@andretavare5
andretavare5 / win_colibriloader.yara
Last active March 24, 2023 14:00
Yara rule to detect ColibriLoader malware.
rule win_colibriloader : loader
{
    meta:
        author = "andretavare5"
        description = "ColibriLoader malware"
        org = "BitSight"
        date = "2022-11-22"
        md5 = "f1bbf3a0c6c52953803e5804f4e37b15"
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
        license = "CC BY-NC-SA 4.0"
@andretavare5
andretavare5 / win_packed_colibriloader.yara
Last active March 24, 2023 14:01
Yara rule to detect packed ColibriLoader malware.
rule win_packed_colibriloader : packed loader
{
    meta:
        author = "andretavare5"
        description = "Packed ColibriLoader malware"
        org = "BitSight"
        date = "2022-09-21"
        md5 = "e0a68b98992c1699876f818a22b5b907"
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
        license = "CC BY-NC-SA 4.0"
@andretavare5
andretavare5 / win_matanbuchus.yara
Last active March 24, 2023 14:02
Yara rule to detect Matanbuchus malware.
import "pe"

rule win_matanbuchus : loader
{
    meta:
        author = "andretavare5"
        description = "Detects Matanbuchus MaaS loader and core"
        org = "BitSight"
        date = "2022-07-07"
        md5 = "8fc15b030254c0d49f18d06c696d6986"
andretavare5 / privateloader_str_decrypt.py
import pefile
import struct
from capstone import *

def extract_var(op):
    # For a bracketed memory operand, keep only the last token inside the
    # brackets (e.g. 'dword ptr [ebp - 0x10]' -> '0x10', '[eax]' -> 'eax').
    if ']' in op:
        op = ''.join(op.split(' ')[-1])[:-1].replace('[', '')
    return op

def search(instructions, var):
@andretavare5
andretavare5 / win_privateloader.yara
Last active March 24, 2023 14:03
Yara rule to detect PrivateLoader malware.
rule win_privateloader : loader
{
    meta:
        author = "andretavare5"
        org = "BitSight"
        date = "2022-06-06"
        md5 = "8f70a0f45532261cb4df2800b141551d"
        reference = "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service"
        license = "CC BY-NC-SA 4.0"