Add and update signtures

CAPESandbox · Nov 16, 2023 · 31382f6 · 31382f6
1 parent 9fbae47
commit 31382f6
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 2 deletions.
diff --git a/data/yara/CAPE/LummaStealer.yar b/data/yara/CAPE/LummaStealer.yar
@@ -17,6 +17,8 @@ rule LummaStealer {
         $s9 = "- Screen Resoluton:" ascii
         $s10 = "lid=%s" ascii
         $s11 = "&ver=" ascii
+        $s12 = "769cb9aa22f4ccc412f9cbc81feedd" fullword wide
+        $s13 = "gapi-node.io" fullword ascii
     condition:
         uint16(0) == 0x5a4d and (all of ($x*) or (1 of ($x*) and 2 of ($s*)) or 5 of ($s*) or 7 of them)
-} 
+}
diff --git a/data/yara/CAPE/RustyStealer.yar b/data/yara/CAPE/RustyStealer.yar
@@ -14,6 +14,12 @@ rule RustyStealer {
         $s8 = /\\logscx\\(passwords_|cookies_|creditcards_)/ ascii
         $s9 = "VirtualBoxVBoxVMWareVMCountry" ascii
         $s10 = "New Log From ( /  )" ascii
+        $s11 = "BrowserChromeKometaOrbitumSputnikTorchUranuCozMediaVivaldiAtomMail" ascii
+        $s12 = "BrowserBraveSoftwareCentBrowserChedotChrome" ascii
+        $s13 = "ChromeKometaOrbitumSputnikTorchUranuCozMediaVivaldi" ascii
+        $s14 = "hostnameencryptedUsernameencryptedPasswordstruct" ascii
+        $s15 = "encryptedPassword" fullword ascii
+        $s16 = "AutoFill@~" fullword ascii
     condition:
         uint16(0) == 0x5a4d and 6 of them
 }
diff --git a/data/yara/CAPE/SapphireStealer.yar b/data/yara/CAPE/SapphireStealer.yar
@@ -0,0 +1,20 @@
+rule SapphireStealer {
+    meta:
+        author = "ditekSHen"
+        description = "Detects SapphireStealer"
+        cape_type = "SapphireStealer Payload"
+    strings:
+       $s1 = "Sapphire.Modules." ascii
+       $s2 = "sapphire\\" wide
+       $s3 = "by r3vengerx0" wide
+       $s4 = "Sapphire\\obj\\" ascii
+       $s5 = "[ERROR_GETSECRETKEY_METHOD]" fullword wide
+       $s6 = "[ERROR_CANT_GET_PASSWORD]" fullword wide
+       $s7 = "<h2>------NEW LOGS------</h2>" wide
+       $s8 = "[ERROR] can't create grab directory" wide
+       $s9 = "<UploadToTelegram>d__" ascii
+       $s10 = "UploadToTelegram" ascii
+       $s11 = ".SendLog+<UploadToTelegram>d__" ascii
+    condition:
+       uint16(0) == 0x5a4d and 5 of them
+}
diff --git a/data/yara/binaries/indicator_suspicious.yar b/data/yara/binaries/indicator_suspicious.yar
@@ -1350,7 +1350,7 @@ rule INDICATOR_SUSPICIOUS_IMG_Embedded_B64_EXE {
         $h1 = "TVqQA" ascii
         $h2 = "AQqVT" ascii
     condition:
-        (uint32(0) == 0xe0ffd8ff or uint32(0) == 0x474e5089 or uint16(0) == 0x4d42) and ((2 of ($m*)) or (1 of ($h*)))
+        (uint32(0) == 0xd8ff or uint32(0) == 0x474e5089 or uint16(0) == 0x4d42) and ((2 of ($m*)) or (1 of ($h*)))
 }
 
 rule INDICATOR_SUSPICIOUS_EXE_TransferSh_URL {

diff --git a/data/yara/binaries/indicator_tools.yar b/data/yara/binaries/indicator_tools.yar
@@ -1716,3 +1716,19 @@ rule INDICATOR_TOOL_SharpLDAP {
     condition:
         uint16(0) == 0x5a4d and ((1 of ($x*) and 4 of ($s*)) or (5 of ($s*)))
 }
+
+rule INDICATOR_TOOL_Pandora {
+    meta:
+        author = "ditekSHen"
+        description = "Detects Pandora tool to extract credentials from password managers"
+    strings:
+        $s1 = "process PID:" fullword wide
+        $s2 = "Dump file created:" fullword wide
+        $s3 = "System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Allow')" ascii
+        $s4 = "{[math]::Round($_.PrivateMemorySize64" ascii
+        $s5 = "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump $" ascii
+        $s6 = "\"payload\":{\"logins\":" ascii
+        $s7 = "\\pandora.pdb" ascii
+    condition:
+        uint16(0) == 0x5a4d and 5 of them
+}