100 Days Of YARA
@100daysofyara.bsky.social
BSky profile dedicated to 100 Days Of YARA
https://github.com/100DaysofYARA
reposted by
100 Days Of YARA
Matt Green
10 months ago
Messing with a couple of anomaly rules for #100daysofyara
1. Packer-related API strings and no import. Rule: github.com/mgreen27/100...
2. Downloader-related API strings and no import. Rule: github.com/mgreen27/100...
reposted by
100 Days Of YARA
Matt Green
10 months ago
#100daysofyara hunting inspired by a sample share from VT:
1. Microsoft Teams without a MS cert
2. Detect cert metadata: github.com/mgreen27/100...
3. Anomaly detection for PE files with a large difference between physical and virtual size of a section: github.com/mgreen27/100...
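The section-size anomaly in item 3 maps directly onto the YARA pe module. The rule below is an added example written for this page, not the linked rule; its thresholds (64 KiB of extra memory, 8x ratio) are assumptions to tune against your own corpus, and it restricts itself to executable sections so that ordinary .bss-style data sections do not fire.

```yara
import "pe"

rule SUS_PE_Exec_Section_Virtual_Size_Far_Exceeds_Raw_Size
{
    meta:
        description = "Executable PE section whose in-memory size is far larger than its on-disk size, a layout typical of packers that unpack into a mostly empty section (e.g. UPX0)"
        author      = "added example for illustration, not a published 100DaysofYARA rule"
    condition:
        pe.is_pe and
        pe.number_of_sections > 0 and
        for any i in (0 .. pe.number_of_sections - 1) : (
            // only sections mapped executable: .bss-style data sections legitimately
            // have a large virtual size and no raw data, so they are excluded here
            (pe.sections[i].characteristics & pe.SECTION_MEM_EXECUTE) != 0 and
            // assumed thresholds: at least 64 KiB of memory beyond the raw data
            // and at least an 8x ratio between virtual and raw size
            pe.sections[i].virtual_size - pe.sections[i].raw_data_size > 0x10000 and
            pe.sections[i].virtual_size > pe.sections[i].raw_data_size * 8
        )
}
```

A section with raw_data_size 0 and a large executable virtual size (the classic packer stub layout) satisfies both conditions, while a normal .text section, whose raw size is its virtual size rounded up to file alignment, does not.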
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysofYara
Day 23 Socks5Systemz, sample from the bazaar. 32-bit installer for the tool, based on the compilation information, strings for "\silent" and "\verysilent", and mentions of Inno Setup, used to create Windows installers.
www.bitsight.com/blog/unveili...
github.com/augustvansic...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysOfYara
Day 24 A QakBot spotted in the wild (2025). Some easy strings for dangerous API calls for encryption and WSA calls for connection functionality, and an IP that upon review looks like it's hosting a C2 (web ports with firewall deny all w/exceptions likely).
github.com/augustvansic...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysofYara
Day 14 This sample is a PE32 DLL that is designed for the I386 arch, in C++. I used some more hex strings this time, looks like this is either mimicking a game DLL or pretending to be. Sample was tagged to WannaCry.
github.com/augustvansic...
https://github.com/augustvansickle/2025_100DaysofYara/blob/46faf61ae387d01153510f763086d158dd26e94c/Day14_PE32_I386_DLL_TaggedWannaCry.yar
reposted by
100 Days Of YARA
Matt Green
10 months ago
#100daysofyara
more yara-x > Dumping a RedCurl malware PE, I saw the Rich Header and thought I would give it a try. Rule:
github.com/mgreen27/100...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysOfYara
Day 13 A macOS Mach-O binary from MalwareZoo: Backdoor/Worm. Some of the API calls are not core-library referenced and could prevent inclusion in the App Store, so I added them as ASCII strings. Also added some dylib strings.
github.com/augustvansic...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
11 months ago
#100DaysOfYara
Day 12 Today's sample was a PE32 DLL tagged to DarkTortilla. Strings, strings and more strings made this one easy to make a rule, didn't need to throw it in Binja. A couple rules were based on environmental condition requests, signs of host enumeration.
github.com/augustvansic...
https://github.com/augustvansickle/2025_100DaysofYara/blob/main/Day12_PE32_DLL_DarkTortilla.yar
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
11 months ago
#100DaysOfYara
Day 11 I got some exposure to Android APK Lua malware. Interesting file structure and execution flow; I used this resource for some help on understanding the basics and to learn about some specialized tools:
par.nsf.gov/servlets/pur...
and Rule:
github.com/augustvansic...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
11 months ago
#100DaysOfYara
Day 10 Today's sample was a sample of Storm Kitty, an open-source stealer/keylogger written in C++; logs are sent to a Telegram address which you can see in the strings.
malpedia.caad.fkie.fraunhofer.de/details/win....
github.com/augustvansic...
reposted by
100 Days Of YARA
Matt Green
11 months ago
#100daysofyara
Sometimes simple rules work really well! In an IR last week, we discovered and stopped an in-progress exfil. This process rule detects the in-memory renamed rclone; it should be cross-platform. Rule:
github.com/mgreen27/100...
reposted by
100 Days Of YARA
Matt Green
10 months ago
#100daysofyara
This rule detects PE files with SUBSYSTEM_WINDOWS_GUI and no Window API function import. Rule:
github.com/mgreen27/100...
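An added example of how that condition looks with the YARA pe module, written for this page rather than taken from the linked rule. It assumes user32, gdi32 and comctl32 as the "window API" DLLs and adds the exclusions a practitioner would want (DLLs, .NET assemblies, import-less files) so the rule isolates the one anomaly it is named for.

```yara
import "pe"

rule SUS_PE_GUI_Subsystem_Without_Window_API_Imports
{
    meta:
        description = "Native GUI-subsystem EXE that imports nothing from the window/drawing DLLs, i.e. a 'GUI program' that never creates a window; common in packed or stub loaders"
        author      = "added example for illustration, not Matt Green's published rule"
    condition:
        pe.is_pe and
        pe.subsystem == pe.SUBSYSTEM_WINDOWS_GUI and
        // EXEs only: DLLs carry a subsystem value but rarely own a window themselves
        (pe.characteristics & pe.DLL) == 0 and
        // .NET assemblies import only mscoree.dll natively, so every one of them
        // would match; exclude them via the CLR (COM descriptor) data directory
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].virtual_address == 0 and
        // require an import table at all: "no imports" is a separate anomaly
        pe.number_of_imports > 0 and
        // pe.imports(dll) returns the number of functions imported from that DLL
        // (DLL names are matched case-insensitively)
        pe.imports("user32.dll") == 0 and
        pe.imports("gdi32.dll") == 0 and
        pe.imports("comctl32.dll") == 0
}
```

Because pe.imports() only walks the regular import table, a program that delay-loads its window DLLs will still match; treat hits as hunting leads rather than verdicts.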
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysOfYara
Day 15 I had more to say than a post here allows, so it's on Medium @:
medium.com/@august.vans...
reposted by
100 Days Of YARA
Matt Green
10 months ago
#100daysofyara
MSC files appear to store their icons inside a BinaryStorage field. Today's rule hits on a suspicious PDF icon. Rule:
github.com/mgreen27/100...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysOfYara
Day 16 Today's sample: a PE64 EXE tagged to SpyLyRAT. Some unique loads in this directly from GitHub, and some common API calls that are commonly used for manipulating processes.
github.com/augustvansic...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysOfYara
Day 17 Sliver Beacon EXE Sliver uses MinGW to compile beacons, and it was definitely in strings, so I added that rule. String for sleep - time based evasion, a couple of other hardcoded strings. I did some dynamic analysis and the domain drops payloads too.
reposted by
100 Days Of YARA
Matt Green
10 months ago
This #100daysofyara rule looks for a PE with an unusual NumberOfRvaAndSizes attribute.
github.com/mgreen27/100...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysOfYara
Day 18 Happy Saturday (Go Chiefs). Today I did a quick rule for a sample of RedLine, a 32-bit PE. A lot was obfuscated with this sample, but there were some C# .NET calls to use for rules.
github.com/augustvansic...
https://github.com/augustvansickle/2025_100DaysofYara/blob/ecabc490af6a452c436659bfc5dc928a22be8bbe/Day18_PE32_RedLIne.yar
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysOfYara
Day 19 PE64 DLL with a lot of capability, tagged to legion loader.
github.com/augustvansic...
https://github.com/augustvansickle/2025_100DaysofYara/blob/491bf3357679e801dff43a91ca508904ae7972e8/Day19_PE64_DLL_LEGIONLOADER.yar
reposted by
100 Days Of YARA
Matt Green
10 months ago
Today's #100daysofyara rule looks for a PE file with an unusual debug info type. YARA doesn't directly expose these debug structures, so I had to search for the RSDS header and find the type field by offset.
github.com/mgreen27/100...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysOfYara
Day 21 Cobalt Strike Beacon of the EXE flavor. References to a tech company from China in strings, debugger enum, executable called and a close handle on a variable. Interesting: the icon for the binary is an apple, compiled for Windows/PE64 and Windows API libs.
github.com/augustvansic...
reposted by
100 Days Of YARA
Matt Green
10 months ago
#100daysofyara
Today's rule is detecting a patched clr.dll in memory (AmsiScanBuffer bypass). My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection. Rule:
github.com/mgreen27/100...
VQL:
github.com/mgreen27/100...
reposted by
100 Days Of YARA
IntelCorgi
10 months ago
I finally got around to making my first contribution to #100DaysofYARA 2025 with two YARA rules. My first rule looks to detect Qbit Stealer, a Golang stealer which never really took off. My second rule is designed to hunt various "calling cards" the developer left, which might find related malware.
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
10 months ago
#100DaysOfYara
Day 22 Today I dug into Binlex. Binlex extracts instructions, basic blocks, and functions from binary files and organizes them into a structured hierarchy. I'm still working on learning the rule syntax with blyara to create rules.
github.com/augustvansic...
reposted by
100 Days Of YARA
Paul Burbage
10 months ago
Introducing: What is this stealer? A new repository that allows you to identify the stealer family by the system-information text file format commonly included in stealer malware exfiltration logs. Includes YARA rules! Check it out and contribute!
github.com/MalBeacon/wh...
https://github.com/MalBeacon/what-is-this-stealer
reposted by
100 Days Of YARA
Greg Lesnewich
11 months ago
#100DaysofYARA
wanna track DPRK Macho maldevs but don't wanna dump strings or reverse anything? track their dependency and permission preferences!
github.com/100DaysofYAR...
reposted by
100 Days Of YARA
Greg Lesnewich
11 months ago
#100DaysofYARA
throwback to @0xkyle.bsky.social and me finding a weird payload getting dropped by UNK_SweetSpector - it was like a weird cross-mutation of SugarGh0st and what Unit42 called TunnelSpecter and SweetSpecter. The payload uses the Incognito framework for token forgery.
github.com/100DaysofYAR...
reposted by
100 Days Of YARA
Matt Green
11 months ago
#100daysofyara
Today's post is generic and looks at LNK files. Finding samples with specific attributes that may not be parsed (or dumped by yara-x) can be difficult. This rule finds LNK files with the rare in-field CodePage language setting. Rules:
github.com/mgreen27/100...
x: @RustyNoob619 #100DaysofYara
Day 5 Added a couple of new YARA rules for TTPs 🐧 First is to detect embedded Windows PE payloads in a file as Base64 encoding. Second is to spot modification of memory protect flags, which is typically used for code injection/unpacking.
github.com/RustyNoob-61...
https://github.com/RustyNoob-619/100-Days-of-YARA-2025/blob/main/Day5.yara
11 months ago
reposted by
100 Days Of YARA
Matt Green
11 months ago
Rule:
github.com/mgreen27/100...
https://github.com/mgreen27/100daysofyara/blob/main/2025/SUS_Renamed_QEMU_Jan25.yar
reposted by
100 Days Of YARA
Matt Green
11 months ago
Crossposting here: #100daysofyara continuing to explore yara-x, today I tried to detect a renamed QEMU exe using PE attributes and a dynamic variable.
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
11 months ago
#100DaysOfYara
Day 3 Another Macho binary, tagged to Lazarus
github.com/augustvansic...
ALSO I wrote a basic rev shell in C. Included a video to show functionality, but the hardcoded IP/port is local, so it will be benign. Feel free to use it for a rule:
github.com/augustvansic...
x: @mgreen27
#100daysofyara Yesterday I checked out a LNK that was associated with a BYO TinyCore Linux image. Today's rule covers an interesting way to detect the image with an MBR-specific signature. (1/2)
11 months ago
x: @RustyNoob619 #100DaysofYara
Day 4 YARA rules for the LNK, VBS & HTA files used in the UAC-0099 infection chain reported by @_CERT_UA against Ukrainian Gov entities in Nov-Dec 2024. The rules reference the ruleset from Day 3, so please use it in combo for it to work 🐧
github.com/RustyNoob-61...
https://github.com/RustyNoob-619/100-Days-of-YARA-2025/blob/main/Day4.yara
11 months ago
x: @RustyNoob619 #100DaysofYara
Day 3 Continuing from yesterday on UAC-0099, I have taken a different approach to detecting the LNK, VBS & HTA files used in their infection chain 🐧 There were many TTPs that were common between those files, so here is a ruleset...
github.com/RustyNoob-61...
https://github.com/RustyNoob-619/100-Days-of-YARA-2025/blob/main/Day3.yara
11 months ago
reposted by
100 Days Of YARA
Greg Lesnewich
11 months ago
#100DaysofYARA
we're brute forcing Steve's prompt with regular expressions :P
github.com/100DaysofYAR...
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
11 months ago
#100DaysOfYara
Day 3 Thought this was a Meterpreter implant, but I compared it to an implant I made; much more functionality for the ITW sample. Rule = unique Win32 API calls, IPs, imports.
reposted by
100 Days Of YARA
Tony Lambert
11 months ago
New blog post for #100DaysofYARA, in this one I look at a VenomRAT sample and create rules based on PE metadata and an encryption salt value.
forensicitguy.github.io/exploring-ve...
#malware
Exploring VenomRAT Metadata and Encryption with YARA - #100DaysOfYara
It’s that time of year again - 100 Days of YARA! In this post I want to walk through how I use YARA to document malware analysis findings. YARA has loads of different use cases:
https://forensicitguy.github.io/exploring-venomrat-metadata-encryption-with-yara/
x: @cioaonk Day Two: @Volexity's reporting on the "Nearest Neighbor Attack" ranks high on the most intriguing cyber attacks of 2024 for me personally. Today's #100DaysofYARA is a simple detection of the Windows-native Cipher tool used to clean up artifacts on systems.
11 months ago
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
11 months ago
#100DaysOfYara
Day 2: LBB.exe, Lockbit 4 PE
github.com/augustvansic...
x: @cioaonk Day One of #100DaysOfYara complete! Inspired by @delivr_to's recent report on image-less QR codes rendered in HTML:
blog.delivr.to/delivr-tos-t...
delivr.to’s Top 10 Payloads (Dec ‘24): Pastejacking, Image-less QR codes and Concatenated Zip…
Our Top 10 brings together novel research, attack evolution and newly-popularised methods embraced by adversaries to achieve initial…
https://blog.delivr.to/delivr-tos-top-10-payloads-dec-24-pastejacking-image-less-qr-codes-and-concatenated-zip-a32e668106dd
11 months ago
x: @RustyNoob619 #100DaysofYara
Wrote a YARA rule for UAC-0099 group RAR/EXE malware samples that were reported by @_CERT_UA to be used in a campaign against Ukraine Gov entities between Nov & Dec 2024 🐧 First rule in the challenge this year leveraging the PE YARA module :)
github.com/RustyNoob-61...
https://github.com/RustyNoob-619/100-Days-of-YARA-2025/blob/main/Day2.yara
11 months ago
reposted by
100 Days Of YARA
Kyle Eaton
about 1 year ago
YARA rule to match concatenated zip files. I like this one (biased) because of how we are able to avoid matching nested zip files. More info:
x.com/threatinsigh...
#yara
github.com/EmergingThre...
https://github.com/EmergingThreats/threatresearch/blob/master/yara/zip_file.yara
reposted by
100 Days Of YARA
Greg Lesnewich
11 months ago
shout out to Lars for his rule last year that I took inspiration from, and shouts to @0xkyle.bsky.social for teaching me all of the ZIP structure things
reposted by
100 Days Of YARA
Greg Lesnewich
11 months ago
#100DaysofYARA
day 2 - one cluster in my portfolio, TA427, really likes to use password-protected ZIP files with an MSC file as the only embedded file (they used to use .VBS files). Let's look for ZIPs that match those features!
github.com/100DaysofYAR...
Day 2 of #100DaysOfYARA - I believe we have people posting on both BSky and X; we'll be reposting their stuff here too!
11 months ago
reposted by
100 Days Of YARA
Tony Lambert
11 months ago
#100daysofyara
I like taking the approach of having multiple YARA rules to detect the same thing from different perspectives, like these rules for Cronos Crypter. One looks for just strings, another for a string + encryption salt, and a third for the assembly name.
reposted by
100 Days Of YARA
🐦🔥🐦🔥Denice
11 months ago
Powered the VM up and ready to start my first entry to #100DaysOfYARA 2025 edition! 🔥
reposted by
100 Days Of YARA
Humphr3y_H3lld0gg$
11 months ago
Ok, day 1 of #100DaysofYara: I assigned some strings based on the less common lines from the Lockbit 4 loader that would likely be common in malicious code and not typically in normal admin, as well as a hex string for the PE itself.
reposted by
100 Days Of YARA
11 months ago
Gonna take a hangover day & start #100DaysOfYara late. Couldn't keep up last year & I'll see how it goes this year. I don't have the creativity of @greg-l.bsky.social. Might do some scripting & play more with yara-x like @stvemillertime.bsky.social. I have a half-written gRPC service for file scanning.