        }
    ],
    "5153": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_CN_Wocao_Agent_Csharp",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Strings from CSharp version of Agent",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "5154": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_CN_Wocao_getos_py",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Python getos utility",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "5155": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_CN_Wocao_injector_bin",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Process injector/launcher",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "5156": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_DTRACK_Oct19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21",
            "yara_rule_description": "Detects DTRACK malware",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "5157": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_FalseFont_Backdoor_Jan24",
            "yara_rule_author": "X__Junior, Jonathan Peters",
            "yara_rule_reference": "https://twitter.com/MsftSecIntel/status/1737895710169628824",
            "yara_rule_description": "Detects FalseFont backdoor, related to Peach Sandstorm APT",
            "last_hit_utc": "2025-01-03 19:37:14"
        }
    ],
    "5158": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
            "yara_rule_description": "Detects Lazarus VHD Ransomware",
            "last_hit_utc": "2022-04-28 11:03:02"
        }
    ],
    "5159": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_SLOTHFULMEDIA_Oct20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a",
            "yara_rule_description": "Detects SLOTHFULMEDIA malware",
            "last_hit_utc": "2021-07-11 21:29:17"
        }
    ],
    "5160": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_WinntiLinux_Dropper_AzazelFork_May19",
            "yara_rule_author": "Silas Cutler (havex [@] chronicle.security), Chronicle Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Detection of Linux variant of Winnti",
            "last_hit_utc": "2022-01-17 13:05:07"
        }
    ],
    "5161": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_WinntiLinux_Main_AzazelFork_May19",
            "yara_rule_author": "Silas Cutler (havex [@] chronicle.security), Chronicle Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Detection of Linux variant of Winnti",
            "last_hit_utc": "2022-03-30 09:27:02"
        }
    ],
    "5162": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_MAL_Win_BlueLight_B",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/",
            "yara_rule_description": "North Korean origin malware which uses a custom Google App for c2 communications.",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "5163": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_Muddy_Water_MSI_RMM_Atera_April2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:39:59"
        }
    ],
    "5164": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_NK_BabyShark_KimJoingRAT_Apr19_1_RID339E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/",
            "yara_rule_description": "Detects BabyShark KimJongRAT",
            "last_hit_utc": "2024-05-22 23:31:04"
        }
    ],
    "5165": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_NK_MAL_Keylogger_Unknown_Nov19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/CNMF_VirusAlert/status/1192131508007505921",
            "yara_rule_description": "Detects unknown keylogger reported by CNMF in November 2019",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "5166": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_RAT",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-24 08:13:21"
        }
    ],
    "5167": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_RAT",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-11-03 12:20:57"
        }
    ],
    "5168": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "apt_RU_MoonlightMaze_de_tool",
            "yara_rule_author": "Kaspersky Lab",
            "yara_rule_reference": "https://en.wikipedia.org/wiki/Moonlight_Maze",
            "yara_rule_description": "Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "5169": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_Stuxnet_Malware_2_RID2F09",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample",
            "last_hit_utc": "2025-03-06 22:27:10"
        }
    ],
    "5170": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_Turla_Agent_BTZ_Gen_1_RID3003",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Turla Agent.BTZ",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "5171": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_Turla_BigBoss_Apr_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/DrunkBinary/status/1304086230540390400",
            "yara_rule_description": "Detects new BigBoss implants (SilentMoon/GoldenSky)",
            "last_hit_utc": "2021-10-28 21:10:05"
        }
    ],
    "5172": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_UNC2447_MAL_SOMBRAT_May21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects SombRAT samples from UNC2447 campaign",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "5173": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_UNC2447_MAL_SOMBRAT_May21_1_RID3035",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects SombRAT samples from UNC2447 campaign",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "5174": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "APT_UNC2447_PS1_WARPRISM_May21_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects WARPRISM PowerShell samples from UNC2447 campaign",
            "last_hit_utc": "2022-08-21 18:16:04"
        }
    ],
    "5175": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Armadillov253b3",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-22 06:44:02"
        }
    ],
    "5176": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Asmodeus_v0_1_pl",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Asmodeus v0.1.pl.txt",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "5177": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ASPackv10803AlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-20 09:10:03"
        }
    ],
    "5178": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ASPack_ASPACK",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file ASPACK.EXE",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "5179": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "aspydrv_asp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file aspydrv.asp.txt",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "5180": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "5181": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "aZRaiLPhp_v1_0_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "5182": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Babuk_Decryptor",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
            "yara_rule_description": "Decryptor for Babuk / Babyk ransomware",
            "last_hit_utc": "2025-08-03 08:32:22"
        }
    ],
    "5183": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "backdoor1_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file backdoor1.php.txt",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "5184": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "backdoorfr_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file backdoorfr.php.txt",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "5185": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Backdoor_Redosdru_Jun17",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/OOB3mH",
            "yara_rule_description": "Detects malware Redosdru - file systemHome.exe",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "5186": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Backstage_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "b4e270dce231fd01c326f0828a3c5ad80012ebb932842aa8e420575859406fac",
            "yara_rule_description": "Backstage stealer aka Powerkatz",
            "last_hit_utc": "2021-04-10 13:53:40"
        }
    ],
    "5187": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "BadIIS_JKornevHidden",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match the strings found in BadIIS variant of the JKornevHidden rootkit",
            "last_hit_utc": "2025-10-21 17:58:30"
        }
    ],
    "5188": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "BazaSpacedDaisy",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-07-19 06:36:02"
        }
    ],
    "5189": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "bdcli100",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file bdcli100.exe",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "5190": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "bdcli100",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file bdcli100.exe",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "5191": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Beastdoor_Backdoor",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the backdoor Beastdoor",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "5192": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "BernhardPOS",
            "yara_rule_author": "Nick Hoffman / Jeremy Humble",
            "yara_rule_reference": "http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick",
            "yara_rule_description": "BernhardPOS Credit Card dumping tool",
            "last_hit_utc": "2025-11-05 08:21:34"
        }
    ],
    "5193": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "binder2_binder2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file binder2.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5194": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "binder2_binder2",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file binder2.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5195": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "bin_Client",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Client.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5196": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "bin_Client",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Client.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5197": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "BIN_Server",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Server.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5198": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "BIN_Server",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Server.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5199": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "bitlocker_ransom_vbs",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "another attempt to find that vbs based on a few strings",
            "last_hit_utc": "2025-01-04 08:51:07"
        }
    ],
    "5200": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "bitrat_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/52b45503-81fe-426c-93a1-bbfb04f677e1",
            "yara_rule_description": "BitRAT",
            "last_hit_utc": "2021-08-23 18:49:04"
        }
    ],
    "5201": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "BlackMatter",
            "yara_rule_author": "ATR McAfee",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:31:02"
        }
    ],
    "5202": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "blackremote_blackrat_payload_2020",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-04-25 11:26:08"
        }
    ],
    "5203": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "bruteratelc4",
            "yara_rule_author": "spyw4re",
            "yara_rule_reference": null,
            "yara_rule_description": "A Rule to detect brute ratel stager payloads.",
            "last_hit_utc": "2025-01-13 08:33:02"
        }
    ],
    "5204": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "BruteRatelConfig",
            "yara_rule_author": "@immersivelabs",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-12 10:35:03"
        }
    ],
    "5205": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Bumblebee_Loader_Similarities",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-16 20:48:03"
        }
    ],
    "5206": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "by063cli",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file by063cli.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5207": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "by063cli",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file by063cli.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5208": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "by064cli",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file by064cli.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5209": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "by064cli",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file by064cli.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "5210": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "byshell063_ntboot_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file ntboot.dll",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "5211": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "byshell063_ntboot_2",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file ntboot.dll",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "5212": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ByteCode_MSIL_Ransomware_ChupaCabra",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects ChupaCabra ransomware.",
            "last_hit_utc": "2022-09-24 09:41:04"
        }
    ],
    "5213": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ByteCode_MSIL_Ransomware_Janelle",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Janelle ransomware.",
            "last_hit_utc": "2022-09-20 05:04:07"
        }
    ],
    "5214": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ByteCode_MSIL_Ransomware_WormLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects WormLocker ransomware.",
            "last_hit_utc": "2026-04-01 20:25:25"
        }
    ],
    "5215": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "c99madshell_v2_0_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "5216": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "caliber44",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked 44caliber malware samples.",
            "last_hit_utc": "2025-09-07 22:57:37"
        }
    ],
    "5217": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "canvasspectre",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunts for CANVAS Spectre",
            "last_hit_utc": "2025-01-05 17:19:22"
        }
    ],
    "5218": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CarbonLoader_v3_71_",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-16 21:53:04"
        }
    ],
    "5219": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "carbon_metadata",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
            "yara_rule_description": "Turla Carbon malware",
            "last_hit_utc": "2022-10-16 21:53:04"
        }
    ],
    "5220": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Casper_Backdoor_x86",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "5221": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Casper_EXE_Dropper",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "5222": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Casper_EXE_Dropper",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "5223": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Casper_EXE_Dropper_RID2DEB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "5224": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Casper_Included_Strings",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "5225": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Casper_Included_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "5226": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Casper_Included_Strings_RID303F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "5227": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Casus15_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Casus15.php.php.txt",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "5228": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CCREWBACK1",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:28:01"
        }
    ],
    "5229": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Cerber",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Cerber Payload",
            "last_hit_utc": "2025-03-19 06:03:20"
        }
    ],
    "5230": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "cert_blocklist_51cd5393514f7ace2b407c3dbfb09d8d",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2021-03-01 13:36:44"
        }
    ],
    "5231": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "cgi_python_py",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file cgi-python.py.txt",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "5232": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ChromePass",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - file ChromePass.exe",
            "last_hit_utc": "2022-12-16 21:33:02"
        }
    ],
    "5233": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CmdAsp_asp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file CmdAsp.asp.txt",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "5234": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "cmdjsp_jsp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file cmdjsp.jsp.txt",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "5235": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CN_disclosed_20180208_Mal5_RID2F5D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2025-06-22 22:05:38"
        }
    ],
    "5236": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe",
            "last_hit_utc": "2021-06-26 08:11:07"
        }
    ],
    "5237": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Cobaltgang_PDF_Metadata_Rev_A",
            "yara_rule_author": "Palo Alto Networks Unit 42",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/",
            "yara_rule_description": "Find documents saved from the same potential Cobalt Gang PDF template",
            "last_hit_utc": "2025-10-28 13:44:02"
        }
    ],
    "5238": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x)",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "5239": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike_Resources_Httpstager_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/httpstager.bin signature for versions 2.5 to 4.x",
            "last_hit_utc": "2025-01-03 21:53:00"
        }
    ],
    "5240": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike_Sleeve_BeaconLoader_HA_x64_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/BeaconLoader.HA.x64.o (HeapAlloc) Versions 4.3 through at least 4.6",
            "last_hit_utc": "2025-11-23 05:00:38"
        }
    ],
    "5241": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike_Sleeve_BeaconLoader_MVF_x64_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/BeaconLoader.MVF.x64.o (MapViewOfFile) Versions 4.3 through at least 4.6",
            "last_hit_utc": "2025-01-03 19:38:27"
        }
    ],
    "5242": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike_Sleeve_Beacon_x64_v4_1_and_v_4_2",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.1 and 4.2",
            "last_hit_utc": "2023-04-16 10:56:03"
        }
    ],
    "5243": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike__Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "5244": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike__Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x_change",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "5245": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike__Resources_Httpstager_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:53:00"
        }
    ],
    "5246": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike__Sleeve_BeaconLoader_HA_x64_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 05:00:38"
        }
    ],
    "5247": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CobaltStrike__Sleeve_BeaconLoader_MVF_x64_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:38:26"
        }
    ],
    "5248": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Codoso_PlugX_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT PlugX Malware",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "5249": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Codoso_PlugX_2_RID2C58",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT PlugX Malware",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "5250": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "COLLECTOR2022B",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-06-09 14:25:11"
        }
    ],
    "5251": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ComRAT",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-12 08:08:26"
        }
    ],
    "5252": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "connectback2_pl",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file connectback2.pl.txt",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "5253": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "connector",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file connector.asp",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "5254": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "connector",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file connector.asp",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "5255": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CoreImpact_sysdll_exe",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects a malware sysdll.exe from the Rocket Kitten APT",
            "last_hit_utc": "2022-09-02 09:40:06"
        }
    ],
    "5256": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Coreshell",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-22 23:03:02"
        }
    ],
    "5257": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CreateMiniDump",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass",
            "yara_rule_description": "Identifies CreateMiniDump, tool to dump LSASS.",
            "last_hit_utc": "2024-01-13 16:33:03"
        }
    ],
    "5258": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "crime_generic_DLL_exports_Sep2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": "",
            "yara_rule_description": "Triggers on malicious DLLs distributed along LNK files in ISO attachments.",
            "last_hit_utc": "2022-10-12 16:59:43"
        }
    ],
    "5259": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "crime_generic_LNK_uid_Jun2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on malicious link files which call powershell with an obfuscated payload and download an HTA file.",
            "last_hit_utc": "2021-06-07 07:42:16"
        }
    ],
    "5260": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "crime_UNC2529_DoubleBack_May2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on strings and constants used in doubleback samples",
            "last_hit_utc": "2021-05-05 20:30:00"
        }
    ],
    "5261": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "crime_win32_lu0bot",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-11-07 14:39:02"
        }
    ],
    "5262": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "crime_win32_zloader_a0",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Zloader Payload",
            "last_hit_utc": "2021-08-25 06:29:08"
        }
    ],
    "5263": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "crime_win64_bumblebee_powershell_loader",
            "yara_rule_author": "Rony",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects a Powershell Loader used to load bumblebee in memory",
            "last_hit_utc": "2022-09-13 18:16:04"
        }
    ],
    "5264": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "crime_zloader_dec_23",
            "yara_rule_author": "Rony (r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ZLoader",
            "last_hit_utc": "2025-01-03 23:03:45"
        }
    ],
    "5265": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CrowdStrike_SUNSPOT_01",
            "yara_rule_author": "(c) 2021 CrowdStrike Inc.",
            "yara_rule_reference": "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/",
            "yara_rule_description": "Detects RC4 and AES key encryption material in SUNSPOT",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "5266": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CrowdStrike_SUNSPOT_02",
            "yara_rule_author": null,
            "yara_rule_reference": "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/",
            "yara_rule_description": "Detects mutex names in SUNSPOT",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "5267": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CrunchPE",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-27 07:14:14"
        }
    ],
    "5268": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CryptoLockv202EngRyanThian",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-08 22:36:26"
        }
    ],
    "5269": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "csh_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file csh.php.php.txt",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "5270": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "cspayload",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 17:01:27"
        }
    ],
    "5271": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CVE_2017_11882_RTF",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882",
            "last_hit_utc": "2025-01-03 22:30:00"
        }
    ],
    "5272": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "CVE_2017_8759_WSDL_in_RTF",
            "yara_rule_author": "Security Doggo @xdxdxdxdoa",
            "yara_rule_reference": "https://twitter.com/xdxdxdxdoa/status/908665278199996416",
            "yara_rule_description": "Detects malicious RTF file related to CVE-2017-8759",
            "last_hit_utc": "2023-05-13 14:43:03"
        }
    ],
    "5273": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "cyberlords_sql_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file cyberlords_sql.php.php.txt",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "5274": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "d238aea078ca1bb99a80ec2bf5d07acb818d72e7823ea8e767eefde95a03",
            "yara_rule_author": "H3lium",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "MALWARE! - file d238aea078ca1bb99a80ec2bf5d07acb818d72e7823ea8e767eefde95a038401.exe",
            "last_hit_utc": "2021-06-18 00:41:09"
        }
    ],
    "5275": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "DarkSpy105",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file DarkSpy105.exe",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "5276": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "DarkSpy105",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file DarkSpy105.exe",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "5277": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "darkteam_loader",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Rdpwrap Tool",
            "last_hit_utc": "2025-08-02 22:46:20"
        }
    ],
    "5278": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "darktrack_rat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-07 08:48:02"
        }
    ],
    "5279": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "dbgiis6cli",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file dbgiis6cli.exe",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "5280": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "dbgiis6cli",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file dbgiis6cli.exe",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "5281": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "dbgntboot",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file dbgntboot.dll",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "5282": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "dbgntboot",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file dbgntboot.dll",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "5283": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Debug_cress",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file cress.exe",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "5284": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Debug_cress",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file cress.exe",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "5285": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "DemonNtdllHashes",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 11:24:39"
        }
    ],
    "5286": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Detect_Base64_Web_Patterns",
            "yara_rule_author": "dogsafetyforeverone",
            "yara_rule_reference": "Website pattern detection",
            "yara_rule_description": "Detects specific base64-encoded patterns commonly found on a suspicious computers that may have been infected by remote access tool (RAT)",
            "last_hit_utc": "2025-02-26 12:36:11"
        }
    ],
    "5287": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Detect_Janeleiro_Banker",
            "yara_rule_author": "@johnk3r",
            "yara_rule_reference": "https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil",
            "yara_rule_description": "Detects LATAM TRJ_Banker JANELEIRO",
            "last_hit_utc": "2025-06-16 15:41:48"
        }
    ],
    "5288": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Detect_LATAM_Banker_MSI",
            "yara_rule_author": "@johnk3r",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects common strings, DLL and API in Banker_BR",
            "last_hit_utc": "2025-01-05 16:56:00"
        }
    ],
    "5289": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Detect_Malicious_PDF_Dropper",
            "yara_rule_author": "daniyyell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a malicious PDF dropper that uses specific objects and patterns indicative of malware activity.",
            "last_hit_utc": "2025-06-16 16:50:21"
        }
    ],
    "5290": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "detect_Raccoon_Stealer_v2",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_Raccoon_Stealer_v2",
            "last_hit_utc": "2023-09-24 10:41:03"
        }
    ],
    "5291": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "detect_silence_Downloader",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_silence_Downloader",
            "last_hit_utc": "2025-01-05 17:28:02"
        }
    ],
    "5292": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Detect_squirrel_banker_v2",
            "yara_rule_author": "@johnk3r",
            "yara_rule_reference": "https://twitter.com/johnk3r/status/1770244020637192398",
            "yara_rule_description": "Detect first stage of TRJ_Banker using squirrel",
            "last_hit_utc": "2025-01-05 17:30:14"
        }
    ],
    "5293": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Dexter_Malware",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/oBvy8b",
            "yara_rule_description": "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "5294": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Dexter_Malware",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/oBvy8b",
            "yara_rule_description": "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "5295": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Dexter_Malware_RID2CA5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/oBvy8b",
            "yara_rule_description": "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "5296": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Dive_Shell_1_0___Emperor_Hacking_Team_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "5297": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "DK_Brute",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/xiIphp",
            "yara_rule_description": "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "5298": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "DK_Brute",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/xiIphp",
            "yara_rule_description": "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "5299": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Donot_Download",
            "yara_rule_author": "NaN",
            "yara_rule_reference": "",
            "yara_rule_description": "Donot APT Download Detect",
            "last_hit_utc": "2022-10-09 09:28:03"
        }
    ],
    "5300": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "DROPPER_Vjw0rm_Stage_1",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse.php?search=tag%3AVjw0rm",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-26 16:27:32"
        }
    ],
    "5301": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "dtrack_2020",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "5302": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Dx_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Dx.php.php.txt",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "5303": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ebury_v1_7_crypto",
            "yara_rule_author": "Marc-Etienne M.L\u00e9veill\u00e9 <leveille@eset.com>",
            "yara_rule_reference": "https://www.welivesecurity.com",
            "yara_rule_description": "This rule detects the strings decryption routine in Ebury v1.7 and v1.8",
            "last_hit_utc": "2025-07-11 08:40:12"
        }
    ],
    "5304": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EditServer_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file EditServer.exe",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "5305": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EditServer_2",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file EditServer.exe",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "5306": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EditServer_3",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file EditServer.exe",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "5307": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EditServer_EXE",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file EditServer.exe",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "5308": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EFSO_2_asp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file EFSO_2.asp.txt",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "5309": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "elf_blackcat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects elf.blackcat.",
            "last_hit_utc": "2025-06-24 07:12:35"
        }
    ],
    "5310": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "elf_kaiten_w0",
            "yara_rule_author": "Akamai SIRT",
            "yara_rule_reference": null,
            "yara_rule_description": "Kaiten/STD DDoS malware",
            "last_hit_utc": "2026-01-26 01:26:28"
        }
    ],
    "5311": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "elf_winnti_w0",
            "yara_rule_author": "Silas Cutler (havex [@] chronicle.security), Chronicle Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-03-30 09:27:02"
        }
    ],
    "5312": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "elf_winnti_w1",
            "yara_rule_author": "Silas Cutler (havex [@] chronicle.security), Chronicle Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-01-17 13:05:07"
        }
    ],
    "5313": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Elise",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:28:02"
        }
    ],
    "5314": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "elmaliseker",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file elmaliseker.asp",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "5315": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "elmaliseker",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file elmaliseker.asp",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "5316": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "elmaliseker_asp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file elmaliseker.asp.txt",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "5317": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Emotets",
            "yara_rule_author": "pekeinfo",
            "yara_rule_reference": null,
            "yara_rule_description": "Emotets",
            "last_hit_utc": "2020-11-16 04:52:33"
        }
    ],
    "5318": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EncodedLockbitAdminLogString",
            "yara_rule_author": "Adam Hassan",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting the LockBit 2.0 Ransomware based on common encoded strings",
            "last_hit_utc": "2025-01-05 15:57:47"
        }
    ],
    "5319": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EQGRP_callbacks",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - Callback addresses",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "5320": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_modifyAudit_Lp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/tcSoiJ",
            "yara_rule_description": "EquationGroup Malware - file modifyAudit_Lp.dll",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "5321": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_modifyAudit_Lp_RID325D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/tcSoiJ",
            "yara_rule_description": "EquationGroup Malware - file modifyAudit_Lp.dll",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "5322": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_nethide_Lp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/tcSoiJ",
            "yara_rule_description": "EquationGroup Malware - file nethide_Lp.dll",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "5323": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_nethide_Lp_RID30BF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/tcSoiJ",
            "yara_rule_description": "EquationGroup Malware - file nethide_Lp.dll",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "5324": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "5325": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:44"
        }
    ],
    "5326": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Gen2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "5327": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Gen2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "5328": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Gen2_RID3342",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "5329": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_ntevt",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2026-03-22 06:23:28"
        }
    ],
    "5330": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "5331": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-10-28 13:44:17"
        }
    ],
    "5332": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4_RID3A9F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-10-28 13:44:17"
        }
    ],
    "5333": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ESXi_Ransomware_Royal_params",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection for Royal ransomware on ESXi",
            "last_hit_utc": "2025-10-01 22:35:49"
        }
    ],
    "5334": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EternalRocks_taskhost",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/stamparm/status/864865144748298242",
            "yara_rule_description": "Detects EternalRocks Malware - file taskhost.exe",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "5335": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EternalRocks_taskhost_FR_RID30A5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/stamparm/status/864865144748298242",
            "yara_rule_description": "Detects EternalRocks Malware - file taskhost.exe",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "5336": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXECryptor224StrongbitSoftCompleteDevelopmenth3",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 22:48:11"
        }
    ],
    "5337": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXE_Backdoor_Rust_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-03 19:35:03"
        }
    ],
    "5338": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXE_Stealer_RisePro_Jan2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:34:00"
        }
    ],
    "5339": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXE_Stealer_TrollStealer_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-06-21 09:35:03"
        }
    ],
    "5340": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "exploit",
            "yara_rule_author": "xorseed",
            "yara_rule_reference": "https://stuff.rop.io/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:19:22"
        }
    ],
    "5341": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "exploit_generic",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "exploit",
            "last_hit_utc": "2022-11-20 15:26:03"
        }
    ],
    "5342": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Exploit_MS15_077_078",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200",
            "yara_rule_description": "MS15-078 / MS15-077 exploit - generic signature",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "5343": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Exploit_MS15_077_078",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200",
            "yara_rule_description": "MS15-078 / MS15-077 exploit - generic signature",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "5344": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Exploit_MS15_077_078_RID2D56",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200",
            "yara_rule_description": "MS15-078 / MS15-077 exploit - generic signature",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "5345": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_CVE_2021_40444_Document_Rels_XML",
            "yara_rule_author": "Jeremy Brown / @alteredbytes",
            "yara_rule_reference": "https://twitter.com/AlteredBytes/status/1435811407249952772",
            "yara_rule_description": "Detects indicators found in weaponized documents that exploit CVE-2021-40444",
            "last_hit_utc": "2025-07-08 07:38:17"
        }
    ],
    "5346": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_CVE_2021_40444_Document_Rels_XML_1",
            "yara_rule_author": "Jeremy Brown / @alteredbytes",
            "yara_rule_reference": "https://twitter.com/AlteredBytes/status/1435811407249952772",
            "yara_rule_description": "Detects indicators found in weaponized documents that exploit CVE-2021-40444",
            "last_hit_utc": "2025-07-08 07:38:17"
        }
    ],
    "5347": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_Exchange_ProxyShell_Successful_Aug21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
            "yara_rule_description": "Detects successful ProxyShell exploitation attempts in log files",
            "last_hit_utc": "2025-01-03 20:34:47"
        }
    ],
    "5348": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_Exchange_ProxyShell_Successful_Aug21_1_RID3733",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
            "yara_rule_description": "Detects successful ProxyShell exploitation attempts in log files",
            "last_hit_utc": "2025-01-03 20:34:47"
        }
    ],
    "5349": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_GitLab_CE_RCE_Malformed_JPG_CVE_2021_22204",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog",
            "yara_rule_description": "Detects malformed JPG files exploting EXIF vulnerability CVE-2021-22204 and used in the exploitation of GitLab vulnerability CVE-2021-22205",
            "last_hit_utc": "2022-08-10 12:45:02"
        }
    ],
    "5350": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_GitLab_CE_RCE_Malformed_JPG_CVE_2021_22205",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog",
            "yara_rule_description": "Detects malformed JPG files used in the exploitation of GitLab vulnerability CVE-2021-22205",
            "last_hit_utc": "2022-01-13 15:43:03"
        }
    ],
    "5351": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_JNDI_Exploit_Patterns_Dec21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/pimps/JNDI-Exploit-Kit",
            "yara_rule_description": "Detects JNDI Exploit Kit patterns in files",
            "last_hit_utc": "2025-01-03 22:02:35"
        }
    ],
    "5352": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
            "yara_rule_description": "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "5353": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1_RID3AD7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
            "yara_rule_description": "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "5354": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_RAR_Archive_with_Path_Traversal_Aug25",
            "yara_rule_author": "Arnim Rupp (Nextron Systems)",
            "yara_rule_reference": "https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/#the-discovery-of-cve-2025-8088",
            "yara_rule_description": "Detects RAR archives abused for path traversal like CVE-2025-8088 and CVE-2025-6218",
            "last_hit_utc": "2026-02-10 08:35:16"
        }
    ],
    "5355": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "EXPL_RCE_React_Server_CVE_2025_55182_POC_Dec25",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.youtube.com/watch?v=MmdwakT-Ve8",
            "yara_rule_description": "Detects RCE indicators related to the proof-of-concept code for the React Server Remote Code Execution Vulnerability (CVE-2025-55182)",
            "last_hit_utc": "2026-03-23 22:50:17"
        }
    ],
    "5356": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FeliksPack3___PHP_Shells_phpft",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file phpft.php",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "5357": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FeliksPack3___PHP_Shells_phpft",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file phpft.php",
            "last_hit_utc": "2025-10-28 13:44:18"
        }
    ],
    "5358": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FeliksPack3___PHP_Shells_usr",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file usr.php",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "5359": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FeliksPack3___PHP_Shells_usr",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file usr.php",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "5360": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FE_LEGALSTRIKE_RTF",
            "yara_rule_author": "joshua.kim@FireEye. - modified by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom",
            "last_hit_utc": "2025-01-03 22:30:21"
        }
    ],
    "5361": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FSO_s_casus15_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file casus15.php",
            "last_hit_utc": "2025-10-28 13:44:21"
        }
    ],
    "5362": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FSO_s_casus15_2",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file casus15.php",
            "last_hit_utc": "2025-10-28 13:44:21"
        }
    ],
    "5363": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FSO_s_phpinj",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file phpinj.php",
            "last_hit_utc": "2025-10-28 13:44:21"
        }
    ],
    "5364": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FSO_s_phpinj",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file phpinj.php",
            "last_hit_utc": "2025-10-28 13:44:21"
        }
    ],
    "5365": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FSO_s_reader",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file reader.asp",
            "last_hit_utc": "2025-10-28 13:44:21"
        }
    ],
    "5366": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FSO_s_reader",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file reader.asp",
            "last_hit_utc": "2025-10-28 13:44:21"
        }
    ],
    "5367": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FSO_s_zehir4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file zehir4.asp",
            "last_hit_utc": "2025-10-28 13:44:22"
        }
    ],
    "5368": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FSO_s_zehir4",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file zehir4.asp",
            "last_hit_utc": "2025-10-28 13:44:22"
        }
    ],
    "5369": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "fuckphpshell_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file fuckphpshell.php.txt",
            "last_hit_utc": "2025-10-28 13:44:22"
        }
    ],
    "5370": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "FVEY_ShadowBroker_Auct_Dez16_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "String from the ShadowBroker Files Screenshots - Dec 2016",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "5371": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Geoirb_TCP",
            "yara_rule_author": "@_FirehaK",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the message library created for the Boba botnet.",
            "last_hit_utc": "2021-11-22 21:50:39"
        }
    ],
    "5372": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Gmer",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "http://www.gmer.net/",
            "yara_rule_description": "Identifies Gmer, sometimes used by attackers to disable security software.",
            "last_hit_utc": "2024-03-01 18:27:06"
        }
    ],
    "5373": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Gmer_Driver",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "http://www.gmer.net/",
            "yara_rule_description": "Identifies Gmer's driver, sometimes used by attackers to disable security software.",
            "last_hit_utc": "2025-01-05 16:50:23"
        }
    ],
    "5374": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "GraceWireLoader",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule to detect GraceWireLoader via usage of Stack Strings",
            "last_hit_utc": "2025-03-07 19:43:29"
        }
    ],
    "5375": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Greenbug_Malware_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/urp4CD",
            "yara_rule_description": "Detects ISMDoor Backdoor",
            "last_hit_utc": "2025-11-05 08:21:37"
        }
    ],
    "5376": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Greenbug_Malware_4_RID2DFB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/urp4CD",
            "yara_rule_description": "Detects ISMDoor Backdoor",
            "last_hit_utc": "2025-11-05 08:21:37"
        }
    ],
    "5377": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Hacktools_CN_JoHor_Posts_Killer",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file JoHor_Posts_Killer.exe",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "5378": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Hacktools_CN_JoHor_Posts_Killer",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file JoHor_Posts_Killer.exe",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "5379": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Hacktools_CN_JoHor_Rdos_3_6_uplis",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file uplis.vbp",
            "last_hit_utc": "2025-01-03 19:33:29"
        }
    ],
    "5380": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HackTool_MSIL_SAFETYKATZ_4",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project.",
            "last_hit_utc": "2026-01-30 13:08:33"
        }
    ],
    "5381": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HackTool_MSIL_SharpHound_3",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.",
            "last_hit_utc": "2025-08-25 10:09:32"
        }
    ],
    "5382": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "halogen_generated_9669d28c903a6b096d9d2452b14fc4c1",
            "yara_rule_author": "Halogen Generated Rule",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-12-07 09:32:04"
        }
    ],
    "5383": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HawkEye_Keylogger_Feb18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9",
            "yara_rule_description": "Semiautomatically generated YARA rule",
            "last_hit_utc": "2023-06-18 08:18:03"
        }
    ],
    "5384": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HDConfig",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file HDConfig.exe",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "5385": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HDConfig",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file HDConfig.exe",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "5386": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Hex_Encoded_Powershell",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-18 10:05:34"
        }
    ],
    "5387": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "hidshell_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file hidshell.php.php.txt",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "5388": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Hive_V1",
            "yara_rule_author": "DigitalPanda",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-11 16:27:05"
        }
    ],
    "5389": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "hkdoordll",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file hkdoordll.dll",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5390": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "hkdoordll",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file hkdoordll.dll",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5391": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "hkshell_hkrmv",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file hkrmv.exe",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5392": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "hkshell_hkrmv",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file hkrmv.exe",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5393": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "hkshell_hkshell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file hkshell.exe",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5394": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "hkshell_hkshell",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file hkshell.exe",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5395": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_Amplia_Security_Tool",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Amplia Security Tool like Windows Credential Editor",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5396": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_bdcli100_RID2B32",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file bdcli100.exe",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5397": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_BIN_Server_RID2C52",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file Server.exe",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5398": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_BruteRatel_Badger_Indicators_Oct22_4",
            "yara_rule_author": "Matthew @embee_research, Florian Roth",
            "yara_rule_reference": "https://twitter.com/embee_research/status/1580030310778953728",
            "yara_rule_description": "Detects Brute Ratel C4 badger indicators",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "5399": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_by063cli_RID2B4F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file by063cli.exe",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5400": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_by064cli_RID2B50",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file by064cli.exe",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5401": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_byshell063_ntboot_2_RID2FB5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file ntboot.dll",
            "last_hit_utc": "2025-10-28 13:44:27"
        }
    ],
    "5402": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_dbgiis6cli_RID2C83",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file dbgiis6cli.exe",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "5403": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_dbgntboot_RID2C66",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file dbgntboot.dll",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "5404": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_Debug_cress_RID2D09",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file cress.exe",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "5405": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_EditServer_2_RID2D31",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file EditServer.exe",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "5406": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_HDConfig_RID2B85",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file HDConfig.exe",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "5407": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_hkdoordll_RID2C66",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file hkdoordll.dll",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "5408": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_hkshell_hkrmv_RID2E15",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file hkrmv.exe",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "5409": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_HYTop_CaseSwitch_2005_RID2FEA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file 2005.exe",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "5410": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_Koh_TokenStealer",
            "yara_rule_author": "Will Schroeder (@harmj0y)",
            "yara_rule_reference": "https://github.com/GhostPack/Koh",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project.",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "5411": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_LazyCat_LogEraser",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1097423665472376832",
            "yara_rule_description": "Detects a tool used in the Australian Parliament House network compromise",
            "last_hit_utc": "2025-11-05 08:21:37"
        }
    ],
    "5412": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_Mithril_dllTest_RID2EB7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file dllTest.dll",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "5413": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_Mithril_tool_RID2D99",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file Mithril.exe",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "5414": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_Mithril_v1_45_dllTest_RID3085",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file dllTest.dll",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "5415": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NATBypass_Dec22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/cw1997/NATBypass",
            "yara_rule_description": "Detects NatBypass tool (also used by APT41)",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "5416": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_Adamantium_Thief",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/LimerBoy/Adamantium-Thief",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "5417": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_BrowserGhost",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/QAX-A-Team/BrowserGhost",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-03 19:14:31"
        }
    ],
    "5418": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_BypassUAC",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/cnsimo/BypassUAC",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "5419": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_DarkFender",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/0xyg3n/DarkFender",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2022-10-19 07:19:04"
        }
    ],
    "5420": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_ForgeCert",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/ForgeCert",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "5421": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_Koh",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/Koh",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "5422": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_PoshC2_Misc",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/nettitude/PoshC2_Misc",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2021-06-22 07:43:38"
        }
    ],
    "5423": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_RestrictedAdmin",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/RestrictedAdmin",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "5424": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_RexCrypter",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/syrex1013/RexCrypter",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "5425": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_SafetyKatz",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/SafetyKatz",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "5426": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_SharpChromium",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/djhohnstein/SharpChromium",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-03 19:14:31"
        }
    ],
    "5427": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_SharpDump",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/SharpDump",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "5428": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_SharpHound3",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/BloodHoundAD/SharpHound3",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-08-25 10:09:32"
        }
    ],
    "5429": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_SharpPack",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/Lexus89/SharpPack",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "5430": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_SharpScribbles",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/V1V1/SharpScribbles",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2023-09-06 12:51:02"
        }
    ],
    "5431": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_SharpWMI_1",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/QAX-A-Team/sharpwmi",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "5432": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_SharpWMI_2",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/GhostPack/SharpWMI",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-01-30 13:08:34"
        }
    ],
    "5433": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_SharpWSUS",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/nettitude/SharpWSUS",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-08-13 08:23:23"
        }
    ],
    "5434": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_UnmanagedPowerShell",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/leechristensen/UnmanagedPowerShell",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2024-01-10 13:02:03"
        }
    ],
    "5435": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_NET_GUID_VanillaRAT",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/DannyTheSloth/VanillaRAT",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2021-08-06 12:58:33"
        }
    ],
    "5436": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1",
            "yara_rule_description": "Detects PowerShell Oneliner in Nishang's repository",
            "last_hit_utc": "2021-12-30 15:44:05"
        }
    ],
    "5437": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_PasswordReminder_RID2F2C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file PasswordReminder.exe",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "5438": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_PortRacer_RID2C35",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semiautomatically generated YARA rule on file PortRacer.exe",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "5439": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_PS1_PowerCat_Mar21",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/besimorhino/powercat",
            "yara_rule_description": "Detects PowerCat hacktool",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "5440": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_rdrbs084_RID2B5C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file rdrbs084.exe",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "5441": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_rdrbs100_RID2B51",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file rdrbs100.exe",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "5442": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_root_040_zip_Folder_deploy_RID32B3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file deploy.exe",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "5443": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_shelltools_g0t_root_HideRun_RID3387",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file HideRun.exe",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "5444": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_Unpack_Injectt_RID2E35",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file Injectt.exe",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "5445": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_vanquish_2_RID2CA3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file vanquish.exe",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "5446": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HKTL_ZXshell2_0_rar_Folder_zxrecv_RID338E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file zxrecv.exe",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "5447": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HTKL_BlackBone_DriverInjector",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/DarthTon/Blackbone",
            "yara_rule_description": "Detects BlackBone Driver injector",
            "last_hit_utc": "2022-12-31 22:47:02"
        }
    ],
    "5448": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HYTop2006_rar_Folder_2006",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file 2006.asp",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5449": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HYTop2006_rar_Folder_2006",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file 2006.asp",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5450": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HYTop_CaseSwitch_2005",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file 2005.exe",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5451": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HYTop_CaseSwitch_2005",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file 2005.exe",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5452": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HYTop_DevPack_server",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file server.asp",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5453": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HYTop_DevPack_server",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file server.asp",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5454": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HYTop_DevPack_server_RID2ED8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file server.asp",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5455": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HYTop_DevPack_upload",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file upload.asp",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5456": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "HYTop_DevPack_upload",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file upload.asp",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5457": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IcedIDStage2",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "IcedID Stage2 Payload",
            "last_hit_utc": "2021-09-23 06:41:05"
        }
    ],
    "5458": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "icyfox007v1_10_rar_Folder_asp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file asp.asp",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5459": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "icyfox007v1_10_rar_Folder_asp",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file asp.asp",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "5460": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IISPutScannesr_RID2C6C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file IISPutScannesr_RID2C6C.exe",
            "last_hit_utc": "2025-01-05 16:01:23"
        }
    ],
    "5461": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "iKAT_startbar",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html",
            "yara_rule_description": "Tool to hide or unhide the windows startbar from command line - iKAT hack tools - file startbar.exe",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "5462": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "iKAT_tools_nmap",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html",
            "yara_rule_description": "Generic rule for NMAP - based on NMAP 4 standalone",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "5463": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "iKAT_tools_nmap",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html",
            "yara_rule_description": "Generic rule for NMAP - based on NMAP 4 standalone",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "5464": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Imphash_Malware_2_TA17_293A",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-293A",
            "yara_rule_description": "Detects malware based on Imphash of malware used in TA17-293A",
            "last_hit_utc": "2025-12-31 16:54:13"
        }
    ],
    "5465": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IMPLANT_2_v1",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "CORESHELL/SOURFACE Implant by APT28",
            "last_hit_utc": "2024-05-22 23:03:02"
        }
    ],
    "5466": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IMPLANT_2_v15",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "CORESHELL/SOURFACE Implant by APT28",
            "last_hit_utc": "2024-05-22 23:03:02"
        }
    ],
    "5467": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IMPLANT_2_v16",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "CORESHELL/SOURFACE Implant by APT28",
            "last_hit_utc": "2024-05-22 23:03:02"
        }
    ],
    "5468": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IMPLANT_2_v3",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "CORESHELL/SOURFACE Implant by APT28",
            "last_hit_utc": "2024-05-22 23:03:02"
        }
    ],
    "5469": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IMPLANT_3_v1",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "X-Agent/CHOPSTICK Implant by APT28",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "5470": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IMPLANT_4_v10",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "BlackEnergy / Voodoo Bear Implant by APT28",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "5471": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IMPLANT_4_v9",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "BlackEnergy / Voodoo Bear Implant by APT28",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "5472": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "IMPLANT_6_v1",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "Sednit / EVILTOSS Implant by APT28",
            "last_hit_utc": "2025-01-05 17:28:02"
        }
    ],
    "5473": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_EXE_Packed_BoxedApp",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with BoxedApp",
            "last_hit_utc": "2025-06-25 20:46:13"
        }
    ],
    "5474": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_EXE_Packed_KoiVM",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with or using KoiVM",
            "last_hit_utc": "2022-10-11 03:58:03"
        }
    ],
    "5475": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_EXE_Packed_NoobyProtect",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with NoobyProtect",
            "last_hit_utc": "2025-01-05 16:53:49"
        }
    ],
    "5476": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_EXE_Packed_Spices",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with 9Rays.Net Spices.Net Obfuscator.",
            "last_hit_utc": "2024-03-24 17:32:03"
        }
    ],
    "5477": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_EXE_Packed_Spices",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with 9Rays.Net Spices.Net Obfuscator.",
            "last_hit_utc": "2022-08-23 12:15:03"
        }
    ],
    "5478": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_JAVA_Packed_Allatori",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files packed with Allatori Java Obfuscator",
            "last_hit_utc": "2026-02-24 14:08:33"
        }
    ],
    "5479": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-08-01 07:14:04"
        }
    ],
    "5480": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_0537f25a88e24cafdd7919fa301e8146",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 15:08:11"
        }
    ],
    "5481": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_07f9d80b85ceff7ee3f58dc594fe66b6",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-08-31 01:47:04"
        }
    ],
    "5482": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_0a005d2e2bcd4137168217d8c727747c",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 16:46:44"
        }
    ],
    "5483": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_0aa099e64e214d655801ea38ad876711",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-11-03 21:40:04"
        }
    ],
    "5484": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_0b446546c36525bf5f084f6bbbba7097",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-12-12 15:23:03"
        }
    ],
    "5485": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_0d07705fa0e0c4827cc287cfcdec20c4",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-06-25 11:58:20"
        }
    ],
    "5486": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_0f9d91c6aba86f4e54cbb9ef57e68346",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-08-31 01:47:04"
        }
    ],
    "5487": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_1e508bb2398808bc420a5a1f67ba5d0b",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 15:30:42"
        }
    ],
    "5488": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_22367dbefd0a325c3893af52547b14fa",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 16:48:22"
        }
    ],
    "5489": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_3f8d23c136ae9cbeeac7605b24ec0391",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-07-17 14:28:25"
        }
    ],
    "5490": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_51cd5393514f7ace2b407c3dbfb09d8d",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2021-03-01 13:36:44"
        }
    ],
    "5491": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_66390fc17786d4a342f0ee89996d6522",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-03-13 17:59:05"
        }
    ],
    "5492": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_6b0008bbd5eb53f5d9e616c3ed00000008bbd5",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-10-22 07:50:54"
        }
    ],
    "5493": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_CERT_79906faf4fbd75baa10b322356a07f6d",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects NetSupport (client) signed executables",
            "last_hit_utc": "2022-08-25 12:52:04"
        }
    ],
    "5494": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_DECAF",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with DECAF ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "5495": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Rhysida",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Rhysida ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "5496": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Zeppelin",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Zeppelin ransomware",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "5497": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_OLE_Suspicious_MITRE_T1117",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MITRE technique T1117 in OLE documents",
            "last_hit_utc": "2025-01-05 15:26:32"
        }
    ],
    "5498": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_PPT_MasterMana",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects known malicious pattern (MasterMana) in PowerPoint documents.",
            "last_hit_utc": "2022-01-18 09:09:04"
        }
    ],
    "5499": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_RMM_Atera",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Atera. Review RMM Inventory",
            "last_hit_utc": "2025-08-28 13:16:10"
        }
    ],
    "5500": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_RMM_FleetDeck_CERT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects FleetDeck agent by (default) certificate. Review RMM Inventory",
            "last_hit_utc": "2025-01-03 23:13:28"
        }
    ],
    "5501": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_RMM_PDQConnect_Agent_CERT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PDQ Connect Agent by (default) certificate. Review RMM Inventory",
            "last_hit_utc": "2026-03-31 09:24:15"
        }
    ],
    "5502": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_RMM_SplashtopStreamer_CERT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Splashtop Streamer by certificate. Review RMM Inventory",
            "last_hit_utc": "2025-11-25 07:52:23"
        }
    ],
    "5503": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_RTF_Embedded_Excel_SheetMacroEnabled",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RTF documents embedding an Excel sheet with macros enabled. Observed in exploit followed by dropper behavior",
            "last_hit_utc": "2022-03-07 22:30:10"
        }
    ],
    "5504": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_RTF_Equation_BITSAdmin_Downloader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RTF documents that reference both Microsoft Equation Editor and BITSAdmin. Common exploit + dropper behavior.",
            "last_hit_utc": "2022-08-22 07:38:04"
        }
    ],
    "5505": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EnableSMBv1",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects binaries with PowerShell command enabling SMBv1",
            "last_hit_utc": "2022-09-24 09:41:09"
        }
    ],
    "5506": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Anti_WinJail",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables potentially checking for WinJail sandbox window",
            "last_hit_utc": "2022-04-30 01:22:03"
        }
    ],
    "5507": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_TransferSh_URL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing the transfer.sh file sharing website",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "5508": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_JS_Hex_B64Encoded_EXE",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects JavaScript files hex and base64 encoded executables",
            "last_hit_utc": "2021-03-22 07:44:32"
        }
    ],
    "5509": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_PWS_CaptureBrowserPlugins",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell script with browser plugins capture capability",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "5510": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing combination of virtualization drivers",
            "last_hit_utc": "2022-10-27 16:24:24"
        }
    ],
    "5511": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_SUSPICOIUS_EXE_B64_Encoded_UserAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables containing base64 encoded User Agent",
            "last_hit_utc": "2021-07-30 13:26:52"
        }
    ],
    "5512": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_CNC_Earthworm",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Earthworm C&C Windows/macOS tool",
            "last_hit_utc": "2025-08-22 15:16:57"
        }
    ],
    "5513": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_DontSleep",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Keep Host Unlocked (Don't Sleep)",
            "last_hit_utc": "2025-01-03 20:17:11"
        }
    ],
    "5514": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_ENC_DiskCryptor",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect DiskCryptor open encryption solution that offers encryption of all disk partitions",
            "last_hit_utc": "2022-08-19 15:47:02"
        }
    ],
    "5515": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_EXP_EternalBlue",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Windows executables containing EternalBlue exploitation artifacts",
            "last_hit_utc": "2022-04-19 03:33:03"
        }
    ],
    "5516": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_EXP_SharpPrintNightmare",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect SharpPrintNightmare",
            "last_hit_utc": "2023-06-12 20:01:02"
        }
    ],
    "5517": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_EXP_WebLogic",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Windows executables containing WebLogic exploit commands",
            "last_hit_utc": "2025-06-16 16:57:07"
        }
    ],
    "5518": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_KrbRelay",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects KrbRelay",
            "last_hit_utc": "2026-02-22 18:15:42"
        }
    ],
    "5519": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_PET_SharpWMI",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SharpWMI",
            "last_hit_utc": "2026-01-30 13:08:35"
        }
    ],
    "5520": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_PWS_SharpWeb",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "detects all versions of the browser password dumping .NET tool, SharpWeb.",
            "last_hit_utc": "2022-05-05 07:50:03"
        }
    ],
    "5521": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "INDICATOR_TOOL_SCN_PortScan",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a port scanner tool observed as second or third stage post-compromise or dropped by malware.",
            "last_hit_utc": "2023-01-31 15:13:01"
        }
    ],
    "5522": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Industroyer_Malware_4_RID2F74",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/x81cSy",
            "yara_rule_description": "Detects Industroyer related malware",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "5523": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Infostealer_Redline_AVstrings",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-17 05:43:09"
        }
    ],
    "5524": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "infostealer_win_mars_stealer_llcppc",
            "yara_rule_author": null,
            "yara_rule_reference": "https://blog.sekoia.io/mars-a-red-hot-information-stealer/",
            "yara_rule_description": "Identifies samples of Mars Stealer based on the PE section name LLCPPC.",
            "last_hit_utc": "2025-06-21 21:48:46"
        }
    ],
    "5525": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "infrastructure_iclickfix_cluster_ic_tracker_js_javascript1",
            "yara_rule_author": null,
            "yara_rule_reference": "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/",
            "yara_rule_description": "Find the first obfuscated JavaScript of the IClickFix cluster, that contacts the .php?data= URL to download the second JavaScript",
            "last_hit_utc": "2026-04-05 15:09:15"
        }
    ],
    "5526": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "InnoSetupModulev2018",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:41:39"
        }
    ],
    "5527": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "installer",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file installer.cmd",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "5528": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "installer",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file installer.cmd",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "5529": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "InstallShieldCustom",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:41:26"
        }
    ],
    "5530": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Intezer_Iranian_Wipers",
            "yara_rule_author": "Intezer Labs",
            "yara_rule_reference": "https://analyze.intezer.com",
            "yara_rule_description": "Shamoon, ZeroCleare and Dustman",
            "last_hit_utc": "2025-01-03 19:34:55"
        }
    ],
    "5531": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Intezer_Vaccine_Trickbot",
            "yara_rule_author": "Intezer Labs",
            "yara_rule_reference": "https://analyze.intezer.com",
            "yara_rule_description": "Automatic YARA vaccination rule created based on the file's genes",
            "last_hit_utc": "2022-07-08 09:32:47"
        }
    ],
    "5532": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Invoke_WMIExec_Gen_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/Kevin-Robertson/Invoke-TheHash",
            "yara_rule_description": "Detects Invoke-WmiExec or Invoke-SmbExec",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "5533": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Invoke_WMIExec_Gen_1_RID2E57",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Kevin-Robertson/Invoke-TheHash",
            "yara_rule_description": "Detects Invoke-WmiExec or Invoke-SmbExec",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "5534": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ja3transport_tools_01",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:08:18"
        }
    ],
    "5535": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "jar_ratty_w0",
            "yara_rule_author": "[redacted]",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-12-14 20:09:03"
        }
    ],
    "5536": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Java_Shell_js",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Java Shell.js.txt",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "5537": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "jspshall_jsp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file jspshall.jsp.txt",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "5538": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "JspWebshell_1_2_jsp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "5539": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "jsp_reverse_jsp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file jsp-reverse.jsp.txt",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "5540": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "JSSLoader",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies FIN7's JSSLoader.",
            "last_hit_utc": "2021-12-07 21:32:05"
        }
    ],
    "5541": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "js_downloader_gootloader",
            "yara_rule_author": "HP Threat Research @HPSecurity",
            "yara_rule_reference": null,
            "yara_rule_description": "JavaScript downloader known to deliver Gootkit or REvil ransomware",
            "last_hit_utc": "2021-06-15 00:38:37"
        }
    ],
    "5542": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "kacak_asp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file kacak.asp.txt",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "5543": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "karkoff_dnspionaje",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
            "yara_rule_description": "Rule to detect the Karkoff malware",
            "last_hit_utc": "2021-04-04 10:18:40"
        }
    ],
    "5544": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "kawa4096",
            "yara_rule_author": "Franz",
            "yara_rule_reference": null,
            "yara_rule_description": "Kawa Ransomware config rule",
            "last_hit_utc": "2025-08-21 20:26:43"
        }
    ],
    "5545": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "keylogger_spy_dropper",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Keylogger/Spyware dropper Android Malware",
            "last_hit_utc": "2025-09-10 18:30:57"
        }
    ],
    "5546": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Kimsuky_related",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match httpSpy module potentially related to Kimsuky",
            "last_hit_utc": "2025-09-05 06:34:18"
        }
    ],
    "5547": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "KINS_dropper",
            "yara_rule_author": "AlienVault Labs aortega@alienvault.com",
            "yara_rule_reference": "http://goo.gl/arPhm3",
            "yara_rule_description": "Match protocol, process injects and windows exploit present in KINS dropper",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "5548": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "korean_malware",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-22 06:38:35"
        }
    ],
    "5549": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "KPOT_v2",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-04 08:19:23"
        }
    ],
    "5550": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "kv_test2",
            "yara_rule_author": "Kirill",
            "yara_rule_reference": "",
            "yara_rule_description": "test rule 2",
            "last_hit_utc": "2022-09-15 03:56:03"
        }
    ],
    "5551": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "lamashell_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file lamashell.php.txt",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "5552": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Lazarus_oprepjs_javascript",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "JS downloader for Lazarus",
            "last_hit_utc": "2025-09-17 15:06:03"
        }
    ],
    "5553": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "libkeyutils_with_ctor",
            "yara_rule_author": "Marc-Etienne M.L\u00e9veill\u00e9 <leveille@eset.com>",
            "yara_rule_reference": "https://www.welivesecurity.com",
            "yara_rule_description": "This rule detects if a libkeyutils.so shared library has a potentially malicious function to be called when loaded, either via a glibc constructor (DT_INIT + .ctors) or an initializer function in DT_INIT_ARRAY.",
            "last_hit_utc": "2025-07-11 08:40:12"
        }
    ],
    "5554": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "LinuxHacktool_eyes_scanssh",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file scanssh",
            "last_hit_utc": "2025-10-28 13:44:42"
        }
    ],
    "5555": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "LinuxMrBlack",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-12 12:45:44"
        }
    ],
    "5556": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Cryptominer_Camelot_6a279f19",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-05 01:52:07"
        }
    ],
    "5557": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Cryptominer_Generic_e1ff020a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:25:19"
        }
    ],
    "5558": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Cryptominer_Xmrminer_b17a7888",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:25:18"
        }
    ],
    "5559": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Downloader",
            "yara_rule_author": "@P4nd3m1cb0y",
            "yara_rule_reference": "https://x.com/Huntio/status/1823280152845107543",
            "yara_rule_description": "Detects a Linux downloader targeting x64, x86, and arm64 architectures.",
            "last_hit_utc": "2025-08-23 16:12:39"
        }
    ],
    "5560": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Exploit_CVE_2016_5195_3a2ed31b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-23 10:09:48"
        }
    ],
    "5561": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Exploit_CVE_2016_5195_9190d516",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-07 21:20:29"
        }
    ],
    "5562": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Exploit_CVE_2016_5195_9c67a994",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-07 21:20:29"
        }
    ],
    "5563": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Exploit_CVE_2016_5195_b45098df",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-07 21:20:29"
        }
    ],
    "5564": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Exploit_Intfour_0ca45cd3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 23:08:34"
        }
    ],
    "5565": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Generic_Threat_898d9308",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-06 09:09:25"
        }
    ],
    "5566": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Generic_Threat_98bbca63",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-08 20:29:03"
        }
    ],
    "5567": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Generic_Threat_bd35454b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:01:44"
        }
    ],
    "5568": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Hacktool_Flooder_1bf0e994",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-20 17:34:51"
        }
    ],
    "5569": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Hacktool_Flooder_4bcea1c4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 07:05:36"
        }
    ],
    "5570": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "linux_miner_prometei",
            "yara_rule_author": "@_lubiedo",
            "yara_rule_reference": "",
            "yara_rule_description": "Prometei",
            "last_hit_utc": "2021-10-12 18:28:06"
        }
    ],
    "5571": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Ransomware_Akira_27440619",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:19:43"
        }
    ],
    "5572": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Ransomware_BlackBasta_96eb3f20",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 11:04:03"
        }
    ],
    "5573": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Ransomware_Sodinokibi_2883d7cd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-06 05:32:58"
        }
    ],
    "5574": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Rootkit_Generic_5d17781b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-15 15:42:36"
        }
    ],
    "5575": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "linux_royal_ransomware_jan_2024_1",
            "yara_rule_author": "Swachchhanda Shrawan Poudel (Improved by ChatGPT)",
            "yara_rule_reference": "https://bazaar.abuse.ch/sample/b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c/",
            "yara_rule_description": "Detects potentially malicious networking functions used in a Royal ransomware Linux variant. Targeted for early 2024 variants.",
            "last_hit_utc": "2025-01-05 17:47:23"
        }
    ],
    "5576": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_BPFDoor_1a7d804b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-09 20:10:08"
        }
    ],
    "5577": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_BPFDoor_f690fe3b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-25 22:06:32"
        }
    ],
    "5578": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Dropperl_e2443be5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-09 10:55:19"
        }
    ],
    "5579": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Gafgyt_71e487ea",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 18:18:03"
        }
    ],
    "5580": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Generic_181054af",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-09 09:35:27"
        }
    ],
    "5581": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Godropper_bae099bd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:33:44"
        }
    ],
    "5582": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Ircbot_bb204b81",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-12 07:21:02"
        }
    ],
    "5583": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Merlin_55beddd3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-04 09:00:03"
        }
    ],
    "5584": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Meterpreter_1bda891e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-16 10:54:04"
        }
    ],
    "5585": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Meterpreter_383c6708",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-25 04:15:03"
        }
    ],
    "5586": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Meterpreter_a82f5d21",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-16 10:54:04"
        }
    ],
    "5587": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Mirai_1e0c5ce0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 02:49:03"
        }
    ],
    "5588": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Mirai_485c4b13",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-26 14:12:05"
        }
    ],
    "5589": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Mirai_7d05725e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-26 14:12:06"
        }
    ],
    "5590": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Mirai_7e9f85fb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-07 12:20:28"
        }
    ],
    "5591": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Mirai_d8779a57",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-08 13:19:36"
        }
    ],
    "5592": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Rekoobe_b41f70c2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-11 09:59:12"
        }
    ],
    "5593": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Sshdoor_1b443a9b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:04:03"
        }
    ],
    "5594": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Tsunami_0a028640",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-07 13:28:18"
        }
    ],
    "5595": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Tsunami_22646c0d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-20 19:37:15"
        }
    ],
    "5596": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Tsunami_d74d7f0c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-26 01:26:28"
        }
    ],
    "5597": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Linux_Trojan_Xorddos_a6572d63",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 14:01:05"
        }
    ],
    "5598": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt",
            "last_hit_utc": "2025-10-28 13:44:42"
        }
    ],
    "5599": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "LOCK98V10028keenvim",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:12:15"
        }
    ],
    "5600": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "lockergoga",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-04-08 18:15:04"
        }
    ],
    "5601": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/jdferrell3/status/1368626281970024448",
            "yara_rule_description": "Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "5602": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1_RID3C2E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/jdferrell3/status/1368626281970024448",
            "yara_rule_description": "Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "5603": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "LOG_EXPL_ADSelfService_CVE_2021_40539_ADSLOG_Sep21",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
            "yara_rule_description": "Detects suspicious log lines produced during the exploitation of ADSelfService vulnerability CVE-2021-40539",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "5604": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "LokiBot_Dropper_ScanCopyPDF_Feb18",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5",
            "yara_rule_description": "Auto-generated rule - file Scan Copy.pdf.com",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "5605": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "LokiBot_Dropper_ScanCopyPDF_Feb18_RID332E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5",
            "yara_rule_description": "Semiautomatically generated YARA rule - file Scan Copy.pdf.com",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "5606": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "lurm_safemod_on_cgi",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file lurm_safemod_on.cgi.txt",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "5607": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MacOS_Backdoor_Useragent_1a02fc3a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:31:16"
        }
    ],
    "5608": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MacOS_Cryptominer_Generic_333129b7",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:21:37"
        }
    ],
    "5609": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MacOS_Cryptominer_Generic_365ecbb9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-09 19:37:03"
        }
    ],
    "5610": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MacOS_Cryptominer_Xmrig_241780a1",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:22:49"
        }
    ],
    "5611": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MacOS_Trojan_Metasploit_6cab0ec0",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-16 10:54:04"
        }
    ],
    "5612": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "malrtf_ole2link",
            "yara_rule_author": "@h3x2b <tracker _AT h3x.eu>",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects weaponized RTF documents with OLE2Link exploit",
            "last_hit_utc": "2025-01-03 22:30:21"
        }
    ],
    "5613": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_BAT_KoadicBAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Koadic post-exploitation framework BAT payload",
            "last_hit_utc": "2022-06-26 11:10:03"
        }
    ],
    "5614": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "malware_BRC4_code",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Brute Ratel C4",
            "last_hit_utc": "2025-01-03 20:14:48"
        }
    ],
    "5615": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Emotet_OneNote_Delivery_js_Mar23",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://twitter.com/bomccss/status/1636746149855121411",
            "yara_rule_description": "Detects Microsoft OneNote files used to deliver Emotet (.js Payload)",
            "last_hit_utc": "2025-01-05 15:49:14"
        }
    ],
    "5616": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Linux_HelloKitty",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Linux version of HelloKitty ransomware",
            "last_hit_utc": "2025-01-03 20:52:09"
        }
    ],
    "5617": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Linux_RansomExx",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RansomEXX ransomware",
            "last_hit_utc": "2021-12-24 11:47:04"
        }
    ],
    "5618": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Multi_PondRAT",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PondRAT",
            "last_hit_utc": "2025-09-15 14:04:34"
        }
    ],
    "5619": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Malware_QA_not_copy",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file not copy.exe",
            "last_hit_utc": "2025-11-05 08:21:38"
        }
    ],
    "5620": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "malware_sakula_memory",
            "yara_rule_author": "David Cannings",
            "yara_rule_reference": null,
            "yara_rule_description": "Sakula malware - strings after unpacking (memory rule)",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "5621": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "malware_SeaSpy_str",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "malware SeaSpy",
            "last_hit_utc": "2025-01-30 18:42:02"
        }
    ],
    "5622": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "malware_TokyoX_Loader",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "detect TokyoX Loader",
            "last_hit_utc": "2025-10-23 21:34:01"
        }
    ],
    "5623": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_AgnianeStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Agniane infostealer",
            "last_hit_utc": "2025-01-05 16:45:13"
        }
    ],
    "5624": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_BetaBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "BetaBot payload",
            "last_hit_utc": "2025-10-08 22:22:00"
        }
    ],
    "5625": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_BrbBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BrbBot",
            "last_hit_utc": "2024-04-13 13:28:03"
        }
    ],
    "5626": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_ClipBanker02",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects ClipBanker infostealer",
            "last_hit_utc": "2022-01-01 13:31:14"
        }
    ],
    "5627": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_CrimsonRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects CrimsonRAT",
            "last_hit_utc": "2022-10-06 11:39:02"
        }
    ],
    "5628": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_CryLock",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CryLock ransomware",
            "last_hit_utc": "2025-01-03 21:41:28"
        }
    ],
    "5629": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_CryLock",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects CryLock ransomware",
            "last_hit_utc": "2022-09-30 08:09:03"
        }
    ],
    "5630": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_Cuba",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Cuba ransomware",
            "last_hit_utc": "2021-12-24 18:14:06"
        }
    ],
    "5631": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_DarkTrackRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects OzoneRAT / DarkTrack / DarkSky",
            "last_hit_utc": "2022-04-07 08:48:03"
        }
    ],
    "5632": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_DLAgent02",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects known downloader agent downloading encoded binaries in patches from paste-like websites, most notably hastebin",
            "last_hit_utc": "2022-03-31 10:39:02"
        }
    ],
    "5633": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_EXEPWSH_DLAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects downloader agent, using PowerShell",
            "last_hit_utc": "2021-07-09 08:24:03"
        }
    ],
    "5634": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_GarrantDecrypt",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GarrantDecrypt ransomware",
            "last_hit_utc": "2023-04-16 03:00:03"
        }
    ],
    "5635": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_GreetingGhoul",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GreetingGhoul Cryptocurrency Infostealer",
            "last_hit_utc": "2023-09-12 03:20:34"
        }
    ],
    "5636": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_ImminentRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ImminentRAT",
            "last_hit_utc": "2025-01-03 21:09:54"
        }
    ],
    "5637": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_InfinityLock",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects InfinityLock ransomware",
            "last_hit_utc": "2025-01-03 19:39:30"
        }
    ],
    "5638": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_ISRStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "ISRStealer payload",
            "last_hit_utc": "2025-08-19 06:26:36"
        }
    ],
    "5639": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_LegionLocker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects LegionLocker ransomware",
            "last_hit_utc": "2022-09-29 12:34:08"
        }
    ],
    "5640": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_Macoute",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Macoute",
            "last_hit_utc": "2022-07-15 16:42:02"
        }
    ],
    "5641": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_MeterpreterStager",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Meterpreter stager payload",
            "last_hit_utc": "2022-09-20 10:02:05"
        }
    ],
    "5642": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_MountLocker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects MountLocker ransomware",
            "last_hit_utc": "2022-01-09 14:20:06"
        }
    ],
    "5643": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_OzoneRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects OzoneRAT / DarkTrack / DarkSky",
            "last_hit_utc": "2021-05-04 10:06:08"
        }
    ],
    "5644": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_Phorpiex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Phorpiex variants",
            "last_hit_utc": "2024-01-10 14:38:02"
        }
    ],
    "5645": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_PingBack",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PingBack ICMP backdoor",
            "last_hit_utc": "2025-01-05 17:28:03"
        }
    ],
    "5646": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_Poullight",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Poullight infostealer",
            "last_hit_utc": "2021-08-15 04:52:03"
        }
    ],
    "5647": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_QnapCrypt",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects QnapCrypt/Lockedv1/Cryptfile2 ransomware",
            "last_hit_utc": "2023-09-11 16:27:07"
        }
    ],
    "5648": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_Rapid",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Rapid ransomware",
            "last_hit_utc": "2022-11-08 07:42:03"
        }
    ],
    "5649": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_SilentMoon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SilentMoon",
            "last_hit_utc": "2021-10-28 21:10:05"
        }
    ],
    "5650": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_SlothfulMedia",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "SlothfulMedia backdoor payload",
            "last_hit_utc": "2021-07-11 21:29:17"
        }
    ],
    "5651": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_Spectre",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Spectre infostealer",
            "last_hit_utc": "2022-03-23 07:12:13"
        }
    ],
    "5652": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_StrongPity",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects StrongPity",
            "last_hit_utc": "2025-01-05 15:11:45"
        }
    ],
    "5653": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_SunShuttle",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SunShuttle / GoldMax",
            "last_hit_utc": "2021-04-15 22:20:22"
        }
    ],
    "5654": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_Taurus",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Taurus infostealer payload",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "5655": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_TrickbotModule",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Trickbot modules",
            "last_hit_utc": "2025-01-05 16:50:19"
        }
    ],
    "5656": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_UNK04",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unknown malware (proxy tool)",
            "last_hit_utc": "2025-01-03 19:36:19"
        }
    ],
    "5657": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_Vovalex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Vovalex ransomware",
            "last_hit_utc": "2025-01-05 17:05:24"
        }
    ],
    "5658": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MALWARE_Win_Zeppelin",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Zeppelin (Delphi) ransomware",
            "last_hit_utc": "2025-01-23 02:57:02"
        }
    ],
    "5659": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_APT_RocketKitten_Keylogger_RID326D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/SjQhlp",
            "yara_rule_description": "Detects Keylogger used in Rocket Kitten APT",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "5660": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_CN_FlyStudio_May18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects malware / hacktool detected in May 2018",
            "last_hit_utc": "2020-11-17 11:34:17"
        }
    ],
    "5661": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_CRIME_suspicious_hex_string_Jun21_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on parts of a big hex string available in lots of crime'ish PE files.",
            "last_hit_utc": "2023-08-06 10:02:02"
        }
    ],
    "5662": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys",
            "last_hit_utc": "2025-06-16 16:57:07"
        }
    ],
    "5663": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys",
            "last_hit_utc": "2025-06-16 16:57:07"
        }
    ],
    "5664": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_GoziCrypter_Dec20_1",
            "yara_rule_author": "James Quinn",
            "yara_rule_reference": "YaraExchange",
            "yara_rule_description": "Detects crypter associated with several Gozi samples",
            "last_hit_utc": "2021-04-30 12:05:53"
        }
    ],
    "5665": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mal_Infostealer_Win32_Jupyter_Main_Module",
            "yara_rule_author": "BlackBerry Threat Research Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Jupyter main module",
            "last_hit_utc": "2023-09-11 16:27:06"
        }
    ],
    "5666": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021",
            "yara_rule_author": "BlackBerry Threat Research Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Unobfuscated RedLine Infostealer Executables (.NET)",
            "last_hit_utc": "2022-11-24 21:08:04"
        }
    ],
    "5667": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_JAR_SoupDealer_Aug_09",
            "yara_rule_author": "Utku Corbaci / Malwation",
            "yara_rule_reference": "https://www.malwation.com/blog/technical-analysis-of-a-stealth-java-loader-used-in-phishing-campaigns-targeting-turkiye",
            "yara_rule_description": "This rule detects samples that use the SoupDealer loader.",
            "last_hit_utc": "2025-08-13 15:04:25"
        }
    ],
    "5668": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_LNX_LinaDoor_Rootkit_May22",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects LinaDoor Linux Rootkit",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "5669": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_Mars_Stealer_Apr_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://cert.gov.ua/article/38606",
            "yara_rule_description": "Detect Mars infostealer (possible cracked version)",
            "last_hit_utc": "2025-06-21 21:48:45"
        }
    ],
    "5670": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_ME_RawDisk_Agent_Jan20_2_RID30A9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/jfslowik/status/1212501454549741568?s=09",
            "yara_rule_description": "Detects suspicious malware using ElRawDisk",
            "last_hit_utc": "2025-01-03 19:34:55"
        }
    ],
    "5671": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "mal_poshc2_csharp_dropper",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://github.com/nettitude/PoshC2/blob/517903431ab43e6d714b24b0752ba111f5d4c2f1/resources/payload-templates/dropper.cs",
            "yara_rule_description": "Detects a potential PoshC2 C# dropper",
            "last_hit_utc": "2025-03-13 07:26:05"
        }
    ],
    "5672": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "mal_poshc2_csharp_implant_fcomm",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://github.com/nettitude/PoshC2/blob/517903431ab43e6d714b24b0752ba111f5d4c2f1/resources/payload-templates/fcomm.cs",
            "yara_rule_description": "Detects a potential PoshC2 C# implant communicating using files",
            "last_hit_utc": "2025-03-13 07:26:06"
        }
    ],
    "5673": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "mal_poshc2_csharp_implant_pbind",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://github.com/nettitude/PoshC2/blob/517903431ab43e6d714b24b0752ba111f5d4c2f1/resources/payload-templates/pbind.cs",
            "yara_rule_description": "Detects a potential PoshC2 C# implant communicating using named pipes",
            "last_hit_utc": "2025-03-13 07:26:06"
        }
    ],
    "5674": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_Ramnit_May19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/",
            "yara_rule_description": "Detects Ramnit malware",
            "last_hit_utc": "2025-01-03 19:38:56"
        }
    ],
    "5675": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_RANSOM_Ragna_Locker_Apr20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://otx.alienvault.com/indicator/file/c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6",
            "yara_rule_description": "Detects Ragna Locker Ransomware",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "5676": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_RANSOM_Ragna_Locker_Apr20_1_RID3195",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://otx.alienvault.com/indicator/file/c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6",
            "yara_rule_description": "Detects Ragna Locker Ransomware",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "5677": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_Ryuk_Ransomware",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
            "yara_rule_description": "Detects strings known from Ryuk Ransomware",
            "last_hit_utc": "2023-08-11 03:08:03"
        }
    ],
    "5678": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "mal_syscall_hwsyscalls",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://github.com/Dec0ne/HWSyscalls/blob/ff832ed11a95092478eeebb3422fc35c7be7df31/Src/HWSyscalls.cpp",
            "yara_rule_description": "Detects suspicious strings related to the HWSyscalls PoC by Mor Davidovich",
            "last_hit_utc": "2026-03-08 18:07:19"
        }
    ],
    "5679": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_vanquish_RID2BB9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file vanquish.dll",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "5680": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MAL_WebMonitor_RAT",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/",
            "yara_rule_description": "Detects WebMonitor RAT",
            "last_hit_utc": "2020-06-20 10:02:04"
        }
    ],
    "5681": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MassLogger",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "MassLogger",
            "last_hit_utc": "2022-11-16 15:45:03"
        }
    ],
    "5682": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MC_Office_DDE_Command_Execution",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-11-24 15:56:54"
        }
    ],
    "5683": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "mem_webcreds_regexp_xor",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://github.com/orlyjamie/mimikittenz/blob/master/Invoke-mimikittenz.ps1",
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "5684": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "mercurial",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked mercurial malware samples.",
            "last_hit_utc": "2025-08-26 10:09:34"
        }
    ],
    "5685": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Metasploit_Loader_RSMudge",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/rsmudge/metasploit-loader",
            "yara_rule_description": "Detects a Metasploit Loader by RSMudge - file loader.exe",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "5686": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Metasploit_Loader_RSMudge_RID30DF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/rsmudge/metasploit-loader",
            "yara_rule_description": "Detects a Metasploit Loader by RSMudge - file loader.exe",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "5687": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MicroJoiner17coban2k",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:07:00"
        }
    ],
    "5688": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mimikatz_SampleSet_9",
            "yara_rule_author": "Florian Roth - Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Mimikatz Rule generated from a big Mimikatz sample set",
            "last_hit_utc": "2025-06-16 16:57:08"
        }
    ],
    "5689": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mimipenguin_SH_RID2C8D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/huntergregal/mimipenguin",
            "yara_rule_description": "Detects Mimipenguin Password Extractor - Linux",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "5690": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mithril_dllTest",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file dllTest.dll",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "5691": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mithril_dllTest",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file dllTest.dll",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "5692": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mithril_Mithril",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Mithril.exe",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "5693": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mithril_Mithril",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Mithril.exe",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "5694": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mithril_v1_45_dllTest",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file dllTest.dll",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "5695": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mithril_v1_45_dllTest",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file dllTest.dll",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "5696": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Monero_Compromise",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://bartblaze.blogspot.com/2019/11/monero-project-compromised.html",
            "yara_rule_description": "Identifies compromised Monero binaries.",
            "last_hit_utc": "2025-01-03 22:05:43"
        }
    ],
    "5697": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MossadProxy_DDoS_ELF",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": "https://github.com/deepfield/public-research/tree/main/mossadproxy",
            "yara_rule_description": "MossadProxy DDoS bot - native ELF payload (v2.4.9 libproxy.so, v2.5.x libgbc.so)",
            "last_hit_utc": "2026-03-26 19:58:15"
        }
    ],
    "5698": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Msfpayloads_msf",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.sh",
            "last_hit_utc": "2025-01-03 21:11:26"
        }
    ],
    "5699": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Msfpayloads_msf_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.psh",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "5700": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Msfpayloads_msf_5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.msi",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "5701": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Msfpayloads_msf_5_RID2DCD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.msi",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "5702": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Msfpayloads_msf_9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.war - contents",
            "last_hit_utc": "2021-08-17 23:33:03"
        }
    ],
    "5703": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Msfpayloads_msf_psh_RID2EE3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf-psh.vba",
            "last_hit_utc": "2025-10-28 13:44:51"
        }
    ],
    "5704": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Msfpayloads_msf_RID2D39",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.sh",
            "last_hit_utc": "2025-01-03 21:11:26"
        }
    ],
    "5705": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MshtaDownloader",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "5706": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "msil_susp_obf_antidump",
            "yara_rule_author": "dr4k0nia",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-30 00:00:24"
        }
    ],
    "5707": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Multi_Ransomware_BlackCat_e066d802",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-24 07:12:36"
        }
    ],
    "5708": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Multi_Trojan_Mythic_e0ea7ef9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-13 10:51:15"
        }
    ],
    "5709": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Multi_Trojan_Sliver_3bde542d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-16 18:18:01"
        }
    ],
    "5710": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "mysql_shell_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file mysql_shell.php.txt",
            "last_hit_utc": "2025-10-28 13:44:51"
        }
    ],
    "5711": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "MySQL_Web_Interface_Version_0_8_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt",
            "last_hit_utc": "2025-10-28 13:44:51"
        }
    ],
    "5712": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Mythic",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://github.com/its-a-feature/Mythic",
            "yara_rule_description": "Identifies Mythic, a collaborative, multi-platform, red teaming framework.",
            "last_hit_utc": "2026-04-16 11:14:43"
        }
    ],
    "5713": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "nanocore_surveillance_plugin",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-08 14:41:04"
        }
    ],
    "5714": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Nautilus_forensic_artificats",
            "yara_rule_author": "NCSC UK / Florian Roth",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/turla-group-malware",
            "yara_rule_description": "Rule for detection of Nautilus related strings",
            "last_hit_utc": "2025-10-28 13:44:51"
        }
    ],
    "5715": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ncat_Hacktools_CN",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file nc.exe",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "5716": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ncat_Hacktools_CN",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file nc.exe",
            "last_hit_utc": "2025-10-28 13:44:51"
        }
    ],
    "5717": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "NeoLitev20",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-30 20:04:20"
        }
    ],
    "5718": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Netview_Hacktool",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/mubix/netview",
            "yara_rule_description": "Network domain enumeration tool - often used by attackers - file Nv.exe",
            "last_hit_utc": "2025-11-05 08:21:38"
        }
    ],
    "5719": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ngh_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file ngh.php.php.txt",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "5720": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "NikiHTTP",
            "yara_rule_author": "@bartblaze, @nsquar3",
            "yara_rule_reference": "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/",
            "yara_rule_description": "Identifies NikiHTTP, a versatile backdoor by (likely) Kimsuky.",
            "last_hit_utc": "2025-02-09 09:20:45"
        }
    ],
    "5721": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "NionSpy",
            "yara_rule_author": "",
            "yara_rule_reference": "https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector",
            "yara_rule_description": "Triggers on old and new variants of W32/NionSpy file infector",
            "last_hit_utc": "2022-07-15 16:33:02"
        }
    ],
    "5722": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "NSISInstallerNullSoft",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-18 14:40:36"
        }
    ],
    "5723": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "NsPack34NorthStar",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:21:28"
        }
    ],
    "5724": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "NT_Addy_asp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file NT Addy.asp.txt",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "5725": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Obfuscated_IP_Address_in_URL",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam/",
            "yara_rule_description": "Detects hexadecimal and octal IP address representations in URL",
            "last_hit_utc": "2025-09-10 12:34:35"
        }
    ],
    "5726": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "OBFUS_PowerShell_Replace_Tilde",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "https://bazaar.abuse.ch/sample/4c391b57d604c695925938bfc10ceb4673edd64e9655759c2aead9e12b3e17cf/",
            "yara_rule_description": "Detects usage of Replace to replace tilde. Often observed in obfuscation",
            "last_hit_utc": "2022-05-26 18:55:03"
        }
    ],
    "5727": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Office_OLE_DDE",
            "yara_rule_author": "NVISO Labs",
            "yara_rule_reference": "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/",
            "yara_rule_description": "Detects DDE in MS Office documents",
            "last_hit_utc": "2022-06-21 09:06:03"
        }
    ],
    "5728": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "OLE2_AutoOpen_Reversed_Payload",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspiciously reversed payloads in OLE2 objects with auto-open macros",
            "last_hit_utc": "2025-01-03 22:53:00"
        }
    ],
    "5729": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "OPCLEAVER_wndTest",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Backdoor used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "5730": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "OpCloudHopper_Malware_4_RID2FF0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects Operation CloudHopper malware samples",
            "last_hit_utc": "2025-01-03 20:07:00"
        }
    ],
    "5731": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "OSX_backdoor_Bella",
            "yara_rule_author": "John Lambert @JohnLaTwC",
            "yara_rule_reference": "https://twitter.com/JohnLaTwC/status/911998777182924801",
            "yara_rule_description": "Bella MacOS/OSX backdoor",
            "last_hit_utc": "2026-03-23 06:31:15"
        }
    ],
    "5732": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "osx_bella_w0",
            "yara_rule_author": "John Lambert @JohnLaTwC",
            "yara_rule_reference": "https://twitter.com/JohnLaTwC/status/911998777182924801",
            "yara_rule_description": "Bella MacOS/OSX backdoor",
            "last_hit_utc": "2026-03-23 06:31:15"
        }
    ],
    "5733": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "p0wnedListenerConsole",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedListenerConsole.cs",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "5734": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "p0wnedListenerConsole_RID2F78",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedListenerConsole_RID2F78.cs",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "5735": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "p0wnedShellx64_RID2C39",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShellx64_RID2C39.exe",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "5736": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "packager_cve2017_11882",
            "yara_rule_author": "Rich Warren",
            "yara_rule_reference": "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py",
            "yara_rule_description": "Attempts to exploit CVE-2017-11882 using Packager",
            "last_hit_utc": "2023-03-10 05:54:03"
        }
    ],
    "5737": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Pafish",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Paranoid Fish Sandbox Detection",
            "last_hit_utc": "2025-10-04 10:45:39"
        }
    ],
    "5738": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PasswordReminder",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file PasswordReminder.exe",
            "last_hit_utc": "2020-11-30 15:14:36"
        }
    ],
    "5739": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PasswordReminder",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file PasswordReminder.exe",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5740": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PasswordReminder",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file PasswordReminder.exe",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5741": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Pastebin_Webshell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/7dbyZs",
            "yara_rule_description": "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5742": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Pastebin_Webshell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/7dbyZs",
            "yara_rule_description": "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5743": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Pastebin_Webshell_RID2DDC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/7dbyZs",
            "yara_rule_description": "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5744": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "perlbot_pl",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file perlbot.pl.txt",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5745": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHANTASMA_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file PHANTASMA.php.txt",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5746": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "pHpINJ_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file pHpINJ.php.php.txt",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "5747": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "phpjackal_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file phpjackal.php.txt",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "5748": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "phpshell17_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file phpshell17.php.txt",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "5749": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_Backdoor_Connect_pl_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5750": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "php_backdoor_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file php-backdoor.php.txt",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5751": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_Cloaked_Webshell_SuperFetchExec",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/xFvioC",
            "yara_rule_description": "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5752": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_Cloaked_Webshell_SuperFetchExec",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/xFvioC",
            "yara_rule_description": "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5753": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_Cloaked_Webshell_SuperFetchExec_RID347D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/xFvioC",
            "yara_rule_description": "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5754": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "php_hide_wp_plugin_a8b373fb",
            "yara_rule_author": "Taavi E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects WordPress plugins that are trying to hide themselves",
            "last_hit_utc": "2026-01-21 15:48:33"
        }
    ],
    "5755": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "php_include_w_shell_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file php-include-w-shell.php.txt",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5756": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_Obfuscator",
            "yara_rule_author": "@Pro_Integritate",
            "yara_rule_reference": "",
            "yara_rule_description": "PHP Obfuscator, used sometimes by PHP webshells",
            "last_hit_utc": "2022-06-14 07:59:02"
        }
    ],
    "5757": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file shell.php",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5758": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_shell",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file shell.php",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5759": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_Shell_v1_7",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file PHP_Shell_v1.7.php",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "5760": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_Shell_v1_7",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file PHP_Shell_v1.7.php",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "5761": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PHP_Webshell_1_Feb17_RID2DF2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127",
            "yara_rule_description": "Detects a simple cloaked PHP web shell",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "5762": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "phvayvv_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file phvayvv.php.php.txt",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "5763": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Phyton_Shell_py",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Phyton Shell.py.txt",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "5764": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PirateStealer",
            "yara_rule_author": "nwunderly",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-07-08 09:24:01"
        }
    ],
    "5765": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Pirpi_1609_A",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects Pirpi Backdoor - and other malware (generic rule)",
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "5766": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Pirpi_1609_A_RID2AE4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects Pirpi Backdoor - and other malware (generic rule)",
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "5767": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PlugX_EncodedBlob",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-07-01 11:33:02"
        }
    ],
    "5768": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PortRacer",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file PortRacer.exe",
            "last_hit_utc": "2025-10-28 13:44:58"
        }
    ],
    "5769": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "portscan",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file portscan.exe",
            "last_hit_utc": "2025-10-28 13:44:58"
        }
    ],
    "5770": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "poshc2_clipboardlogger_ps1_v1",
            "yara_rule_author": "e24111111111111",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:21:55"
        }
    ],
    "5771": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "pos_memory_scrapper_",
            "yara_rule_author": "@patrickrolsen",
            "yara_rule_reference": null,
            "yara_rule_description": "POS Memory Scraper",
            "last_hit_utc": "2025-01-05 17:28:04"
        }
    ],
    "5772": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Prikormka",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "5773": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "privateloader",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PrivateLoader malware.",
            "last_hit_utc": "2025-01-03 19:32:26"
        }
    ],
    "5774": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "private_string_search",
            "yara_rule_author": "Researcher_Name",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunting for specific text strings",
            "last_hit_utc": "2026-04-19 01:27:32"
        }
    ],
    "5775": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ProcessInjector_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c",
            "yara_rule_description": "Detects a process injection utility that can be used for good and bad purposes",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "5776": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Prometei_PDB",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei",
            "yara_rule_description": "Identifies debug paths for Prometei botnet.",
            "last_hit_utc": "2026-04-07 18:59:33"
        }
    ],
    "5777": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ps1_powerbrace_w0",
            "yara_rule_author": "NTT Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect PowerBrace PowerShell backdoor",
            "last_hit_utc": "2025-06-16 15:33:54"
        }
    ],
    "5778": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_8899",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys",
            "last_hit_utc": "2025-08-21 05:29:37"
        }
    ],
    "5779": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PurpleFox_Dropper",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies PurpleFox aka DirtyMoe botnet, dropper CAB or MSI package.",
            "last_hit_utc": "2025-01-05 16:27:16"
        }
    ],
    "5780": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PwDump_B",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - file PwDump.exe",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "5781": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "PwDump_B_RID2A0F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - file PwDump.exe",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "5782": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "QuarksPwDump_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects all QuarksPWDump versions",
            "last_hit_utc": "2025-10-28 13:45:02"
        }
    ],
    "5783": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "QuarksPwDump_Gen_RID2D5E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects all QuarksPWDump versions",
            "last_hit_utc": "2025-10-28 13:45:02"
        }
    ],
    "5784": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "raccoon_stealer",
            "yara_rule_author": "Yakov Goldberg",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect variants of Raccoon Stealer v2",
            "last_hit_utc": "2023-09-24 10:41:03"
        }
    ],
    "5785": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RangeScan",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file RangeScan.exe",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "5786": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RangeScan",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file RangeScan.exe",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "5787": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ransomware_Win32_NebulaRun",
            "yara_rule_author": "github.com/keegan31",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NebulaRun Ransomware variant",
            "last_hit_utc": "2026-03-30 14:12:17"
        }
    ],
    "5788": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ransom_Linux_HelloKitty_0721",
            "yara_rule_author": "Christiaan @ ATR",
            "yara_rule_reference": null,
            "yara_rule_description": "rule to detect Linux variant of the Hello Kitty Ransomware",
            "last_hit_utc": "2025-10-28 13:45:02"
        }
    ],
    "5789": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RANSOM_mountlocker",
            "yara_rule_author": "McAfee ATR Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule to detect Mount Locker ransomware",
            "last_hit_utc": "2022-01-09 14:20:06"
        }
    ],
    "5790": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RANSOM_RYUK_May2021",
            "yara_rule_author": "Marc Elias | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect latest May 2021 compiled Ryuk variant",
            "last_hit_utc": "2025-01-05 16:54:34"
        }
    ],
    "5791": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAN_BlackBasta_Dec_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://www.zscaler.com/blogs/security-research/back-black-basta",
            "yara_rule_description": "Detect the BlackBasta ransomware (DLL v2)",
            "last_hit_utc": "2025-07-25 03:05:34"
        }
    ],
    "5792": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAN_ELF_Conti_Dec_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect ELF version of Conti ransomware",
            "last_hit_utc": "2025-01-05 16:18:29"
        }
    ],
    "5793": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAN_ELF_HelloKitty_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect the ELF version of HelloKitty ransomware",
            "last_hit_utc": "2025-01-03 20:52:10"
        }
    ],
    "5794": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAN_ELF_REvil_Jun_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect the ELF version of REvil ransomware",
            "last_hit_utc": "2025-06-06 05:32:58"
        }
    ],
    "5795": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAN_Lockbit_Green_Jan_2023_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://github.com/prodaft/malware-ioc/blob/master/LockBit/green.md",
            "yara_rule_description": "Detect the green variant used by lockbit group (x86)",
            "last_hit_utc": "2023-12-10 01:21:04"
        }
    ],
    "5796": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ran_Pay2Key_Nov_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect Pay2Key ransomware",
            "last_hit_utc": "2021-12-24 19:33:10"
        }
    ],
    "5797": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAN_Yanluowang_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect Yanluowang ransomware",
            "last_hit_utc": "2022-10-13 09:37:02"
        }
    ],
    "5798": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAT_AAR",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/AAR",
            "yara_rule_description": "Detects AAR RAT",
            "last_hit_utc": "2025-06-22 22:07:43"
        }
    ],
    "5799": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAT_adWind",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/adWind",
            "yara_rule_description": "Detects Adwind RAT",
            "last_hit_utc": "2025-10-28 13:45:02"
        }
    ],
    "5800": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAT_LuxNet",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/LuxNet",
            "yara_rule_description": "Detects LuxNet RAT",
            "last_hit_utc": "2021-01-05 07:22:12"
        }
    ],
    "5801": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAT_Paradox",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Paradox",
            "yara_rule_description": "Detects Paradox RAT",
            "last_hit_utc": "2025-10-28 13:45:03"
        }
    ],
    "5802": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAT_ShadowTech",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/ShadowTech",
            "yara_rule_description": "Detects ShadowTech RAT",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "5803": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RAT_VirusRat",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/VirusRat",
            "yara_rule_description": "Detects VirusRAT",
            "last_hit_utc": "2022-06-18 11:49:02"
        }
    ],
    "5804": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RDP_Brute_Strings",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
            "yara_rule_description": "Detects RDP brute forcer from NCSC report",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "5805": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rdrbs084",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file rdrbs084.exe",
            "last_hit_utc": "2025-10-28 13:45:04"
        }
    ],
    "5806": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rdrbs084",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file rdrbs084.exe",
            "last_hit_utc": "2025-10-28 13:45:04"
        }
    ],
    "5807": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rdrbs100",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file rdrbs100.exe",
            "last_hit_utc": "2025-10-28 13:45:04"
        }
    ],
    "5808": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rdrbs100",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file rdrbs100.exe",
            "last_hit_utc": "2025-10-28 13:45:04"
        }
    ],
    "5809": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ReactOS_cmd_valid",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php",
            "yara_rule_description": "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "5810": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Reader_asp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Reader.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:04"
        }
    ],
    "5811": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "REDLEAVES_CoreImplant_UniqueStrings",
            "yara_rule_author": "USG",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-117A",
            "yara_rule_description": "Strings identifying the core REDLEAVES RAT in its deobfuscated state",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "5812": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Reflective_DLL_Loader_Aug17_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Reflective DLL Loader - suspicious - Possible FP could be program crack",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "5813": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "REGEORG_Tuneller_generic",
            "yara_rule_author": "Mandiant",
            "yara_rule_reference": "https://www.mandiant.com/resources/unc3524-eye-spy-email",
            "yara_rule_description": "",
            "last_hit_utc": "2022-09-12 01:29:03"
        }
    ],
    "5814": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Regin_Related_Malware",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Malware Sample - maybe Regin related",
            "last_hit_utc": "2023-01-31 15:13:01"
        }
    ],
    "5815": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Regin_Related_Malware",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Malware Sample - maybe Regin related",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "5816": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Rem_View_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Rem View.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "5817": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "REvilLinux",
            "yara_rule_author": "AlienLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "REvil Linux",
            "last_hit_utc": "2025-06-06 05:32:58"
        }
    ],
    "5818": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "REvilLinux",
            "yara_rule_author": "AlienLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "REvil Linux",
            "last_hit_utc": "2021-12-24 00:24:06"
        }
    ],
    "5819": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RkNTLoad",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file RkNTLoad.exe",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5820": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RkNTLoad",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file RkNTLoad.exe",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5821": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rknt_zip_Folder_RkNT",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file RkNT.dll",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5822": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rknt_zip_Folder_RkNT",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file RkNT.dll",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "5823": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RocketKitten_Keylogger",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/SjQhlp",
            "yara_rule_description": "Detects Keylogger used in Rocket Kitten APT",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "5824": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rondodox_elf_multiarch",
            "yara_rule_author": "Anish Bogati",
            "yara_rule_reference": "https://bazaar.abuse.ch/sample/3b02c502a23b26e4d76850cd524041ae16d282431f62a2c07564cf1c3d29a9d5/",
            "yara_rule_description": "Detects RondoDox (Rondo) botnet ELF multi architecture variants",
            "last_hit_utc": "2025-12-18 23:44:13"
        }
    ],
    "5825": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rootshell_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file rootshell.php.txt",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5826": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ropo_dropper_v1",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-04 07:28:02"
        }
    ],
    "5827": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RottenPotato_Potato_RID2EDA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/foxglovesec/RottenPotato",
            "yara_rule_description": "Detects a component of privilege escalation tool Rotten Potato - file Potato.exe",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "5828": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RoyalRoad_encode_in_RTF",
            "yara_rule_author": "nao_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2022-07-08 14:22:03"
        }
    ],
    "5829": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rst_sql_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file rst_sql.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5830": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "rtf_cve2017_11882_ole",
            "yara_rule_author": "John Davison",
            "yara_rule_reference": "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about",
            "yara_rule_description": "Attempts to identify the exploit CVE 2017 11882",
            "last_hit_utc": "2026-03-07 07:11:16"
        }
    ],
    "5831": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ru24_post_sh_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file ru24_post_sh.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5832": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RUAG_APT_Malware_Gen1_RID2E56",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects malware used in the RUAG APT case",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5833": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "RUAG_APT_Malware_Gen2_RID2E57",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects malware used in the RUAG APT case",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5834": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ryuk",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Ryuk Payload",
            "last_hit_utc": "2023-03-09 18:23:03"
        }
    ],
    "5835": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ryuk",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Ryuk Payload",
            "last_hit_utc": "2022-02-17 12:08:05"
        }
    ],
    "5836": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "s72_Shell_v1_1_Coding_html",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5837": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5838": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SafeNet",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "SafeNet family",
            "last_hit_utc": "2025-01-05 17:28:04"
        }
    ],
    "5839": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SafeNetStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Strings used by SafeNet",
            "last_hit_utc": "2025-01-05 17:28:04"
        }
    ],
    "5840": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "5841": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Satan_Mutexes",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html",
            "yara_rule_description": "Identifies Satan ransomware (and its variants) by mutex.",
            "last_hit_utc": "2025-01-05 16:00:35"
        }
    ],
    "5842": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ScareCrow_Malware",
            "yara_rule_author": "schmidtsz",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify ScareCrow/GoShell samples",
            "last_hit_utc": "2025-01-05 17:25:41"
        }
    ],
    "5843": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "screencap",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file screencap.exe",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "5844": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "screencap",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file screencap.exe",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "5845": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SecurityXploded_Producer_String",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://securityxploded.com/browser-password-dump.php",
            "yara_rule_description": "Detects hacktools by SecurityXploded",
            "last_hit_utc": "2024-01-27 02:27:03"
        }
    ],
    "5846": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SedrecoPayload",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:37:07"
        }
    ],
    "5847": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "sendmail",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file sendmail.exe",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "5848": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "sendmail",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file sendmail.exe",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "5849": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Sfile",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Sfile aka Escal ransomware.",
            "last_hit_utc": "2025-01-05 16:40:56"
        }
    ],
    "5850": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Sfile",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Sfile aka Escal ransomware.",
            "last_hit_utc": "2021-12-23 08:05:36"
        }
    ],
    "5851": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ShadowTech",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "5852": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shankar_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file shankar.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "5853": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SharpAdidnsdump",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities",
            "yara_rule_description": "Identifies SharpAdidnsdump, which allows for AD integrated DNS dumping and also abused by attackers such as Storm-2603.",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "5854": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shelltools_g0t_root_Fport",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Fport.exe",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "5855": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shelltools_g0t_root_Fport",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Fport.exe",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "5856": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shelltools_g0t_root_HideRun",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file HideRun.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "5857": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shelltools_g0t_root_HideRun",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file HideRun.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "5858": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shelltools_g0t_root_resolve",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file resolve.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "5859": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shelltools_g0t_root_resolve",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file resolve.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "5860": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shelltools_g0t_root_xwhois",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file xwhois.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "5861": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shelltools_g0t_root_xwhois",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file xwhois.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "5862": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "shell_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file shell.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "5863": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "sh_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file sh.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "5864": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "sig_238_fscan",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file fscan.exe",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "5865": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "sig_238_fscan",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file fscan.exe",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "5866": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SimpleTea",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "attempts to match strings/instructions found in SimpleTea",
            "last_hit_utc": "2025-09-15 14:04:34"
        }
    ],
    "5867": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "simple_backdoor_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file simple-backdoor.php.txt",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "5868": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Simple_PHP_BackDooR",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Simple_PHP_BackDooR.php",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "5869": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Simple_PHP_BackDooR",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Simple_PHP_BackDooR.php",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "5870": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Simple_PHP_BackDooR_RID2E06",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file Simple_PHP_BackDooR_RID2E06.php",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "5871": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SimShell_1_0___Simorgh_Security_MGZ_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "5872": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Sincap_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Sincap.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "5873": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "small_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file small.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "5874": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Smartniff",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file Smartniff.exe",
            "last_hit_utc": "2023-11-24 22:18:37"
        }
    ],
    "5875": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Smartniff_RID2ABB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file Smartniff_RID2ABB.exe",
            "last_hit_utc": "2025-01-05 16:56:10"
        }
    ],
    "5876": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Snake_Keylogger_SMTP_enabled",
            "yara_rule_author": "@lsepaolo",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects whether the Snake keylogger specimen uses SMTP as exfiltration method",
            "last_hit_utc": "2025-02-10 22:03:19"
        }
    ],
    "5877": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Socelars_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/6cd9a083-44e6-48e2-9c21-355c35cb9a57",
            "yara_rule_description": "Socelars stealer",
            "last_hit_utc": "2022-09-13 07:00:04"
        }
    ],
    "5878": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SocGholish_Custom_Base64",
            "yara_rule_author": "Ankit Anubhav -ankitanubhav.info",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects custom base64 used by SocGholish",
            "last_hit_utc": "2022-08-04 20:08:04"
        }
    ],
    "5879": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SoftComp1xBGSoftPT",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-23 21:36:03"
        }
    ],
    "5880": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SoftSentryv211",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-16 15:25:04"
        }
    ],
    "5881": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SoftwareCompressBGSoftware",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-23 21:36:03"
        }
    ],
    "5882": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SoftwareCompressV12BGSoftwareProtectTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-23 21:36:03"
        }
    ],
    "5883": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SoftwareCompressv14LITEBGSoftwareProtectTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:26:43"
        }
    ],
    "5884": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SparklingGoblin_Mutex",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
            "yara_rule_description": "SparklingGoblin ChaCha20 loaders mutexes",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "5885": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ssh_server_with_hardcoded_private_key",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:07:28"
        }
    ],
    "5886": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SteelClover_PowerShell_str",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "PowerShell in SteelClover",
            "last_hit_utc": "2025-01-03 21:47:35"
        }
    ],
    "5887": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "STNC_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file STNC.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "5888": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "StoneDrill_main_sub",
            "yara_rule_author": "Kaspersky Lab",
            "yara_rule_reference": "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/",
            "yara_rule_description": "Rule to detect StoneDrill (decrypted) samples",
            "last_hit_utc": "2022-03-10 04:50:09"
        }
    ],
    "5889": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "StormDNS",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities",
            "yara_rule_description": "Identifies StormDNS, a DNS shell used by Storm-260 to receive and execute commands from a C2.",
            "last_hit_utc": "2025-08-06 20:05:55"
        }
    ],
    "5890": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "strongpity",
            "yara_rule_author": "christalib & TeK",
            "yara_rule_reference": "Detects possible StrongPity Dropper Sample Nov 2020",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:11:46"
        }
    ],
    "5891": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Stuxnet_Malware_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample",
            "last_hit_utc": "2025-03-06 22:27:10"
        }
    ],
    "5892": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SuspiciousDll",
            "yara_rule_author": "martclau",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SolarWinds Orion backdoor",
            "last_hit_utc": "2022-10-27 16:48:20"
        }
    ],
    "5893": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "suspicious_sfx_files_size_rule",
            "yara_rule_author": "Razvan.A.B",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious files containing sfx",
            "last_hit_utc": "2025-01-05 15:00:58"
        }
    ],
    "5894": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_Base64_Encoded_Hacktool_Dev_RID32C3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1270626274826911744",
            "yara_rule_description": "Detects a suspicious base64 encoded keyword",
            "last_hit_utc": "2025-11-05 08:22:45"
        }
    ],
    "5895": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_BAT2EXE_BDargo_Converted_BAT",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.majorgeeks.com/files/details/advanced_bat_to_exe_converter.html",
            "yara_rule_description": "Detects binaries created with BDARGO Advanced BAT to EXE converter",
            "last_hit_utc": "2025-01-05 15:07:40"
        }
    ],
    "5896": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_Doc_RTF_OLE2Link_Jun22",
            "yara_rule_author": "Christian Burkard",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious pattern in RTF files which downloads external resources",
            "last_hit_utc": "2025-01-03 22:30:21"
        }
    ],
    "5897": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_DropperBackdoor_Keywords",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
            "yara_rule_description": "Detects suspicious keywords that indicate a backdoor",
            "last_hit_utc": "2021-04-04 10:18:40"
        }
    ],
    "5898": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_LNK_Staging_Directory",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects typical staging directories being referenced inside lnk files",
            "last_hit_utc": "2022-04-12 09:59:01"
        }
    ],
    "5899": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/cglyer/status/1570965878480719873",
            "yara_rule_description": "Detects typical stealer output files as created by RedLine or Raccoon stealer",
            "last_hit_utc": "2025-01-10 12:49:03"
        }
    ],
    "5900": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_Microsoft_7z_SFX_Combo_RID3120",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious file that has a Microsoft copyright and is a 7z SFX",
            "last_hit_utc": "2022-11-04 18:29:03"
        }
    ],
    "5901": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_Microsoft_RAR_SFX_Combo",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious file that has a Microsoft copyright and is a RAR SFX",
            "last_hit_utc": "2024-05-11 11:36:03"
        }
    ],
    "5902": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_Microsoft_RAR_SFX_Combo_RID3154",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious file that has a Microsoft copyright and is a RAR SFX",
            "last_hit_utc": "2024-05-11 11:36:03"
        }
    ],
    "5903": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_NK_MAL_M_Hunting_POOLRAT",
            "yara_rule_author": "Mandiant",
            "yara_rule_reference": "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
            "yara_rule_description": "Detects strings found in POOLRAT malware",
            "last_hit_utc": "2025-10-28 13:45:12"
        }
    ],
    "5904": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_Obfuscted_PowerShell_Code",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/silv0123/status/1073072691584880640",
            "yara_rule_description": "Detects obfuscated PowerShell Code",
            "last_hit_utc": "2025-07-13 20:58:21"
        }
    ],
    "5905": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_Obfuscted_PowerShell_Code_RID3298",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/silv0123/status/1073072691584880640",
            "yara_rule_description": "Detects obfuscated PowerShell Code",
            "last_hit_utc": "2025-07-13 20:58:21"
        }
    ],
    "5906": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_PowerShell_Download_Temp_Rundll",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect a Download to %temp% and execution with rundll32.exe",
            "last_hit_utc": "2022-10-11 03:58:03"
        }
    ],
    "5907": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_PY_Import_Statement_Apr24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
            "yara_rule_description": "Detects suspicious Python import statement and socket usage often found in Python reverse shells",
            "last_hit_utc": "2025-10-28 13:45:12"
        }
    ],
    "5908": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_WordDoc_VBA_Macro_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious strings in Word Doc that indicate malicious use of VBA macros",
            "last_hit_utc": "2024-02-14 20:44:03"
        }
    ],
    "5909": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "SUSP_WordDoc_VBA_Macro_Strings_RID323F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious strings in Word Doc that indicate malicious use of VBA macros",
            "last_hit_utc": "2024-02-14 20:44:03"
        }
    ],
    "5910": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "svchostdll",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file svchostdll.dll",
            "last_hit_utc": "2025-10-28 13:45:13"
        }
    ],
    "5911": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "svchostdll",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file svchostdll.dll",
            "last_hit_utc": "2025-10-28 13:45:13"
        }
    ],
    "5912": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "svc_clipper",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "SVC Stealer Clipper Payload",
            "last_hit_utc": "2025-03-07 15:27:11"
        }
    ],
    "5913": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "S_MultiFunction_Scanners_s",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file s.exe",
            "last_hit_utc": "2020-11-17 11:34:18"
        }
    ],
    "5914": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Tedroo",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "Tedroo Spammer",
            "last_hit_utc": "2020-12-12 06:45:05"
        }
    ],
    "5915": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "test_1",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "test1",
            "last_hit_utc": "2021-10-20 06:40:58"
        }
    ],
    "5916": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "test_adw_90db6c59",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-20 15:33:56"
        }
    ],
    "5917": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "thelast_orice2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file orice2.php",
            "last_hit_utc": "2025-10-28 13:45:14"
        }
    ],
    "5918": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "thelast_orice2",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file orice2.php",
            "last_hit_utc": "2025-10-28 13:45:14"
        }
    ],
    "5919": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "thelast_orice2_RID2CA9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file orice2.php",
            "last_hit_utc": "2025-10-28 13:45:14"
        }
    ],
    "5920": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "tick_xxmm_parts",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "xxmm malware",
            "last_hit_utc": "2025-01-05 17:28:04"
        }
    ],
    "5921": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Tool_asp",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file Tool.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:14"
        }
    ],
    "5922": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Tool_EFSPotatoe_Aug_2021_2",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect EFSPotatoe tool (Generic rule)",
            "last_hit_utc": "2023-07-16 07:41:03"
        }
    ],
    "5923": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Truncated_win10_x64_NativeSysCall",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "",
            "yara_rule_description": "hunt of at least 3 occurrences of truncated win10 x64 NativeSyscall",
            "last_hit_utc": "2022-11-04 18:23:03"
        }
    ],
    "5924": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Turla_APT_Malware_Gen3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects Turla malware (based on sample used in the RUAG APT case)",
            "last_hit_utc": "2025-11-05 08:21:40"
        }
    ],
    "5925": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Txt_aspx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - Webshells - file aspx.jpg",
            "last_hit_utc": "2024-01-05 22:26:03"
        }
    ],
    "5926": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "UACME_Akagi",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/hfiref0x/UACME",
            "yara_rule_description": "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "5927": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "UACME_Akagi_RID2AB8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/hfiref0x/UACME",
            "yara_rule_description": "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "5928": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "UCI",
            "yara_rule_author": "@johnk3r",
            "yara_rule_reference": "https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil",
            "yara_rule_description": "Detects LATAM TRJ_Banker JANELEIRO",
            "last_hit_utc": "2025-06-16 15:41:48"
        }
    ],
    "5929": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "unknown_exploit",
            "yara_rule_author": "evilcel3ri",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-07 12:54:03"
        }
    ],
    "5930": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Unpack_Injectt",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Injectt.exe",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "5931": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Unpack_Injectt",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file Injectt.exe",
            "last_hit_utc": "2025-10-28 13:45:15"
        }
    ],
    "5932": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Upackv032BetaDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:36:38"
        }
    ],
    "5933": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "UPX072",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:28:43"
        }
    ],
    "5934": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "vanquish",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file vanquish.dll",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "5935": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "vanquish",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file vanquish.dll",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "5936": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "vanquish_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file vanquish.exe",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "5937": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "vanquish_2",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file vanquish.exe",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "5938": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "viotto_keylogger",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-06 06:46:51"
        }
    ],
    "5939": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "w3d_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file w3d.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "5940": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "warfiles_cmd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://laudanum.inguardians.com/",
            "yara_rule_description": "Laudanum Injector Tools - file cmd.jsp",
            "last_hit_utc": "2025-04-27 12:13:09"
        }
    ],
    "5941": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WARNINGTROJANHuiGeZi",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-22 09:27:02"
        }
    ],
    "5942": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "wce",
            "yara_rule_author": "Benjamin DELPY (gentilkiwi)",
            "yara_rule_reference": null,
            "yara_rule_description": "wce",
            "last_hit_utc": "2025-01-03 23:04:42"
        }
    ],
    "5943": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WCE_Modified_1_1014",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Modified (packed) version of Windows Credential Editor",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "5944": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WCE_Modified_1_1014",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Modified (packed) version of Windows Credential Editor",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "5945": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_000_403_807_a_c5_config_css_dm_he1p_xxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "5946": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_000_403_807_a_c5_config_css_dm_he1p_xxx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "5947": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "5948": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "5949": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_2008_2009lite_2009mssql",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "5950": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_2008_2009lite_2009mssql",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "5951": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_2008_2009lite_2009mssql_RID31A2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php",
            "last_hit_utc": "2025-11-25 20:48:17"
        }
    ],
    "5952": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Ajan_asp_RID2DC3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Ajan.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "5953": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_ak74shell_php_php_RID3143",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file ak74shell.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "5954": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_AK_74_Security_Team_Web_Shell_Beta_Version",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "5955": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_AK_74_Security_Team_Web_Shell_Beta_Version",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "5956": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_AK_74_Security_Team_Web_Shell_Beta_Version_RID3A6D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "5957": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Antichat_Shell_v1_3_php_RID3368",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Antichat Shell v1.3.php.txt",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "5958": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Antichat_Socks5_Server_php_php_RID368D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "5959": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Asmodeus_v0_1_pl_RID30B7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Asmodeus v0.1.pl.txt",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "5960": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_aspydrv_asp_RID2F52",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file aspydrv.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "5961": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_asp_404",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file 404.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5962": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_asp_404",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file 404.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5963": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_asp_404_RID2CE1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file 404.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5964": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_ASP_aspydrv",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file aspydrv.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5965": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_ASP_aspydrv",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file aspydrv.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5966": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_ASP_aspydrv_RID2EF2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file aspydrv.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5967": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_asp_EFSO_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file EFSO_2.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5968": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_asp_EFSO_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file EFSO_2.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5969": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_asp_EFSO_2_RID2E07",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file EFSO_2.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5970": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_asp_ice",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file ice.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5971": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_asp_ice",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file ice.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5972": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_asp_ice_RID2D7A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file ice.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5973": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_asp_up",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file up.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5974": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_asp_up",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file up.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5975": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_asp_up_RID2D2E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file up.asp",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "5976": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "5977": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "5978": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html_RID39CD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "5979": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_aZRaiLPhp_v1_0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "5980": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_aZRaiLPhp_v1_0_php_RID312D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "5981": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_aZRaiLPhp_v1_0_RID2F66",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "5982": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_B374kPHP_B374k",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file B374k.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5983": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_B374kPHP_B374k",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file B374k.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5984": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_B374kPHP_B374k_RID2E83",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file B374k.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5985": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_b374k_mini_shell_php_php",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5986": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_b374k_mini_shell_php_php",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "5987": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_b374k_mini_shell_php_php_RID33C2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5988": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_b374k_php",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file b374k.php.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5989": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_b374k_php",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file b374k.php.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5990": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_b374k_php_RID2D98",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file b374k.php.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5991": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_backdoor1_php_RID2FC3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file backdoor1.php.txt",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5992": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_backdoorfr_php_RID306A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file backdoorfr.php.txt",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5993": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_backupsql",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file backupsql.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5994": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_backupsql",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file backupsql.php",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5995": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp",
            "last_hit_utc": "2025-10-28 13:45:22"
        }
    ],
    "5996": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "5997": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_bypass_iisuser_p",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file bypass-iisuser-p.asp",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "5998": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_bypass_iisuser_p",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file bypass-iisuser-p.asp",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "5999": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_bypass_iisuser_p_RID316A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file bypass-iisuser-p.asp",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "6000": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_c99madshell_v2_0_php_php_RID33A9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file c99madshell_v2.0.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "6001": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_c99php_NIX_REMOTE_WEB_SHELL_RID3350",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "6002": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_caidao_shell_404",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file 404.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6003": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_caidao_shell_404",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file 404.php",
            "last_hit_utc": "2025-10-28 13:45:23"
        }
    ],
    "6004": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_caidao_shell_404_RID3075",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file 404.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6005": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_caidao_shell_ice_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file ice.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6006": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_caidao_shell_ice_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file ice.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6007": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_caidao_shell_ice_2_RID319F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file ice.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6008": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Casus15_php_php_RID3059",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Casus15.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6009": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_CasuS_1_5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file CasuS 1.5.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6010": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_CasuS_1_5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file CasuS 1.5.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6011": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_cgitelnet",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file cgitelnet.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6012": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_cgitelnet",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file cgitelnet.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6013": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_cgitelnet_RID2E45",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file cgitelnet.php",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6014": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_cgi_python_py_RID3022",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file cgi-python.py.txt",
            "last_hit_utc": "2025-10-28 13:45:24"
        }
    ],
    "6015": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_cihshell_fix",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file cihshell_fix.php",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6016": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_cihshell_fix",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file cihshell_fix.php",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6017": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_cihshell_fix_RID2F98",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file cihshell_fix.php",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6018": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_CmdAsp_asp_php",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file CmdAsp.asp.php.txt",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6019": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_CmdAsp_asp_php",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file CmdAsp.asp.php.txt",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6020": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_CmdAsp_asp_RID2E81",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file CmdAsp.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6021": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_cmdjsp_jsp_RID2ED3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file cmdjsp.jsp.txt",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6022": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_CN_Hacktools_tools_asp_RID3371",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "xfocus.net",
            "yara_rule_description": "Chinese Hacktool Archive - file asp.asp",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6023": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_connectback2_pl_RID308E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file connectback2.pl.txt",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6024": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_connector_ASP_RID2FB4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file connector.asp",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6025": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_csh_php_php_RID2F32",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file csh.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6026": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_css_dm_he1p_xxx_RID30B3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects Web Shell from tennc webshell repo",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6027": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WEBSHELL_CVE_2021_27065_Webshells",
            "yara_rule_author": "Joe Hannon, Microsoft Threat Intelligence Center (MSTIC)",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
            "yara_rule_description": "Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE",
            "last_hit_utc": "2025-01-05 16:47:39"
        }
    ],
    "6028": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_cyberlords_sql_php_php_RID33DC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file cyberlords_sql.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6029": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_DarkSpy105_RID2DFA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file DarkSpy105.exe",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6030": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_dC3_Security_Crew_Shell_PRiV",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6031": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_dC3_Security_Crew_Shell_PRiV",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6032": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_dC3_Security_Crew_Shell_PRiV_RID351E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php",
            "last_hit_utc": "2025-10-28 13:45:25"
        }
    ],
    "6033": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_dev_core",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file dev_core.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6034": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_dev_core",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file dev_core.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6035": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_dev_core_RID2DED",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file dev_core.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6036": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6037": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6038": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Dive_Shell_1_0___Emperor_Hacking_Team_php_RID3A3C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6039": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Dive_Shell_Emperor_Hacking_Team_RID36B8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6040": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_DTool_Pro",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file DTool Pro.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6041": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_DTool_Pro",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file DTool Pro.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6042": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Dx_Dx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file Dx.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6043": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Dx_Dx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file Dx.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6044": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Dx_Dx_RID2C7D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file Dx.php",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6045": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Dx_php_php_RID2EB0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Dx.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6046": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_EFSO_2_asp_RID2E07",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file EFSO_2.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6047": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_elmaliseker_asp_RID30D7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file elmaliseker.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "6048": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_elmaliseker_RID2F34",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file elmaliseker.asp",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6049": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Expdoor_com_ASP",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file Expdoor.com ASP.asp",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6050": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Expdoor_com_ASP",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file Expdoor.com ASP.asp",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6051": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Expdoor_com_ASP_RID3068",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file Expdoor.com ASP.asp",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6052": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_FeliksPack3___PHP_Shells_phpft_RID3606",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file phpft.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6053": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_FeliksPack3___PHP_Shells_usr_RID353E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file usr.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6054": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_FSO_s_casus15_2_RID2FD5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file casus15.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6055": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_FSO_s_phpinj_RID2F48",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file phpinj.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6056": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_FSO_s_reader_RID2F32",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file reader.asp",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6057": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_FSO_s_zehir4_RID2F15",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file zehir4.asp",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6058": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_fuckphpshell_php_RID3156",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file fuckphpshell.php.txt",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6059": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Gamma_Web_Shell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Gamma Web Shell.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6060": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Gamma_Web_Shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Gamma Web Shell.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6061": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Gamma_Web_Shell_RID303D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file Gamma Web Shell.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6062": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Generic_PHP_6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6063": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Generic_PHP_6",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6064": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Generic_PHP_6_RID2F1F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php",
            "last_hit_utc": "2025-10-28 13:45:27"
        }
    ],
    "6065": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_GetPostpHp",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file GetPostpHp.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6066": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_GetPostpHp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file GetPostpHp.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6067": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_GetPostpHp_RID2E94",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file GetPostpHp.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6068": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Ghost_Icesword_Silic_RID329D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files ghost_source.php, icesword.php, silic.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6069": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_ghost_source_icesword_silic",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files ghost_source.php, icesword.php, silic.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6070": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_ghost_source_icesword_silic",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files ghost_source.php, icesword.php, silic.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6071": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_go_shell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file go-shell.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6072": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_go_shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file go-shell.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6073": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_hiddens_shell_v1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file hiddens shell v1.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6074": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_hiddens_shell_v1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file hiddens shell v1.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6075": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_hiddens_shell_v1_RID30E2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file hiddens shell v1.php",
            "last_hit_utc": "2025-10-28 13:45:28"
        }
    ],
    "6076": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_HYTop2006_rar_Folder_2006_RID32C8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file 2006.asp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6077": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_HYTop_DevPack_upload_RID325B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file upload.asp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6078": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_iMHaPFtp_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file iMHaPFtp.php",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6079": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_iMHaPFtp_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file iMHaPFtp.php",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6080": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_iMHaPFtp_2_RID2E10",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file iMHaPFtp.php",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6081": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_installer_RID2E74",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file installer.cmd",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6082": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_ironshell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file ironshell.php",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6083": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_itsec_PHPJackal_itsecteam_shell_jHn",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6084": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_itsec_PHPJackal_itsecteam_shell_jHn",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6085": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Java_Shell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file Java Shell.jsp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6086": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Java_Shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file Java Shell.jsp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6087": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Java_Shell_js_RID2FBB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Java Shell.js.txt",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6088": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Java_Shell_RID2E7F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file Java Shell.jsp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6089": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_jspshall_jsp_RID2FB3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file jspshall.jsp.txt",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6090": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_JspWebshell_1_2_jsp_RID31D6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file JspWebshell 1.2.jsp.txt",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6091": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_jsp_cmdjsp",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file cmdjsp.jsp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6092": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_jsp_cmdjsp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file cmdjsp.jsp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6093": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_jsp_cmdjsp_RID2ED3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file cmdjsp.jsp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6094": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_jsp_generic",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Generic JSP webshell",
            "last_hit_utc": "2022-04-14 16:22:02"
        }
    ],
    "6095": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_jsp_k81",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file k81.jsp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6096": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_jsp_k81",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file k81.jsp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6097": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_jsp_k81_RID2D26",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file k81.jsp",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6098": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_jsp_reverse_jsp_2_RID318B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file jsp-reverse.jsp.txt",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "6099": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_jsp_reverse_jsp_reverse_jspbd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6100": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_jsp_up",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file up.jsp",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6101": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_jsp_up",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file up.jsp",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6102": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_jsp_up_RID2D37",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file up.jsp",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6103": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_kacak_asp_RID2E44",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file kacak.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6104": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_lamashell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file lamashell.php",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6105": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_lamashell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file lamashell.php",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6106": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_lamashell_php_RID3000",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file lamashell.php.txt",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6107": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_lamashell_RID2E39",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file lamashell.php",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6108": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6109": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php_RID4390",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6110": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_lurm_safemod_on_cgi_RID3272",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file lurm_safemod_on.cgi.txt",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6111": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_mysql_shell_php_RID30FA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file mysql_shell.php.txt",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6112": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_MySQL_Web_Interface_Version_0_8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file MySQL Web Interface Version 0.8.php",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6113": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_MySQL_Web_Interface_Version_0_8",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file MySQL Web Interface Version 0.8.php",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6114": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_MySQL_Web_Interface_Version_0_8_php_RID37DB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "6115": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_MySQL_Web_Interface_Version_0_8_RID3634",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file MySQL Web Interface Version 0.8.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6116": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_NCC_Shell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file NCC-Shell.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6117": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_NCC_Shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file NCC-Shell.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6118": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_network_php_xinfo_RID31DA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6119": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_ngh_php_php_RID2F31",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file ngh.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6120": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6121": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6122": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_NIX_REMOTE_WEB_SHELL_RID30D4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6123": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_nst_perl_proxy_shell_RID3325",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6124": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_nst_php_cybershell_RID322E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6125": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_NTDaddy_v1_9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file NTDaddy v1.9.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6126": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_NTDaddy_v1_9",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file NTDaddy v1.9.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6127": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_NT_Addy_asp_RID2ECC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file NT Addy.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6128": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_perlbot_pl_RID2ED9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file perlbot.pl.txt",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6129": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHANTASMA_php_RID2EEA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file PHANTASMA.php.txt",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6130": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_pHpINJ_php_php_RID2FFD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file pHpINJ.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6131": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHPJackal_itsecteam_shell_RID3469",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6132": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_phpjackal_php_RID2FFB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file phpjackal.php.txt",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6133": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_phpkit_0_1a_odd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file odd.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6134": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_phpkit_0_1a_odd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file odd.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6135": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_phpkit_0_1a_odd_RID304C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file odd.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6136": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_phpkit_1_0_odd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file odd.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6137": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_phpkit_1_0_odd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file odd.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6138": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_phpkit_1_0_odd_RID2FEB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file odd.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6139": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_phpshell17_php_RID3015",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file phpshell17.php.txt",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6140": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_phpspy2010",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file phpspy2010.php",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "6141": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_phpspy2010",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file phpspy2010.php",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "6142": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_phpspy2010_RID2E0D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file phpspy2010.php",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "6143": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6144": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6145": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_phpspy_2006_PHPSPY_RID30B4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6146": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_PhpSpy_Ver_2006",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file PhpSpy Ver 2006.php",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6147": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_PhpSpy_Ver_2006",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file PhpSpy Ver 2006.php",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "6148": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_PhpSpy_Ver_2006_RID2F9D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file PhpSpy Ver 2006.php",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "6149": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_150",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file 150.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6150": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_150",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file 150.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6151": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHP_150_RID2C83",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file 150.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6152": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_php_404_a_RID2DA5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file 404.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6153": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_b37",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file b37.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6154": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_b37",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file b37.php",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "6155": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHP_b37_RID2CB9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file b37.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6156": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_backdoor",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file php-backdoor.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6157": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHP_Backdoor_Connect_pl_php_RID351D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6158": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_php_backdoor_php_RID3139",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file php-backdoor.php.txt",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6159": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_base64_encoded_payloads",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "php webshell containing base64 encoded payload",
            "last_hit_utc": "2021-12-24 19:41:03"
        }
    ],
    "6160": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_bug_1_",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file bug (1).php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6161": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_bug_1_",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file bug (1).php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6162": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHP_bug_1__RID2E1A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file bug (1).php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6163": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_by_string_obfuscation",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell, or code used to insert malicious JavaScript for credit card skimming",
            "last_hit_utc": "2022-01-17 13:04:06"
        }
    ],
    "6164": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_c37",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file c37.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6165": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_c37",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file c37.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6166": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHP_c37_RID2CBA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file c37.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6167": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_cmd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file cmd.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6168": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_cmd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file cmd.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6169": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_php_cmd_RID2D81",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file cmd.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6170": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_co",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file co.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6171": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_co",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file co.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "6172": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHP_co_RID2CBF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file co.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6173": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_fbi",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file fbi.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6174": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_fbi",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file fbi.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6175": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_php_fbi_RID2D7E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file fbi.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6176": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_generic",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "php webshell having some kind of input and some kind of payload. restricted to small files or big ones including suspicious strings",
            "last_hit_utc": "2022-05-11 00:13:02"
        }
    ],
    "6177": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_generic_eval",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Generic PHP webshell which uses any eval/exec function in the same line with user input",
            "last_hit_utc": "2021-11-19 05:13:04"
        }
    ],
    "6178": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_include_w_shell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file php-include-w-shell.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6179": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_include_w_shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file php-include-w-shell.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6180": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_php_include_w_shell_php_RID3425",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file php-include-w-shell.php.txt",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6181": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_include_w_shell_RID325E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file php-include-w-shell.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6182": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_list",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file list.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6183": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_list",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file list.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6184": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_php_list_RID2E09",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file list.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6185": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_redcod",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file redcod.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6186": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_PHP_redcod",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file redcod.php",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "6187": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHP_redcod_RID2E5E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file redcod.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6188": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHP_shell_RID2E05",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file shell.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6189": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_PHP_Shell_v1_7_RID2F81",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file PHP_Shell_v1.7.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6190": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_sh_server",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file server.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6191": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_sh_server",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file server.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6192": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_php_sh_server_RID301E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file server.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6193": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_up",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file up.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6194": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_php_up",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file up.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6195": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_php_up_RID2D32",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file up.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6196": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_529",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file 529.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6197": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_529",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file 529.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6198": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_cpanel",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file cpanel.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6199": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_cpanel",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file cpanel.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6200": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_kral",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file kral.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6201": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_kral",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file kral.php",
            "last_hit_utc": "2025-10-28 13:45:34"
        }
    ],
    "6202": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_lolipop",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file lolipop.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6203": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_lolipop",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file lolipop.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6204": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_lolipop_RID3354",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file lolipop.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6205": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_lostDC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file lostDC.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6206": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_lostDC",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file lostDC.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6207": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_matamu",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file matamu.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6208": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_matamu",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file matamu.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6209": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_MyShell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file MyShell.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6210": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_MyShell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file MyShell.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6211": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_MyShell_RID3313",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file MyShell.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6212": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_myshell_RID3353",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file myshell.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6213": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_NGH",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file NGH.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6214": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_NGH",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file NGH.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6215": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_pHpINJ",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file pHpINJ.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6216": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_pHpINJ",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file pHpINJ.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6217": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_pHpINJ_RID325E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file pHpINJ.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6218": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_pws",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file pws.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6219": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_pws",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file pws.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "6220": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_README",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file README.md",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6221": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_README",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file README.md",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6222": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_php_webshells_README_RID3203",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file README.md",
            "last_hit_utc": "2025-10-28 13:45:36"
        }
    ],
    "6223": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_phvayvv_php_php_RID3108",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file phvayvv.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "6224": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Phyton_Shell_py_RID30C7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Phyton Shell.py.txt",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "6225": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WEBSHELL_ProxyShell_Exploitation_Nov21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside",
            "yara_rule_description": "Detects webshells dropped by DropHell malware",
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "6226": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_queryDong_spyjsp2010_zend_RID343F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "6227": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_r577_php_php_SnIpEr_RID3199",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:37"
        }
    ],
    "6228": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_reader_asp_php",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file reader.asp.php.txt",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "6229": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_reader_asp_php",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file reader.asp.php.txt",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "6230": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Reader_asp_RID2E9C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Reader.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "6231": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Rem_View_php_php_RID3112",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Rem View.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "6232": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_rootshell_php_RID3029",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file rootshell.php.txt",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "6233": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_rst_sql_php_php_RID30FC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file rst_sql.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "6234": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_ru24_post_sh",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file ru24_post_sh.php",
            "last_hit_utc": "2025-10-28 13:45:38"
        }
    ],
    "6235": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_ru24_post_sh",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file ru24_post_sh.php",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6236": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_ru24_post_sh_php_php_RID32A0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file ru24_post_sh.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6237": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_ru24_post_sh_RID2F32",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file ru24_post_sh.php",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6238": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_s72_Shell_v1_1_Coding_html_RID3436",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6239": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_safe0ver",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file safe0ver.php",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6240": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_safe0ver",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file safe0ver.php",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6241": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php_RID3D04",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6242": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php_RID3A0D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6243": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Server_Variables",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file Server Variables.asp",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6244": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_Server_Variables",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file Server Variables.asp",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6245": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Server_Variables_RID3115",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file Server Variables.asp",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6246": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_shankar_php_php_RID30DC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file shankar.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "6247": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_shell_php_php_RID300C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file shell.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "6248": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_sh_php_php_RID2ECF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file sh.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:39"
        }
    ],
    "6249": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_sig_404super",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file 404super.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "6250": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_sig_404super",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file 404super.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "6251": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_sig_404super_RID2F0F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file 404super.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "6252": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_simple_backdoor_php_RID327B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file simple-backdoor.php.txt",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "6253": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_simple_cmd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file simple_cmd.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "6254": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_simple_cmd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file simple_cmd.php",
            "last_hit_utc": "2025-10-28 13:45:40"
        }
    ],
    "6255": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_simple_cmd_RID2EA3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file simple_cmd.php",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "6256": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_SimShell_1_0___Simorgh_Security_MGZ_php_RID3987",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "6257": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Sincap_1_0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Sincap 1.0.php",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "6258": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Sincap_1_0",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Sincap 1.0.php",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "6259": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_Sincap_1_0_RID2E03",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file Sincap 1.0.php",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "6260": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Sincap_php_php_RID3052",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Sincap.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "6261": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_small_php_php_RID300D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file small.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:41"
        }
    ],
    "6262": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_STNC_php_php_RID2F2C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file STNC.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:42"
        }
    ],
    "6263": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_telnet_cgi_RID2EC4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file telnet.cgi.txt",
            "last_hit_utc": "2025-10-28 13:45:42"
        }
    ],
    "6264": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_Tool_asp_RID2DE7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file Tool.asp.txt",
            "last_hit_utc": "2025-10-28 13:45:42"
        }
    ],
    "6265": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_w3d_php_php_RID2F02",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file w3d.php.php.txt",
            "last_hit_utc": "2025-10-28 13:45:42"
        }
    ],
    "6266": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_Asp",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file Asp.asp",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6267": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_Asp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file Asp.asp",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6268": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_asp1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file asp1.asp",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6269": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_asp1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file asp1.asp",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6270": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_asp1_RID31EC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file asp1.asp",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6271": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_Asp_RID319B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file Asp.asp",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6272": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_code",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file code.php",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6273": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_code",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file code.php",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6274": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_code_RID3212",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file code.php",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6275": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_con2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file con2.asp",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6276": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_con2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file con2.asp",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6277": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_con2_RID31E9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file con2.asp",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6278": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_JSP",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file JSP.jsp",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6279": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_JSP_RID3164",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file JSP.jsp",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6280": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_pHp",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file pHp.php",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6281": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_pHp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file pHp.php",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6282": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_PHP1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file PHP1.php",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6283": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_PHP1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file PHP1.php",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6284": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_PHP1_RID3190",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file PHP1.php",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6285": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_php2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file php2.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6286": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_php2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file php2.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6287": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_php2_RID31F1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file php2.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6288": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_php5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file php5.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6289": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_php5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file php5.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6290": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_php6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file php6.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6291": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_php6",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file php6.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6292": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_php6_RID31F5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file php6.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6293": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_PHP_RID315F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file PHP.php",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6294": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_pHp_RID319F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file pHp.php",
            "last_hit_utc": "2025-10-28 13:45:44"
        }
    ],
    "6295": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_pppp",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file pppp.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6296": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_pppp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file pppp.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6297": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_pppp_RID3237",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file pppp.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6298": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_xxxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file xxxx.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6299": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshells_new_xxxx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file xxxx.php",
            "last_hit_utc": "2025-10-28 13:45:45"
        }
    ],
    "6300": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshells_new_xxxx_RID3257",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file xxxx.php",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6301": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_webshells_zehir4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Github Archive - file zehir4",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6302": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_webshells_zehir4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Github Archive - file zehir4",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6303": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshell_123",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file webshell-123.php",
            "last_hit_utc": "2025-10-28 13:45:42"
        }
    ],
    "6304": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshell_123",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file webshell-123.php",
            "last_hit_utc": "2025-10-28 13:45:42"
        }
    ],
    "6305": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshell_123_RID2EF1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web shells - generated from file webshell-123.php",
            "last_hit_utc": "2025-10-28 13:45:42"
        }
    ],
    "6306": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshell_cnseay02_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file webshell-cnseay02-1.php",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6307": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshell_cnseay02_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file webshell-cnseay02-1.php",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6308": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshell_cnseay_x",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file webshell-cnseay-x.php",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6309": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_webshell_cnseay_x",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file webshell-cnseay-x.php",
            "last_hit_utc": "2025-10-28 13:45:42"
        }
    ],
    "6310": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_webshell_cnseay_x_RID31B5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file webshell-cnseay-x.php",
            "last_hit_utc": "2025-10-28 13:45:43"
        }
    ],
    "6311": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_wh_bindshell_py_RID30E1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file wh_bindshell.py.txt",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6312": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_WinX_Shell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file WinX Shell.php",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6313": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_WinX_Shell_html_RID3097",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file WinX Shell.html.txt",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6314": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_wsb_idc",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file idc.php",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6315": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_wsb_idc",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file idc.php",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6316": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_wsb_idc_RID2D81",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file idc.php",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6317": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "webshell_wso2_5_1_wso2_5_wso2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php",
            "last_hit_utc": "2025-01-23 05:09:03"
        }
    ],
    "6318": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_wso2_5_1_wso2_5_wso2_RID31BD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php",
            "last_hit_utc": "2025-01-23 05:09:03"
        }
    ],
    "6319": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_xssshell_db_RID2F41",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file db.asp",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6320": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_xssshell_save_RID302A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file save.asp",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6321": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Webshell_zacosmall_php_RID3013",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - file zacosmall.php.txt",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "6322": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_zehir4_asp_php",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file zehir4.asp.php.txt",
            "last_hit_utc": "2025-10-28 13:45:47"
        }
    ],
    "6323": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell_zehir4_asp_php",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file zehir4.asp.php.txt",
            "last_hit_utc": "2025-10-28 13:45:47"
        }
    ],
    "6324": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell__CrystalShell_v_1_erne_stres",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "6325": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell__CrystalShell_v_1_erne_stres",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "6326": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell__findsock_php_findsock_shell_php_reverse_shell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "6327": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell__findsock_php_findsock_shell_php_reverse_shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "6328": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "6329": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "6330": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall_RID3C61",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php",
            "last_hit_utc": "2025-10-28 13:45:18"
        }
    ],
    "6331": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "wh_bindshell_py",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file wh_bindshell.py.txt",
            "last_hit_utc": "2025-10-28 13:45:47"
        }
    ],
    "6332": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_BlackBasta",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects BlackBasta ransomware.",
            "last_hit_utc": "2025-07-25 03:05:34"
        }
    ],
    "6333": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_Cring",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Cring ransomware.",
            "last_hit_utc": "2021-04-08 12:18:22"
        }
    ],
    "6334": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_Dharma",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Dharma ransomware.",
            "last_hit_utc": "2023-04-06 17:55:04"
        }
    ],
    "6335": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_Erica",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Erica ransomware.",
            "last_hit_utc": "2020-11-29 05:46:26"
        }
    ],
    "6336": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_HDDCryptor",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects HDDCryptor ransomware.",
            "last_hit_utc": "2025-01-03 19:31:27"
        }
    ],
    "6337": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_Horsedeal",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Horsedeal ransomware.",
            "last_hit_utc": "2023-04-16 03:00:04"
        }
    ],
    "6338": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_Pay2Key",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Pay2Key ransomware.",
            "last_hit_utc": "2021-12-24 19:33:07"
        }
    ],
    "6339": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_Petya",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Petya ransomware.",
            "last_hit_utc": "2023-04-29 07:20:03"
        }
    ],
    "6340": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_Spora",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Spora ransomware.",
            "last_hit_utc": "2023-03-09 20:50:04"
        }
    ],
    "6341": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_Termite",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Termite ransomware.",
            "last_hit_utc": "2023-04-22 03:52:05"
        }
    ],
    "6342": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_WormLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects WormLocker ransomware.",
            "last_hit_utc": "2026-04-01 20:25:25"
        }
    ],
    "6343": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win32_Ransomware_WsIR",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects WsIR ransomware.",
            "last_hit_utc": "2025-01-22 06:44:02"
        }
    ],
    "6344": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win32_salat_stealer",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting SalatStealer malware",
            "last_hit_utc": "2025-11-23 10:45:24"
        }
    ],
    "6345": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win32_vidar",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting Vidar malware",
            "last_hit_utc": "2025-09-27 04:01:42"
        }
    ],
    "6346": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Win64_Ransomware_Curator",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Curator ransomware.",
            "last_hit_utc": "2022-03-22 12:55:06"
        }
    ],
    "6347": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WindowsCredentialEditor",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Windows Credential Editor",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "6348": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_MalCert_1c42f7ff",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-20 14:33:17"
        }
    ],
    "6349": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_MalCert_1f95f236",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:39:18"
        }
    ],
    "6350": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_MalCert_6926a408",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-06 06:56:16"
        }
    ],
    "6351": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_MalCert_a318116e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-20 14:10:43"
        }
    ],
    "6352": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_MalCert_b19d9b4b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:45:40"
        }
    ],
    "6353": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_11a56097",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-11 12:45:05"
        }
    ],
    "6354": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_278c589e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-31 02:45:44"
        }
    ],
    "6355": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_54a914c9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:38:46"
        }
    ],
    "6356": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_642df623",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-17 10:47:30"
        }
    ],
    "6357": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_6b621667",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-27 04:05:54"
        }
    ],
    "6358": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_7d555b55",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:25:55"
        }
    ],
    "6359": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_a0c7b402",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-27 23:04:52"
        }
    ],
    "6360": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_a3d51e0c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 11:25:48"
        }
    ],
    "6361": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_a440f624",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-12 11:31:28"
        }
    ],
    "6362": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_b577c086",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:39:19"
        }
    ],
    "6363": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Generic_Threat_dcc622a4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:06:03"
        }
    ],
    "6364": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Hacktool_ClrOxide_d92d9575",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 12:53:34"
        }
    ],
    "6365": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Hacktool_Phant0m_2d6f9b57",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-18 11:27:22"
        }
    ],
    "6366": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Hacktool_RingQ_b9715540",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:35:20"
        }
    ],
    "6367": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Hacktool_SafetyKatz_072b7370",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 13:08:36"
        }
    ],
    "6368": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Hacktool_SharpDump_7c17d8b1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 13:08:36"
        }
    ],
    "6369": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Hacktool_SharpUp_e5c87c9a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 13:08:36"
        }
    ],
    "6370": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Hacktool_SharpWMI_a67d6fe5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-30 13:08:36"
        }
    ],
    "6371": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Blackmatter_b548d151",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:31:02"
        }
    ],
    "6372": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Clop_606020e7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop",
            "yara_rule_description": "Identifies CLOP ransomware in unpacked state",
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "6373": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Clop_e04959b5",
            "yara_rule_author": null,
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop",
            "yara_rule_description": "Identifies CLOP ransomware in unpacked state",
            "last_hit_utc": "2025-07-24 14:38:23"
        }
    ],
    "6374": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Clop_e04959b5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop",
            "yara_rule_description": "Identifies CLOP ransomware in unpacked state",
            "last_hit_utc": "2025-07-24 14:38:23"
        }
    ],
    "6375": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Darkside_d7fc4594",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:39:06"
        }
    ],
    "6376": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Hellokitty_4b668121",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-10 08:18:07"
        }
    ],
    "6377": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Lockbit_369e1e94",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-16 11:04:02"
        }
    ],
    "6378": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Ryuk_25d3c5ba",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
            "yara_rule_description": "Identifies RYUK ransomware",
            "last_hit_utc": "2023-09-11 16:27:10"
        }
    ],
    "6379": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Snake_0cfc8ef3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/",
            "yara_rule_description": "Identifies SNAKE ransomware",
            "last_hit_utc": "2024-01-03 10:41:22"
        }
    ],
    "6380": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Snake_20bc5abc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/",
            "yara_rule_description": "Identifies SNAKE ransomware",
            "last_hit_utc": "2024-01-03 10:41:22"
        }
    ],
    "6381": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Snake_550e0265",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/",
            "yara_rule_description": "Identifies SNAKE ransomware",
            "last_hit_utc": "2024-01-03 10:41:22"
        }
    ],
    "6382": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Ransomware_Thanos_a6c09942",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/",
            "yara_rule_description": "Identifies THANOS (Hakbit) ransomware",
            "last_hit_utc": "2025-01-03 21:07:47"
        }
    ],
    "6383": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Shellcode_Rdi_918f8e2f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 05:40:21"
        }
    ],
    "6384": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_AgentTesla_d3ac2b2f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla",
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "6385": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_AgentTesla_e577e17e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla",
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-22 14:30:52"
        }
    ],
    "6386": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_AgentTesla_f2a90d14",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-02 06:58:03"
        }
    ],
    "6387": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Azorult_38fce9ea",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-04 20:22:04"
        }
    ],
    "6388": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Babylonrat_0f66e73b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-06-25 21:05:04"
        }
    ],
    "6389": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Carberp_d6de82ae",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://github.com/m0n0ph1/malware-1/blob/master/Carberp%20Botnet/source%20-%20absource/pro/all%20source/hvnc_dll/HVNC%20Lib/vnc/xvnc.h#L342",
            "yara_rule_description": "Identifies VNC module from the leaked Carberp source code. This could exist in other malware families.",
            "last_hit_utc": "2025-04-28 05:46:08"
        }
    ],
    "6390": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_CastleLoader_173548b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 09:04:29"
        }
    ],
    "6391": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_1787eef5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "CS shellcode variants",
            "last_hit_utc": "2022-10-30 07:51:03"
        }
    ],
    "6392": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_663fc95d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies CobaltStrike via unidentified function code",
            "last_hit_utc": "2022-10-30 07:51:03"
        }
    ],
    "6393": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_d00573a3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Screenshot module from Cobalt Strike",
            "last_hit_utc": "2026-03-29 16:34:21"
        }
    ],
    "6394": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_EagerBee_a64b323b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set",
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-29 12:29:58"
        }
    ],
    "6395": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_EmmenHTAl_2",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "EmmenHTAl new version, data stage",
            "last_hit_utc": "2025-02-01 16:40:24"
        }
    ],
    "6396": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Emotet_1943bbf2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-24 14:31:10"
        }
    ],
    "6397": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Emotet_d6ac1ea4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-03 01:24:50"
        }
    ],
    "6398": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_GhostPulse_8ae8310b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-14 00:43:18"
        }
    ],
    "6399": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_GhostPulse_a1311f49",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:48:29"
        }
    ],
    "6400": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_GhostPulse_a1311f49",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks",
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:40:03"
        }
    ],
    "6401": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Hawkeye_77c36ace",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-07-02 10:29:51"
        }
    ],
    "6402": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_IcedID_0b62e783",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "6403": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_IcedID_11d24d35",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "6404": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_IcedID_48029e37",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "6405": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_IcedID_91562d18",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 22:25:21"
        }
    ],
    "6406": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Limerat_24269a79",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-30 10:17:04"
        }
    ],
    "6407": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Lucifer_ce9d4cc8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-24 09:05:02"
        }
    ],
    "6408": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Merlin_e8ecb3be",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-04 09:00:04"
        }
    ],
    "6409": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Netwire_f85e4abc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-24 16:35:35"
        }
    ],
    "6410": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_OskiStealer_a158b1e3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-25 03:57:02"
        }
    ],
    "6411": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Parallax_b4ea4f1a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-07 19:32:06"
        }
    ],
    "6412": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_PikaBot_5b220e9c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/pikabot-i-choose-you",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:50"
        }
    ],
    "6413": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Raccoon_deb6325c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-24 10:41:03"
        }
    ],
    "6414": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_ed346e4c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-03 00:53:02"
        }
    ],
    "6415": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Smokeloader_4ee15b92",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:35:04"
        }
    ],
    "6416": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Trickbot_9d4d3fa4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:26:04"
        }
    ],
    "6417": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Vidar_9007feb2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-04 10:31:02"
        }
    ],
    "6418": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_Trojan_Zloader_363c65ed",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:07:02"
        }
    ],
    "6419": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Windows_VulnDriver_Zam_928812a7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-30 01:28:16"
        }
    ],
    "6420": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Winnti_Linux",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-03-30 09:27:02"
        }
    ],
    "6421": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "WinX_Shell_html",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file WinX Shell.html.txt",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "6422": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_adhubllka_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-09-13 19:22:05"
        }
    ],
    "6423": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_agent_btz_w0",
            "yara_rule_author": "Symantec",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2023-02-26 15:21:39"
        }
    ],
    "6424": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_agent_tesla_w0",
            "yara_rule_author": "InQuest Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-25 18:31:09"
        }
    ],
    "6425": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_andromeda_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.andromeda.",
            "last_hit_utc": "2023-08-01 23:21:05"
        }
    ],
    "6426": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_appleseed_w0",
            "yara_rule_author": "KrCERT/CC Profound Analysis Team",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-11-03 12:22:54"
        }
    ],
    "6427": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_artra_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.artra.",
            "last_hit_utc": "2025-11-24 16:37:32"
        }
    ],
    "6428": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_avos_locker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.avos_locker.",
            "last_hit_utc": "2023-01-24 14:14:04"
        }
    ],
    "6429": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_badnews_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-12-10 05:32:54"
        }
    ],
    "6430": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_bahamut_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-11-13 16:08:03"
        }
    ],
    "6431": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_batchwiper_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.batchwiper.",
            "last_hit_utc": "2022-04-20 05:37:02"
        }
    ],
    "6432": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_berbew_strings_dec_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Strings observed in Berbew malware.",
            "last_hit_utc": "2025-01-03 19:32:49"
        }
    ],
    "6433": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_betabot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.betabot.",
            "last_hit_utc": "2025-01-28 13:17:20"
        }
    ],
    "6434": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_betabot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.betabot.",
            "last_hit_utc": "2021-11-19 05:32:28"
        }
    ],
    "6435": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_blackbasta_w0",
            "yara_rule_author": "rcoliveira@protonmail.com",
            "yara_rule_reference": "",
            "yara_rule_description": "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.",
            "last_hit_utc": "2022-11-15 11:04:03"
        }
    ],
    "6436": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_blackmatter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.blackmatter.",
            "last_hit_utc": "2022-09-29 04:44:03"
        }
    ],
    "6437": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_blacknix_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-03 23:08:47"
        }
    ],
    "6438": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_blindingcan_w0",
            "yara_rule_author": "CISA Code & Media Analysis",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT",
            "last_hit_utc": "2022-10-05 10:04:02"
        }
    ],
    "6439": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_bozok_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-09-25 17:57:22"
        }
    ],
    "6440": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_bozok_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-04-07 20:58:19"
        }
    ],
    "6441": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_brbbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.brbbot.",
            "last_hit_utc": "2024-04-13 13:28:03"
        }
    ],
    "6442": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_bumblebee_w0",
            "yara_rule_author": "@AndreGironda",
            "yara_rule_reference": "",
            "yara_rule_description": "BumbleBee / win.bumblebee",
            "last_hit_utc": "2022-04-15 13:24:02"
        }
    ],
    "6443": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_carbanak_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-14 16:39:35"
        }
    ],
    "6444": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_casper_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "6445": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_cerber_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.cerber.",
            "last_hit_utc": "2022-10-14 02:41:01"
        }
    ],
    "6446": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_chaos_w2",
            "yara_rule_author": "BlackBerry Threat Research",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Chaos Ransomware Builder",
            "last_hit_utc": "2022-10-13 08:19:03"
        }
    ],
    "6447": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_citadel_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de",
            "yara_rule_reference": null,
            "yara_rule_description": "2013-06-23 Citadel (1.3.0.0 - 3.1.0.0)",
            "last_hit_utc": "2020-06-17 04:18:05"
        }
    ],
    "6448": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_clop_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-03-16 22:53:53"
        }
    ],
    "6449": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_clop_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.clop.",
            "last_hit_utc": "2022-02-24 05:21:05"
        }
    ],
    "6450": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_cobra_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.cobra.",
            "last_hit_utc": "2022-10-16 21:53:03"
        }
    ],
    "6451": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_cobra_w1",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-16 21:53:03"
        }
    ],
    "6452": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_coldseal_w0",
            "yara_rule_author": "mho <info@mha.bka.de>",
            "yara_rule_reference": null,
            "yara_rule_description": "High amount of delimiter strings, show that this file contains a payload encrypted using Cold$eal Project. This will hit on a lot of ransomware like Cerber, Locky, GandCrab.",
            "last_hit_utc": "2025-06-16 15:49:04"
        }
    ],
    "6453": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_coreshell_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html",
            "yara_rule_description": "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.",
            "last_hit_utc": "2024-05-22 23:03:02"
        }
    ],
    "6454": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_cryptomix_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cryptomix.",
            "last_hit_utc": "2025-06-16 16:45:22"
        }
    ],
    "6455": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_cryptoshield_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cryptoshield.",
            "last_hit_utc": "2023-04-26 12:09:47"
        }
    ],
    "6456": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_danabot_cdf38827",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects DanaBot",
            "last_hit_utc": "2025-01-05 15:09:23"
        }
    ],
    "6457": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_darkside_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.darkside.",
            "last_hit_utc": "2025-01-03 19:39:06"
        }
    ],
    "6458": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_darktrack_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-04-07 08:48:03"
        }
    ],
    "6459": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_darktrack_rat_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-07 08:48:03"
        }
    ],
    "6460": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_dispcashbr_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-14 21:24:07"
        }
    ],
    "6461": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_dispcashbr_w0",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": "https://twitter.com/r3c0nst/status/1232944566208286720",
            "yara_rule_description": "Detects of ATM Malware DispCashBR",
            "last_hit_utc": "2021-05-14 21:24:07"
        }
    ],
    "6462": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_eagerbee_w0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-29 12:29:58"
        }
    ],
    "6463": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_edam_w0",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "DLL that creates runkey, contacts bestone.php, download & exec payload",
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "6464": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_electricfish_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.electricfish.",
            "last_hit_utc": "2022-07-01 06:27:02"
        }
    ],
    "6465": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_elise_w0",
            "yara_rule_author": "ThreatConnect Intelligence Research Team - Wes Hurd",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:28:05"
        }
    ],
    "6466": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_emotet_string_hashing",
            "yara_rule_author": "Embee_Research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of string hashing routines observed in emotet",
            "last_hit_utc": "2023-10-03 02:37:02"
        }
    ],
    "6467": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_emotet_string_patterns_oct_2022",
            "yara_rule_author": "Embee_Research @ HuntressLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of string hashing routines observed in emotet",
            "last_hit_utc": "2023-10-03 02:37:02"
        }
    ],
    "6468": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_erbium_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.erbium_stealer.",
            "last_hit_utc": "2025-06-03 22:21:27"
        }
    ],
    "6469": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_eternal_petya_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-06-09 08:09:14"
        }
    ],
    "6470": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_evilpony_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-13 17:06:23"
        }
    ],
    "6471": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_feodo_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.feodo.",
            "last_hit_utc": "2023-04-11 01:28:03"
        }
    ],
    "6472": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_feodo_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.feodo.",
            "last_hit_utc": "2021-09-28 02:55:05"
        }
    ],
    "6473": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_ffdroider_w0",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": null,
            "yara_rule_description": "detects FFDroider",
            "last_hit_utc": "2025-01-26 10:06:40"
        }
    ],
    "6474": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_gazer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.gazer.",
            "last_hit_utc": "2022-03-10 13:04:06"
        }
    ],
    "6475": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_gootkit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.gootkit.",
            "last_hit_utc": "2021-08-06 14:09:03"
        }
    ],
    "6476": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_grey_energy_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-04-25 11:38:10"
        }
    ],
    "6477": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_hancitor_g2",
            "yara_rule_author": "mak",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-07-13 17:12:03"
        }
    ],
    "6478": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_havoc_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.havoc.",
            "last_hit_utc": "2023-06-07 14:20:05"
        }
    ],
    "6479": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_hijackloader_w4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-14 00:43:18"
        }
    ],
    "6480": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_icedid_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.icedid.",
            "last_hit_utc": "2023-08-08 20:41:03"
        }
    ],
    "6481": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_industroyer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.industroyer.",
            "last_hit_utc": "2022-04-13 09:58:03"
        }
    ],
    "6482": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_isr_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-26 07:35:03"
        }
    ],
    "6483": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_isr_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.isr_stealer.",
            "last_hit_utc": "2025-08-19 06:26:36"
        }
    ],
    "6484": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_karius_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-08 09:22:40"
        }
    ],
    "6485": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_korlia_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.korlia.",
            "last_hit_utc": "2025-01-05 16:27:36"
        }
    ],
    "6486": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_kovter_g0",
            "yara_rule_author": "mak",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-31 00:40:09"
        }
    ],
    "6487": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_lockfile_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.lockfile.",
            "last_hit_utc": "2025-05-10 12:25:09"
        }
    ],
    "6488": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_locky_g0",
            "yara_rule_author": "mak",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-27 15:34:17"
        }
    ],
    "6489": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_locky_g1",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-06-27 15:34:21"
        }
    ],
    "6490": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_luminosity_rat_w0",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-01-09 13:42:11"
        }
    ],
    "6491": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_mail_o_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mail_o.",
            "last_hit_utc": "2022-05-24 09:18:03"
        }
    ],
    "6492": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_mimikatz_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-01-05 19:39:36"
        }
    ],
    "6493": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_molerat_loader_g0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.clearskysec.com/iec/",
            "yara_rule_description": "Detects Downloader",
            "last_hit_utc": "2021-06-24 01:16:22"
        }
    ],
    "6494": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_morphine_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-03-24 16:12:09"
        }
    ],
    "6495": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_mount_locker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mount_locker.",
            "last_hit_utc": "2022-01-09 14:20:06"
        }
    ],
    "6496": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_mylobot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mylobot.",
            "last_hit_utc": "2022-01-27 07:39:04"
        }
    ],
    "6497": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_n40_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-05 17:08:55"
        }
    ],
    "6498": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_netwire_g0",
            "yara_rule_author": "mak",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-02-03 06:50:10"
        }
    ],
    "6499": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_neutrinobot_g2",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-12-26 19:44:18"
        }
    ],
    "6500": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_neutrino_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.neutrino.",
            "last_hit_utc": "2026-04-19 19:38:28"
        }
    ],
    "6501": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_numando_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-11-18 03:29:03"
        }
    ],
    "6502": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_obscene_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.obscene.",
            "last_hit_utc": "2022-08-31 05:35:17"
        }
    ],
    "6503": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_orcus_rat_a0",
            "yara_rule_author": "CCIRC",
            "yara_rule_reference": "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors",
            "yara_rule_description": "Unpacked or In-Memory Orcus RAT Rule",
            "last_hit_utc": "2020-07-16 05:16:04"
        }
    ],
    "6504": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_orpcbackdoor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.orpcbackdoor.",
            "last_hit_utc": "2025-11-24 16:38:21"
        }
    ],
    "6505": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_parasite_http_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-30 06:40:59"
        }
    ],
    "6506": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_pay2key_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.pay2key.",
            "last_hit_utc": "2021-12-24 19:33:08"
        }
    ],
    "6507": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_phorpiex_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.phorpiex.",
            "last_hit_utc": "2025-03-12 00:00:05"
        }
    ],
    "6508": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_pipcreat_w0",
            "yara_rule_author": "chort (@chort0)",
            "yara_rule_reference": "http://www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/",
            "yara_rule_description": "APT backdoor Pipcreat",
            "last_hit_utc": "2025-01-05 17:28:05"
        }
    ],
    "6509": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_pitou_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.pitou.",
            "last_hit_utc": "2022-01-15 11:58:04"
        }
    ],
    "6510": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_plugx_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-28 16:39:36"
        }
    ],
    "6511": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_polyvice_w1",
            "yara_rule_author": "Antonio Cocomazzi @ SentinelOne",
            "yara_rule_reference": "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development",
            "yara_rule_description": "Detect a windows ransomware variant tracked as PolyVice adopted by multiple threat actors",
            "last_hit_utc": "2023-08-01 20:43:03"
        }
    ],
    "6512": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_poulight_w0",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/d9e4933b-3229-4cb4-84e6-c45a336b15be/",
            "yara_rule_description": "Poulight stealer",
            "last_hit_utc": "2020-11-08 14:39:03"
        }
    ],
    "6513": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_privateloader",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": "https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service",
            "yara_rule_description": "Detects PrivateLoader malware.",
            "last_hit_utc": "2025-01-03 19:32:27"
        }
    ],
    "6514": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_pslogger_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-02 08:25:12"
        }
    ],
    "6515": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_qaccel_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.qaccel.",
            "last_hit_utc": "2022-10-17 08:52:04"
        }
    ],
    "6516": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_ragnarlocker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-08-03 10:03:40"
        }
    ],
    "6517": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_ratel_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.ratel.",
            "last_hit_utc": "2025-03-07 20:10:18"
        }
    ],
    "6518": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_recordbreaker_w0",
            "yara_rule_author": "Jake Goldi",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect variants of Raccoon Stealer v2",
            "last_hit_utc": "2023-09-24 10:41:03"
        }
    ],
    "6519": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_recordbreaker_w1",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_Raccoon_Stealer_v2",
            "last_hit_utc": "2023-09-24 10:41:03"
        }
    ],
    "6520": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_rektloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-08 14:03:29"
        }
    ],
    "6521": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_remexi_w0",
            "yara_rule_author": "Symantec",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "6522": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_retefe_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-12-13 04:01:13"
        }
    ],
    "6523": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_retefe_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.retefe.",
            "last_hit_utc": "2021-09-08 12:12:01"
        }
    ],
    "6524": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_rincux_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.rincux.",
            "last_hit_utc": "2022-07-20 07:33:36"
        }
    ],
    "6525": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_royal_ransom_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.royal_ransom.",
            "last_hit_utc": "2025-01-05 15:52:09"
        }
    ],
    "6526": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_rtm_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-11 08:52:05"
        }
    ],
    "6527": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_ryuk_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.ryuk.",
            "last_hit_utc": "2022-02-17 12:08:05"
        }
    ],
    "6528": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_sality_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-30 06:48:07"
        }
    ],
    "6529": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_sendsafe_g0",
            "yara_rule_author": "mak",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-04-25 12:15:38"
        }
    ],
    "6530": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_silence_w0",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_silence_Downloader",
            "last_hit_utc": "2025-01-05 17:28:05"
        }
    ],
    "6531": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_sliver_w0",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Sliver implant cross-platform adversary emulation/red team",
            "last_hit_utc": "2022-11-16 18:18:01"
        }
    ],
    "6532": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_socks5_systemz_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-01-08 14:59:23"
        }
    ],
    "6533": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_spider_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.spider_rat.",
            "last_hit_utc": "2025-01-05 15:21:58"
        }
    ],
    "6534": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_spora_ransom_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.spora_ransom.",
            "last_hit_utc": "2023-03-09 20:50:04"
        }
    ],
    "6535": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_sunburst_w0",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "6536": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_sysscan_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-06-16 16:48:00"
        }
    ],
    "6537": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_taidoor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-12-26 06:50:04"
        }
    ],
    "6538": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_teledoor_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/CpfJQQ",
            "yara_rule_description": "Detects the TeleDoor Backdoor as used in Petya Attack in June 2017",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "6539": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_tflower_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-06 10:46:11"
        }
    ],
    "6540": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_tiger_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.tiger_rat.",
            "last_hit_utc": "2022-09-08 07:11:02"
        }
    ],
    "6541": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_torrentlocker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.torrentlocker.",
            "last_hit_utc": "2023-08-10 20:37:02"
        }
    ],
    "6542": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_toxiceye_w0",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse/signature/toxiceye/",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-08 16:10:22"
        }
    ],
    "6543": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_trickbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.trickbot.",
            "last_hit_utc": "2023-08-24 07:26:02"
        }
    ],
    "6544": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_unidentified_075_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.unidentified_075.",
            "last_hit_utc": "2021-08-06 12:44:18"
        }
    ],
    "6545": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_unidentified_089_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.unidentified_089.",
            "last_hit_utc": "2022-07-14 22:14:03"
        }
    ],
    "6546": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_urlzone_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-12-26 09:36:04"
        }
    ],
    "6547": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_urlzone_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de",
            "yara_rule_reference": null,
            "yara_rule_description": "2013-07-10 URLZone Banking Trojan",
            "last_hit_utc": "2020-12-26 09:36:04"
        }
    ],
    "6548": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_uroburos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.uroburos.",
            "last_hit_utc": "2025-10-17 17:58:30"
        }
    ],
    "6549": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_vidar_w0",
            "yara_rule_author": "Fumik0_",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule for detecting Vidar stealer",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "6550": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_vmzeus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-04 08:25:12"
        }
    ],
    "6551": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_vmzeus_g0",
            "yara_rule_author": "mak",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-04 08:25:13"
        }
    ],
    "6552": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_void_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.void.",
            "last_hit_utc": "2023-07-14 23:36:03"
        }
    ],
    "6553": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_vsingle_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.vsingle.",
            "last_hit_utc": "2022-11-17 14:02:30"
        }
    ],
    "6554": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_wannacryptor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.wannacryptor.",
            "last_hit_utc": "2025-07-25 17:55:19"
        }
    ],
    "6555": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_webmonitor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-06-20 10:02:04"
        }
    ],
    "6556": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_wndtest_w0",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Backdoor used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "6557": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_woolger_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/SjQhlp",
            "yara_rule_description": "Detects Keylogger used in Rocket Kitten APT",
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "6558": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_wscspl_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.wscspl.",
            "last_hit_utc": "2025-11-24 16:38:18"
        }
    ],
    "6559": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_xwormmm_s1_6f74",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": "",
            "yara_rule_description": "detects unpacked Xwormmm samples",
            "last_hit_utc": "2022-11-23 23:35:04"
        }
    ],
    "6560": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_xxmm_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects malware / hacktool sample from Bronze Butler incident",
            "last_hit_utc": "2025-01-05 17:28:05"
        }
    ],
    "6561": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_zeus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.zeus.",
            "last_hit_utc": "2022-07-16 08:08:03"
        }
    ],
    "6562": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "win_zloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.zloader.",
            "last_hit_utc": "2025-01-03 20:07:02"
        }
    ],
    "6563": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "XAgent",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:25:42"
        }
    ],
    "6564": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "XCSSET_Strings",
            "yara_rule_author": "@is_henderson",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule based on deob strings - easymode",
            "last_hit_utc": "2022-08-17 06:09:01"
        }
    ],
    "6565": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Xenarmor_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "e524b801fd77238e3da5755ade262f700e244768a312dc7897bb68e370607fae",
            "yara_rule_description": "Xenarmor Crapware",
            "last_hit_utc": "2021-08-23 18:49:04"
        }
    ],
    "6566": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Xenarmor_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "e524b801fd77238e3da5755ade262f700e244768a312dc7897bb68e370607fae",
            "yara_rule_description": "Xenarmor Crapware",
            "last_hit_utc": "2021-08-23 18:49:04"
        }
    ],
    "6567": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "xssshell_db",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file db.asp",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "6568": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "xssshell_db",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file db.asp",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "6569": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "xssshell_save",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file save.asp",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "6570": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "xssshell_save",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file save.asp",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "6571": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Xtreme_Sep17_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects XTREME sample analyzed in September 2017",
            "last_hit_utc": "2022-11-05 01:47:03"
        }
    ],
    "6572": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ysoserial_Payload",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/frohoff/ysoserial",
            "yara_rule_description": "Ysoserial Payloads",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "6573": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ysoserial_Payload_RID2DF5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/frohoff/ysoserial",
            "yara_rule_description": "Ysoserial Payloads",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6574": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ysoserial_Payload_Spring1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/frohoff/ysoserial",
            "yara_rule_description": "Ysoserial Payloads - file Spring1.bin",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6575": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Ysoserial_Payload_Spring1_RID30F8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/frohoff/ysoserial",
            "yara_rule_description": "Ysoserial Payloads - file Spring1.bin",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6576": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "zacosmall_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - file zacosmall.php.txt",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6577": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Zeus_Panda",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
            "yara_rule_description": "Detects ZEUS Panda Malware",
            "last_hit_utc": "2025-02-26 18:09:30"
        }
    ],
    "6578": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "zipExec",
            "yara_rule_author": "Marius 'f0wL' Genheimer, https://dissectingmalwa.re",
            "yara_rule_reference": "https://github.com/Tylous/ZipExec",
            "yara_rule_description": "Detects zipExec Golang Loader/Crypter",
            "last_hit_utc": "2022-11-01 15:20:04"
        }
    ],
    "6579": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "Zloader",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Zloader Payload",
            "last_hit_utc": "2021-08-25 06:29:08"
        }
    ],
    "6580": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ZXshell2_0_rar_Folder_nc",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file nc.exe",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6581": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ZXshell2_0_rar_Folder_nc",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file nc.exe",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6582": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ZXshell2_0_rar_Folder_zxrecv",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file zxrecv.exe",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6583": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ZXshell2_0_rar_Folder_zxrecv",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file zxrecv.exe",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6584": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ZXshell2_0_rar_Folder_ZXshell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file ZXshell.exe",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6585": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ZXshell2_0_rar_Folder_ZXshell",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file ZXshell.exe",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6586": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ZXshell2_0_rar_Folder_ZXshell_RID3224",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file ZXshell.exe",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "6587": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "ZxShell_Jul17",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell - CN threat group",
            "last_hit_utc": "2025-11-05 08:21:41"
        }
    ],
    "6588": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "_network_php_php_xinfo_php_php_nfm_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "6589": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "_nst_php_php_cybershell_php_php_img_php_php_nstview_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "6590": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "_nst_php_php_img_php_php_nstview_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "6591": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "6592": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "_root_040_zip_Folder_deploy",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file deploy.exe",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "6593": [
        {
            "sample_cnt": 2,
            "yara_rule_name": "_root_040_zip_Folder_deploy",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file deploy.exe",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "6594": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_202408_html_Suspicious_JS_Redirect",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious JS redirects",
            "last_hit_utc": "2025-01-03 20:09:57"
        }
    ],
    "6595": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_202409_html_submitform_com",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects potential HTML phishing using submit-form.com for credential exfil",
            "last_hit_utc": "2025-01-03 20:53:03"
        }
    ],
    "6596": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_BuerLoader_xls_20210309",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/9d3bd9b2bd269fa919b0db4836fadc35/",
            "yara_rule_description": "Detects BuerLoader XLS",
            "last_hit_utc": "2021-03-10 11:28:43"
        }
    ],
    "6597": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_Guildma_CMD",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects malicious CMD files spreading Guildma malware",
            "last_hit_utc": "2023-04-05 14:08:02"
        }
    ],
    "6598": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_Ostap_xlsm_20200804",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/252be20afc3d8bb512241921cd1d7a45/",
            "yara_rule_description": "Detects Ostap XLSM",
            "last_hit_utc": "2020-08-05 12:37:37"
        }
    ],
    "6599": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_Quakbot_doc_20200811",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/4f9c1290fb3b3f002718586305702b85/",
            "yara_rule_description": "Detects Quakbot DOC",
            "last_hit_utc": "2020-08-11 13:49:35"
        }
    ],
    "6600": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_Quakbot_doc_20200817",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/614a3584466972109403e3696177d909/",
            "yara_rule_description": "Detects Quakbot DOC",
            "last_hit_utc": "2021-01-09 13:29:04"
        }
    ],
    "6601": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_TrickBot_doc_20201020",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/649f323b4f18e5722a42bbc3118722a2/",
            "yara_rule_description": "Detects TrickBot doc",
            "last_hit_utc": "2020-10-20 07:54:06"
        }
    ],
    "6602": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_TrickBot_doc_20201020_2",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/a99e3e41323e580e89a5cdf7d43bd1d0/",
            "yara_rule_description": "Detects TrickBot doc",
            "last_hit_utc": "2020-10-21 08:28:04"
        }
    ],
    "6603": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ach_TrickBot_doc_chil86",
            "yara_rule_author": "abuse.ch",
            "yara_rule_reference": "https://sandnet.abuse.ch/report/94f1af3c4c1d9f45a5280da970390114/",
            "yara_rule_description": "Detects TrickBot doc (chil86)",
            "last_hit_utc": "2020-08-05 07:09:33"
        }
    ],
    "6604": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ACProtectV20risco",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:08:24"
        }
    ],
    "6605": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "AdFind_Detection",
            "yara_rule_author": "xinquan",
            "yara_rule_reference": "Analysis on AdFind.exe",
            "yara_rule_description": "Detects AdFind based on specific string patterns identified in analysis",
            "last_hit_utc": "2025-02-09 21:14:12"
        }
    ],
    "6606": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Adsterra_Adware_Generic",
            "yara_rule_author": "IlluminatiFish",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Adsterra adware generic script string",
            "last_hit_utc": "2021-05-14 05:35:12"
        }
    ],
    "6607": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ADSync_CredDump_Wide",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://blog.xpnsec.com/azuread-connect-for-redteam/",
            "yara_rule_description": "AD Connect Sync Credential Extract",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "6608": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ADSync_CredDump_Xor",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://blog.xpnsec.com/azuread-connect-for-redteam/",
            "yara_rule_description": "Azure AdSync Service Account Password Dumping",
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "6609": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Adzok",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:43:47"
        }
    ],
    "6610": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "AgentTesla",
            "yara_rule_author": "InQuest Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-25 18:31:09"
        }
    ],
    "6611": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "AgentTesla_telegram_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/b4ceef1e-a649-44b7-9e0c-e53c3ab05354",
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-11 16:27:03"
        }
    ],
    "6612": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "agenttesla_win_generic",
            "yara_rule_author": "_kphi",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:14:41"
        }
    ],
    "6613": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "AHK_DarkGate_Payload_April_2024",
            "yara_rule_author": "NDA0",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects .ahk payload dropped by DarkGate loader",
            "last_hit_utc": "2025-01-03 21:46:29"
        }
    ],
    "6614": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "aisuru_ddos_botnet",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": "https://blog.xlab.qianxin.com/aisuru-botnet-en/",
            "yara_rule_description": "Aisuru DDoS botnet - Mirai derivative with custom crypto",
            "last_hit_utc": "2026-03-26 16:25:41"
        }
    ],
    "6615": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ALLATORI_Obfus_unpacked",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ALLATORI obfuscator",
            "last_hit_utc": "2024-06-20 09:17:01"
        }
    ],
    "6616": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "amatera",
            "yara_rule_author": "Nikos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Amatera Stealer Payload",
            "last_hit_utc": "2025-06-10 06:16:21"
        }
    ],
    "6617": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Android_BankingTrojan_Hydra",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Hydra Android malware samples based on the strings matched",
            "last_hit_utc": "2024-03-11 10:02:03"
        }
    ],
    "6618": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "andromeda",
            "yara_rule_author": "Brian Wallace @botnet_hunter",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify Andromeda",
            "last_hit_utc": "2020-10-25 21:18:07"
        }
    ],
    "6619": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Angry_IP_Scanner_v2_08_ipscan",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file ipscan.exe",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "6620": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Anthem_DeepPanda_htran_exe",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Anthem Hack Deep Panda - htran-exe",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "6621": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Anthem_DeepPanda_lot1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Anthem Hack Deep Panda - lot1.tmp-pwdump",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "6622": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "antivirusdetector",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "6623": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Anydesk_masquerading",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": null,
            "yara_rule_description": "Anydesk is commonly used by threat actors. This rule aims to identify legitimate anydesk, renamed binaries and trojanized versions.",
            "last_hit_utc": "2023-04-03 14:53:03"
        }
    ],
    "6624": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ApkProtector2",
            "yara_rule_author": "R3R0K",
            "yara_rule_reference": null,
            "yara_rule_description": "Android.ApkProtector",
            "last_hit_utc": "2025-06-16 16:08:00"
        }
    ],
    "6625": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ApkProtector3",
            "yara_rule_author": "R3R0K",
            "yara_rule_reference": null,
            "yara_rule_description": "Android.ApkProtector",
            "last_hit_utc": "2023-06-12 07:26:03"
        }
    ],
    "6626": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apk_finfisher_w0",
            "yara_rule_author": "Thorsten Schr\u00f6der - ths @ ccc.de (https://twitter.com/__ths__)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Gamma/FinFisher FinSpy for Android #GovWare",
            "last_hit_utc": "2021-01-12 21:35:25"
        }
    ],
    "6627": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apk_finfisher_w0",
            "yara_rule_author": "Thorsten Schr\u00f6der - ths @ ccc.de (https://twitter.com/__ths__)",
            "yara_rule_reference": "https://www.ccc.de/de/updates/2019/finspy",
            "yara_rule_description": "Detect Gamma/FinFisher FinSpy for Android #GovWare",
            "last_hit_utc": "2024-01-15 23:12:03"
        }
    ],
    "6628": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "AppLaunch",
            "yara_rule_author": "iam-py-test",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect files referencing DotNet AppLaunch.exe",
            "last_hit_utc": "2025-01-05 15:17:50"
        }
    ],
    "6629": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT10_Himawari_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf",
            "yara_rule_description": "detect Himawari (a variant of RedLeaves) in memory",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6630": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT10_HTSrl_signed",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "HT Srl signature using APT10",
            "last_hit_utc": "2025-01-03 20:07:00"
        }
    ],
    "6631": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT1_LIGHTBOLT",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "6632": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT1_WEBC2_QBP",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-07-02 21:12:30"
        }
    ],
    "6633": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT1_WEBC2_YAHOO",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:34:45"
        }
    ],
    "6634": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT32_ActiveMime_Lure",
            "yara_rule_author": "Ian Ahl (@TekDefense) and Nick Carr (@ItsReallyNick)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
            "yara_rule_description": "Developed to detect APT32 (OceanLotus Group) phishing lures used to target FireEye customers in 2016 and 2017",
            "last_hit_utc": "2025-01-03 20:34:45"
        }
    ],
    "6635": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt3_bemstour_strings",
            "yara_rule_author": "Mark Lechtik",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects strings used by the Bemstour exploitation tool",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "6636": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT6_Malware_Sample_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/",
            "yara_rule_description": "Rule written for 2 malware samples that communicated to APT6 C2 servers",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6637": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT6_Malware_Sample_Gen_RID2F8E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/",
            "yara_rule_description": "Rule written for 2 malware samples that communicated to APT6 C2 servers",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6638": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_acidbox_main_module_dll",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect the Main mode component of AcidBox",
            "last_hit_utc": "2025-01-05 15:46:14"
        }
    ],
    "6639": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT10_Malware_Imphash_Dec18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "AlienVault OTX IOCs - statistical sample analysis",
            "yara_rule_description": "Detects APT10 malware based on ImpHashes",
            "last_hit_utc": "2022-05-26 07:43:02"
        }
    ],
    "6640": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT10_Malware_Imphash_Dec18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "AlienVault OTX IOCs - statistical sample analysis",
            "yara_rule_description": "Detects APT10 malware based on ImpHashes",
            "last_hit_utc": "2025-01-03 20:07:00"
        }
    ],
    "6641": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT28_drovorub_unique_network_comms_strings",
            "yara_rule_author": "NSA / FBI",
            "yara_rule_reference": "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/",
            "yara_rule_description": "Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "6642": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_BoomBox_May21_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
            "yara_rule_description": "Detects BoomBox malware as described in APT29 NOBELIUM report",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "6643": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_BoomBox_May21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
            "yara_rule_description": "Detects BoomBox malware as described in APT29 NOBELIUM report",
            "last_hit_utc": "2023-09-11 16:27:03"
        }
    ],
    "6644": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_BoomBox_May21_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
            "yara_rule_description": "Detects BoomBox malware used by APT29 / NOBELIUM",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6645": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_BoomBox_May21_2_RID31EE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
            "yara_rule_description": "Detects BoomBox malware used by APT29 / NOBELIUM",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6646": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_JS_EnvyScout_May21_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
            "yara_rule_description": "Detects EnvyScout deobfuscator code as used by NOBELIUM group",
            "last_hit_utc": "2025-01-03 22:27:15"
        }
    ],
    "6647": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_JS_EnvyScout_May21_2_RID33E4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
            "yara_rule_description": "Detects EnvyScout deobfuscator code as used by NOBELIUM group",
            "last_hit_utc": "2025-01-03 22:27:15"
        }
    ],
    "6648": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_LNK_NV_Link_May21_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
            "yara_rule_description": "Detects NV Link as used by NOBELIUM group",
            "last_hit_utc": "2022-10-05 10:04:03"
        }
    ],
    "6649": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_LNK_NV_Link_May21_2_RID330D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
            "yara_rule_description": "Detects NV Link as used by NOBELIUM group",
            "last_hit_utc": "2022-10-05 10:04:02"
        }
    ],
    "6650": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_NativeZone_Loader_May21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
            "yara_rule_description": "Detects NativeZone loader as described in APT29 NOBELIUM report",
            "last_hit_utc": "2025-11-05 08:21:34"
        }
    ],
    "6651": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_NativeZone_Loader_May21_1_RID35F0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
            "yara_rule_description": "Detects NativeZone loader as described in APT29 NOBELIUM report",
            "last_hit_utc": "2025-11-05 08:21:34"
        }
    ],
    "6652": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_NOBELIUM_Stageless_Loader_May21_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
            "yara_rule_description": "Detects stageless loader as used by APT29 / NOBELIUM",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "6653": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_sorefang_command_elem_cookie_ga_boundary_string",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development",
            "yara_rule_description": "Rule to detect SoreFang based on scheduled task element and Cookie header/boundary strings",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6654": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_sorefang_custom_encode_decode",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development",
            "yara_rule_description": "Rule to detect SoreFang based on the custom encoding/decoding algorithm function",
            "last_hit_utc": "2026-04-01 10:55:23"
        }
    ],
    "6655": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_sorefang_encryption_round_function",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development",
            "yara_rule_description": "Rule to detect SoreFang based on the encryption round function",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6656": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_sorefang_modify_alphabet_custom_encode",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development",
            "yara_rule_description": "Rule to detect SoreFang based on arguments passed into custom encoding algorithm function",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6657": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT29_wellmess_dotnet_unique_strings",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development",
            "yara_rule_description": "Rule to detect WellMess .NET samples based on unique strings and function/variable names",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6658": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT34_PS_Malware_Apr19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/0xffff0800/status/1118406371165126656",
            "yara_rule_description": "Detects APT34 PowerShell malware",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "6659": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT34_PS_Malware_Apr19_1_RID3047",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/0xffff0800/status/1118406371165126656",
            "yara_rule_description": "Detects APT34 PowerShell malware",
            "last_hit_utc": "2025-10-28 13:43:48"
        }
    ],
    "6660": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT34_PS_Malware_Apr19_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/0xffff0800/status/1118406371165126656",
            "yara_rule_description": "Detects APT34 PowerShell malware",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6661": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT34_PS_Malware_Apr19_3_RID3049",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/0xffff0800/status/1118406371165126656",
            "yara_rule_description": "Detects APT34 PowerShell malware",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6662": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT38_ValeforBeta_Mar_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect ValeforBeta used in attacks against Japanese organisations by APT38",
            "last_hit_utc": "2022-11-16 01:26:03"
        }
    ],
    "6663": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT41_CN_ELF_Speculoos_Backdoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
            "yara_rule_description": "Detects Speculoos Backdoor used by APT41",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6664": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT41_POISONPLUG",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
            "yara_rule_description": "Detects APT41 malware POISONPLUG",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6665": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_APT41_POISONPLUG_RID2D0E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
            "yara_rule_description": "Detects APT41 malware POISONPLUG",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6666": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_apt_duqu2_drivers",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect Duqu 2.0 drivers",
            "last_hit_utc": "2025-01-23 16:43:02"
        }
    ],
    "6667": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_apt_duqu2_loaders",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect Duqu 2.0 samples",
            "last_hit_utc": "2024-05-22 23:13:03"
        }
    ],
    "6668": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_ATP28_Sofacy_Indicators_May19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1129647994603790338",
            "yara_rule_description": "Detects APT28 Sofacy indicators in samples",
            "last_hit_utc": "2022-08-07 14:09:03"
        }
    ],
    "6669": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_ATP28_Sofacy_Indicators_May19_1_RID3357",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1129647994603790338",
            "yara_rule_description": "Detects APT28 Sofacy indicators in samples",
            "last_hit_utc": "2022-08-07 14:09:03"
        }
    ],
    "6670": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Backdoor_SUNBURST_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
            "yara_rule_description": "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6671": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Backdoor_SUNBURST_2",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": null,
            "yara_rule_description": "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.",
            "last_hit_utc": "2020-12-28 06:56:13"
        }
    ],
    "6672": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Backdoor_Win_GoRat_Memory",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "Identifies GoRat malware in memory based on strings.",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6673": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Bitter_PDB_Paths",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh",
            "yara_rule_description": "Detects Bitter (T-APT-17) PDB Paths",
            "last_hit_utc": "2025-01-05 15:00:30"
        }
    ],
    "6674": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Builder_PY_REDFLARE_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "Detects FireEye's Python Redflare",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6675": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_c16_win_memory_pcclient",
            "yara_rule_author": "@dragonthreatlab",
            "yara_rule_reference": "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html",
            "yara_rule_description": "Files matching the md5 given in the rule's metadata (not reproduced in this record) tend to live only in memory, hence the lack of an MZ header check.",
            "last_hit_utc": "2025-04-27 22:53:07"
        }
    ],
    "6676": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_c16_win_wateringhole",
            "yara_rule_author": "@dragonthreatlab",
            "yara_rule_reference": "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html",
            "yara_rule_description": "Detects code from APT wateringhole",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6677": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_Chafer_CadelSpy",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-10 16:01:56"
        }
    ],
    "6678": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/JAMESWT_MHT/status/1316387482708119556",
            "yara_rule_description": "Detects Red Delta samples",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6679": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/JAMESWT_MHT/status/1316387482708119556",
            "yara_rule_description": "Detects Red Delta samples",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6680": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2_RID36A3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/JAMESWT_MHT/status/1316387482708119556",
            "yara_rule_description": "Detects Red Delta samples",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6681": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_DarkHydrus_Jul18_4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
            "yara_rule_description": "Detects strings found in malware samples from the APT report on DarkHydrus",
            "last_hit_utc": "2021-11-28 16:57:32"
        }
    ],
    "6682": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Derusbi_Gen",
            "yara_rule_author": "ThreatConnect Intelligence Research Team",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:34:45"
        }
    ],
    "6683": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Donot_rtf_20211105",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Donot Group RTF",
            "last_hit_utc": "2022-07-14 21:53:03"
        }
    ],
    "6684": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_duqu2_drivers",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect Duqu 2.0 drivers",
            "last_hit_utc": "2025-01-23 16:43:03"
        }
    ],
    "6685": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_duqu2_loaders",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect Duqu 2.0 samples",
            "last_hit_utc": "2024-05-22 23:13:03"
        }
    ],
    "6686": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_BananaAid_RID2D82",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BananaAid",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6687": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_BananaUsurper_writeJetPlow_RID34B9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6688": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_BARPUNCH_BPICKER_RID2EE5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6689": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_BBALL_RID2B90",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6690": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_BFLEA_2201_RID2CB1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BFLEA-2201.exe",
            "last_hit_utc": "2025-10-28 13:43:49"
        }
    ],
    "6691": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_BICECREAM_RID2CAE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BICECREAM-2140",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6692": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_BLIAR_BLIQUER_RID2E10",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6693": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_BUSURPER_2211_724_RID2ECC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BUSURPER-2211-724.exe",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6694": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_BUSURPER_3001_724_RID2ECA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BUSURPER-3001-724.exe",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6695": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_config_jp1_UA_RID2F08",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file config_jp1_UA.pl",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6696": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_create_dns_injection_RID326D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file create_dns_injection.py",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6697": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_eligiblecandidate_RID310D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file eligiblecandidate.py",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6698": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_EPBA_RID2B4B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file EPBA.script",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6699": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_epicbanana_2_1_0_1_RID3075",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6700": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_Extrabacon_Output_RID312A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - Extrabacon exploit output",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6701": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_extrabacon_RID2E5A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py",
            "last_hit_utc": "2025-10-28 13:43:50"
        }
    ],
    "6702": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_Implants_Gen1_RID2F25",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, lpexe, writeJetPlow-2130",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6703": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_Implants_Gen2_RID2F26",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, writeJetPlow-2130",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6704": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_Implants_Gen3_RID2F27",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6705": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_Implants_Gen4_RID2F28",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6706": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_Implants_Gen5_RID2F29",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6707": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_jetplow_SH_RID2E32",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file jetplow.sh",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6708": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_MixText_RID2D06",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file MixText.py",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6709": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_networkProfiler_orderScans_RID34F3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file networkProfiler_orderScans.sh",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6710": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_pandarock_RID2DE6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6711": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_payload_RID2D1D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file payload.py",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6712": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_screamingplow_RID2FAE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file screamingplow.sh",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6713": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_sniffer_xml2pcap_RID30A6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file sniffer_xml2pcap",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6714": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_sploit_py_RID2E16",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file sploit.py",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6715": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_sploit_RID2CCE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files sploit.py, sploit.py",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6716": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_ssh_telnet_29_RID2F36",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files ssh.py, telnet.py",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6717": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_StoreFc_RID2CE9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file StoreFc.py",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6718": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_tinyhttp_setup_RID3047",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file tinyhttp_setup.sh",
            "last_hit_utc": "2025-10-28 13:43:51"
        }
    ],
    "6719": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_tunnel_state_reader_RID321B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file tunnel_state_reader",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6720": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_uninstallPBD_RID2EE3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file uninstallPBD.bat",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6721": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_Unique_Strings_RID2FF3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - Unique strings",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6722": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_userscript_RID2E87",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file userscript.FW",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6723": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EQGRP_workit_RID2CD3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file workit.py",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6724": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Equation_Group_Op_Triangulation_TriangleDB_Implant_Jun23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/triangledb-triangulation-implant/110050/",
            "yara_rule_description": "Detects TriangleDB implant found being used in Operation Triangulation on iOS devices (maybe also used on macOS systems)",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6725": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_EXPL_Sharepoint_CVE_2025_53770_ForensicArtefact_Jul25_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://research.eye.security/sharepoint-under-siege/",
            "yara_rule_description": "Detects URIs accessed during the exploitation of SharePoint RCE vulnerability CVE-2025-53770",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6726": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_FIN7_Sample_Aug18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
            "yara_rule_description": "Detects FIN7 samples mentioned in FireEye report",
            "last_hit_utc": "2021-11-24 15:56:54"
        }
    ],
    "6727": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_FIN7_Sample_Aug18_1_RID2E9F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
            "yara_rule_description": "Detects FIN7 samples mentioned in FireEye report",
            "last_hit_utc": "2021-11-24 15:56:54"
        }
    ],
    "6728": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_FIN7_Strings_Aug18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
            "yara_rule_description": "Detects strings from FIN7 report in August 2018",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6729": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_FIN7_Strings_Aug18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
            "yara_rule_description": "Detects strings from FIN7 report in August 2018",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6730": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_FIN7_Strings_Aug18_1_RID2F27",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
            "yara_rule_description": "Detects strings from FIN7 report in August 2018",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6731": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_HackTool_MSIL_DTRIM_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'dtrim' project, which is a modified version of SharpSploit.",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6732": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_HackTool_MSIL_GPOHUNT_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'gpohunt' project.",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6733": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_HackTool_MSIL_JUSTASK_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'justask' project.",
            "last_hit_utc": "2025-11-05 08:22:22"
        }
    ],
    "6734": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_HackTool_MSIL_MODIFIEDSHARPVIEW_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'modifiedsharpview' project.",
            "last_hit_utc": "2023-09-11 16:27:03"
        }
    ],
    "6735": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_HackTool_MSIL_NOAMCI_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'noamci' project.",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6736": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_HackTool_MSIL_REVOLVER_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'revolver' project.",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6737": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_HackTool_MSIL_SHARPPATCHCHECK_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharppatchcheck' project.",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6738": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_HackTool_MSIL_SHARPWEBCRAWLER_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpwebcrawler' project.",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6739": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_hellsing_implantstrings",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6740": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_hellsing_implantstrings",
            "yara_rule_author": "Costin Raiu, Kaspersky Lab",
            "yara_rule_reference": null,
            "yara_rule_description": "detection for Hellsing implants",
            "last_hit_utc": "2025-10-28 13:43:52"
        }
    ],
    "6741": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Kaspersky_Duqu2_procexp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/7yKyOj",
            "yara_rule_description": "Kaspersky APT Report - Duqu2 Sample - Malicious MSI",
            "last_hit_utc": "2024-05-22 23:13:03"
        }
    ],
    "6742": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_Lazarus_Job_DLL_May2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on strings used in Lazarus DLL during one of their \"job\" campaigns.",
            "last_hit_utc": "2021-05-10 19:37:35"
        }
    ],
    "6743": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Lazarus_RAT_Jun18_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/DrunkBinary/status/1002587521073721346",
            "yara_rule_description": "Detects Lazarus Group RAT",
            "last_hit_utc": "2020-06-10 08:44:31"
        }
    ],
    "6744": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Liudoor",
            "yara_rule_author": "RSA FirstWatch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Liudoor daemon backdoor",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6745": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Loader_MSIL_PGF_2",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "base.js, ./lib/payload/techniques/jscriptdotnet/jscriptdotnet_payload.py",
            "last_hit_utc": "2021-04-03 06:15:02"
        }
    ],
    "6746": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_CommentCrew_MiniASP",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "CommentCrew Malware MiniASP APT",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6747": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_CommentCrew_MiniASP_RID32B1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "CommentCrew Malware MiniASP APT",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6748": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_PutterPanda_MsUpdater_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects Malware related to PutterPanda - MSUpdater",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6749": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_PutterPanda_MsUpdater_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects Malware related to PutterPanda - MSUpdater",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6750": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_PutterPanda_MsUpdater_1_RID3469",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects Malware related to PutterPanda - MSUpdater",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6751": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_PutterPanda_Rel",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects an APT malware related to PutterPanda",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6752": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_PutterPanda_Rel",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects an APT malware related to PutterPanda",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6753": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_PutterPanda_Rel_RID3167",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects an APT malware related to PutterPanda",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6754": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_PutterPanda_WUAUCLT",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects a malware related to Putter Panda",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6755": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_PutterPanda_WUAUCLT",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects a malware related to Putter Panda",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6756": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Malware_PutterPanda_WUAUCLT_RID3269",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Analysis",
            "yara_rule_description": "Detects a malware related to Putter Panda",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6757": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
            "yara_rule_description": "Detects HAFNIUM ASPX files dropped on compromised servers",
            "last_hit_utc": "2023-01-31 22:47:02"
        }
    ],
    "6758": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_BKA_GoldenSpy_Aug20_1",
            "yara_rule_author": "BKA",
            "yara_rule_reference": "https://www.bka.de/SharedDocs/Kurzmeldungen/DE/Warnhinweise/200821_Cyberspionage.html",
            "yara_rule_description": "Detects variants of GoldenSpy Malware",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6759": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_agent_powershell_b64encoded",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Piece of Base64 encoded data from Agent CSharp version",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6760": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_agent_powershell_dropper",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Strings from PowerShell dropper of CSharp version of Agent",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6761": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_agent_py",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Strings from Python version of Agent",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6762": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_agent_py_b64encoded",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Piece of Base64 encoded data from Agent Python version",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6763": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_checkadmin_bin",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Checkadmin utility",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6764": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_info_vbs",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Strings from the information grabber VBS",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6765": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_keylogger_py",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Strings from Python keylogger",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6766": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_timeliner_bin",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Timeliner utility",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6767": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_webshell_console_jsp",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Strings from the console.jsp webshell",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6768": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_webshell_ver_jsp",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Strings from the ver.jsp webshell",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6769": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_webshell_webinfo",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Generic strings from webinfo.war webshells",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6770": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_xserver_csharp",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Strings from the CSharp version of XServer",
            "last_hit_utc": "2025-10-28 13:43:53"
        }
    ],
    "6771": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_xserver_powershell_b64encoded",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Piece of Base64 encoded data from the XServer PowerShell dropper",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6772": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_CN_Wocao_xserver_powershell_dropper",
            "yara_rule_author": "Fox-IT SRT",
            "yara_rule_reference": "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
            "yara_rule_description": "Strings from the PowerShell dropper of XServer",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6773": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_DTRACK_Oct19_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21",
            "yara_rule_description": "Detects DTRACK malware",
            "last_hit_utc": "2021-02-18 11:29:46"
        }
    ],
    "6774": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_Fujinama",
            "yara_rule_author": "ReaQta Threat Intelligence Team",
            "yara_rule_reference": "https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa",
            "yara_rule_description": "Fujinama RAT used by Leonardo SpA Insider Threat",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6775": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_HP_iLO_Firmware_Dec21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/",
            "yara_rule_description": "Detects suspicious ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6776": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_Ke3chang_Ketrican_Jun20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "BfV Cyber-Brief Nr. 01/2020",
            "yara_rule_description": "Detects Ketrican malware",
            "last_hit_utc": "2022-10-05 10:04:02"
        }
    ],
    "6777": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_Ke3chang_Ketrican_Jun20_1_RID3280",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "BfV Cyber-Brief Nr. 01/2020",
            "yara_rule_description": "Detects Ketrican malware",
            "last_hit_utc": "2022-10-05 10:04:02"
        }
    ],
    "6778": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
            "yara_rule_description": "Detects BPFDoor implants used by Chinese actor Red Menshen",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6779": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_LUA_Hunting_Lua_SEASPRAY_1",
            "yara_rule_author": "Mandiant",
            "yara_rule_reference": "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
            "yara_rule_description": "Hunting rule looking for strings observed in SEASPRAY samples.",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6780": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_1_RID359E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
            "yara_rule_description": "Detects Lazarus VHD Ransomware",
            "last_hit_utc": "2022-04-28 11:03:02"
        }
    ],
    "6781": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_RU_Snake_Indicators_May23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF",
            "yara_rule_description": "Detects indicators found in Snake malware samples",
            "last_hit_utc": "2025-04-24 02:22:18"
        }
    ],
    "6782": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_RU_Turla_Kazuar_May20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.epicturla.com/blog/sysinturla",
            "yara_rule_description": "Detects Turla Kazuar malware",
            "last_hit_utc": "2022-02-21 09:59:06"
        }
    ],
    "6783": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_RU_Turla_Kazuar_May20_1_RID31E1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.epicturla.com/blog/sysinturla",
            "yara_rule_description": "Detects Turla Kazuar malware",
            "last_hit_utc": "2022-02-21 09:59:06"
        }
    ],
    "6784": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_Sandworm_Exaramel_Configuration_File_Ciphertext",
            "yara_rule_author": "FR/ANSSI/SDO",
            "yara_rule_reference": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
            "yara_rule_description": "Detects contents of the configuration file used by Exaramel (encrypted with key odhyrfjcnfkdtslt, sample e1ff72[...]",
            "last_hit_utc": "2025-11-05 08:22:23"
        }
    ],
    "6785": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_Sandworm_Exaramel_Configuration_Key",
            "yara_rule_author": "FR/ANSSI/SDO",
            "yara_rule_reference": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
            "yara_rule_description": "Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6786": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted",
            "yara_rule_author": "FR/ANSSI/SDO",
            "yara_rule_reference": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
            "yara_rule_description": "Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6787": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_Sandworm_Exaramel_Socket_Path",
            "yara_rule_author": "FR/ANSSI/SDO",
            "yara_rule_reference": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
            "yara_rule_description": "Detects path of the unix socket created to prevent concurrent executions in Exaramel malware",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6788": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_Sandworm_Exaramel_Strings",
            "yara_rule_author": "FR/ANSSI/SDO (composed from 4 saparate rules by Florian Roth)",
            "yara_rule_reference": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
            "yara_rule_description": "Detects Strings used by Exaramel malware",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6789": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_Sandworm_Exaramel_Task_Names",
            "yara_rule_author": "FR/ANSSI/SDO",
            "yara_rule_reference": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
            "yara_rule_description": "Detects names of the tasks received from the CC server in Exaramel malware",
            "last_hit_utc": "2025-10-28 13:43:54"
        }
    ],
    "6790": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_MAL_WinntiLinux_Main_AzazelFork_May19",
            "yara_rule_author": "Silas Cutler (havex [@] chronicle.security), Chronicle Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Detection of Linux variant of Winnti",
            "last_hit_utc": "2025-12-19 22:35:16"
        }
    ],
    "6791": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_MuddyWater_MuddyRot_strings",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RotRot backdoor based on strings permutations",
            "last_hit_utc": "2025-04-18 19:31:23"
        }
    ],
    "6792": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Nazar_Component_Guids",
            "yara_rule_author": "Itay Cohen",
            "yara_rule_reference": "https://www.epicturla.com/blog/the-lost-nazar",
            "yara_rule_description": "Detects Nazar Components by COM Objects' GUID",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "6793": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Neuron2_Loader_Strings",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detection of Neuron2 based on strings within the loader",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "6794": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_NK_AR18_165A_HiddenCobra_import_deob",
            "yara_rule_author": "NCCIC trusted 3rd party - Edit: Tobias Michalski",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A",
            "yara_rule_description": "Hidden Cobra - Detects installed proxy module as a service",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "6795": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_NK_BabyShark_KimJoingRAT_Apr19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/",
            "yara_rule_description": "Detects BabyShark KimJongRAT",
            "last_hit_utc": "2024-05-22 23:31:04"
        }
    ],
    "6796": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_NK_Lazarus_RC4_Loop",
            "yara_rule_author": "f-secure ",
            "yara_rule_reference": "https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical",
            "yara_rule_description": "Detects RC4 loop in Lazarus Group implant",
            "last_hit_utc": "2021-02-26 05:38:37"
        }
    ],
    "6797": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_NK_MAL_DLL_Apr23_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/",
            "yara_rule_description": "Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6798": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_NK_Methodology_Artificial_UserAgent_IE_Win7",
            "yara_rule_author": "Steve Miller aka @stvemillertime",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects hard-coded User-Agent string that has been present in several APT37 malware families.",
            "last_hit_utc": "2023-07-28 11:46:55"
        }
    ],
    "6799": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_nobelium_b64_to_Uint8Array",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Base64 decode to Uint8Array used in NOBELIUM HTML files",
            "last_hit_utc": "2025-01-04 09:59:59"
        }
    ],
    "6800": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_ProjectSauron_encrypted_container",
            "yara_rule_author": "",
            "yara_rule_reference": "https://securelist.com/blog/",
            "yara_rule_description": "Rule to detect ProjectSauron samples encrypted container",
            "last_hit_utc": "2022-03-05 21:51:03"
        }
    ],
    "6801": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_ProjectSauron_encrypted_LSA",
            "yara_rule_author": "",
            "yara_rule_reference": "https://securelist.com/blog/",
            "yara_rule_description": "Rule to detect ProjectSauron encrypted LSA samples",
            "last_hit_utc": "2022-03-06 06:29:25"
        }
    ],
    "6802": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_ProjectSauron_encrypted_SSPI",
            "yara_rule_author": null,
            "yara_rule_reference": "https://securelist.com/blog/",
            "yara_rule_description": "Rule to detect encrypted ProjectSauron SSPI samples",
            "last_hit_utc": "2025-01-04 09:01:13"
        }
    ],
    "6803": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_ProjectSauron_encryption",
            "yara_rule_author": "",
            "yara_rule_reference": "https://securelist.com/blog/",
            "yara_rule_description": "Rule to detect ProjectSauron string encryption",
            "last_hit_utc": "2022-03-06 06:29:25"
        }
    ],
    "6804": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_arping_module",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects strings from arping module - Project Sauron report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6805": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_arping_module_RID33C8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects strings from arping module - Project Sauron report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6806": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_basex_module",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects strings from basex module - Project Sauron report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6807": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_basex_module_RID335A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects strings from basex module - Project Sauron report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6808": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_Custom_M2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects malware from Project Sauron APT",
            "last_hit_utc": "2022-03-05 21:51:03"
        }
    ],
    "6809": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_Custom_M4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects malware from Project Sauron APT",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "6810": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_dext_module",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects strings from dext module - Project Sauron report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6811": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_dext_module_RID32FC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects strings from dext module - Project Sauron report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6812": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_kblogi_module",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects strings from kblogi module - Project Sauron report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6813": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_kblogi_module_RID33BF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects strings from kblogi module - Project Sauron report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6814": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Project_Sauron_Scripts",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects scripts (mostly LUA) from Project Sauron report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6815": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Proxy_Malware_Packed_dev",
            "yara_rule_author": "FRoth",
            "yara_rule_reference": null,
            "yara_rule_description": "APT Malware - Proxy",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6816": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_PupyRAT_PY",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
            "yara_rule_description": "Detects Pupy RAT",
            "last_hit_utc": "2021-09-13 14:22:06"
        }
    ],
    "6817": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_PY_ESXi_Backdoor_Dec22",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers",
            "yara_rule_description": "Detects Python backdoor found on ESXi servers",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6818": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_RANSOM_Lockbit_ForensicArtifacts_Nov23",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a",
            "yara_rule_description": "Detects patterns found in Lockbit TA attacks exploiting Citrixbleed vulnerability CVE-2023-4966",
            "last_hit_utc": "2025-10-28 13:43:55"
        }
    ],
    "6819": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_RUBY_RokRat_Loader",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/",
            "yara_rule_description": "Ruby loader seen loading the ROKRAT malware family.",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6820": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_RU_MoonlightMaze_customlokitools",
            "yara_rule_author": "Kaspersky Lab",
            "yara_rule_reference": "https://en.wikipedia.org/wiki/Moonlight_Maze",
            "yara_rule_description": "Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6821": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_RU_MoonlightMaze_customsniffer",
            "yara_rule_author": "Kaspersky Lab",
            "yara_rule_reference": "https://en.wikipedia.org/wiki/Moonlight_Maze",
            "yara_rule_description": "Rule to detect Moonlight Maze sniffer tools",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6822": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_RU_MoonlightMaze_xk_keylogger",
            "yara_rule_author": "Kaspersky Lab",
            "yara_rule_reference": "https://en.wikipedia.org/wiki/Moonlight_Maze",
            "yara_rule_description": "Rule to detect Moonlight Maze 'xk' keylogger",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6823": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_RU_Sandworm_PY_May20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/billyleonard/status/1266054881225236482",
            "yara_rule_description": "Detects Sandworm Python loader",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6824": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_RU_Sandworm_PY_May20_1_RID3026",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/billyleonard/status/1266054881225236482",
            "yara_rule_description": "Detects Sandworm Python loader",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6825": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_SAP_NetWeaver_Exploitation_Activity_Apr25_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/",
            "yara_rule_description": "Detects forensic artefacts related to exploitation activity of SAP NetWeaver CVE-2025-31324",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6826": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_SH_Sandworm_Shell_Script_May20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf",
            "yara_rule_description": "Detects shell script used by Sandworm in attack against Exim mail server",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6827": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_SH_Sandworm_Shell_Script_May20_1_RID343D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf",
            "yara_rule_description": "Detects shell script used by Sandworm in attack against Exim mail server",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6828": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Stuxnet_maindll_decrypted_unpacked_RID365D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample - file maindll.decrypted.unpacked.dll_",
            "last_hit_utc": "2025-11-05 08:21:34"
        }
    ],
    "6829": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Thrip_Sample_Jun18_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
            "yara_rule_description": "Detects sample found in Thrip report by Symantec",
            "last_hit_utc": "2025-01-03 21:47:34"
        }
    ],
    "6830": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Thrip_Sample_Jun18_4_RID2FA5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
            "yara_rule_description": "Detects sample found in Thrip report by Symantec",
            "last_hit_utc": "2025-01-03 21:47:34"
        }
    ],
    "6831": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Thrip_Sample_Jun18_7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
            "yara_rule_description": "Detects sample found in Thrip report by Symantec",
            "last_hit_utc": "2022-08-31 04:02:03"
        }
    ],
    "6832": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Thrip_Sample_Jun18_7_RID2FA8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
            "yara_rule_description": "Detects sample found in Thrip report by Symantec",
            "last_hit_utc": "2022-08-31 04:02:03"
        }
    ],
    "6833": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Turla_Agent_BTZ_Gen_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Turla Agent.BTZ",
            "last_hit_utc": "2022-08-31 04:01:03"
        }
    ],
    "6834": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Turla_Agent_BTZ_Gen_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Turla Agent.BTZ",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6835": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_turla_pdb",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://attack.mitre.org/groups/G0010/",
            "yara_rule_description": "Rule to detect a component of the APT Turla",
            "last_hit_utc": "2022-10-16 21:53:03"
        }
    ],
    "6836": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_UA_Hermetic_Wiper_Artefacts_Feb22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
            "yara_rule_description": "Detects artefacts found in Hermetic Wiper malware related intrusions",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6837": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_UA_Hermetic_Wiper_Feb22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/",
            "yara_rule_description": "Detects Hermetic Wiper malware",
            "last_hit_utc": "2022-03-29 17:31:03"
        }
    ],
    "6838": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
            "yara_rule_description": "Detects scheduled task pattern found in Hermetic Wiper malware related intrusions",
            "last_hit_utc": "2025-10-28 13:43:56"
        }
    ],
    "6839": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_UNC2447_PS1_WARPRISM_May21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
            "yara_rule_description": "Detects WARPRISM PowerShell samples from UNC2447 campaign",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6840": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_UNC4841_ESG_Barracuda_CVE_2023_2868_Forensic_Artifacts_Jun23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
            "yara_rule_description": "Detects forensic artifacts found in the exploitation of CVE-2023-2868 in Barracuda ESG devices by UNC4841",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6841": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_UNC5221_Ivanti_ForensicArtifacts_Jan24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
            "yara_rule_description": "Detects forensic artifacts found in the Ivanti VPN exploitation campaign by APT UNC5221",
            "last_hit_utc": "2024-02-15 15:03:03"
        }
    ],
    "6842": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
            "yara_rule_description": "Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6843": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Webshell_SUPERNOVA_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": null,
            "yara_rule_description": "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA.",
            "last_hit_utc": "2020-12-28 05:14:12"
        }
    ],
    "6844": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_Webshell_SUPERNOVA_2",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args).",
            "last_hit_utc": "2020-12-28 05:14:12"
        }
    ],
    "6845": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "APT_WEBSHELL_Tiny_WebShell",
            "yara_rule_author": "Markus Neis,Swisscom",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
            "yara_rule_description": "Detects WebShell Injection",
            "last_hit_utc": "2023-12-01 12:49:03"
        }
    ],
    "6846": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "apt_Windows_TA410_X4_strings",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/",
            "yara_rule_description": "Matches various strings found in TA410 X4",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6847": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ArechClient_Campaign_July2021",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://twitter.com/bcrypt/status/1420471176137113601",
            "yara_rule_description": "Identifies ArechClient stealer's July 2021 campaign.",
            "last_hit_utc": "2021-08-06 12:57:51"
        }
    ],
    "6848": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Arkei",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-10-05 05:33:07"
        }
    ],
    "6849": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Armadillo3X5XSiliconRealmsToolworks",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:35:45"
        }
    ],
    "6850": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Armadillov19x",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:18:00"
        }
    ],
    "6851": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Armadillov430v440SiliconRealmsToolworks",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:35:45"
        }
    ],
    "6852": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ArtTrayHookDll",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6853": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ArtTrayHookDll",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6854": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ASPackv2000AlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-12 13:41:03"
        }
    ],
    "6855": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ASPackv2001AlexeySolodovnikov",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:10:32"
        }
    ],
    "6856": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ASPack_Chinese",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini",
            "last_hit_utc": "2025-10-28 13:43:57"
        }
    ],
    "6857": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ASPack_Chinese",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "6858": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ASProtectv10",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-14 15:04:03"
        }
    ],
    "6859": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ASProtectv12AlexeySolodovnikovh1",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-30 20:05:31"
        }
    ],
    "6860": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ASProtectvIfyouknowthisversionpostonPEiDboardh2",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-16 22:07:07"
        }
    ],
    "6861": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "AthenaHTTP",
            "yara_rule_author": "Brian Wallace @botnet_hunter",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify Athena HTTP",
            "last_hit_utc": "2021-06-13 18:09:07"
        }
    ],
    "6862": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "AthenaHTTP_v2",
            "yara_rule_author": "Jason Jones <jasonjones@arbor.net>",
            "yara_rule_reference": null,
            "yara_rule_description": "Athena HTTP identification",
            "last_hit_utc": "2021-06-13 18:09:07"
        }
    ],
    "6863": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "atollon",
            "yara_rule_author": "Hugo Porcher",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf",
            "yara_rule_description": "Rule to detect Atollon family",
            "last_hit_utc": "2026-02-13 15:19:16"
        }
    ],
    "6864": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "AuroraStealer",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer",
            "yara_rule_description": "Identifies Aurora Stealer.",
            "last_hit_utc": "2025-06-16 16:39:42"
        }
    ],
    "6865": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Avaddon",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Avaddon ransomware.",
            "last_hit_utc": "2023-03-11 04:19:03"
        }
    ],
    "6866": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BabukLocker",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
            "yara_rule_description": "Babuk Locker ransomware",
            "last_hit_utc": "2021-03-13 06:24:44"
        }
    ],
    "6867": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "babylonRAT",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked babylonRAT malware samples.",
            "last_hit_utc": "2025-06-22 22:05:41"
        }
    ],
    "6868": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BackDoorLogger",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "6869": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BadBunny",
            "yara_rule_author": "Christiaan Beek",
            "yara_rule_reference": "",
            "yara_rule_description": "Bad Rabbit Ransomware",
            "last_hit_utc": "2022-04-19 15:33:02"
        }
    ],
    "6870": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BadRabbit",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "BadRabbit Payload",
            "last_hit_utc": "2025-09-30 14:11:35"
        }
    ],
    "6871": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BadRabbitInstaller",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-04 08:21:33"
        }
    ],
    "6872": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BadRabbitInstaller",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-19 16:20:04"
        }
    ],
    "6873": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BadRabbitWiper",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-19 15:33:02"
        }
    ],
    "6874": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BadRabbit_Mimikatz_Comp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://pastebin.com/Y7pJv3tK",
            "yara_rule_description": "Auto-generated rule",
            "last_hit_utc": "2025-09-22 09:47:27"
        }
    ],
    "6875": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BadRabbit_Mimikatz_Comp_RID2FFF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://pastebin.com/Y7pJv3tK",
            "yara_rule_description": "Semiautomatically generated YARA rule",
            "last_hit_utc": "2025-09-22 09:47:27"
        }
    ],
    "6876": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "banbra",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:34:45"
        }
    ],
    "6877": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Batch_Powershell_Invoke_Inveigh",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
            "yara_rule_description": "Detects malicious batch file from NCSC report",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "6878": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Batch_Script_To_Run_PsExec",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
            "yara_rule_description": "Detects malicious batch file from NCSC report",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "6879": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BazaFiiii",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:26:23"
        }
    ],
    "6880": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "bazaloader_new_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/c2a9076e-3174-4ad5-b284-d562778dd644",
            "yara_rule_description": "Asshat loader",
            "last_hit_utc": "2021-01-08 20:16:07"
        }
    ],
    "6881": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "bazaloader_new_bin_s",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/c2a9076e-3174-4ad5-b284-d562778dd644",
            "yara_rule_description": "Asshat loader",
            "last_hit_utc": "2021-01-08 20:16:07"
        }
    ],
    "6882": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BazaRer",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-23 22:19:04"
        }
    ],
    "6883": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BazaSignature2",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-24 08:20:03"
        }
    ],
    "6884": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Beastdoor_Backdoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the backdoor Beastdoor",
            "last_hit_utc": "2025-10-28 13:43:58"
        }
    ],
    "6885": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Bebloh",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect Bebloh (a.k.a. URLZone) in memory",
            "last_hit_utc": "2020-06-19 18:28:05"
        }
    ],
    "6886": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BEERBOT_V4",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-24 07:53:32"
        }
    ],
    "6887": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BEERBOT_V4",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-09-13 16:00:09"
        }
    ],
    "6888": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "benchmark_10M",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "rig_win64 - file benchmark_10M.cmd",
            "last_hit_utc": "2022-03-18 07:23:04"
        }
    ],
    "6889": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "benchmark_1M",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "rig_win64 - file benchmark_1M.cmd",
            "last_hit_utc": "2022-03-18 07:23:04"
        }
    ],
    "6890": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BeRoEXEPackerV100BeRo",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-30 15:12:14"
        }
    ],
    "6891": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BeRoTinyPascalBeRo",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-04 01:32:02"
        }
    ],
    "6892": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BeyondExec_RemoteAccess_Tool",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/BvYurS",
            "yara_rule_description": "Detects BeyondExec Remote Access Tool - file rexesvr.exe",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "6893": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BeyondExec_RemoteAccess_Tool_RID3211",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/BvYurS",
            "yara_rule_description": "Detects BeyondExec Remote Access Tool - file rexesvr.exe",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "6894": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BKDR_XZUtil_KillSwitch_CVE_2024_3094_Mar24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01?permalink_comment_id=5006558#gistcomment-5006558",
            "yara_rule_description": "Detects kill switch used by the backdoored XZ library (xzutil) CVE-2024-3094.",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "6895": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BKDR_XZUtil_Script_CVE_2024_3094_Mar24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.openwall.com/lists/oss-security/2024/03/29/4",
            "yara_rule_description": "Detects make file and script contents used by the backdoored XZ library (xzutil) CVE-2024-3094.",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "6896": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BlackDropper",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "BlackDropper",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "6897": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "blackremote_blackrat_payload_2020",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-02-07 14:48:03"
        }
    ],
    "6898": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BlackTech_Bifrose_elf",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "ELF Bifrose in BlackTech",
            "last_hit_utc": "2025-01-03 20:16:38"
        }
    ],
    "6899": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BlackTech_PLEAD_elf",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "ELF PLEAD",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "6900": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BlackTech_PLEAD_elf",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "ELF PLEAD",
            "last_hit_utc": "2022-03-04 08:34:06"
        }
    ],
    "6901": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BlackTech_PLEAD_mutex",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "PLEAD malware mutex strings",
            "last_hit_utc": "2025-11-05 08:21:34"
        }
    ],
    "6902": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Blister",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Blister Loader",
            "last_hit_utc": "2025-11-05 08:22:24"
        }
    ],
    "6903": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BluesPortScan",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file BluesPortScan.exe",
            "last_hit_utc": "2025-10-28 13:43:59"
        }
    ],
    "6904": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Brooxml_Hunting",
            "yara_rule_author": "Proofpoint",
            "yara_rule_reference": "https://x.com/threatinsight/status/1861817946508763480",
            "yara_rule_description": "Detects Microsoft OOXML files with prepended data/manipulated header",
            "last_hit_utc": "2026-03-01 10:07:23"
        }
    ],
    "6905": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Bublik",
            "yara_rule_author": "Kevin Falcoz",
            "yara_rule_reference": null,
            "yara_rule_description": "Bublik Trojan Downloader",
            "last_hit_utc": "2025-05-03 03:57:07"
        }
    ],
    "6906": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Builder_MSIL_SinfulOffice_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SinfulOffice' project.",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "6907": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BumbleBeeLoader",
            "yara_rule_author": "enzo & kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "BumbleBee Loader",
            "last_hit_utc": "2025-01-05 14:57:07"
        }
    ],
    "6908": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ByPassFireWall_zip_Folder_Inject",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file Inject.exe",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "6909": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ByPassFireWall_zip_Folder_Inject",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file Inject.exe",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "6910": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BypassUac2",
            "yara_rule_author": "yarGen Yara Rule Generator",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule - file BypassUac2.zip",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "6911": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BypassUacDll_6",
            "yara_rule_author": "yarGen Yara Rule Generator",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule - file BypassUacDll.aps",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "6912": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BypassUacDll_7",
            "yara_rule_author": "yarGen Yara Rule Generator",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule - file BypassUacDll.aps",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "6913": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BypassUac_3",
            "yara_rule_author": "yarGen Yara Rule Generator",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule - file BypassUacDll.dll",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "6914": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "BypassUac_EXE",
            "yara_rule_author": "yarGen Yara Rule Generator",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule - file BypassUacDll.aps",
            "last_hit_utc": "2025-11-05 08:22:25"
        }
    ],
    "6915": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ByteCode_MSIL_Ransomware_McBurglar",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects McBurglar ransomware.",
            "last_hit_utc": "2022-09-24 09:41:06"
        }
    ],
    "6916": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ByteCode_MSIL_Ransomware_Povlsomware",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Povlsomware ransomware.",
            "last_hit_utc": "2023-11-20 22:55:03"
        }
    ],
    "6917": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ByteCode_MSIL_Ransomware_WormLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects WormLocker ransomware.",
            "last_hit_utc": "2022-06-20 17:19:02"
        }
    ],
    "6918": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ByteCode_MSIL_Ransomware_ZeroLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects ZeroLocker ransomware.",
            "last_hit_utc": "2022-09-24 09:41:08"
        }
    ],
    "6919": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cachedump",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "6920": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cachedump_RID2ABB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - from files cachedump_RID2ABB.exe, cachedump_RID2ABB64.exe",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "6921": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CACTUSTORCH",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/mdsecactivebreach/CACTUSTORCH",
            "yara_rule_description": "Detects CactusTorch Hacktool",
            "last_hit_utc": "2022-01-15 09:58:08"
        }
    ],
    "6922": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Carbanak",
            "yara_rule_author": "enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "Carbanak Payload",
            "last_hit_utc": "2024-01-02 00:43:02"
        }
    ],
    "6923": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CarbonCommunicationLibrary_v3_62_",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-16 21:53:04"
        }
    ],
    "6924": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CarbonCommunicationLibrary_v4_00_",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-19 21:25:37"
        }
    ],
    "6925": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CarbonDropper_v3_71_",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-16 21:53:04"
        }
    ],
    "6926": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CarbonDropper_v3_77_",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-03-05 21:52:04"
        }
    ],
    "6927": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CarbonLoader_v3_77_",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-03-05 21:52:04"
        }
    ],
    "6928": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CarbonOrchestrator_v3_71_",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-16 21:53:04"
        }
    ],
    "6929": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Casper_Backdoor_x86",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-11-05 08:21:34"
        }
    ],
    "6930": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Casper_SystemInformation_Output",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "6931": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Casper_SystemInformation_Output",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "6932": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Casper_SystemInformation_Output_RID33C9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/VRJNLo",
            "yara_rule_description": "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo",
            "last_hit_utc": "2025-10-28 13:44:00"
        }
    ],
    "6933": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "caspratique_lumma",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-04 10:10:57"
        }
    ],
    "6934": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CAS_Dataleak",
            "yara_rule_author": "Michael Reinprecht",
            "yara_rule_reference": null,
            "yara_rule_description": "DEMO CAS YARA Rules for @ost.ch",
            "last_hit_utc": "2026-03-12 12:15:28"
        }
    ],
    "6935": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cerber3",
            "yara_rule_author": "pekeinfo",
            "yara_rule_reference": null,
            "yara_rule_description": "Cerber3 ",
            "last_hit_utc": "2020-10-25 20:07:08"
        }
    ],
    "6936": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_08d4352185317271c1cec9d05c279af7",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2023-08-24 07:24:04"
        }
    ],
    "6937": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_09c89de6f64a7fdf657e69353c5fdd44",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2021-05-06 14:12:22"
        }
    ],
    "6938": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_0b1926a5e8ae50a0efa504f005f93869",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2025-06-16 16:06:33"
        }
    ],
    "6939": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_0dd7d4a785990584d8c0837659173272",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2025-07-08 13:45:36"
        }
    ],
    "6940": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_0efd9bd4b4281c6522d96011df46c9c4",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2025-07-08 13:45:36"
        }
    ],
    "6941": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_15c5af15afecf1c900cbab0ca9165629",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2022-01-02 19:27:04"
        }
    ],
    "6942": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_1a0fd2a4ef4c2a36ab9c5e8f792a35e2",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2025-01-03 19:32:43"
        }
    ],
    "6943": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_256541e204619033f8b09f9eb7c88ef8",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2025-01-23 16:43:03"
        }
    ],
    "6944": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_39f56251df2088223cc03494084e6081",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2023-03-05 13:41:05"
        }
    ],
    "6945": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_566ac16a57b132d3f64dced14de790ee",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2021-05-11 00:31:13"
        }
    ],
    "6946": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_56d576a062491ea0a5877ced418203a1",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2021-02-08 08:37:22"
        }
    ],
    "6947": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2021-08-03 08:00:29"
        }
    ],
    "6948": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_77019a082385e4b73f569569c9f87bb8",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2022-07-16 08:08:03"
        }
    ],
    "6949": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_ac307e5257bb814b818d3633b630326f",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2025-01-03 19:39:22"
        }
    ],
    "6950": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cert_blocklist_fd8c468cc1b45c9cfb41cbd8c835cc9e",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Certificate used for digitally signing malware.",
            "last_hit_utc": "2022-08-31 02:55:03"
        }
    ],
    "6951": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CExev10a",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-18 22:56:14"
        }
    ],
    "6952": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Chinese_Hacktool_1014",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects a Chinese hacktool with unknown use",
            "last_hit_utc": "2022-06-24 10:28:03"
        }
    ],
    "6953": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ciscotools",
            "yara_rule_author": "Tim Brown @timb_machine",
            "yara_rule_reference": "",
            "yara_rule_description": "Cisco tools",
            "last_hit_utc": "2022-05-13 10:17:03"
        }
    ],
    "6954": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CleanIISLog",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file CleanIISLog.exe",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "6955": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CleanIISLog",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file CleanIISLog.exe",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "6956": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cndcom_cndcom",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file cndcom.exe",
            "last_hit_utc": "2025-05-12 06:29:12"
        }
    ],
    "6957": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cndcom_cndcom_RID2C58",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file cndcom.exe",
            "last_hit_utc": "2025-05-12 06:29:12"
        }
    ],
    "6958": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_APT_ZeroT_extracted_Mcutil",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx",
            "yara_rule_description": "Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "6959": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_APT_ZeroT_extracted_Mcutil_RID3229",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx",
            "yara_rule_description": "Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "6960": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_disclosed_20180208_Mal5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2022-02-04 02:12:06"
        }
    ],
    "6961": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_disclosed_20180208_Mal5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details",
            "yara_rule_description": "Detects malware from disclosed CN malware set",
            "last_hit_utc": "2025-06-22 22:05:38"
        }
    ],
    "6962": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Hacktool_1433_Scanner_Comp2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Chinese MSSQL scanner - component 2",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "6963": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Hacktool_1433_Scanner_Comp2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Chinese MSSQL scanner - component 2",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "6964": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Hacktool_MilkT_Scanner",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Chinese Portscanner named MilkT",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "6965": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Hacktool_MilkT_Scanner",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Chinese Portscanner named MilkT",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "6966": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Hacktool_ScanPort_Portscanner",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Chinese Portscanner named ScanPort",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "6967": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Hacktool_ScanPort_Portscanner",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Chinese Portscanner named ScanPort",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "6968": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Hacktool_SSPort_Portscanner",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Chinese Portscanner named SSPort",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "6969": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Hacktool_SSPort_Portscanner",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Chinese Portscanner named SSPort",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "6970": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_GetHashes_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file GetHashes.exe",
            "last_hit_utc": "2023-06-24 15:31:03"
        }
    ],
    "6971": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_GetHashes_2_RID2ED4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file GetHashes.exe",
            "last_hit_utc": "2023-06-24 15:31:03"
        }
    ],
    "6972": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_HASH_32",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file 32.exe",
            "last_hit_utc": "2024-03-18 11:40:03"
        }
    ],
    "6973": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_HASH_32_RID2CAF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file 32.exe",
            "last_hit_utc": "2024-03-18 11:40:03"
        }
    ],
    "6974": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_HASH_pwhash",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file pwhash.exe",
            "last_hit_utc": "2021-03-10 14:25:49"
        }
    ],
    "6975": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_HASH_pwhash",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file pwhash.exe",
            "last_hit_utc": "2025-06-28 11:57:18"
        }
    ],
    "6976": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_HASH_pwhash_RID2ED5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file pwhash.exe",
            "last_hit_utc": "2025-06-28 11:57:18"
        }
    ],
    "6977": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_mempodipper2_6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file mempodipper2.6.39",
            "last_hit_utc": "2021-10-12 18:23:05"
        }
    ],
    "6978": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_mempodipper2_6_RID3030",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file mempodipper2.6.39",
            "last_hit_utc": "2021-10-12 18:23:05"
        }
    ],
    "6979": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_SAMInside",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file SAMInside.exe",
            "last_hit_utc": "2023-06-24 15:31:04"
        }
    ],
    "6980": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_SAMInside_RID2E04",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file SAMInside.exe",
            "last_hit_utc": "2023-06-24 15:31:04"
        }
    ],
    "6981": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_T00ls_Lpk_Sethc_v4_LPK",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file LPK.DAT",
            "last_hit_utc": "2023-02-01 06:30:03"
        }
    ],
    "6982": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_T00ls_Lpk_Sethc_v4_LPK_RID3285",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file LPK.DAT",
            "last_hit_utc": "2023-02-01 06:30:04"
        }
    ],
    "6983": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_Webshell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file Webshell.exe",
            "last_hit_utc": "2023-02-08 10:49:02"
        }
    ],
    "6984": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker_Webshell_RID2DFD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - file Webshell.exe",
            "last_hit_utc": "2023-02-08 10:49:02"
        }
    ],
    "6985": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Honker__builder_shift_SkinH",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed CN Honker Pentest Toolset",
            "yara_rule_description": "Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe",
            "last_hit_utc": "2023-02-27 18:25:19"
        }
    ],
    "6986": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Portscan",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "CN Port Scanner",
            "last_hit_utc": "2023-09-11 16:27:03"
        }
    ],
    "6987": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Toolset_sig_1433_135_sqlr",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://qiannao.com/ls/905300366/33834c0c/",
            "yara_rule_description": "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "6988": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Toolset_sig_1433_135_sqlr_RID30D0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://qiannao.com/ls/905300366/33834c0c/",
            "yara_rule_description": "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe",
            "last_hit_utc": "2025-10-28 13:44:02"
        }
    ],
    "6989": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Toolset__XScanLib_XScanLib_XScanLib",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://qiannao.com/ls/905300366/33834c0c/",
            "yara_rule_description": "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll",
            "last_hit_utc": "2025-10-28 13:44:01"
        }
    ],
    "6990": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Tools_PcShare",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file PcShare.exe",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "6991": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CN_Tools_PcShare_RID2D17",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file PcShare.exe",
            "last_hit_utc": "2025-11-05 08:22:26"
        }
    ],
    "6992": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cobaltstrike_beacon_10001",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects cobalt strike decrypted beacons.",
            "last_hit_utc": "2024-05-25 09:46:03"
        }
    ],
    "6993": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike_Resources_Artifact64_v1_49_v2_x_v3_0_v3_3_thru_v3_14",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/artifact64{.dll,.exe,big.exe,big.dll,bigsvc.exe,big.x64.dll} and resources/artifactuac(alt)64.dll signature for versions v1.49, v2.x, v3.0, and v3.3 through v3.14",
            "last_hit_utc": "2024-06-11 10:49:04"
        }
    ],
    "6994": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike_Resources_Artifact64_v3_1_v3_2_v3_14_and_v4_0",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/artifact64{svcbig.exe,.dll,big.dll,svc.exe} and resources/artifactuac(big)64.dll signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x",
            "last_hit_utc": "2024-02-16 10:17:03"
        }
    ],
    "6995": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike_Resources_Beacon_Dll_v3_11_bugfix_and_v3_12",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/beacon.dll Versions 3.11-bugfix and 3.12",
            "last_hit_utc": "2023-02-04 20:54:04"
        }
    ],
    "6996": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike_Resources_Bind64_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/bind64.bin signature for versions v2.5 to v4.x",
            "last_hit_utc": "2024-05-30 04:35:03"
        }
    ],
    "6997": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike_Resources_Template__x32_x64_Ps1_v1_45_to_v2_5_and_v3_11_to_v3_14",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/template.x64.ps1, resources/template.x32 from v3.11 to v3.14 and resources/template.ps1 from v1.45 to v2.5",
            "last_hit_utc": "2025-01-03 22:05:16"
        }
    ],
    "6998": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike_Resources__Template_Vbs_v3_3_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's resources/btemplate.vbs signature for versions v3.3 to v4.x",
            "last_hit_utc": "2025-01-05 16:40:01"
        }
    ],
    "6999": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike_Sleeve_BeaconLoader_HA_x86_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
            "yara_rule_description": "Cobalt Strike's sleeve/BeaconLoader.HA.x86.o (HeapAlloc) Versions 4.3 through at least 4.6",
            "last_hit_utc": "2023-10-19 14:18:02"
        }
    ],
    "7000": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike__Resources_Artifact64_v1_49_v2_x_v3_0_v3_3_thru_v3_14",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-06-11 10:49:04"
        }
    ],
    "7001": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike__Resources_Artifact64_v3_1_v3_2_v3_14_and_v4_0",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-16 10:17:03"
        }
    ],
    "7002": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike__Resources_Beacon_Dll_v3_11_bugfix_and_v3_12",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-02-04 20:54:04"
        }
    ],
    "7003": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike__Resources_Beacon_Dll_v3_8",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-07-13 19:41:03"
        }
    ],
    "7004": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike__Resources_Bind64_Bin_v2_5_through_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-30 04:35:03"
        }
    ],
    "7005": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike__Resources_Template__x32_x64_Ps1_v1_45_to_v2_5_and_v3_11_to_v3_14",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:05:16"
        }
    ],
    "7006": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike__Resources__Template_Vbs_v3_3_to_v4_x",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:40:01"
        }
    ],
    "7007": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CobaltStrike__Sleeve_BeaconLoader_HA_x86_o_v4_3_v4_4_v4_5_and_v4_6",
            "yara_rule_author": "gssincla@google.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-19 14:18:02"
        }
    ],
    "7008": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CodeVirtualizer1310OreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-21 18:43:03"
        }
    ],
    "7009": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Codoso_CustomTCP_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT CustomTCP Malware",
            "last_hit_utc": "2025-10-28 13:44:02"
        }
    ],
    "7010": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Codoso_CustomTCP_4_RID2DCC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT CustomTCP Malware",
            "last_hit_utc": "2025-10-28 13:44:02"
        }
    ],
    "7011": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Codoso_PGV_PVID_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT PGV PVID Malware",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "7012": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Codoso_PGV_PVID_1_RID2CE6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT PGV PVID Malware",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "7013": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Codoso_PGV_PVID_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT PGV PVID Malware",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "7014": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Codoso_PGV_PVID_3_RID2CE8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
            "yara_rule_description": "Detects Codoso APT PGV PVID Malware",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "7015": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "colibri_loader",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect_colibri_loader",
            "last_hit_utc": "2023-02-13 10:51:04"
        }
    ],
    "7016": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Contains_hidden_PE_File_inside_a_sequence_of_numbers",
            "yara_rule_author": "Martin Willing (https://evild3ad.com)",
            "yara_rule_reference": "http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/",
            "yara_rule_description": "Detect a hidden PE file inside a sequence of numbers (comma separated)",
            "last_hit_utc": "2025-01-03 22:55:30"
        }
    ],
    "7017": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CoreImpact_sysdll_exe",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a malware sysdll.exe from the Rocket Kitten APT",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "7018": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CosmicDuke",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-03-05 21:50:08"
        }
    ],
    "7019": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Crackmapexec_EXE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects CrackMapExec hack tool",
            "last_hit_utc": "2020-11-03 13:09:23"
        }
    ],
    "7020": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crack_Loader",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file Loader.exe",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "7021": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CredTheft_MSIL_ADPassHunt_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public ADPassHunt project.",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "7022": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CredTheft_MSIL_ADPassHunt_2",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "7023": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CredTheft_MSIL_TitoSpecial_2",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the TitoSpecial project. There are 2 GUIDs in this rule as the x86 and x64 versions of this tool use a different ProjectGuid.",
            "last_hit_utc": "2025-11-05 08:22:27"
        }
    ],
    "7024": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crime_trickbot_bazar_loader",
            "yara_rule_author": "AT&T Alien Labs",
            "yara_rule_reference": "https://otx.alienvault.com/pulse/5ea7262636e7f750733c7436",
            "yara_rule_description": "TrickBot BazarLoader",
            "last_hit_utc": "2021-02-25 14:27:36"
        }
    ],
    "7025": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crime_win32_falouu_1m",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1191466698651709441",
            "yara_rule_description": "Detects this multi-purpose malware falouu in memory",
            "last_hit_utc": "2022-02-07 13:44:04"
        }
    ],
    "7026": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crime_win32_loader_delphiload_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "twitter",
            "yara_rule_description": "Detects Delphi Loader (shiotob)",
            "last_hit_utc": "2020-10-08 10:26:04"
        }
    ],
    "7027": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crime_win32_ransom_maze_dll_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1251388507219726338",
            "yara_rule_description": "Detects Maze ransomware payload dll unpacked",
            "last_hit_utc": "2021-09-07 06:10:16"
        }
    ],
    "7028": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crime_win32_ransom_nefilim_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "https://twitter.com/VK_Intel/status/1245789909337677825",
            "yara_rule_description": "Detects Nefilim aka Nemty Revenue Project",
            "last_hit_utc": "2023-09-11 16:27:04"
        }
    ],
    "7029": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crime_win32_ransom_nemty_nephilim_rev_1",
            "yara_rule_author": "@VK_Intel",
            "yara_rule_reference": "INTEL-SRC",
            "yara_rule_description": "Detects Nephilim AND Nemty Revenue Project",
            "last_hit_utc": "2023-09-11 16:27:04"
        }
    ],
    "7030": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crime_win64_bazarloader_packed_sep21",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-02-03 20:15:04"
        }
    ],
    "7031": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crime_win64_emotet_unpacked",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects emotet x64 payload",
            "last_hit_utc": "2022-04-20 17:48:03"
        }
    ],
    "7032": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "crime_win_rustybuer_a0",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unpacked buer written in rust",
            "last_hit_utc": "2021-05-15 07:22:09"
        }
    ],
    "7033": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CrimsonRAT_Mar18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects CrimsonRAT malware",
            "last_hit_utc": "2025-04-08 14:06:17"
        }
    ],
    "7034": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CrimsonRAT_Mar18_1_RID2D4B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects CrimsonRAT malware",
            "last_hit_utc": "2025-04-08 14:06:17"
        }
    ],
    "7035": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CrowdStrike_SUNSPOT_02",
            "yara_rule_author": "",
            "yara_rule_reference": "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/",
            "yara_rule_description": "Detects mutex names in SUNSPOT",
            "last_hit_utc": "2022-10-05 10:04:02"
        }
    ],
    "7036": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CrowdStrike_SUNSPOT_03",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Detects log format lines in SUNSPOT",
            "last_hit_utc": "2021-06-29 10:36:32"
        }
    ],
    "7037": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CrunchPEv10xx",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-08 15:44:03"
        }
    ],
    "7038": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CrunchPEv20xx",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-27 07:14:14"
        }
    ],
    "7039": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CRU_Xerph_Stealer_v0",
            "yara_rule_author": "ConnectWise CRU",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects window hiding and mutex creation routine of Xerph Stealer",
            "last_hit_utc": "2025-05-20 08:05:30"
        }
    ],
    "7040": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CryptoLocker_rule2",
            "yara_rule_author": "Christiaan Beek, Christiaan_Beek@McAfee.com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detection of CryptoLocker Variants",
            "last_hit_utc": "2022-07-15 14:36:03"
        }
    ],
    "7041": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "csext",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "7042": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "custom_ssh_backdoor_server",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/S46L3o",
            "yara_rule_description": "Custom SSH backdoor based on python and paramiko - file server.py",
            "last_hit_utc": "2025-10-28 13:44:03"
        }
    ],
    "7043": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cve202120837_webshell_fox",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "CVE-2021-20837 PHP webshell (fox)",
            "last_hit_utc": "2025-02-18 07:31:14"
        }
    ],
    "7044": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CVE_2014_4076_Exploitcode",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "Detects an exploit code for CVE-2014-4076",
            "last_hit_utc": "2025-01-05 15:07:56"
        }
    ],
    "7045": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CVE_2014_4076_Exploitcode_RID2F24",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "Detects an exploit code for CVE-2014-4076",
            "last_hit_utc": "2025-01-05 15:07:56"
        }
    ],
    "7046": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CVE_2015_1701_Taihou",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/W4nU0q",
            "yara_rule_description": "CVE-2015-1701 compiled exploit code",
            "last_hit_utc": "2020-11-07 22:09:55"
        }
    ],
    "7047": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CVE_2017_8759_Mal_HTA",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample",
            "yara_rule_description": "Detects malicious files related to CVE-2017-8759 - file cmd.hta",
            "last_hit_utc": "2025-01-05 15:55:50"
        }
    ],
    "7048": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "CVE_2017_8759_Mal_HTA_RID2D09",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample",
            "yara_rule_description": "Detects malicious files related to CVE-2017-8759 - file cmd.hta",
            "last_hit_utc": "2025-01-05 15:55:50"
        }
    ],
    "7049": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cve_2019_1458",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://github.com/unamer/CVE-2019-1458",
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-29 11:33:02"
        }
    ],
    "7050": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cve_2021_40444_document_rels_xml",
            "yara_rule_author": "Jeremy Brown / @alteredbytes",
            "yara_rule_reference": "https://twitter.com/AlteredBytes/status/1435811407249952772",
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-08 07:38:17"
        }
    ],
    "7051": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cve_2021_40444_document_rels_xml",
            "yara_rule_author": "Jeremy Brown / @alteredbytes",
            "yara_rule_reference": "https://twitter.com/AlteredBytes/status/1435811407249952772",
            "yara_rule_description": "",
            "last_hit_utc": "2022-06-16 11:29:02"
        }
    ],
    "7052": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cve_2021_40444_document_rels_xml_1",
            "yara_rule_author": "Jeremy Brown / @alteredbytes",
            "yara_rule_reference": "https://twitter.com/AlteredBytes/status/1435811407249952772",
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-08 07:38:17"
        }
    ],
    "7053": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cve_2021_40444_document_rels_xml_1",
            "yara_rule_author": "Jeremy Brown / @alteredbytes",
            "yara_rule_reference": "https://twitter.com/AlteredBytes/status/1435811407249952772",
            "yara_rule_description": "",
            "last_hit_utc": "2022-06-16 11:29:02"
        }
    ],
    "7054": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "cw_Windows_Redline_panel_distinctive_strings",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/en/eset-research/life-crooked-redline-analyzing-infamous-infostealers-backend/",
            "yara_rule_description": "Matches rare strings found in Redline panel",
            "last_hit_utc": "2025-05-13 06:50:32"
        }
    ],
    "7055": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Cythosia",
            "yara_rule_author": "Brian Wallace @botnet_hunter",
            "yara_rule_reference": null,
            "yara_rule_description": "Identify Cythosia",
            "last_hit_utc": "2020-08-24 21:35:01"
        }
    ],
    "7056": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "danaBot",
            "yara_rule_author": "@is_henderson",
            "yara_rule_reference": "https://capesandbox.com/analysis/175597/",
            "yara_rule_description": "DanaBot/BlackRAT Deobfuscated Strings",
            "last_hit_utc": "2021-08-06 12:58:04"
        }
    ],
    "7057": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DarkComet_2",
            "yara_rule_author": "botherder https://github.com/botherder",
            "yara_rule_reference": null,
            "yara_rule_description": "DarkComet RAT",
            "last_hit_utc": "2025-01-03 19:36:17"
        }
    ],
    "7058": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DarkComet_3",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:36:17"
        }
    ],
    "7059": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DarkGate_MSI",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "DarkGate MSI - file 5b608a6729343cf8b6752d5bb201f906920fcb472f5949e04173b907f65ceff1.msi",
            "last_hit_utc": "2025-01-05 16:22:34"
        }
    ],
    "7060": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "darkhotel_lnk_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect suspicious lnk file",
            "last_hit_utc": "2025-01-05 16:57:22"
        }
    ],
    "7061": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DarkTortilla_Installer",
            "yara_rule_author": "Still",
            "yara_rule_reference": null,
            "yara_rule_description": "Matches DarkTortilla installer strings/bytecode",
            "last_hit_utc": "2025-01-17 07:46:02"
        }
    ],
    "7062": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "darkwatchman",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "DarkWatchMan JS Payload",
            "last_hit_utc": "2025-07-17 13:01:26"
        }
    ],
    "7063": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DCSync_Mimikatz",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://github.com/gentilkiwi/mimikatz",
            "yara_rule_description": "Hunting rule for Mimikatz Implementation of DCSync Attack",
            "last_hit_utc": "2025-08-25 10:02:22"
        }
    ],
    "7064": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DeepPanda_lot1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Hack Deep Panda - lot1.tmp-pwdump",
            "last_hit_utc": "2025-10-28 13:44:04"
        }
    ],
    "7065": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DeepPanda_lot1_RID2C52",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf",
            "yara_rule_description": "Hack Deep Panda - FBI Liaison Alert System # A-000049-MW - lot1.tmp-pwdump",
            "last_hit_utc": "2025-10-28 13:44:05"
        }
    ],
    "7066": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DetectDotNetExecutables",
            "yara_rule_author": "ChatGPT",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect executables generated by C# or .NET - ChatGPT PROMPT: Generate a yara rule that detects executable generated by c# or dotnet.",
            "last_hit_utc": "2025-01-10 14:11:06"
        }
    ],
    "7067": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Detect_AllaSenha_Banker",
            "yara_rule_author": "@johnk3r",
            "yara_rule_reference": null,
            "yara_rule_description": "AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America.",
            "last_hit_utc": "2025-01-03 20:36:45"
        }
    ],
    "7068": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Detect_BazarISO",
            "yara_rule_author": "@johnk3r",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BazarISO",
            "last_hit_utc": "2025-01-05 14:44:37"
        }
    ],
    "7069": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Detect_Go_Module_Inject_Mekotio_Picanha",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-11 04:44:12"
        }
    ],
    "7070": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "detect_Lumma_stealer",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_Lumma_stealer",
            "last_hit_utc": "2026-03-28 14:26:16"
        }
    ],
    "7071": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Detect_Malicious_Python_Decompress_Exec",
            "yara_rule_author": "Sn0wFr0$t",
            "yara_rule_reference": "Custom rule for obfuscated Python script detection",
            "yara_rule_description": "Detects malicious Python scripts with obfuscated zlib decompression and execution logic",
            "last_hit_utc": "2025-12-01 20:48:14"
        }
    ],
    "7072": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "detect_StrelaStealer",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": "",
            "yara_rule_description": "detect_StrelaStealer",
            "last_hit_utc": "2022-11-17 19:42:03"
        }
    ],
    "7073": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "detect_vidar",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_Vidar_Stealer",
            "last_hit_utc": "2023-03-28 06:33:03"
        }
    ],
    "7074": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DHT_Adware",
            "yara_rule_author": "rifteyy",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects DHT Adware ecosystem",
            "last_hit_utc": "2026-03-18 14:11:16"
        }
    ],
    "7075": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "dino",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:44:05"
        }
    ],
    "7076": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Disclosed_0day_POCs_lpe",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Disclosed 0day Repos",
            "yara_rule_description": "Detects POC code from disclosed 0day hacktool set",
            "last_hit_utc": "2025-01-03 20:48:18"
        }
    ],
    "7077": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Disclosed_0day_POCs_payload_MSI",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Disclosed 0day Repos",
            "yara_rule_description": "Detects POC code from disclosed 0day hacktool set",
            "last_hit_utc": "2023-02-03 21:33:03"
        }
    ],
    "7078": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DLL_APT34_RedCap_July2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:07:51"
        }
    ],
    "7079": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DLL_DiceLoader_Fin7_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:29:55"
        }
    ],
    "7080": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DLL_Injector_Lynx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Lynx DLL Injector",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "7081": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DLL_Injector_Lynx_RID2D94",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Lynx DLL Injector",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "7082": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DLL_Loader_Pikabot_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-15 01:33:03"
        }
    ],
    "7083": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DLL_Loader_Wineloader_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-25 20:13:02"
        }
    ],
    "7084": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DLL_North_Korean_Lazarus_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-15 00:11:03"
        }
    ],
    "7085": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DLL_Stealer_Strela_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-25 17:40:03"
        }
    ],
    "7086": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "DLL_TinyTurla_Strings_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-30 19:09:44"
        }
    ],
    "7087": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "dnscat2_Hacktool",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://downloads.skullsecurity.org/dnscat2/",
            "yara_rule_description": "Detects dnscat2 - from files dnscat, dnscat2.exe",
            "last_hit_utc": "2022-06-09 12:54:04"
        }
    ],
    "7088": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "dnscat2_Hacktool",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://downloads.skullsecurity.org/dnscat2/",
            "yara_rule_description": "Detects dnscat2 - from files dnscat, dnscat2.exe",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "7089": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "dollar_stealer",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "Infostealer written in C using raw sockets.",
            "last_hit_utc": "2025-01-03 21:00:28"
        }
    ],
    "7090": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Dubnium_Sample_SSHOpenSSL",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/AW9Cuu",
            "yara_rule_description": "Detects sample mentioned in the Dubnium Report",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "7091": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Dubnium_Sample_SSHOpenSSL_RID3077",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/AW9Cuu",
            "yara_rule_description": "Detects sample mentioned in the Dubnium Report",
            "last_hit_utc": "2025-11-05 08:22:28"
        }
    ],
    "7092": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "dubseven_dropper_dialog_remains",
            "yara_rule_author": "Matt Brooks, @cmatthewbrooks",
            "yara_rule_reference": null,
            "yara_rule_description": "Searches for related dialog remnants. How rude.",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "7093": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "dump_tool",
            "yara_rule_author": "@patrickrolsen",
            "yara_rule_reference": "Related to pwdump6 and fgdump tools",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "7094": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Duqu2_Sample1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
            "yara_rule_description": "Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi)",
            "last_hit_utc": "2024-05-22 23:13:03"
        }
    ],
    "7095": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Duqu2_Sample4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
            "yara_rule_description": "Detects Duqu2 Malware",
            "last_hit_utc": "2025-11-05 08:22:29"
        }
    ],
    "7096": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "easyforme_infostealer",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-30 22:16:16"
        }
    ],
    "7097": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EclipseSunCloudRAT",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-10 13:17:37"
        }
    ],
    "7098": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EditKeyLog",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file EditKeyLog.exe",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "7099": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EditKeyLog",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file EditKeyLog.exe",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "7100": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EditKeyLogReadMe",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "7101": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EditKeyLogReadMe",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "7102": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EditKeyLogReadMe_RID2D10",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe_RID2D10.txt",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "7103": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EditServer",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file EditServer.exe",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "7104": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EditServer",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file EditServer.exe",
            "last_hit_utc": "2025-10-28 13:44:06"
        }
    ],
    "7105": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ekans",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Ekans aka Snake ransomware unpacked or in memory.",
            "last_hit_utc": "2022-10-28 11:49:13"
        }
    ],
    "7106": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "elf_babuk_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects elf.babuk.",
            "last_hit_utc": "2025-01-05 14:58:28"
        }
    ],
    "7107": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "elf_greedyantd_w0",
            "yara_rule_author": "Intezer",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-10-12 18:29:05"
        }
    ],
    "7108": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "elf_kobalos_w1",
            "yara_rule_author": "Marc-Etienne M.L\u00e9veill\u00e9",
            "yara_rule_reference": "http://www.welivesecurity.com",
            "yara_rule_description": "Kobalos SSH credential stealer seen in OpenSSH client",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "7109": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "elf_messagetap_w0",
            "yara_rule_author": "Emanuele De Lucia",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MESSAGETAP malware through strings",
            "last_hit_utc": "2023-07-30 12:34:03"
        }
    ],
    "7110": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Elf_plead",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "ELF_PLEAD",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "7111": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ELF_RAT_Bifrost_March2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:16:38"
        }
    ],
    "7112": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "elf_rekoobe_b3_06c9",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects the Rekoobe Linux backdoor",
            "last_hit_utc": "2025-05-16 01:34:12"
        }
    ],
    "7113": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "elf_winnti_w0",
            "yara_rule_author": "Silas Cutler (havex [@] chronicle.security), Chronicle Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-19 22:35:16"
        }
    ],
    "7114": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "emotet_maldoc",
            "yara_rule_author": "Alejandro Prada",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule for detecting .NET info stealer",
            "last_hit_utc": "2022-10-31 16:12:02"
        }
    ],
    "7115": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Get_Keystrokes",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Get-Keystrokes.ps1",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "7116": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Get_Keystrokes_RID2F85",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Get-Keystrokes.ps1",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "7117": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Get_SecurityPackages",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Get-SecurityPackages.ps1",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "7118": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Get_SecurityPackages_RID31C8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Get-SecurityPackages.ps1",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "7119": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "7120": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_DllInjection",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-DllInjection.ps1",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "7121": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_DllInjection_RID315C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-DllInjection.ps1",
            "last_hit_utc": "2025-10-28 13:44:07"
        }
    ],
    "7122": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_EgressCheck",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-EgressCheck.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7123": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_EgressCheck_RID30E4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-EgressCheck.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7124": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_Gen",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "7125": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_Mimikatz",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/PowerShellEmpire/Empire",
            "yara_rule_description": "Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "7126": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_Portscan_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7127": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_Portscan_Gen_RID3160",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7128": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_PostExfil",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-PostExfil.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7129": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_PostExfil_RID303B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-PostExfil.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7130": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_PowerDump",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-PowerDump.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7131": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_PowerDump_RID3040",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-PowerDump.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7132": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_ShellcodeMSIL",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-ShellcodeMSIL.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7133": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_ShellcodeMSIL_RID3165",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-ShellcodeMSIL.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7134": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_SMBAutoBrute",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-SMBAutoBrute.ps1",
            "last_hit_utc": "2025-10-28 13:44:08"
        }
    ],
    "7135": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_SMBAutoBrute_RID311A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-SMBAutoBrute.ps1",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7136": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_SmbScanner",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-SmbScanner.ps1",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7137": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_Invoke_SmbScanner_RID3089",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file Invoke-SmbScanner.ps1",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7138": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_KeePassConfig",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file KeePassConfig.ps1",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7139": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_KeePassConfig_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7140": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_KeePassConfig_Gen_RID304D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7141": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_KeePassConfig_RID2ED4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file KeePassConfig.ps1",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7142": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "7143": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "7144": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "7145": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_PowerShell_Framework_Gen5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "7146": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_PowerUp_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7147": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_PowerUp_Gen_RID2E1D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7148": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Empire_ReflectivePick_x64_orig",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/adaptivethreat/Empire",
            "yara_rule_description": "Detects Empire component - file ReflectivePick_x64_orig.dll",
            "last_hit_utc": "2021-02-20 00:01:42"
        }
    ],
    "7149": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EnigmaPacker_Rare",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an ENIGMA packed executable",
            "last_hit_utc": "2021-10-13 18:31:04"
        }
    ],
    "7150": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EnigmaPacker_Rare_RID2DA1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an ENIGMA packed executable",
            "last_hit_utc": "2021-10-13 18:31:04"
        }
    ],
    "7151": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EnigmaProtector10XSukhovVladimir",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:21:18"
        }
    ],
    "7152": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ENIGMAProtectorV112SukhovVladimir",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:21:18"
        }
    ],
    "7153": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ENIGMAProtectorV11SukhovVladimir",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:21:18"
        }
    ],
    "7154": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Enigma_Protected_Malware_May17_RhxFiles",
            "yara_rule_author": "Florian Roth with the help of binar.ly",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Auto-generated rule - file RhxFiles.dll",
            "last_hit_utc": "2022-05-12 06:40:02"
        }
    ],
    "7155": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_BananaAid",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BananaAid",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7156": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_BananaUsurper_writeJetPlow",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130",
            "last_hit_utc": "2025-10-28 13:44:09"
        }
    ],
    "7157": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_BARPUNCH_BPICKER",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7158": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_BBALL",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7159": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_BFLEA_2201",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BFLEA-2201.exe",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7160": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_BICECREAM",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BICECREAM-2140",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7161": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_BLIAR_BLIQUER",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7162": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_BUSURPER_2211_724",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BUSURPER-2211-724.exe",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7163": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_BUSURPER_3001_724",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file BUSURPER-3001-724.exe",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7164": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_config_jp1_UA",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file config_jp1_UA.pl",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7165": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_create_dns_injection",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file create_dns_injection.py",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7166": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_eligiblecandidate",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file eligiblecandidate.py",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7167": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_EPBA",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file EPBA.script",
            "last_hit_utc": "2025-10-28 13:44:10"
        }
    ],
    "7168": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_epicbanana_2_1_0_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7169": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_extrabacon",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7170": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_Extrabacon_Output",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - Extrabacon exploit output",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7171": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_Implants_Gen1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7172": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_Implants_Gen2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7173": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_Implants_Gen3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7174": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_Implants_Gen4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7175": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_Implants_Gen5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7176": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_jetplow_SH",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file jetplow.sh",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7177": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_MixText",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file MixText.py",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7178": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_networkProfiler_orderScans",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file networkProfiler_orderScans.sh",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7179": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_pandarock",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7180": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_payload",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file payload.py",
            "last_hit_utc": "2025-10-28 13:44:11"
        }
    ],
    "7181": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_screamingplow",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file screamingplow.sh",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7182": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_sniffer_xml2pcap",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file sniffer_xml2pcap",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7183": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_sploit",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files sploit.py, sploit.py",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7184": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_sploit_py",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file sploit.py",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7185": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_ssh_telnet_29",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - from files ssh.py, telnet.py",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7186": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_StoreFc",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file StoreFc.py",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7187": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_tinyhttp_setup",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file tinyhttp_setup.sh",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7188": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_tunnel_state_reader",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file tunnel_state_reader",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7189": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_uninstallPBD",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file uninstallPBD.bat",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7190": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_Unique_Strings",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - Unique strings",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7191": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_userscript",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file userscript.FW",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7192": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EQGRP_workit",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Research",
            "yara_rule_description": "EQGRP Toolset Firewall - file workit.py",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7193": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_cmsd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file cmsd",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7194": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_cmsd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file cmsd",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7195": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_cmsd_RID2E6A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file cmsd",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7196": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_cmsex",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file cmsex",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7197": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_cmsex",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file cmsex",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7198": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_cmsex_RID2EE3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file cmsex",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7199": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_DUL",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file DUL",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7200": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_DUL",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file DUL",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7201": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_DUL_RID2DA8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file DUL",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7202": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_ebbshave",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7203": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_ebbshave",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7204": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_ebbshave_RID3003",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7205": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_eggbasket",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file eggbasket",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7206": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_eggbasket",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file eggbasket",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7207": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_eggbasket_RID3070",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file eggbasket",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7208": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_elgingamble",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file elgingamble",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7209": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_elgingamble",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file elgingamble",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7210": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_elgingamble_RID313A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file elgingamble",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7211": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_epoxyresin_v1_0_0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7212": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_epoxyresin_v1_0_0",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7213": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_epoxyresin_v1_0_0_RID333D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7214": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_EquationDrug_Gen_2",
            "yara_rule_author": "Auto Generated",
            "yara_rule_reference": "https://goo.gl/tcSoiJ",
            "yara_rule_description": "EquationGroup Malware - file PortMap_Implant.dll",
            "last_hit_utc": "2026-03-22 06:23:27"
        }
    ],
    "7215": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_EquationDrug_Gen_2_RID33A5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/tcSoiJ",
            "yara_rule_description": "EquationGroup Malware - file PortMap_Implant.dll",
            "last_hit_utc": "2026-03-22 06:23:27"
        }
    ],
    "7216": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_estesfox",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file estesfox",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7217": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_estesfox",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file estesfox",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7218": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_estesfox_RID3034",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file estesfox",
            "last_hit_utc": "2025-10-28 13:44:15"
        }
    ],
    "7219": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_jackpop",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file jackpop",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7220": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_jackpop",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file jackpop",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7221": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_jackpop_RID2FAB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file jackpop",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7222": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_sambal",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file sambal",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7223": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_sambal",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file sambal",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7224": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_sambal_RID2F33",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file sambal",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7225": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_slugger2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file slugger2",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7226": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_slugger2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file slugger2",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7227": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_slugger2_RID2FEE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file slugger2",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7228": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "7229": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "7230": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch_RID3FDF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "7231": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_DiBa_Target",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2026-03-22 06:23:21"
        }
    ],
    "7232": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_DiBa_Target",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2026-03-22 06:23:28"
        }
    ],
    "7233": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_DiBa_Target_RID360C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2026-03-22 06:23:20"
        }
    ],
    "7234": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:44"
        }
    ],
    "7235": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1_RID389A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:44"
        }
    ],
    "7236": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:44"
        }
    ],
    "7237": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1_RID38F4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:44"
        }
    ],
    "7238": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Eternalromance",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-10-28 13:44:17"
        }
    ],
    "7239": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Eternalromance",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-10-28 13:44:17"
        }
    ],
    "7240": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17_Eternalromance_RID37A6",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-10-28 13:44:17"
        }
    ],
    "7241": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7242": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-10-28 13:44:16"
        }
    ],
    "7243": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "7244": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "7245": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2_RID391D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "7246": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__ESKE_RPC2_8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "7247": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__ESKE_RPC2_8",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "7248": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_Toolset_Apr17__ESKE_RPC2_8_RID358A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
            "yara_rule_description": "Detects EquationGroup Tool - April Leak",
            "last_hit_utc": "2025-09-15 11:02:43"
        }
    ],
    "7249": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_xspy",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file xspy",
            "last_hit_utc": "2022-04-21 17:33:01"
        }
    ],
    "7250": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup_xspy_RID2E97",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- file xspy",
            "last_hit_utc": "2022-04-21 17:33:01"
        }
    ],
    "7251": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__ftshell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7252": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__ftshell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7",
            "last_hit_utc": "2025-10-28 13:44:12"
        }
    ],
    "7253": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__ftshell_ftshell_v3_10_3_0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7254": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__ftshell_ftshell_v3_10_3_0",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7255": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__ftshell_ftshell_v3_10_3_0_RID364E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7256": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__ftshell_RID3014",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7257": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__ghost_sparc_ghost_x86_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7258": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__ghost_sparc_ghost_x86_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7259": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__ghost_sparc_ghost_x86_3_RID361A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7260": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__jparsescan_parsescan_5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7261": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__jparsescan_parsescan_5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7262": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__jparsescan_parsescan_5_RID35FF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan",
            "last_hit_utc": "2025-10-28 13:44:13"
        }
    ],
    "7263": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__scanner_scanner_v2_1_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7264": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__scanner_scanner_v2_1_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7265": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EquationGroup__scanner_scanner_v2_1_2_RID357D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1",
            "yara_rule_description": "Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2",
            "last_hit_utc": "2025-10-28 13:44:14"
        }
    ],
    "7266": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Equation_Kaspersky_EquationLaserInstaller",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/ivt8EW",
            "yara_rule_description": "Equation Group Malware - EquationLaser Installer",
            "last_hit_utc": "2026-03-22 06:23:25"
        }
    ],
    "7267": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Equation_Kaspersky_EquationLaserInstaller",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/ivt8EW",
            "yara_rule_description": "Equation Group Malware - EquationLaser Installer",
            "last_hit_utc": "2026-03-22 06:23:26"
        }
    ],
    "7268": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Equation_Kaspersky_FannyWorm",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/ivt8EW",
            "yara_rule_description": "Equation Group Malware - Fanny Worm",
            "last_hit_utc": "2026-03-22 06:23:27"
        }
    ],
    "7269": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Equation_Kaspersky_FannyWorm",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/ivt8EW",
            "yara_rule_description": "Equation Group Malware - Fanny Worm",
            "last_hit_utc": "2026-03-22 06:23:27"
        }
    ],
    "7270": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Equation_Kaspersky_GROK_Keylogger",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/ivt8EW",
            "yara_rule_description": "Equation Group Malware - GROK keylogger",
            "last_hit_utc": "2026-03-22 06:23:20"
        }
    ],
    "7271": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Equation_Kaspersky_GROK_Keylogger",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/ivt8EW",
            "yara_rule_description": "Equation Group Malware - GROK keylogger",
            "last_hit_utc": "2026-03-22 06:23:28"
        }
    ],
    "7272": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Equation_Kaspersky_TripleFantasy_Loader",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/ivt8EW",
            "yara_rule_description": "Equation Group Malware - TripleFantasy Loader",
            "last_hit_utc": "2025-01-03 22:55:48"
        }
    ],
    "7273": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Equation_Kaspersky_TripleFantasy_Loader",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/ivt8EW",
            "yara_rule_description": "Equation Group Malware - TripleFantasy Loader",
            "last_hit_utc": "2025-01-03 22:55:48"
        }
    ],
    "7274": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EternalRocks_svchost",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/stamparm/status/864865144748298242",
            "yara_rule_description": "Detects EternalRocks Malware - file taskhost.exe",
            "last_hit_utc": "2026-01-09 08:26:41"
        }
    ],
    "7275": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EternalRocks_svchost_FR_RID303E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/stamparm/status/864865144748298242",
            "yara_rule_description": "Detects EternalRocks Malware - file taskhost.exe",
            "last_hit_utc": "2026-01-09 08:26:42"
        }
    ],
    "7276": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EternalRomance",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "EternalRomance Exploit",
            "last_hit_utc": "2022-03-10 22:24:03"
        }
    ],
    "7277": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXECryptor2021protectedIAT",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-29 19:30:03"
        }
    ],
    "7278": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXECryptor2223compressedcodewwwstrongbitcom",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 22:48:11"
        }
    ],
    "7279": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXECryptor2223protectedIAT",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 22:48:11"
        }
    ],
    "7280": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXECryptor2xxmaxcompressedresources",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 22:48:11"
        }
    ],
    "7281": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXECryptorV22Xsoftcompletecom",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 22:48:11"
        }
    ],
    "7282": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXE_ICS_FrostyGoop_July2024",
            "yara_rule_author": "RustyNoob619",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "7283": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXE_Stealer_44Caliber_Feb2024",
            "yara_rule_author": "Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:05:17"
        }
    ],
    "7284": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Explosion_Sample_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/5vYaNb",
            "yara_rule_description": "Explosion/Explosive Malware - Volatile Cedar APT",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "7285": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Explosion_Sample_2_RID2E24",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/5vYaNb",
            "yara_rule_description": "Explosion/Explosive Malware - Volatile Cedar APT",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "7286": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Explosive_UA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/HQRCdw",
            "yara_rule_description": "Explosive Malware Embedded User Agent - Volatile Cedar APT http://goo.gl/HQRCdw",
            "last_hit_utc": "2022-03-17 18:41:03"
        }
    ],
    "7287": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXPL_Cleo_Exploitation_Log_Indicators_Dec24",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild",
            "yara_rule_description": "Detects indicators found in logs during and after Cleo software exploitation (as reported by Huntress in December 2024)",
            "last_hit_utc": "2025-10-28 13:44:17"
        }
    ],
    "7288": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXPL_GitLab_CE_RCE_CVE_2021_22205",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/",
            "yara_rule_description": "Detects signs of exploitation of GitLab CE CVE-2021-22205",
            "last_hit_utc": "2025-10-28 13:44:17"
        }
    ],
    "7289": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXPL_Log4j_CallBackDomain_IOCs_Dec21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8",
            "yara_rule_description": "Detects IOCs found in Log4Shell incidents that indicate exploitation attempts of CVE-2021-44228",
            "last_hit_utc": "2025-01-03 22:52:57"
        }
    ],
    "7290": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
            "yara_rule_description": "Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228",
            "last_hit_utc": "2025-10-28 13:44:18"
        }
    ],
    "7291": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts",
            "yara_rule_author": "Zach Stanford - @svch0st, Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log",
            "yara_rule_description": "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity",
            "last_hit_utc": "2025-10-28 13:44:18"
        }
    ],
    "7292": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXPL_ManageEngine_CVE_2022_47966_Jan23_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/",
            "yara_rule_description": "Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3",
            "last_hit_utc": "2025-10-28 13:44:18"
        }
    ],
    "7293": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXPL_POC_SpringCore_0day_Indicators_Mar22_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/vxunderground/status/1509170582469943303",
            "yara_rule_description": "Detects indicators found after SpringCore exploitation attempts and in the POC script",
            "last_hit_utc": "2022-11-20 15:26:03"
        }
    ],
    "7294": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "eXPressorv12CGSoftLabs",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-06-20 09:17:01"
        }
    ],
    "7295": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "eXPressorv14CGSoftLabs",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-06-20 09:17:02"
        }
    ],
    "7296": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXP_CVE_2021_41379_Nov_2021_2",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects exploit tool using CVE-2021-41379 (variant 2)",
            "last_hit_utc": "2021-12-04 06:49:46"
        }
    ],
    "7297": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXP_potential_CVE_2017_11882",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html",
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-07 07:11:16"
        }
    ],
    "7298": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EXP_potential_CVE_2017_11882",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html",
            "yara_rule_description": "",
            "last_hit_utc": "2022-08-08 08:42:04"
        }
    ],
    "7299": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Extract_MachineKey_SharePoint",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://x.com/Gi7w0rm/status/1948027800591466773",
            "yara_rule_description": "Identifies webshell that extracts SharePoint's MachineKey configuration.",
            "last_hit_utc": "2025-08-07 09:05:56"
        }
    ],
    "7300": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "EzuriLoader_revised",
            "yara_rule_author": "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>",
            "yara_rule_reference": "https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader",
            "yara_rule_description": "Detects Ezuri Golang Loader/Crypter",
            "last_hit_utc": "2022-10-09 01:21:02"
        }
    ],
    "7301": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FakeInstaller_KeyFile_Crepectl",
            "yara_rule_author": "SixHands",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the binary .key config used by the analyzed fake installer family",
            "last_hit_utc": "2026-04-24 21:47:31"
        }
    ],
    "7302": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FeliksPack3___PHP_Shells_r57",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file r57.php",
            "last_hit_utc": "2025-06-16 15:19:31"
        }
    ],
    "7303": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FeliksPack3___PHP_Shells_r57",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file r57.php",
            "last_hit_utc": "2025-06-16 15:19:31"
        }
    ],
    "7304": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FeliksPack3___Scanners_ipscan",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file ipscan.exe",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "7305": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FerociousKitten_RAT",
            "yara_rule_author": "NaN",
            "yara_rule_reference": null,
            "yara_rule_description": "FerociousKitten APT RAT Detect",
            "last_hit_utc": "2026-02-01 05:37:19"
        }
    ],
    "7306": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FE_LEGALSTRIKE_RTF",
            "yara_rule_author": "joshua.kim@FireEye. - modified by Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "RTF phishing campaign leveraging the CVE-2017-0199 exploit to point to the domain 2bunnyDOTcom",
            "last_hit_utc": "2022-06-03 09:09:02"
        }
    ],
    "7307": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "fgexec",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - file fgexec.exe",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "7308": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Fidelis_Advisory_cedt370",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/ZjJyti",
            "yara_rule_description": "Detects a string found in memory of malware cedt370r(3).exe",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "7309": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Fierce2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "This signature detects the Fierce2 domain scanner",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "7310": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Fierce2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "This signature detects the Fierce2 domain scanner",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "7311": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FIN7_Backdoor_Aug17",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
            "yara_rule_description": "Detects Word Dropper from Proofpoint FIN7 Report",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "7312": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FIN7_Backdoor_Aug17_RID2D8D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
            "yara_rule_description": "Detects Word Dropper from Proofpoint FIN7 Report",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "7313": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Fireball_lancer",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/4pTkGQ",
            "yara_rule_description": "Detects Fireball malware - file lancer.dll",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "7314": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Fireball_lancer_RID2D06",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/4pTkGQ",
            "yara_rule_description": "Detects Fireball malware - file lancer.dll",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "7315": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FITSEC_MALWAREDNA_MUSTANGPANDA",
            "yara_rule_author": "Fitsec MalwareDNA",
            "yara_rule_reference": null,
            "yara_rule_description": "Mustang Panda APT Ruleset generated by Fitsec MalwareDNA analysis",
            "last_hit_utc": "2026-04-08 06:44:48"
        }
    ],
    "7316": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwareqwerty_20123",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20123.xml",
            "last_hit_utc": "2025-10-28 13:44:19"
        }
    ],
    "7317": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwareqwerty_20123",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20123.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7318": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwareqwerty_20123_RID33A5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20123.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7319": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwaresig_20120_cmdDef",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20120_cmdDef.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7320": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwaresig_20120_cmdDef",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20120_cmdDef.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7321": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwaresig_20120_cmdDef_RID34DB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20120_cmdDef.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7322": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwaresig_20121_cmdDef",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20121_cmdDef.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7323": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwaresig_20121_cmdDef",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20121_cmdDef.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7324": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwaresig_20121_cmdDef_RID34DC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20121_cmdDef.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7325": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwaresig_20123_cmdDef",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20123_cmdDef.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7326": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwaresig_20123_cmdDef",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20123_cmdDef.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7327": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FiveEyes_QUERTY_Malwaresig_20123_cmdDef_RID34DE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.spiegel.de/media/media-35668.pdf",
            "yara_rule_description": "FiveEyes QUERTY Malware - file 20123_cmdDef.xml",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7328": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FourElementSword_Config_File",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/",
            "yara_rule_description": "Detects FourElementSword Malware",
            "last_hit_utc": "2025-10-28 13:44:20"
        }
    ],
    "7329": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FourElementSword_Config_File_RID321A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Detects FourElementSword Malware",
            "last_hit_utc": "2025-10-28 13:44:21"
        }
    ],
    "7330": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FourElementSword_ElevateDLL_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/",
            "yara_rule_description": "Detects FourElementSword Malware",
            "last_hit_utc": "2025-10-28 13:44:21"
        }
    ],
    "7331": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FourElementSword_ElevateDLL_2_RID3218",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Detects FourElementSword Malware",
            "last_hit_utc": "2025-10-28 13:44:21"
        }
    ],
    "7332": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FSG131dulekxt",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-13 01:26:29"
        }
    ],
    "7333": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FSGv10",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-16 14:31:09"
        }
    ],
    "7334": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FSGv100Engdulekxt",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-16 14:31:09"
        }
    ],
    "7335": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FSGv110Engdulekxt",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-16 14:31:09"
        }
    ],
    "7336": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FSGv133",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 17:40:29"
        }
    ],
    "7337": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FSGv133Engdulekxt",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 17:40:29"
        }
    ],
    "7338": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FSO_s_c99",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file c99.php",
            "last_hit_utc": "2025-06-16 15:19:31"
        }
    ],
    "7339": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FSO_s_c99",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file c99.php",
            "last_hit_utc": "2025-06-16 15:19:31"
        }
    ],
    "7340": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Furtim_Parent_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://sentinelone.com/blogs/sfg-furtims-parent/",
            "yara_rule_description": "Detects Furtim Parent Malware",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "7341": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Fusion",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Fusion ransomware, Go variant of Nemty/Nefilim.",
            "last_hit_utc": "2023-09-11 16:27:04"
        }
    ],
    "7342": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_Gen_Readme1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule",
            "last_hit_utc": "2025-10-28 13:44:22"
        }
    ],
    "7343": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_Gen_Readme2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON",
            "last_hit_utc": "2025-10-28 13:44:22"
        }
    ],
    "7344": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_Gen_Readme3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule",
            "last_hit_utc": "2025-10-28 13:44:22"
        }
    ],
    "7345": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_Gen_Readme4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - from files violetspirit.README, violetspirit.README",
            "last_hit_utc": "2025-10-28 13:44:22"
        }
    ],
    "7346": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_gr_gr",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file gr.notes",
            "last_hit_utc": "2025-10-28 13:44:22"
        }
    ],
    "7347": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_nopen_oneshot",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file oneshot.example",
            "last_hit_utc": "2025-10-28 13:44:22"
        }
    ],
    "7348": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_opscript",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file opscript.se",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7349": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_README_cup",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file README.cup.NOPEN",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7350": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_strifeworld",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file strifeworld.1",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7351": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_user_tool",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file user.tool.elatedmonkey",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7352": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_user_tool_dubmoat",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file user.tool.dubmoat.COMMON",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7353": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_user_tool_earlyshovel",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file user.tool.earlyshovel.COMMON",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7354": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_user_tool_ebbisland",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file user.tool.ebbisland.COMMON",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7355": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_user_tool_elgingamble",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file user.tool.elgingamble.COMMON",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7356": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_user_tool_envisioncollision",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file user.tool.envisioncollision.COMMON",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7357": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_user_tool_epichero",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file user.tool.epichero.COMMON",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7358": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_user_tool_pork",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file user.tool.pork.COMMON",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7359": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_user_tool_yellowspirit",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file user.tool.yellowspirit.COMMON",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7360": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "FVEY_ShadowBroker_violetspirit",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/",
            "yara_rule_description": "Auto-generated rule - file violetspirit.README",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7361": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Gamaredon_GetImportByHash",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Gamaredon APIHashing",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "7362": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ganelp",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Ganelp, a worm that also spreads via USB.",
            "last_hit_utc": "2025-04-27 18:18:10"
        }
    ],
    "7363": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GazerCommunicationModule_x64_",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-03-10 12:53:05"
        }
    ],
    "7364": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GazerOrchestrator_x32_",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-03-10 13:04:06"
        }
    ],
    "7365": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Gazer_certificate",
            "yara_rule_author": "ESET",
            "yara_rule_reference": "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
            "yara_rule_description": "Detects Turla's Gazer malware",
            "last_hit_utc": "2022-03-10 12:53:05"
        }
    ],
    "7366": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Gazer_certificate_subject",
            "yara_rule_author": "ESET",
            "yara_rule_reference": "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
            "yara_rule_description": "Detects Turla's Gazer malware",
            "last_hit_utc": "2022-03-10 12:53:05"
        }
    ],
    "7367": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Geoirb_TCP",
            "yara_rule_author": "@_FirehaK",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the message library created for the Boba botnet.",
            "last_hit_utc": "2021-11-13 16:25:05"
        }
    ],
    "7368": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GHISLER_Stealer_1",
            "yara_rule_author": "Andre Gironda",
            "yara_rule_reference": "",
            "yara_rule_description": "GHISLER Golang-based Go stealer; POST /sendlog to HTTP port 5000, Userid HTTP header",
            "last_hit_utc": "2022-12-25 15:12:33"
        }
    ],
    "7369": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GhostDragon_Gh0stRAT_Sample2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blog.cylance.com/the-ghost-dragon",
            "yara_rule_description": "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7370": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GhostDragon_Gh0stRAT_Sample2_RID3170",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.cylance.com/the-ghost-dragon",
            "yara_rule_description": "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report",
            "last_hit_utc": "2025-10-28 13:44:23"
        }
    ],
    "7371": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GhostDragon_Gh0stRAT_Sample3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blog.cylance.com/the-ghost-dragon",
            "yara_rule_description": "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report",
            "last_hit_utc": "2025-01-03 19:36:19"
        }
    ],
    "7372": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GIFCloaked_Webshell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Looks like a webshell cloaked as GIF",
            "last_hit_utc": "2024-06-02 02:35:03"
        }
    ],
    "7373": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "gina_zip_Folder_gina",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file gina.dll",
            "last_hit_utc": "2025-10-28 13:44:24"
        }
    ],
    "7374": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "gina_zip_Folder_gina",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file gina.dll",
            "last_hit_utc": "2025-10-28 13:44:24"
        }
    ],
    "7375": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "glassRAT",
            "yara_rule_author": "RSA RESEARCH",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GlassRAT by RSA (modified by Florian Roth - speed improvements)",
            "last_hit_utc": "2025-11-05 08:22:30"
        }
    ],
    "7376": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GlorySprout",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GlorySprout Stealer",
            "last_hit_utc": "2025-04-28 08:33:08"
        }
    ],
    "7377": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "glorysprout_stealer",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "GlorySprout Stealer Payload",
            "last_hit_utc": "2025-04-28 08:33:08"
        }
    ],
    "7378": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GoldenEye_Ransomware_XLS",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/jp2SkT",
            "yara_rule_description": "GoldenEye XLS with Macro - file Schneider-Bewerbung.xls",
            "last_hit_utc": "2023-06-09 06:55:04"
        }
    ],
    "7379": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GoldenEye_Ransomware_XLS_RID3061",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/jp2SkT",
            "yara_rule_description": "GoldenEye XLS with Macro - file Schneider-Bewerbung.xls",
            "last_hit_utc": "2023-06-09 06:55:04"
        }
    ],
    "7380": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GravityRAT",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked GravityRAT stealer malware samples.",
            "last_hit_utc": "2025-06-21 18:47:13"
        }
    ],
    "7381": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GreedyAntd",
            "yara_rule_author": "Intezer Labs",
            "yara_rule_reference": "https://www.intezer.com",
            "yara_rule_description": "",
            "last_hit_utc": "2021-10-12 18:29:05"
        }
    ],
    "7382": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "gremlin_malware",
            "yara_rule_author": "cauliflowerdoughnuts",
            "yara_rule_reference": null,
            "yara_rule_description": "Start of the decryption routine for .NET gremlin malware",
            "last_hit_utc": "2025-05-13 08:12:21"
        }
    ],
    "7383": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GrimResource",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.elastic.co/security-labs/grimresource",
            "yara_rule_description": "Identifies GrimResource and potential derivatives or variants.",
            "last_hit_utc": "2026-03-11 09:24:17"
        }
    ],
    "7384": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GRIZZLY_STEPPE_Malware_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/WVflzO",
            "yara_rule_description": "Auto-generated rule - file HRDG022184_certclint.dll",
            "last_hit_utc": "2022-09-28 22:52:04"
        }
    ],
    "7385": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GRIZZLY_STEPPE_Malware_1_RID2F34",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/WVflzO",
            "yara_rule_description": "Semiautomatically generated YARA rule - file HRDG022184_certclint.dll",
            "last_hit_utc": "2022-09-28 22:52:04"
        }
    ],
    "7386": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GRIZZLY_STEPPE_Malware_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/WVflzO",
            "yara_rule_description": "Auto-generated rule",
            "last_hit_utc": "2025-10-28 13:44:24"
        }
    ],
    "7387": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "GRIZZLY_STEPPE_Malware_2_RID2F35",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/WVflzO",
            "yara_rule_description": "Semiautomatically generated YARA rule",
            "last_hit_utc": "2025-10-28 13:44:24"
        }
    ],
    "7388": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_Blast",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file Blast.bat",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7389": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_Blast",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file Blast.bat",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7390": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_Blast_RID306D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Disclosed hacktool set - file Blast.bat",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7391": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_pass",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file pass.txt",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7392": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_pass",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file pass.txt",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7393": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_pass_RID302E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Disclosed hacktool set - file pass.txt",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7394": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_sql",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file sql.exe",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7395": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_sql",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file sql.exe",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7396": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_Start",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file Start.bat - DoS tool",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7397": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_Start",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file Start.bat - DoS tool",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7398": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Burst_Start_RID3085",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Disclosed hacktool set - file Start.bat - DoS tool",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7399": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_GOGOGO_Bat",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file GOGOGO.bat",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7400": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_GOGOGO_Bat",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file GOGOGO.bat",
            "last_hit_utc": "2025-10-28 13:44:25"
        }
    ],
    "7401": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_JoHor_Rdos_get",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file get.vbp",
            "last_hit_utc": "2025-01-03 19:31:45"
        }
    ],
    "7402": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Panda_445TOOL",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file 445TOOL.rar",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "7403": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Panda_445TOOL",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file 445TOOL.rar",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "7404": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Panda_Burst",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file Burst.rar",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "7405": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Panda_Burst",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file Burst.rar",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "7406": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Panda_tasksvr",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file tasksvr.exe",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7407": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_Panda_tasksvr",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file tasksvr.exe",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7408": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hacktools_CN_WinEggDrop",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file s.exe",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "7409": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_CoreHound_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'CoreHound' project.",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7410": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_INVEIGHZERO_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'inveighzero' project.",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7411": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_KeeFarce_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'KeeFarce' project.",
            "last_hit_utc": "2023-09-11 16:27:05"
        }
    ],
    "7412": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_SEATBELT_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "This rule looks for .NET PE files that have regex and format strings found in the public tool SeatBelt. Due to the nature of the regex and format strings used for detection, this rule should detect custom variants of the SeatBelt project.",
            "last_hit_utc": "2021-03-09 23:03:38"
        }
    ],
    "7413": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_SharPersist_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharPersist project.",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7414": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_SharPersist_2",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7415": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_SharPivot_2",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "Detects FireEye's SharPivot tool",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7416": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_SharPivot_3",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "This rule looks for .NET PE files that have the strings of various method names in the SharPivot code.",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7417": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_SharPivot_4",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharPivot project.",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7418": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_MSIL_SharpSchtask_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpSchtask' project.",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7419": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HackTool_Samples",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Hacktool",
            "last_hit_utc": "2022-04-06 01:00:03"
        }
    ],
    "7420": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "halogen_generated_7d556db58fe36c6525009c6e097dbea1",
            "yara_rule_author": "Halogen Generated Rule",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-12-07 10:31:03"
        }
    ],
    "7421": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HavexLoader",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-11 15:43:20"
        }
    ],
    "7422": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HavocDemonDJB2",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 11:24:40"
        }
    ],
    "7423": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "hero_re_quest",
            "yara_rule_author": "Luke Acha",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects strings related to hero/uphero found in trojanized 7zip installer 63396fa92aa010e543e21cd8cb1bcccc",
            "last_hit_utc": "2026-02-18 18:12:17"
        }
    ],
    "7424": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HiddenCobra_r4_wiper_2",
            "yara_rule_author": "NCCIC Partner",
            "yara_rule_reference": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf",
            "yara_rule_description": "Detects HiddenCobra Wiper",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7425": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HiddenCobra_Rule_1",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-164A",
            "yara_rule_description": "Detects Hidden Cobra Malware",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7426": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Himawari",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf",
            "yara_rule_description": "detect Himawari(a variant of RedLeaves) in memory",
            "last_hit_utc": "2025-10-28 13:44:26"
        }
    ],
    "7427": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_BypassUacDll_6_RID2DDF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semiautomatically generated YARA rule - file BypassUacDll.aps",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7428": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_BypassUac_EXE_RID2D6F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semiautomatically generated YARA rule - file BypassUacDll.aps",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7429": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Dsniff",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects Dsniff hack tool",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "7430": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Dsniff_RID2AFD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/eFoP4A",
            "yara_rule_description": "Detects Dsniff hack tool",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "7431": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_EXPL_WIN_PS1_BadSuccessor_May25",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory",
            "yara_rule_description": "Detects PowerShell tool called Get-BadSuccessorOUPermissions.ps1 that helps exploit a vulnerability in Active Directory. Lists every principal that can perform a BadSuccessor attack and the OUs where it holds the required permissions.",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "7432": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_FeliksPack3___Scanners_ipscan_RID33EA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semiautomatically generated YARA rule on file ipscan.exe",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "7433": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Fierce2_RID2B23",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "This signature detects the Fierce2 domain scanner",
            "last_hit_utc": "2025-10-28 13:44:28"
        }
    ],
    "7434": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_htran_go",
            "yara_rule_author": "Jeff Beley",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects go based htran variant",
            "last_hit_utc": "2023-08-01 20:41:29"
        }
    ],
    "7435": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_IP_Stealing_Utilities_RID30ED",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semiautomatically generated YARA rule on file IP Stealing Utilities.exe",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "7436": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Khepri_Beacon_Sep21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/geemion/Khepri/",
            "yara_rule_description": "Detects Khepri C2 framework beacons",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "7437": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Lazagne_Gen_18",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/AlessandroZ/LaZagne",
            "yara_rule_description": "Detects Lazagne password extractor hacktool",
            "last_hit_utc": "2022-09-26 08:45:03"
        }
    ],
    "7438": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Lazagne_PasswordDumper_Dec18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
            "yara_rule_description": "Detects password dumper Lazagne often used by middle eastern threat groups",
            "last_hit_utc": "2025-01-03 20:28:26"
        }
    ],
    "7439": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Lazagne_PasswordDumper_Dec18_1_RID33E8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
            "yara_rule_description": "Detects password dumper Lazagne often used by middle eastern threat groups",
            "last_hit_utc": "2025-01-03 20:28:26"
        }
    ],
    "7440": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_MAL_Nighthawk_Nov_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice",
            "yara_rule_description": "Detect the Nighthawk dropped beacon",
            "last_hit_utc": "2025-01-05 15:27:03"
        }
    ],
    "7441": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Ncrack_RID2AF5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "This signature detects the Ncrack brute force tool",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "7442": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NetBIOS_Name_Scanner_RID3000",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semiautomatically generated YARA rule on file NetBIOS Name Scanner.exe",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "7443": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_AggressorScripts",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/harleyQu1nn/AggressorScripts",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:31"
        }
    ],
    "7444": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_AllTheThings",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/johnjohnsp1/AllTheThings",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7445": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Altman",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/keepwn/Altman",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7446": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Anti_Analysis",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Anti-Analysis",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7447": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_aresskit",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/BlackVikingPro/aresskit",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7448": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_AsyncRAT_C_Sharp",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7449": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_AzureCLI_Extractor",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/0x09AL/AzureCLI-Extractor",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7450": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_azure_password_harvesting",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/guardicore/azure_password_harvesting",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7451": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_BrowserGhost",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/QAX-A-Team/BrowserGhost",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2022-01-17 13:06:06"
        }
    ],
    "7452": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Browser_ExternalC2",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/mdsecactivebreach/Browser-ExternalC2",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7453": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_CinaRAT",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/wearelegal/CinaRAT",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7454": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_CloneVault",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/mdsecactivebreach/CloneVault",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7455": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_CsharpAmsiBypass",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/WayneJLee/CsharpAmsiBypass",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7456": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_CVE_2020_1206_POC",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/ZecOps/CVE-2020-1206-POC",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7457": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_DarkFender",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/0xyg3n/DarkFender",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7458": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_DecryptAutoLogon",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/securesean/DecryptAutoLogon",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7459": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_DInvisibleRegistry",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NVISO-BE/DInvisibleRegistry",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7460": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_donut",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/TheWover/donut",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7461": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_DotNetAVBypass_Master",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/lockfale/DotNetAVBypass-Master",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7462": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_DotNetToJScript",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/tyranid/DotNetToJScript",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7463": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_DreamProtectorFree",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/Paskowsky/DreamProtectorFree",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:32"
        }
    ],
    "7464": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Driver_Template",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/FuzzySecurity/Driver-Template",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7465": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Dropless_Malware",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Dropless-Malware",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2021-10-05 18:53:01"
        }
    ],
    "7466": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Dropless_Malware",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Dropless-Malware",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7467": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_EasyNet",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/TheWover/EasyNet",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7468": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_ESC",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NetSPI/ESC",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7469": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_EvilWMIProvider",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/sunnyc7/EvilWMIProvider",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7470": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_EWSToolkit",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/rasta-mouse/EWSToolkit",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7471": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_fakelogonscreen",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/bitsadmin/fakelogonscreen",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7472": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_FileSearcher",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NVISO-BE/FileSearcher",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7473": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_GMSAPasswordReader",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/rvazarkar/GMSAPasswordReader",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-03 21:01:39"
        }
    ],
    "7474": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_gray_keylogger_2",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/graysuit/gray-keylogger-2",
            "yara_rule_description": "Detects VB.NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7475": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Group3r",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/Group3r/Group3r.git",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-03 21:20:11"
        }
    ],
    "7476": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_HastySeries",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/obscuritylabs/HastySeries",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7477": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_HideFromAMSI",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/0r13lc0ch4v1/HideFromAMSI",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7478": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_HTTPSBeaconShell",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/limbenjamin/HTTPSBeaconShell",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7479": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_HWIDbypass",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/yunseok/HWIDbypass",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7480": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Keylogger",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/BlackVikingPro/Keylogger",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-05 16:42:53"
        }
    ],
    "7481": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_LethalHTA",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/codewhitesec/LethalHTA",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7482": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_LimeLogger",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/LimeLogger",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7483": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_LimeUSB_Csharp",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/LimeUSB-Csharp",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2022-11-15 14:30:06"
        }
    ],
    "7484": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Lime_Crypter",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Lime-Crypter",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7485": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Lime_Downloader",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Lime-Downloader",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7486": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Lime_Miner",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Lime-Miner",
            "yara_rule_description": "Detects VB.NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7487": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Manager",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/TheWover/Manager",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7488": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Mass_RAT",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/Mass-RAT",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7489": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_MemeVM",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/TobitoFatitoRE/MemeVM",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:33"
        }
    ],
    "7490": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_MemoryMapper",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/jasondrawdy/MemoryMapper",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7491": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_MiscTools",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/rasta-mouse/MiscTools",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7492": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Mythic",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/its-a-feature/Mythic",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7493": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Naga",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/byt3bl33d3r/Naga",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7494": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Net_GPPPassword",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/outflanknl/Net-GPPPassword",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7495": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_njCrypter",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/0xPh0enix/njCrypter",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7496": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_NoMSBuild",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/rvrsh3ll/NoMSBuild",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7497": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Obfuscator",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/3xpl01tc0d3r/Obfuscator",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7498": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_OffensivePowerShellTasking",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/leechristensen/OffensivePowerShellTasking",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7499": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_p0wnedShell",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2024-03-15 19:27:03"
        }
    ],
    "7500": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_PoC",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/thezdi/PoC",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7501": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_PortTran",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/k8gege/PortTran",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7502": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_PoshSecFramework",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/PoshSec/PoshSecFramework",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7503": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Povlsomware",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/povlteksttv/Povlsomware",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2023-11-20 22:55:03"
        }
    ],
    "7504": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_PowerShdll",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/p3nt4/PowerShdll",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7505": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Privilege_Escalation",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/Mrakovic-ORG/Privilege_Escalation",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-03 23:06:18"
        }
    ],
    "7506": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_PSByPassCLM",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/padovah4ck/PSByPassCLM",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2024-05-21 17:21:04"
        }
    ],
    "7507": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_rat_shell",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/stphivos/rat-shell",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7508": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_RAT_TelegramSpyBot",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/SebastianEPH/RAT.TelegramSpyBot",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7509": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_RegistryStrikesBack",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/mdsecactivebreach/RegistryStrikesBack",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7510": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_RunShellcode",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/zerosum0x0/RunShellcode",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:34"
        }
    ],
    "7511": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_RuralBishop",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/rasta-mouse/RuralBishop",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7512": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SauronEye",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/vivami/SauronEye",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7513": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SHAPESHIFTER",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/matterpreter/SHAPESHIFTER",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7514": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpAdidnsdump",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/b4rtik/SharpAdidnsdump",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7515": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpBlock",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/CCob/SharpBlock",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7516": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpBypassUAC",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/FatRodzianko/SharpBypassUAC",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2023-11-09 11:56:02"
        }
    ],
    "7517": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpClipHistory",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/FSecureLABS/SharpClipHistory",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7518": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpCompile",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/SpiderLabs/SharpCompile",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7519": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpCookieMonster",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/m0rv4i/SharpCookieMonster",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7520": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpCrashEventLog",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/slyd0g/SharpCrashEventLog",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7521": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpDomainSpray",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/HunnicCyber/SharpDomainSpray",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7522": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpEDRChecker",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/PwnDexter/SharpEDRChecker",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7523": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharPersist",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/fireeye/SharPersist",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7524": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpExcel4_DCOM",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/rvrsh3ll/SharpExcel4-DCOM",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7525": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpFruit",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/rvrsh3ll/SharpFruit",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7526": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpLocker",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/Pickfordmatt/SharpLocker",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2021-07-13 06:57:28"
        }
    ],
    "7527": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpMapExec",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/cube0x0/SharpMapExec",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7528": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpPack",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/Lexus89/SharpPack",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2021-03-09 23:03:38"
        }
    ],
    "7529": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpPrinter",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/rvrsh3ll/SharpPrinter",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7530": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpRDP",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/0xthirteen/SharpRDP",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2026-02-22 18:16:18"
        }
    ],
    "7531": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpShares",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/djhohnstein/SharpShares/",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2022-10-08 14:37:03"
        }
    ],
    "7532": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpShares",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/djhohnstein/SharpShares/",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-08-25 10:09:33"
        }
    ],
    "7533": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpSpray",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/jnqpblc/SharpSpray",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7534": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SharpView",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/tevora-threat/SharpView",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2023-09-11 16:27:05"
        }
    ],
    "7535": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_sharpwmi",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/QAX-A-Team/sharpwmi",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-08-25 10:09:55"
        }
    ],
    "7536": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Sharp_Suite",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/FuzzySecurity/Sharp-Suite",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-03 19:26:06"
        }
    ],
    "7537": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_ShellcodeLoader",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/Hzllaga/ShellcodeLoader",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:35"
        }
    ],
    "7538": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Snaffler",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/SnaffCon/Snaffler",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7539": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SneakyExec",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/HackingThings/SneakyExec",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7540": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SolarFlare",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/mubix/solarflare",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7541": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SpoolSample",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/leechristensen/SpoolSample",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-08-24 10:05:57"
        }
    ],
    "7542": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SQLRecon",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/skahwah/SQLRecon",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-03 20:39:55"
        }
    ],
    "7543": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SuperSQLInjectionV1",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/shack2/SuperSQLInjectionV1",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2021-07-04 09:43:40"
        }
    ],
    "7544": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_SuperSQLInjectionV1",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/shack2/SuperSQLInjectionV1",
            "yara_rule_description": "Detects .NET red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7545": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_TikiTorch",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/rasta-mouse/TikiTorch",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7546": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_UAC_Escaper",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/NYAN-x-CAT/UAC-Escaper",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-01-03 21:09:01"
        }
    ],
    "7547": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_UAC_SilentClean",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/EncodeGroup/UAC-SilentClean",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7548": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_UnstoppableService",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/malcomvetter/UnstoppableService",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7549": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_Watson",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/rasta-mouse/Watson",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2021-03-22 04:40:31"
        }
    ],
    "7550": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_WheresMyImplant",
            "yara_rule_author": "Arnim Rupp (https://github.com/ruppde)",
            "yara_rule_reference": "https://github.com/0xbadjuju/WheresMyImplant",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7551": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_GUID_WindowsDefender_Payload_Downloader",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/notkohlrexo/WindowsDefender-Payload-Downloader",
            "yara_rule_description": "Detects c# red/black-team tools via typelibguid",
            "last_hit_utc": "2022-10-22 06:51:04"
        }
    ],
    "7552": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NET_NAME_NativePayload_Reverse_tcp",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp",
            "yara_rule_description": "Detects .NET red/black-team tools via name",
            "last_hit_utc": "2021-11-06 02:43:04"
        }
    ],
    "7553": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NFS_Fuse_NFS",
            "yara_rule_author": "Moritz Oettle",
            "yara_rule_reference": "https://github.com/hvs-consulting/nfs-security-tooling",
            "yara_rule_description": "Detects the nfs-security-tooling fuse_nfs by HvS Consulting",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "7554": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NFS_NFS_Analyze",
            "yara_rule_author": "Marc Stroebel",
            "yara_rule_reference": "https://github.com/hvs-consulting/nfs-security-tooling",
            "yara_rule_description": "Detects the nfs-security-tooling nfs_analyze by HvS Consulting",
            "last_hit_utc": "2025-10-28 13:44:29"
        }
    ],
    "7555": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Nighthawk_RAT",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Nighthawk RAT",
            "last_hit_utc": "2025-01-05 15:27:03"
        }
    ],
    "7556": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Nim_NimPackt",
            "yara_rule_author": "Cas van Cooten",
            "yara_rule_reference": "https://github.com/chvancooten/NimPackt-v1",
            "yara_rule_description": "Detects binaries generated with NimPackt v1",
            "last_hit_utc": "2025-01-03 20:33:14"
        }
    ],
    "7557": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NoPowerShell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/bitsadmin/nopowershell",
            "yara_rule_description": "Detects NoPowerShell hack tool",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "7558": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_NoPowerShell_RID2D65",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/bitsadmin/nopowershell",
            "yara_rule_description": "Detects NoPowerShell hack tool",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "7559": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_PortScanner_RID2D12",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semiautomatically generated YARA rule on file PortScanner.exe",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "7560": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_PortScanner_Simple_Jan14",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file PortScanner.exe",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "7561": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_PowerKatz_Feb19_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1097423665472376832",
            "yara_rule_description": "Detects a tool used in the Australian Parliament House network compromise",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "7562": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_PowerKatz_Feb19_1_RID2EB0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1097423665472376832",
            "yara_rule_description": "Detects a tool used in the Australian Parliament House network compromise",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "7563": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_PowerSploit",
            "yara_rule_author": "Markus Neis",
            "yara_rule_reference": "https://www.hybrid-analysis.com/sample/16937e76db6d88ed0420ee87317424af2d4e19117fe12d1364fee35aa2fadb75?environmentId=100",
            "yara_rule_description": "Detects default strings used by PowerSploit to establish persistence",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7564": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_PS1_PowerCat_Mar21",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/besimorhino/powercat",
            "yara_rule_description": "Detects PowerCat hacktool",
            "last_hit_utc": "2022-08-04 06:25:03"
        }
    ],
    "7565": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Python_sectools",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "https://github.com/p0dalirius/sectools",
            "yara_rule_description": "Detects code which uses the python lib sectools",
            "last_hit_utc": "2025-10-28 13:44:30"
        }
    ],
    "7566": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_RedMimicry_Agent",
            "yara_rule_author": "mirar@chaosmail.org",
            "yara_rule_reference": "https://redmimicry.com",
            "yara_rule_description": "matches the RedMimicry agent executable and payload",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7567": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_scanarator_RID2CD1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semiautomatically generated YARA rule on file scanarator.exe",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "7568": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_shellpop_Powershell_TCP",
            "yara_rule_author": "Tobias Michalski",
            "yara_rule_reference": "https://github.com/0x00-0x00/ShellPop",
            "yara_rule_description": "Detects malicious powershell",
            "last_hit_utc": "2021-12-30 15:42:06"
        }
    ],
    "7569": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_shellpop_Powershell_TCP_RID31D4",
            "yara_rule_author": "Tobias Michalski",
            "yara_rule_reference": "https://github.com/0x00-0x00/ShellPop",
            "yara_rule_description": "Detects malicious powershell",
            "last_hit_utc": "2021-12-30 15:42:05"
        }
    ],
    "7570": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_SQLMap_RID2AB1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "This signature detects the SQLMap SQL injection tool",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "7571": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HKTL_Venom_LIB_Dec22",
            "yara_rule_author": "Ido Veltzman, Florian Roth",
            "yara_rule_reference": "https://github.com/Idov31/Venom",
            "yara_rule_description": "Detects Venom - a library that is meant to perform evasive communication using a stolen browser socket",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "7572": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HTA_WScriptShell_OneNote",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects suspicious OneNote documents with embedded HTA + WScript.Shell",
            "last_hit_utc": "2023-03-19 19:12:03"
        }
    ],
    "7573": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HtmlPhish",
            "yara_rule_author": "Madhav",
            "yara_rule_reference": null,
            "yara_rule_description": "HTML Refresh and Redirect",
            "last_hit_utc": "2025-06-16 16:33:11"
        }
    ],
    "7574": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Hunting_GadgetToJScript_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "7575": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "hunt_credaccess_iis_wide_base64",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": null,
            "yara_rule_description": "hunt for strings related to iis credential access",
            "last_hit_utc": "2024-01-10 09:01:03"
        }
    ],
    "7576": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "hunt_susp_vhd",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "",
            "yara_rule_description": "Virtual hard disk file with embedded PE",
            "last_hit_utc": "2022-08-31 17:35:02"
        }
    ],
    "7577": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "HvS_APT27_HyperBro_Stage3_C2",
            "yara_rule_author": "Marc Stroebel",
            "yara_rule_reference": "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27",
            "yara_rule_description": "HyperBro Stage 3 C2 path and user agent detection - also tested in memory",
            "last_hit_utc": "2025-10-28 13:44:31"
        }
    ],
    "7578": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iam_alt_iam_alt",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit",
            "yara_rule_description": "Auto-generated rule - file iam-alt.exe",
            "last_hit_utc": "2025-01-03 23:04:42"
        }
    ],
    "7579": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iam_alt_iam_alt",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit",
            "yara_rule_description": "Auto-generated rule - file iam-alt.exe",
            "last_hit_utc": "2025-01-03 23:04:42"
        }
    ],
    "7580": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iam_alt_iam_alt_RID2D1E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - file iam-alt.exe",
            "last_hit_utc": "2025-01-03 23:04:42"
        }
    ],
    "7581": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IcedID_core_loader",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies IcedID core loader.",
            "last_hit_utc": "2023-04-30 22:08:03"
        }
    ],
    "7582": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IcedID_core_loader",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies IcedID core loader.",
            "last_hit_utc": "2022-10-01 10:15:03"
        }
    ],
    "7583": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IcedID_Encryption",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-04-30 22:08:03"
        }
    ],
    "7584": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "icedid_x64dll_stager",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": "https://0x0d4y.blog/icedid-technical-analysis-of-x64-dll-version/",
            "yara_rule_description": "This rule detects samples from the IcedID family unpacked in memory, identifying code reuse of new config decryption function.",
            "last_hit_utc": "2026-03-13 22:25:20"
        }
    ],
    "7585": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IDATDropper",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects modified versions of executables containing embedded JavaScript; the JS executes an obfuscated PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).",
            "last_hit_utc": "2025-01-03 20:34:22"
        }
    ],
    "7586": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IEuser_author_doc",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/",
            "yara_rule_description": "Identifies Microsoft Word documents created with the default user on IE11 test VMs, more likely to be suspicious.",
            "last_hit_utc": "2025-01-05 17:12:41"
        }
    ],
    "7587": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iexpl0re",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "iexpl0re family",
            "last_hit_utc": "2023-09-11 16:27:05"
        }
    ],
    "7588": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iexpl0reStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Strings used by iexpl0re",
            "last_hit_utc": "2023-09-11 16:27:05"
        }
    ],
    "7589": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IISPutScannesr",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file IISPutScannesr.exe",
            "last_hit_utc": "2022-06-11 13:58:03"
        }
    ],
    "7590": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IISPutScannesr",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file IISPutScannesr.exe",
            "last_hit_utc": "2025-01-05 16:01:23"
        }
    ],
    "7591": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IISRaid",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://github.com/0x09AL/IIS-Raid",
            "yara_rule_description": "Identifies IISRaid.",
            "last_hit_utc": "2025-01-03 19:37:57"
        }
    ],
    "7592": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IIS_Group14",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/",
            "yara_rule_description": "Detects Group 14 native IIS malware family",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "7593": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iKAT_cmd_as_dll",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html",
            "yara_rule_description": "iKAT toolset file cmd.dll ReactOS file cloaked",
            "last_hit_utc": "2025-11-05 08:22:36"
        }
    ],
    "7594": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iKAT_cmd_as_dll",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html",
            "yara_rule_description": "iKAT toolset file cmd.dll ReactOS file cloaked",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "7595": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iKAT_command_lines_agent",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html",
            "yara_rule_description": "iKAT hack tools set agent - file ikat.exe",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "7596": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iKAT_command_lines_agent",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html",
            "yara_rule_description": "iKAT hack tools set agent - file ikat.exe",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "7597": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "iKAT_startbar",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html",
            "yara_rule_description": "Tool to hide/unhide the Windows startbar from the command line - iKAT hack tools - file startbar.exe",
            "last_hit_utc": "2025-10-28 13:44:32"
        }
    ],
    "7598": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Impacket_Tools_atexec",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2025-01-05 17:13:29"
        }
    ],
    "7599": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Impacket_Tools_atexec_RID2F88",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2025-01-05 17:13:29"
        }
    ],
    "7600": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Impacket_Tools_rpcdump",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2022-06-21 10:38:39"
        }
    ],
    "7601": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Impacket_Tools_rpcdump_RID3009",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Compiled Impacket Tools",
            "last_hit_utc": "2022-06-21 10:38:39"
        }
    ],
    "7602": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IMPLANT_3_v2",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "X-Agent/CHOPSTICK Implant by APT28",
            "last_hit_utc": "2022-07-26 20:40:04"
        }
    ],
    "7603": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IMPLANT_4_v2",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "BlackEnergy / Voodoo Bear Implant by APT28",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "7604": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IMPLANT_5_v1",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "XTunnel Implant by APT28",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "7605": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IMPLANT_5_v2",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "XTunnel Implant by APT28",
            "last_hit_utc": "2025-11-05 08:22:37"
        }
    ],
    "7606": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IMPLANT_8_v1",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "HAMMERTOSS / HammerDuke Implant by APT29",
            "last_hit_utc": "2022-11-30 15:50:04"
        }
    ],
    "7607": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IMPLANT_9_v1",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE",
            "yara_rule_description": "Onion Duke Implant by APT29",
            "last_hit_utc": "2022-10-05 10:04:03"
        }
    ],
    "7608": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_EXE_Packed_Costura",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with Costura DotNetGuard",
            "last_hit_utc": "2021-07-28 07:00:32"
        }
    ],
    "7609": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_EXE_Packed_LibZ",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables built or packed with LibZ",
            "last_hit_utc": "2023-09-21 08:51:08"
        }
    ],
    "7610": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_EXE_Packed_NETProtectIO",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables packed with NETProtect.IO",
            "last_hit_utc": "2025-06-16 16:54:58"
        }
    ],
    "7611": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_EXE_Packed_NETProtectIO",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables packed with NETProtect.IO",
            "last_hit_utc": "2022-06-05 09:32:03"
        }
    ],
    "7612": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_00818631110b5d14331dac7e6ad998b902",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-05-10 10:04:14"
        }
    ],
    "7613": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_00ac307e5257bb814b818d3633b630326f",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-03 19:39:22"
        }
    ],
    "7614": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_00b3969cd6b2f913acc99c3f61fc14852f",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-06-12 22:54:42"
        }
    ],
    "7615": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_00e4e795fd1fd25595b869ce22aa7dc49f",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-05-12 04:11:01"
        }
    ],
    "7616": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_010000000001302693cb45",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2023-05-03 15:43:02"
        }
    ],
    "7617": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_0232466dc95b40ec9d21d9329abfcd5d",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2022-01-30 06:48:17"
        }
    ],
    "7618": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_033ed5eda065d1b8c91dfcf92a6c9bd8",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2021-03-31 22:48:06"
        }
    ],
    "7619": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_035b41766660b08aaf121536f0d83d4d",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects signed executable of DiskCryptor open encryption solution that offers encryption of all disk partitions",
            "last_hit_utc": "2021-12-29 22:13:04"
        }
    ],
    "7620": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_0407abb64e9990180789eacb81f5f914",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-08-30 20:43:52"
        }
    ],
    "7621": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_040cc2255db4e48da1b4f242f5edfa73",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-09-27 15:23:02"
        }
    ],
    "7622": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_040f11f124a73bdecc41259845a8a773",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-05-19 11:04:43"
        }
    ],
    "7623": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_066226cf6a4d8ae1100961a0c5404ff9",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2021-04-27 04:50:12"
        }
    ],
    "7624": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_08d4352185317271c1cec9d05c279af7",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2023-08-24 07:24:04"
        }
    ],
    "7625": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_09c89de6f64a7fdf657e69353c5fdd44",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2021-05-06 14:12:22"
        }
    ],
    "7626": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_0a1f3a057a1dce4bf7d76d0c7adf837e",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-08-22 20:17:04"
        }
    ],
    "7627": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_0aa099e64e214d655801ea38ad876711",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-06-16 16:02:28"
        }
    ],
    "7628": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_0b1926a5e8ae50a0efa504f005f93869",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2025-06-16 16:06:33"
        }
    ],
    "7629": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_0b1f8cd59e64746beae153ecca21066b",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-07-24 10:47:03"
        }
    ],
    "7630": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_0b2b192657b37632518b08a06e201381",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2023-04-20 12:40:05"
        }
    ],
    "7631": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_0b446546c36525bf5f084f6bbbba7097",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-08-06 13:36:04"
        }
    ],
    "7632": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_1966bc76bda1a708334792da9a336f69",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2023-09-04 13:00:04"
        }
    ],
    "7633": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_19beff8a6c129663e5e8c18953dc1f67",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-03-08 14:01:05"
        }
    ],
    "7634": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_21e3cae5b77c41528658ada08509c392",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-03-08 15:50:24"
        }
    ],
    "7635": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_2355895f1759e9e3648026f4",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-02-11 09:17:05"
        }
    ],
    "7636": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_28b691272719b1ee",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-05 15:12:36"
        }
    ],
    "7637": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_330000026551ae1bbd005cbfbd000000000265",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-01-03 20:16:02"
        }
    ],
    "7638": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_330000026551ae1bbd005cbfbd000000000265",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-01-02 01:58:05"
        }
    ],
    "7639": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_39f56251df2088223cc03494084e6081",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2023-03-05 13:41:05"
        }
    ],
    "7640": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_41f8253e1ceafbfd8e49f32c34a68f9e",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-06-23 02:19:02"
        }
    ],
    "7641": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_4d03ae6512b85eab4184ca7f4fa2e49c",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-02-09 17:16:03"
        }
    ],
    "7642": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_4f8ebbb263f3cbe558d37118c43f8d58",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-04-07 06:01:16"
        }
    ],
    "7643": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_4f8ebbb263f3cbe558d37118c43f8d58",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-07-30 06:46:50"
        }
    ],
    "7644": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_5294f0f841f29855e33a18402421949a",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "https://bazaar.abuse.ch/faq/#cscb",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2025-03-12 11:42:10"
        }
    ],
    "7645": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_54cc50d147fa549e3f721c754e4e3a91",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-10-19 14:01:03"
        }
    ],
    "7646": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_559cb90fd16e9d1ad375f050ab6a6616",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-06-24 08:40:03"
        }
    ],
    "7647": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_566ac16a57b132d3f64dced14de790ee",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-05-11 00:31:13"
        }
    ],
    "7648": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_56d576a062491ea0a5877ced418203a1",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-02-08 08:37:22"
        }
    ],
    "7649": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_56fff139df5ae7e788e5d72196dd563a",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-01-05 22:42:17"
        }
    ],
    "7650": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_5da173eb1ac76340ac058e1ff4bf5e1b",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificate",
            "last_hit_utc": "2023-01-07 12:02:03"
        }
    ],
    "7651": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_66f98881fbb02d0352bef7c13bd61df2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2024-06-25 05:40:03"
        }
    ],
    "7652": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_69ad1e8b5941c93d5017b7c3fdb8e7b6",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-05-17 14:06:02"
        }
    ],
    "7653": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_709d547a2f09d39c4c2334983f2cbf50",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-08-01 11:42:03"
        }
    ],
    "7654": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_734d0baf7a6b44743ff852c8ba7a751a7ff0ec73",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2023-04-21 14:37:03"
        }
    ],
    "7655": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_7d36cbb64bc9add17ba71737d3ecceca",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2021-04-12 08:02:28"
        }
    ],
    "7656": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_98a04ea05e8a949a4d880d0136794df3",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2026-03-07 13:05:18"
        }
    ],
    "7657": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_98a04ea05e8a949a4d880d0136794df3",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-03-04 14:31:03"
        }
    ],
    "7658": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_CERT_9d915138acdac1a044afa6e5d99567c5",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables signed with stolen, revoked or invalid certificates",
            "last_hit_utc": "2022-07-13 08:09:06"
        }
    ],
    "7659": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_GoBuildID_Banload",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Golang Build IDs in known bad samples",
            "last_hit_utc": "2022-12-02 17:32:05"
        }
    ],
    "7660": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_GoBuildID_GoBrut",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Golang Build IDs in GoBrut",
            "last_hit_utc": "2024-03-06 01:27:03"
        }
    ],
    "7661": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_GoBuildID_GoBrut",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Golang Build IDs in GoBrut",
            "last_hit_utc": "2021-08-13 07:58:05"
        }
    ],
    "7662": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_GoBuildID_Hive",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Golang Build IDs in Hive ransomware",
            "last_hit_utc": "2021-11-15 11:08:35"
        }
    ],
    "7663": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_GoBuildID_RanumBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Golang Build IDs in known bad samples",
            "last_hit_utc": "2021-05-06 01:32:04"
        }
    ],
    "7664": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_GoBuildID_Snatch",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Golang Build IDs in known bad samples",
            "last_hit_utc": "2021-04-09 11:27:44"
        }
    ],
    "7665": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_PowerShellCookieStealer",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects email accounts used for exfiltration observed in PowerShellCookieStealer",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "7666": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_PowerShellWiFiStealer",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects email accounts used for exfiltration observed in PowerShellWiFiStealer",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "7667": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_AlKhal",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with AlKhal ransomware",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "7668": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_AlumniLocker",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with AlumniLocker ransomware",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "7669": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Babuk",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Babuk ransomware",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "7670": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_BlackCat",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with BlackCat ransomware",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "7671": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_BlackHunt",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with BlackHunt ransomware",
            "last_hit_utc": "2025-10-28 13:44:33"
        }
    ],
    "7672": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Buran",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Buran ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7673": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_CryptoMix",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with CryptoMix ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7674": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Cuba",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with JobCryptor ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7675": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_DarkSide",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with DarkSide ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7676": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_DECAF",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects files referencing identities associated with DECAF ransomware",
            "last_hit_utc": "2021-11-25 18:10:08"
        }
    ],
    "7677": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Diavol",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Diavol ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7678": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_DoejoCrypt",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with DoejoCrypt ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7679": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_GetCrypt",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with GetCrypt ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7680": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_GoldenAxe",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with GoldenAxe ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7681": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Hello",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Hello / WickrMe ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7682": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_JobCryptor",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with JobCryptor ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7683": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Koxic",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with LokiLocker ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7684": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_LockDown",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with LockDown / cantopen ransomware",
            "last_hit_utc": "2025-10-28 13:44:34"
        }
    ],
    "7685": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_LokiLocker",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with LokiLocker ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7686": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Maze",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Maze ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7687": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_MedusaLocker",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects files referencing identities associated with MedusaLocker ransomware",
            "last_hit_utc": "2022-04-08 10:49:37"
        }
    ],
    "7688": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Payola",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Payola ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7689": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Phobos",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Phobos ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7690": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Purge",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Purge ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7691": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_PYSA",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with PYSA / Mespinoza ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7692": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_PYSA",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects files referencing identities associated with PYSA / Mespinoza ransomware",
            "last_hit_utc": "2022-09-13 23:55:03"
        }
    ],
    "7693": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_RansomwareEXX",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with RansomwareEXX Linux ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7694": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_RanzyLocker",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with RanzyLocker ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7695": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Rapid",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Rapid ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7696": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Ryuk",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Ryuk ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7697": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Satana",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Satana ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7698": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Spyro",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Spyro ransomware",
            "last_hit_utc": "2025-10-28 13:44:35"
        }
    ],
    "7699": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_STOP",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with STOP ransomware",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "7700": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_UnlockYourFiles",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with UnlockYourFiles ransomware",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "7701": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Vovalex",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Vovalex ransomware",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "7702": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Xorist",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Xorist ransomware",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "7703": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_KB_ID_Ransomware_Zeoticus",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects files referencing identities associated with Zeoticus ransomware",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "7704": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_OLE_Suspicious_MITRE_T1117",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects MITRE technique T1117 in OLE documents",
            "last_hit_utc": "2022-04-13 04:27:02"
        }
    ],
    "7705": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_PPT_MasterMana",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects known malicious pattern (MasterMana) in PowerPoint documents.",
            "last_hit_utc": "2021-03-01 07:26:07"
        }
    ],
    "7706": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_RMM_PDQConnect_Agent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PDQ Connect Agent. Review RMM Inventory",
            "last_hit_utc": "2025-09-09 11:52:43"
        }
    ],
    "7707": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_RTF_Equation_PowerShell_Downloader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RTF documents that reference both Microsoft Equation Editor and PowerShell. Common exploit + dropper behavior.",
            "last_hit_utc": "2021-02-23 05:05:22"
        }
    ],
    "7708": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_RTF_RemoteTemplate",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RTF documents potentially exploiting CVE-2017-11882",
            "last_hit_utc": "2022-07-14 21:53:04"
        }
    ],
    "7709": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EnableSMBv1",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects binaries with PowerShell command enabling SMBv1",
            "last_hit_utc": "2025-01-05 15:12:15"
        }
    ],
    "7710": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables potentially checking for WinJail sandbox window",
            "last_hit_utc": "2025-01-05 17:28:02"
        }
    ],
    "7711": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables potentially checking for WinJail sandbox window",
            "last_hit_utc": "2021-09-20 23:12:04"
        }
    ],
    "7712": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_EXE_References_AdsBlocker_Browser_Extension_IDs",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect executables referencing considerable number of Ads blocking browser extension IDs",
            "last_hit_utc": "2025-01-03 20:04:23"
        }
    ],
    "7713": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_JS_LocalPersistence",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects JavaScript files used for persistence and executable or script execution",
            "last_hit_utc": "2023-03-17 09:23:03"
        }
    ],
    "7714": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_References_Sandbox_Artifacts",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing sandbox artifacts",
            "last_hit_utc": "2025-01-05 15:10:54"
        }
    ],
    "7715": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_References_Sandbox_Artifacts",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables referencing sandbox artifacts",
            "last_hit_utc": "2022-08-20 06:29:03"
        }
    ],
    "7716": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_SUSPICIOUS_Sandbox_Evasion_FilesComb",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects executables referencing specific set of files observed in sandbox anti-evasion, and Emotet",
            "last_hit_utc": "2023-04-22 07:17:05"
        }
    ],
    "7717": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_SUSPICOIUS_RTF_EncodedURL",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects executables calling ClearMyTracksByProcess",
            "last_hit_utc": "2022-07-14 21:53:03"
        }
    ],
    "7718": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOLS_LocalPotato",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects LocalPotato",
            "last_hit_utc": "2026-02-22 18:15:42"
        }
    ],
    "7719": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_ANT_InviZzzible",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect InviZzzible",
            "last_hit_utc": "2025-01-03 19:35:51"
        }
    ],
    "7720": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_AVBypass_AVIator",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AVIator, which is a backdoor generator utility, which uses cryptographic and injection techniques in order to bypass AV detection. This was observed to bypass Win.Trojan.AZorult. This rule works for binaries and memory.",
            "last_hit_utc": "2025-10-28 13:44:36"
        }
    ],
    "7721": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_Backstab",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect Backstab tool capable of killing antimalware protected processes by leveraging sysinternals Process Explorer (ProcExp) driver",
            "last_hit_utc": "2022-11-04 18:22:03"
        }
    ],
    "7722": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_CNC_Chisel",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect binaries using Chisel",
            "last_hit_utc": "2022-01-05 18:32:05"
        }
    ],
    "7723": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_DogzProxy",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Dogz proxy tool",
            "last_hit_utc": "2025-01-03 19:34:28"
        }
    ],
    "7724": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_ENC_BestCrypt",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BestEncrypt commercial disk encryption and wiping software",
            "last_hit_utc": "2023-08-01 20:42:01"
        }
    ],
    "7725": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_ENC_DiskCryptor",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect DiskCryptor open encryption solution that offers encryption of all disk partitions",
            "last_hit_utc": "2025-01-03 19:31:27"
        }
    ],
    "7726": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_ENUM_SharpShares",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SharpShares multithreaded C# .NET Assembly to enumerate accessible network shares in a domain",
            "last_hit_utc": "2025-08-25 10:09:33"
        }
    ],
    "7727": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_EXP_PetitPotam01",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect tool potentially exploiting/attempting PetitPotam",
            "last_hit_utc": "2022-11-24 02:29:02"
        }
    ],
    "7728": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_EXP_SeriousSAM01",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect tool variants potentially exploiting SeriousSAM / HiveNightmare CVE-2021-36934",
            "last_hit_utc": "2025-08-13 08:21:21"
        }
    ],
    "7729": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_HFS_WebServer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HFS Web Server",
            "last_hit_utc": "2025-01-03 20:51:21"
        }
    ],
    "7730": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_Ligolo",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Ligolo tool for establishing SOCKS5 or TCP tunnels from a reverse connection",
            "last_hit_utc": "2025-01-03 20:01:16"
        }
    ],
    "7731": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_LTM_Ladon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Ladon tool that assists in lateral movement across a network",
            "last_hit_utc": "2024-06-08 17:52:02"
        }
    ],
    "7732": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_NSudo",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NSudo allowing to run processes as TrustedInstaller or System",
            "last_hit_utc": "2024-03-19 01:40:04"
        }
    ],
    "7733": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PET_DefenderControl",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Defender Control",
            "last_hit_utc": "2022-01-21 11:25:05"
        }
    ],
    "7734": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PET_Mulit_VenomAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Venom Proxy Agent",
            "last_hit_utc": "2024-02-11 14:41:03"
        }
    ],
    "7735": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PET_Mulit_VenomAgent",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Venom Proxy Agent",
            "last_hit_utc": "2022-11-20 15:02:03"
        }
    ],
    "7736": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PET_p0wnedShell",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects compiled executables of p0wnedShell post-exploitation toolkit",
            "last_hit_utc": "2024-03-15 19:27:03"
        }
    ],
    "7737": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PET_SharpHound",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BloodHound",
            "last_hit_utc": "2025-08-25 10:09:32"
        }
    ],
    "7738": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PRI_InstallerFileTakeOver",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect InstallerFileTakeOver CVE-2021-41379",
            "last_hit_utc": "2023-09-11 16:27:06"
        }
    ],
    "7739": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PRI_InstallerFileTakeOver",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect InstallerFileTakeOver CVE-2021-41379",
            "last_hit_utc": "2021-12-04 06:49:46"
        }
    ],
    "7740": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PRI_JuicyPotato",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect JuicyPotato",
            "last_hit_utc": "2026-03-23 08:47:11"
        }
    ],
    "7741": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PRI_JuicyPotato",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect JuicyPotato",
            "last_hit_utc": "2022-08-04 06:11:02"
        }
    ],
    "7742": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PROX_revsocks",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects revsocks Reverse socks5 tunneler with SSL/TLS and proxy support",
            "last_hit_utc": "2023-07-13 01:26:02"
        }
    ],
    "7743": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PWS_LaZagne",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects LaZagne post-exploitation password stealing tool. It is typically embedded with malware in the binary resources.",
            "last_hit_utc": "2022-09-26 08:45:03"
        }
    ],
    "7744": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PWS_Mimikatz",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Mimikatz.",
            "last_hit_utc": "2022-09-08 14:53:37"
        }
    ],
    "7745": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PWS_PwDump7",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Pwdump7 password Dumper",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "7746": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PWS_SecurityXploded_BrowserPasswordDumper",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SecurityXploded Browser Password Dumper tool",
            "last_hit_utc": "2021-04-28 22:56:40"
        }
    ],
    "7747": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PWS_SecurityXploded_BrowserPasswordDumper",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SecurityXploded Browser Password Dumper tool",
            "last_hit_utc": "2022-04-06 01:00:03"
        }
    ],
    "7748": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PWS_SecurityXploded_EmailPasswordDumper",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SecurityXploded Email Password Dumper tool",
            "last_hit_utc": "2022-04-06 01:00:03"
        }
    ],
    "7749": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PWS_SecurityXploded_FTPPasswordDumper",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SecurityXploded FTP Password Dumper tool",
            "last_hit_utc": "2021-05-30 06:41:00"
        }
    ],
    "7750": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_PWS_SecurityXploded_FTPPasswordDumper",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SecurityXploded FTP Password Dumper tool",
            "last_hit_utc": "2022-04-06 01:00:03"
        }
    ],
    "7751": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_REC_ADFind",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect ADFind",
            "last_hit_utc": "2025-02-09 21:14:12"
        }
    ],
    "7752": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_SCMalDevInj_Go",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Go shell/malware dev injector",
            "last_hit_utc": "2025-01-03 20:13:14"
        }
    ],
    "7753": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_SCN_NBTScan",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NBTScan scanner for open NETBIOS nameservers on a local or remote TCP/IP network",
            "last_hit_utc": "2021-04-28 22:56:40"
        }
    ],
    "7754": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_SCR_Amady",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects screenshot stealer DLL. Dropped by Amady",
            "last_hit_utc": "2020-12-18 07:00:25"
        }
    ],
    "7755": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "INDICATOR_TOOL_SQLRecon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SQLRecon C# MS-SQL toolkit designed for offensive reconnaissance and post-exploitation",
            "last_hit_utc": "2025-01-03 20:39:55"
        }
    ],
    "7756": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Industroyer_Malware_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/x81cSy",
            "yara_rule_description": "Detects Industroyer related malware",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7757": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Industroyer_Malware_1_RID2F71",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/x81cSy",
            "yara_rule_description": "Detects Industroyer related malware",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7758": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Industroyer_Malware_4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/x81cSy",
            "yara_rule_description": "Detects Industroyer related malware",
            "last_hit_utc": "2022-04-13 09:58:03"
        }
    ],
    "7759": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Industroyer_Malware_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/x81cSy",
            "yara_rule_description": "Detects Industroyer related malware",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7760": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Industroyer_Malware_5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/x81cSy",
            "yara_rule_description": "Detects Industroyer related malware",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "7761": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Industroyer_Malware_5_RID2F75",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/x81cSy",
            "yara_rule_description": "Detects Industroyer related malware",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "7762": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Industroyer_Portscan_3_Output",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/x81cSy",
            "yara_rule_description": "Detects Industroyer related custom port scanner output file",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "7763": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Industroyer_Portscan_3_Output_RID32E4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/x81cSy",
            "yara_rule_description": "Detects Industroyer related custom port scanner output file",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "7764": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "infostealer_win_mars_stealer_early_version",
            "yara_rule_author": null,
            "yara_rule_reference": "https://blog.sekoia.io/mars-a-red-hot-information-stealer/",
            "yara_rule_description": "Identifies samples of Mars Stealer early version based on opcodes of the function loading obfuscated strings.",
            "last_hit_utc": "2025-06-21 21:48:46"
        }
    ],
    "7765": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Insta11",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Insta11",
            "last_hit_utc": "2025-01-03 20:11:33"
        }
    ],
    "7766": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Insta11Code",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Insta11 code features",
            "last_hit_utc": "2025-01-03 20:11:33"
        }
    ],
    "7767": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "InstallStub32bit",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-23 12:12:25"
        }
    ],
    "7768": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "InstGina",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file InstGina.exe",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "7769": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "InstGina",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file InstGina.exe",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "7770": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Invoke_mimikittenz",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/putterpanda/mimikittenz",
            "yara_rule_description": "Detects Mimikittenz - file Invoke-mimikittenz.ps1",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "7771": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Invoke_mimikittenz_RID2E91",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/putterpanda/mimikittenz",
            "yara_rule_description": "Semiautomatically generated YARA rule - file Invoke-mimikittenz.ps1",
            "last_hit_utc": "2025-10-28 13:44:37"
        }
    ],
    "7772": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Invoke_PSImage",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/peewpw/Invoke-PSImage",
            "yara_rule_description": "Detects a command to execute PowerShell from String",
            "last_hit_utc": "2025-11-05 08:21:37"
        }
    ],
    "7773": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Invoke_PSImage_RID2C62",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/peewpw/Invoke-PSImage",
            "yara_rule_description": "Detects a command to execute PowerShell from String",
            "last_hit_utc": "2025-11-05 08:21:37"
        }
    ],
    "7774": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IP_Stealing_Utilities",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file IP Stealing Utilities.exe",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7775": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronGate_APT_Step7ProSim_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/Mr6M2J",
            "yara_rule_description": "Detects IronGate APT Malware - Step7ProSim DLL",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7776": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronGate_APT_Step7ProSim_Gen_RID3173",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/Mr6M2J",
            "yara_rule_description": "Detects IronGate APT Malware - Step7ProSim DLL",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7777": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronPanda_DNSTunClient",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/E4qia9",
            "yara_rule_description": "Iron Panda malware DnsTunClient - file named.exe",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7778": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronPanda_DNSTunClient",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/E4qia9",
            "yara_rule_description": "Iron Panda malware DnsTunClient - file named.exe",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7779": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronPanda_DNSTunClient_RID2F67",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/E4qia9",
            "yara_rule_description": "Iron Panda malware DnsTunClient - file named.exe",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7780": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronPanda_Malware_Htran",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/E4qia9",
            "yara_rule_description": "Iron Panda Malware Htran",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7781": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronPanda_Malware_Htran",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/E4qia9",
            "yara_rule_description": "Iron Panda Malware Htran",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7782": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronPanda_Malware_Htran_RID3011",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/E4qia9",
            "yara_rule_description": "Iron Panda Malware Htran",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7783": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronTiger_ChangePort_Toolkit_driversinstall",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "Iron Tiger Malware - Changeport Toolkit driverinstall",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7784": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronTiger_dllshellexc2010",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "dllshellexc2010 Exchange backdoor + remote shell",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7785": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronTiger_GetPassword_x64",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "Iron Tiger Malware - GetPassword x64",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7786": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronTiger_PlugX_DosEmulator",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "Iron Tiger Malware - PlugX DosEmulator",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7787": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronTiger_PlugX_FastProxy",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "Iron Tiger Malware - PlugX FastProxy",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7788": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronTiger_PlugX_Server",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "Iron Tiger Malware - PlugX Server",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7789": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "IronTiger_wmiexec",
            "yara_rule_author": "Cyber Safety Solutions, Trend Micro",
            "yara_rule_reference": "http://goo.gl/T5fSJC",
            "yara_rule_description": "Iron Tiger Tool - wmi.vbs detection",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7790": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ismail_2010_samples",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-12 17:49:04"
        }
    ],
    "7791": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ItsSoEasy_Ransomware",
            "yara_rule_author": "bstnbuck",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect ItsSoEasy Ransomware (Itssoeasy-A)",
            "last_hit_utc": "2023-11-03 06:41:03"
        }
    ],
    "7792": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ItsSoEasy_Ransomware_Go_Var",
            "yara_rule_author": "bstnbuck",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect ItsSoEasy Ransomware (Itssoeasy-A Go.Var)",
            "last_hit_utc": "2023-11-03 06:41:03"
        }
    ],
    "7793": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ItsSoEasy_Ransomware_Py_Var",
            "yara_rule_author": "bstnbuck",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect ItsSoEasy Ransomware (Itssoeasy-A Py.Var)",
            "last_hit_utc": "2023-11-03 06:43:02"
        }
    ],
    "7794": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ja3transport_tools_01",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 15:56:03"
        }
    ],
    "7795": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "jar_ratty_w0",
            "yara_rule_author": "[redacted]",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-01-12 12:31:44"
        }
    ],
    "7796": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Jasus",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:44:38"
        }
    ],
    "7797": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JavaScript_Run_Suspicious",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/craiu/status/900314063560998912",
            "yara_rule_description": "Detects a suspicious Javascript Run command",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "7798": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JavaScript_Run_Suspicious_RID3132",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/craiu/status/900314063560998912",
            "yara_rule_description": "Detects a suspicious Javascript Run command",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "7799": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Jc_WinEggDrop_Shell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "7800": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Jc_WinEggDrop_Shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "7801": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Jc_WinEggDrop_Shell_RID2E4A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "7802": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JohnWalkerTexasLoader",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects JohnWalkerTexasLoader",
            "last_hit_utc": "2025-01-03 21:29:09"
        }
    ],
    "7803": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JSP_Browser_APT_webshell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a",
            "last_hit_utc": "2022-12-04 16:38:04"
        }
    ],
    "7804": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JSP_Browser_APT_webshell_RID303A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a",
            "last_hit_utc": "2022-12-04 16:38:04"
        }
    ],
    "7805": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JSP_Webshell",
            "yara_rule_author": "@Pro_Integritate",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic JSP Webshell signature",
            "last_hit_utc": "2025-01-05 14:58:14"
        }
    ],
    "7806": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JSTokenGrabber",
            "yara_rule_author": "nwunderly",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-02-11 02:24:05"
        }
    ],
    "7807": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JSWorm",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-11 16:27:06"
        }
    ],
    "7808": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "js_node_rat_w0",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html",
            "yara_rule_description": "detect Noderat in memory",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "7809": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "js_ostap_w0",
            "yara_rule_author": "Alex Holland @cryptogramfan (Bromium Labs)",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-09-27 15:24:06"
        }
    ],
    "7810": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JS_Suspicious_MSHTA_Bypass",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/ItsReallyNick/status/887705105239343104",
            "yara_rule_description": "Detects MSHTA Bypass",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "7811": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "JS_Suspicious_MSHTA_Bypass_RID30F1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/ItsReallyNick/status/887705105239343104",
            "yara_rule_description": "Detects MSHTA Bypass",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "7812": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Jupyter_Dropped_File",
            "yara_rule_author": "Lucas Acha (http://www.lukeacha.com)",
            "yara_rule_reference": "http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
            "yara_rule_description": "observed wide strings with malicious DLL loaded by Jupyter malware",
            "last_hit_utc": "2025-01-03 20:34:49"
        }
    ],
    "7813": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kagent",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:44:39"
        }
    ],
    "7814": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kartoxa_malware_pdb",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://securitynews.sonicwall.com/xmlpost/guatambu-new-multi-component-infostealer-drops-kartoxa-pos-malware-apr-08-2016/",
            "yara_rule_description": "Rule to detect Kartoxa POS based on the PDB",
            "last_hit_utc": "2022-01-08 21:08:05"
        }
    ],
    "7815": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "KasperMalware_Oct17_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Kasper Backdoor",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7816": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "KasperMalware_Oct17_1_RID2EBD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Kasper Backdoor",
            "last_hit_utc": "2025-11-05 08:22:38"
        }
    ],
    "7817": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "katz",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked katz malware samples.",
            "last_hit_utc": "2025-08-06 11:22:37"
        }
    ],
    "7818": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Kazuar",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-02-21 09:59:07"
        }
    ],
    "7819": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "KBySV028shoooo",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:57:54"
        }
    ],
    "7820": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kerberoast_PY",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/skelsec/PyKerberoast",
            "yara_rule_description": "Auto-generated rule - file kerberoast.py",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7821": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kerberoast_PY_RID2C4B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/skelsec/PyKerberoast",
            "yara_rule_description": "Semiautomatically generated YARA rule - file kerberoast.py",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7822": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "keydnap_backdoor",
            "yara_rule_author": "Marc-Etienne M.L\u00e9veill\u00e9",
            "yara_rule_reference": "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials",
            "yara_rule_description": "Unpacked OSX/Keydnap backdoor",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7823": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "keydnap_downloader",
            "yara_rule_author": "Marc-Etienne M.L\u00e9veill\u00e9",
            "yara_rule_reference": "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials",
            "yara_rule_description": "OSX/Keydnap Downloader",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7824": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Keylogger_CN_APT",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Keylogger - generic rule for a Chinese variant",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7825": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "KGBSFX",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:29:42"
        }
    ],
    "7826": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "killer_rookit",
            "yara_rule_author": "wtl",
            "yara_rule_reference": null,
            "yara_rule_description": "detect killer rootkit",
            "last_hit_utc": "2025-06-25 13:05:32"
        }
    ],
    "7827": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "KINS_DLL_zeus",
            "yara_rule_author": "AlienVault Labs aortega@alienvault.com",
            "yara_rule_reference": "http://goo.gl/arPhm3",
            "yara_rule_description": "Match default bot in KINS leaked dropper, Zeus",
            "last_hit_utc": "2026-02-17 12:01:21"
        }
    ],
    "7828": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kiwistealer",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked kiwistealer malware samples.",
            "last_hit_utc": "2025-06-26 01:59:34"
        }
    ],
    "7829": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kkrunchy023alphaRyd",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:12:59"
        }
    ],
    "7830": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kkrunchyRyd",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:12:59"
        }
    ],
    "7831": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kkrunchyV02XRyd",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:12:59"
        }
    ],
    "7832": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kleptoparasite",
            "yara_rule_author": "jarcher",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-08-31 04:03:02"
        }
    ],
    "7833": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kobalos_ssh_credential_stealer",
            "yara_rule_author": "Marc-Etienne M.L\u00e9veill\u00e9",
            "yara_rule_reference": "http://www.welivesecurity.com",
            "yara_rule_description": "Kobalos SSH credential stealer seen in OpenSSH client",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7834": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Kpot",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Kpot Stealer",
            "last_hit_utc": "2020-12-13 08:57:05"
        }
    ],
    "7835": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Kpot",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "Kpot Stealer",
            "last_hit_utc": "2021-07-23 16:20:28"
        }
    ],
    "7836": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "kraken_cryptor_ransomware_loader",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/",
            "yara_rule_description": "Rule to detect the Kraken Cryptor Ransomware loader",
            "last_hit_utc": "2022-09-20 05:04:04"
        }
    ],
    "7837": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "KR_Target_Malware_Aug17",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/eyalsela/status/900250203097354240",
            "yara_rule_description": "Detects malware that targeted South Korea in Aug 2017 - file MRDqsbuEqGxrgqtbXU.exe",
            "last_hit_utc": "2020-10-26 06:20:13"
        }
    ],
    "7838": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "latrodectus_dll_str_decrypt",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects the Latrodectus DLL Decrypt String Algorithm.",
            "last_hit_utc": "2024-05-03 20:56:03"
        }
    ],
    "7839": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Lazagne_PW_Dumper",
            "yara_rule_author": "Markus Neis / Florian Roth",
            "yara_rule_reference": "https://github.com/AlessandroZ/LaZagne/releases/",
            "yara_rule_description": "Detects Lazagne PW Dumper",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7840": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Lazagne_PW_Dumper_RID2DA5",
            "yara_rule_author": "Markus Neis, Florian Roth",
            "yara_rule_reference": "https://github.com/AlessandroZ/LaZagne/releases/",
            "yara_rule_description": "Detects Lazagne PW Dumper",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7841": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Lazarus_Dtrack_code",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Dtrack malware in Lazarus",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7842": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Lazarus_magicpoint_code",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "magicpoint bot using Lazarus",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7843": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Lazarus_msi_str",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "msi file using Lazarus",
            "last_hit_utc": "2025-01-03 21:53:50"
        }
    ],
    "7844": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Lazarus_packer_code",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "Lazarus using packer",
            "last_hit_utc": "2022-11-16 01:26:03"
        }
    ],
    "7845": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Lazarus_Torisma_strvest",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Torisma in Lazarus",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7846": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Lazarus_VSingle_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "VSingle malware in Lazarus",
            "last_hit_utc": "2022-11-16 08:37:00"
        }
    ],
    "7847": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "lb_keystream_shellcode_1",
            "yara_rule_author": "0x0d4y",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects the Shellcode code pattern injected into memory to generate the decryption keystream.",
            "last_hit_utc": "2025-01-03 20:40:02"
        }
    ],
    "7848": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ledbetter_malware_munger",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:27:50"
        }
    ],
    "7849": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LinuxHacktool_eyes_a",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file a",
            "last_hit_utc": "2025-10-28 13:44:41"
        }
    ],
    "7850": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LinuxHacktool_eyes_a",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file a",
            "last_hit_utc": "2025-10-28 13:44:41"
        }
    ],
    "7851": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LinuxHacktool_eyes_a_RID2F2B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file a",
            "last_hit_utc": "2025-10-28 13:44:41"
        }
    ],
    "7852": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LinuxHacktool_eyes_mass",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file mass",
            "last_hit_utc": "2025-10-28 13:44:41"
        }
    ],
    "7853": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LinuxHacktool_eyes_mass",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file mass",
            "last_hit_utc": "2025-10-28 13:44:41"
        }
    ],
    "7854": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LinuxHacktool_eyes_scanssh",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "not set",
            "yara_rule_description": "Linux hack tools - file scanssh",
            "last_hit_utc": "2025-10-28 13:44:42"
        }
    ],
    "7855": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Backdoor_Python_00606bac",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-28 14:24:07"
        }
    ],
    "7856": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Backdoor_Tinyshell_67ee6fae",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:28:55"
        }
    ],
    "7857": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Camelot_25b63f54",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-05 02:43:11"
        }
    ],
    "7858": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Generic_54357231",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-14 14:07:30"
        }
    ],
    "7859": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Generic_e36a35b0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-23 19:54:29"
        }
    ],
    "7860": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Malxmr_c8adb449",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-04 00:23:03"
        }
    ],
    "7861": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Stak_52dc7af3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:25:18"
        }
    ],
    "7862": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Ursu_3c05f8ab",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:36:21"
        }
    ],
    "7863": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Xmrig_403b0a12",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:35:24"
        }
    ],
    "7864": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Xmrig_bffa106b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-04 00:23:03"
        }
    ],
    "7865": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Xmrminer_98b00f9c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:25:18"
        }
    ],
    "7866": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Cryptominer_Xmrminer_d625fcd2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-09 08:10:46"
        }
    ],
    "7867": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_CVE_2016_5195_9190d516",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-09 22:13:03"
        }
    ],
    "7868": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_CVE_2016_5195_9c67a994",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-09 22:13:03"
        }
    ],
    "7869": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_CVE_2016_5195_b45098df",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-09 22:13:03"
        }
    ],
    "7870": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_CVE_2018_10561_0f246e33",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:29:40"
        }
    ],
    "7871": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_CVE_2021_3156_f3fb10cd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:12:27"
        }
    ],
    "7872": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_CVE_2021_3490_d369d615",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-06 21:22:02"
        }
    ],
    "7873": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_Perl_4a4b8a42",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-13 07:29:16"
        }
    ],
    "7874": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_Vmsplice_055f88b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:33:29"
        }
    ],
    "7875": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_Vmsplice_431e689d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "1cbb09223f16af4cd13545d72dbeeb996900535b1e279e4bcf447670728de1e1",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:33:29"
        }
    ],
    "7876": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Exploit_Vmsplice_cfa94001",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:33:29"
        }
    ],
    "7877": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_094c1238",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:50:16"
        }
    ],
    "7878": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_11041685",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-13 18:00:40"
        }
    ],
    "7879": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_1e047045",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-11 09:59:11"
        }
    ],
    "7880": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_4a46b0e1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-13 05:24:19"
        }
    ],
    "7881": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_66d00a84",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:21:50"
        }
    ],
    "7882": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_75813ab2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:33:29"
        }
    ],
    "7883": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_80aea077",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-11 09:59:12"
        }
    ],
    "7884": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_b0b891fb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:01:44"
        }
    ],
    "7885": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_be02b1c9",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-16 01:34:13"
        }
    ],
    "7886": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Generic_Threat_d60e5924",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-19 14:36:25"
        }
    ],
    "7887": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Bruteforce_eb83b6aa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-28 13:59:07"
        }
    ],
    "7888": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Cleanlog_c2907d77",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-19 14:36:25"
        }
    ],
    "7889": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_1a4eb229",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-06 19:23:17"
        }
    ],
    "7890": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_4bcea1c4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-12 05:45:03"
        }
    ],
    "7891": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_678c1145",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-28 20:13:16"
        }
    ],
    "7892": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_8b63ff02",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 23:10:44"
        }
    ],
    "7893": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_a2795a4c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:18:45"
        }
    ],
    "7894": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_a2795a4c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-12 05:45:03"
        }
    ],
    "7895": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_af9f75e6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-23 06:06:35"
        }
    ],
    "7896": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_d710a5da",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-11 09:37:12"
        }
    ],
    "7897": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_e63396f4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-12 05:45:03"
        }
    ],
    "7898": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Flooder_f434a3fb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-04-02 18:19:02"
        }
    ],
    "7899": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Hacktool_Portscan_6c6000c2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-21 12:37:15"
        }
    ],
    "7900": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Portscan_Shark_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35",
            "yara_rule_description": "Detects Linux Port Scanner Shark",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7901": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Portscan_Shark_2_RID2FB3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35",
            "yara_rule_description": "Detects Linux Port Scanner Shark",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7902": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "linux_rakos",
            "yara_rule_author": "Peter K\u00e1lnai",
            "yara_rule_reference": "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/",
            "yara_rule_description": "Linux/Rakos.A executable",
            "last_hit_utc": "2025-10-28 13:44:40"
        }
    ],
    "7903": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Ransomware_BlackBasta_Strings",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1624478905275977731",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:26:16"
        }
    ],
    "7904": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Ransomware_Gonnacry_53c3832d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-07-25 23:43:03"
        }
    ],
    "7905": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Ransomware_Hellokitty_35731270",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:44:41"
        }
    ],
    "7906": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Ransomware_Lockbit_d248e80e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:44:41"
        }
    ],
    "7907": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Ransomware_RagnarLocker_9f5982b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:52:09"
        }
    ],
    "7908": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Rootkit_Perfctl_ce456896",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-09-25 08:28:36"
        }
    ],
    "7909": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Rootkit_Reptile_c9f8806d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-23 02:05:18"
        }
    ],
    "7910": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Ddostf_6dc1caab",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:56:48"
        }
    ],
    "7911": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Dofloo_1d057993",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-05-19 19:37:03"
        }
    ],
    "7912": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Dofloo_29c12775",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-05-19 19:37:03"
        }
    ],
    "7913": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Dofloo_be1973ed",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-05-19 19:37:03"
        }
    ],
    "7914": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Dropperl_b97baf37",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-09 10:55:19"
        }
    ],
    "7915": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Gafgyt_0e03b7d3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-17 22:21:02"
        }
    ],
    "7916": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Gafgyt_148b91a2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 18:19:03"
        }
    ],
    "7917": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Gafgyt_20f5e74f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 18:18:03"
        }
    ],
    "7918": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Gafgyt_750fe002",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 18:18:03"
        }
    ],
    "7919": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Gafgyt_9a62845f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-07 08:33:03"
        }
    ],
    "7920": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Gafgyt_9abf7e0c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-03 08:17:03"
        }
    ],
    "7921": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Gafgyt_a10161ce",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 18:19:02"
        }
    ],
    "7922": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Ganiw_b9f045aa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-29 11:16:02"
        }
    ],
    "7923": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Generic_5e3bc3b3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for custom Trojan found in Linux REF6138.",
            "last_hit_utc": "2026-03-18 09:05:33"
        }
    ],
    "7924": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Generic_d8953ca0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-02 09:38:10"
        }
    ],
    "7925": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Marut_47af730d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-06 01:27:04"
        }
    ],
    "7926": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Metasploit_dd5fd075",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects x86 msfvenom TCP bind shell payloads",
            "last_hit_utc": "2026-01-09 16:40:44"
        }
    ],
    "7927": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Mirai_1cb033f3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-04 23:15:03"
        }
    ],
    "7928": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Mirai_3278f1b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:06"
        }
    ],
    "7929": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Mirai_3a85a418",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-08 11:40:06"
        }
    ],
    "7930": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Mirai_76bbc4ca",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "1a9ff86a66d417678c387102932a71fd879972173901c04f3462de0e519c3b51",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:04:37"
        }
    ],
    "7931": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Mirai_88a1b067",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-21 07:08:03"
        }
    ],
    "7932": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Mirai_e3e6d768",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-07 14:11:16"
        }
    ],
    "7933": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Pidief_635667d1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-05 15:43:03"
        }
    ],
    "7934": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Pornoasset_927f314f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-04 00:23:03"
        }
    ],
    "7935": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Rotajakiro_fb24f399",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "023a7f9ed082d9dd7be6eba5942bfa77f8e618c2d15a8bc384d85223c5b91a0c",
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-29 20:42:49"
        }
    ],
    "7936": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Setag_01e2f79b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-29 11:16:02"
        }
    ],
    "7937": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Setag_351eeb76",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-29 11:16:02"
        }
    ],
    "7938": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Sshdkit_18a0b82a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:46:37"
        }
    ],
    "7939": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Torii_fa253f2a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-31 12:15:26"
        }
    ],
    "7940": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Tsunami_35806adc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-01-26 01:26:27"
        }
    ],
    "7941": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Tsunami_36a98405",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 23:10:44"
        }
    ],
    "7942": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Tsunami_8a11f9be",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-12 05:45:03"
        }
    ],
    "7943": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Winnti_4c5a1865",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "0d963a713093fc8e5928141f5747640c9b43f3aadc8a5478c949f7ec364b28ad",
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-19 22:35:16"
        }
    ],
    "7944": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Winnti_61215d98",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-28 12:21:03"
        }
    ],
    "7945": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Winnti_6f4ca425",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "161af780209aa24845863f7a8120aa982aa811f16ec04bcd797ed165955a09c1",
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-19 22:35:17"
        }
    ],
    "7946": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Xhide_7f0a131b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-08 21:39:11"
        }
    ],
    "7947": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Xhide_cd8489f7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-08 21:39:11"
        }
    ],
    "7948": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_XZBackdoor_74e87a9d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:44:41"
        }
    ],
    "7949": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Linux_Trojan_Zpevdo_7f563544",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:56:32"
        }
    ],
    "7950": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "liudoor",
            "yara_rule_author": "RSA FirstWatch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Liudoor daemon backdoor",
            "last_hit_utc": "2025-10-28 13:44:42"
        }
    ],
    "7951": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LM_hash_empty_String_RID2F11",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects the empty LM hash on disk/in memory/as output from hacking tools",
            "last_hit_utc": "2025-10-28 13:44:42"
        }
    ],
    "7952": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "lnk_raspberryrobin",
            "yara_rule_author": "HP Threat Research @HPSecurity",
            "yara_rule_reference": null,
            "yara_rule_description": "LNK file part of Raspberry Robin",
            "last_hit_utc": "2023-01-26 15:41:03"
        }
    ],
    "7953": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "loader_fakebat_initial_powershell_may24",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Finds FakeBat initial PowerShell script downloading and executing the next-stage payload.",
            "last_hit_utc": "2025-01-04 09:10:24"
        }
    ],
    "7954": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Loader_MSIL_CSharpSectionInjection_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'C_Sharp_SectionInjection' project.",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7955": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Loader_MSIL_NETAssemblyInject_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NET-Assembly-Inject' project.",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7956": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Loader_MSIL_RuralBishop_1b",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public RuralBishop project.",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7957": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Loader_MSIL_SharPy_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharPy' project.",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7958": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Loader_MSIL_WildChild_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the WildChild project.",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7959": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Loader_MSIL_WMIRunner_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMIRunner' project.",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7960": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "loader_win_bumblebee",
            "yara_rule_author": null,
            "yara_rule_reference": "https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/",
            "yara_rule_description": null,
            "last_hit_utc": "2023-05-16 08:28:01"
        }
    ],
    "7961": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "loader_win_bumblebee",
            "yara_rule_author": "",
            "yara_rule_reference": "https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-08-27 15:35:02"
        }
    ],
    "7962": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "loader_win_bumblebee",
            "yara_rule_author": "SEKOIA.IO",
            "yara_rule_reference": null,
            "yara_rule_description": "Find BumbleBee samples based on specific strings",
            "last_hit_utc": "2023-05-16 08:28:02"
        }
    ],
    "7963": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "loader_win_bumblebee",
            "yara_rule_author": "SEKOIA.IO",
            "yara_rule_reference": "",
            "yara_rule_description": "Find BumbleBee samples based on specific strings",
            "last_hit_utc": "2022-08-27 15:35:02"
        }
    ],
    "7964": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "locdoor_ransomware",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://twitter.com/leotpsc/status/1036180615744376832",
            "yara_rule_description": "Rule to detect Locdoor/DryCry",
            "last_hit_utc": "2023-02-03 15:53:03"
        }
    ],
    "7965": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LockbitBlack_Loader_Rule",
            "yara_rule_author": "Luis Fabuel",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunting rule for the Lockbit Black loader, based on https://twitter.com/vxunderground/status/1543661557883740161",
            "last_hit_utc": "2023-03-07 04:55:03"
        }
    ],
    "7966": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "lockbitblack_ransomnote",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Hunting rule for LockBit Black/3.0 ransom notes",
            "last_hit_utc": "2025-01-05 16:47:40"
        }
    ],
    "7967": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LockBit_Conti_Green",
            "yara_rule_author": "Allie Roblee",
            "yara_rule_reference": null,
            "yara_rule_description": "LockBit Green (x32/x64)",
            "last_hit_utc": "2025-01-05 16:04:08"
        }
    ],
    "7968": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LockBit_Conti_Green_2",
            "yara_rule_author": "Allie Roblee",
            "yara_rule_reference": null,
            "yara_rule_description": "LockBit Green (x32/x64)",
            "last_hit_utc": "2025-01-05 16:04:09"
        }
    ],
    "7969": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LockBit_Green",
            "yara_rule_author": "PRODAFT",
            "yara_rule_reference": null,
            "yara_rule_description": "LockBit Green detector (x32/x64)",
            "last_hit_utc": "2025-01-05 16:04:09"
        }
    ],
    "7970": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LockerGogaRansomware",
            "yara_rule_author": "Christiaan Beek - McAfee ATR team",
            "yara_rule_reference": null,
            "yara_rule_description": "LockerGoga Ransomware",
            "last_hit_utc": "2023-01-07 12:02:03"
        }
    ],
    "7971": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_APT_WEBSHELL_Solarwinds_SUNBURST_Report_Webshell_Dec20_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
            "yara_rule_description": "Detects webshell access mentioned in FireEye's SUNBURST report",
            "last_hit_utc": "2025-10-28 13:44:42"
        }
    ],
    "7972": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_RID36CD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log",
            "yara_rule_description": "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity",
            "last_hit_utc": "2025-10-28 13:44:42"
        }
    ],
    "7973": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
            "yara_rule_description": "Detects suspicious log lines produced during the exploitation of ADSelfService vulnerability CVE-2021-40539",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7974": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_EXPL_Confluence_RCE_CVE_2021_26084_Sep21",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
            "yara_rule_description": "Detects exploitation attempts against Confluence servers abusing a RCE reported as CVE-2021-26084",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7975": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response",
            "yara_rule_description": "Detects a potential compromise indicator found in MOVEit Transfer logs",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7976": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response",
            "yara_rule_description": "Detects a potential compromise indicator found in MOVEit Transfer logs",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7977": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_3",
            "yara_rule_author": "Nasreddine Bencherchali",
            "yara_rule_reference": "https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis",
            "yara_rule_description": "Detects a potential compromise indicator found in MOVEit DMZ Web API logs",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7978": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_EXPL_ProxyToken_Exploitation_Aug21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server",
            "yara_rule_description": "Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7979": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/",
            "yara_rule_description": "Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7980": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1_RID3A2F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/",
            "yara_rule_description": "Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7981": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/testanull/ProxyNotShell-PoC",
            "yara_rule_description": "Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7982": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/sherlocksecurity/VMware-CVE-2022-22954",
            "yara_rule_description": "Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954",
            "last_hit_utc": "2026-02-18 16:31:16"
        }
    ],
    "7983": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_TeamViewer_Connect_Chinese_Keyboard_Layout",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs",
            "yara_rule_description": "Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7984": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LOG_TeamViewer_Connect_Russian_Keyboard_Layout",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs",
            "yara_rule_description": "Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7985": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "loki2crypto",
            "yara_rule_author": "Costin Raiu, Kaspersky Lab",
            "yara_rule_reference": "https://en.wikipedia.org/wiki/Moonlight_Maze",
            "yara_rule_description": "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */",
            "last_hit_utc": "2025-11-05 08:22:39"
        }
    ],
    "7986": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "lsremora",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "7987": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "LucaStealer",
            "yara_rule_author": "Chat3ux",
            "yara_rule_reference": "",
            "yara_rule_description": "Lucasstealer",
            "last_hit_utc": "2022-09-14 23:15:04"
        }
    ],
    "7988": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MacOS_Cryptominer_Generic_4e7d4488",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-01 18:27:03"
        }
    ],
    "7989": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MacOS_Infostealer_MdQueryTCC_142313cb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-23 16:19:40"
        }
    ],
    "7990": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MacOS_Trojan_Metasploit_27d409f1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x64/shell_bind_tcp.rb",
            "yara_rule_description": "Byte sequence based on Metasploit x64 shell_bind_tcp.rb",
            "last_hit_utc": "2025-01-03 20:34:49"
        }
    ],
    "7991": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MacOS_Trojan_Metasploit_768df39d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb",
            "yara_rule_description": "Byte sequence based on Metasploit shell_reverse_tcp.rb",
            "last_hit_utc": "2025-01-03 21:26:18"
        }
    ],
    "7992": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MacOS_Trojan_RustBucket_e64f7a92",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-07 20:30:04"
        }
    ],
    "7993": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MacromediaWindowsFlashProjectorPlayerv50",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-18 12:26:03"
        }
    ],
    "7994": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Malaysia_mal_APK_2",
            "yara_rule_author": "@fareedfauzi",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Malicious APK targeting Malaysia",
            "last_hit_utc": "2025-01-05 16:16:44"
        }
    ],
    "7995": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "maldoc_indirect_function_call_2",
            "yara_rule_author": "Didier Stevens (https://DidierStevens.com)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:18:20"
        }
    ],
    "7996": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malrtf_ole2link",
            "yara_rule_author": "@h3x2b <tracker _AT h3x.eu>",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect weaponized RTF documents with OLE2Link exploit",
            "last_hit_utc": "2022-06-03 09:09:02"
        }
    ],
    "7997": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_apt15_exchange_tool",
            "yara_rule_author": "Ahmed Zaki",
            "yara_rule_reference": null,
            "yara_rule_description": "This is an exchange enumeration/hijacking tool used by APT 15",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "7998": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_apt15_generic",
            "yara_rule_author": "David Cannings",
            "yara_rule_reference": null,
            "yara_rule_description": "Find generic data potentially relating to APT15 tools",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "7999": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_apt15_royaldll",
            "yara_rule_author": "David Cannings",
            "yara_rule_reference": null,
            "yara_rule_description": "DLL implant, originally rights.dll and runs as a service",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "8000": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_donut_shellcode",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://github.com/TheWover/donut",
            "yara_rule_description": "donut shellcode",
            "last_hit_utc": "2025-01-03 21:42:59"
        }
    ],
    "8001": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Java_Pyrogenic",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Pyrogenic/Qealler infostealer payload",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "8002": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Linux_GetShell",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect GetShell Linux backdoor",
            "last_hit_utc": "2024-05-28 12:48:05"
        }
    ],
    "8003": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Linux_HelloKitty",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Linux version of HelloKitty ransomware",
            "last_hit_utc": "2021-12-22 11:50:05"
        }
    ],
    "8004": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Linux_PLEAD",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "PLEAD Linux payload",
            "last_hit_utc": "2022-03-04 08:34:07"
        }
    ],
    "8005": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_lvscam_phpwebshell",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP malware used in lucky visitor scam",
            "last_hit_utc": "2023-01-16 10:37:03"
        }
    ],
    "8006": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Multi_GolangBypassAV",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Go executables using GolangBypassAV",
            "last_hit_utc": "2024-05-30 16:40:03"
        }
    ],
    "8007": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Multi_POOLRAT",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects POOLRAT",
            "last_hit_utc": "2025-09-12 14:20:59"
        }
    ],
    "8008": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_NimFilecoder",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "NimCopycatLoader malware in human-operated ransomware attack",
            "last_hit_utc": "2025-01-03 22:09:44"
        }
    ],
    "8009": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_Noderat_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html",
            "yara_rule_description": "detect Noderat in memory",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "8010": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_QakBot",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "detect QakBot(a.k.a. Qbot, Quakbot, Pinkslipbot) in memory",
            "last_hit_utc": "2022-10-02 06:54:39"
        }
    ],
    "8011": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Malware_QA_get_The_FucKinG_IP",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file get The FucKinG IP.exe",
            "last_hit_utc": "2025-11-05 08:21:38"
        }
    ],
    "8012": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Malware_QA_get_The_FucKinG_IP_RID31C8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file get The FucKinG IP.exe",
            "last_hit_utc": "2025-11-05 08:21:38"
        }
    ],
    "8013": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Malware_QA_tls",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file tls.exe",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "8014": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Malware_QA_tls_RID2C7D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "VT Research QA",
            "yara_rule_description": "VT Research QA uploaded malware - file tls.exe",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "8015": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_sakula_shellcode",
            "yara_rule_author": "David Cannings",
            "yara_rule_reference": null,
            "yara_rule_description": "Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "8016": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "malware_VeletrixLoader",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": null,
            "yara_rule_description": "Veletrix Loader",
            "last_hit_utc": "2026-02-18 00:36:28"
        }
    ],
    "8017": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_ActionRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects ActionRAT, CSharp and Delfi variants",
            "last_hit_utc": "2021-08-06 12:42:12"
        }
    ],
    "8018": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_AllaKore",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects AllaKore",
            "last_hit_utc": "2025-01-05 17:25:13"
        }
    ],
    "8019": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Baldr",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Baldr payload",
            "last_hit_utc": "2021-12-10 12:51:04"
        }
    ],
    "8020": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Bandook",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Bandook backdoor",
            "last_hit_utc": "2021-07-02 06:02:10"
        }
    ],
    "8021": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Banload",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Banload",
            "last_hit_utc": "2022-12-02 17:32:05"
        }
    ],
    "8022": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_BetaBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "BetaBot payload",
            "last_hit_utc": "2021-11-19 05:32:27"
        }
    ],
    "8023": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_BitterRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "BitterRAT payload",
            "last_hit_utc": "2021-08-28 14:48:36"
        }
    ],
    "8024": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_BlackshadesRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "BlackshadesRAT POS payload",
            "last_hit_utc": "2021-05-05 10:26:46"
        }
    ],
    "8025": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_BlueBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects BlueBot",
            "last_hit_utc": "2025-08-20 16:15:59"
        }
    ],
    "8026": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_BlueBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects BlueBot",
            "last_hit_utc": "2021-08-06 12:58:34"
        }
    ],
    "8027": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Cicada3301",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Cicada3301",
            "last_hit_utc": "2025-06-16 16:36:07"
        }
    ],
    "8028": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_ClipBanker03",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ClipBanker",
            "last_hit_utc": "2025-06-21 21:46:56"
        }
    ],
    "8029": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_CoinMiner01",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects coinmining malware",
            "last_hit_utc": "2023-04-22 07:17:05"
        }
    ],
    "8030": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_CoinMiner01",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects coinmining malware",
            "last_hit_utc": "2021-12-27 21:52:19"
        }
    ],
    "8031": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_CoinMiningBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects coinmining bot",
            "last_hit_utc": "2021-06-13 10:30:47"
        }
    ],
    "8032": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_CovenantGruntStager",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Covenant Grunt Stager",
            "last_hit_utc": "2022-03-17 17:42:03"
        }
    ],
    "8033": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_CrimsonRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects CrimsonRAT",
            "last_hit_utc": "2025-04-08 14:07:19"
        }
    ],
    "8034": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Cuba",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Cuba ransomware",
            "last_hit_utc": "2021-12-24 18:13:32"
        }
    ],
    "8035": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_DarkEye",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects DarkEye infostealer",
            "last_hit_utc": "2025-01-05 17:18:10"
        }
    ],
    "8036": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_DarkVNC",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects DarkVNC",
            "last_hit_utc": "2023-06-30 20:03:34"
        }
    ],
    "8037": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Diavol",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Diavol ransomware",
            "last_hit_utc": "2022-10-05 10:06:02"
        }
    ],
    "8038": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Egregor",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Egregor ransomware variants",
            "last_hit_utc": "2025-10-28 13:44:47"
        }
    ],
    "8039": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_ExMatter",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects BlackMatter data exfiltration tool",
            "last_hit_utc": "2022-10-08 14:37:03"
        }
    ],
    "8040": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_FakeWMI",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "FakeWMI payload",
            "last_hit_utc": "2022-06-23 02:19:02"
        }
    ],
    "8041": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Farfli",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Farfli backdoor",
            "last_hit_utc": "2021-09-11 13:37:03"
        }
    ],
    "8042": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_G0Crypt",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects G0Crypt / BRG0SNet / NovaGP ransomware",
            "last_hit_utc": "2025-04-30 08:35:12"
        }
    ],
    "8043": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Gasket",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Gasket",
            "last_hit_utc": "2022-01-05 18:32:05"
        }
    ],
    "8044": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_GetCrypt",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "GetCrypt ransomware payload",
            "last_hit_utc": "2026-03-15 07:55:22"
        }
    ],
    "8045": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_GoBrut",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects unknown Go multi-bruteforcer bot (dubbed GoBrut) against multiple systems: QNAP, MagOcart, WordPress, Opencart, Bitrix, Postgres, MySQL, Drupal, Joomla, SSH, FTP, Magento, CPanel",
            "last_hit_utc": "2021-08-13 07:58:05"
        }
    ],
    "8046": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_GoBrutLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects GoBrut StealthWorker loader",
            "last_hit_utc": "2023-06-03 20:12:03"
        }
    ],
    "8047": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_HDLocker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HDLocker ransomware",
            "last_hit_utc": "2023-09-11 16:27:07"
        }
    ],
    "8048": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Heracles",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Heracles infostealer",
            "last_hit_utc": "2022-06-05 09:32:03"
        }
    ],
    "8049": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_HorusEyesRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects HorusEyesRAT",
            "last_hit_utc": "2022-05-05 23:33:02"
        }
    ],
    "8050": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_HoudiniConfig",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "https://github.com/ditekshen/back-in-2017",
            "yara_rule_description": "Detects Houdini Trojan configurations",
            "last_hit_utc": "2025-10-28 13:44:47"
        }
    ],
    "8051": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_HUNT_Apostle",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Attempt on hunting new variants of Apostle",
            "last_hit_utc": "2025-10-28 13:44:47"
        }
    ],
    "8052": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_HyperBro",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects HyperBro (class names) payload",
            "last_hit_utc": "2021-10-11 23:19:03"
        }
    ],
    "8053": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_HyperBro02",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects HyperBro IronTiger / LuckyMouse / APT27 malware",
            "last_hit_utc": "2021-10-11 23:19:04"
        }
    ],
    "8054": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_IAmTheKingKeylogger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "IAmTheKing Keylogger payload",
            "last_hit_utc": "2021-07-11 21:33:18"
        }
    ],
    "8055": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_InfinityLock",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects InfinityLock ransomware",
            "last_hit_utc": "2022-08-31 17:53:04"
        }
    ],
    "8056": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_ISRStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "ISRStealer payload",
            "last_hit_utc": "2021-08-02 05:44:26"
        }
    ],
    "8057": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_JSSLoader",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects JSSLoader RAT/backdoor",
            "last_hit_utc": "2021-09-13 18:35:29"
        }
    ],
    "8058": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Khonsari",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Khonsari ransomware",
            "last_hit_utc": "2023-09-11 16:27:07"
        }
    ],
    "8059": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Kimsuky",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Kimsuky backdoor",
            "last_hit_utc": "2021-11-03 12:22:54"
        }
    ],
    "8060": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Kitty",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects HelloKitty ransomware, triggers on FIVEHANDS",
            "last_hit_utc": "2021-08-14 13:49:48"
        }
    ],
    "8061": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_KLogExe",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects KLogExe",
            "last_hit_utc": "2025-01-03 22:23:08"
        }
    ],
    "8062": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Koxic",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Koxic ransomware",
            "last_hit_utc": "2022-10-11 08:31:29"
        }
    ],
    "8063": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_LockDown",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Lockdown / cantopen ransomware",
            "last_hit_utc": "2022-10-15 04:18:03"
        }
    ],
    "8064": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_LokiLocker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects LokiLocker ransomware",
            "last_hit_utc": "2022-10-11 03:58:03"
        }
    ],
    "8065": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Lorenz",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Lorenz ransomware",
            "last_hit_utc": "2023-03-10 18:59:02"
        }
    ],
    "8066": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_MargulasRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MargulasRAT",
            "last_hit_utc": "2025-01-05 15:27:33"
        }
    ],
    "8067": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_MarkiRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MarkiRAT",
            "last_hit_utc": "2026-02-01 05:37:19"
        }
    ],
    "8068": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_MassLogger",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "MassLogger keylogger payload",
            "last_hit_utc": "2025-10-28 13:44:47"
        }
    ],
    "8069": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Maze",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Maze ransomware",
            "last_hit_utc": "2025-04-20 02:18:06"
        }
    ],
    "8070": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Megumin",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Megumin payload",
            "last_hit_utc": "2025-10-28 13:44:47"
        }
    ],
    "8071": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_MountLocker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects MountLocker ransomware",
            "last_hit_utc": "2023-09-11 16:27:07"
        }
    ],
    "8072": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Mystic",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunt for Mystic Infostealer",
            "last_hit_utc": "2025-10-28 13:44:47"
        }
    ],
    "8073": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Nemty",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Nemty/Nefilim ransomware",
            "last_hit_utc": "2023-09-11 16:27:07"
        }
    ],
    "8074": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Neptune",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Neptune keylogger / infostealer",
            "last_hit_utc": "2025-01-03 20:06:09"
        }
    ],
    "8075": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Nermer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Nermer ransomware",
            "last_hit_utc": "2022-02-22 17:08:04"
        }
    ],
    "8076": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Nibiru",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Nibiru ransomware",
            "last_hit_utc": "2022-11-30 15:57:02"
        }
    ],
    "8077": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_NWorm",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects NWorm/N-W0rm payload",
            "last_hit_utc": "2025-06-22 22:07:31"
        }
    ],
    "8078": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Orion",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Orion Keylogger payload",
            "last_hit_utc": "2021-07-24 07:09:43"
        }
    ],
    "8079": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_PELoader_INF",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PE loader / injector. Observed Gorgon TTPs",
            "last_hit_utc": "2021-05-14 08:14:12"
        }
    ],
    "8080": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Phorpiex",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Phorpiex variants",
            "last_hit_utc": "2021-10-31 00:03:03"
        }
    ],
    "8081": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_PingBack",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects PingBack ICMP backdoor",
            "last_hit_utc": "2022-10-11 03:58:04"
        }
    ],
    "8082": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_PowerPool_STG2",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects second stage PowerPool backdoor",
            "last_hit_utc": "2021-07-11 22:06:19"
        }
    ],
    "8083": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_PWSHLoader_RunPE01",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell PE loader / executer. Observed Gorgon TTPs",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "8084": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_PWSH_PoshCookieStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerShell PoshCookieStealer",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "8085": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_QuilClipper",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects QuilClipper variants mostly in memory or extracted AutoIt script",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "8086": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Qulab",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Qulab information stealer payload or artifacts",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "8087": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_RanumBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RanumBot / Windigo / GoStealer",
            "last_hit_utc": "2021-05-06 01:32:04"
        }
    ],
    "8088": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_RanzyLocker",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects RanzyLocker / REntS ransomware",
            "last_hit_utc": "2021-08-05 11:12:41"
        }
    ],
    "8089": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_RomCom_Loader",
            "yara_rule_author": "ditekShen",
            "yara_rule_reference": null,
            "yara_rule_description": "Hunt for RomCom loader",
            "last_hit_utc": "2025-08-19 14:59:31"
        }
    ],
    "8090": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_RootTeamStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RootTeam infostealer",
            "last_hit_utc": "2023-08-10 16:40:54"
        }
    ],
    "8091": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_S05Kitty",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Sector05 Kitty RAT payload",
            "last_hit_utc": "2021-11-03 12:20:05"
        }
    ],
    "8092": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Salfram",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Salfram executables",
            "last_hit_utc": "2021-04-30 12:05:53"
        }
    ],
    "8093": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Satan",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Satan ransomware",
            "last_hit_utc": "2023-03-11 18:25:07"
        }
    ],
    "8094": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Satana",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Satana ransomware",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "8095": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_ScoutElite",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "https://github.com/ditekshen/back-in-2017",
            "yara_rule_description": "Detects ScoutElite",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "8096": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Snatch",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Snatch / GoRansome / MauriGo ransomware",
            "last_hit_utc": "2022-10-12 09:59:03"
        }
    ],
    "8097": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Spacecolon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Spacecolon ransomware",
            "last_hit_utc": "2025-01-03 20:28:47"
        }
    ],
    "8098": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_SpyEye",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SpyEye",
            "last_hit_utc": "2021-03-05 21:32:14"
        }
    ],
    "8099": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Spyro",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Spyro / VoidCrypt / Limbozar ransomware",
            "last_hit_utc": "2022-09-27 18:12:05"
        }
    ],
    "8100": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_Spyro",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Spyro / VoidCrypt ransomware",
            "last_hit_utc": "2021-09-28 09:22:43"
        }
    ],
    "8101": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_SunCrypt",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SunCrypt ransomware",
            "last_hit_utc": "2023-04-22 15:40:03"
        }
    ],
    "8102": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_SunCrypt",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SunCrypt ransomware",
            "last_hit_utc": "2022-03-03 02:36:05"
        }
    ],
    "8103": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_SweetyStealer",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SweetyStealer",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "8104": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_TeslaRevenge",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects TeslaRevenge ransomware",
            "last_hit_utc": "2023-09-11 16:27:07"
        }
    ],
    "8105": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_TeslaRevenge",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects TeslaRevenge ransomware",
            "last_hit_utc": "2022-09-27 18:12:06"
        }
    ],
    "8106": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_TigerRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects TigerRAT",
            "last_hit_utc": "2022-09-08 07:11:02"
        }
    ],
    "8107": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_TrickbotModule",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Trickbot modules",
            "last_hit_utc": "2021-08-12 17:51:03"
        }
    ],
    "8108": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_TrueBot",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects TrueBot",
            "last_hit_utc": "2023-10-06 09:09:03"
        }
    ],
    "8109": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_VBS_DLAgent01",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects VBS MSHTA downloader",
            "last_hit_utc": "2025-10-28 13:44:48"
        }
    ],
    "8110": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_WhiffyRecon",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Whiffy Recon",
            "last_hit_utc": "2023-10-02 16:32:04"
        }
    ],
    "8111": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_WSHRAT",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "WSHRAT keylogger plugin payload",
            "last_hit_utc": "2021-05-17 13:21:05"
        }
    ],
    "8112": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_XFiles",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects X-Files infostealer (formerly BotSh1zoid)",
            "last_hit_utc": "2025-01-05 14:49:16"
        }
    ],
    "8113": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALWARE_Win_ZombieBoy",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects ZombieBoy Downloader",
            "last_hit_utc": "2022-07-23 07:16:04"
        }
    ],
    "8114": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MALW_mailsercher_trickbot_module",
            "yara_rule_author": "Marc Salinas @Bondey_m",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects mailsearcher module from Trickbot Trojan",
            "last_hit_utc": "2021-01-08 15:00:26"
        }
    ],
    "8115": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_AirdViper_Sample_Apr18_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Arid Viper malware sample",
            "last_hit_utc": "2023-03-06 20:18:03"
        }
    ],
    "8116": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_AirdViper_Sample_Apr18_1_RID310C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Arid Viper malware sample",
            "last_hit_utc": "2023-03-06 20:18:03"
        }
    ],
    "8117": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_APT_NK_Andariel_GoLang_Validalpha_Tasks",
            "yara_rule_author": "CISA.gov",
            "yara_rule_reference": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a",
            "yara_rule_description": "Detects a variant of the GoLang Validalpha malware",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "8118": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_APT_NK_Andariel_KaosRAT_Yamabot",
            "yara_rule_author": "CISA.gov",
            "yara_rule_reference": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a",
            "yara_rule_description": "Detects the KaosRAT variant",
            "last_hit_utc": "2025-10-28 13:44:43"
        }
    ],
    "8119": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_APT_Operation_ShadowHammer_MalSetup",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://securelist.com/operation-shadowhammer/89992/",
            "yara_rule_description": "Detects a malicious file used by BARIUM group in Operation ShadowHammer",
            "last_hit_utc": "2024-06-11 10:49:04"
        }
    ],
    "8120": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_BazarLoader_Oct_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1454154412902002692",
            "yara_rule_description": "Detect BazarLoader implant",
            "last_hit_utc": "2021-12-03 00:53:03"
        }
    ],
    "8121": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Cisco_LINE_VIPER_Shellcode_Deobfuscation_Routine",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf",
            "yara_rule_description": "Detects LINE VIPER Cisco ASA malware code as part of a shellcode deobfuscation routine.",
            "last_hit_utc": "2025-10-28 13:44:44"
        }
    ],
    "8122": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_CRIME_RANSOM_DearCry_Mar21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/phillip_misner/status/1370197696280027136",
            "yara_rule_description": "Detects DearCry Ransomware affecting Exchange servers",
            "last_hit_utc": "2025-11-05 08:21:38"
        }
    ],
    "8123": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_CRIME_RANSOM_DearCry_Mar21_1_RID3164",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/phillip_misner/status/1370197696280027136",
            "yara_rule_description": "Detects DearCry Ransomware affecting Exchange servers",
            "last_hit_utc": "2025-11-05 08:21:38"
        }
    ],
    "8124": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_CRIME_RAT_WIN_PE_GodRat_Aug25",
            "yara_rule_author": "Arda Buyukkaya",
            "yara_rule_reference": "https://securelist.com/godrat/117119/",
            "yara_rule_description": "Detects GodRAT malware targeting Windows systems",
            "last_hit_utc": "2025-11-28 08:53:17"
        }
    ],
    "8125": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Driver_Gmer_Gmersys_Gmer_0052",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys, superman.sys",
            "last_hit_utc": "2025-01-03 22:01:56"
        }
    ],
    "8126": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Driver_Gmer_Gmersys_Gmer_18C9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys",
            "last_hit_utc": "2025-01-05 16:50:23"
        }
    ],
    "8127": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_EarthWorm_Socks_Proxy_ID_Generation",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf",
            "yara_rule_description": "Detects EarthWorm - a reverse socks proxy used by the threat group that deployed Pygmy Goat malware on Sophos XG firewall devices. The detection is based on the pool num generation x86 assembly.",
            "last_hit_utc": "2025-09-03 03:07:27"
        }
    ],
    "8128": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_ELF_Rekoobe_Nov_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect the Rekoobe rootkit",
            "last_hit_utc": "2025-05-16 01:34:13"
        }
    ],
    "8129": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_ELF_SALTWATER_Jun23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.barracuda.com/company/legal/esg-vulnerability",
            "yara_rule_description": "Detects SALTWATER malware used in Barracuda ESG exploitations (CVE-2023-2868)",
            "last_hit_utc": "2025-10-28 13:44:44"
        }
    ],
    "8130": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_ELF_VPNFilter_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects VPNFilter malware",
            "last_hit_utc": "2021-11-25 23:07:04"
        }
    ],
    "8131": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_ELF_VPNFilter_3_RID2D6C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects VPNFilter malware",
            "last_hit_utc": "2021-11-25 23:07:04"
        }
    ],
    "8132": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Github_Repo_Compromise_MyJino_Ru_Aug22",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/stephenlacy/status/1554697077430505473",
            "yara_rule_description": "Detects URL mentioned in report on compromised Github repositories in August 2022",
            "last_hit_utc": "2025-10-28 13:44:44"
        }
    ],
    "8133": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Go_Modbus_Jul24_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_.pdf",
            "yara_rule_description": "Detects characteristics reported by Dragos for FrostyGoop ICS malware",
            "last_hit_utc": "2025-10-28 13:44:44"
        }
    ],
    "8134": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Grace_Dec22",
            "yara_rule_author": "X__Junior",
            "yara_rule_reference": "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
            "yara_rule_description": "Detects Grace (aka FlawedGrace and GraceWire) RAT",
            "last_hit_utc": "2025-10-28 13:44:44"
        }
    ],
    "8135": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_G_APT_Backdoor_BRICKSTORM_2",
            "yara_rule_author": "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)",
            "yara_rule_reference": "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign",
            "yara_rule_description": "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)",
            "last_hit_utc": "2026-01-29 17:40:32"
        }
    ],
    "8136": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_G_APT_Backdoor_BRICKSTORM_3",
            "yara_rule_author": "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)",
            "yara_rule_reference": "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign",
            "yara_rule_description": "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)",
            "last_hit_utc": "2026-01-29 17:40:32"
        }
    ],
    "8137": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_G_Dropper_BRICKSTEAL_1",
            "yara_rule_author": "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)",
            "yara_rule_reference": "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign",
            "yara_rule_description": "Detects backdoor BRICKSTEAL dropper used by APT group UNC5221 (China Nexus)",
            "last_hit_utc": "2025-10-28 13:44:44"
        }
    ],
    "8138": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_HeaderTip_Mar_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://cert.gov.ua/article/38097",
            "yara_rule_description": "Detects HeaderTip used by the uac0026 group (also detects the installers)",
            "last_hit_utc": "2024-03-01 15:52:02"
        }
    ],
    "8139": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Mal_http_EXE",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/13Wgy1",
            "yara_rule_description": "Detects trojan from APT report named http.exe",
            "last_hit_utc": "2025-10-28 13:44:44"
        }
    ],
    "8140": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_IcedId_Core_LDR_202104",
            "yara_rule_author": "Thomas Barabosch, Telekom Security",
            "yara_rule_reference": "https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240",
            "yara_rule_description": "2021 loader for Bokbot / Icedid core (license.dat)",
            "last_hit_utc": "2025-10-28 13:44:44"
        }
    ],
    "8141": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_IceXLoader_Jun_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim",
            "yara_rule_description": "Detect IceXLoader loader (nim version)",
            "last_hit_utc": "2022-11-10 01:07:04"
        }
    ],
    "8142": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Mal_Infostealer_Win32_Jupyter_InfoStealer_Module",
            "yara_rule_author": "BlackBerry Threat Research Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Jupyter infostealer module",
            "last_hit_utc": "2023-06-20 13:43:02"
        }
    ],
    "8143": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_JAVA_Loader_Final_Jar_Aug25",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.malwation.com/blog/technical-analysis-of-a-stealth-java-loader-used-in-phishing-campaigns-targeting-turkiye",
            "yara_rule_description": "Detects a final Java loader JAR file used in phishing campaigns",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "8144": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_JS_NPM_SupplyChain_Attack_Nov25",
            "yara_rule_author": "Marius Benthin",
            "yara_rule_reference": "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains",
            "yara_rule_description": "Detects malicious JavaScript worm bun_environment.js",
            "last_hit_utc": "2026-03-31 14:13:09"
        }
    ],
    "8145": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_JS_NPM_SupplyChain_Compromise_Sep25",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages",
            "yara_rule_description": "Detects a supply chain compromise in NPM packages (TinyColor, CrowdStrike etc.)",
            "last_hit_utc": "2026-03-31 14:13:09"
        }
    ],
    "8146": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_JS_SocGholish_Mar21_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": null,
            "yara_rule_description": "Triggers on SocGholish JS files",
            "last_hit_utc": "2021-04-06 16:07:10"
        }
    ],
    "8147": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Katz_Stealer_May25",
            "yara_rule_author": "MalGamy (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Katz stealer",
            "last_hit_utc": "2025-08-06 11:22:37"
        }
    ],
    "8148": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_KPot_Oct_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect KPot stealer (new variant October 2020)",
            "last_hit_utc": "2021-07-23 16:20:28"
        }
    ],
    "8149": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Kwampirs_Apr18",
            "yara_rule_author": "Symantec",
            "yara_rule_reference": "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
            "yara_rule_description": "Kwampirs dropper and main payload components",
            "last_hit_utc": "2022-10-17 09:03:03"
        }
    ],
    "8150": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_LNX_CamaroDragon_HorseShell_Oct23",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/",
            "yara_rule_description": "Detects CamaroDragon's HorseShell implant for routers",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "8151": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_LNX_CamaroDragon_Sheel_Oct23",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/",
            "yara_rule_description": "Detects CamaroDragon's tool named sheel",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "8152": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "mal_metasploit_shellcode_windows_meterpreter_reverse_http_x64",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/",
            "yara_rule_description": "Detects Metasploit import-hashes from the windows/x64/meterpreter/reverse_http payload",
            "last_hit_utc": "2025-01-07 13:13:02"
        }
    ],
    "8153": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_ME_RawDisk_Agent_Jan20_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Saudi National Cybersecurity Authority - Destructive Attack DUSTMAN",
            "yara_rule_description": "Detects suspicious malware using ElRawDisk",
            "last_hit_utc": "2025-01-03 19:34:02"
        }
    ],
    "8154": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_ME_RawDisk_Agent_Jan20_1_RID30A8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Saudi National Cybersecurity Authority - Destructive Attack DUSTMAN",
            "yara_rule_description": "Detects suspicious malware using ElRawDisk",
            "last_hit_utc": "2025-01-03 19:34:02"
        }
    ],
    "8155": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_ME_RawDisk_Agent_Jan20_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/jfslowik/status/1212501454549741568?s=09",
            "yara_rule_description": "Detects suspicious malware using ElRawDisk",
            "last_hit_utc": "2021-10-12 07:09:05"
        }
    ],
    "8156": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_ME_RawDisk_Agent_Jan20_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/jfslowik/status/1212501454549741568?s=09",
            "yara_rule_description": "Detects suspicious malware using ElRawDisk",
            "last_hit_utc": "2025-01-03 19:34:55"
        }
    ],
    "8157": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Neshta_Feb20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Neshta malware",
            "last_hit_utc": "2021-05-14 07:48:23"
        }
    ],
    "8158": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Nighthawk_Nov_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice",
            "yara_rule_description": "Detect the Nighthawk dropped beacon",
            "last_hit_utc": "2025-01-05 15:27:03"
        }
    ],
    "8159": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_NW0rm",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect the final RAT dropped by N-W0rm",
            "last_hit_utc": "2025-06-22 22:07:31"
        }
    ],
    "8160": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Phoenix_Stealer_Jun_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/3xp0rtblog/status/1455111070566207493/",
            "yara_rule_description": "Detect the Phoenix Stealer",
            "last_hit_utc": "2021-11-10 17:34:19"
        }
    ],
    "8161": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Polazert_Apr_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/JAMESWT_MHT/status/1380773157615902720",
            "yara_rule_description": "Detect Polazert stealer",
            "last_hit_utc": "2021-09-17 07:20:40"
        }
    ],
    "8162": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Mal_PotPlayer_DLL",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/13Wgy1",
            "yara_rule_description": "Detects a malicious PotPlayer.dll",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "8163": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Prolock_Malware",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Prolock.Malware.yar",
            "yara_rule_description": "Detects Prolock malware in encrypted and decrypted mode",
            "last_hit_utc": "2025-10-19 09:23:31"
        }
    ],
    "8164": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_PY_Dimorf",
            "yara_rule_author": "Silas Cutler",
            "yara_rule_reference": "https://github.com/Ort0x36/Dimorf",
            "yara_rule_description": "Detection for Dimorf ransomware",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "8165": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_RANSOM_Crime_DearCry_Mar2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": "https://twitter.com/phillip_misner/status/1370197696280027136",
            "yara_rule_description": "Triggers on strings of known DearCry samples",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "8166": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_RANSOM_DarkBit_Feb23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/idonaor1/status/1624703255770005506?s=12&t=mxHaauzwR6YOj5Px8cIeIw",
            "yara_rule_description": "Detects indicators found in DarkBit ransomware",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "8167": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_RANSOM_ELF_ESXi_Attacks_Feb23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14",
            "yara_rule_description": "Detects ransomware exploiting and encrypting ESXi servers",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "8168": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_RANSOM_LNX_macOS_LockBit_Apr23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1647384505550876675?s=20",
            "yara_rule_description": "Detects LockBit ransomware samples for Linux and macOS",
            "last_hit_utc": "2025-10-28 13:44:45"
        }
    ],
    "8169": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_RANSOM_LockBit_Locker_LOG_Apr23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://objective-see.org/blog/blog_0x75.html",
            "yara_rule_description": "Detects indicators found in LockBit ransomware log files",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "8170": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_RANSOM_Lorenz_May21_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - DACH TE",
            "yara_rule_description": "Detects Lorenz Ransomware samples",
            "last_hit_utc": "2021-12-24 19:28:05"
        }
    ],
    "8171": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_RANSOM_Lorenz_May21_1_RID2F6C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research - DACH TE",
            "yara_rule_description": "Detects Lorenz Ransomware samples",
            "last_hit_utc": "2021-12-24 19:28:05"
        }
    ],
    "8172": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_RANSOM_SH_ESXi_Attacks_Feb23_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-14",
            "yara_rule_description": "Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "8173": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Rombertik_CarbonGrabber_RID3162",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blogs.cisco.com/security/talos/rombertik",
            "yara_rule_description": "Detects CarbonGrabber alias Rombertik - file Copy#064046.scr",
            "last_hit_utc": "2022-01-29 10:08:19"
        }
    ],
    "8174": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Shellcode_Loader_Apr23",
            "yara_rule_author": "X__Junior (Nextron Systems)",
            "yara_rule_reference": "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/",
            "yara_rule_description": "Detects Shellcode loader as seen being used by Gopuram backdoor",
            "last_hit_utc": "2025-03-23 20:42:53"
        }
    ],
    "8175": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Snake_Stealer",
            "yara_rule_author": "cauliflowerdoughnuts",
            "yara_rule_reference": null,
            "yara_rule_description": "Snake stealer",
            "last_hit_utc": "2025-06-06 13:28:06"
        }
    ],
    "8176": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_SUSP_Gamaredon_GetImportByHash",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": "https://twitter.com/r3c0nst/status/1392405576131436546?s=20",
            "yara_rule_description": "Detects Gamaredon APIHashing",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "8177": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "mal_syscall_hellshall",
            "yara_rule_author": "Maxime THIEBAUT (@0xThiebaut)",
            "yara_rule_reference": "https://github.com/Maldev-Academy/HellHall",
            "yara_rule_description": "Detects suspicious syscall extraction and indirect syscall used in HellsHall",
            "last_hit_utc": "2025-04-11 08:19:21"
        }
    ],
    "8178": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Visel_Sample_May18_1_RID2F8D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://401trg.pw/burning-umbrella/",
            "yara_rule_description": "Detects Visel malware sample from Burning Umbrella report",
            "last_hit_utc": "2022-03-10 04:48:07"
        }
    ],
    "8179": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_WAR_Ivanti_EPMM_MobileIron_LogClear_JAVA_Aug23",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a",
            "yara_rule_description": "Detects LogClear.class found in the Ivanti EPMM / MobileIron Core compromises exploiting CVE-2023-35078",
            "last_hit_utc": "2025-10-28 13:44:46"
        }
    ],
    "8180": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_Winnti_BR_Report_TwinPeaks",
            "yara_rule_author": "@br_data repo",
            "yara_rule_reference": "https://github.com/br-data/2019-winnti-analyse",
            "yara_rule_description": "Detects Winnti samples",
            "last_hit_utc": "2025-11-05 08:22:40"
        }
    ],
    "8181": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_WIN_Megazord_Apr25",
            "yara_rule_author": "0x0d4y-Icaro Cesar",
            "yara_rule_reference": "https://ish.com.br/wp-content/uploads/2025/04/A-Anatomia-do-Ransomware-Akira-e-sua-expansao-multiplataforma.pdf",
            "yara_rule_description": "This Yara rule from ISH Tecnologia's Heimdall Security Research Team detects the main components of the Megazord Ransomware",
            "last_hit_utc": "2025-06-11 08:29:48"
        }
    ],
    "8182": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_WIN_Ralordv1_Apr25",
            "yara_rule_author": "0x0d4y-Icaro Cesar",
            "yara_rule_reference": "https://ish.com.br/wp-content/uploads/2025/04/RALord-Novo-grupo-de-Ransomware-as-a-Service-1.pdf",
            "yara_rule_description": "This ISH Tecnologia Yara rule detects the main components of the first version of RALord Ransomware",
            "last_hit_utc": "2025-07-30 09:47:26"
        }
    ],
    "8183": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MAL_WIPER_BiBi_Oct23",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://x.com/ESETresearch/status/1719437301900595444?s=20",
            "yara_rule_description": "Detects BiBi wiper samples for Windows and Linux",
            "last_hit_utc": "2024-02-23 08:45:03"
        }
    ],
    "8184": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Matanbuchus_MSI_2",
            "yara_rule_author": "Andre Gironda",
            "yara_rule_reference": "",
            "yara_rule_description": "Matanbuchus MSI contains CAB with DLL via Zip via HTML Smuggling via Zip as malspam attachment / TA570 who normally delivers Qakbot",
            "last_hit_utc": "2022-06-17 07:21:02"
        }
    ],
    "8185": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Maze",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Maze ransomware in memory or unpacked.",
            "last_hit_utc": "2021-09-07 06:10:16"
        }
    ],
    "8186": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Medusa",
            "yara_rule_author": "Alberto Segura",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Medusa android malware",
            "last_hit_utc": "2025-01-03 20:22:03"
        }
    ],
    "8187": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "meduza",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked meduza malware samples.",
            "last_hit_utc": "2025-08-06 06:28:50"
        }
    ],
    "8188": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "megacortex_av_bat",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-22 04:40:31"
        }
    ],
    "8189": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "merlin_agent_01",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-15 15:56:03"
        }
    ],
    "8190": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Methodology_OLE_CHARENCODING_2",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "Looking for suspicious char encoding",
            "last_hit_utc": "2021-05-26 13:03:38"
        }
    ],
    "8191": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Microcin_Sample_5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf",
            "yara_rule_description": "Malware sample mentioned in Microcin technical report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "8192": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Microcin_Sample_5_RID2D9A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf",
            "yara_rule_description": "Malware sample mentioned in Microcin technical report by Kaspersky",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "8193": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "mimikatzWrapper",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "8194": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Mimikatz_Logfile",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a log file generated by malicious hack tool mimikatz",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "8195": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Mimikatz_Logfile_RID2D78",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects a log file generated by malicious hack tool mimikatz",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "8196": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "mimipenguin_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/huntergregal/mimipenguin",
            "yara_rule_description": "Detects Mimipenguin hack tool",
            "last_hit_utc": "2022-01-17 13:04:06"
        }
    ],
    "8197": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "mimipenguin_2_RID2C44",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/huntergregal/mimipenguin",
            "yara_rule_description": "Detects Mimipenguin hack tool",
            "last_hit_utc": "2022-01-17 13:04:05"
        }
    ],
    "8198": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Mimipenguin_SH",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/huntergregal/mimipenguin",
            "yara_rule_description": "Detects Mimipenguin Password Extractor - Linux",
            "last_hit_utc": "2022-01-17 13:04:06"
        }
    ],
    "8199": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Mimipenguin_SH",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/huntergregal/mimipenguin",
            "yara_rule_description": "Detects Mimipenguin Password Extractor - Linux",
            "last_hit_utc": "2025-10-28 13:44:49"
        }
    ],
    "8200": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MiniRAT_Gen_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news",
            "yara_rule_description": "Detects Mini RAT malware",
            "last_hit_utc": "2023-03-10 18:30:05"
        }
    ],
    "8201": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Mirage",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Mirage",
            "last_hit_utc": "2025-01-03 20:34:49"
        }
    ],
    "8202": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MirageStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Mirage Identifying Strings",
            "last_hit_utc": "2025-01-03 20:34:49"
        }
    ],
    "8203": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "monitor_tool_pos",
            "yara_rule_author": "@patrickrolsen",
            "yara_rule_reference": "POS malware - Monitoring Tool??",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:28:03"
        }
    ],
    "8204": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Monsoon_APT_Malware_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2",
            "yara_rule_description": "Detects malware from Monsoon APT",
            "last_hit_utc": "2020-07-08 10:59:57"
        }
    ],
    "8205": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MossadProxy_APK",
            "yara_rule_author": "Nokia Deepfield ERT",
            "yara_rule_reference": "https://github.com/deepfield/public-research/tree/main/mossadproxy",
            "yara_rule_description": "MossadProxy APK wrapper (com.android.door or com.android.shop)",
            "last_hit_utc": "2026-03-26 19:58:15"
        }
    ],
    "8206": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MS08_067_Exploit_Hacktools_CN",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file cs.exe",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "8207": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MS08_067_Exploit_Hacktools_CN",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set - file cs.exe",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "8208": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MSBuild_Mimikatz_Execution_via_XML",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml",
            "yara_rule_description": "Detects an XML that executes Mimikatz on an endpoint via MSBuild",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "8209": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MSBuild_Mimikatz_Execution_via_XML_RID3448",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml",
            "yara_rule_description": "Detects an XML that executes Mimikatz on an endpoint via MSBuild",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "8210": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Msfpayloads_msf_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.psh",
            "last_hit_utc": "2022-02-15 05:07:04"
        }
    ],
    "8211": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Msfpayloads_msf_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.aspx",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "8212": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Msfpayloads_msf_4_RID2DCC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf.aspx",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "8213": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Msfpayloads_msf_exe",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf-exe.vba",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "8214": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Msfpayloads_msf_exe_RID2EDA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Metasploit Payloads - file msf-exe.vba",
            "last_hit_utc": "2025-10-28 13:44:50"
        }
    ],
    "8215": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MSIExec_Pivot",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:08:57"
        }
    ],
    "8216": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MSIL_Launcher_DUEDLLIGENCE_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'DUEDLLIGENCE' project.",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "8217": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "MSVisualCv8DLLhsmallsig2",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 15:32:53"
        }
    ],
    "8218": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "multiple_php_webshells",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": "",
            "yara_rule_description": "Semi-Auto-generated  - from files multiple_php_webshells",
            "last_hit_utc": "2021-08-20 23:47:04"
        }
    ],
    "8219": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "multiple_php_webshells_2",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:32"
        }
    ],
    "8220": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Multi_EICAR_ac8f42d6",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-06 06:25:03"
        }
    ],
    "8221": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Multi_Hacktool_Nps_f76f257d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-29 09:53:13"
        }
    ],
    "8222": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Multi_Hacktool_Rakshasa_d5d3ef21",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:24:11"
        }
    ],
    "8223": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Multi_Trojan_Gosar_31dba745",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-13 10:32:19"
        }
    ],
    "8224": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Multi_WD_Strings_FullList_JS_stylesheet",
            "yara_rule_author": "David Ledbetter @Ledtech3",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects multiple use of wd properties like the strings; it also detects the embedded stylesheet with the URLs",
            "last_hit_utc": "2025-01-03 20:34:50"
        }
    ],
    "8225": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "M_Hunting_Backdoor_ZIPLINE_1",
            "yara_rule_author": "Mandiant",
            "yara_rule_reference": "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
            "yara_rule_description": "This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor.",
            "last_hit_utc": "2024-02-15 15:03:03"
        }
    ],
    "8226": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NakedPacker10byBigBoote",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-09 17:40:15"
        }
    ],
    "8227": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Nanocore_RAT_Gen_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
            "yara_rule_description": "Detects the Nanocore RAT and similar malware",
            "last_hit_utc": "2025-10-28 13:44:51"
        }
    ],
    "8228": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Nanocore_RAT_Gen_1_RID2D95",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
            "yara_rule_description": "Detects the Nanocore RAT and similar malware",
            "last_hit_utc": "2025-10-28 13:44:51"
        }
    ],
    "8229": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Nautilus_common_strings",
            "yara_rule_author": "NCSC UK",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/turla-group-malware",
            "yara_rule_description": "Rule for detection of Nautilus based on common plaintext strings",
            "last_hit_utc": "2023-04-22 07:17:06"
        }
    ],
    "8230": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Nautilus_rc4_key",
            "yara_rule_author": "NCSC UK",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/turla-group-malware",
            "yara_rule_description": "Rule for detection of Nautilus based on a hardcoded RC4 key",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "8231": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "nbtscan_utility_softcell",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
            "yara_rule_description": "Rule to detect nbtscan utility used in the SoftCell operation",
            "last_hit_utc": "2021-04-28 22:56:40"
        }
    ],
    "8232": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ncrack",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "This signature detects the Ncrack brute force tool",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8233": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ncrack",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "This signature detects the Ncrack brute force tool",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8234": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "nefilim",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-05 13:41:05"
        }
    ],
    "8235": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "nefilim_ransomware",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/",
            "yara_rule_description": "Rule to detect Nefilim ransomware",
            "last_hit_utc": "2023-03-05 13:41:05"
        }
    ],
    "8236": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Nemty",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Nemty Ransomware Payload",
            "last_hit_utc": "2023-04-23 06:01:38"
        }
    ],
    "8237": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "nemty_ransomware_2_6",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/",
            "yara_rule_description": "Rule to detect Nemty Ransomware version 2.6",
            "last_hit_utc": "2020-04-25 10:57:13"
        }
    ],
    "8238": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NetBIOS_Name_Scanner",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file NetBIOS Name Scanner.exe",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8239": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Netview_Hacktool_Output",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/mubix/netview",
            "yara_rule_description": "Network domain enumeration tool output - often used by attackers - file filename.txt",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8240": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Netwalker",
            "yara_rule_author": "McAfee ATR team",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule based on code overlap in RagnarLocker ransomware",
            "last_hit_utc": "2022-10-12 09:58:04"
        }
    ],
    "8241": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "netwalker_ransomware",
            "yara_rule_author": "McAfee ATR Team",
            "yara_rule_reference": "https://www.ccn-cert.cni.es/comunicacion-eventos/comunicados-ccn-cert/9802-publicado-un-informe-de-codigo-danino-sobre-netwalker.html",
            "yara_rule_description": "Rule to detect Netwalker ransomware",
            "last_hit_utc": "2022-10-12 09:58:04"
        }
    ],
    "8242": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Neuron_common_strings",
            "yara_rule_author": "NCSC UK",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/turla-group-malware",
            "yara_rule_description": "Rule for detection of Neuron based on commonly used strings",
            "last_hit_utc": "2023-04-22 07:17:06"
        }
    ],
    "8243": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Neuron_standalone_signature",
            "yara_rule_author": "NCSC UK",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/turla-group-malware",
            "yara_rule_description": "Rule for detection of Neuron based on a standalone signature from .NET metadata",
            "last_hit_utc": "2023-04-22 07:17:06"
        }
    ],
    "8244": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Nexe",
            "yara_rule_author": "nwunderly",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-02-11 02:24:05"
        }
    ],
    "8245": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NikiCert",
            "yara_rule_author": "@bartblaze, @nsquar3",
            "yara_rule_reference": "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/",
            "yara_rule_description": "Identifies Nexaweb digital certificate used in (likely) Kimsuky campaign.",
            "last_hit_utc": "2025-09-05 06:39:28"
        }
    ],
    "8246": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NionSpy",
            "yara_rule_author": null,
            "yara_rule_reference": "https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector",
            "yara_rule_description": "Triggers on old and new variants of W32/NionSpy file infector",
            "last_hit_utc": "2023-07-13 19:41:05"
        }
    ],
    "8247": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NLBrute",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies NLBrute, an RDP brute-forcing tool.",
            "last_hit_utc": "2025-01-05 15:13:10"
        }
    ],
    "8248": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Noderat",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html",
            "yara_rule_description": "detect Noderat in memory",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8249": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "nSpackV23LiuXingPing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-04 10:24:44"
        }
    ],
    "8250": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NTKrnlPackerAshkbizDanehkar",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-25 03:13:03"
        }
    ],
    "8251": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NTkrnlSecureSuite01015NTkrnlSoftware",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-25 03:13:03"
        }
    ],
    "8252": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NTkrnlSecureSuiteNTkrnlteam",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-25 03:13:03"
        }
    ],
    "8253": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NTLM_Dump_Output",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "NTLM Hash Dump output file - John/LC format",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8254": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NullsoftInstallSystemv198",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:04:35"
        }
    ],
    "8255": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NullsoftInstallSystemv20b2v20b3",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-14 14:33:02"
        }
    ],
    "8256": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "NullsoftPiMPInstallSystemv1x",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:04:35"
        }
    ],
    "8257": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Office_as_MHTML",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/",
            "yara_rule_description": "Detects a Microsoft Office document saved as an MHTML file (false positives are possible but rare; many matches on CVE-2012-0158)",
            "last_hit_utc": "2021-11-03 11:53:03"
        }
    ],
    "8258": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Office_as_MHTML",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/",
            "yara_rule_description": "Detects a Microsoft Office document saved as an MHTML file (false positives are possible but rare; many matches on CVE-2012-0158)",
            "last_hit_utc": "2023-09-05 08:00:02"
        }
    ],
    "8259": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OfflRouter",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.csirt.gov.sk/wp-content/uploads/2021/08/analysis_offlrouter.pdf",
            "yara_rule_description": "Identifies OfflRouter, malware which spreads to Office documents and removable drives.",
            "last_hit_utc": "2024-05-28 18:01:03"
        }
    ],
    "8260": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OilRig_Malware_Campaign_Gen1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/QMRZ8K",
            "yara_rule_description": "Detects malware from OilRig Campaign",
            "last_hit_utc": "2025-01-05 17:13:48"
        }
    ],
    "8261": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OilRig_Malware_Campaign_Gen1_RID31A8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/QMRZ8K",
            "yara_rule_description": "Detects Oilrig malware samples",
            "last_hit_utc": "2025-01-05 17:13:48"
        }
    ],
    "8262": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OilRig_Malware_Campaign_Gen2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/QMRZ8K",
            "yara_rule_description": "Detects Oilrig malware samples",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8263": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OilRig_Malware_Campaign_Gen2_RID31A9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/QMRZ8K",
            "yara_rule_description": "Detects Oilrig malware samples",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8264": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OilRig_Malware_Campaign_Mal1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/QMRZ8K",
            "yara_rule_description": "Detects malware from OilRig Campaign",
            "last_hit_utc": "2025-01-05 17:13:48"
        }
    ],
    "8265": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OilRig_Malware_Campaign_Mal1_RID31A8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/QMRZ8K",
            "yara_rule_description": "Detects Oilrig malware samples",
            "last_hit_utc": "2025-01-05 17:13:48"
        }
    ],
    "8266": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ONHAT_Proxy_Hacktool",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/p32Ozf",
            "yara_rule_description": "Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8267": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ONHAT_Proxy_Hacktool_RID2EA0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/p32Ozf",
            "yara_rule_description": "Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups",
            "last_hit_utc": "2025-10-28 13:44:52"
        }
    ],
    "8268": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_antivirusdetector",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Hack tool used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8269": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_BackDoorLogger",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Keylogger used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8270": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_CCProxy_Config",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "CCProxy config known from Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8271": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_CCProxy_Config",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "CCProxy config known from Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8272": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_CCProxy_Config_RID2F6E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "CCProxy config known from Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8273": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_csext",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Backdoor used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8274": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_Jasus",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "ARP cache poisoner used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8275": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_kagent",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Backdoor used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8276": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_mimikatzWrapper",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Mimikatz Wrapper used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8277": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_pvz_in",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Parviz tool used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8278": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_ShellCreator2",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8279": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_SmartCopy2",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Malware or hack tool used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8280": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_SynFlooder",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Malware or hack tool used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:53"
        }
    ],
    "8281": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_TinyZBot",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Tiny Bot used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8282": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_zhLookUp",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Hack tool used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8283": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_zhmimikatz",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Mimikatz wrapper used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8284": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OPCLEAVER_ZhoupinExploitCrew",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Keywords used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8285": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OpCloudHopper_Malware_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects malware from Operation Cloud Hopper",
            "last_hit_utc": "2020-11-07 23:21:01"
        }
    ],
    "8286": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OpCloudHopper_Malware_4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects malware from Operation Cloud Hopper",
            "last_hit_utc": "2022-05-26 07:43:02"
        }
    ],
    "8287": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OpCloudHopper_Malware_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html",
            "yara_rule_description": "Detects malware from Operation Cloud Hopper",
            "last_hit_utc": "2025-01-03 20:07:00"
        }
    ],
    "8288": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OpCloudHopper_WmiDLL_inMemory",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
            "yara_rule_description": "Malware related to Operation Cloud Hopper - Page 25",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8289": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OpCloudHopper_WmiDLL_inMemory_RID324C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
            "yara_rule_description": "Malware related to Operation Cloud Hopper - Page 25",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8290": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ORiENV1XV2XFisunAV",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-06-20 09:17:02"
        }
    ],
    "8291": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "osx_3cx_backdoor_w0",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/",
            "yara_rule_description": "Detects the MACOS version of the ICONIC loader.",
            "last_hit_utc": "2023-07-26 18:01:02"
        }
    ],
    "8292": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OSX_backdoor_EvilOSX",
            "yara_rule_author": "John Lambert @JohnLaTwC",
            "yara_rule_reference": "https://github.com/Marten4n6/EvilOSX, https://twitter.com/JohnLaTwC/status/966139336436498432",
            "yara_rule_description": "EvilOSX MacOS/OSX backdoor",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8293": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OtherTools_xiaoa",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file xiaoa.exe",
            "last_hit_utc": "2025-01-05 15:05:51"
        }
    ],
    "8294": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "OtherTools_xiaoa_RID2D95",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file xiaoa.exe",
            "last_hit_utc": "2025-01-05 15:05:51"
        }
    ],
    "8295": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Oyster",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick",
            "yara_rule_description": "Identifies Oyster aka Broomstick aka CleanUp backdoor.",
            "last_hit_utc": "2025-11-26 15:38:15"
        }
    ],
    "8296": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedAmsiBypass",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8297": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedAmsiBypass_RID2D5B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass_RID2D5B.cs",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8298": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedBinaries",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8299": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedBinaries_RID2C8C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries_RID2C8C.cs",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8300": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedExploits",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8301": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedExploits_RID2CB7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits_RID2CB7.cs",
            "last_hit_utc": "2025-10-28 13:44:54"
        }
    ],
    "8302": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedPotato",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs",
            "last_hit_utc": "2022-04-29 21:41:03"
        }
    ],
    "8303": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedPowerCat",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8304": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedPowerCat_RID2C84",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat_RID2C84.cs",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8305": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedShell_outputs",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8306": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "p0wnedShell_outputs_RID2EDA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/Cn33liz/p0wnedShell",
            "yara_rule_description": "p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8307": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "packer_win_spoonvm",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects SpoonVM",
            "last_hit_utc": "2026-04-14 07:49:41"
        }
    ],
    "8308": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "packer_win_tiggre",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Tiggre packer",
            "last_hit_utc": "2025-10-04 10:53:01"
        }
    ],
    "8309": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PacketSDK_Proxy_Tunnel_Malware",
            "yara_rule_author": "Valton Tahiri (cybee.ai)",
            "yara_rule_reference": "https://www.linkedin.com/in/valton-tahiri/",
            "yara_rule_description": "Detects PacketSDK-based proxy/tunnel component used in sysvideo/onedrivesync case",
            "last_hit_utc": "2025-12-18 15:59:15"
        }
    ],
    "8310": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PAExec",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/",
            "yara_rule_description": "Detects remote access tool PAEXec (like PsExec) - file PAExec.exe",
            "last_hit_utc": "2025-05-29 09:37:05"
        }
    ],
    "8311": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PassCV_Sabre_Malware_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies",
            "yara_rule_description": "PassCV Malware mentioned in Cylance Report",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8312": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PassCV_Sabre_Malware_2_RID2F46",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies",
            "yara_rule_description": "PassCV Malware mentioned in Cylance Report",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8313": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PassCV_Sabre_Malware_5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies",
            "yara_rule_description": "PassCV Malware mentioned in Cylance Report",
            "last_hit_utc": "2025-11-05 08:22:41"
        }
    ],
    "8314": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PassCV_Sabre_Malware_5_RID2F49",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies",
            "yara_rule_description": "PassCV Malware mentioned in Cylance Report",
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "8315": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PassSniffer",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file PassSniffer.exe",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8316": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PassSniffer",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file PassSniffer.exe",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8317": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PassSniffer_zip_Folder_readme",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file readme.txt",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8318": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PassSniffer_zip_Folder_readme",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file readme.txt",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8319": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PassSniffer_zip_Folder_readme_RID32AF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file readme.txt",
            "last_hit_utc": "2025-10-28 13:44:55"
        }
    ],
    "8320": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Payload_Exe2Hex",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/g0tmi1k/exe2hex",
            "yara_rule_description": "Detects payload generated by exe2hex",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "8321": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Payload_Exe2Hex_RID2CB3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/g0tmi1k/exe2hex",
            "yara_rule_description": "Detects payload generated by exe2hex",
            "last_hit_utc": "2025-10-28 13:44:56"
        }
    ],
    "8322": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PEArmor04600759hying",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-04 10:44:42"
        }
    ],
    "8323": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PEBundlev310",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-04 13:35:04"
        }
    ],
    "8324": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PEDiminisherV01Teraphy",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:57:55"
        }
    ],
    "8325": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PellesC280290EXEX86CRTLIB",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-21 18:25:03"
        }
    ],
    "8326": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PENinja",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-21 22:30:13"
        }
    ],
    "8327": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PenquinTurla",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-28 13:33:22"
        }
    ],
    "8328": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PenquinTurla",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-01-13 16:34:42"
        }
    ],
    "8329": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "pentagon",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked pentagon malware samples.",
            "last_hit_utc": "2025-07-29 06:52:37"
        }
    ],
    "8330": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PEPaCKv10CCopyright1998byANAKiN",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-07 20:29:03"
        }
    ],
    "8331": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PerlApp602ActiveState",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-20 12:22:03"
        }
    ],
    "8332": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Petite14",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-23 04:56:10"
        }
    ],
    "8333": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PEzor_x64_Release",
            "yara_rule_author": "Still",
            "yara_rule_reference": "",
            "yara_rule_description": "attempts to match the PEzor packer (release; x64)",
            "last_hit_utc": "2021-11-11 16:56:04"
        }
    ],
    "8334": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "phemedrone",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked phemedrone malware samples.",
            "last_hit_utc": "2025-08-14 13:14:35"
        }
    ],
    "8335": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "phorp_New_2021_B",
            "yara_rule_author": "@is_henderson",
            "yara_rule_reference": "",
            "yara_rule_description": "Detecting recent phorpiex variant",
            "last_hit_utc": "2021-10-31 00:03:03"
        }
    ],
    "8336": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PHP_Obfuscator",
            "yara_rule_author": "@Pro_Integritate",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Obfuscator, used sometimes by PHP webshells",
            "last_hit_utc": "2025-01-05 14:58:16"
        }
    ],
    "8337": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PHP_Webshell_1_Feb17",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127",
            "yara_rule_description": "Detects a simple cloaked PHP web shell",
            "last_hit_utc": "2022-02-22 03:37:04"
        }
    ],
    "8338": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PHP_Webshell_1_Feb17",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127",
            "yara_rule_description": "Detects a simple cloaked PHP web shell",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "8339": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PikaBot",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "PikaBot Loader",
            "last_hit_utc": "2023-07-26 22:15:04"
        }
    ],
    "8340": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PikaBot",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Pikabot Payload",
            "last_hit_utc": "2025-01-03 23:02:33"
        }
    ],
    "8341": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PikaBotLoader",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Pikabot Loader",
            "last_hit_utc": "2024-03-26 19:58:43"
        }
    ],
    "8342": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Pirpi_1609_B",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects Pirpi Backdoor",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "8343": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Pirpi_1609_B_RID2AE5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects Pirpi Backdoor",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "8344": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PlugX_J16_Gen2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "VT Research",
            "yara_rule_description": "Detects PlugX Malware Samples from June 2016",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "8345": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PlugX_J16_Gen2_RID2BBC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "MISP 3954",
            "yara_rule_description": "Detects PlugX Malware Samples from June 2016",
            "last_hit_utc": "2025-10-28 13:44:57"
        }
    ],
    "8346": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PLUGX_RedLeaves",
            "yara_rule_author": "US-CERT Code Analysis Team",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-117A",
            "yara_rule_description": "Detects specific RedLeaves and PlugX binaries",
            "last_hit_utc": "2025-10-28 13:44:58"
        }
    ],
    "8347": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PNG_File_Malware_Abuse",
            "yara_rule_author": "d1v35h",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects malicious PNG files leveraging this technique",
            "last_hit_utc": "2025-01-16 16:55:03"
        }
    ],
    "8348": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PolyEnEV001LennartHedlund",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:34:15"
        }
    ],
    "8349": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "pool_mine_example",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "rig_win64 - file pool_mine_example.cmd",
            "last_hit_utc": "2022-03-18 07:24:06"
        }
    ],
    "8350": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PortScanner",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file PortScanner.exe",
            "last_hit_utc": "2025-10-28 13:44:58"
        }
    ],
    "8351": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "poshc2_apt_33_2019",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 15:09:31"
        }
    ],
    "8352": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "POSHSPY_Malware",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
            "yara_rule_description": "Detects",
            "last_hit_utc": "2025-10-28 13:44:58"
        }
    ],
    "8353": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "POSHSPY_Malware_RID2C6F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
            "yara_rule_description": "Detects",
            "last_hit_utc": "2025-10-28 13:44:58"
        }
    ],
    "8354": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "pos_malwre_dexter_stardust",
            "yara_rule_author": "@patrickrolsen",
            "yara_rule_reference": "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658",
            "yara_rule_description": "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf",
            "last_hit_utc": "2025-01-03 19:38:58"
        }
    ],
    "8355": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "potential_Stage1exe_DEV0586",
            "yara_rule_author": "CD_R0M_",
            "yara_rule_reference": "https://twitter.com/ffforward/status/1482697016987865096",
            "yara_rule_description": "Sample identified by @ffforward. Potentially related to the Stage1.exe binary referenced by Microsoft",
            "last_hit_utc": "2023-04-15 21:27:03"
        }
    ],
    "8356": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Powerpoint_Code_Execution",
            "yara_rule_author": "Ahmet Payaslioglu",
            "yara_rule_reference": "",
            "yara_rule_description": "New code execution technique using Powerpoint has been seen in the wild. The technique is triggered by using hyperlinks instead of Run Program/Macro. This new method has bypassed all the vendors for 220 days since 2022-02-02.",
            "last_hit_utc": "2022-09-26 22:04:05"
        }
    ],
    "8357": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PowerShell_Emp_Eval_Jul17_A1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "PowerShell Empire Eval",
            "yara_rule_description": "Detects suspicious sample with PowerShell content",
            "last_hit_utc": "2020-06-10 08:00:42"
        }
    ],
    "8358": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PowerShell_ISESteroids_Obfuscation",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/danielhbohannon/status/877953970437844993",
            "yara_rule_description": "Detects PowerShell ISESteroids obfuscation",
            "last_hit_utc": "2025-10-28 13:44:58"
        }
    ],
    "8359": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PowerShell_ISESteroids_Obfuscation_RID347F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/danielhbohannon/status/877953970437844993",
            "yara_rule_description": "Detects PowerShell ISESteroids obfuscation",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8360": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PowerShell_JAB_B64",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/ItsReallyNick/status/980915287922040832",
            "yara_rule_description": "Detects base64 encoded $ sign at the beginning of a string",
            "last_hit_utc": "2021-09-30 02:34:10"
        }
    ],
    "8361": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Powershell_Netcat",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Powershell version of the Netcat network hacking tool",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8362": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Powershell_Netcat",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a Powershell version of the Netcat network hacking tool",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8363": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Powershell_Netcat_RID2DF4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects a Powershell version of the Netcat network hacking tool",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8364": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PowerShell_XOR_Function_Specific",
            "yara_rule_author": "Gemini",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a specific PowerShell function that performs XOR encoding and decoding.",
            "last_hit_utc": "2026-03-13 18:43:15"
        }
    ],
    "8365": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Powerstager",
            "yara_rule_author": "Jeff White - jwhite@paloaltonetworks.com @noottrak",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/",
            "yara_rule_description": "Detects PowerStager Windows executable, both x86 and x64",
            "last_hit_utc": "2025-01-03 19:38:17"
        }
    ],
    "8366": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "power_pe_injection",
            "yara_rule_author": "Benjamin DELPY (gentilkiwi)",
            "yara_rule_reference": "",
            "yara_rule_description": "PowerShell with PE Reflective Injection",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "8367": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PP_CN_APT_ZeroT_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx",
            "yara_rule_description": "Detects malware from the Proofpoint CN APT ZeroT incident",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8368": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PP_CN_APT_ZeroT_3_RID2CCA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx",
            "yara_rule_description": "Detects malware from the Proofpoint CN APT ZeroT incident",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8369": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PP_CN_APT_ZeroT_5",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx",
            "yara_rule_description": "Detects malware from the Proofpoint CN APT ZeroT incident",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8370": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PP_CN_APT_ZeroT_5_RID2CCC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx",
            "yara_rule_description": "Detects malware from the Proofpoint CN APT ZeroT incident",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8371": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "privateloader",
            "yara_rule_author": "andre@tavares.re",
            "yara_rule_reference": null,
            "yara_rule_description": "PrivateLoader pay-per-install malware",
            "last_hit_utc": "2025-01-05 15:04:03"
        }
    ],
    "8372": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Prolock_Malware",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Prolock.Malware.yar",
            "yara_rule_description": "Detects Prolock malware in encrypted and decrypted mode",
            "last_hit_utc": "2025-10-19 09:23:32"
        }
    ],
    "8373": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PROMETHIUM_NEODYMIUM_Malware_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/8abDE6",
            "yara_rule_description": "Detects PROMETHIUM and NEODYMIUM malware",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8374": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PROMETHIUM_NEODYMIUM_Malware_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/8abDE6",
            "yara_rule_description": "Detects PROMETHIUM and NEODYMIUM malware",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8375": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ProPort_zip_Folder_ProPort",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file ProPort.exe",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8376": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Inveigh_BruteForce_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - from files Inveigh-BruteForce.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "8377": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Inveigh_BruteForce_2_RID3394",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - from files Inveigh-BruteForce.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "8378": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Inveigh_BruteForce_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - from files Inveigh-BruteForce.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "8379": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Inveigh_BruteForce_3_RID3395",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - from files Inveigh-BruteForce.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "8380": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Invoke_Mimikatz",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - file Invoke-Mimikatz.ps1",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "8381": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1",
            "last_hit_utc": "2022-04-20 12:05:03"
        }
    ],
    "8382": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Invoke_RelfectivePEInjection",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - file Invoke-RelfectivePEInjection.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "8383": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Invoke_RelfectivePEInjection_RID36F5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - file Invoke-RelfectivePEInjection.ps1",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "8384": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Persistence",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - file Persistence.ps1",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "8385": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Persistence_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - from files Persistence.ps1",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "8386": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Persistence_2_RID30FF",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - from files Persistence.ps1",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "8387": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_Persistence_RID306E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - file Persistence.ps1",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "8388": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_PowerUp",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Auto-generated rule - file PowerUp.ps1",
            "last_hit_utc": "2025-02-07 05:58:11"
        }
    ],
    "8389": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ps1_toolkit_PowerUp_RID2EBB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/vysec/ps1-toolkit",
            "yara_rule_description": "Semiautomatically generated YARA rule - file PowerUp.ps1",
            "last_hit_utc": "2025-02-07 05:58:11"
        }
    ],
    "8390": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PSAttack_EXE",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/gdssecurity/PSAttack/releases/",
            "yara_rule_description": "PSAttack - Powershell attack tool - file PSAttack.exe",
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "8391": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PSAttack_EXE_RID2B4D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/gdssecurity/PSAttack/releases/",
            "yara_rule_description": "PSAttack - Powershell attack tool - file PSAttack.exe",
            "last_hit_utc": "2025-11-05 08:22:42"
        }
    ],
    "8392": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PScan_Portscan_1",
            "yara_rule_author": "F. Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PScan - Port Scanner",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "8393": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PseudoSigner02FSG131Anorganix",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-13 01:26:29"
        }
    ],
    "8394": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "pstgdump",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - file pstgdump.exe",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "8395": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "pstgdump_RID2A85",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - file pstgdump_RID2A85.exe",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "8396": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PS_AMSI_Bypass",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1",
            "yara_rule_description": "Detects PowerShell AMSI Bypass",
            "last_hit_utc": "2025-10-28 13:44:59"
        }
    ],
    "8397": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PS_AMSI_Bypass_RID2C0E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1",
            "yara_rule_description": "Detects PowerShell AMSI Bypass",
            "last_hit_utc": "2025-10-28 13:45:00"
        }
    ],
    "8398": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PUA_VULN_Driver_Adlicesoftware_Truesight_Truesight_BFC2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - truesight.sys",
            "last_hit_utc": "2025-01-20 11:48:02"
        }
    ],
    "8399": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys",
            "last_hit_utc": "2025-07-09 07:54:19"
        }
    ],
    "8400": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys",
            "last_hit_utc": "2025-12-02 07:28:13"
        }
    ],
    "8401": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys",
            "last_hit_utc": "2025-07-08 13:45:36"
        }
    ],
    "8402": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/magicsword-io/LOLDrivers",
            "yara_rule_description": "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64",
            "last_hit_utc": "2025-01-03 21:53:06"
        }
    ],
    "8403": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "pvz_in",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "8404": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "PwDump",
            "yara_rule_author": "Marc Stroebel",
            "yara_rule_reference": null,
            "yara_rule_description": "PwDump 6 variant",
            "last_hit_utc": "2025-10-28 13:45:01"
        }
    ],
    "8405": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Python_Discord_Malware",
            "yara_rule_author": "@iam-py-test",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Python Discord malware similar to https://bazaar.abuse.ch/sample/08c447936983f4de8e7c03d9115968d4dea075bb68e1b770b5037678ef5c86aa/",
            "last_hit_utc": "2025-12-04 06:05:23"
        }
    ],
    "8406": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "QakBot4",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "QakBot v4 Payload",
            "last_hit_utc": "2024-04-18 08:37:02"
        }
    ],
    "8407": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "QakBot5",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "QakBot v5 Payload",
            "last_hit_utc": "2024-04-24 14:45:03"
        }
    ],
    "8408": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "qakbot_string_decrypt",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-11-28 09:24:57"
        }
    ],
    "8409": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "QQ_zip_Folder_QQ",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file QQ.exe",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "8410": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "QQ_zip_Folder_QQ",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file QQ.exe",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "8411": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "QuarianStrings",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Quarian Identifying Strings",
            "last_hit_utc": "2025-06-16 16:41:28"
        }
    ],
    "8412": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "r57shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file r57shell.php",
            "last_hit_utc": "2025-06-16 15:19:32"
        }
    ],
    "8413": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "r57shell",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file r57shell.php",
            "last_hit_utc": "2025-06-16 15:19:32"
        }
    ],
    "8414": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "r57shell_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file r57shell.php",
            "last_hit_utc": "2025-06-16 15:19:32"
        }
    ],
    "8415": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "r57shell_2",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file r57shell.php",
            "last_hit_utc": "2025-06-16 15:19:32"
        }
    ],
    "8416": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "r57shell_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file r57shell.php",
            "last_hit_utc": "2025-06-16 15:19:32"
        }
    ],
    "8417": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "r57shell_3",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file r57shell.php",
            "last_hit_utc": "2025-06-16 15:19:32"
        }
    ],
    "8418": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RaccoonV2",
            "yara_rule_author": "@_FirehaK <yara@firehak.com>",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.",
            "last_hit_utc": "2025-01-05 15:08:06"
        }
    ],
    "8419": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "raccoon_",
            "yara_rule_author": "Michelle Khalil",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule detects unpacked raccoon malware samples.",
            "last_hit_utc": "2025-06-27 05:51:29"
        }
    ],
    "8420": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Raccoon_Stealer_V2",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Raccoon Stealer",
            "last_hit_utc": "2022-08-09 07:28:05"
        }
    ],
    "8421": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RagnarLocker",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies RagnarLocker ransomware unpacked or in memory.",
            "last_hit_utc": "2020-08-28 05:13:09"
        }
    ],
    "8422": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ramnit",
            "yara_rule_author": "nazywam",
            "yara_rule_reference": "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
            "yara_rule_description": "detect Ramnit",
            "last_hit_utc": "2025-07-14 13:42:25"
        }
    ],
    "8423": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ransomware_DEVMAN_WindowsLocker",
            "yara_rule_author": "German Fernandez | CronUp - Cyber Threat Intelligence",
            "yara_rule_reference": "DEVMAN Ransomware en Sector Salud de Chile.",
            "yara_rule_description": "DEVMAN ransomware (Windows Locker)",
            "last_hit_utc": "2026-02-01 04:07:19"
        }
    ],
    "8424": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RANSOM_ESXiArgs_Ransomware_Bash_Feb23",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
            "yara_rule_description": "Detects the ESXiArgs Ransomware encryption bash script",
            "last_hit_utc": "2023-02-12 10:28:04"
        }
    ],
    "8425": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RANSOM_ESXiArgs_Ransomware_Python_Feb23",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
            "yara_rule_description": "Detects the ESXiArgs Ransomware encryption python script",
            "last_hit_utc": "2025-10-28 13:45:02"
        }
    ],
    "8426": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ransom_Maze",
            "yara_rule_author": "McAfee ATR",
            "yara_rule_reference": null,
            "yara_rule_description": "Detecting MAZE Ransomware",
            "last_hit_utc": "2025-04-20 02:18:06"
        }
    ],
    "8427": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ransom_mespinoza",
            "yara_rule_author": "Christiaan Beek @ McAfee ATR",
            "yara_rule_reference": "",
            "yara_rule_description": "rule to detect Mespinoza ransomware",
            "last_hit_utc": "2022-05-25 22:53:02"
        }
    ],
    "8428": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RANSOM_wastedlocker",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect unpacked samples of WastedLocker",
            "last_hit_utc": "2020-10-21 19:33:09"
        }
    ],
    "8429": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_Black_Basta_Apr_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/MarceloRivero/status/1519398885193654273",
            "yara_rule_description": "Detect black basta ransomware",
            "last_hit_utc": "2022-11-03 07:56:04"
        }
    ],
    "8430": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_BlueSky_Aug_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://unit42.paloaltonetworks.com/bluesky-ransomware/",
            "yara_rule_description": "Detect the BlueSky ransomware",
            "last_hit_utc": "2023-02-03 15:47:02"
        }
    ],
    "8431": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_Conti_Jan_2023_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect Windows x86 version of Conti ransomware",
            "last_hit_utc": "2023-03-07 05:07:03"
        }
    ],
    "8432": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_CryLock_Oct_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect CryLock ransomware V2.0.0",
            "last_hit_utc": "2021-07-17 13:34:41"
        }
    ],
    "8433": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ran_Egregor_Oct_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect Egregor / Maze ransomware by Maze blocks",
            "last_hit_utc": "2025-04-20 02:18:06"
        }
    ],
    "8434": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_ELF_ALPHV_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect the ELF version of ALPHV ransomware",
            "last_hit_utc": "2022-11-15 12:30:03"
        }
    ],
    "8435": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ran_ELF_EXX_Nov_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect EXX variant ELF ransomware",
            "last_hit_utc": "2021-12-24 11:34:10"
        }
    ],
    "8436": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_ELF_Hive_Dec_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/ESETresearch/status/1454100591261667329",
            "yara_rule_description": "Detect ELF version of Hive ransomware (x64 version)",
            "last_hit_utc": "2025-01-05 16:18:29"
        }
    ],
    "8437": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_ELF_REvil_Jun_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "",
            "yara_rule_description": "Detect the ELF version of REvil ransomware",
            "last_hit_utc": "2021-12-24 00:24:06"
        }
    ],
    "8438": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_ELF_Royal_Feb_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/BushidoToken/status/1621087221905514496",
            "yara_rule_description": "Detect ELF version of Royal ransomware",
            "last_hit_utc": "2023-05-03 22:11:03"
        }
    ],
    "8439": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_ESXI_Hive_Oct_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect Rust version of Hive v5.4 ransomware (x64 version) used against ESXI servers",
            "last_hit_utc": "2022-12-14 15:03:03"
        }
    ],
    "8440": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_Hive_Sept_2022_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/rivitna2/status/1570457232088637441",
            "yara_rule_description": "Detect Rust version of Hive v5.4 ransomware (x64 version)",
            "last_hit_utc": "2022-12-12 18:19:03"
        }
    ],
    "8441": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ran_Mem_RagnarLocker_Nov_2020_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect memory artefacts of the Ragnarlocker ransomware (Nov 2020)",
            "last_hit_utc": "2025-01-05 14:57:11"
        }
    ],
    "8442": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAN_Qilim_Nov_2023_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1725849024731771022",
            "yara_rule_description": "Detect both versions of Qilim ransomware (ELF+Win)",
            "last_hit_utc": "2025-10-16 16:22:32"
        }
    ],
    "8443": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ran_RanzyLocker_Hunting_Mar_2021_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detect RanzyLocker ransomware",
            "last_hit_utc": "2021-08-05 11:12:41"
        }
    ],
    "8444": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_Adzok",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Adzok",
            "yara_rule_description": "Detects Adzok RAT",
            "last_hit_utc": "2025-10-28 13:45:02"
        }
    ],
    "8445": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_Ap0calypse",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Ap0calypse",
            "yara_rule_description": "Detects Ap0calypse RAT",
            "last_hit_utc": "2025-10-28 13:45:02"
        }
    ],
    "8446": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_Arcom",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Arcom",
            "yara_rule_description": "Detects Arcom RAT",
            "last_hit_utc": "2025-06-22 22:05:39"
        }
    ],
    "8447": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_BlackNix",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/BlackNix",
            "yara_rule_description": "Detects BlackNix RAT",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "8448": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_ClientMesh",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net> (slightly modified by Florian Roth to improve performance)",
            "yara_rule_reference": "http://malwareconfig.com/stats/ClientMesh",
            "yara_rule_description": "Detects ClientMesh RAT",
            "last_hit_utc": "2025-10-28 13:45:03"
        }
    ],
    "8449": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_DarkRAT",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/DarkRAT",
            "yara_rule_description": "Detects DarkRAT",
            "last_hit_utc": "2025-10-28 13:45:03"
        }
    ],
    "8450": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_LostDoor",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/LostDoor",
            "yara_rule_description": "Detects LostDoor RAT",
            "last_hit_utc": "2025-10-28 13:45:03"
        }
    ],
    "8451": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_Punisher",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/Punisher",
            "yara_rule_description": "Detects Punisher RAT",
            "last_hit_utc": "2022-07-13 13:49:03"
        }
    ],
    "8452": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_QRat",
            "yara_rule_author": "Kevin Breen @KevTheHermit",
            "yara_rule_reference": "http://malwareconfig.com",
            "yara_rule_description": "Detects QRAT",
            "last_hit_utc": "2025-10-28 13:45:04"
        }
    ],
    "8453": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_Sub7Nation",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net> (slightly modified by Florian Roth to improve performance)",
            "yara_rule_reference": "http://malwareconfig.com/stats/Sub7Nation",
            "yara_rule_description": "Detects Sub7Nation RAT",
            "last_hit_utc": "2025-10-28 13:45:04"
        }
    ],
    "8454": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_ToxicEye_IL",
            "yara_rule_author": "albertzsigovits",
            "yara_rule_reference": "https://bazaar.abuse.ch/browse/signature/toxiceye/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-04 05:38:08"
        }
    ],
    "8455": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_unrecom",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/unrecom",
            "yara_rule_description": "Detects unrecom RAT",
            "last_hit_utc": "2025-10-28 13:45:04"
        }
    ],
    "8456": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RAT_xRAT",
            "yara_rule_author": "Kevin Breen <kevin@techanarchy.net>",
            "yara_rule_reference": "http://malwareconfig.com/stats/xRat",
            "yara_rule_description": "Detects xRAT",
            "last_hit_utc": "2021-07-23 00:59:24"
        }
    ],
    "8457": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ReactOS_cmd_valid",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php",
            "yara_rule_description": "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset",
            "last_hit_utc": "2025-11-05 08:22:43"
        }
    ],
    "8458": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RedDelta_loader",
            "yara_rule_author": "Intezer Labs",
            "yara_rule_reference": "https://www.intezer.com",
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:04"
        }
    ],
    "8459": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "REDLEAVES_DroppedFile_ImplantLoader_Starburn",
            "yara_rule_author": "USG",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-117A",
            "yara_rule_description": "Detects the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT",
            "last_hit_utc": "2023-04-22 07:17:06"
        }
    ],
    "8460": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RedOctoberPluginFileInfo",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-01-31 15:13:01"
        }
    ],
    "8461": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "redSails_PY",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/BeetleChunks/redsails",
            "yara_rule_description": "Detects Red Sails Hacktool - Python",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "8462": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "redSails_PY_RID2B50",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/BeetleChunks/redsails",
            "yara_rule_description": "Detects Red Sails Hacktool - Python",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "8463": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RedTrace",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RedTrace Ransomware",
            "last_hit_utc": "2025-06-24 07:13:34"
        }
    ],
    "8464": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Reflective_DLL_Loader_Aug17_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Reflective DLL Loader",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "8465": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Reflective_DLL_Loader_Aug17_3_RID3181",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Reflective DLL Loader",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "8466": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "regshell",
            "yara_rule_author": "Yara Bulk Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Webshells Auto-generated - file regshell.exe",
            "last_hit_utc": "2023-08-29 13:01:10"
        }
    ],
    "8467": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Rehashed_RAT_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations",
            "yara_rule_description": "Detects malware from Rehashed RAT incident",
            "last_hit_utc": "2020-12-19 07:44:23"
        }
    ],
    "8468": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Rehashed_RAT_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations",
            "yara_rule_description": "Detects malware from Rehashed RAT incident",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "8469": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Rehashed_RAT_2_RID2C0C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations",
            "yara_rule_description": "Detects malware from Rehashed RAT incident",
            "last_hit_utc": "2025-10-28 13:45:05"
        }
    ],
    "8470": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RemCom_RemoteCommandExecution",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/tezXZt",
            "yara_rule_description": "Detects strings from RemCom tool",
            "last_hit_utc": "2022-10-05 10:04:03"
        }
    ],
    "8471": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "remsec_encrypted_api",
            "yara_rule_author": "",
            "yara_rule_reference": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
            "yara_rule_description": "Detects malware from Symantec's Strider APT report",
            "last_hit_utc": "2022-03-06 06:29:25"
        }
    ],
    "8472": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "remsec_executable_blob_32",
            "yara_rule_author": "",
            "yara_rule_reference": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
            "yara_rule_description": "Detects malware from Symantec's Strider APT report",
            "last_hit_utc": "2022-03-05 21:51:03"
        }
    ],
    "8473": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "remsec_executable_blob_parser",
            "yara_rule_author": "",
            "yara_rule_reference": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
            "yara_rule_description": "Detects malware from Symantec's Strider APT report",
            "last_hit_utc": "2022-03-05 21:51:03"
        }
    ],
    "8474": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Responder",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://github.com/lgandx/Responder",
            "yara_rule_description": "Identifies Responder, an LLMNR, NBT-NS and MDNS poisoner.",
            "last_hit_utc": "2026-03-23 08:57:15"
        }
    ],
    "8475": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RokRAT",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat",
            "yara_rule_description": "Identifies RokRAT.",
            "last_hit_utc": "2025-08-06 06:34:28"
        }
    ],
    "8476": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ROKRAT_Nov17_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ROKRAT malware",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8477": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ROKRAT_Nov17_1_RID2B6E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects ROKRAT malware",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8478": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Rombertik_CarbonGrabber",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blogs.cisco.com/security/talos/rombertik",
            "yara_rule_description": "Detects CarbonGrabber alias Rombertik - file Copy#064046.scr",
            "last_hit_utc": "2022-01-29 10:08:19"
        }
    ],
    "8479": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RottenPotato_Potato",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/foxglovesec/RottenPotato",
            "yara_rule_description": "Detects a component of privilege escalation tool Rotten Potato - file Potato.exe",
            "last_hit_utc": "2022-05-19 19:46:03"
        }
    ],
    "8480": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RottenPotato_Potato",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/foxglovesec/RottenPotato",
            "yara_rule_description": "Detects a component of privilege escalation tool Rotten Potato - file Potato.exe",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "8481": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RoyalRoad_code_pattern1",
            "yara_rule_author": "nao_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2022-08-08 16:04:03"
        }
    ],
    "8482": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RoyalRoad_code_pattern4ab",
            "yara_rule_author": "nao_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2021-07-01 07:43:44"
        }
    ],
    "8483": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RoyalRoad_code_pattern4ab",
            "yara_rule_author": "neo_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2020-09-08 09:06:16"
        }
    ],
    "8484": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RoyalRoad_code_pattern4ce",
            "yara_rule_author": "nao_sec",
            "yara_rule_reference": "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf",
            "yara_rule_description": "Detects RoyalRoad weaponized RTF documents",
            "last_hit_utc": "2022-04-28 17:04:03"
        }
    ],
    "8485": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "rtf_bluetea_builder",
            "yara_rule_author": "Marc Rivero | McAfee ATR Team",
            "yara_rule_reference": "https://blog.360totalsecurity.com/en/bluetea-action-drive-the-life-trojan-update-email-worm-module-and-spread-through-covid-19-outbreak/",
            "yara_rule_description": "Rule to detect the RTF files created to distribute BlueTea trojan",
            "last_hit_utc": "2021-01-06 18:11:23"
        }
    ],
    "8486": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "rtf_CVE_2018_0802",
            "yara_rule_author": "Rich Warren",
            "yara_rule_reference": "http://www.freebuf.com/vuls/159789.html",
            "yara_rule_description": "Attempts to exploit CVE-2018-0802",
            "last_hit_utc": "2022-08-08 15:18:03"
        }
    ],
    "8487": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RTF_LNK_InternetExplorer_IDLIST_Suspicious",
            "yara_rule_author": "node5",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects RTF with hex-encoded OLE LNK containing IE IDLIST with suspicious URI items",
            "last_hit_utc": "2026-04-01 13:52:24"
        }
    ],
    "8488": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RUAG_APT_Malware_Gen2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects malware used in the RUAG APT case",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "8489": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "RUAG_APT_srsvc_RID2C14",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects malware used in the RUAG APT case",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8490": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Rustyloader_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24",
            "yara_rule_description": "Corroded buerloader",
            "last_hit_utc": "2026-02-26 08:58:18"
        }
    ],
    "8491": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ryuk_Ransomware",
            "yara_rule_author": "Christiaan Beek - McAfee ATR team",
            "yara_rule_reference": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/",
            "yara_rule_description": "Ryuk Ransomware hunting rule",
            "last_hit_utc": "2020-06-10 12:38:13"
        }
    ],
    "8492": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ryuk_SequentialComparisons_B",
            "yara_rule_author": "Malware Utkonos",
            "yara_rule_reference": "",
            "yara_rule_description": "Sequential comparison of SID lookup result characters, variant B.",
            "last_hit_utc": "2022-01-28 10:30:17"
        }
    ],
    "8493": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Sality_Malware_Oct16",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an unspecified malware - October 2016",
            "last_hit_utc": "2020-11-07 23:21:35"
        }
    ],
    "8494": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "scanarator",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file scanarator.exe",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "8495": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "scanarator_iis",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file iis.exe",
            "last_hit_utc": "2025-10-28 13:45:06"
        }
    ],
    "8496": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "servpw",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - file servpw.exe",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8497": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "servpw_RID29B8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/igxLyF",
            "yara_rule_description": "Detects a tool used by APT groups - file servpw_RID29B8.exe",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8498": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "shadowHammer",
            "yara_rule_author": "Alex Mundo | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule to detect ShadowHammer using the fake domain of asus and binary (overlay and not overlay, disk and memory)",
            "last_hit_utc": "2021-03-02 17:07:37"
        }
    ],
    "8499": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SharpHostInfo",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities",
            "yara_rule_description": "Identifies SharpHostInfo, a tool used for quickly detecting intranet host information and also abused by attackers such as Storm-2603.",
            "last_hit_utc": "2025-09-26 07:30:52"
        }
    ],
    "8500": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "shellbot_pl",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": "",
            "yara_rule_description": "Semi-Auto-generated  - file shellbot.pl.txt",
            "last_hit_utc": "2021-12-29 12:01:05"
        }
    ],
    "8501": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ShellCreator2",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:45:07"
        }
    ],
    "8502": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "shells_PHP_wso",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": "",
            "yara_rule_description": "Semi-Auto-generated  - file wso.txt",
            "last_hit_utc": "2021-08-20 23:47:04"
        }
    ],
    "8503": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "shimrat",
            "yara_rule_author": "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ShimRat and the ShimRat loader",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "8504": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "shimratreporter",
            "yara_rule_author": "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects ShimRatReporter",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "8505": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "signed_drv_IoCreateDevice",
            "yara_rule_author": "wonderkun",
            "yara_rule_reference": null,
            "yara_rule_description": "signed_sys_with_vulnerablity",
            "last_hit_utc": "2025-06-25 13:05:33"
        }
    ],
    "8506": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_2323",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file 2323.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "8507": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_2323",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file 2323.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "8508": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_findoor",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file findoor.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "8509": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_findoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file findoor.exe",
            "last_hit_utc": "2025-10-28 13:45:08"
        }
    ],
    "8510": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_letmein",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file letmein.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8511": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_letmein",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file letmein.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8512": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_listip",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file listip.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8513": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_listip",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file listip.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8514": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_nbtdump",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file nbtdump.exe",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8515": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_nbtdump",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file nbtdump.exe",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8516": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_RunAsEx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file RunAsEx.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8517": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_RunAsEx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file RunAsEx.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8518": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_sqlcmd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file sqlcmd.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8519": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_sqlcmd",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file sqlcmd.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8520": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_TFTPD32",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file TFTPD32.EXE",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8521": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_TFTPD32",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file TFTPD32.EXE",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8522": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_token",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file token.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8523": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_token",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file token.exe",
            "last_hit_utc": "2025-10-28 13:45:09"
        }
    ],
    "8524": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_webget",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file webget.exe",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "8525": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_webget",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file webget.exe",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "8526": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_xsniff",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file xsniff.exe",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "8527": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sig_238_xsniff",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file xsniff.exe",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "8528": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Silence_malware_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://securelist.com/the-silence/83009/",
            "yara_rule_description": "Detects malware sample mentioned in the Silence report on Securelist",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "8529": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Silence_malware_2_RID2DAD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/the-silence/83009/",
            "yara_rule_description": "Detects malware sample mentioned in the Silence report on Securelist",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "8530": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "skeleton_key_injected_code",
            "yara_rule_author": "Dell SecureWorks Counter Threat Unit",
            "yara_rule_reference": "http://goo.gl/aAk3lN",
            "yara_rule_description": "Skeleton Key injected Code http://goo.gl/aAk3lN",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8531": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Slingshot_APT_Malware_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/apt-slingshot/84312/",
            "yara_rule_description": "Detects malware from Slingshot APT",
            "last_hit_utc": "2021-05-03 07:24:47"
        }
    ],
    "8532": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Slingshot_APT_Malware_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/apt-slingshot/84312/",
            "yara_rule_description": "Detects malware from Slingshot APT",
            "last_hit_utc": "2021-05-03 07:24:47"
        }
    ],
    "8533": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Slingshot_APT_Malware_4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/apt-slingshot/84312/",
            "yara_rule_description": "Detects malware from Slingshot APT",
            "last_hit_utc": "2021-05-03 07:24:47"
        }
    ],
    "8534": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SmartCopy2",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "8535": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Smartniff",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file Smartniff.exe",
            "last_hit_utc": "2025-01-05 16:56:10"
        }
    ],
    "8536": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SmokeLoader",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "SmokeLoader Payload",
            "last_hit_utc": "2025-12-07 06:27:16"
        }
    ],
    "8537": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SocGholish_Variant_B",
            "yara_rule_author": "Ankit Anubhav -ankitanubhav.info",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects SocGholish obfuscated variant first observed in July 2022",
            "last_hit_utc": "2022-07-19 15:45:03"
        }
    ],
    "8538": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Socks5Systemz",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": null,
            "yara_rule_description": "Socks5Systemz Payload",
            "last_hit_utc": "2026-03-25 12:07:17"
        }
    ],
    "8539": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Socks5Systemz_december",
            "yara_rule_author": "ch4daev",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect socks5systemz botnet",
            "last_hit_utc": "2025-01-03 22:44:25"
        }
    ],
    "8540": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Sofacy_Bundestag_Winexe",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf",
            "yara_rule_description": "Winexe tool used by Sofacy group in Bundestag APT",
            "last_hit_utc": "2025-01-03 22:37:32"
        }
    ],
    "8541": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Sofacy_Fybis_ELF_Backdoor_Gen1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/",
            "yara_rule_description": "Detects Sofacy Fysbis Linux Backdoor",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "8542": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Sofacy_Fybis_ELF_Backdoor_Gen1_RID3236",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/",
            "yara_rule_description": "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1",
            "last_hit_utc": "2025-10-28 13:45:10"
        }
    ],
    "8543": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Sofacy_Jun16_Sample2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/mzAa97",
            "yara_rule_description": "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8544": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Sofacy_Oct17_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
            "yara_rule_description": "Detects Sofacy malware reported in October 2017",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "8545": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Sofacy_Oct17_2_RID2BF4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
            "yara_rule_description": "Detects Sofacy malware reported in October 2017",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "8546": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SoftSentryv30",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:06:13"
        }
    ],
    "8547": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "solo_mine_example",
            "yara_rule_author": "yarGen Rule Generator",
            "yara_rule_reference": "https://github.com/Neo23x0/yarGen",
            "yara_rule_description": "rig_win64 - file solo_mine_example.cmd",
            "last_hit_utc": "2022-03-18 07:24:06"
        }
    ],
    "8548": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SparklingGoblin_ChaCha20",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
            "yara_rule_description": "SparklingGoblin ChaCha20 implementations",
            "last_hit_utc": "2026-02-02 15:07:25"
        }
    ],
    "8549": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "splitjoin",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file splitjoin.exe",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8550": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "splitjoin",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file splitjoin.exe",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8551": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SplitJoin_V1_3_3_rar_Folder_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file splitjoin.exe",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8552": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SplitJoin_V1_3_3_rar_Folder_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file splitjoin.exe",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8553": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sqlcheck",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file sqlcheck.exe",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8554": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sqlcheck",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file sqlcheck.exe",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8555": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "sqlcmd_loader",
            "yara_rule_author": "@luc4m",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-30 17:24:03"
        }
    ],
    "8556": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SQLMap",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "This signature detects the SQLMap SQL injection tool",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8557": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SQLMap",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "This signature detects the SQLMap SQL injection tool",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8558": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SquirrelWaffle",
            "yara_rule_author": "kevoreilly",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-10-27 10:42:04"
        }
    ],
    "8559": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ssh_server_with_hardcoded_private_key",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-10-08 10:42:05"
        }
    ],
    "8560": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "stantinko_ihctrl32",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8561": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "stantinko_pdb",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8562": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "stantinko_wsaudio",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8563": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "STARSYPOUND_APT1",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-06-28 05:33:32"
        }
    ],
    "8564": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "StealcConfig",
            "yara_rule_author": "NDA0E",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Stealc Config",
            "last_hit_utc": "2025-01-23 14:38:39"
        }
    ],
    "8565": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "STEALER_emirates_statement",
            "yara_rule_author": "Christiaan Beek | McAfee ATR Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Credentials Stealing Attack",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8566": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "StealthWasp_s_Basic_PortScanner_v1_2",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8567": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "StormKitty",
            "yara_rule_author": "ditekSHen",
            "yara_rule_reference": null,
            "yara_rule_description": "StormKitty infostealer payload",
            "last_hit_utc": "2025-06-16 16:17:00"
        }
    ],
    "8568": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "StreamEx_ShellCrew",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar",
            "yara_rule_description": "Detects a",
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8569": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "StrelaStealer",
            "yara_rule_author": "@hackNpatch@infosec.exchange",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-17 19:42:03"
        }
    ],
    "8570": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Stuxnet_maindll_decrypted_unpacked",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Stuxnet Sample - file maindll.decrypted.unpacked.dll_",
            "last_hit_utc": "2025-11-05 08:21:39"
        }
    ],
    "8571": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "STUXSHOP_config",
            "yara_rule_author": "JAG-S (turla@chronicle.security)",
            "yara_rule_reference": "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0",
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:11"
        }
    ],
    "8572": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "subTee_nativecmd_RID2D93",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/",
            "yara_rule_description": "NativeCmd - used by various threat groups",
            "last_hit_utc": "2025-11-05 08:22:44"
        }
    ],
    "8573": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "suspicious_obfuscated_script_detection",
            "yara_rule_author": "Lucas Acha (http://www.lukeacha.com)",
            "yara_rule_reference": null,
            "yara_rule_description": "Observed strings with suspicious AutoIT scripts",
            "last_hit_utc": "2024-03-28 17:52:03"
        }
    ],
    "8574": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "suspicious_rich_header_Sep2021_1",
            "yara_rule_author": "Nils Kuhnert",
            "yara_rule_reference": "",
            "yara_rule_description": "Suspicious rich header which clusters crime'ish samples. Needs additional research.",
            "last_hit_utc": "2021-09-30 09:42:31"
        }
    ],
    "8575": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Suspicious_Script_Running_from_HTTP",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100",
            "yara_rule_description": "Detects a suspicious",
            "last_hit_utc": "2025-10-28 13:45:13"
        }
    ],
    "8576": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Suspicious_Script_Running_from_HTTP_RID350E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100",
            "yara_rule_description": "Detects a suspicious",
            "last_hit_utc": "2025-10-28 13:45:13"
        }
    ],
    "8577": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Suspicious_SFX",
            "yara_rule_author": "marcin@ulikowski.pl",
            "yara_rule_reference": "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/",
            "yara_rule_description": "Detects self-extracting archives (SFX) executing cmd.exe or powershell.exe",
            "last_hit_utc": "2025-05-07 19:35:29"
        }
    ],
    "8578": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_Base64_Encoded_Hacktool_Dev",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/cyb3rops/status/1270626274826911744",
            "yara_rule_description": "Detects a suspicious base64 encoded keyword",
            "last_hit_utc": "2022-08-22 12:43:03"
        }
    ],
    "8579": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_DOC_LNK_in_ZIP",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/RedDrip7/status/1145877272945025029",
            "yara_rule_description": "Detects suspicious .doc.lnk file in ZIP archive",
            "last_hit_utc": "2025-03-03 23:49:15"
        }
    ],
    "8580": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_DOC_LNK_in_ZIP_RID2D5D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/RedDrip7/status/1145877272945025029",
            "yara_rule_description": "Detects suspicious .doc.lnk file in ZIP archive",
            "last_hit_utc": "2025-03-03 23:49:15"
        }
    ],
    "8581": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_Doc_WordXMLRels_May22",
            "yara_rule_author": "Tobias Michalski, Christian Burkard, Wojciech Cie\u015blak",
            "yara_rule_reference": "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
            "yara_rule_description": "Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190",
            "last_hit_utc": "2022-06-16 11:29:02"
        }
    ],
    "8582": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_ELF_SPARC_Hunting_SBZ_UniqueStrings",
            "yara_rule_author": "netadr, modified by Florian Roth for performance reasons",
            "yara_rule_reference": "https://netadr.github.io/blog/a-quick-glimpse-sbz/",
            "yara_rule_description": "This rule is UNTESTED against a large dataset and is for hunting purposes only.",
            "last_hit_utc": "2025-10-28 13:45:12"
        }
    ],
    "8583": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_Email_Redirection_Spoofing_Feb25",
            "yara_rule_author": "Jonathan Peters (cod3nym)",
            "yara_rule_reference": "https://any.run/cybersecurity-blog/cyber-attacks-january-2025/#fake-youtube-links-redirect-users-to-phishing-pages-11298",
            "yara_rule_description": "Detects redirect spoofing in embedded URLs. This technique is used by threat actors to obscure the actual destination of a link",
            "last_hit_utc": "2025-10-28 13:45:12"
        }
    ],
    "8584": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_EXPL_CommVault_CVE_2025_57791_Aug25_1",
            "yara_rule_author": "X__Junior",
            "yara_rule_reference": "https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/",
            "yara_rule_description": "Detects potential exploit for WT-2025-0050, authentication bypass through QCommand argument injection",
            "last_hit_utc": "2025-10-28 13:45:12"
        }
    ],
    "8585": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_EXPL_LNX_CUPS_CVE_2024_47177_Sep24",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8",
            "yara_rule_description": "Detects suspicious FoomaticRIPCommandLine command in printer config, which could be used to exploit CUPS CVE-2024-47177",
            "last_hit_utc": "2025-10-28 13:45:12"
        }
    ],
    "8586": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_Imphash_PassRevealer_PY_EXE",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects an imphash used by password revealer and hack tools",
            "last_hit_utc": "2020-11-03 13:09:23"
        }
    ],
    "8587": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_JDNIExploit_Error_Indicators_Dec21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/marcioalm/status/1470361495405875200?s=20",
            "yara_rule_description": "Detects error messages related to JNDI usage in log files that can indicate a Log4Shell / Log4j exploitation",
            "last_hit_utc": "2025-10-28 13:45:12"
        }
    ],
    "8588": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_LNK_Staging_Directory",
            "yara_rule_author": "SECUINFRA Falcon Team",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects typical staging directories being referenced inside lnk files",
            "last_hit_utc": "2025-10-12 20:57:31"
        }
    ],
    "8589": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_LNX_Base64_Download_Exec_Apr24",
            "yara_rule_author": "Paul Hager",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious base64 encoded shell commands used for downloading and executing further stages",
            "last_hit_utc": "2025-09-25 08:28:36"
        }
    ],
    "8590": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_Macro_StarOffice",
            "yara_rule_author": "John Lambert @JohnLaTwC",
            "yara_rule_reference": "https://twitter.com/JohnLaTwC/status/1093259873993732096",
            "yara_rule_description": "Suspicious macro in StarOffice",
            "last_hit_utc": "2026-02-22 18:17:27"
        }
    ],
    "8591": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_OBFUSC_Indiators_XML_OfficeDoc_Sep21_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/sudosev/status/1439205606129377282",
            "yara_rule_description": "Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents",
            "last_hit_utc": "2022-10-05 10:04:03"
        }
    ],
    "8592": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_OBFUSC_Indiators_XML_OfficeDoc_Sep21_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/sudosev/status/1439205606129377282",
            "yara_rule_description": "Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents",
            "last_hit_utc": "2022-10-05 10:04:02"
        }
    ],
    "8593": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_OBFUSC_PowerShell_True_Jun20_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/corneacristian/mimikatz-bypass/",
            "yara_rule_description": "Detects indicators often found in obfuscated PowerShell scripts",
            "last_hit_utc": "2022-10-01 19:00:03"
        }
    ],
    "8594": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_OfficeDoc_VBA_Base64Decode",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/cpaton/Scripting/blob/master/VBA/Base64.bas",
            "yara_rule_description": "Detects suspicious VBA code with Base64 decode functions",
            "last_hit_utc": "2025-02-24 10:31:06"
        }
    ],
    "8595": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_OfficeDoc_VBA_Base64Decode_RID31DD",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/cpaton/Scripting/blob/master/VBA/Base64.bas",
            "yara_rule_description": "Detects suspicious VBA code with Base64 decode functions",
            "last_hit_utc": "2025-02-24 10:31:06"
        }
    ],
    "8596": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_PDB_Strings_Keylogger_Backdoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects PDB strings used in backdoors or keyloggers",
            "last_hit_utc": "2026-04-22 16:10:46"
        }
    ],
    "8597": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Susp_PowerShell_Sep17_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious PowerShell script in combo with VBS or JS",
            "last_hit_utc": "2022-01-24 12:55:24"
        }
    ],
    "8598": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_REVSHELL_GENERATOR_PS_OBFUSC",
            "yara_rule_author": "Ayush(Securityinbits)",
            "yara_rule_reference": "https://powershellforhackers.com/tools/revshell",
            "yara_rule_description": "Detects PowerShell reverse-shell scripts produced by https://powershellforhackers.com/tools/revshell/",
            "last_hit_utc": "2025-07-30 11:04:12"
        }
    ],
    "8599": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_Script_Obfuscation_Char_Concat",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/JaromirHorejsi/status/1047084277920411648",
            "yara_rule_description": "Detects strings found in sample from CN group repo leak in October 2018",
            "last_hit_utc": "2025-01-03 20:34:52"
        }
    ],
    "8600": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_Script_Obfuscation_Char_Concat_RID34A0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/JaromirHorejsi/status/1047084277920411648",
            "yara_rule_description": "Detects strings found in sample from CN group repo leak in October 2018",
            "last_hit_utc": "2025-01-03 20:34:52"
        }
    ],
    "8601": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_SFX_RunProgram_WScript",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious SFX as used by Gamaredon group",
            "last_hit_utc": "2022-03-15 07:54:21"
        }
    ],
    "8602": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_SFX_RunProgram_WScript_RID3143",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects suspicious SFX as used by Gamaredon group",
            "last_hit_utc": "2022-03-15 07:54:21"
        }
    ],
    "8603": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_SVG_JS_Payload_Mar25",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects a suspicious SVG file that contains a JavaScript payload. This rule is a generic rule that might generate false positives. A match should be further investigated.",
            "last_hit_utc": "2025-10-20 12:41:50"
        }
    ],
    "8604": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_VHD_Suspicious_Small_Size",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/MeltX0R/status/1208095892877774850",
            "yara_rule_description": "Detects suspicious VHD files",
            "last_hit_utc": "2026-02-23 07:14:22"
        }
    ],
    "8605": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_XMRIG_Reference",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/itaitevet/status/1141677424045953024",
            "yara_rule_description": "Detects an executable with a suspicious XMRIG crypto miner reference",
            "last_hit_utc": "2025-01-03 21:36:21"
        }
    ],
    "8606": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUSP_XMRIG_Reference_RID2E30",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/itaitevet/status/1141677424045953024",
            "yara_rule_description": "Detects an executable with a suspicious XMRIG crypto miner reference",
            "last_hit_utc": "2025-01-03 21:36:21"
        }
    ],
    "8607": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUS_UNC_InEmail",
            "yara_rule_author": "Nicholas Dhaeyer - @DhaeyerWolf",
            "yara_rule_reference": null,
            "yara_rule_description": "Looks for a suspicious UNC string in .eml files & .ole files",
            "last_hit_utc": "2025-01-05 16:04:53"
        }
    ],
    "8608": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SUS_Unsigned_APPX_MSIX_Installer_Feb23",
            "yara_rule_author": "SECUINFRA Falcon Team (@SI_FalconTeam)",
            "yara_rule_reference": "https://twitter.com/SI_FalconTeam/status/1620500572481945600",
            "yara_rule_description": "Detects suspicious, unsigned Microsoft Windows APPX/MSIX Installer Packages",
            "last_hit_utc": "2025-10-29 16:46:30"
        }
    ],
    "8609": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "swfdoc_hunter",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-01-22 05:02:07"
        }
    ],
    "8610": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "SwitchSniffer",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file SwitchSniffer.exe",
            "last_hit_utc": "2025-11-05 08:22:45"
        }
    ],
    "8611": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Symbolic_Link_Files_Macros_File_Characteristic",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-24 08:14:57"
        }
    ],
    "8612": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Symbolic_Link_Files_Macros_File_Characteristic",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-11-07 11:23:03"
        }
    ],
    "8613": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TA17_318B_volgmer",
            "yara_rule_author": "US CERT",
            "yara_rule_reference": "https://www.us-cert.gov/ncas/alerts/TA17-318B",
            "yara_rule_description": "Malformed User Agent in Volgmer malware",
            "last_hit_utc": "2025-11-05 08:22:45"
        }
    ],
    "8614": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TA505_bin_21Nov_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/58_158_177_102/status/1197432303057637377",
            "yara_rule_description": "module1.bin",
            "last_hit_utc": "2026-03-06 17:51:15"
        }
    ],
    "8615": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TA505_Maldoc_21Nov_1",
            "yara_rule_author": "Arkbird_SOLG",
            "yara_rule_reference": "https://twitter.com/58_158_177_102/status/1197432303057637377",
            "yara_rule_description": "invitation.doc",
            "last_hit_utc": "2025-01-03 22:21:45"
        }
    ],
    "8616": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TDL_loader_bootstrap_shellcode",
            "yara_rule_author": "SBousseaden",
            "yara_rule_reference": "https://github.com/hfiref0x/TDL",
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:34:55"
        }
    ],
    "8617": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TeleBots_IntercepterNG",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/4if3HG",
            "yara_rule_description": "Detects TeleBots malware - IntercepterNG",
            "last_hit_utc": "2025-10-28 13:45:13"
        }
    ],
    "8618": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TeleBots_IntercepterNG_RID2FAC",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/4if3HG",
            "yara_rule_description": "Detects TeleBots malware - IntercepterNG",
            "last_hit_utc": "2025-10-28 13:45:13"
        }
    ],
    "8619": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TeleDoor_Backdoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://goo.gl/CpfJQQ",
            "yara_rule_description": "Detects the TeleDoor Backdoor as used in Petya Attack in June 2017",
            "last_hit_utc": "2025-11-05 08:22:45"
        }
    ],
    "8620": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TeleDoor_Backdoor_RID2DB3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/CpfJQQ",
            "yara_rule_description": "Detects the TeleDoor Backdoor as used in Petya Attack in June 2017",
            "last_hit_utc": "2025-11-05 08:22:45"
        }
    ],
    "8621": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "tElock096tE",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-06 07:07:08"
        }
    ],
    "8622": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "tElock098tE",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-23 19:36:02"
        }
    ],
    "8623": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "tElock099tE",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-28 11:23:34"
        }
    ],
    "8624": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "tElockv071",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-06 00:32:04"
        }
    ],
    "8625": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "tElockv098",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-23 19:36:02"
        }
    ],
    "8626": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "tElockv098tE",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-23 19:36:02"
        }
    ],
    "8627": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "tElockv099SpecialBuildheXerforgot",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-28 11:23:34"
        }
    ],
    "8628": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "templatr",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file templatr.php",
            "last_hit_utc": "2024-02-15 15:28:02"
        }
    ],
    "8629": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "test_rezer0",
            "yara_rule_author": "oranzii",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects a loader",
            "last_hit_utc": "2024-01-13 21:07:03"
        }
    ],
    "8630": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "test_rule_for_agrntTesla_or_exe_files_basic",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-02-09 07:42:03"
        }
    ],
    "8631": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "themida1005httpwwworeanscom",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:19:21"
        }
    ],
    "8632": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Themida10xx1800compressedengineOreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:19:21"
        }
    ],
    "8633": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Themida1201compressedOreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:19:21"
        }
    ],
    "8634": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ThemidaOreansTechnologies2004",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:19:21"
        }
    ],
    "8635": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ThemidaWinLicenseV1000V1800OreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:19:21"
        }
    ],
    "8636": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ThemidaWinLicenseV10XV17XDLLOreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:19:21"
        }
    ],
    "8637": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ThemidaWinLicenseV1XNoCompressionSecureEngineOreansTechnologies",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:12:09"
        }
    ],
    "8638": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "thequickbrow_APT1",
            "yara_rule_author": "AlienVault Labs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:34:53"
        }
    ],
    "8639": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Thinstall24x25xJititSoftware",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:10:00"
        }
    ],
    "8640": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Thinstall25xxJtit",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:10:00"
        }
    ],
    "8641": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ThinstallEmbedded2501Jitit",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:10:00"
        }
    ],
    "8642": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "tick_xxmm_strings",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect xxmm in memory",
            "last_hit_utc": "2025-10-28 13:45:14"
        }
    ],
    "8643": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TidePool_Malware",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/m2CXWR",
            "yara_rule_description": "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks",
            "last_hit_utc": "2025-11-05 08:21:40"
        }
    ],
    "8644": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TidePool_Malware_RID2D59",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/m2CXWR",
            "yara_rule_description": "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks",
            "last_hit_utc": "2025-11-05 08:21:40"
        }
    ],
    "8645": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "tinyturla",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "tinyturla",
            "last_hit_utc": "2025-06-30 19:09:44"
        }
    ],
    "8646": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "TinyZBot",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:45:14"
        }
    ],
    "8647": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Tiny_Network_Tool_Generic",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)",
            "last_hit_utc": "2025-05-12 06:29:13"
        }
    ],
    "8648": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Tiny_Network_Tool_Generic",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)",
            "last_hit_utc": "2025-05-12 06:29:13"
        }
    ],
    "8649": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Tool_MSIL_SharpGrep_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpGrep' project.",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8650": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trickbot_PermaDll_UEFI_Module",
            "yara_rule_author": "@VK_Intel | Advanced Intelligence",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects TrickBot Banking module permaDll",
            "last_hit_utc": "2025-10-28 13:45:15"
        }
    ],
    "8651": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trj_Ponmocup_Downloader",
            "yara_rule_author": "Centro Criptol\u00f3gico Nacional (CCN)",
            "yara_rule_reference": null,
            "yara_rule_description": "Ponmocup Downloader",
            "last_hit_utc": "2021-05-04 01:02:56"
        }
    ],
    "8652": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_MSIL_GORAT_Module_PowerShell_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Module - PowerShell' project.",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8653": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_MSIL_GORAT_Plugin_DOTNET_1",
            "yara_rule_author": "FireEye",
            "yara_rule_reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html",
            "yara_rule_description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Plugin - .NET' project.",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8654": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_Win32_Adupib",
            "yara_rule_author": "Microsoft",
            "yara_rule_reference": null,
            "yara_rule_description": "Adupib SSL Backdoor",
            "last_hit_utc": "2025-10-28 13:45:15"
        }
    ],
    "8655": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_Win32_Plakelog",
            "yara_rule_author": "Microsoft",
            "yara_rule_reference": null,
            "yara_rule_description": "Raw-input based keylogger",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8656": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_Win32_Plakelog",
            "yara_rule_author": "Microsoft",
            "yara_rule_reference": "",
            "yara_rule_description": "Raw-input based keylogger",
            "last_hit_utc": "2022-10-05 10:04:03"
        }
    ],
    "8657": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_Win32_PlaKeylog_B",
            "yara_rule_author": "Microsoft",
            "yara_rule_reference": null,
            "yara_rule_description": "Keylogger component",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8658": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_Win32_PlaKeylog_B",
            "yara_rule_author": "Microsoft",
            "yara_rule_reference": "",
            "yara_rule_description": "Keylogger component",
            "last_hit_utc": "2022-04-20 02:35:02"
        }
    ],
    "8659": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_Win32_Plakpers",
            "yara_rule_author": "Microsoft",
            "yara_rule_reference": "",
            "yara_rule_description": "Injector / loader component",
            "last_hit_utc": "2022-10-05 10:04:03"
        }
    ],
    "8660": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_Win32_Plaplex",
            "yara_rule_author": "Microsoft",
            "yara_rule_reference": null,
            "yara_rule_description": "Variant of the JPin backdoor",
            "last_hit_utc": "2025-10-28 13:45:15"
        }
    ],
    "8661": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_Win32_PlaSrv",
            "yara_rule_author": "Microsoft",
            "yara_rule_reference": "",
            "yara_rule_description": "Hotpatching Injector",
            "last_hit_utc": "2022-04-20 02:35:02"
        }
    ],
    "8662": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Trojan_Win32_Platual",
            "yara_rule_author": "Microsoft",
            "yara_rule_reference": "",
            "yara_rule_description": "Installer component",
            "last_hit_utc": "2022-04-20 02:35:02"
        }
    ],
    "8663": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "troj_elf_cetus_a",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Cetus Linux Malware.",
            "last_hit_utc": "2026-01-09 07:54:32"
        }
    ],
    "8664": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "troj_win_headertip",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects HeaderTip DLL",
            "last_hit_utc": "2024-03-01 15:52:02"
        }
    ],
    "8665": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "troj_win_powerstager",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects PowerStager Windows executable, both x86 and x64.",
            "last_hit_utc": "2025-01-03 19:38:17"
        }
    ],
    "8666": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "troj_win_vbkryjetor",
            "yara_rule_author": "Jeff White (karttoon@gmail.com) @noottrak",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects VBKryjetor trojan.",
            "last_hit_utc": "2022-08-31 02:23:02"
        }
    ],
    "8667": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Turla_APT_Malware_Gen1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects Turla malware (based on sample used in the RUAG APT case)",
            "last_hit_utc": "2022-10-16 21:53:04"
        }
    ],
    "8668": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Turla_APT_Malware_Gen1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects Turla malware (based on sample used in the RUAG APT case)",
            "last_hit_utc": "2025-10-28 13:45:15"
        }
    ],
    "8669": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Turla_APT_Malware_Gen2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects Turla malware (based on sample used in the RUAG APT case)",
            "last_hit_utc": "2022-10-16 21:53:04"
        }
    ],
    "8670": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Turla_APT_Malware_Gen3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects Turla malware (based on sample used in the RUAG APT case)",
            "last_hit_utc": "2022-10-16 21:53:04"
        }
    ],
    "8671": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Turla_APT_srsvc",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case",
            "yara_rule_description": "Detects Turla malware (based on sample used in the RUAG APT case)",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8672": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "turla_outlook_filenames",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf",
            "yara_rule_description": "Turla Outlook filenames",
            "last_hit_utc": "2025-10-28 13:45:15"
        }
    ],
    "8673": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "turla_outlook_gen",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf",
            "yara_rule_description": "Turla Outlook malware",
            "last_hit_utc": "2025-10-28 13:45:15"
        }
    ],
    "8674": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "turla_outlook_pdf",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf",
            "yara_rule_description": "Detect PDF documents generated by Turla Outlook malware",
            "last_hit_utc": "2025-06-16 16:43:56"
        }
    ],
    "8675": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "turla_png_dropper",
            "yara_rule_author": "Ben Humphrey",
            "yara_rule_reference": "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
            "yara_rule_description": "Detects the PNG Dropper used by the Turla group",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8676": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "UACME_Akagi_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/hfiref0x/UACME",
            "yara_rule_description": "Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe",
            "last_hit_utc": "2022-04-19 21:59:03"
        }
    ],
    "8677": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "UACME_Akagi_2_RID2B49",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/hfiref0x/UACME",
            "yara_rule_description": "Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe",
            "last_hit_utc": "2022-04-19 21:59:03"
        }
    ],
    "8678": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "unastealer3_mem",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://www.hybrid-analysis.com/string-search/results/54fb74afabde582ae0a730401ea31ee5e0d9cf33582c8a64d634350150cdd78b",
            "yara_rule_description": "Una Stealer",
            "last_hit_utc": "2025-01-03 20:34:53"
        }
    ],
    "8679": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "unastealer3_other",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://www.hybrid-analysis.com/string-search/results/54fb74afabde582ae0a730401ea31ee5e0d9cf33582c8a64d634350150cdd78b",
            "yara_rule_description": "Una Stealer",
            "last_hit_utc": "2021-11-17 02:12:05"
        }
    ],
    "8680": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Unauthorized_Proxy_Server_RAT",
            "yara_rule_author": "US-CERT Code Analysis Team",
            "yara_rule_reference": "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8681": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Unit78020_Malware_Gen1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://threatconnect.com/camerashy/?utm_campaign=CameraShy",
            "yara_rule_description": "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8682": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Unit78020_Malware_Gen1_RID2E84",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://threatconnect.com/camerashy/?utm_campaign=CameraShy",
            "yara_rule_description": "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule",
            "last_hit_utc": "2025-11-05 08:22:46"
        }
    ],
    "8683": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "unknownstealer3_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "https://www.hybrid-analysis.com/yara-search/results/526f6ebd0e1dafa57c797ab3e0165c03abe0d21d03287429973e7f78814f342a",
            "yara_rule_description": "Unknamed Stealer",
            "last_hit_utc": "2021-06-28 23:56:09"
        }
    ],
    "8684": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Unk_BR_Banker",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies an unknown Brazilian banking trojan.",
            "last_hit_utc": "2025-01-05 17:27:37"
        }
    ],
    "8685": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "UnPack_rar_Folder_InjectT",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file InjectT.exe",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "8686": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "UnPack_rar_Folder_InjectT",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file InjectT.exe",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "8687": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "UnPack_rar_Folder_TBack",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file TBack.DLL",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "8688": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "UnPack_rar_Folder_TBack",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file TBack.DLL",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "8689": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Upack022023betaDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-15 10:37:33"
        }
    ],
    "8690": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Upackv022v023BetaDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-15 10:37:33"
        }
    ],
    "8691": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Upackv031betaDwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-08 07:41:03"
        }
    ],
    "8692": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Upackv0399Dwing",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-27 19:23:19"
        }
    ],
    "8693": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "UPXScramblerRCv1x",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:37:25"
        }
    ],
    "8694": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "URL_File_Local_EXE",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://twitter.com/malwareforme/status/915300883012870144",
            "yara_rule_description": "Detects an .url file that points to a local executable",
            "last_hit_utc": "2025-01-03 19:17:50"
        }
    ],
    "8695": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "URL_File_Local_EXE_RID2D6E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://twitter.com/malwareforme/status/915300883012870144",
            "yara_rule_description": "Detects an .url file that points to a local executable",
            "last_hit_utc": "2025-01-03 19:17:50"
        }
    ],
    "8696": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "User_Function_String",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
            "yara_rule_description": "Detects user function string from NCSC report",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "8697": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "USSR031bySpirit",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-23 01:39:03"
        }
    ],
    "8698": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "uxcryptor",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "UXCryptor Payload",
            "last_hit_utc": "2023-05-19 06:18:56"
        }
    ],
    "8699": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VBS_WMIExec_Tool_Apr17_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Tools related to Operation Cloud Hopper",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "8700": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VBS_WMIExec_Tool_Apr17_1_RID2F44",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/maaaaz/impacket-examples-windows",
            "yara_rule_description": "Tools related to Operation Cloud Hopper",
            "last_hit_utc": "2025-10-28 13:45:16"
        }
    ],
    "8701": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VenomRAT_v36",
            "yara_rule_author": "kirkderp",
            "yara_rule_reference": "https://github.com/kirkderp/yara",
            "yara_rule_description": "VenomRAT v3.6 (dcRAT/qwqdanchun fork) -- AMSI/ETW bypass, plugin loader, process kill list",
            "last_hit_utc": "2026-04-21 14:28:30"
        }
    ],
    "8702": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VioletClient_Detection",
            "yara_rule_author": "Anonymous",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects VioletClient string presence",
            "last_hit_utc": "2025-11-20 01:15:26"
        }
    ],
    "8703": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VPNFilterStage1",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-24 08:25:57"
        }
    ],
    "8704": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VPNFilterStage1",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-11-25 23:07:04"
        }
    ],
    "8705": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VPNFilterStage2",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-03-24 08:25:57"
        }
    ],
    "8706": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VPNFilterStage2",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-11-25 23:07:04"
        }
    ],
    "8707": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VSSown_VBS",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8708": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VSSown_VBS_RID2AAB",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8709": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VUBrute_config",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/xiIphp",
            "yara_rule_description": "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8710": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VUBrute_config",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/xiIphp",
            "yara_rule_description": "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8711": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VUBrute_VUBrute",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8712": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VUBrute_VUBrute",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8713": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VULN_Confluence_Questions_Plugin_CVE_2022_26138_Jul22_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/",
            "yara_rule_description": "Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8714": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VUL_JQuery_FileUpload_CVE_2018_9206",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/",
            "yara_rule_description": "Detects JQuery File Upload vulnerability CVE-2018-9206",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8715": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "VUL_JQuery_FileUpload_CVE_2018_9206_RID32A2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/",
            "yara_rule_description": "Detects JQuery File Upload vulnerability CVE-2018-9206",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8716": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WaterBug_fa_malware",
            "yara_rule_author": "Symantec Security Response",
            "yara_rule_reference": "http://t.co/rF35OaAXrl",
            "yara_rule_description": "Symantec Waterbug Attack - FA malware variant",
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "8717": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WaterBug_wipbot_2013_dll",
            "yara_rule_author": "Symantec Security Response",
            "yara_rule_reference": "http://t.co/rF35OaAXrl",
            "yara_rule_description": "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8718": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WCE_in_memory",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Windows Credential Editor (WCE) in memory (and also on disk)",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8719": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WCE_in_memory_RID2C1E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Windows Credential Editor (WCE) in memory (and also on disk)",
            "last_hit_utc": "2025-10-28 13:45:17"
        }
    ],
    "8720": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_201_3_ma_download",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp",
            "last_hit_utc": "2022-12-04 16:38:04"
        }
    ],
    "8721": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_APT_PHP_DEWMODE_UNC2546_Feb21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
            "yara_rule_description": "Detects DEWMODE webshells",
            "last_hit_utc": "2025-10-28 13:45:19"
        }
    ],
    "8722": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_ASPX_Chopper_Like_Mar21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Chopper like ASPX Webshells",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "8723": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_ASPX_Chopper_Like_Mar21_1_RID3288",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Chopper like ASPX Webshells",
            "last_hit_utc": "2025-10-28 13:45:20"
        }
    ],
    "8724": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_ASPX_FileExplorer_Mar21_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Chopper like ASPX Webshells",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "8725": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_ASPX_FileExplorer_Mar21_1_RID32A4",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects Chopper like ASPX Webshells",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "8726": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_ASPX_SportsBall",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
            "yara_rule_description": "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "8727": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_aZRaiLPhp_v1_0",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php",
            "last_hit_utc": "2023-08-29 13:01:13"
        }
    ],
    "8728": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_aZRaiLPhp_v1_0_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php",
            "last_hit_utc": "2025-10-28 13:45:21"
        }
    ],
    "8729": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_b374k_str",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "",
            "yara_rule_description": "Webshell b374k",
            "last_hit_utc": "2022-08-09 15:10:03"
        }
    ],
    "8730": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/nikicat/web-malware-collection",
            "yara_rule_description": "Detects Webshell - rule generated from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ...",
            "last_hit_utc": "2023-08-29 13:01:14"
        }
    ],
    "8731": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57_RID3A88",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/nikicat/web-malware-collection",
            "yara_rule_description": "Detects Webshell - rule generated from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ...",
            "last_hit_utc": "2023-08-29 13:01:14"
        }
    ],
    "8732": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2022-12-04 16:38:04"
        }
    ],
    "8733": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_browser_201_3_ma_download",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp",
            "last_hit_utc": "2022-12-04 16:38:04"
        }
    ],
    "8734": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_browser_201_3_ma_download_RID3412",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp",
            "last_hit_utc": "2022-12-04 16:38:04"
        }
    ],
    "8735": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_browser_201_3_ma_ma2_download",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp",
            "last_hit_utc": "2022-12-04 16:38:04"
        }
    ],
    "8736": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_browser_201_3_ma_ma2_download_RID3571",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp",
            "last_hit_utc": "2022-12-04 16:38:04"
        }
    ],
    "8737": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_c100",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/nikicat/web-malware-collection",
            "yara_rule_description": "Detects Webshell - rule generated from files c100 v. 777shell",
            "last_hit_utc": "2023-08-29 13:01:14"
        }
    ],
    "8738": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_c99madshell_v2_1_RID305C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8739": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_c99shell_v1_0_RID2F28",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8740": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_c99shell_v1_0_SsEs_RID3105",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8741": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_c99_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/nikicat/web-malware-collection",
            "yara_rule_description": "Detects C99 Webshell",
            "last_hit_utc": "2023-08-29 13:01:14"
        }
    ],
    "8742": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_c99_4_RID2C0E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/nikicat/web-malware-collection",
            "yara_rule_description": "Detects C99 Webshell",
            "last_hit_utc": "2023-08-29 13:01:14"
        }
    ],
    "8743": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_c99_c99shell_c99_w4cking_Shell_xxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci] .Biz was here.php, acid.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99.php, c99shell.php",
            "last_hit_utc": "2025-06-16 15:19:33"
        }
    ],
    "8744": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_c99_c99shell_c99_w4cking_Shell_xxx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-06-16 15:19:33"
        }
    ],
    "8745": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_c99_generic",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated",
            "last_hit_utc": "2025-06-16 15:19:33"
        }
    ],
    "8746": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_c99_generic2_RID2EE9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated",
            "last_hit_utc": "2025-06-16 15:19:33"
        }
    ],
    "8747": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_c99_generic_RID2EB7",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated",
            "last_hit_utc": "2025-06-16 15:19:33"
        }
    ],
    "8748": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_C99_Shell_ci_Biz_RID3061",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects Web Shell from tennc webshell repo",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8749": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8750": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8751": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_C99_w4cking_Shell_RID30C8",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects Web Shell from tennc webshell repo",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8752": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_e8eaf8da94012e866e51547cd63bb996379690bf",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/bartblaze/PHP-backdoors",
            "yara_rule_description": "Detects a web shell",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "8753": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_e8eaf8da94012e866e51547cd63bb996379690bf_RID3586",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/bartblaze/PHP-backdoors",
            "yara_rule_description": "Detects a web shell",
            "last_hit_utc": "2025-10-28 13:45:26"
        }
    ],
    "8754": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_FeliksPack3___PHP_Shells_r57_RID34C2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file r57.php",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8755": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_FSO_s_c99_RID2D94",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file c99.php",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8756": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_Generic_PHP_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php",
            "last_hit_utc": "2023-08-29 13:01:17"
        }
    ],
    "8757": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_Generic_PHP_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files Dive Shell 1.0",
            "last_hit_utc": "2023-08-29 13:01:17"
        }
    ],
    "8758": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_Generic_PHP_9",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php",
            "last_hit_utc": "2023-08-29 13:01:17"
        }
    ],
    "8759": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_GFS",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8760": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_GFS",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8761": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_G_APT_BackdoorWebshell_SLAYSTYLE_1",
            "yara_rule_author": "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)",
            "yara_rule_reference": "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign",
            "yara_rule_description": "Detects webshell used by APT group UNC5221 (China Nexus)",
            "last_hit_utc": "2025-11-04 10:03:55"
        }
    ],
    "8762": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_G_APT_BackdoorWebshell_SLAYSTYLE_2",
            "yara_rule_author": "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)",
            "yara_rule_reference": "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign",
            "yara_rule_description": "Detects webshell used by APT group UNC5221 (China Nexus)",
            "last_hit_utc": "2025-11-04 10:03:55"
        }
    ],
    "8763": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_h4ntu_shell__powered_by_tsoi_",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php",
            "last_hit_utc": "2023-08-29 13:01:18"
        }
    ],
    "8764": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_h4ntu_shell__powered_by_tsoi_",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php",
            "last_hit_utc": "2023-08-29 13:01:18"
        }
    ],
    "8765": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_h4ntu_shell__powered_by_tsoi__RID365B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php",
            "last_hit_utc": "2023-08-29 13:01:18"
        }
    ],
    "8766": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_ironshell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file ironshell.php",
            "last_hit_utc": "2023-08-29 13:01:18"
        }
    ],
    "8767": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_IronShell_4",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file ironshell.php",
            "last_hit_utc": "2025-10-28 13:45:29"
        }
    ],
    "8768": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_JAVA_VersaMem_JAR_Aug24_2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://x.com/craiu/status/1828687700884336990",
            "yara_rule_description": "Detects VersaMem Java webshell samples (as used by Volt Typhoon)",
            "last_hit_utc": "2025-01-03 21:42:10"
        }
    ],
    "8769": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_jsp_by_string",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "JSP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are caught by other rules in here but maybe these catch different versions.",
            "last_hit_utc": "2022-01-17 13:04:06"
        }
    ],
    "8770": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_jsp_cmd",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Web Shell - file cmd.jsp",
            "last_hit_utc": "2022-01-17 13:04:06"
        }
    ],
    "8771": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_jsp_generic_classloader",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Generic JSP webshell which uses classloader to execute user input",
            "last_hit_utc": "2022-01-17 13:04:06"
        }
    ],
    "8772": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_JSP_MA_download_RID3037",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp",
            "last_hit_utc": "2022-12-04 16:38:04"
        }
    ],
    "8773": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_JSP_Nov21_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.ic3.gov/Media/News/2021/211117-2.pdf",
            "yara_rule_description": "Detects JSP webshells",
            "last_hit_utc": "2022-10-05 10:05:01"
        }
    ],
    "8774": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php",
            "last_hit_utc": "2023-08-29 13:01:19"
        }
    ],
    "8775": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php",
            "last_hit_utc": "2025-10-28 13:45:30"
        }
    ],
    "8776": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_multiple_php_webshells_2_RID3472",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated",
            "last_hit_utc": "2025-06-16 15:19:34"
        }
    ],
    "8777": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_PAS_webshell_SQLDumpFile",
            "yara_rule_author": "FR/ANSSI/SDO",
            "yara_rule_reference": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
            "yara_rule_description": "Detects SQL dump file created by P.A.S. webshell",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "8778": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_PAS_webshell_ZIPArchiveFile",
            "yara_rule_author": "FR/ANSSI/SDO (modified by Florian Roth)",
            "yara_rule_reference": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
            "yara_rule_description": "Detects an archive file created by P.A.S. for download operation",
            "last_hit_utc": "2025-10-28 13:45:31"
        }
    ],
    "8779": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_PHP_404",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Web Shell - file 404.php",
            "last_hit_utc": "2021-08-20 23:47:04"
        }
    ],
    "8780": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_php_backdoor",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file php-backdoor.php",
            "last_hit_utc": "2023-08-29 13:01:20"
        }
    ],
    "8781": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_PHP_Backdoor_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file php-backdoor.php",
            "last_hit_utc": "2025-10-28 13:45:32"
        }
    ],
    "8782": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_php_by_string_known_webshell",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.",
            "last_hit_utc": "2021-12-24 21:28:04"
        }
    ],
    "8783": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_PHP_DEWMODE_UNC2546_Feb21_1_RID3187",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
            "yara_rule_description": "Detects DEWMODE webshells",
            "last_hit_utc": "2025-10-28 13:45:33"
        }
    ],
    "8784": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_php_dynamic_big",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k",
            "last_hit_utc": "2021-08-20 23:47:04"
        }
    ],
    "8785": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_php_function_via_get",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "Webshell which sends eval/assert via GET",
            "last_hit_utc": "2021-08-20 23:47:04"
        }
    ],
    "8786": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_php_gzinflated",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP webshell which directly eval()s obfuscated string",
            "last_hit_utc": "2021-05-24 11:13:06"
        }
    ],
    "8787": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_php_obfuscated",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "PHP webshell obfuscated",
            "last_hit_utc": "2022-02-22 03:37:04"
        }
    ],
    "8788": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_php_obfuscated_3",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "PHP webshell which eval()s obfuscated string",
            "last_hit_utc": "2022-05-11 00:13:02"
        }
    ],
    "8789": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_php_obfuscated_encoding_mixed_dec_and_hex",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "PHP webshell obfuscated by encoding of mixed hex and dec",
            "last_hit_utc": "2021-08-22 09:11:05"
        }
    ],
    "8790": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_PHP_r57142",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Web Shell - file r57142.php",
            "last_hit_utc": "2021-08-20 23:47:04"
        }
    ],
    "8791": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_php_strings_susp",
            "yara_rule_author": "Arnim Rupp",
            "yara_rule_reference": "",
            "yara_rule_description": "typical webshell strings, suspicious",
            "last_hit_utc": "2021-12-24 21:28:04"
        }
    ],
    "8792": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_php_webshells_myshell_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file myshell.php",
            "last_hit_utc": "2025-10-28 13:45:35"
        }
    ],
    "8793": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_r577_php_php_SnIpEr_3_RID322B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:35"
        }
    ],
    "8794": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_r57shell_2_RID2E2D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file r57shell.php",
            "last_hit_utc": "2025-06-16 15:19:35"
        }
    ],
    "8795": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_r57shell_3_RID2E2E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file r57shell.php",
            "last_hit_utc": "2025-06-16 15:19:35"
        }
    ],
    "8796": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php",
            "last_hit_utc": "2025-06-16 15:19:35"
        }
    ],
    "8797": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-06-16 15:19:35"
        }
    ],
    "8798": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_r57shell_RID2D9C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Webshells Auto-generated - file r57shell.php",
            "last_hit_utc": "2025-06-16 15:19:35"
        }
    ],
    "8799": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_r57shell_SnIpEr_EgY_SpIdEr_RID3416",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Detects Web Shell from tennc webshell repo",
            "last_hit_utc": "2025-06-16 15:19:35"
        }
    ],
    "8800": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_Shell_ci_Biz_was_here_c100_v_xxx",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8801": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_Shell_ci_Biz_was_here_c100_v_xxx",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8802": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8803": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8804": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend_RID3A73",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8805": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_SpecialShell_99a_RID3091",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8806": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_SpecialShell_99c_RID3093",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8807": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_SpecialShell_99d_RID3094",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8808": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_SpecialShell_99_php_c_RID3299",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8809": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_SpecialShell_99_php_php_RID337E",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8810": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_Spy_r57_RID2D1F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:36"
        }
    ],
    "8811": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell_templatr_RID2E0F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://tools.zjqhr.com/",
            "yara_rule_description": "Chinese Hacktool Set - file templatr.php",
            "last_hit_utc": "2024-02-15 15:28:03"
        }
    ],
    "8812": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_webshells_new_JJJsp2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file JJJsp2.jsp",
            "last_hit_utc": "2020-08-29 08:36:42"
        }
    ],
    "8813": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_webshells_new_JJjsp3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Web shells - generated from file JJjsp3.jsp",
            "last_hit_utc": "2020-08-29 08:36:42"
        }
    ],
    "8814": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_webshells_new_php5",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Web shells - generated from file php5.php",
            "last_hit_utc": "2022-01-17 13:04:06"
        }
    ],
    "8815": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_webshell_cnseay02_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Web Shell - file webshell-cnseay02-1.php",
            "last_hit_utc": "2022-01-17 13:04:06"
        }
    ],
    "8816": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_WinX_Shell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file WinX Shell.php",
            "last_hit_utc": "2023-08-29 13:01:28"
        }
    ],
    "8817": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell_WinX_Shell_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - file WinX Shell.php",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "8818": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "webshell_wso2_5_1_wso2_5_wso2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php",
            "last_hit_utc": "2025-01-23 05:09:03"
        }
    ],
    "8819": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WEBSHELL_Z_WebShell_1",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
            "yara_rule_description": "Detects Z Webshell from NCSC report",
            "last_hit_utc": "2025-10-28 13:45:46"
        }
    ],
    "8820": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Webshell__1_c2007_php_php_c100_php_RID3309",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "-",
            "yara_rule_description": "Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt",
            "last_hit_utc": "2025-06-16 15:19:32"
        }
    ],
    "8821": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell__CrystalShell_v_1_sosyete_stres",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php",
            "last_hit_utc": "2025-06-16 15:19:33"
        }
    ],
    "8822": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell__CrystalShell_v_1_sosyete_stres",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php",
            "last_hit_utc": "2025-06-16 15:19:32"
        }
    ],
    "8823": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WebShell__findsock_php_findsock_shell_php_reverse_shell",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php",
            "last_hit_utc": "2022-05-13 10:17:03"
        }
    ],
    "8824": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Wellmess",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect WellMess in memory",
            "last_hit_utc": "2020-09-08 14:33:18"
        }
    ],
    "8825": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "whitesnake_stealer",
            "yara_rule_author": "Nikolaos 'n0t' Totosis",
            "yara_rule_reference": null,
            "yara_rule_description": "WhiteSname Stealer Payload",
            "last_hit_utc": "2023-05-14 18:43:03"
        }
    ],
    "8826": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WildNeutron_Sample_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/",
            "yara_rule_description": "Wild Neutron APT Sample Rule - file c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0",
            "last_hit_utc": "2025-06-16 15:52:32"
        }
    ],
    "8827": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WiltedTulip_powershell",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects powershell script used in Operation Wilted Tulip",
            "last_hit_utc": "2025-10-28 13:45:47"
        }
    ],
    "8828": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WiltedTulip_powershell_RID302C",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects powershell script used in Operation Wilted Tulip",
            "last_hit_utc": "2025-10-28 13:45:47"
        }
    ],
    "8829": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WiltedTulip_Tools_clrlg",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects Windows eventlog cleaner used in Operation Wilted Tulip - file clrlg.bat",
            "last_hit_utc": "2026-03-27 07:22:19"
        }
    ],
    "8830": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WiltedTulip_Tools_clrlg_RID306B",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.clearskysec.com/tulip",
            "yara_rule_description": "Detects Windows eventlog cleaner used in Operation Wilted Tulip - file clrlg.bat",
            "last_hit_utc": "2026-03-27 07:22:19"
        }
    ],
    "8831": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32FertgerHavex",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-11 15:43:21"
        }
    ],
    "8832": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32OPCHavex",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-20 18:13:20"
        }
    ],
    "8833": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win32_agent_tesla",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting AgentTesla malware",
            "last_hit_utc": "2025-06-16 16:19:00"
        }
    ],
    "8834": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Buzus_Softpulse",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "",
            "yara_rule_description": "Trojan Buzus / Softpulse",
            "last_hit_utc": "2022-07-15 17:20:03"
        }
    ],
    "8835": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Infostealer_LumarStealer",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects LumarStealer infostealer.",
            "last_hit_utc": "2025-01-05 17:25:00"
        }
    ],
    "8836": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WIN32_MALWR_POSSIBLE_EMOTET_07_20",
            "yara_rule_author": "Jesper Mikkelsen",
            "yara_rule_reference": "https://www.virustotal.com/gui/file/03665e203217c40ee4e82777fd756c8e696d4068f5346f39cc132bd8bc4dc3c7/details",
            "yara_rule_description": "Possible EMOTET payload",
            "last_hit_utc": "2025-01-03 20:06:11"
        }
    ],
    "8837": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_PUA_Domaiq",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Domaiq potentially unwanted application.",
            "last_hit_utc": "2025-12-30 09:32:14"
        }
    ],
    "8838": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_CryptoLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects CryptoLocker ransomware.",
            "last_hit_utc": "2023-06-09 06:53:02"
        }
    ],
    "8839": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Crysis",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Crysis ransomware.",
            "last_hit_utc": "2023-01-24 09:18:07"
        }
    ],
    "8840": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Elpaco",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Elpaco ransomware.",
            "last_hit_utc": "2025-05-31 19:12:28"
        }
    ],
    "8841": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_FCT",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects FCT ransomware.",
            "last_hit_utc": "2022-04-25 13:07:02"
        }
    ],
    "8842": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_GPCode",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Gpcode ransomware.",
            "last_hit_utc": "2023-01-15 13:30:09"
        }
    ],
    "8843": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_HDDCryptor",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects HDDCryptor ransomware.",
            "last_hit_utc": "2022-08-19 15:47:02"
        }
    ],
    "8844": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Koxic",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Koxic ransomware.",
            "last_hit_utc": "2022-10-11 08:31:29"
        }
    ],
    "8845": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Lorenz",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Lorenz ransomware.",
            "last_hit_utc": "2023-03-10 18:59:03"
        }
    ],
    "8846": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Makop",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Makop ransomware.",
            "last_hit_utc": "2023-04-15 03:12:03"
        }
    ],
    "8847": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_MedusaLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects MedusaLocker ransomware.",
            "last_hit_utc": "2023-03-11 04:47:02"
        }
    ],
    "8848": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_MountLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects MountLocker ransomware.",
            "last_hit_utc": "2021-05-12 17:20:28"
        }
    ],
    "8849": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Nefilim",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Nefilim ransomware.",
            "last_hit_utc": "2023-03-05 13:41:05"
        }
    ],
    "8850": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Plague17",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Plague17 ransomware.",
            "last_hit_utc": "2022-11-30 15:52:03"
        }
    ],
    "8851": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Povlsomware",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Povlsomware ransomware.",
            "last_hit_utc": "2023-11-20 22:55:04"
        }
    ],
    "8852": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_PXJ",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects PXJ ransomware.",
            "last_hit_utc": "2022-04-28 11:03:02"
        }
    ],
    "8853": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Ryuk",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Ryuk ransomware.",
            "last_hit_utc": "2022-01-28 10:30:17"
        }
    ],
    "8854": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Sage",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Sage ransomware.",
            "last_hit_utc": "2022-04-29 06:54:08"
        }
    ],
    "8855": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Saturn",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Saturn ransomware.",
            "last_hit_utc": "2023-03-06 20:18:03"
        }
    ],
    "8856": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_TorrentLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects TorrentLocker ransomware.",
            "last_hit_utc": "2021-03-15 19:32:06"
        }
    ],
    "8857": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_WormLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects WormLocker ransomware.",
            "last_hit_utc": "2022-06-20 17:19:02"
        }
    ],
    "8858": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_Zeoticus",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Zeoticus ransomware.",
            "last_hit_utc": "2021-04-24 15:04:44"
        }
    ],
    "8859": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Ransomware_ZeroLocker",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects ZeroLocker ransomware.",
            "last_hit_utc": "2022-09-24 09:41:08"
        }
    ],
    "8860": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WIN32_RANSOM_SODINOKIBI_CONFIG_DECRYPT",
            "yara_rule_author": "!j",
            "yara_rule_reference": null,
            "yara_rule_description": "detects the config decryption pattern of sodinokibi",
            "last_hit_utc": "2021-05-03 17:05:13"
        }
    ],
    "8861": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win32_safengine",
            "yara_rule_author": "Reedus0",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detecting safengine packer",
            "last_hit_utc": "2025-06-16 15:20:11"
        }
    ],
    "8862": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win32_Trojan_HermeticWiper",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects HermeticWiper trojan.",
            "last_hit_utc": "2022-03-29 17:31:03"
        }
    ],
    "8863": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win64_Backdoor_Konni",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Konni backdoor.",
            "last_hit_utc": "2024-06-05 10:59:02"
        }
    ],
    "8864": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win64_Backdoor_MiyaRAT",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects MiyaRAT backdoor.",
            "last_hit_utc": "2025-11-24 16:38:22"
        }
    ],
    "8865": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win64_Backdoor_wmRAT",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects wmRAT backdoor.",
            "last_hit_utc": "2025-11-24 16:38:21"
        }
    ],
    "8866": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win64_Infostealer_Skuld",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Skuld infostealer.",
            "last_hit_utc": "2025-06-26 07:52:42"
        }
    ],
    "8867": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win64_Ransomware_Ako",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "Yara rule that detects Ako ransomware.",
            "last_hit_utc": "2022-04-24 03:49:02"
        }
    ],
    "8868": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win64_Ransomware_Albabat",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Albabat ransomware.",
            "last_hit_utc": "2025-06-16 16:03:53"
        }
    ],
    "8869": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win64_Ransomware_Curator",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Curator ransomware.",
            "last_hit_utc": "2021-05-21 09:42:43"
        }
    ],
    "8870": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win64_Ransomware_Pandora",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule that detects Pandora ransomware.",
            "last_hit_utc": "2023-02-03 15:38:03"
        }
    ],
    "8871": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win7Elevatev2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html",
            "yara_rule_description": "Detects Win7Elevate - Windows UAC bypass utility",
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "8872": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WindosShell_s1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/odzhan/shells/",
            "yara_rule_description": "Detects simple Windows shell - file s1.exe",
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "8873": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WindosShell_s1_RID2C80",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/odzhan/shells/",
            "yara_rule_description": "Detects simple Windows shell - file s1.exe",
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "8874": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WindowsShell_Gen",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/odzhan/shells/",
            "yara_rule_description": "Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "8875": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WindowsShell_Gen2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/odzhan/shells/",
            "yara_rule_description": "Detects simple Windows shell - from files s3.exe, s4.exe",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "8876": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WindowsShell_Gen2_RID2D9F",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/odzhan/shells/",
            "yara_rule_description": "Detects simple Windows shell - from files s3.exe, s4.exe",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "8877": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WindowsShell_Gen_RID2D6D",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/odzhan/shells/",
            "yara_rule_description": "Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "8878": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WindowsShell_s3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/odzhan/shells/",
            "yara_rule_description": "Detects simple Windows shell - file s3.exe",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "8879": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WindowsShell_s3_RID2CF9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/odzhan/shells/",
            "yara_rule_description": "Detects simple Windows shell - file s3.exe",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "8880": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Exploit_Eternalblue_ead33bf8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-01-31 15:13:02"
        }
    ],
    "8881": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Exploit_IoRing_1e4a8f47",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:45:37"
        }
    ],
    "8882": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Exploit_RpcJunction_0405253b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:40:46"
        }
    ],
    "8883": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_MalCert_276c83b7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:02:22"
        }
    ],
    "8884": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_MalCert_ad55864e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-11 10:10:28"
        }
    ],
    "8885": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_MalCert_c9e89da2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-03-19 03:51:10"
        }
    ],
    "8886": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_MalCert_e507f27b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-01 22:05:09"
        }
    ],
    "8887": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_0ff403df",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 22:25:20"
        }
    ],
    "8888": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_2ae9b09e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-02-28 02:45:10"
        }
    ],
    "8889": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_2f726f2d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-10 11:37:52"
        }
    ],
    "8890": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_3613fa12",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:47:48"
        }
    ],
    "8891": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_48cbdc20",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:35:22"
        }
    ],
    "8892": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_4a605e93",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-24 14:45:03"
        }
    ],
    "8893": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_4c37e16e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-06 06:34:29"
        }
    ],
    "8894": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_54b0ec47",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:26:44"
        }
    ],
    "8895": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_59698796",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:04:45"
        }
    ],
    "8896": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_5be3a474",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-08-06 06:34:29"
        }
    ],
    "8897": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_5e33bb4b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:42:45"
        }
    ],
    "8898": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_6542ebda",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-26 07:31:15"
        }
    ],
    "8899": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_7bb75582",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:04:45"
        }
    ],
    "8900": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_8b790aba",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-02 02:28:28"
        }
    ],
    "8901": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_90e4f085",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-04-09 13:31:03"
        }
    ],
    "8902": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_a82f45a8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-15 08:10:41"
        }
    ],
    "8903": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_aa30a738",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-05 15:11:19"
        }
    ],
    "8904": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_b191061e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-15 07:41:50"
        }
    ],
    "8905": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_b7870213",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:39:24"
        }
    ],
    "8906": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_ba807e3e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:18:38"
        }
    ],
    "8907": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_bbf2a354",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 23:12:48"
        }
    ],
    "8908": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_bf7aae24",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:29:55"
        }
    ],
    "8909": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_c3c4e847",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-04-26 07:31:15"
        }
    ],
    "8910": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_cafbd6a3",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-12 18:40:32"
        }
    ],
    "8911": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Generic_Threat_d6625ad7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:21:13"
        }
    ],
    "8912": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Hacktool_Capcom_7abae448",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Subject: CAPCOM Co.,Ltd.",
            "last_hit_utc": "2022-11-25 23:33:02"
        }
    ],
    "8913": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Hacktool_DarkLoadLibrary_c25ee4eb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-04 07:30:22"
        }
    ],
    "8914": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Hacktool_EDRWFP_f6d7db7a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 21:11:06"
        }
    ],
    "8915": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Hacktool_Gmer_8aabdd5e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:50:23"
        }
    ],
    "8916": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Hacktool_LeiGod_3f5c98c4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-08 13:45:36"
        }
    ],
    "8917": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Hacktool_SharpChromium_41ce5080",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:14:31"
        }
    ],
    "8918": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Hacktool_SharPersist_06606812",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "8919": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Hacktool_SharpRDP_80895fcb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-22 18:16:18"
        }
    ],
    "8920": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Hacktool_SharpView_2c7603ad",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-11 16:27:10"
        }
    ],
    "8921": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Loader_SquirrelWaffle",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies strings/byte sequence used in unpacked SquirrelWaffle loader",
            "last_hit_utc": "2023-03-24 08:00:56"
        }
    ],
    "8922": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Clop_6a1670aa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop",
            "yara_rule_description": "Identifies CLOP ransomware in unpacked state",
            "last_hit_utc": "2023-06-06 18:13:02"
        }
    ],
    "8923": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Clop_9ac9ea3e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop",
            "yara_rule_description": "Identifies CLOP ransomware in unpacked state",
            "last_hit_utc": "2023-06-06 18:13:02"
        }
    ],
    "8924": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Conti_89f3f6fa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-16 06:52:06"
        }
    ],
    "8925": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Helloxd_0c50f01b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-11 16:27:10"
        }
    ],
    "8926": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Makop_3e388338",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-07 18:00:05"
        }
    ],
    "8927": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Maze_46f40c40",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/",
            "yara_rule_description": "Identifies MAZE ransomware",
            "last_hit_utc": "2025-04-20 02:18:07"
        }
    ],
    "8928": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Maze_61254061",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/",
            "yara_rule_description": "Identifies MAZE ransomware",
            "last_hit_utc": "2025-04-20 02:18:07"
        }
    ],
    "8929": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Maze_f88f136f",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/",
            "yara_rule_description": "Identifies MAZE ransomware",
            "last_hit_utc": "2025-04-20 02:18:07"
        }
    ],
    "8930": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Nightsky_253c4d0d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-02-03 15:38:03"
        }
    ],
    "8931": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Pandora_bca8ce23",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-02-03 15:38:03"
        }
    ],
    "8932": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Ragnarok_1cab7ea1",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20",
            "yara_rule_description": "Identifies RAGNAROK ransomware",
            "last_hit_utc": "2024-06-11 10:49:04"
        }
    ],
    "8933": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Ragnarok_7e802f95",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20",
            "yara_rule_description": "Identifies RAGNAROK ransomware",
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "8934": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Ragnarok_efafbe48",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20",
            "yara_rule_description": "Identifies RAGNAROK ransomware",
            "last_hit_utc": "2023-09-11 16:27:10"
        }
    ],
    "8935": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Royal_b7d42109",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-01-30 11:38:03"
        }
    ],
    "8936": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Ryuk_72b5fd9d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
            "yara_rule_description": "Identifies RYUK ransomware",
            "last_hit_utc": "2022-12-20 10:42:04"
        }
    ],
    "8937": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Ransomware_Ryuk_88daaf8e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
            "yara_rule_description": "Identifies RYUK ransomware",
            "last_hit_utc": "2022-12-20 10:42:04"
        }
    ],
    "8938": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_RemoteAdmin_UltraVNC_965f054a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-09-27 05:33:08"
        }
    ],
    "8939": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_ArkeiStealer_84c7086a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-13 02:45:03"
        }
    ],
    "8940": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Bitrat_34bd6c83",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:32:32"
        }
    ],
    "8941": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Blister_cb99a1df",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "8942": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Clipbanker_b60a50b8",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-06-30 07:52:03"
        }
    ],
    "8943": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_09b79efa",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Invoke Assembly module from Cobalt Strike",
            "last_hit_utc": "2025-01-05 17:08:19"
        }
    ],
    "8944": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_15f680fb",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Netview module from Cobalt Strike",
            "last_hit_utc": "2025-01-05 17:08:19"
        }
    ],
    "8945": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_29374056",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies Cobalt Strike MZ Reflective Loader.",
            "last_hit_utc": "2022-10-30 18:15:04"
        }
    ],
    "8946": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_5b4383ec",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Portscan module from Cobalt Strike",
            "last_hit_utc": "2025-01-05 17:08:19"
        }
    ],
    "8947": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_8519072e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Cobalt Strike trial/default versions",
            "last_hit_utc": "2022-12-21 20:04:03"
        }
    ],
    "8948": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_91e08059",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Post Ex module from Cobalt Strike",
            "last_hit_utc": "2025-01-05 17:08:19"
        }
    ],
    "8949": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_91e08059",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies Post Ex module from Cobalt Strike",
            "last_hit_utc": "2025-01-05 17:08:19"
        }
    ],
    "8950": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_b54b94ac",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Rule for beacon sleep obfuscation routine",
            "last_hit_utc": "2022-10-27 17:56:30"
        }
    ],
    "8951": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_CobaltStrike_c851687a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Identifies UAC Bypass module from Cobalt Strike",
            "last_hit_utc": "2025-01-05 17:08:19"
        }
    ],
    "8952": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_DarkGate_fa1f1338",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-01-20 09:16:03"
        }
    ],
    "8953": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_DarkVNC_bd803c2e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-06-30 20:03:34"
        }
    ],
    "8954": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_DoubleBack_d2246a35",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-12-27 18:30:05"
        }
    ],
    "8955": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Dridex_63ddf193",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-28 04:31:33"
        }
    ],
    "8956": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_FalseFont_d1f0d357",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:37:14"
        }
    ],
    "8957": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Generic_eb47e754",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-19 22:35:17"
        }
    ],
    "8958": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Generic_f0c79978",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "8959": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Gh0st_ee6de6bc",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies a variant of Gh0st Rat",
            "last_hit_utc": "2022-10-30 18:12:03"
        }
    ],
    "8960": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_GhostPulse_3fe1d02d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:48:22"
        }
    ],
    "8961": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Glupteba_4669dcd6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-06-26 04:11:04"
        }
    ],
    "8962": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Glupteba_70557305",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-06-26 04:11:04"
        }
    ],
    "8963": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Gozi_261f5ac5",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:39:25"
        }
    ],
    "8964": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_HazelCobra_6a9fe48a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:51:05"
        }
    ],
    "8965": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Jupyter_56152e31",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-04 08:55:22"
        }
    ],
    "8966": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Jupyter_56152e31",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 20:34:55"
        }
    ],
    "8967": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Lumma_f2dabb49",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-02-17 04:29:15"
        }
    ],
    "8968": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Metasploit_2092c42a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 17:04:20"
        }
    ],
    "8969": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_NightshadeC2_80e08aba",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-29 04:04:18"
        }
    ],
    "8970": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_NukeSped_b8e6cc07",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-04-15 07:44:38"
        }
    ],
    "8971": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_OnlyLogger_b9e88336",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-01-05 00:36:03"
        }
    ],
    "8972": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Pandastealer_8b333e76",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-07 16:57:04"
        }
    ],
    "8973": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Parallax_b4ea4f1a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-15 19:15:05"
        }
    ],
    "8974": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_PikaBot_5441f511",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/pikabot-i-choose-you",
            "yara_rule_description": "Related to Pikabot core",
            "last_hit_utc": "2025-01-03 23:02:33"
        }
    ],
    "8975": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_PikaBot_5b220e9c",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-03-02 17:12:03"
        }
    ],
    "8976": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_PikaBot_95db8b5a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/pikabot-i-choose-you",
            "yara_rule_description": "Related to Pikabot loader",
            "last_hit_utc": "2024-03-26 19:58:43"
        }
    ],
    "8977": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Qbot_7d5dc64a",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-08-18 03:28:03"
        }
    ],
    "8978": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_983cd7a7",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:19:44"
        }
    ],
    "8979": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_d25e974b",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-01-12 11:34:03"
        }
    ],
    "8980": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_RedLineStealer_d4b38e13",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-11-30 21:51:01"
        }
    ],
    "8981": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Remotemanipulator_9ec52153",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-09 04:21:01"
        }
    ],
    "8982": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Revengerat_db91bcc6",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-10 10:18:03"
        }
    ],
    "8983": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Rhadamanthys_cf5dd2e2",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-07-16 14:25:45"
        }
    ],
    "8984": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Smokeloader_4e31426e",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-07 06:27:16"
        }
    ],
    "8985": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Smokeloader_a01aa3ab",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-07 06:27:16"
        }
    ],
    "8986": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_SystemBC_5e883723",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-01-13 16:50:03"
        }
    ],
    "8987": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Trickbot_91516cf4",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Generic signature used to identify Trickbot module usage",
            "last_hit_utc": "2025-01-05 16:50:19"
        }
    ],
    "8988": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Trickbot_dcf25dde",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Targets networkDll64.dll module containing functionality to gather network and system information",
            "last_hit_utc": "2025-01-05 16:50:19"
        }
    ],
    "8989": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Vidar_32fea8da",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-05-02 07:14:09"
        }
    ],
    "8990": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Vidar_5e3e5c75",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-15 07:00:29"
        }
    ],
    "8991": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Winos_a60d5880",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-13 04:28:16"
        }
    ],
    "8992": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_Trojan_Xpertrat_ce03c41d",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-06-10 18:06:03"
        }
    ],
    "8993": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Windows_VulnDriver_IoBitUnlocker_defb90fd",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://theevilbit.github.io/posts/iobit_unlocker_lpe/",
            "yara_rule_description": "Name: IObitUnlocker.sys, Version: 1.0.X.Y to 1.3.X.Y",
            "last_hit_utc": "2025-12-02 07:28:13"
        }
    ],
    "8994": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WinEggDropShellFinal_zip_Folder_InjectT",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file InjectT.exe",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "8995": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WinEggDropShellFinal_zip_Folder_InjectT",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - file InjectT.exe",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "8996": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Winexe_RemoteExec",
            "yara_rule_author": "Florian Roth (Nextron Systems), Robert Simmons",
            "yara_rule_reference": "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf",
            "yara_rule_description": "Winexe tool for remote execution (also used by Sofacy group)",
            "last_hit_utc": "2025-01-03 22:37:32"
        }
    ],
    "8997": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Winexe_RemoteExec_RID2DD1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf",
            "yara_rule_description": "Winexe tool for remote execution (also used by Sofacy group)",
            "last_hit_utc": "2025-01-03 22:37:32"
        }
    ],
    "8998": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WinLock",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies WinLock (aka Blocker) ransomware variants generically.",
            "last_hit_utc": "2022-03-12 08:31:04"
        }
    ],
    "8999": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WINNTI_KingSoft_Moz_Confustion",
            "yara_rule_author": "Markus Neis",
            "yara_rule_reference": "https://www.virustotal.com/en/file/070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496/analysis/",
            "yara_rule_description": "Detects Barium sample with Copyright confusion",
            "last_hit_utc": "2021-02-27 01:45:58"
        }
    ],
    "9000": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Winnti_Linux",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-12-19 22:35:17"
        }
    ],
    "9001": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WinUpackv039finalByDwingc2005h1",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-17 18:13:03"
        }
    ],
    "9002": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_abaddon_pos_w0",
            "yara_rule_author": "Darien Huss, Proofpoint",
            "yara_rule_reference": "md5,317f9c57f7983e2608d5b2f00db954ff",
            "yara_rule_description": "AbaddonPOS",
            "last_hit_utc": "2025-01-03 20:34:54"
        }
    ],
    "9003": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_abantes_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-03 19:33:59"
        }
    ],
    "9004": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_abantes_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-06-04 23:14:22"
        }
    ],
    "9005": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_abcsync_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.abcsync.",
            "last_hit_utc": "2025-08-31 02:29:35"
        }
    ],
    "9006": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_acidbox_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.acidbox.",
            "last_hit_utc": "2025-01-05 15:46:14"
        }
    ],
    "9007": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_agent_btz_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.agent_btz.",
            "last_hit_utc": "2022-08-31 04:01:03"
        }
    ],
    "9008": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_agent_tesla_w0",
            "yara_rule_author": "InQuest Labs",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2021-11-22 05:31:04"
        }
    ],
    "9009": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_agent_tesla_w1337",
            "yara_rule_author": "govcert_ch",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect Agent Tesla based on common .NET code sequences",
            "last_hit_utc": "2021-02-22 12:35:06"
        }
    ],
    "9010": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_amadey_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.amadey.",
            "last_hit_utc": "2021-12-09 14:07:04"
        }
    ],
    "9011": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_antilam_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-05-06 19:11:42"
        }
    ],
    "9012": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_appleseed_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.appleseed.",
            "last_hit_utc": "2021-11-03 12:22:54"
        }
    ],
    "9013": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_arkei_stealer_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-06 11:58:22"
        }
    ],
    "9014": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_arkei_stealer_w0",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-10-05 05:33:07"
        }
    ],
    "9015": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_artra_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.artra.",
            "last_hit_utc": "2021-08-28 14:48:36"
        }
    ],
    "9016": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_astralocker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.astralocker.",
            "last_hit_utc": "2022-11-07 18:20:03"
        }
    ],
    "9017": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_atmspitter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.atmspitter.",
            "last_hit_utc": "2025-06-16 16:45:17"
        }
    ],
    "9018": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_avzhan_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-07 20:32:59"
        }
    ],
    "9019": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_badencript_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-06-19 13:45:03"
        }
    ],
    "9020": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_badnews_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.badnews.",
            "last_hit_utc": "2022-04-13 06:06:02"
        }
    ],
    "9021": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_bandook_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-07-02 06:02:10"
        }
    ],
    "9022": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_batchwiper_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.batchwiper.",
            "last_hit_utc": "2023-02-03 15:53:03"
        }
    ],
    "9023": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_billgates_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.billgates.",
            "last_hit_utc": "2021-07-28 18:34:00"
        }
    ],
    "9024": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_biodata_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-07-15 15:54:03"
        }
    ],
    "9025": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_bit_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-17 12:15:58"
        }
    ],
    "9026": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_bit_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-08-23 18:49:04"
        }
    ],
    "9027": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_blackbasta_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.blackbasta.",
            "last_hit_utc": "2025-07-25 03:05:34"
        }
    ],
    "9028": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_blackbasta_w0",
            "yara_rule_author": "rcoliveira@protonmail.com",
            "yara_rule_reference": null,
            "yara_rule_description": "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.",
            "last_hit_utc": "2025-01-03 21:34:58"
        }
    ],
    "9029": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_blackremote_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-02-07 14:48:03"
        }
    ],
    "9030": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_blindingcan_w0",
            "yara_rule_author": "CISA Code & Media Analysis",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT",
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "9031": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_blister_w0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Blister loader.",
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "9032": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_brambul_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.brambul.",
            "last_hit_utc": "2025-04-21 03:14:05"
        }
    ],
    "9033": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_buer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.buer.",
            "last_hit_utc": "2022-06-27 15:47:02"
        }
    ],
    "9034": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_buer_unpacked_w0",
            "yara_rule_author": "Rony (@r0ny_123)",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects Buer",
            "last_hit_utc": "2023-08-24 07:25:03"
        }
    ],
    "9035": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_buzus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.buzus.",
            "last_hit_utc": "2025-04-27 18:07:12"
        }
    ],
    "9036": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_cargobay_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cargobay.",
            "last_hit_utc": "2025-01-05 17:13:46"
        }
    ],
    "9037": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_cerbu_miner_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-04-25 11:52:00"
        }
    ],
    "9038": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_chaos_w2",
            "yara_rule_author": "BlackBerry Threat Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects Chaos Ransomware Builder",
            "last_hit_utc": "2023-02-18 16:32:04"
        }
    ],
    "9039": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_citadel_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.citadel.",
            "last_hit_utc": "2025-01-31 10:01:03"
        }
    ],
    "9040": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_citadel_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.citadel.",
            "last_hit_utc": "2021-09-07 06:10:28"
        }
    ],
    "9041": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_clop_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.clop.",
            "last_hit_utc": "2023-06-06 18:13:02"
        }
    ],
    "9042": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_cloudeye_w0",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "Shellcode injector and downloader via RegAsm.exe payload",
            "last_hit_utc": "2024-06-08 23:26:03"
        }
    ],
    "9043": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_cobalt_strike_a0",
            "yara_rule_author": "Daniel Roethlisberger, Swisscom CSIRT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-08-12 20:04:05"
        }
    ],
    "9044": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_cobian_rat_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-06-01 10:48:03"
        }
    ],
    "9045": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_cobra_w0",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-10-16 21:53:03"
        }
    ],
    "9046": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_coldseal_w0",
            "yara_rule_author": "mho <info@mha.bka.de>",
            "yara_rule_reference": "",
            "yara_rule_description": "High amount of delimiter strings, show that this file contains a payload encrypted using Cold$eal Project. This will hit on a lot of ransomware like Cerber, Locky, GandCrab.",
            "last_hit_utc": "2021-08-31 10:23:03"
        }
    ],
    "9047": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_colibriloader",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": "",
            "yara_rule_description": "ColibriLoader malware",
            "last_hit_utc": "2022-10-12 15:49:01"
        }
    ],
    "9048": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_colibriloader_unpacked",
            "yara_rule_author": "andretavare5",
            "yara_rule_reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri",
            "yara_rule_description": "ColibriLoader malware",
            "last_hit_utc": "2023-02-13 10:51:04"
        }
    ],
    "9049": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_colibri_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.colibri.",
            "last_hit_utc": "2023-02-13 10:51:04"
        }
    ],
    "9050": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_colibri_w0",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect_colibri_loader",
            "last_hit_utc": "2023-02-13 10:51:04"
        }
    ],
    "9051": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_conficker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-08 20:42:05"
        }
    ],
    "9052": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_confucius_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-01-15 15:59:34"
        }
    ],
    "9053": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_conti_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-02-21 15:30:10"
        }
    ],
    "9054": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_corebot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-18 07:35:03"
        }
    ],
    "9055": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_coredn_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-12-10 05:32:54"
        }
    ],
    "9056": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_covid22_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.covid22.",
            "last_hit_utc": "2025-01-23 13:21:42"
        }
    ],
    "9057": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_cryptbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cryptbot.",
            "last_hit_utc": "2022-11-30 06:26:41"
        }
    ],
    "9058": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_cryptolocker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cryptolocker.",
            "last_hit_utc": "2023-06-09 06:53:02"
        }
    ],
    "9059": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_csext_w0",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Backdoor used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:45:48"
        }
    ],
    "9060": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_cycbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.cycbot.",
            "last_hit_utc": "2025-04-27 20:13:12"
        }
    ],
    "9061": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_darkgate__tmt",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-04 08:37:02"
        }
    ],
    "9062": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_darkpulsar_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.darkpulsar.",
            "last_hit_utc": "2025-09-15 11:02:46"
        }
    ],
    "9063": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_darktequila_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.darktequila.",
            "last_hit_utc": "2023-06-26 22:28:21"
        }
    ],
    "9064": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_darkvnc_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.darkvnc.",
            "last_hit_utc": "2023-06-30 20:03:34"
        }
    ],
    "9065": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dbatloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-06-23 17:55:03"
        }
    ],
    "9066": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dcrat_w0",
            "yara_rule_author": "ditekshen",
            "yara_rule_reference": null,
            "yara_rule_description": "DCRat payload",
            "last_hit_utc": "2025-10-28 13:45:48"
        }
    ],
    "9067": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_deepdata_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.deepdata.",
            "last_hit_utc": "2026-04-27 04:45:30"
        }
    ],
    "9068": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_deltas_w0",
            "yara_rule_author": "Novetta Threat Research & Interdiction Group - trig@novetta.com",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "9069": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dexter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-04-25 12:45:40"
        }
    ],
    "9070": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dexter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.dexter.",
            "last_hit_utc": "2022-01-10 17:57:04"
        }
    ],
    "9071": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_diceloader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.diceloader.",
            "last_hit_utc": "2025-01-03 19:29:55"
        }
    ],
    "9072": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dimnie_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-06-20 10:10:04"
        }
    ],
    "9073": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dimnie_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-06-20 10:10:04"
        }
    ],
    "9074": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dircrypt_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.dircrypt.",
            "last_hit_utc": "2022-12-04 18:44:03"
        }
    ],
    "9075": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_diztakun_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.diztakun.",
            "last_hit_utc": "2023-06-08 21:11:03"
        }
    ],
    "9076": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_doublepulsar_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.doublepulsar.",
            "last_hit_utc": "2025-09-15 11:02:46"
        }
    ],
    "9077": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dragonforce_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.dragonforce.",
            "last_hit_utc": "2026-01-22 05:24:29"
        }
    ],
    "9078": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dreambot_a0",
            "yara_rule_author": "mak, Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-01-01 23:08:08"
        }
    ],
    "9079": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dridex_g0",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": "Unpacked Dridex binary in memory",
            "last_hit_utc": "2021-04-26 20:24:08"
        }
    ],
    "9080": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dtrack_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-18 11:29:46"
        }
    ],
    "9081": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dtrack_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:22:47"
        }
    ],
    "9082": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dustman_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.dustman.",
            "last_hit_utc": "2025-01-03 19:34:02"
        }
    ],
    "9083": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_dyre_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.dyre.",
            "last_hit_utc": "2025-01-03 19:34:54"
        }
    ],
    "9084": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_epsilon_red_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.epsilon_red.",
            "last_hit_utc": "2022-05-17 15:34:02"
        }
    ],
    "9085": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_erbium_stealer_a1_2622",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects the unpacked Erbium stealer",
            "last_hit_utc": "2025-01-05 15:13:13"
        }
    ],
    "9086": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_eternal_petya_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.eternal_petya.",
            "last_hit_utc": "2022-04-19 15:33:02"
        }
    ],
    "9087": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_eternal_petya_w0",
            "yara_rule_author": "ReversingLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-04-19 15:33:02"
        }
    ],
    "9088": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_extreme_rat_w1",
            "yara_rule_author": "Seth Hardy <seth.hardy@utoronto.ca>",
            "yara_rule_reference": null,
            "yara_rule_description": "XtremeRAT",
            "last_hit_utc": "2025-01-05 15:01:53"
        }
    ],
    "9089": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_fanny_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.fanny.",
            "last_hit_utc": "2026-03-22 06:23:27"
        }
    ],
    "9090": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_fast_pos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.fast_pos.",
            "last_hit_utc": "2022-07-30 14:14:03"
        }
    ],
    "9091": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_fct_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.fct.",
            "last_hit_utc": "2022-04-25 13:07:02"
        }
    ],
    "9092": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_fudmodule_w0",
            "yara_rule_author": "Jan Vojtesek - Avast Decoded",
            "yara_rule_reference": "https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/",
            "yara_rule_description": "Detects win.fudmodule.",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "9093": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_fudmodule_w1",
            "yara_rule_author": "Luigino Camastra, GenDigital",
            "yara_rule_reference": "https://www.gendigital.com/blog/preview/lazarus-fudmodule",
            "yara_rule_description": "Detects win.fudmodule.",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "9094": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gaudox_a0",
            "yara_rule_author": "Slavo Greminger",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-08-09 18:16:04"
        }
    ],
    "9095": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gaudox_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-08-09 18:16:04"
        }
    ],
    "9096": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gazer_w0",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
            "yara_rule_description": "Turla Gazer malware",
            "last_hit_utc": "2022-03-10 12:53:05"
        }
    ],
    "9097": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gazer_w2",
            "yara_rule_author": "ESET Research",
            "yara_rule_reference": "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
            "yara_rule_description": "Turla Gazer malware",
            "last_hit_utc": "2022-03-10 12:53:05"
        }
    ],
    "9098": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_ghole_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/NpJpVZ",
            "yara_rule_description": "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ",
            "last_hit_utc": "2025-10-28 13:45:48"
        }
    ],
    "9099": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gimmick_w1",
            "yara_rule_author": "threatintel@volexity.com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects the macOS port of the GIMMICK malware.",
            "last_hit_utc": "2025-10-28 13:45:49"
        }
    ],
    "9100": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_globeimposter_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-02-25 05:08:14"
        }
    ],
    "9101": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gootkit_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-02-09 11:26:05"
        }
    ],
    "9102": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gpcode_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.gpcode.",
            "last_hit_utc": "2022-03-26 01:26:49"
        }
    ],
    "9103": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gracewire_loader_dec_2022",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara rule to detect GraceWireLoader via usage of Stack Strings",
            "last_hit_utc": "2025-03-07 19:43:29"
        }
    ],
    "9104": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_grandsteal_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-09-07 08:27:41"
        }
    ],
    "9105": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_graphsteel_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.graphsteel.",
            "last_hit_utc": "2022-08-11 11:52:03"
        }
    ],
    "9106": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gravity_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2023-06-15 11:03:47"
        }
    ],
    "9107": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_grease_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.grease.",
            "last_hit_utc": "2022-03-18 10:28:05"
        }
    ],
    "9108": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_green_dispenser_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.green_dispenser.",
            "last_hit_utc": "2025-06-16 16:45:17"
        }
    ],
    "9109": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_grimplant_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.grimplant.",
            "last_hit_utc": "2025-06-16 16:26:36"
        }
    ],
    "9110": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_gsecdump_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.gsecdump.",
            "last_hit_utc": "2025-01-03 23:04:42"
        }
    ],
    "9111": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_hamweq_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-03-03 12:39:31"
        }
    ],
    "9112": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_havoc_w0",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 11:24:40"
        }
    ],
    "9113": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_havoc_w1",
            "yara_rule_author": "embee_research @ HuntressLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-11-05 11:24:40"
        }
    ],
    "9114": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_headertip_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.headertip.",
            "last_hit_utc": "2024-03-01 15:52:02"
        }
    ],
    "9115": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_hermes_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.hermes.",
            "last_hit_utc": "2022-10-04 09:57:02"
        }
    ],
    "9116": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_highnoon_bin_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
            "yara_rule_description": "Detects APT41 malware HIGHNOON.BIN",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "9117": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_hijackloader_w0",
            "yara_rule_author": "Elastic Security",
            "yara_rule_reference": "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks",
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:40:03"
        }
    ],
    "9118": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_hive_w0",
            "yara_rule_author": "rivitna",
            "yara_rule_reference": null,
            "yara_rule_description": "Hive v3 ransomware Windows/Linux/FreeBSD payload",
            "last_hit_utc": "2025-01-05 16:18:29"
        }
    ],
    "9119": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_hyperbro_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-11 14:36:01"
        }
    ],
    "9120": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_hyperssl_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-11 07:52:31"
        }
    ],
    "9121": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_icedid_snowloader_bytecodes_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-12-12 20:44:02"
        }
    ],
    "9122": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_iceid_core_ldr_202104",
            "yara_rule_author": "Thomas Barabosch, Telekom Security",
            "yara_rule_reference": null,
            "yara_rule_description": "2021 loader for Bokbot / Icedid core (license.dat)",
            "last_hit_utc": "2025-10-28 13:45:49"
        }
    ],
    "9123": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_iconic_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.iconic_stealer.",
            "last_hit_utc": "2025-10-14 19:21:42"
        }
    ],
    "9124": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_imminentrat_j1_7e208e97",
            "yara_rule_author": "Johannes Bader",
            "yara_rule_reference": null,
            "yara_rule_description": "detects the imminent rat",
            "last_hit_utc": "2025-01-03 21:09:54"
        }
    ],
    "9125": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_industroyer_w0",
            "yara_rule_author": "Dragos Inc",
            "yara_rule_reference": "https://dragos.com/blog/crashoverride/",
            "yara_rule_description": "CRASHOVERRIDE v1 Suspicious Export",
            "last_hit_utc": "2025-11-23 10:26:31"
        }
    ],
    "9126": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_invisimole_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.invisimole.",
            "last_hit_utc": "2022-03-05 21:51:03"
        }
    ],
    "9127": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_isr_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.isr_stealer.",
            "last_hit_utc": "2021-08-02 05:44:26"
        }
    ],
    "9128": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_jaku_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-28 09:15:14"
        }
    ],
    "9129": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_jasus_w0",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "ARP cache poisoner used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:45:49"
        }
    ],
    "9130": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_jimmy_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/",
            "yara_rule_description": null,
            "last_hit_utc": "2020-04-22 10:36:03"
        }
    ],
    "9131": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_juicy_potato_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.juicy_potato.",
            "last_hit_utc": "2022-08-04 06:11:02"
        }
    ],
    "9132": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_juicy_potato_w0",
            "yara_rule_author": "SpiderLabs",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2026-03-23 08:47:11"
        }
    ],
    "9133": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_juicy_potato_w0",
            "yara_rule_author": "SpiderLabs",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-08-04 06:11:02"
        }
    ],
    "9134": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kagent_w0",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Backdoor used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:45:49"
        }
    ],
    "9135": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kins_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-19 16:34:26"
        }
    ],
    "9136": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kleptoparasite_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.kleptoparasite_stealer.",
            "last_hit_utc": "2022-08-31 04:03:02"
        }
    ],
    "9137": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_konni_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-11 11:00:02"
        }
    ],
    "9138": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_korlia_w0",
            "yara_rule_author": "Nick Hoffman",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-05 16:27:36"
        }
    ],
    "9139": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_korlia_w1",
            "yara_rule_author": "pinksawtooth",
            "yara_rule_reference": "https://www.paloaltonetworks.jp/company/in-the-news/2018/unit42-bisonal-malware-used-attacks-russia-south-korea",
            "yara_rule_description": "rule to detect korlia/bisonal",
            "last_hit_utc": "2023-09-21 11:33:08"
        }
    ],
    "9140": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kovter_a0",
            "yara_rule_author": "pnx",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-31 00:40:08"
        }
    ],
    "9141": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kpot_stealer_w0",
            "yara_rule_author": "Fumik0_",
            "yara_rule_reference": null,
            "yara_rule_description": "Kpot",
            "last_hit_utc": "2020-05-11 12:06:17"
        }
    ],
    "9142": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kuluoz_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-06-24 09:38:18"
        }
    ],
    "9143": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kutaki_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-11 06:09:48"
        }
    ],
    "9144": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kwampirs_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.kwampirs.",
            "last_hit_utc": "2022-10-17 09:03:03"
        }
    ],
    "9145": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kwampirs_w0",
            "yara_rule_author": "Symantec",
            "yara_rule_reference": "",
            "yara_rule_description": "Kwampirs dropper and main payload components",
            "last_hit_utc": "2022-10-17 09:03:03"
        }
    ],
    "9146": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_kwampirs_w2",
            "yara_rule_author": "pancak3lullz",
            "yara_rule_reference": "",
            "yara_rule_description": "Kwampirs implant xor and rsa keys",
            "last_hit_utc": "2022-10-17 09:03:03"
        }
    ],
    "9147": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_laziok_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.laziok.",
            "last_hit_utc": "2023-02-04 21:47:03"
        }
    ],
    "9148": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_lazycat_w0",
            "yara_rule_author": "Cybaze Zlab_Yoroi",
            "yara_rule_reference": null,
            "yara_rule_description": "Yara Rule for LazyCat",
            "last_hit_utc": "2025-06-26 19:48:29"
        }
    ],
    "9149": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_locky_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.locky.",
            "last_hit_utc": "2022-10-08 07:54:03"
        }
    ],
    "9150": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_lordix_w0",
            "yara_rule_author": "Alex Holland (Bromium Labs)",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-05-30 06:39:49"
        }
    ],
    "9151": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_loup_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.loup.",
            "last_hit_utc": "2025-01-05 15:07:58"
        }
    ],
    "9152": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_lumma_simple_strings",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-05 16:30:03"
        }
    ],
    "9153": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_lumma_w0",
            "yara_rule_author": "@malgamy12",
            "yara_rule_reference": null,
            "yara_rule_description": "detect_Lumma_stealer",
            "last_hit_utc": "2026-03-28 14:26:16"
        }
    ],
    "9154": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_lumma_w1",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-02-05 16:30:03"
        }
    ],
    "9155": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_lyposit_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.lyposit.",
            "last_hit_utc": "2025-04-28 05:11:23"
        }
    ],
    "9156": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mailto_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mailto.",
            "last_hit_utc": "2022-10-12 09:58:04"
        }
    ],
    "9157": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mailto_w0",
            "yara_rule_author": "Crowdstrike",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the Netwalker ransomware",
            "last_hit_utc": "2022-10-12 09:58:04"
        }
    ],
    "9158": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mailto_w1",
            "yara_rule_author": "Crowdstrike",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects the Netwalker ransomware",
            "last_hit_utc": "2022-10-12 09:58:04"
        }
    ],
    "9159": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_makop_ransomware_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.makop_ransomware.",
            "last_hit_utc": "2022-11-11 18:34:04"
        }
    ],
    "9160": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_maktub_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-23 15:29:10"
        }
    ],
    "9161": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_maoloa_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.maoloa.",
            "last_hit_utc": "2025-08-05 19:23:41"
        }
    ],
    "9162": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mariposa_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-12-27 04:22:04"
        }
    ],
    "9163": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mariposa_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mariposa.",
            "last_hit_utc": "2025-03-24 06:43:25"
        }
    ],
    "9164": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mars_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mars_stealer.",
            "last_hit_utc": "2023-05-31 05:42:05"
        }
    ],
    "9165": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_matsnu_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.matsnu.",
            "last_hit_utc": "2024-03-09 19:45:04"
        }
    ],
    "9166": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_maze_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.maze.",
            "last_hit_utc": "2025-04-20 02:18:07"
        }
    ],
    "9167": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mbrlock_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mbrlock.",
            "last_hit_utc": "2023-06-09 06:52:03"
        }
    ],
    "9168": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mbrlock_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mbrlock.",
            "last_hit_utc": "2022-02-22 18:31:04"
        }
    ],
    "9169": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mekotio_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-08-19 18:57:04"
        }
    ],
    "9170": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_merlin_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-08 04:27:31"
        }
    ],
    "9171": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_miancha_w0",
            "yara_rule_author": null,
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2022-01-04 05:47:15"
        }
    ],
    "9172": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_micropsia_w0",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-07-27 06:54:16"
        }
    ],
    "9173": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mikoponi_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.mikoponi.",
            "last_hit_utc": "2022-09-25 16:54:07"
        }
    ],
    "9174": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mimic_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mimic.",
            "last_hit_utc": "2025-01-05 17:09:55"
        }
    ],
    "9175": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_misha_w0",
            "yara_rule_author": "Daniel Plohmann",
            "yara_rule_reference": null,
            "yara_rule_description": "Detect the unpacked payload for win.misha.",
            "last_hit_utc": "2024-02-03 11:24:45"
        }
    ],
    "9176": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mispadu_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-03 19:21:42"
        }
    ],
    "9177": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_miuref_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.miuref.",
            "last_hit_utc": "2024-03-28 16:25:04"
        }
    ],
    "9178": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_morphine_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-03-24 16:12:09"
        }
    ],
    "9179": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mosquito_w2",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
            "yara_rule_description": "Detects malware sample from Turla Mosquito report",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "9180": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mrdec_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mrdec.",
            "last_hit_utc": "2026-03-15 08:49:20"
        }
    ],
    "9181": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_murofet_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-25 18:21:11"
        }
    ],
    "9182": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mydogs_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-11-03 12:23:57"
        }
    ],
    "9183": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mydoom_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.mydoom.",
            "last_hit_utc": "2025-02-07 15:33:23"
        }
    ],
    "9184": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mylobot_a0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-11-09 11:22:05"
        }
    ],
    "9185": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_mylobot_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-11-09 11:22:05"
        }
    ],
    "9186": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_nautilus_w0",
            "yara_rule_author": "NCSC UK",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detection of Nautilus based on assembly code for a modified RC4 loop",
            "last_hit_utc": "2023-04-22 07:17:07"
        }
    ],
    "9187": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_navrat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.navrat.",
            "last_hit_utc": "2022-03-10 09:26:08"
        }
    ],
    "9188": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_ncctrojan_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.ncctrojan.",
            "last_hit_utc": "2022-03-29 13:43:03"
        }
    ],
    "9189": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_neconyd_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.neconyd.",
            "last_hit_utc": "2026-03-03 13:31:10"
        }
    ],
    "9190": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_nefilim_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.nefilim.",
            "last_hit_utc": "2023-03-05 13:41:05"
        }
    ],
    "9191": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_nemty_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.nemty.",
            "last_hit_utc": "2023-04-23 06:01:38"
        }
    ],
    "9192": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_netspy_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.netspy.",
            "last_hit_utc": "2025-01-03 21:48:45"
        }
    ],
    "9193": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_neuron_w0",
            "yara_rule_author": "NCSC UK",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detection of Neuron based on commonly used strings",
            "last_hit_utc": "2023-04-22 07:17:07"
        }
    ],
    "9194": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_neuron_w1",
            "yara_rule_author": "NCSC UK",
            "yara_rule_reference": null,
            "yara_rule_description": "Rule for detection of Neuron based on a standalone signature from .NET metadata",
            "last_hit_utc": "2023-04-22 07:17:07"
        }
    ],
    "9195": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_nim_blackout_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.nim_blackout.",
            "last_hit_utc": "2025-01-03 19:38:23"
        }
    ],
    "9196": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_nymaim_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-11 11:14:28"
        }
    ],
    "9197": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_observer_stealer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.observer_stealer.",
            "last_hit_utc": "2024-05-06 15:31:03"
        }
    ],
    "9198": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_orcarat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.orcarat.",
            "last_hit_utc": "2023-07-31 02:15:03"
        }
    ],
    "9199": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_orcarat_w0",
            "yara_rule_author": "PwC Cyber Threat Operations :: @tlansec",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-07-31 02:15:03"
        }
    ],
    "9200": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_owlproxy_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.owlproxy.",
            "last_hit_utc": "2022-03-01 12:09:03"
        }
    ],
    "9201": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_pandabanker_g0",
            "yara_rule_author": "slavo/mak",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-07-20 02:06:05"
        }
    ],
    "9202": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_pandora_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.pandora.",
            "last_hit_utc": "2023-02-03 15:38:03"
        }
    ],
    "9203": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_pandora_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.pandora.",
            "last_hit_utc": "2022-04-20 09:53:04"
        }
    ],
    "9204": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_paradies_clipper_w0",
            "yara_rule_author": "igal lytzki",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-06-16 16:57:26"
        }
    ],
    "9205": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_parallax_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.parallax.",
            "last_hit_utc": "2023-01-16 21:46:03"
        }
    ],
    "9206": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_parasite_http_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.parasite_http.",
            "last_hit_utc": "2022-05-26 16:48:31"
        }
    ],
    "9207": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_pikabot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.pikabot.",
            "last_hit_utc": "2024-02-09 02:24:29"
        }
    ],
    "9208": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_pikabot_resource_entropy_oct_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": "Pikabot Loaders embedding encrypted inside of numerous png images",
            "last_hit_utc": "2025-01-03 19:32:51"
        }
    ],
    "9209": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_play_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.play.",
            "last_hit_utc": "2024-06-27 02:17:03"
        }
    ],
    "9210": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_plugx_w1",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "PlugX Identifying Strings",
            "last_hit_utc": "2023-04-22 07:17:07"
        }
    ],
    "9211": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_pocodown_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.pocodown.",
            "last_hit_utc": "2022-08-07 14:09:03"
        }
    ],
    "9212": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_poison_ivy_w0",
            "yara_rule_author": "Matthew Ulm",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2021-07-02 06:02:10"
        }
    ],
    "9213": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_poslurp_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-24 08:41:11"
        }
    ],
    "9214": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win_PrivEsc_folderperm",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://www.greyhathacker.net/?p=738",
            "yara_rule_description": "Detects a tool that can be used for privilege escalation - file folderperm.ps1",
            "last_hit_utc": "2025-10-28 13:45:49"
        }
    ],
    "9215": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win_PrivEsc_folderperm_RID2FE9",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://www.greyhathacker.net/?p=738",
            "yara_rule_description": "Detects a tool that can be used for privilege escalation - file folderperm.ps1",
            "last_hit_utc": "2025-10-28 13:45:49"
        }
    ],
    "9216": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win_PrivEsc_gp3finder_v4_0",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/",
            "yara_rule_description": "Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe",
            "last_hit_utc": "2025-10-28 13:45:49"
        }
    ],
    "9217": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Win_PrivEsc_gp3finder_v4_0_RID30D3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/",
            "yara_rule_description": "Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe",
            "last_hit_utc": "2025-10-28 13:45:49"
        }
    ],
    "9218": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_proteus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-05-10 21:01:03"
        }
    ],
    "9219": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_pseudo_manuscrypt_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.pseudo_manuscrypt.",
            "last_hit_utc": "2023-08-11 09:50:06"
        }
    ],
    "9220": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_pwndlocker_w0",
            "yara_rule_author": "Frank Boldewin (@r3c0nst)",
            "yara_rule_reference": "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Prolock.Malware.yar",
            "yara_rule_description": "Detects Prolock malware in encrypted and decrypted mode",
            "last_hit_utc": "2025-10-19 09:23:32"
        }
    ],
    "9221": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_pylocky_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-04-23 22:18:19"
        }
    ],
    "9222": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_qaccel_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-07 21:51:56"
        }
    ],
    "9223": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_qakbot_string_decrypt_nov_2022",
            "yara_rule_author": "Embee_Research @ Huntress",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-11-28 09:24:57"
        }
    ],
    "9224": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_quan_pin_loader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.quan_pin_loader.",
            "last_hit_utc": "2026-02-12 12:39:15"
        }
    ],
    "9225": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_ratankbapos_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-02 08:46:15"
        }
    ],
    "9226": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_rctrl_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.rctrl.",
            "last_hit_utc": "2023-03-15 22:30:05"
        }
    ],
    "9227": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_rdat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.rdat.",
            "last_hit_utc": "2025-06-16 15:17:34"
        }
    ],
    "9228": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_rdat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.rdat.",
            "last_hit_utc": "2021-07-16 23:07:32"
        }
    ],
    "9229": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_remsec_strider_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.remsec_strider.",
            "last_hit_utc": "2022-03-06 06:29:25"
        }
    ],
    "9230": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_remy_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-21 02:59:59"
        }
    ],
    "9231": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_retefe_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.retefe.",
            "last_hit_utc": "2025-01-03 19:21:30"
        }
    ],
    "9232": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_revil_a0",
            "yara_rule_author": "BYEMAN",
            "yara_rule_reference": null,
            "yara_rule_description": "detects UPX-packed and unpacked versions of REvil/Sodinokibi ransomware",
            "last_hit_utc": "2020-09-17 20:12:04"
        }
    ],
    "9233": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_rgdoor_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
            "yara_rule_description": "Detects RGDoor backdoor used by OilRig group",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "9234": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_rincux_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-11 09:53:08"
        }
    ],
    "9235": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_rokrat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.rokrat.",
            "last_hit_utc": "2025-08-06 06:34:29"
        }
    ],
    "9236": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_rombertik_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blogs.cisco.com/security/talos/rombertik",
            "yara_rule_description": "Detects CarbonGrabber alias Rombertik - file Copy#064046.scr",
            "last_hit_utc": "2022-01-29 10:08:19"
        }
    ],
    "9237": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_romcom_rat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.romcom_rat.",
            "last_hit_utc": "2022-11-04 18:25:03"
        }
    ],
    "9238": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_royal_dns_w1",
            "yara_rule_author": "David Cannings",
            "yara_rule_reference": null,
            "yara_rule_description": "DLL implant, originally rights.dll and runs as a service",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "9239": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_runningrat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.runningrat.",
            "last_hit_utc": "2022-04-17 21:03:02"
        }
    ],
    "9240": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_sage_ransom_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.sage_ransom.",
            "last_hit_utc": "2022-04-29 06:54:08"
        }
    ],
    "9241": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_sakula_rat_w1",
            "yara_rule_author": "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou",
            "yara_rule_reference": null,
            "yara_rule_description": "Sakula v1.1",
            "last_hit_utc": "2025-11-05 08:22:48"
        }
    ],
    "9242": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_scarab_ransom_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-28 07:18:52"
        }
    ],
    "9243": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_sepulcher_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.sepulcher.",
            "last_hit_utc": "2025-01-03 19:35:01"
        }
    ],
    "9244": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_shifu_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.shifu.",
            "last_hit_utc": "2022-10-17 09:24:14"
        }
    ],
    "9245": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_sienna_purple_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.sienna_purple.",
            "last_hit_utc": "2023-02-09 22:09:02"
        }
    ],
    "9246": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_sinowal_w0",
            "yara_rule_author": "Seth Hardy",
            "yara_rule_reference": null,
            "yara_rule_description": "Quarian Identifying Strings",
            "last_hit_utc": "2025-06-16 16:41:29"
        }
    ],
    "9247": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_slingshot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-05-13 06:41:47"
        }
    ],
    "9248": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_sliver_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-08 04:27:31"
        }
    ],
    "9249": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_smokeloader_g4",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-06-19 15:50:05"
        }
    ],
    "9250": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_smokeloader_g5",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-06-19 15:50:05"
        }
    ],
    "9251": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_snake_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-04-23 15:35:03"
        }
    ],
    "9252": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_socelars_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.socelars.",
            "last_hit_utc": "2025-01-05 15:04:04"
        }
    ],
    "9253": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_socksbot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-04 02:42:05"
        }
    ],
    "9254": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_soul_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.soul.",
            "last_hit_utc": "2023-02-17 05:14:02"
        }
    ],
    "9255": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_spybot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.spybot.",
            "last_hit_utc": "2025-01-05 16:03:52"
        }
    ],
    "9256": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_spyder_patchwork_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.spyder_patchwork.",
            "last_hit_utc": "2025-03-12 11:42:10"
        }
    ],
    "9257": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_spyeye_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-25 17:25:11"
        }
    ],
    "9258": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_spyeye_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.spyeye.",
            "last_hit_utc": "2025-01-07 21:01:28"
        }
    ],
    "9259": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_squirrelwaffle_loader",
            "yara_rule_author": "Rony(@r0ny_123)",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects unpacked squirrelwaffle loader",
            "last_hit_utc": "2023-04-22 07:17:07"
        }
    ],
    "9260": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_starsypound_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-06-28 05:33:32"
        }
    ],
    "9261": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_stresspaint_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-04 08:52:46"
        }
    ],
    "9262": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_strongpity_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-01-01 23:40:18"
        }
    ],
    "9263": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_strongpity_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.strongpity.",
            "last_hit_utc": "2025-01-05 15:11:46"
        }
    ],
    "9264": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_stuxnet_w0",
            "yara_rule_author": "JAG-S (turla@chronicle.security)",
            "yara_rule_reference": null,
            "yara_rule_description": "Stuxshop standalone sample configuration",
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "9265": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_syscon_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://goo.gl/JAHZVL",
            "yara_rule_description": null,
            "last_hit_utc": "2025-11-05 08:21:41"
        }
    ],
    "9266": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_taidoor_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.taidoor.",
            "last_hit_utc": "2022-03-10 04:54:38"
        }
    ],
    "9267": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_taintedscribe_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.taintedscribe.",
            "last_hit_utc": "2022-04-26 08:09:03"
        }
    ],
    "9268": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_tempedreve_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.tempedreve.",
            "last_hit_utc": "2022-10-12 16:42:59"
        }
    ],
    "9269": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_thunderx_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-19 11:47:50"
        }
    ],
    "9270": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_tinynuke_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.tinynuke.",
            "last_hit_utc": "2022-01-28 21:08:17"
        }
    ],
    "9271": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_tinynuke_g0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-04-25 12:30:23"
        }
    ],
    "9272": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_tinyturla_ng_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.tinyturla_ng.",
            "last_hit_utc": "2025-06-30 19:09:44"
        }
    ],
    "9273": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_tinyzbot_w0",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Tiny Bot used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "9274": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_tinyzbot_w1",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "9275": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_tofsee_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.tofsee.",
            "last_hit_utc": "2022-11-26 15:02:46"
        }
    ],
    "9276": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_tor_loader_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.tor_loader.",
            "last_hit_utc": "2026-02-23 00:42:20"
        }
    ],
    "9277": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_trickbot_a3",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-11-07 21:22:06"
        }
    ],
    "9278": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_trickbot_g2",
            "yara_rule_author": "mak",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-11-07 21:22:07"
        }
    ],
    "9279": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_trickbot_g3",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-11-07 21:22:07"
        }
    ],
    "9280": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_trickbot_w0",
            "yara_rule_author": "Marc Salinas @Bondey_m",
            "yara_rule_reference": "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
            "yara_rule_description": "Detects mailsearcher module from Trickbot Trojan",
            "last_hit_utc": "2021-01-08 15:00:26"
        }
    ],
    "9281": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_turla_silentmoon_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-03-18 20:49:37"
        }
    ],
    "9282": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_turnedup_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-07-22 11:50:54"
        }
    ],
    "9283": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_turnedup_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.turnedup.",
            "last_hit_utc": "2022-03-10 04:50:09"
        }
    ],
    "9284": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_tyupkin_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-04-20 07:29:08"
        }
    ],
    "9285": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_unidentified_023_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.unidentified_023.",
            "last_hit_utc": "2021-08-26 19:02:03"
        }
    ],
    "9286": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_unidentified_060_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-11 07:52:31"
        }
    ],
    "9287": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_unidentified_063_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-10-02 08:25:12"
        }
    ],
    "9288": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_unidentified_075_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-08-27 12:47:10"
        }
    ],
    "9289": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_unidentified_077_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-02-18 01:22:44"
        }
    ],
    "9290": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_unidentified_091_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.unidentified_091.",
            "last_hit_utc": "2022-07-12 07:42:03"
        }
    ],
    "9291": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_unidentified_109_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.unidentified_109.",
            "last_hit_utc": "2025-01-03 19:57:14"
        }
    ],
    "9292": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_velso_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.velso.",
            "last_hit_utc": "2025-01-03 20:34:03"
        }
    ],
    "9293": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_venus_locker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-11-30 15:18:03"
        }
    ],
    "9294": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_venus_locker_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-09-24 09:41:07"
        }
    ],
    "9295": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_vflooder_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.vflooder.",
            "last_hit_utc": "2022-04-04 20:38:03"
        }
    ],
    "9296": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_vhd_ransomware_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2021-04-11 10:36:29"
        }
    ],
    "9297": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_vhd_ransomware_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.vhd_ransomware.",
            "last_hit_utc": "2022-04-28 11:03:02"
        }
    ],
    "9298": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_virut_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.virut.",
            "last_hit_utc": "2023-07-25 07:47:03"
        }
    ],
    "9299": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_vmzeus_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.vmzeus.",
            "last_hit_utc": "2021-09-07 06:10:26"
        }
    ],
    "9300": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_vmzeus_g1",
            "yara_rule_author": "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-12-25 01:06:04"
        }
    ],
    "9301": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_void_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-09-11 05:48:26"
        }
    ],
    "9302": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_volgmer_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-06-10 08:44:31"
        }
    ],
    "9303": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_warmcookie_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.warmcookie.",
            "last_hit_utc": "2025-11-05 10:16:50"
        }
    ],
    "9304": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_webc2_qbp_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2022-07-02 21:12:31"
        }
    ],
    "9305": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_winnti_w1",
            "yara_rule_author": "BR Data",
            "yara_rule_reference": null,
            "yara_rule_description": "rules used for retrohunting by BR Data.",
            "last_hit_utc": "2025-11-05 08:22:49"
        }
    ],
    "9306": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_wpbrutebot_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.wpbrutebot.",
            "last_hit_utc": "2025-09-19 10:50:50"
        }
    ],
    "9307": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_xagent_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-04-25 10:24:20"
        }
    ],
    "9308": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_xfilesstealer_w0",
            "yara_rule_author": "Johannes Bader @viql",
            "yara_rule_reference": "",
            "yara_rule_description": "detects XFiles-Stealer",
            "last_hit_utc": "2022-05-04 16:39:02"
        }
    ],
    "9309": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_xfscashncr_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2020-11-17 12:35:18"
        }
    ],
    "9310": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_xpertrat_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "Detects win.xpertrat.",
            "last_hit_utc": "2023-06-10 18:06:03"
        }
    ],
    "9311": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_yanluowang_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": "",
            "yara_rule_description": "Detects win.yanluowang.",
            "last_hit_utc": "2022-10-13 09:37:02"
        }
    ],
    "9312": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_zeppelin_auto",
            "yara_rule_author": "Felix Bilstein - yara-signator at cocacoding dot com",
            "yara_rule_reference": null,
            "yara_rule_description": "autogenerated rule brought to you by yara-signator",
            "last_hit_utc": "2025-01-23 02:57:03"
        }
    ],
    "9313": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_zhmimikatz_w0",
            "yara_rule_author": "Cylance Inc.",
            "yara_rule_reference": "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
            "yara_rule_description": "Mimikatz wrapper used by attackers in Operation Cleaver",
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "9314": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_zloader_a0",
            "yara_rule_author": "Slavo Greminger, SWITCH-CERT",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2020-11-01 13:14:04"
        }
    ],
    "9315": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "win_zxshell_w0",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": null,
            "last_hit_utc": "2025-10-28 13:45:50"
        }
    ],
    "9316": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WMImplant",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html",
            "yara_rule_description": "Auto-generated rule - file WMImplant.ps1",
            "last_hit_utc": "2025-10-28 13:45:51"
        }
    ],
    "9317": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WMImplant_RID2A8A",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html",
            "yara_rule_description": "Detects WMI implant- file WMImplant_RID2A8A.ps1",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "9318": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "wndTest",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-11-05 08:22:50"
        }
    ],
    "9319": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WoolenGoldfish_Generic_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/NpJpVZ",
            "yara_rule_description": "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ",
            "last_hit_utc": "2025-11-05 08:22:50"
        }
    ],
    "9320": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WoolenGoldfish_Generic_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/NpJpVZ",
            "yara_rule_description": "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ",
            "last_hit_utc": "2025-11-05 08:22:50"
        }
    ],
    "9321": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WoolenGoldfish_Generic_1_RID3061",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/NpJpVZ",
            "yara_rule_description": "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ",
            "last_hit_utc": "2025-11-05 08:22:50"
        }
    ],
    "9322": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WoolenGoldfish_Generic_3",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/NpJpVZ",
            "yara_rule_description": "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "9323": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WoolenGoldfish_Generic_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/NpJpVZ",
            "yara_rule_description": "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "9324": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WoolenGoldfish_Sample_1",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/NpJpVZ",
            "yara_rule_description": "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "9325": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WoolenGoldfish_Sample_1",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "http://goo.gl/NpJpVZ",
            "yara_rule_description": "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "9326": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "WoolenGoldfish_Sample_1_RID3006",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://goo.gl/NpJpVZ",
            "yara_rule_description": "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "9327": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "wsh_rat_rdp",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "Alerts on the WSH RAT .NET RDP module",
            "last_hit_utc": "2021-02-09 06:43:04"
        }
    ],
    "9328": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "wsh_rat_rdp",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "Alerts on the WSH RAT .NET RDP module",
            "last_hit_utc": "2022-06-19 20:02:03"
        }
    ],
    "9329": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ws_HERMETIC_WIPER_Generic_ft_peexe",
            "yara_rule_author": "SentinelLabs",
            "yara_rule_reference": "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/",
            "yara_rule_description": "",
            "last_hit_utc": "2022-03-29 17:31:03"
        }
    ],
    "9330": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "XHider10GlobaL",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2024-05-14 10:42:06"
        }
    ],
    "9331": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "XiaoBa",
            "yara_rule_author": "@bartblaze",
            "yara_rule_reference": "",
            "yara_rule_description": "Identifies XiaoBa ransomware unpacked or in memory.",
            "last_hit_utc": "2021-11-28 16:09:04"
        }
    ],
    "9332": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "XLoaderRule",
            "yara_rule_author": "@is_henderson",
            "yara_rule_reference": "https://www.virustotal.com/gui/file/97d6b194da410db82d9974aec984cff8ac0a6ad59ec72b79d4b2a4672b5aa8aa/community",
            "yara_rule_description": "XLoader sample pulled from VT 26 July. 1 Detection",
            "last_hit_utc": "2021-08-06 12:58:17"
        }
    ],
    "9333": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "xls_yag",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "Excel 2003 file format detection",
            "last_hit_utc": "2022-07-14 10:07:02"
        }
    ],
    "9334": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "XOR_4byte_Key",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family",
            "yara_rule_description": "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)",
            "last_hit_utc": "2021-09-07 06:26:08"
        }
    ],
    "9335": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Xtreme_RAT_Gen_Imp",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects XTREME sample analyzed in September 2017",
            "last_hit_utc": "2020-10-15 23:04:53"
        }
    ],
    "9336": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Xtreme_Sep17_2",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects XTREME sample analyzed in September 2017",
            "last_hit_utc": "2025-01-03 19:37:27"
        }
    ],
    "9337": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Xtreme_Sep17_2_RID2C06",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects XTREME sample analyzed in September 2017",
            "last_hit_utc": "2025-01-03 19:37:27"
        }
    ],
    "9338": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Xtreme_Sep17_3_RID2C07",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "Internal Research",
            "yara_rule_description": "Detects XTREME sample analyzed in September 2017",
            "last_hit_utc": "2022-11-05 01:47:02"
        }
    ],
    "9339": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "XTunnel",
            "yara_rule_author": "",
            "yara_rule_reference": "",
            "yara_rule_description": "",
            "last_hit_utc": "2022-08-07 14:09:03"
        }
    ],
    "9340": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "xxmm",
            "yara_rule_author": "JPCERT/CC Incident Response Group",
            "yara_rule_reference": "internal research",
            "yara_rule_description": "detect xxmm in memory",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "9341": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "yarahub_win_mystic_stealer_bytecodes_sep_2023",
            "yara_rule_author": "Matthew @ Embee_Research",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2025-01-03 19:24:58"
        }
    ],
    "9342": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "yodasProtector102103AshkbizDanehkar",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-24 03:33:05"
        }
    ],
    "9343": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "yodasProtector102AshkibizDanehlar",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-24 03:33:05"
        }
    ],
    "9344": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "yodasProtectorV1032AshkbizDanehkar",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-24 03:33:05"
        }
    ],
    "9345": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "YodasProtectorv1032Beta2AshkbizDanehkar",
            "yara_rule_author": "malware-lu",
            "yara_rule_reference": null,
            "yara_rule_description": null,
            "last_hit_utc": "2023-10-24 03:33:05"
        }
    ],
    "9346": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ysoserial_Payload_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://github.com/frohoff/ysoserial",
            "yara_rule_description": "Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "9347": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Ysoserial_Payload_3_RID2E87",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://github.com/frohoff/ysoserial",
            "yara_rule_description": "Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin",
            "last_hit_utc": "2025-10-28 13:45:52"
        }
    ],
    "9348": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "zhLookUp",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "9349": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "zhmimikatz",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "9350": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ZhoupinExploitCrew",
            "yara_rule_author": "Cylance",
            "yara_rule_reference": null,
            "yara_rule_description": "http://cylance.com/opcleaver",
            "last_hit_utc": "2025-10-28 13:45:53"
        }
    ],
    "9351": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "zipExec",
            "yara_rule_author": "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>",
            "yara_rule_reference": "https://github.com/Tylous/ZipExec",
            "yara_rule_description": "Detects zipExec Golang Loader/Crypter",
            "last_hit_utc": "2022-11-01 15:20:04"
        }
    ],
    "9352": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "zip_img_stego",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": "",
            "yara_rule_description": "This rule attempts to identify ZIP (and JAR, APK, DOCX, etc.) archives embedded within various image filetypes.",
            "last_hit_utc": "2022-02-04 10:27:03"
        }
    ],
    "9353": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "zip_iso_stego",
            "yara_rule_author": "jeFF0Falltrades",
            "yara_rule_reference": null,
            "yara_rule_description": "This rule identifies a specific phishing technique of sending ISO file attachments containing ZIP (and JAR, APK, DOCX, etc.) archives which in turn contain malicious executables.",
            "last_hit_utc": "2025-06-16 16:39:32"
        }
    ],
    "9354": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "zloader",
            "yara_rule_author": "Felix Bilstein",
            "yara_rule_reference": "https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/parsers/mwcp/Zloader.py",
            "yara_rule_description": "ZLoader",
            "last_hit_utc": "2025-01-03 20:07:02"
        }
    ],
    "9355": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Zloader",
            "yara_rule_author": "kevoreilly, enzok",
            "yara_rule_reference": null,
            "yara_rule_description": "Zloader Payload",
            "last_hit_utc": "2025-01-03 23:03:45"
        }
    ],
    "9356": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "zloader_new_bin",
            "yara_rule_author": "James_inthe_box",
            "yara_rule_reference": "3e39f52e05238299ed622b996be05792b025d18bc56c878d772ee9002fef1015",
            "yara_rule_description": "zloader_new odd",
            "last_hit_utc": "2021-09-21 21:06:06"
        }
    ],
    "9357": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ZxShell_Jul17",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell - CN threat group",
            "last_hit_utc": "2022-10-05 10:04:02"
        }
    ],
    "9358": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "ZxShell_Related_Malware_CN_Group_Jul17_3",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": "https://blogs.rsa.com/cat-phishing/",
            "yara_rule_description": "Detects a ZxShell related sample from a CN threat group",
            "last_hit_utc": "2024-03-01 14:47:03"
        }
    ],
    "9359": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "Z_WebShell",
            "yara_rule_author": "NCSC",
            "yara_rule_reference": "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
            "yara_rule_description": "Detects Z Webshell from NCSC report",
            "last_hit_utc": "2022-10-05 10:04:03"
        }
    ],
    "9360": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_1_c2007_php_php_c100_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files 1.txt, c2007.php.php.txt, c100.php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ],
    "9361": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_Bitchin_Threads_",
            "yara_rule_author": "yarGen Yara Rule Generator by Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Auto-generated rule on file =Bitchin Threads=.exe",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "9362": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_c99shell_v1_0_php_php_c99php_SsEs_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ],
    "9363": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ],
    "9364": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_FsHttp_FsPop_FsSniffer",
            "yara_rule_author": "Florian Roth",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "9365": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_FsHttp_FsPop_FsSniffer",
            "yara_rule_author": "Florian Roth (Nextron Systems)",
            "yara_rule_reference": null,
            "yara_rule_description": "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe",
            "last_hit_utc": "2025-10-28 13:43:46"
        }
    ],
    "9366": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_r577_php_php_r57_Shell_php_php_spy_php_php_s_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ],
    "9367": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ],
    "9368": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_Ransom_Maze",
            "yara_rule_author": "Christiaan Beek @ McAfee ATR",
            "yara_rule_reference": null,
            "yara_rule_description": "Detecting MAZE Ransomware",
            "last_hit_utc": "2020-08-06 08:06:53"
        }
    ],
    "9369": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_webadmin_php_php_iMHaPFtp_php_php_Private_i3lue_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files webadmin.php.php.txt, iMHaPFtp.php.php.txt, Private-i3lue.php.txt",
            "last_hit_utc": "2023-08-29 13:01:03"
        }
    ],
    "9370": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ],
    "9371": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ],
    "9372": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ],
    "9373": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ],
    "9374": [
        {
            "sample_cnt": 1,
            "yara_rule_name": "_w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php",
            "yara_rule_author": "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls",
            "yara_rule_reference": null,
            "yara_rule_description": "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt",
            "last_hit_utc": "2025-06-16 15:19:30"
        }
    ]
}