rule win_privateloader
{
    meta:
        author = "andretavare5"
        description = "Detects PrivateLoader malware."
        org = "Bitsight"
        date = "2024-01-29"
        sample1_md5 = "8f70a0f45532261cb4df2800b141551d" // loader module Jan 2022
        sample2_md5 = "dbf48bf522a272297266c35b965c6054" // service module Nov 2023
        sample3_md5 = "51bb70b9a31d07c7d57da0c5b26545d4" // core module Dec 2023
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BST MALWARE PrivateLoader"; flow:established,to_server; content:"POST"; http_method; pcre:"/(\/api\/(flash|firepro)\.php)/U"; pcre:"/data=[A-Za-z0-9%_-]+={0,2}/"; content:"application/x-www-form-urlencoded"; http_header; reference:url,https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service; sid:2008025;)
GET /api/bing_release.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Host: 77.105.147[.]130

HTTP/1.1 200 OK
Date: Mon, 05 Feb 2024 10:15:18 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Content-Length: 8
def decompress(data, size):
    # Bit-reader step used by the decompressor: acu_0 holds the current
    # 16-bit control word, acu_1 counts the bits still unread in it and
    # index is the read offset into array.
    def core(acu_0, acu_1, array, index):
        tmp_acu_1 = acu_1
        acu_1 = (acu_1 - 1) & 0xFFFFFFFF  # 32-bit wrap, as in the native code
        if tmp_acu_1 == 0:
            # Control word exhausted: load the next little-endian 16-bit word
            # and reset the bit counter to 15.
            acu_0 = ((array[index + 1] << 8) + array[index]) & 0xFFFFFFFF
            acu_1 = 0xF
            index += 2
        # Assumed: hand the updated reader state back to the caller.
        return acu_0, acu_1, index
version 8
client.timeout_connect 30
client.timeout_read 60
client.timeout_write 60
server.sleep_connect 30
server.timeout_connect 30
server.timeout_read 60
server.timeout_write 60
target.timeout_connect 30
target.timeout_read 60
version 12
download_period 100
needmacrs $xmrcpu
kills cores_gt_1
tasks cores_gt_1
grabb.download_id 9
grabb.ifs
grabb.size_min 200000
grabb.size_max 350000
grabb.run $grabb
rule win_tofsee
{
    meta:
        author = "akrasuski1"
        published_at = "https://gist.github.com/akrasuski1/756ae39f96d2714087e6d7f252a95b19"
        revision_by = "andretavare5"
        description = "Tofsee malware"
        org = "BitSight"
        date = "2023-03-24"
        md5 = "92e466525e810b79ae23eac344a52027"
def decrypt(enc_str, key1, key2):
    # Tofsee string decryption: XOR each byte of enc_str (a bytes object)
    # with a rolling key byte. After every byte the key advances by key2,
    # alternately +1 and -1, kept to 8 bits.
    out = []
    for i in range(len(enc_str)):
        out.append(key1 ^ enc_str[i])
        if i % 2:
            key1 = (key1 + key2 - 1) & 0xFF
        else:
            key1 = (key1 + key2 + 1) & 0xFF
    return bytes(out)
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"BitSight MALWARE Possible Tofsee Server Hello"; flow:established,from_server; dsize:200; flowbits:set,TOFSEE_C2_GREET; flowbits:noalert; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.tofsee; sid:2008025; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"BitSight MALWARE Tofsee Hello"; flow:established,from_client; dsize:125; flowbits:isset,TOFSEE_C2_GREET; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.tofsee; sid:2008026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"BitSight MALWARE ColibriLoader"; flow:established,to_server; content:"GET"; http_method; content:"gate.php?type=check&uid="; http_uri; pcre:"/^[a-zA-Z0-9]{20}$/V"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri; sid:2008025;)