Hello! This repository contains a set of my detection rules, written to improve detection and hunting visibility and context. Where applicable, each YARA rule carries a description naming the malware family and variant it covers.
The YARA-rules directory contains the following YARA rules:
- Anti-VM.yara - Identifies anti-virtual machine checks.
- Exhaust_RAT.yara - This rule detects Exhaust RAT malware samples.
- Meta_STEALER.yara - Detection rules for Metastealer malware.
- PikaBot_V3_LOADER.yara - Detection rules for the PikaBot version 3 malware.
- Pikabot_V1&V2_LOADER.yara - This rule detects Pikabot V1 and V2 loader samples.
- SUSP_BAT_OBFUSC.yara - Detects indicators of obfuscation in Windows Batch files.
- True_Bot.yara - Detection rules for the TrueBot malware.
- WinDefender_AntiEmaulation.yara - Detects a specific anti-emulation technique used against Windows Defender.
- APT_Turla_SilentMoon.yara - This rule detects SilentMoon malware samples.
The scripts directory contains the following scripts:
- Pikabot_V3_C2.py - Configuration extractor for PikaBot version 3.
- TrueBot_C2.py - Configuration extractor for TrueBot.
- metastealer_decrypt_strings.py - Decryption script for Metastealer malware.
These scripts are designed to extract configuration and decrypt strings from malware samples that the YARA rules detect.
If you have any questions or need further information, you can contact me at:
- LinkedIn: Apophis133
- Blog: Apophis133
- Twitter: @Ap0phis133