Rules for extra stuff (still useful)

dehoisted · Jul 4, 2021 · d7881fb · d7881fb
1 parent 5a8f10e
commit d7881fb
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 0 deletions.
diff --git a/Extra/anti_vm.yar b/Extra/anti_vm.yar
@@ -0,0 +1,37 @@
+rule anti_vm {
+    meta:
+        description = "Checks for vm names and paths used to detect virtual machines"
+        type = "Anti VM/Debug"
+    strings:
+       $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
+       $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
+       $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion" nocase
+       $s4 = "SYSTEM\\CurrentControlSet\\Control\\SystemInformation" nocase
+       $s5 = "virtualbox" nocase
+       $s6 = "vmware" nocase
+       $s6 = "innotek gmbh"
+       $s7 = "SystemManufacturer"
+       $s8 = "SystemProductName"
+       $vbox = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide
+    condition:
+        any of them
+}
+
+rule anti_debug {
+    meta:
+        description = "Detects tools for analyzing files/anti debug tools"
+        type = "Anti VM/Debug"
+    strings:
+        $f1 = "procmon.exe" nocase
+        $f2 = "processmonitor.exe" nocase
+        $f3 = "wireshark.exe" nocase
+        $f4 = "fiddler.exe" nocase
+        $f5 = "ollydbg.exe" nocase
+        $f6 = "winhex.exe" nocase
+        $f7 = "processhacker.exe" nocase
+        $ex1 = "CheckRemoteDebuggerPresent"
+        $ex2 = "IsDebuggerPresent"
+        $ex3 = "IsDebugged"
+    condition:
+        any of them
+}
diff --git a/Extra/basic_file_sig.yar b/Extra/basic_file_sig.yar
@@ -0,0 +1,49 @@
+// If something is detected here, it doesn't automatically mean the file is malware of course
+
+import "pe"
+
+rule IsPE32
+{
+    meta:
+	   description = "Checks if architecture is 64 bit"
+       type = "PECheck"
+	condition:
+		uint16(0) == 0x5A4D and
+		uint16(uint32(0x3C)+0x18) == 0x010B
+}
+
+rule IsPE64
+{
+    meta:
+	   description = "Checks if architecture is 64 bit"
+       type = "PECheck"
+	condition:
+		uint16(0) == 0x5A4D and
+		uint16(uint32(0x3C)+0x18) == 0x020B
+}
+
+rule NATIVE_DLL
+{
+	meta:
+	   description = "Checks if file is a native DLL"
+	condition:
+		uint16(0) == 0x5A4D and
+		(uint16(uint32(0x3C)+0x16) & 0x2000) == 0x2000
+
+}
+
+rule DOTNET_EXE
+{
+    meta:
+	   type = "DOTNET"
+	condition:
+		pe.imports("mscoree.dll", "_CorExeMain")
+}
+
+rule DOTNET_DLL
+{
+    meta:
+	   type = "DOTNET"
+	condition:
+		pe.imports("mscoree.dll", "_CorDllMain")
+}
diff --git a/Extra/discord_token_logger.yar b/Extra/discord_token_logger.yar
@@ -0,0 +1,13 @@
+rule Discord_Token_Logger {
+    meta:
+        description = "Detects discord token logger"
+        type = "Malware/Gather Info"
+    strings:
+        $path1 = "\\Discord\\Local Storage\\leveldb"
+        $path2 = "\\Lightcord\\Local Storage\\leveldb"
+        $path3 = "\\Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb"
+        $path4 = "\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Local Storage\\leveldb"
+        $lb = "\\Local Storage\\leveldb"
+    condition:
+        any of them
+}