@r00tten
Last active December 25, 2019 11:26
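rule Risk {
    meta:
        author = "Mert Degirmenci"
        description = "YARA rule for the files whose hash is one of the below"
        date = "12.11.2019"
        hash1 = "c40d59f85e1b4bacf10643b535da804af2e99caba91ab860b221121e24a2a9bb"
        hash2 = "11455bc66548fd161362d300d24c6539c36c7b236aafd4f457d8ee2d8b6c9262"
        hash3 = "29659dd2cd05d0e3c97c2fd3687644a78622ad487178901cb67f14be314c168b"
        hash4 = "3c3b311505b8a3b280024d05017ff9edcb19e193c1760cac099d09fb165e93d7"
        hash5 = "6822a44b8ae526747479d59ea775b7dc5758880469f802caa9ad4ceade2218df"
        hash6 = "b0a8c2cb1e0afb0cdef74f983c4f16be2bcd87a93b3d3aa8cad21ec85d29153e"
        hash7 = "f7c2cd67d1a009454facf8ab9b0cbee0c9a53644cae7bbd4bc952917ec19522b"

    strings:
        // Type name the loader resolves from the in-memory assembly
        // (ldstr "GuitarLibX.Hide_GuitarX" in the IL listing below).
        // ldstr operands are stored in the #US heap as UTF-16, so 'ascii'
        // alone cannot match that occurrence; 'wide' is added to cover it
        // and 'ascii' is kept for any UTF-8 copy (e.g. a metadata type name).
        $s_guitar = "Hide_GuitarX" ascii wide

        // $sv_*: the UTF-8 encoding of the first characters of the
        // obfuscated string constants quoted in the comment above each one
        // (e.g. da af = U+06AF, d9 88 = U+0648). Any one of them is enough
        // for the condition below.
        //گ7ێو4ئوپڤچێ7ۆچ3ڤ31ث4ئ0ڕڕثئ53ئ58ژگ30235ەئێو4ۆ343ۆئە1ێ8ئ6427ڕ0و05204چو8ث36گ6چ44ۆڤڕگ305ێ4ڵێ6485چ150ڵۆڵ7ڕژۆثچ34ث0ثپچگپڕ08پڵ5ەوڵێث7ە3ث8ە11چپ80ڤەڵ8گ044گژچژڕ1ڵ111687پ0ژثپ14و748ە8ژ3پ5631گ1
        $sv_PA = { da af 37 db 8e d9 88 34 d8 a6 d9 88 d9 be da a4 }
        //3ڤ05ێئ5ڤڤ4ڵ3ڵ5ەە6ژڕ7ەژ83ڵ8ڵ8ئ58ئ2ڕو0ێڵ2ڵ36گ077ەئڤێڤ1ژ5ڤوڤ5وڕ16و24وپێڵ2ۆگ33ئژثگ5چ1وژ8وە263پۆگئڵ55ڤ14چ6ۆ15ثۆ711ثەئ84چوڵگگڤ0ئژڵچ2ڕە7ە7گچڕ1ڤ2چ6ێگپڕ238گگ6ڤگۆەە831ێەگ613وۆ6چ2ۆث07ڤێۆچ7330
        $sv_PA_GLV = { 33 da a4 30 35 db 8e d8 a6 35 da a4 da a4 34 da }
        //47ڵژڕو3606ژڵ45ژو5گچڵوڵ55ثڵ14پگ3پەڵ1ڵ1ڕ520ڤو6ڵ30ڕ0چچۆژگئەث1گ4175ڕۆگئوئ71چچ554ئ7وە5ژێڵ4107ەگژپ5پپ22ث4ث0ەث268چچڤگئئەث8ڕ2گژڵ4ێپ4ڤ13ڤ5ۆۆثئە2ڤوڤچ4ثپگ7ڕڕ33ث38ە1ەڕگەڕئڕڕپ3ژەثپپگژ6ێ50گ45ثچڕ
        $sv_F7 = { 34 37 da b5 da 98 da 95 d9 88 33 36 30 36 da 98 }
        //ثۆڤڵ2ێ76ڕپچ44ەپ4ە2147ڤ5ڤە20ووپئڤڤ6ڤژ3731پگڵڵڵێوگ27378ث8ڤەپئ80چڤڕ5پە630ثو7پ3ڤثوپۆگڕ1گەڕچژ7پئ243ثژ5ڕ0ژ7ڵ0ۆ6گ87ەژژ78ث0و6ۆ80ڵ583ژوچئ8ە2530ئ61چڤ6ڕ0ئڵچڕ33ئ2ڤ3ە88ۆڤ51ڤ548830ئگ622وچثگ51ڵئێ
        $sv_B0 = { d8 ab db 86 da a4 da b5 32 db 8e 37 36 da 95 d9 }
        //05ڕ1ث2ێ6چڵ2ثگژڤە1ڕ62ژڕڤ632ث6437ژ36ێپێ4و4ۆ6125ێژژگە31ڵچڤگەگ7گ0وۆ4چڕوڤێڵۆ56ثچچ05ثڤە1ڵڤ8ڕ8ئو52568ێ445ۆچ66ێ7ێ74گپ73ڵوگۆ76چ4وەئێو3ڕ7764433ڵ0گژچوثڵچئگثڕڤڤ6ڕ7ێپ3ە325ئ785ڤڕئپ2532ڵەێ26284ەڤ
        $sv_68 = { 30 35 da 95 31 d8 ab 32 db 8e 36 da 86 da b5 32 }
        //8ڕ812گو64گژ4ە1ڤگ4گڤۆژچچگچوپێ7ڵ775ڵ8ژڤ7ۆۆپ1ڕ7ۆ8385ئئ5ئئ3گ1چثگوۆ8ەڵڵ742ث56ەژث3ە1ڕ00ثگ4ەث423038533727ڵ1پ7ە3ەەڤ2ث8ثپەڵ4ە3ئپگ2ڕثۆە5پچ1ئپوێ0چ130ڵ8ڤث03ڤ32و8ڵێچ7ث745ێڵژە8ث783517ۆڤۆ1پ500و0چ
        $sv_3C = { 38 da 95 38 31 32 da af d9 88 36 34 da af da 98 }
        //082پ11ژپوەچئپەێگەڵێ1ژڤە3664گپ453158و15چەڕ37ڵئگ6ە6ڵچ5ۆ0ڕث17ئ36پپچژ4ڵێو63ژ77گ104چڵپڤڤڤڕپ0ث062214ژڕ3گثو627پ3ۆ6ێێچڵ6و23وڵڵوژێژچژێپ4ۆڤئ7ڕ3ڕچوچڤ4ۆۆگ6ثژ4و7ثث3ڕپ0ۆڵۆڵ52ە42ث0ێئۆۆگ482ێو4ڤڤپگ
        $sv_29 = { 30 38 32 d9 be 31 31 da 98 d9 be d9 88 db 95 da }

        // Loader sequence as disassembled from the sample: fetch a byte
        // array, Assembly.Load it, resolve the type by name, construct a
        // helper object.
        //484 05E8 call uint8[] Risk.Properties.pivXzWdzeJWjeaqOGHdveAHWAfZOfnJDIK::wjllPrhevNrbhVfoxikTPfvSRFDqBJfKVfax()
        //485 05ED call class [mscorlib]System.Reflection.Assembly [mscorlib]System.Reflection.Assembly::Load(uint8[])
        //486 05F2 stloc.0
        //487 05F3 ldloc.0
        //488 05F4 ldstr "GuitarLibX.Hide_GuitarX"
        //489 05F9 callvirt instance class [mscorlib]System.Type [mscorlib]System.Reflection.Assembly::GetType(string)
        //490 05FE stloc.1
        //491 05FF newobj instance void Risk.rqshchHfcppuYqLlgwoXsYYTEvaNyXyVr::.ctor()
        //492 0604 stloc.2
        // The exact CIL bytes of that listing (call, call, stloc.0, ldloc.0,
        // ldstr, callvirt, stloc.1, newobj, stloc.2). The embedded metadata
        // tokens (A4 00 00 06, A9 00 00 0A, BF 23 00 70, AA 00 00 0A,
        // 01 00 00 06) are specific to this build; replacing their low bytes
        // with ?? would survive a recompile at the cost of a looser match.
        $s_loadSeq = { 28 A4 00 00 06 28 A9 00 00 0A 0A 06 72 BF 23 00 70 6F AA 00 00 0A 0B 73 01 00 00 06 0C }

    condition:
        // MZ header, the type name, the loader IL, and at least one of the
        // obfuscated string constants.
        uint16(0) == 0x5a4d and $s_guitar and $s_loadSeq and any of ($sv_*)
}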
rule nanoCore {
    meta:
        author = "Mert Degirmenci"
        description = "Nano Core Client RAT variant"
        date = "25.12.2019"
        hash1 = "8d68e9e02e2289e0cc49f7b1dfe678a8b49ed4f02f31103907ec57ad3ecf59a1"

    strings:
        // CIL bytes of the mutex-acquisition loop. Deobfuscated source as
        // recovered by the author:
        //
        //   private static void smethod_21()
        //   {
        //       int num = 0;
        //       int num2 = Class24.smethod_22();
        //       for (int i = num; i <= num2; i += 250)
        //       {
        //           bool flag;
        //           Class8.mutex_0 = new Mutex(true, string.Format("Global\\{{{0}}}", Class24.smethod_2()), ref flag);
        //           if (flag)
        //           {
        //               return;
        //           }
        //           Thread.Sleep(250);
        //       }
        //       Class8.smethod_42();
        //   }
        //
        // Byte groups follow instruction boundaries (20 FA 00 00 00 is the
        // ldc.i4 250 step; 2A the early ret). Metadata tokens embedded in the
        // call/newobj/box/stsfld operands are specific to this build.
        $il_mutex_loop = {
            16 28 46 01 00 06 18 2D 07 26 1B 2D 06 26 2B 4A
            0C 2B F7 0B 2B F8
            17 20 67 22 D0 1E 28 FF 00 00 06 28 32 01 00 06
            8C 48 00 00 01 28 5C 00 00 0A 12 00 73 DD 00 00 0A
            1A 2D 06 26 06 2C 0A 2B 07 80 35 00 00 04 2B F4 2A
            20 FA 00 00 00 28 DE 00 00 0A
            07 20 FA 00 00 00 58 0B 07 08 31 B8
            28 88 00 00 06
        }

        // 32-byte constant taken from the sample; the author labelled it
        // "res" but did not document what it is.
        $blob_res = {
            10 00 00 00 E8 99 3F 18 32 75 76 2F 58 EE CA 83
            35 F6 61 35 18 5D 01 00 78 1E 89 C0 2B 22 B3 76
        }

    condition:
        // MZ header plus both byte patterns.
        uint16(0) == 0x5a4d and $il_mutex_loop and $blob_res
}