Weekly Detection Rule (YARA and Snort) Information – Week 5, August 2024
The following is the list of YARA and Snort rules (week 5, August 2024) collected and shared by the AhnLab TIP service, with the public source repository for each rule.
- 14 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_Chase_prohqcker | Phishing Kit impersonating Chase bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Colissimo_blackforce | Phishing Kit impersonating Colissimo | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_IDME_prohqcker | Phishing Kit impersonating ID.me | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_LCL_2024 | Phishing Kit impersonating LCL | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Metamask_f528764 | Phishing Kit impersonating Metamask | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Chase_drfxnd | Phishing Kit impersonating Chase bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Facebook_kasroudra | Phishing Kit impersonating Facebook | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Instagram_center | Phishing Kit impersonating Instagram | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Spotify_genius | Phishing Kit impersonating Spotify | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_StandardBank_bcc | Phishing Kit impersonating Standard Bank Online Banking | https://github.com/t4d/PhishingKit-Yara-Rules |
| case_26364_cobalt_strike_smb_beacon | Case 26364 – file e225857.exe Cobalt Strike SMB beacon | https://github.com/The-DFIR-Report/Yara-Rules |
| case_26364_Get_DataInfo | Case 26364 – file Get-DataInfo.ps1 | https://github.com/The-DFIR-Report/Yara-Rules |
| case_26364_socks32_systembc | Case 26364 – file socks32.exe SystemBC executable | https://github.com/The-DFIR-Report/Yara-Rules |
| case_26364_qwe | Case 26364 – file qwe.exe BlackSuit ransomware binary | https://github.com/The-DFIR-Report/Yara-Rules |
- 20 Snort Rules
| Detection name | Source |
|---|---|
| ET TROJAN NUMOZYLOD CnC Checkin M1 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN NUMOZYLOD CnC Checkin M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Ailurophile Infostealer Data Exfiltration Attempt M1 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Ailurophile Infostealer CnC Server Response M1 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Ailurophile Infostealer Data Exfiltration Attempt M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Ailurophile Infostealer CnC Server Response M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Cobalt Strike Malleable C2 (Amazon Profile) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Cobalt Strike Malleable C2 (Google Drive Profile) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Cobalt Strike Malleable C2 (MSNBC Video Profile) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Cobalt Strike Malleable C2 (Pandora Profile) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Possible Host Profile Exfiltration In Pipe Delimited Format | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Qwerty Stealer Data Exfiltration Attempt M1 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN BlankGrabber Stealer Exfiltration via Discord | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Qwerty Stealer Data Exfiltration Attempt M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Qwerty Stealer C2 Response | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Possible RAZR Ransomware User-Agent Observed | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN RAZR Ransomware CnC Checkin | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Cheana Stealer CnC Checkin | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Cheana Stealer Data Exfiltration Attempt | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ELF/crond CnC Request (GET) | https://rules.emergingthreatspro.com/open/ |