From 31382f60fa88d53a2487337aca25bee00705107f Mon Sep 17 00:00:00 2001
From: ditekshen
Date: Thu, 16 Nov 2023 14:44:00 +0300
Subject: [PATCH] Add and update signtures
---
 data/yara/CAPE/LummaStealer.yar | 4 +++-
 data/yara/CAPE/RustyStealer.yar | 6 ++++++
 data/yara/CAPE/SapphireStealer.yar | 20 ++++++++++++++++++++
 data/yara/binaries/indicator_suspicious.yar | 2 +-
 data/yara/binaries/indicator_tools.yar | 16 ++++++++++++++++
 5 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 data/yara/CAPE/SapphireStealer.yar
diff --git a/data/yara/CAPE/LummaStealer.yar b/data/yara/CAPE/LummaStealer.yar
index 7705fed7..ca711572 100644
--- a/data/yara/CAPE/LummaStealer.yar
+++ b/data/yara/CAPE/LummaStealer.yar
@@ -17,6 +17,8 @@ rule LummaStealer {
 $s9 = "- Screen Resoluton:" ascii
 $s10 = "lid=%s" ascii
 $s11 = "&ver=" ascii
+ $s12 = "769cb9aa22f4ccc412f9cbc81feedd" fullword wide
+ $s13 = "gapi-node.io" fullword ascii
 condition:
 uint16(0) == 0x5a4d and (all of ($x*) or (1 of ($x*) and 2 of ($s*)) or 5 of ($s*) or 7 of them)
-}
+}
diff --git a/data/yara/CAPE/RustyStealer.yar b/data/yara/CAPE/RustyStealer.yar
index 472ecf01..07e5ea5c 100644
--- a/data/yara/CAPE/RustyStealer.yar
+++ b/data/yara/CAPE/RustyStealer.yar
@@ -14,6 +14,12 @@ rule RustyStealer {
 $s8 = /\\logscx\\(passwords_|cookies_|creditcards_)/ ascii
 $s9 = "VirtualBoxVBoxVMWareVMCountry" ascii
 $s10 = "New Log From ( / )" ascii
+ $s11 = "BrowserChromeKometaOrbitumSputnikTorchUranuCozMediaVivaldiAtomMail" ascii
+ $s12 = "BrowserBraveSoftwareCentBrowserChedotChrome" ascii
+ $s13 = "ChromeKometaOrbitumSputnikTorchUranuCozMediaVivaldi" ascii
+ $s14 = "hostnameencryptedUsernameencryptedPasswordstruct" ascii
+ $s15 = "encryptedPassword" fullword ascii
+ $s16 = "AutoFill@~" fullword ascii
 condition:
 uint16(0) == 0x5a4d and 6 of them
 }
diff --git a/data/yara/CAPE/SapphireStealer.yar b/data/yara/CAPE/SapphireStealer.yar
new file mode 100644
index 00000000..d7a3037f
--- /dev/null
+++ b/data/yara/CAPE/SapphireStealer.yar
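Review bot: In the RustyStealer hunk, `$s13` is a proper substring of `$s11` ("ChromeKometaOrbitumSputnikTorchUranuCozMediaVivaldi" appears verbatim inside the longer string), so any file that hits $s11 also hits $s13 and the pair counts twice toward `6 of them`. Since the threshold is left at 6 while the string count grows from 10 to 16, the effective bar for a match is now lower than before the change, not higher. `$s15 = "encryptedPassword" fullword ascii` is also a plain field name that benign software handling browser profile data may carry, so it adds little on its own. I would either drop $s13 or raise the threshold, e.g. `uint16(0) == 0x5a4d and 8 of them`. The rule body starts above this hunk.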
@@ -0,0 +1,20 @@
+rule SapphireStealer {
+ meta:
+ author = "ditekSHen"
+ description = "Detects SapphireStealer"
+ cape_type = "SapphireStealer Payload"
+ strings:
+ $s1 = "Sapphire.Modules." ascii
+ $s2 = "sapphire\\" wide
+ $s3 = "by r3vengerx0" wide
+ $s4 = "Sapphire\\obj\\" ascii
+ $s5 = "[ERROR_GETSECRETKEY_METHOD]" fullword wide
+ $s6 = "[ERROR_CANT_GET_PASSWORD]" fullword wide
+ $s7 = "

------NEW LOGS------

" wide
+ $s8 = "[ERROR] can't create grab directory" wide
+ $s9 = "d__" ascii
+ $s10 = "UploadToTelegram" ascii
+ $s11 = ".SendLog+d__" ascii
+ condition:
+ uint16(0) == 0x5a4d and 5 of them
+}
diff --git a/data/yara/binaries/indicator_suspicious.yar b/data/yara/binaries/indicator_suspicious.yar
index be951554..d518aa12 100644
--- a/data/yara/binaries/indicator_suspicious.yar
+++ b/data/yara/binaries/indicator_suspicious.yar
@@ -1350,7 +1350,7 @@ rule INDICATOR_SUSPICIOUS_IMG_Embedded_B64_EXE {
 $h1 = "TVqQA" ascii
 $h2 = "AQqVT" ascii
 condition:
- (uint32(0) == 0xe0ffd8ff or uint32(0) == 0x474e5089 or uint16(0) == 0x4d42) and ((2 of ($m*)) or (1 of ($h*)))
+ (uint32(0) == 0xd8ff or uint32(0) == 0x474e5089 or uint16(0) == 0x4d42) and ((2 of ($m*)) or (1 of ($h*)))
 }

 rule INDICATOR_SUSPICIOUS_EXE_TransferSh_URL {
diff --git a/data/yara/binaries/indicator_tools.yar b/data/yara/binaries/indicator_tools.yar
index 0ff2a5e8..61d27cd1 100644
--- a/data/yara/binaries/indicator_tools.yar
+++ b/data/yara/binaries/indicator_tools.yar
@@ -1716,3 +1716,19 @@ rule INDICATOR_TOOL_SharpLDAP {
 condition:
 uint16(0) == 0x5a4d and ((1 of ($x*) and 4 of ($s*)) or (5 of ($s*)))
 }
+
+rule INDICATOR_TOOL_Pandora {
+ meta:
+ author = "ditekSHen"
+ description = "Detects Pandora tool to extract credentials from password managers"
+ strings:
+ $s1 = "process PID:" fullword wide
+ $s2 = "Dump file created:" fullword wide
+ $s3 = "System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Allow')" ascii
+ $s4 = "{[math]::Round($_.PrivateMemorySize64" ascii
+ $s5 = "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump $" ascii
+ $s6 = "\"payload\":{\"logins\":" ascii
+ $s7 = "\\pandora.pdb" ascii
+ condition:
+ uint16(0) == 0x5a4d and 5 of them
+}
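Review bot: `$s9 = "d__" ascii` in the SapphireStealer rule is a near-universal token rather than a family marker: the C# compiler names every iterator/async state-machine type `<Method>d__N`, so most managed PE files contain this three-byte sequence and it effectively lowers `5 of them` to 4 of the remaining strings. `$s11 = ".SendLog+d__"` already captures the intended compiler-generated name in context, so I would delete $s9 or exclude it from the count, e.g. `uint16(0) == 0x5a4d and 5 of ($s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8,$s10,$s11)`. Separately, `$s7` is rendered here with raw line breaks inside the literal; the hunk header's `+1,20` count implies it is a single line in the file (presumably escape sequences the rendering unescaped), but a YARA text string cannot contain a literal newline, so confirm the file compiles as committed.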
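Review bot: The replacement condition in INDICATOR_SUSPICIOUS_IMG_Embedded_B64_EXE, `uint32(0) == 0xd8ff`, requires the four bytes `FF D8 00 00` at offset 0, which a JPEG never has (the SOI marker `FF D8` is always followed by another `FF xx` marker), so the change disables the JPEG branch instead of broadening it from JFIF-only to all JPEG variants. The width should shrink along with the value: `(uint16(0) == 0xd8ff or uint32(0) == 0x474e5089 or uint16(0) == 0x4d42) and ((2 of ($m*)) or (1 of ($h*)))`. A quick regression sample (a JPEG with an Exif `FF D8 FF E1` header carrying a base64 MZ blob) would catch this; the rule's strings section starts above the hunk.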
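Review bot: In INDICATOR_TOOL_Pandora, three of the seven strings are not specific to this tool: `$s5` is the widely copied comsvcs.dll MiniDump one-liner seen in many dumping utilities and scripts, and `$s1`/`$s2` are plain status messages, so with `5 of them` only two of the identifying strings ($s3, $s4, $s6, $s7) are actually required. Anchoring on the tool-specific artifacts keeps the generic ones as supporting evidence: `uint16(0) == 0x5a4d and 1 of ($s6, $s7) and 4 of them`. The meta block would also benefit from a `reference` entry noting where the strings were taken from, if the other rules in this file carry one.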