Merge branch 'master' of https://github.com/Neo23x0/signature-base

Neo23x0 · Neo23x0 · commit e3c8052a07b3 · 2025-07-20T23:02:15.000+02:00
diff --git a/yara/apt_cn_twisted_panda.yar b/yara/apt_cn_twisted_panda.yar
@@ -32,7 +32,7 @@ rule APT_CN_TwistedPanda_loader {
       $seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }
             
       // Decryption sequence
-      $decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }
+      $decryption = { 8B C? [2-3] F6 D? 1A C? [4-6] 30 0? ?? 4? }
  
    condition:
       // MZ signature at offset 0 and ...
diff --git a/yara/apt_grizzlybear_uscert.yar b/yara/apt_grizzlybear_uscert.yar
@@ -1434,6 +1434,7 @@ rule IMPLANT_9_v1 {
       author = "US CERT"
       reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
       date = "2017-02-10"
+      modified = "2025-07-01"
       score = 85
       id = "5460ff29-681b-5d11-a6ba-5f294e8577e6"
    strings:
@@ -1443,7 +1444,7 @@ rule IMPLANT_9_v1 {
       $STR3 = { 8B 55 F8 8B C8 83 E1 03 8A 4C 11 08 8B 55 FC 32 0C 10 8B 17 88
          4C 02 04 40 3B 06 72 E3 }
    condition:
-      (uint16(0) == 0x5A4D or uint16(0)) and all of them
+      uint16(0) == 0x5A4D and all of them
 }
 
 /* TOO MANY FALSE POSITIVES
diff --git a/yara/apt_nk_andariel_jul24.yar b/yara/apt_nk_andariel_jul24.yar
@@ -90,6 +90,7 @@ rule MAL_APT_NK_Andariel_HHSD_FileTransferTool {
       description = "Detects a variant of the HHSD File Transfer Tool"
       reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
       date = "2024-07-25"
+      modified = "2025-07-09"
       score = 70
       id = "46b6dbaf-1272-5bbd-a586-5e48ba6c5022"
    strings:
@@ -111,17 +112,17 @@ rule MAL_APT_NK_Andariel_HHSD_FileTransferTool {
       // 41 02 D0                add     dl, r8b
       // 44 02 DA                add     r11b, dl
       // 3C 1F                   cmp     al, 1Fh
-      $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F }
+      // $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F }      removed due to 1 byte atom
       // B9 8D 10 B7 F8          mov     ecx, 0F8B7108Dh
       // E8 F1 BA FF FF          call    sub_140001280
       $hash_call_loadlib = { B? 8D 10 B7 F8 E8 }
       $hash_call_unk = { B? 91 B8 F6 88 E8 }
       
    condition:
       uint16(0) == 0x5a4d
-      and 1 of ($handshake, $err_xor_str, $buf_add_cmp_1f) 
+      and 1 of ($handshake, $err_xor_str) 
       and 1 of ($hash_call_*)
-      or 2 of ($handshake, $err_xor_str, $buf_add_cmp_1f)
+      or 2 of ($handshake, $err_xor_str)
 } 
 
 rule MAL_APT_NK_Andariel_Atharvan_3RAT {
diff --git a/yara/apt_winnti.yar b/yara/apt_winnti.yar
@@ -209,7 +209,7 @@ rule APT_Winnti_MAL_Dec19_3 {
       score = 75
       id = "2e001c91-0794-5940-ad8c-8e58a01e100c"
    strings:
-      $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [0-2] [8] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
+      $b1 = { 0F B7 ?? 16 [0-1] (81 E? | 25) 00 20 [8-10] 8B ?? 50 41 B9 40 00 00 00 41 B8 00 10 00 00 }
       $b2 = { 8B 40 28 [5-8] 48 03 C8 48 8B C1 [5-8] 48 89 41 28 }
       $b3 = { 48 6B ?? 28 [5-8] 8B ?? ?? 10 [5-8] 48 6B ?? 28 [5-8] 8B ?? ?? 14 }
       $b4 = { 83 B? 90 00 00 00 00 0F 84 [9-12] 83 B? 94 00 00 00 00 0F 84 }
diff --git a/yara/gen_nighthawk_c2.yar b/yara/gen_nighthawk_c2.yar
@@ -11,8 +11,8 @@ rule EXT_HKTL_Nighthawk_RAT
 		hash3 = "38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf"
 		hash4 = "f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e"
 		hash5 = "b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94"
-		modified = "2022-11-30"
-    date = "2022-11-22"
+		modified = "2025-07-01"
+		date = "2022-11-22"
 
 		id = "7a58b8bf-fb14-5758-bc2a-ad2c6fff1216"
 	strings:
@@ -26,7 +26,7 @@ rule EXT_HKTL_Nighthawk_RAT
 	condition:
 		uint16(0) == 0x5A4D and filesize < 2MB and
 		(3 of ($pattern*) or
-		(pe.section_index(".profile") and pe.section_index(".detourc") and pe.section_index(".detourd")))
+		(pe.section_index(".profile") >= 0 and pe.section_index(".detourc") >= 0 and pe.section_index(".detourd") >= 0))
 }
 
 rule HKTL_MAL_Nighthawk_Nov_2022_1 : nighthawk beacon {
diff --git a/yara/thor-webshells.yar b/yara/thor-webshells.yar
@@ -4741,6 +4741,7 @@ rule sql_php_php {
 		$s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
 	condition:
 		1 of them
+		and not uint32(0) == 0x6D783F3C /* <?xm */
 }
 rule cgi_python_py {
 	meta:

Original file line number	Diff line number	Diff line change
`@@ -4741,6 +4741,7 @@ rule sql_php_php {`
`4741`	`4741`	`$s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"`
`4742`	`4742`	`condition:`
`4743`	`4743`	`1 of them`
	`4744`	`+ and not uint32(0) == 0x6D783F3C /* <?xm */`
`4744`	`4745`	`}`
`4745`	`4746`	`rule cgi_python_py {`
`4746`	`4747`	`meta:`