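rule Generic_Hvnc_bin
{
    // Generic detection for the HVNC ("hidden VNC") stealer component as an
    // on-disk PE (the "_bin" half of the pair; a companion rule handles the
    // larger-file case). Fixes the "Hnvc" typo in the original description.
    meta:
        description = "Hvnc"
        author = "James_inthe_box"
        reference = "dc13ca67a150402f26094c85113a2cb9b4b999c8815e0de43faa06c1baf2cf13"
        date = "2018/09"
        maltype = "Stealer"
    strings:
        // Routine/marker names of the embedded VNC server.
        $string1 = "VncStartServer"
        $string2 = "#hvnc"
        $string3 = "VncStopServer"
        // UTF-16 browser name; presumably the app driven in the hidden session — confirm.
        $string5 = "Opera" wide
        // UTF-16 "IPv4-like:port" pattern. Far too generic to alert on alone,
        // which is why the condition only uses it together with every $string*.
        $regex1 = /([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}/ wide
    condition:
        // uint16(0) == 0x5A4D is the same MZ-at-offset-0 test as "$mz at 0"
        // ({ 4d 5a } little-endian) without a string scan for a 2-byte atom.
        uint16(0) == 0x5A4D and all of ($string*) and $regex1 and filesize < 600KB
}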
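rule Generic_Hvnc_mem
{
    // Companion to Generic_Hvnc_bin for large inputs. No MZ check, so it is
    // presumably meant for process/memory dumps rather than files on disk —
    // confirm. Fixes the "Hnvc" typo in the original description and closes
    // the gap at exactly 600KB: the bin rule requires "filesize < 600KB" and
    // this one originally required "> 600KB", so a 600KB input matched neither.
    meta:
        description = "Hvnc"
        author = "James_inthe_box"
        reference = "dc13ca67a150402f26094c85113a2cb9b4b999c8815e0de43faa06c1baf2cf13"
        date = "2018/09"
        maltype = "Stealer"
    strings:
        // Routine/marker names of the embedded VNC server.
        $string1 = "VncStartServer"
        $string2 = "#hvnc"
        $string3 = "VncStopServer"
        // UTF-16 browser name; presumably the app driven in the hidden session — confirm.
        $string6 = "Opera" wide
        // UTF-16 "IPv4-like:port" pattern. On its own this matches a lot of
        // benign memory; it only counts here because all other strings must hit too.
        $regex1 = /([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}/ wide
    condition:
        // ">=" so the boundary value is covered by exactly one of the two rules.
        all of them and filesize >= 600KB
}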
rule Abs0lem_hvnc_bin
{
    // Family-specific refinement of Generic_Hvnc_bin for the "Abs0lem" build.
    meta:
        description = "Abs0lem hvnc"
        author = "James_inthe_box"
        reference = "813bbce7de26ca67e2dec4a70ceee7065facf845373c30fe44a970c66c12f439"
        date = "2018/09"
        maltype = "Stealer"
    strings:
        // Identifier format string unique to this build.
        $string1 = "ABS0LEM-HVNC-%08X%08X"
    condition:
        // The referenced rule must be declared earlier in the same ruleset,
        // otherwise compilation fails with an undefined identifier.
        Generic_Hvnc_bin and $string1
}
rule Abs0lem_hvnc_mem
{
    // Family-specific refinement of Generic_Hvnc_mem for the "Abs0lem" build.
    meta:
        description = "Abs0lem hvnc"
        author = "James_inthe_box"
        reference = "813bbce7de26ca67e2dec4a70ceee7065facf845373c30fe44a970c66c12f439"
        date = "2018/09"
        maltype = "Stealer"
    strings:
        // Identifier format string unique to this build.
        $string1 = "ABS0LEM-HVNC-%08X%08X"
    condition:
        // Generic_Hvnc_mem must be declared before this rule in the ruleset.
        Generic_Hvnc_mem and $string1
}
rule DarkVNC_hvnc_bin
{
    // Family-specific refinement of Generic_Hvnc_bin for the "DarkVNC" build.
    meta:
        description = "DarkVNC"
        author = "James_inthe_box"
        reference = "35408635b78a61972dd48935fbbeb1fce067615c3cebf4498472252fbf893914"
        date = "2018/09"
        maltype = "Stealer"
    strings:
        // Identifier format string unique to this build.
        $string1 = "(%S)_%08x-DARKVNC"
    condition:
        // Generic_Hvnc_bin must be declared before this rule in the ruleset.
        Generic_Hvnc_bin and $string1
}
rule DarkVNC_hvnc_mem
{
    // Family-specific refinement of Generic_Hvnc_mem for the "DarkVNC" build.
    meta:
        description = "DarkVNC"
        author = "James_inthe_box"
        reference = "35408635b78a61972dd48935fbbeb1fce067615c3cebf4498472252fbf893914"
        date = "2018/09"
        maltype = "Stealer"
    strings:
        // Identifier format string unique to this build.
        $string1 = "(%S)_%08x-DARKVNC"
    condition:
        // Generic_Hvnc_mem must be declared before this rule in the ruleset.
        Generic_Hvnc_mem and $string1
}
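rule Vncold_hvnc_mem
{
    // Family-specific refinement for the "VNCold" build. Fixes the "varient"
    // typo in the description.
    // NOTE(review): despite the "_mem" name this rule depends on
    // Generic_Hvnc_bin (the on-disk rule), while its sibling Vncold_hvnc_memory
    // depends on Generic_Hvnc_mem — this one looks like the "_bin" variant
    // under a misleading name. The rule name is left unchanged because other
    // rulesets or tooling may reference it; rename with care.
    meta:
        description = "VNCold hvnc variant"
        author = "James_inthe_box"
        reference = "3adfcd410678aeb41bc482ca955077c844c9b56748c7989d10ef003e0757f06c"
        date = "2018/09"
        maltype = "Stealer"
    strings:
        // Identifier format string unique to this build.
        $string1 = "(%S)_%08x-VNCOLD"
    condition:
        // Generic_Hvnc_bin must be declared before this rule in the ruleset.
        all of them and Generic_Hvnc_bin
}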
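rule Vncold_hvnc_memory
{
    // Family-specific refinement of Generic_Hvnc_mem for the "VNCold" build.
    // Fixes the "varient" typo in the description.
    meta:
        description = "VNCold hvnc variant"
        author = "James_inthe_box"
        reference = "3adfcd410678aeb41bc482ca955077c844c9b56748c7989d10ef003e0757f06c"
        date = "2018/09"
        maltype = "Stealer"
    strings:
        // Identifier format string unique to this build.
        $string1 = "(%S)_%08x-VNCOLD"
    condition:
        // Generic_Hvnc_mem must be declared before this rule in the ruleset.
        all of them and Generic_Hvnc_mem
}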
~~~
Florian Roth published this version, which is much more optimized:
rule MAL_MaliciousVNC_Feb19_1 {
    // Single consolidated rule: the three family-specific identifier strings
    // ($x*) are each sufficient alone; the generic strings ($s*) only fire
    // when five of all declared strings are present. No MZ or filesize
    // constraint, so it applies to files and dumps alike.
    meta:
        description = "Detects a malicious VNC variant"
        author = "James_inthe_box / Modified by Florian Roth"
        reference = "3adfcd410678aeb41bc482ca955077c844c9b56748c7989d10ef003e0757f06c"
        date = "2019-02-09"
    strings:
        // Generic HVNC markers (each a weak signal by itself).
        $s1 = "VncStartServer"
        $s2 = "#hvnc"
        $s3 = "VncStopServer"
        // Prefix shared by $x1/$x2; any hit on those implies a hit here as well.
        $s4 = "(%S)_%08x"
        $s5 = "Opera" wide
        // Family-specific identifier strings (high confidence).
        $x1 = "(%S)_%08x-VNCOLD"
        $x2 = "(%S)_%08x-DARKVNC"
        $x3 = "ABS0LEM-HVNC-%08X%08X"
    condition:
        // "($x*, $s*)" enumerates every string, i.e. the same set as "them".
        1 of ($x*) or 5 of ($x*, $s*)
}
~~~