Merge branch 'master' of https://github.com/Neo23x0/signature-base

Author: Neo23x0

iocs/filename-iocs.txt

@@ -1388,7 +1388,7 @@ AppData\\Roaming\\btecache\.dll;90
 \\cgi-bin\\admin\\login\.jsp;75
 \\cgi-bin\\axis2-web\\index\.jsp;75
 \\cgi-bin\\index\.jsp;75
-\\cmd[0-9]{,3}\\cmd\.jsp;75
+\\cmd[0-9]{0,3}\\cmd\.jsp;75
 \\cmdcmd\\cmdcmd\.jsp;75
 \\cmdjsp\\cmdjsp\.jsp;75
 \\coleman\\index\.jsp;75
@@ -1699,8 +1699,8 @@ AppData\\Adobe\\qpbqrx\.dat;80
 \\eof\.exe;100
 
 # Suspicious EXE DLL in Non-Executable directory
-\\(images|img|js|fonts|css|swf|themes|log|error_docs)\\[^\\"]{,20}\.(exe|dll)$;60
-\\(wp-admin|wp-content|wp-includes)\\[^\\"]{,20}\.(exe|dll);60
+\\(images|img|js|fonts|css|swf|themes|log|error_docs)\\[^\\"]{0,20}\.(exe|dll)$;60
+\\(wp-admin|wp-content|wp-includes)\\[^\\"]{0,20}\.(exe|dll);60
 
 # APT29 Post-Election Acitivty https://goo.gl/4nyX1e
 \\RWP_16-038_Norris\.ZIP;80

yara/apt_unc3886_virtualpita.yar

@@ -1,73 +1,67 @@
-
-rule M_APT_VIRTUALPITA_1
-{
-       meta:
-             author = "Mandiant"
-             md5 = "fe34b7c071d96dac498b72a4a07cb246"
-             description = "Finds opcodes to set a port to bind on 2233, encompassing the setsockopt(), htons(), and bind() from 40973d to 409791 in fe34b7c071d96dac498b72a4a07cb246 (may produce some FPs - comment by Florian Roth)"
-             modified = "2023-11-25"
-             score = 60  // reduced score by Florian Roth due to FPs
-             id = "bdfbe29a-f7db-50d9-a909-d4ca96cc0731"
-      strings:
-            $x = {8b ?? ?? 4? b8 04 00 00 00 [0 - 4] ba 02 00 00 00 be 01 00 00 00 [0 - 2] e8 ?? ?? ?? ?? 89 4? ?? 83 7? ?? 00 79 [0 - 50] ba 10 00 00 00 [0 - 10] e8}
-      condition:
-            uint32(0) == 0x464c457f and all of them  
+rule M_APT_VIRTUALPITA_1 {
+   meta:
+      author = "Mandiant"
+      md5 = "fe34b7c071d96dac498b72a4a07cb246"
+      description = "Finds opcodes to set a port to bind on 2233, encompassing the setsockopt(), htons(), and bind() from 40973d to 409791 in fe34b7c071d96dac498b72a4a07cb246 (may produce some FPs - comment by Florian Roth)"
+      modified = "2023-11-25"
+      score = 60  // reduced score by Florian Roth due to FPs
+      id = "bdfbe29a-f7db-50d9-a909-d4ca96cc0731"
+   strings:
+      $x = { 8b ?? ?? 4? b8 04 00 00 00 [0-4] ba 02 00 00 00 be 01 00 00 00 [0-2] e8 ?? ?? ?? ?? 89 4? ?? 83 7? ?? 00 79 [0-50] ba 10 00 00 00 [0-10] e8 }
+   condition:
+      uint32(0) == 0x464c457f and all of them
 }
 
-rule M_APT_VIRTUALPITA_2
-{
-       meta:
-             author = "Mandiant"
-             md5 = "fe34b7c071d96dac498b72a4a07cb246"
-             description = "Finds opcodes to decode and parse the recieved data in the socket buffer in fe34b7c071d96dac498b72a4a07cb246.  Opcodes from 401a36 to 401adc"
-             id = "6a59cc54-e1a0-594f-9efb-af63d5c05259"
-      strings:
-            $x = {85 c0 74 ?? c7 05 ?? ?? ?? ?? fb ff ff ff c7 8? ?? ?? ?? ?? 00 00 00 00 e9 ?? ?? ?? ?? 4? 8b 05 ?? ?? ?? ?? 4? 83 c0 01 4? 89 05 ?? ?? ?? ?? c7 4? ?? 00 00 00 00 e9 ?? ?? ?? ?? 8b 4? ?? 4? 98 4? 8d 9? ?? ?? ?? ?? 4? 8d ?? e0 4? 8b 0? 4? 89 0? 4? 8b 4? ?? 4? 89 4? ?? 8b 4? ?? 4? 98 4? 8d b? ?? ?? ?? ?? b? ?? ?? ?? ?? e8 ?? ?? ?? ?? c7 4? ?? 00 00 00 00 eb ?? 8b 4? ?? 8b 4? ?? 01 c1 8b 4? ?? 03 4? ?? 4? 98 0f b6 9? ?? ?? ?? ?? 8b 4? ?? 4? 98 0f b6 8? ?? ?? ?? ?? 31 c2 4? 63 c1 88 9? ?? ?? ?? ?? 83 4? ?? 01}
-      condition:
-            uint32(0) == 0x464c457f and all of them  
+rule M_APT_VIRTUALPITA_2 {
+   meta:
+      author = "Mandiant"
+      md5 = "fe34b7c071d96dac498b72a4a07cb246"
+      description = "Finds opcodes to decode and parse the recieved data in the socket buffer in fe34b7c071d96dac498b72a4a07cb246.  Opcodes from 401a36 to 401adc"
+      id = "6a59cc54-e1a0-594f-9efb-af63d5c05259"
+   strings:
+      $x = { 85 c0 74 ?? c7 05 ?? ?? ?? ?? fb ff ff ff c7 8? ?? ?? ?? ?? 00 00 00 00 e9 ?? ?? ?? ?? 4? 8b 05 ?? ?? ?? ?? 4? 83 c0 01 4? 89 05 ?? ?? ?? ?? c7 4? ?? 00 00 00 00 e9 ?? ?? ?? ?? 8b 4? ?? 4? 98 4? 8d 9? ?? ?? ?? ?? 4? 8d ?? e0 4? 8b 0? 4? 89 0? 4? 8b 4? ?? 4? 89 4? ?? 8b 4? ?? 4? 98 4? 8d b? ?? ?? ?? ?? b? ?? ?? ?? ?? e8 ?? ?? ?? ?? c7 4? ?? 00 00 00 00 eb ?? 8b 4? ?? 8b 4? ?? 01 c1 8b 4? ?? 03 4? ?? 4? 98 0f b6 9? ?? ?? ?? ?? 8b 4? ?? 4? 98 0f b6 8? ?? ?? ?? ?? 31 c2 4? 63 c1 88 9? ?? ?? ?? ?? 83 4? ?? 01 }
+   condition:
+      uint32(0) == 0x464c457f and all of them
 }
 
-rule M_APT_VIRTUALPITA_3
-{
-       meta:
-             author = "Mandiant"
-             md5 = "fe34b7c071d96dac498b72a4a07cb246"
-             description = "Finds opcodes from 409dd8 to 409e46 in fe34b7c071d96dac498b72a4a07cb246 to set the HISTFILE environment variable to 'F' with a putenv() after loading each character individually."
-             id = "29ea2db0-4ab2-5e9c-8d42-7590ceabf99a"
-      strings:
-            $x = {4? 8b 4? ?? c6 00 48 4? 8b 4? ?? 4? 83 c0 05 c6 00 49 4? 8b 4? ?? 4? 83 c0 01 c6 00 49 4? 8b 4? ?? 4? 83 c0 06 c6 00 4c 4? 8b 4? ?? 4? 83 c0 02 c6 00 53 4? 8b 4? ?? 4? 83 c0 07 c6 00 45 4? 8b 4? ?? 4? 83 c0 03 c6 00 54 4? 8b 4? ?? 4? 83 c0 08 c6 00 3d 4? 8b 4? ?? 4? 83 c0 04 c6 00 46 4? 8b 4? ?? 4? 83 c0 09 c6 00 00 4? 8b 7? ?? e8}
-      condition:
-            uint32(0) == 0x464c457f and all of them
+rule M_APT_VIRTUALPITA_3 {
+   meta:
+      author = "Mandiant"
+      md5 = "fe34b7c071d96dac498b72a4a07cb246"
+      description = "Finds opcodes from 409dd8 to 409e46 in fe34b7c071d96dac498b72a4a07cb246 to set the HISTFILE environment variable to 'F' with a putenv() after loading each character individually."
+      id = "29ea2db0-4ab2-5e9c-8d42-7590ceabf99a"
+   strings:
+      $x = { 4? 8b 4? ?? c6 00 48 4? 8b 4? ?? 4? 83 c0 05 c6 00 49 4? 8b 4? ?? 4? 83 c0 01 c6 00 49 4? 8b 4? ?? 4? 83 c0 06 c6 00 4c 4? 8b 4? ?? 4? 83 c0 02 c6 00 53 4? 8b 4? ?? 4? 83 c0 07 c6 00 45 4? 8b 4? ?? 4? 83 c0 03 c6 00 54 4? 8b 4? ?? 4? 83 c0 08 c6 00 3d 4? 8b 4? ?? 4? 83 c0 04 c6 00 46 4? 8b 4? ?? 4? 83 c0 09 c6 00 00 4? 8b 7? ?? e8 }
+   condition:
+      uint32(0) == 0x464c457f and all of them
 }
 
-rule M_APT_VIRTUALPITA_4
-{
-       meta:
-             author = "Mandiant"
-             md5 = "fe34b7c071d96dac498b72a4a07cb246"
-             description = "Finds opcodes from 401f1c to 401f4f in fe34b7c071d96dac498b72a4a07cb246 to decode text with multiple XORs"
-             id = "58d4db75-fcd5-50c2-93ba-a8a4718ac0f6"
-      strings:
-            $x = {4? 8b 4? ?? 4? 83 c1 30 4? 8b 4? ?? 4? 8b 10 8b 4? ?? 4? 98 4? 8b 04 ?? ?? ?? ?? ?? 4? 31 c2 4? 8b 4? ?? 4? 83 c0 28 4? 8b 00 4? c1 e8 10 0f b6 c0 4? 98 4? 8b 04}
-      condition:
-            uint32(0) == 0x464c457f and all of them
+rule M_APT_VIRTUALPITA_4 {
+   meta:
+      author = "Mandiant"
+      md5 = "fe34b7c071d96dac498b72a4a07cb246"
+      description = "Finds opcodes from 401f1c to 401f4f in fe34b7c071d96dac498b72a4a07cb246 to decode text with multiple XORs"
+      id = "58d4db75-fcd5-50c2-93ba-a8a4718ac0f6"
+   strings:
+      $x = { 4? 8b 4? ?? 4? 83 c1 30 4? 8b 4? ?? 4? 8b 10 8b 4? ?? 4? 98 4? 8b 04 ?? ?? ?? ?? ?? 4? 31 c2 4? 8b 4? ?? 4? 83 c0 28 4? 8b 00 4? c1 e8 10 0f b6 c0 4? 98 4? 8b 04 }
+   condition:
+      uint32(0) == 0x464c457f and all of them
 
 }
 
-rule M_Hunting_Python_Backdoor_CommandParser_1
-{
-      meta:
-            author = "Mandiant"
-            md5 = "61ab3f6401d60ec36cd3ac980a8deb75"
-            description = "Finds strings indicative of the vmsyslog.py python backdoor."
-            id = "15cbca01-24e6-5538-bcfd-c3222337aaf5"
-      strings:
-            $key1 = "self.conn.readInt8()" ascii
-            $key2 = "upload" ascii
-            $key3 = "download" ascii
-            $key4 = "shell" ascii
-            $key5 = "execute" ascii
-            $re1 = /def\srun.{,20}command\s?=\s?self\.conn\.readInt8\(\).{,75}upload.{,75}download.{,75}shell.{,75}execute/s
-      condition:
-            filesize < 200KB and all of them
+rule M_Hunting_Python_Backdoor_CommandParser_1 {
+   meta:
+      author = "Mandiant"
+      md5 = "61ab3f6401d60ec36cd3ac980a8deb75"
+      description = "Finds strings indicative of the vmsyslog.py python backdoor."
+      id = "15cbca01-24e6-5538-bcfd-c3222337aaf5"
+   strings:
+      $key1 = "self.conn.readInt8()" ascii
+      $key2 = "upload" ascii
+      $key3 = "download" ascii
+      $key4 = "shell" ascii
+      $key5 = "execute" ascii
+      $re1 = /def\srun.{0,20}command\s?=\s?self\.conn\.readInt8\(\).{,75}upload.{,75}download.{,75}shell.{,75}execute/s
+   condition:
+      filesize < 200KB and all of them
 }

yara/mal_coralwave_remcos_dropper.yar

@@ -0,0 +1,29 @@
+rule MAL_CoralWave_LenovoSPKVOL_RemcosMicDrop {
+    meta:
+        description = "CoralWave loader masquerading as Lenovo audio DLL. Drops Remcos RAT."
+        author = "xstp"
+        date = "2026-01-01"
+        reference = "https://bazaar.abuse.ch/sample/050edadedd7947bc6418f7856a29df5b7b5550bf5eec7f5f37e9a7e1713036f6/"
+        hash = "65302b435a5bc30e8f0215455679635ec50b5b1caba9e55f9258d17c7238be54"
+        score = 85
+
+    strings:
+        $stub_1 = "BAyXuHpAGwdG8ebXF3GvZ32vO3ORY" ascii
+        $stub_2 = "IK5HT1XPlj3LoFkKi3YC4QwYQs7s" ascii
+        $stub_3 = "Xmk61GHDjDfjUjJhNjwDPXxM1Cdg" ascii
+
+        $fake_1 = "GetVolumeLevel" ascii
+        $fake_2 = "OpenSpeakerVolumeInterface" ascii
+        $fake_3 = "SetMuteState" ascii
+
+        $mutex = "Rmc-245S33" wide ascii
+        $log_file = "logs.dat" wide ascii
+        $audio_folder = "MicRecords" wide ascii
+
+    condition:
+        filesize < 5MB and uint16(0) == 0x5A4D and
+        (
+            2 of ($stub_*) or
+            (2 of ($fake_*) and 1 of ($mutex, $log_file, $audio_folder))
+        )
+}

yara/mal_etoroloro_nodepackage_dec25.yar

@@ -0,0 +1,27 @@
+
+rule MAL_Etoroloro_Malicious_NodePackage_Dec25 {
+   meta:
+      description = "Detects malicious component of node package named Etoroloro"
+      reference = "Internal Research"
+      author = "Pezier Pierre-Henri"
+      date = "2025-12-12"
+      score = 80
+      hash = "f08c5b748c91dd45fd73c5e85920f656e361d94b869e2147410b2b528c6ae78f"
+   strings:
+      $s1 = "DLLSideload."
+      $s2 = "Failed to expand path:" wide
+      $op1 = {
+         41 0f af c0           // imul    eax, r8d
+         48 8d 52 01           // lea     rdx, [rdx+1]
+         0f b6 c9              // movzx   ecx, cl
+         45 69 c0 35 d4 04 00  // imul    r8d, 4D435h
+         03 c1                 // add     eax, ecx
+         0f b6 0a              // movzx   ecx, byte ptr [rdx]
+         84 c9                 // test    cl, cl
+         75 e5                 // jnz     short loc_1800022C0
+      }
+   condition:
+      uint16(0) == 0x5a4d
+      and (all of ($s*) or $op1)
+}
+