Update third-party rules as of 2025-05-09 #913

Closed
wants to merge 1 commit into from
2 changes: 1 addition & 1 deletion third_party/yara/elastic/RELEASE
@@ -1 +1 @@
bea1b2a43cad529db63cd548c92723934fe6c9c5
3537aa4ed9c7ed9dcd04da2efafbad38af47a017
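Review bot: the pin is moved from bea1b2a43cad529db63cd548c92723934fe6c9c5 to 3537aa4ed9c7ed9dcd04da2efafbad38af47a017, but the RELEASE file carries nothing except the bare hash, so neither the hunk nor the commit records which upstream elastic release, tag or snapshot date that commit corresponds to (only the PR title says "as of 2025-05-09"). Suggest recording the upstream tag or date next to the hash, as a comment line if the tooling that reads RELEASE tolerates one, or at least in the commit message, so the pin can be audited later, and confirming that the sync step checks out exactly this hash rather than a branch head.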

Unchanged files with check annotations

rules/malware/family/rustdoor.yara (VirusTotal YARA-CI / Rules Analysis; only the fragments of the file surrounding the annotated lines are shown here, the rule headers are not visible on this page)

    hash = "20b986b24d86d9a06746bdb0c25e21a24cb477acb36e7427a8c465c08d51c1e4"
    strings:
        $botkill = { 62 6F 74 6B 69 6C 6C }
        $dialog = { 7A 69 70 74 61 73 6B }
        $upload = { 75 70 6C 6F 61 64 5F 66 69 6C 65 73 72 63 }
        $launchagents = { 4C 61 75 6E 63 68 41 67 65 6E 74 73 2E 70 6C 69 73 74 }
    condition:
        filesize > 1MB and filesize < 10MB and all of them

warning[text_as_hex]: hex pattern could be written as text literal
    line 9,  $botkill:      help: replace with "botkill"
    line 10, $dialog:       help: replace with "ziptask"
    line 11, $upload:       help: replace with "upload_filesrc"
    line 12, $launchagents: help: replace with "LaunchAgents.plist"

    filetypes = "macho"
    strings:
        $cfg_daemonize = { 64 61 65 6D 6F 6E 69 7A 65 }
        $cfg_cron = { 63 68 65 63 6B 5F 63 72 6F 6E 5F 61 73 6B 65 64 }
        $cfg_lock_in_cron = { 6C 6F 63 6B 5F 69 6E 5F 63 72 6F 6E }
        $cfg_lock_in_dock = { 6C 6F 63 6B 5F 69 6E 5F 64 6F 63 6B }
        $cfg_lock_in_launch = { 6C 6F 63 6B 5F 69 6E 5F 6C 61 75 6E 63 68 }
        $cfg_copy_files = { 63 6F 70 79 5F 66 69 6C 65 73 }
    condition:
        filesize > 1MB and filesize < 10MB and 4 of them

warning[text_as_hex]: hex pattern could be written as text literal
    line 25, $cfg_daemonize:      help: replace with "daemonize"
    line 26, $cfg_cron:           help: replace with "check_cron_asked"
    line 27, $cfg_lock_in_cron:   help: replace with "lock_in_cron"
    line 28, $cfg_lock_in_dock:   help: replace with "lock_in_dock"
    line 29, $cfg_lock_in_launch: help: replace with "lock_in_launch"
    line 30, $cfg_copy_files:     help: replace with "copy_files"

    filetypes = "macho"
    strings:
        $botkill = { 62 6F 74 6B 69 6C 6C }
        $upload = { 75 70 6C 6F 61 64 }
        $sleep = { 73 6C 65 65 70 }
        $rmdir = { 72 6D 64 69 72 }
    condition:
        filesize > 1MB and filesize < 10MB and all of them

warning[text_as_hex]: hex pattern could be written as text literal
    line 43, $botkill: help: replace with "botkill"
    line 44, $upload:  help: replace with "upload"
    line 45, $sleep:   help: replace with "sleep"
    line 46, $rmdir:   help: replace with "rmdir"
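The text_as_hex warnings above all have the same shape: a hex string whose every token is a plain byte and whose bytes are all printable ASCII, which YARA would match identically if written as a text literal. The script below is an added example, not code from this PR, from the rules repository or from VirusTotal's YARA-CI, that reimplements that check over a constructed rule snippet embedding two of the patterns from rustdoor.yara plus cases the lint must leave alone (a ?? wildcard, a [2-4] jump, non-printable bytes). The names hex_to_text_literal, lint_text_as_hex, format_warning and SAMPLE_RULE are this example's own, and it assumes each hex string sits on a single line with both braces on that line.

```python
import re
import string

# Matches a single-line YARA hex string definition such as
#   $botkill = { 62 6F 74 6B 69 6C 6C }
# Assumption of this example: one hex string per line, both braces on it.
HEX_STRING_RE = re.compile(r'^\s*(\$\w*)\s*=\s*\{([^}]*)\}')

# A token that is a plain byte value. Wildcards (??, 6?), jumps ([2-4]) and
# alternation tokens (( 62 | 63 )) do not match, and a pattern using any of
# them has no text-literal equivalent, so the lint stays quiet for it.
BYTE_TOKEN_RE = re.compile(r'^[0-9A-Fa-f]{2}$')

# Printable ASCII: space is kept, control whitespace (tab, newline, ...) is not.
PRINTABLE = set(string.printable) - set('\t\n\r\x0b\x0c')


def hex_to_text_literal(body):
    """Return the YARA text literal equivalent to a hex-string body, or None
    when the body uses wildcards/jumps/alternations or any non-printable byte."""
    tokens = body.split()
    if not tokens:
        return None
    data = bytearray()
    for tok in tokens:
        if not BYTE_TOKEN_RE.match(tok):
            return None
        data.append(int(tok, 16))
    text = data.decode('latin-1')  # one char per byte, never raises
    if any(ch not in PRINTABLE for ch in text):
        return None
    # Backslash and double quote are the two characters that need escaping
    # inside a YARA text string; escape the backslash first.
    return '"' + text.replace('\\', '\\\\').replace('"', '\\"') + '"'


def lint_text_as_hex(rule_source):
    """Scan rule source and return [(line_no, identifier, suggested_literal)]
    for every hex string that could be written as a text literal."""
    findings = []
    for line_no, line in enumerate(rule_source.splitlines(), start=1):
        m = HEX_STRING_RE.match(line)
        if not m:
            continue
        suggestion = hex_to_text_literal(m.group(2))
        if suggestion is not None:
            findings.append((line_no, m.group(1), suggestion))
    return findings


def format_warning(finding):
    """Render one finding in the style of the CI annotations."""
    line_no, ident, suggestion = finding
    return (f"warning[text_as_hex]: line {line_no}: {ident} can be written "
            f"as text literal {suggestion}")


# Constructed sample: two patterns taken from the annotated file, followed by
# hex strings that must NOT be flagged, and a string that already is a literal.
SAMPLE_RULE = '''
rule rustdoor_sample
{
    strings:
        $botkill = { 62 6F 74 6B 69 6C 6C }
        $launchagents = { 4C 61 75 6E 63 68 41 67 65 6E 74 73 2E 70 6C 69 73 74 }
        $wild = { 62 6F ?? 6B 69 6C 6C }
        $jump = { 62 6F [2-4] 6C 6C }
        $binary = { 4D 5A 90 00 }
        $quote = { 22 68 69 22 }
        $text = "already a text literal"
    condition:
        all of them
}
'''

if __name__ == "__main__":
    for finding in lint_text_as_hex(SAMPLE_RULE):
        print(format_warning(finding))
```

Rewriting these patterns as literals does not change what they match: a text string without modifiers is matched byte for byte, exactly like the hex form. The gain is readability and the option of modifiers such as nocase, wide and fullword, which YARA allows on text strings but not on hex strings; a hex string is the right choice only when the pattern genuinely needs wildcards, jumps, alternations or non-printable bytes, which is why the example returns None for those cases instead of suggesting a literal. YARA-CI reports these as warnings, not errors, so they do not block the pin bump above.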