Messing with a couple of anomaly rules for #100daysofyara
1. Packer related API strings and no import
Rule: github.com/mgreen27/100...
2. Downloader related API strings and no import
Rule: github.com/mgreen27/100...
#100daysofyara hunting inspired from a sample share from VT
1. Microsoft Teams without a MS cert
2. Detect cert metadata
github.com/mgreen27/100...
3. Anomaly detection for PE files with large difference between physical and virtual size of a section
github.com/mgreen27/100...
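As an added example (not the rule linked above), one way to express the section-size anomaly from item 3 with the YARA pe module; the 10x ratio and the 64 KiB floor are assumed thresholds to tune against your own corpus:

```yara
import "pe"

// Added example, not the linked rule: flag a PE section whose on-disk (raw)
// size and in-memory (virtual) size differ by a large factor. The 10x ratio
// and 0x10000 floor are assumptions chosen to suppress tiny sections.
rule pe_section_raw_virtual_size_mismatch
{
    meta:
        description = "PE section with a large gap between raw and virtual size"
        author = "added example"
    condition:
        uint16(0) == 0x5A4D and
        pe.number_of_sections > 0 and
        for any section in pe.sections : (
            // virtual size far larger than raw size: space reserved for code
            // that only exists after unpacking at runtime
            (section.virtual_size > 0x10000 and
             section.virtual_size > section.raw_data_size * 10)
            or
            // raw size far larger than virtual size: bytes on disk that are
            // never fully mapped, a common place to hide an embedded payload
            (section.raw_data_size > 0x10000 and
             section.raw_data_size > section.virtual_size * 10)
        )
}
```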
#100DaysofYara Day 23
Socks5Systemz, sample from the bazaar. 32-bit installer for the tool, based on the compilation information, strings for "\silent" and "\verysilent", and mentions of Inno Setup, used to create Windows installers.
www.bitsight.com/blog/unveili...
github.com/augustvansic...
#100DaysOfYara Day 24
A QakBot spotted in the wild (2025)
Some easy strings for dangerous API calls for encryption and WSA calls for connection functionality, an IP that upon review looks like it's hosting a C2 (web ports with firewall deny all w/exceptions likely)
github.com/augustvansic...
#100DaysofYara Day 14
This sample is a PE32 DLL that is designed for the I386 arch, in C++. I used some more hex strings this time, looks like this is either mimicking a game DLL or pretending to be. Sample was tagged to WannaCry.
github.com/augustvansic...
yara-x dump
#100daysofyara
more yara-x > Dumping a RedCurl malware PE I saw Rich Header and thought I would give it a try.
Rule: github.com/mgreen27/100...
#100DaysOfYara Day 13
A macOS Mach-O binary from MalwareZoo: Backdoor/Worm
Some of the API calls are not core library referenced and could prevent inclusion in the App Store, so I added them as ASCII strings.
Also added some dylib strings
github.com/augustvansic...
#100DaysOfYara Day 12
Today's sample was a PE32 DLL tagged to DarkTortilla. Strings, strings and more strings made this one easy to make a rule, didn't need to throw it in Binja. A couple rules were based on environmental condition requests, signs of host enumeration.
github.com/augustvansic...
#100DaysOfYara Day 11
I got some exposure to Android APK Lua malware. Interesting file structure and execution flow, I used this resource for some help on understanding the basics and to learn about some specialized tools:
par.nsf.gov/servlets/pur...
and
Rule:
github.com/augustvansic...
#100DaysOfYara Day 10
Today's sample was a sample of Storm Kitty, an open-source stealer/keylogger written in C++; logs are sent to a Telegram address which you can see in the strings.
malpedia.caad.fkie.fraunhofer.de/details/win....
github.com/augustvansic...
#100daysofyara sometimes simple rules work really well!
In an IR last week, we discovered and stopped an in-progress exfil. This process rule detects the in-memory renamed rclone - should be cross-platform.
Rule: github.com/mgreen27/100...
#100daysofyara This rule detects PE files with SUBSYSTEM_WINDOWS_GUI and no Window API function import.
Rule: github.com/mgreen27/100...
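An added example of the same idea (not the linked rule): a GUI-subsystem executable that imports nothing from user32.dll, where a genuine GUI program would create windows and pump messages. The DLL and .NET exclusions are assumptions added here to suppress two common benign cases:

```yara
import "pe"

// Added example, not the linked rule: SUBSYSTEM_WINDOWS_GUI declared but no
// user32.dll imports. Exclusions below are assumptions: DLLs inherit their
// host's subsystem, and managed executables import only mscoree!_CorExeMain.
rule pe_gui_subsystem_no_user32_imports
{
    meta:
        description = "PE with SUBSYSTEM_WINDOWS_GUI and no user32.dll imports"
        author = "added example"
    condition:
        uint16(0) == 0x5A4D and
        pe.subsystem == pe.SUBSYSTEM_WINDOWS_GUI and
        // executables only; a DLL's subsystem field is uninformative
        (pe.characteristics & pe.DLL) == 0 and
        // pe.imports(dll) returns the number of functions imported from that DLL
        pe.imports("user32.dll") == 0 and
        // skip .NET assemblies, whose only native import is mscoree.dll
        pe.imports("mscoree.dll") == 0
}
```

Hits are a triage queue rather than a verdict: console tools mislabelled as GUI and statically linked UI frameworks will also surface, so review the section layout and strings of each match.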
#100DaysOfYara
Day 15
I had more to say than what allows in a post here so it's on medium @ : medium.com/@august.vans...
#100daysofyara MSC files appear to store their icons inside a BinaryStorage field. Today's rule hits on a suspicious PDF icon.
Rule: github.com/mgreen27/100...
#100DaysOfYara Day 16
Today's sample: a PE64 EXE tagged to SpyLyRAT
Some unique loads in this directly from github.
And some common API calls that are commonly used for manipulating processes.
github.com/augustvansic...
#100DaysOfYara Day 17
Sliver Beacon EXE
Sliver uses MinGW to compile beacons, and it was definitely in strings, so I added that rule. String for sleep - time based evasion, a couple of other hardcoded strings.
I did some dynamic analysis and the domain drops payloads too.
This #100daysofyara rule looks for a PE with an unusual NumberOfRvaAndSizes attribute
github.com/mgreen27/100...
#100DaysOfYara Day 18
Happy Saturday (Go Chiefs)
Today I did a quick rule for a sample of Redline, a 32-bit PE. A lot was obfuscated with this sample, but there were some C# .NET calls to use for rules.
github.com/augustvansic...
#100DaysOfYara Day 19
PE64 DLL with a lot of capability, tagged to legion loader.
github.com/augustvansic...
Today's #100daysofyara rule looks for a PE file with an unusual debug info type. YARA doesn't directly expose these debug structures so I had to search for the RSDS header and find the type field by offset.
github.com/mgreen27/100...
#100DaysOfYara Day 21
Cobalt Strike Beacon of the EXE flavor
References from Tech Company from China in strings, debugger enum, executable called and a close handle on a variable. Interesting: icon for binary is Apple, compiled for Windows/PE64 and Windows API libs
github.com/augustvansic...
#100daysofyara today's rule detects a patched clr.dll in-memory AmsiScanBuffer bypass. My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection.
Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...
My first YARA rule for #100daysofyara 2025, designed to detect Qbit Stealer.
Second Qbit rule, designed to detect calling cards from the developer.
I finally got around to making my first contribution to #100DaysofYARA 2025 with two YARA rules. My first rule looks to detect Qbit Stealer, a Golang stealer which never really took off. My second rule is designed to hunt various "calling cards" the developer left, which might find related malware.
#100DaysOfYara Day 22
Today I dug into Binlex. Binlex extracts instructions, basic blocks, and functions from binary files and organizes them into a structured hierarchy. I'm still working on learning the rule syntax with blyara to create rules.
github.com/augustvansic...
Introducing: What is this stealer?
A new repository that allows for you to identify Stealer family by the system information text file format commonly included in stealer malware exfiltration logs. Includes Yara rules!
Check it out and contribute!
github.com/MalBeacon/wh...
#100DaysofYARA wanna track DPRK Mach-O maldevs but don't wanna dump strings or reverse anything?
track their dependency and permission preferences!
github.com/100DaysofYAR...
#100DaysofYARA throwback to @0xkyle.bsky.social and I finding a weird payload getting dropped by UNK_SweetSpector - it was like a weird cross-mutation of SugarGh0st and what Unit42 called TunnelSpecter and SweetSpecter. The payload uses the Incognito framework for token forgery
github.com/100DaysofYAR...
#100daysofyara today's post is generic and looking at LNK files. Finding samples with specific attributes that may not be parsed (or dumped by yara-x) can be difficult. This rule finds LNK files with the rare-in-the-field CodePage language setting.
Rules: github.com/mgreen27/100...
x: @RustyNoob619
#100DaysofYARA Day 5
Added a couple of new YARA rules for TTPs
First is to detect embedded Windows PE payloads in a file as Base64 encoding
Second is to spot modification of memory protect flags, which is typically used for code injection/unpacking
github.com/RustyNoob-61...
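Added examples for the two TTPs above (not the linked rules): the first relies on YARA's base64 modifier, which searches all three encoding alignments of a string, so the DOS stub text of any embedded PE is found regardless of where the base64 blob starts; the second checks the imports that change page protection. The API list is an assumption and can be extended.

```yara
import "pe"

// Added example, not the linked rule: a PE embedded as base64. Every PE
// carries the DOS stub text, and the base64 modifier expands the string
// into its three possible encodings so alignment of the blob doesn't matter.
rule embedded_pe_base64_encoded
{
    meta:
        description = "Base64-encoded Windows PE embedded in a file"
        author = "added example"
    strings:
        $dos_stub = "This program cannot be run in DOS mode" base64
        $dos_stub_wide = "This program cannot be run in DOS mode" base64wide
    condition:
        any of them
}

// Added example, not the linked rule: imports that change memory protection,
// the usual prelude to executing unpacked or injected code. The list of
// APIs below is an assumption; add others your environment sees.
rule memory_protection_change_imports
{
    meta:
        description = "PE imports page-protection APIs used in unpacking/injection"
        author = "added example"
    condition:
        uint16(0) == 0x5A4D and
        (
            pe.imports("kernel32.dll", "VirtualProtect") or
            pe.imports("kernel32.dll", "VirtualProtectEx") or
            pe.imports("ntdll.dll", "NtProtectVirtualMemory")
        )
}
```

The import rule alone is noisy (loaders, JIT runtimes and protectors all use VirtualProtect), so pair it with other signals such as the absence of a normal import table or a high-entropy section before treating a hit as suspicious.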