James_inthe_box

VNC's

Feb 7th, 2019
  1. rule Generic_Hvnc_bin
  2. {
  3. meta:
  4. description = "Hnvc"
  5. author = "James_inthe_box"
  6. reference = "dc13ca67a150402f26094c85113a2cb9b4b999c8815e0de43faa06c1baf2cf13"
  7. date = "2018/09"
  8. maltype = "Stealer"
  9.  
  10. strings:
  11. $mz = { 4d 5a }
  12. $string1 = "VncStartServer"
  13. $string2 = "#hvnc"
  14. $string3 = "VncStopServer"
  15. $string5 = "Opera" wide
  16. $regex1 = /([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}/ wide
  17.  
  18. condition:
  19. ($mz at 0) and (all of ($string*)) and $regex1 and filesize < 600KB
  20. }
  21.  
  22. rule Generic_Hvnc_mem
  23. {
  24. meta:
  25. description = "Hnvc"
  26. author = "James_inthe_box"
  27. reference = "dc13ca67a150402f26094c85113a2cb9b4b999c8815e0de43faa06c1baf2cf13"
  28. date = "2018/09"
  29. maltype = "Stealer"
  30.  
  31. strings:
  32. $string1 = "VncStartServer"
  33. $string2 = "#hvnc"
  34. $string3 = "VncStopServer"
  35. $string6 = "Opera" wide
  36. $regex1 = /([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}/ wide
  37.  
  38. condition:
  39. all of them and filesize > 600KB
  40. }
  41.  
  42. rule Abs0lem_hvnc_bin
  43. {
  44. meta:
  45. description = "Abs0lem hvnc"
  46. author = "James_inthe_box"
  47. reference = "813bbce7de26ca67e2dec4a70ceee7065facf845373c30fe44a970c66c12f439"
  48. date = "2018/09"
  49. maltype = "Stealer"
  50.  
  51. strings:
  52. $string1 = "ABS0LEM-HVNC-%08X%08X"
  53.  
  54. condition:
  55. all of them and Generic_Hvnc_bin
  56. }
  57.  
  58.  
  59. rule Abs0lem_hvnc_mem
  60. {
  61. meta:
  62. description = "Abs0lem hvnc"
  63. author = "James_inthe_box"
  64. reference = "813bbce7de26ca67e2dec4a70ceee7065facf845373c30fe44a970c66c12f439"
  65. date = "2018/09"
  66. maltype = "Stealer"
  67.  
  68. strings:
  69. $string1 = "ABS0LEM-HVNC-%08X%08X"
  70.  
  71. condition:
  72. all of them and Generic_Hvnc_mem
  73. }
  74.  
  75. rule DarkVNC_hvnc_bin
  76. {
  77. meta:
  78. description = "DarkVNC"
  79. author = "James_inthe_box"
  80. reference = "35408635b78a61972dd48935fbbeb1fce067615c3cebf4498472252fbf893914"
  81. date = "2018/09"
  82. maltype = "Stealer"
  83.  
  84. strings:
  85. $string1 = "(%S)_%08x-DARKVNC"
  86.  
  87. condition:
  88. all of them and Generic_Hvnc_bin
  89. }
  90.  
  91.  
  92. rule DarkVNC_hvnc_mem
  93. {
  94. meta:
  95. description = "DarkVNC"
  96. author = "James_inthe_box"
  97. reference = "35408635b78a61972dd48935fbbeb1fce067615c3cebf4498472252fbf893914"
  98. date = "2018/09"
  99. maltype = "Stealer"
  100.  
  101. strings:
  102. $string1 = "(%S)_%08x-DARKVNC"
  103.  
  104. condition:
  105. all of them and Generic_Hvnc_mem
  106. }
  107.  
  108. rule Vncold_hvnc_mem
  109. {
  110. meta:
  111. description = "VNCold hvnc varient"
  112. author = "James_inthe_box"
  113. reference = "3adfcd410678aeb41bc482ca955077c844c9b56748c7989d10ef003e0757f06c"
  114. date = "2018/09"
  115. maltype = "Stealer"
  116.  
  117. strings:
  118. $string1 = "(%S)_%08x-VNCOLD"
  119.  
  120. condition:
  121. all of them and Generic_Hvnc_bin
  122. }
  123.  
  124. rule Vncold_hvnc_memory
  125. {
  126. meta:
  127. description = "VNCold hvnc varient"
  128. author = "James_inthe_box"
  129. reference = "3adfcd410678aeb41bc482ca955077c844c9b56748c7989d10ef003e0757f06c"
  130. date = "2018/09"
  131. maltype = "Stealer"
  132.  
  133. strings:
  134. $string1 = "(%S)_%08x-VNCOLD"
  135.  
  136. condition:
  137. all of them and Generic_Hvnc_mem
  138. }
  139.  
  140. ~~~
Florian Roth had this version, which is much more optimized:
  142. rule MAL_MaliciousVNC_Feb19_1 {
  143. meta:
  144. description = "Detects a malicious VNC variant"
  145. author = "James_inthe_box / Modified by Florian Roth"
  146. reference = "3adfcd410678aeb41bc482ca955077c844c9b56748c7989d10ef003e0757f06c"
  147. date = "2019-02-09"
  148. strings:
  149. $x1 = "(%S)_%08x-VNCOLD"
  150. $x2 = "(%S)_%08x-DARKVNC"
  151. $x3 = "ABS0LEM-HVNC-%08X%08X"
  152.  
  153. $s1 = "VncStartServer"
  154. $s2 = "#hvnc"
  155. $s3 = "VncStopServer"
  156. $s4 = "(%S)_%08x"
  157. $s5 = "Opera" wide
  158. condition:
  159. 1 of ($x*) or 5 of them
  160. }
  161. ~~~