Andre Tavares andretavare5
andretavare5
/ win_colibriloader.yara
Last active
March 24, 2023 14:00
Yara rule to detect ColibriLoader malware.
View win_colibriloader.yara
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule win_colibriloader : loader | |
| { | |
| meta: | |
| author = "andretavare5" | |
| description = "ColibriLoader malware" | |
| org = "BitSight" | |
| date = "2022-11-22" | |
| md5 = "f1bbf3a0c6c52953803e5804f4e37b15" | |
| reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri" | |
| license = "CC BY-NC-SA 4.0" |
andretavare5
/ win_packed_colibriloader.yara
Last active
March 24, 2023 14:01
Yara rule to detect packed ColibriLoader malware.
View win_packed_colibriloader.yara
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule win_packed_colibriloader : packed loader | |
| { | |
| meta: | |
| author = "andretavare5" | |
| description = "Packed ColibriLoader malware" | |
| org = "BitSight" | |
| date = "2022-09-21" | |
| md5 = "e0a68b98992c1699876f818a22b5b907" | |
| reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri" | |
| license = "CC BY-NC-SA 4.0" |
andretavare5
/ win_matanbuchus.yara
Last active
March 24, 2023 14:02
Yara rule to detect Matanbuchus malware.
View win_matanbuchus.yara
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule win_matanbuchus : loader | |
| { | |
| meta: | |
| author = "andretavare5" | |
| description = "Detects Matanbuchus MaaS loader and core" | |
| org = "BitSight" | |
| date = "2022-07-07" | |
| md5 = "8fc15b030254c0d49f18d06c696d6986" |
andretavare5
/ privateloader_str_decrypt.py
Last active
October 4, 2022 10:14
Script that decrypts most of PrivateLoader stack strings - https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/
View privateloader_str_decrypt.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pefile | |
| import struct | |
| from capstone import * | |
| def extract_var(op): | |
| if ']' in op: | |
| op = ''.join(op.split(' ')[-1])[:-1].replace('[', '') | |
| return op | |
| def search(instructions, var): |
andretavare5
/ win_privateloader.yara
Last active
March 24, 2023 14:03
Yara rule to detect PrivateLoader malware.
View win_privateloader.yara
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule win_privateloader : loader | |
| { | |
| meta: | |
| author = "andretavare5" | |
| org = "BitSight" | |
| date = "2022-06-06" | |
| md5 = "8f70a0f45532261cb4df2800b141551d" | |
| reference = "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service" | |
| license = "CC BY-NC-SA 4.0" | |