misp-circl-feed/feeds/circl/misp/f7d4de59-58ac-409e-a3cb-d50261b3f825.json

{
"Event": {
"analysis": "2",
"date": "2024-02-19",
"extends_uuid": "",
"info": "OSINT - Backmydata Ransomware Indicators of Compromise (IOCs) - alerts - dnsc.ro",
"publish_timestamp": "1708337279",
"published": true,
"threat_level_id": "4",
"timestamp": "1708337267",
"uuid": "f7d4de59-58ac-409e-a3cb-d50261b3f825",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:malpedia=\"Phobos\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:sigma-rules=\"Publicly Accessible RDP Service\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:sector=\"Health\"",
"relationship_type": "targets"
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:ransomware=\"Phobos\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "328a6d1d-388a-4f89-8c40-ab20a4824d53",
"value": "31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "48bd8f5e-55ec-4b3a-8b14-442867ab5506",
"value": "a6527183e3cbf81602de16f3448a8754f6cecd05dc3568fa2795de534b366da4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "4ac80912-9d91-4e74-a99b-4111efe78f67",
"value": "59756c8f4c760f1b29311a5732cb3fdd41d4b5bc9c88cd77c560e27b6e59780c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "1785f41c-84a3-4a8d-9382-5adf664e4b09",
"value": "b42725211240828ccc505d193d8ea5915e395c9f43e71496ff0ece4f72e3e4ab"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "d19320d8-8e6f-4dc8-8111-cf32fada60a6",
"value": "7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "3e53ea7e-d877-4bc8-bc65-4885ccb1205c",
"value": "6a87226ed5cca8e072507d6c24289c57757dd96177f329a00b00e40427a1d473"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "3ee529bd-bc30-4cda-9c1b-619a8a156dd7",
"value": "de374c1b9a05c2203e66917202c42d11eac4368f635ccaaadf02346035e82562"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "98bb175a-f775-43be-9dcb-09ee5eca2df1",
"value": "91041b616969e1526ee6dce23f8d18afdd353786ac6afa0b6611903263ee6f63"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "b44979b6-f96a-44df-8a70-8c3458a6b529",
"value": "8e4b218bdbd8e098fff749fe5e5bbf00275d21f398b34216a573224e192094b8"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "81ad7b35-cf80-475e-b50b-9cf3e442f52e",
"value": "04cc60eba7041e0cef2deb1bec9a087432344737dd2e5141c9cda981506ca1a5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "c392410b-3742-4766-9311-d2398370b686",
"value": "7fee96ae0ed1972a80abbd4529dc81ec033083857455bbf3c803c4f47e1ac31c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "56063820-7383-4855-b909-b3dcdf0b9f43",
"value": "e01b0e7feadd08a7ea87c1cde44e7b97daf9632eaee8311ef6967f33258d03c1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "b8428079-ccaa-4ec9-88d0-39046607382c",
"value": "64788b6f74875aed53ca80669b06f407e132d7be49586925dbb3dcde56cbca9c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "cd9f689e-37cd-4dae-a217-bfb078c5bcbc",
"value": "5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "ad929209-ea9d-4a3c-a9b2-626d4f4c09e5",
"value": "205818e10c13d2e51b4c0196ca30111276ca1107fc8e25a0992fe67879eab964"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334512",
"to_ids": true,
"type": "sha256",
"uuid": "a28870ae-58ad-438f-9148-91d5a6e3402b",
"value": "ae474417854ac1b6190e15cc514728433a26cc815fdc6d12150ef55e92d643ea"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334513",
"to_ids": true,
"type": "sha256",
"uuid": "2df194e3-d6ce-4dc4-9760-1816dbfb27c4",
"value": "c92580318be4effdb37aa67145748826f6a9e285bc2426410dc280e61e3c7620"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334513",
"to_ids": true,
"type": "sha256",
"uuid": "76f079ff-ec7e-4f1c-bd04-a83611e729e0",
"value": "1e13fd79ad54fe98e08d9ffca2c287a470c50c2876608edce2fe38e07c245266"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334513",
"to_ids": true,
"type": "sha256",
"uuid": "1b46b734-5059-498d-8074-8c17f7596a2a",
"value": "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334513",
"to_ids": true,
"type": "sha256",
"uuid": "45ee801f-248f-4bc1-8ecd-fcfe7d5e8abd",
"value": "b556d90b30f217d5ef20ebe3f15cce6382c4199e900b5ad2262a751909da1b34"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334513",
"to_ids": true,
"type": "sha256",
"uuid": "795bcc04-3a13-4fc2-af39-d68fcdaf142a",
"value": "48b77c1efbc3197128391a35d0e1ed0b5cc3a05b96dd12c98ac73ffc6a886fc8"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1708334513",
"to_ids": true,
"type": "sha256",
"uuid": "39eb8836-95bb-4704-a9d5-609b2a886d06",
"value": "12f13d129579c68ec3cc05bef69880b6a891296fa9fce69b979b1c04998f125c"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1708329218",
"uuid": "81afe512-f965-4077-864c-badee95de693",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1708329218",
"to_ids": false,
"type": "text",
"uuid": "65954c4c-7630-4604-b256-db78566e2c61",
"value": "During the night of 11 to 12 February 2024 there was a ransomware cyber-attack on the\r\nRomanian Soft Company (RSC) www.rsc.ro, which develops, manages and markets the\r\nHippocrates computer system (a.k.a. HIS). According to DNSC data, the attack disrupted the\r\nactivity of 26 Romanian hospitals using the Hippocrates IT system.\r\nThe malware used in the attack is the Backmydata ransomware application that is part of the\r\nPhobos malware family, known for propagating through Remote Desktop Protocol (RDP)\r\nconnections. Backmydata is designed to encrypt target files using a complex algorithm.\r\nEncrypted files are renamed with the .backmydata extension. After encryption, the malware\r\nprovides two ransom notes (info.hta and info.txt), with details of the steps to be taken for\r\ncontacting the attackers and how to pay the ransom.\r\nThe Directorate recommends to all healthcare entities, whether or not they have been affected\r\nby the Backmydata ransomware attack, to scan their IT&C infrastructure using the YARA\r\nscanning script."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1708329219",
"to_ids": false,
"type": "text",
"uuid": "a13dba20-ff2e-4fa2-ade4-5697cf43f273",
"value": "Alert"
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "report-file",
"timestamp": "1708329219",
"to_ids": false,
"type": "attachment",
"uuid": "8cc00c06-e312-4167-a156-78643f259c32",
"value": "DNSC ALERT v2024.02.16 Backmydata Ransomware Attack IOCs UPDATE ENG.pdf"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708329370",
"uuid": "844c6519-6095-4045-b402-abb4d59b5f70",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708329370",
"to_ids": false,
"type": "text",
"uuid": "e474c34f-52f7-4cbf-a151-b8598dd0df5a",
"value": "all"
},
{
"category": "Payload installation",
"comment": "Review note: in this rule's condition, '8 of them' is already satisfied by 'all of ($ap*)' (ten generic import strings), so the $s* strings never influence the verdict; a match effectively rests on the three $op byte patterns plus common Windows imports. Confirm hits against the sha256 values listed in this event before acting on them.",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708329370",
"to_ids": true,
"type": "yara",
"uuid": "dd965a0a-5f6e-4e04-a47e-418f6034e312",
"value": "rule Phobos_CrypterBinary {\r\n meta:\r\n description = \"Phobos Ransomware Crypter Binary\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-12\"\r\n hash1 = \"396a2f2dd09c936e93d250e8467ac7a9c0a923ea7f9a395e63c375b877a399a6\"\r\n strings:\r\n $s1 = \"\\\\.#* 0_\" fullword ascii\r\n $s2 = \"9F:b:{:\" fullword ascii \r\n $s3 = \"D$(Y_^[\" fullword ascii \r\n $s4 = \"tEWVVVV\" fullword ascii\r\n $s5 = \"YSVWj(j\" fullword ascii\r\n $s6 = \"^yMQb O8y\" fullword ascii\r\n $s7 = \"tjWWVhKE@\" fullword ascii\r\n $s8 = \"D$LPVVVWVVV\" fullword ascii\r\n $s9 = \"D$PPSj\" fullword ascii \r\n $s10 = \"YY9\\\\$0t\" fullword ascii \r\n $s11 = \"8$8/8|8\" fullword ascii \r\n $s12 = \"SVWj23\" fullword ascii \r\n $s13 = \"\\\\\\\\?\\\\X:\" fullword wide\r\n $s14 = \"\\\\\\\\?\\\\ :\" fullword wide\r\n $s15 = \"\\\\\\\\?\\\\UNC\\\\\\\\\\\\e-\" fullword wide\r\n $s16 = \"D$HY_^[\" fullword ascii\r\n $s17 = \"L{gYm+\" fullword ascii\r\n $s18 = \"2*262H2Q2^2j2\" fullword ascii\r\n $s19 = \"9\\\\$Pt.\" fullword ascii\r\n $s20 = \"Y9\\\\$4t&9\\\\$Xt \" fullword ascii\r\n\r\n $op0 = { 53 e8 34 7d 00 00 59 89 45 dc 8d 45 cc 50 68 06 }\r\n $op1 = { 39 5c 24 34 74 0a 39 5c 24 44 0f 84 af }\r\n $op2 = { 6a 18 c7 46 34 00 00 01 00 c7 46 30 00 00 10 00 }\r\n\r\n $ap0 = \"MPR.dll\" fullword ascii\r\n $ap1 = \"WS2_32.dll\" fullword ascii\r\n $ap2 = \"WINHTTP.dll\" fullword ascii\r\n $ap3 = \"KERNEL32.dll\" fullword ascii\r\n $ap4 = \"USER32.dll\" fullword ascii\r\n $ap5 = \"ADVAPI32.dll\" fullword ascii\r\n $ap6 = \"SHELL32.dll\" fullword ascii\r\n $ap7 = \"ole32.dll\" fullword ascii\r\n $ap8 = \"GetTickCount\" fullword ascii\r\n $ap9 = \"GetIpAddrTable\" fullword ascii\r\n\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 8 of them and all of ($op*) and all of ($ap*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708329370",
"to_ids": false,
"type": "text",
"uuid": "49a4d243-90cc-41fb-8c49-482156f11f35",
"value": "Phobos_CrypterBinary"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708329435",
"uuid": "b15731f7-8cb9-4b09-a2dc-3c9a696941ea",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708329435",
"to_ids": false,
"type": "text",
"uuid": "ec6a07de-b516-4cc4-a246-8c3656e64721",
"value": "all"
},
{
"category": "Payload installation",
"comment": "Review note: the strings ($x1 PDB path under processhacker2, $s20 GPL v3 notice, DigiCert signing chain) indicate this matches the open-source Process Hacker kernel driver (kprocesshacker.sys), a dual-use component, not Phobos code itself. A hit shows tooling seen in this intrusion; verify the file hash and origin before treating a match on a host with a legitimate Process Hacker install as ransomware activity.",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708329435",
"to_ids": true,
"type": "yara",
"uuid": "f9b4199b-2632-4b9a-a5e3-0f5351bcdc53",
"value": "rule Phobos_kprocesshacker {\r\n meta:\r\n description = \"Phobos kprocesshacker.sys\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-14\"\r\n hash1 = \"70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4\"\r\n strings:\r\n $x1 = \"d:\\\\projects\\\\processhacker2\\\\kprocesshacker\\\\bin\\\\amd64\\\\kprocesshacker.pdb\" fullword ascii\r\n $x2 = \"kprocesshacker.sys\" fullword wide\r\n $s3 = \":http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O\" fullword ascii\r\n $s4 = \":http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0@\" fullword ascii\r\n $s5 = \"\\\\Device\\\\KProcessHacker3\" fullword wide\r\n $s6 = \"KProcessHacker\" fullword wide\r\n $s7 = \"www.digicert.com1503\" fullword ascii\r\n $s8 = \"http://ocsp.digicert.com0R\" fullword ascii\r\n $s9 = \"Fhttp://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0\" fullword ascii\r\n $s10 = \"*http://crl3.digicert.com/sha2-ha-cs-g1.crl00\" fullword ascii\r\n $s11 = \"*http://crl4.digicert.com/sha2-ha-cs-g1.crl0L\" fullword ascii\r\n $s12 = \"DynamicConfiguration\" fullword wide\r\n $s13 = \"Sydney1\" fullword ascii\r\n $s14 = \"\\\\CDvQbX/0\" fullword ascii\r\n $s15 = \" Microsoft Code Verification Root0\" fullword ascii\r\n $s16 = \"SHA256\" fullword wide /* Goodware String - occured 507 times */\r\n $s17 = \"New South Wales1\" fullword ascii /* Goodware String - occured 1 times */\r\n $s18 = \"CIQh't%\" fullword ascii\r\n $s19 = \"DigiCert, Inc.1*0(\" fullword ascii\r\n $s20 = \"Licensed under the GNU GPL, v3.\" fullword wide\r\n\r\n $op0 = { 8c 99 00 00 58 20 00 00 c0 90 }\r\n\r\n $ap0 = \"PsGetCurrentProcessId\" fullword ascii\r\n $ap1 = \"SePrivilegeCheck\" fullword ascii\r\n $ap2 = \"PsInitialSystemProcess\" fullword ascii\r\n $ap3 = \"ZwQuerySystemInformation\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 100KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) and all of 
($ap*))\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708329435",
"to_ids": false,
"type": "text",
"uuid": "8e33a94c-6797-42cb-83b2-7db198f4df9b",
"value": "Phobos_kprocesshacker"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708329466",
"uuid": "62545fc3-9def-4287-8006-16d271f7f824",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708329466",
"to_ids": false,
"type": "text",
"uuid": "6429d90a-538a-4c15-9e81-72124dc63822",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708329466",
"to_ids": true,
"type": "yara",
"uuid": "a888b9bc-f30d-4d28-bd07-92b3f85d6f4b",
"value": "rule Phobos_mimikatz_drv {\r\n meta:\r\n description = \"mimidrv.sys\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96\"\r\n strings:\r\n $s1 = \"powershell.exe\" fullword ascii\r\n $s2 = \"$http://blog.gentilkiwi.com/mimikatz 0\" fullword ascii\r\n $s3 = \"mimikatz.exe\" fullword ascii\r\n $s4 = \"c:\\\\security\\\\mimikatz\\\\mimidrv\\\\objfre_wnet_amd64\\\\amd64\\\\mimidrv.pdb\" fullword ascii\r\n $s5 = \"mimidrv.sys\" fullword wide\r\n $s6 = \"!http://ocsp.globalsign.com/rootr103\" fullword ascii\r\n $s7 = \"\\\"http://crl.globalsign.com/root.crl0c\" fullword ascii\r\n $s8 = \" ! ZwSetInformationProcess 0x%08x for %u/%-14S\" fullword wide\r\n $s9 = \"MmProbeAndLockProcessPages\" fullword wide\r\n $s10 = \"PsSetCreateProcessNotifyRoutine\" fullword wide\r\n $s11 = \"PostOperation : \" fullword wide\r\n $s12 = \"KeServiceDescriptorTable : 0x%p (%u)\" fullword wide\r\n $s13 = \"Raw command (not implemented yet) : %s\" fullword wide\r\n $s14 = \"* Callback [type %u] - Handle 0x%p (@ 0x%p)\" fullword wide\r\n $s15 = \"SeRegisterLogonSessionTerminatedRoutineEx\" fullword wide\r\n $s16 = \"RtlGetSystemBootStatus\" fullword wide\r\n $s17 = \"Copyright (c) 2007 - 2020 gentilkiwi (Benjamin DELPY)\" fullword wide\r\n $s18 = \"*mimikatz driver 2.2.\" fullword wide\r\n $s19 = \"\\\\DosDevices\\\\mimidrv\" fullword wide\r\n $s20 = \"ObReferenceSecurityDescriptor\" fullword wide\r\n\r\n $op0 = { f8 b4 00 00 30 50 00 00 c0 b0 }\r\n $op1 = { 61 01 49 6f 44 65 6c 65 74 65 53 79 6d 62 6f 6c }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 100KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708329466",
"to_ids": false,
"type": "text",
"uuid": "1f24d3ca-e619-4b8a-8ebc-6d4e5089f20f",
"value": "Phobos_mimikatz_drv"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708329499",
"uuid": "74041ee4-4095-4f29-bb2a-67bc2d1696d2",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708329500",
"to_ids": false,
"type": "text",
"uuid": "6669df7f-060c-4b3d-b442-c73e7efc3017",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708329500",
"to_ids": true,
"type": "yara",
"uuid": "0c319653-d93c-4a1c-a74f-86aa928b06e9",
"value": "rule Phobos_mimikatz_drv_32 {\r\n meta:\r\n description = \"mimidrv_32.sys\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f\"\r\n strings:\r\n $s1 = \"powershell.exe\" fullword ascii\r\n $s2 = \"$http://blog.gentilkiwi.com/mimikatz 0\" fullword ascii\r\n $s3 = \"mimikatz.exe\" fullword ascii\r\n $s4 = \"c:\\\\security\\\\mimikatz\\\\mimidrv\\\\objfre_wnet_x86\\\\i386\\\\mimidrv.pdb\" fullword ascii\r\n $s5 = \"mimidrv.sys\" fullword wide\r\n $s6 = \"PsCreateSystemProcess\" fullword wide\r\n $s7 = \"!http://ocsp.globalsign.com/rootr103\" fullword ascii\r\n $s8 = \"\\\"http://crl.globalsign.com/root.crl0c\" fullword ascii\r\n $s9 = \" ! ZwSetInformationProcess 0x%08x for %u/%-14S\" fullword wide\r\n $s10 = \"PsSetCreateProcessNotifyRoutine\" fullword wide\r\n $s11 = \"PsGetThreadSessionId\" fullword wide\r\n $s12 = \"NtSetInformationProcess\" fullword wide\r\n $s13 = \"PostOperation : \" fullword wide\r\n $s14 = \"KeServiceDescriptorTable : 0x%p (%u)\" fullword wide\r\n $s15 = \"Raw command (not implemented yet) : %s\" fullword wide\r\n $s16 = \"* Callback [type %u] - Handle 0x%p (@ 0x%p)\" fullword wide\r\n $s17 = \"Copyright (c) 2007 - 2020 gentilkiwi (Benjamin DELPY)\" fullword wide\r\n $s18 = \"*mimikatz driver 2.2.\" fullword wide\r\n $s19 = \"\\\\DosDevices\\\\mimidrv\" fullword wide\r\n $s20 = \"CREATE_NAMED_PIPE\" fullword wide\r\n\r\n $op0 = { a1 88 64 01 00 b9 4e e6 40 bb 85 c0 74 04 3b c1 }\r\n $op1 = { 3c 84 00 00 18 40 00 00 8c 80 }\r\n $op2 = { 96 84 00 00 7e 84 00 00 62 84 00 00 4a 84 00 00 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 90KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708329500",
"to_ids": false,
"type": "text",
"uuid": "dd01cf96-1ee6-4dc5-b7bc-ad1f92bc319d",
"value": "Phobos_mimikatz_drv_32"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708329532",
"uuid": "b80144b5-fd6e-4a2e-a49a-d46edbc24757",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708329533",
"to_ids": false,
"type": "text",
"uuid": "f6700c74-dbce-4fe5-b13b-5954805921e7",
"value": "all"
},
{
"category": "Payload installation",
"comment": "Review note: this matches the publicly available NirSoft BulletsPassView utility (see $s3 nirsoft.net link and $s4 PDB path), used here as attacker credential-harvesting tooling rather than the Phobos crypter. Treat a hit as evidence of password-revealing tooling on the host and pivot to the listed hash and execution context.",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708329533",
"to_ids": true,
"type": "yara",
"uuid": "f656eac6-facf-4872-b561-defcf9b3cc04",
"value": "rule Phobos_BulletsPassView64 {\r\n meta:\r\n description = \"BulletsPassView64.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"e71cda5e7c018f18aefcdfbce171cfeee7b8d556e5036d8b8f0864efc5f2156b\"\r\n strings:\r\n $s1 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"am\" ascii\r\n $s2 = \"BulletsPassView.exe\" fullword wide\r\n $s3 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword wide\r\n $s4 = \"c:\\\\Projects\\\\VS2005\\\\BulletsPassView\\\\x64\\\\Release\\\\BulletsPassView.pdb\" fullword ascii\r\n $s5 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"am\" ascii\r\n $s6 = \"Process Description\" fullword wide\r\n $s7 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword wide\r\n $s8 = \"Process Path\" fullword wide\r\n $s9 = \"ScanIEPasswords\" fullword wide\r\n $s10 = \"ScanWindowsPasswords\" fullword wide\r\n $s11 = \"Scan Internet Explorer Passwords\" fullword wide\r\n $s12 = \"Scan Standard Password Text-Boxes\" fullword wide\r\n $s13 = \"AddExportHeaderLine\" fullword wide\r\n $s14 = \"<html><head>%s<title>%s</title></head>\" fullword wide\r\n $s15 = \"UnmaskPasswordBox\" fullword wide\r\n $s16 = \"BeepOnNewPassword\" fullword wide\r\n $s17 = \"&Clear Passwords List\" fullword wide\r\n $s18 = \"Copy Selected &Password\" fullword wide\r\n $s19 = \"&Unmask Password Text Box\" fullword wide\r\n $s20 = \"Beep On New Password\" fullword wide\r\n\r\n $op0 = { 48 8b 08 66 44 89 34 91 66 85 ff 0f 85 f9 01 00 }\r\n $op1 = { 48 c7 c6 ff ff ff ff 89 0d 06 04 01 00 c7 05 00 }\r\n $op2 = { 48 8b d8 74 34 48 83 25 e6 fb }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 300KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708329534",
"to_ids": false,
"type": "text",
"uuid": "d09d2a12-2cf8-45ff-87c7-2e8ffe7d2c8d",
"value": "Phobos_BulletsPassView64"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708329564",
"uuid": "d6a95537-2cc0-479f-a822-c275666d87c3",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708329564",
"to_ids": false,
"type": "text",
"uuid": "01c383ff-fcde-4ac5-8f7c-4f0379f6291c",
"value": "all"
},
{
"category": "Payload installation",
"comment": "Review note: this matches the publicly available NirSoft SniffPass network password sniffer (see $s3 PDB path, $s13 and $s18), used here as attacker credential-harvesting tooling rather than the Phobos crypter. A hit indicates sniffing tooling on the host; confirm with the listed hash and check which account executed it.",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708329564",
"to_ids": true,
"type": "yara",
"uuid": "d6fe7b68-9633-4c7b-93ca-bbda36f4a54e",
"value": "rule Phobos_SniffPass64 {\r\n meta:\r\n description = \"SniffPass64.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"c92580318be4effdb37aa67145748826f6a9e285bc2426410dc280e61e3c7620\"\r\n strings:\r\n $x1 = \"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"amd64\\\" publicKeyToken=\\\"6595b641\" ascii\r\n $x2 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><dependency><dependentAssembly><assemblyIdentity ty\" ascii\r\n $s3 = \"c:\\\\Projects\\\\VS2005\\\\SniffPass\\\\x64\\\\Release\\\\SniffPass.pdb\" fullword ascii\r\n $s4 = \"npptools.dll\" fullword ascii\r\n $s5 = \"NmApi.dll\" fullword ascii\r\n $s6 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword ascii\r\n $s7 = \"nmwifi.exe\" fullword ascii\r\n $s8 = \"Pwpcap.dll\" fullword ascii\r\n $s9 = \"Sniffed PasswordsCFailed to start capturing packets from the current network adapter.9Do you want to stop the capture and exit f\" wide\r\n $s10 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword ascii\r\n $s11 = \"login \" fullword ascii\r\n $s12 = \"AddExportHeaderLine\" fullword ascii\r\n $s13 = \"NirSoft SniffPass\" fullword ascii\r\n $s14 = \"NmGetFrame\" fullword ascii\r\n $s15 = \"NmGetRawFrame\" fullword ascii\r\n $s16 = \"NmGetFrameCount\" fullword ascii\r\n $s17 = \"NmGetRawFrameLength\" fullword ascii\r\n $s18 = \"Software\\\\NirSoft\\\\SniffPass\" fullword ascii\r\n $s19 = \"BeepOnNewPassword\" fullword ascii\r\n $s20 = \"<html><head>%s<title>%s</title></head>\" fullword ascii\r\n\r\n $op0 = { 48 8b 08 66 44 89 34 91 66 85 ff 0f 85 f9 01 00 }\r\n $op1 = { 48 8d 4c 24 20 41 83 c8 ff c7 44 24 34 00 01 00 }\r\n $op2 = { 48 8d 91 24 01 00 00 4c 8d 0d 34 00 01 00 45 33 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 300KB and\r\n ( 1 of ($x*) and 4 of 
them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708329564",
"to_ids": false,
"type": "text",
"uuid": "28cc795c-1d08-4828-81ed-c759999b5218",
"value": "Phobos_SniffPass64"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708329594",
"uuid": "f639e786-fcfa-4a94-a65c-df78bb109d00",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708329594",
"to_ids": false,
"type": "text",
"uuid": "9033aff3-a49b-4feb-9793-e7acf902253c",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708329594",
"to_ids": true,
"type": "yara",
"uuid": "853228a8-74b2-428e-9523-8d7fa48cb033",
"value": "rule Phobos_mimikatz {\r\n meta:\r\n description = \"mimik.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc\"\r\n strings:\r\n $x1 = \"ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)\" fullword wide\r\n $x2 = \"ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx user (%s)\" fullword wide\r\n $x3 = \"ERROR kuhl_m_lsadump_update_dc_password ; A /target argument is needed\" fullword wide\r\n $x4 = \"ERROR kuhl_m_lsadump_getComputerAndSyskey ; kull_m_registry_RegOpenKeyEx LSA KO\" fullword wide\r\n $x5 = \"ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO\" fullword wide\r\n $x6 = \"ERROR kuhl_m_lsadump_lsa ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)\" fullword wide\r\n $x7 = \"ERROR kuhl_m_lsadump_lsa_getHandle ; OpenProcess (0x%08x)\" fullword wide\r\n $x8 = \"ERROR kuhl_m_lsadump_trust ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)\" fullword wide\r\n $x9 = \"ERROR kuhl_m_lsadump_dcsync ; kull_m_rpc_drsr_ProcessGetNCChangesReply\" fullword wide\r\n $x10 = \"ERROR kuhl_m_dpapi_chrome ; Input 'Login Data' file needed (/in:\\\"%%localappdata%%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Da\" wide\r\n $x11 = \"ERROR kuhl_m_kernel_processProtect ; Argument /process:program.exe or /pid:processid needed\" fullword wide\r\n $x12 = \"ERROR kuhl_m_lsadump_netsync ; I_NetServerTrustPasswordsGet (0x%08x)\" fullword wide\r\n $x13 = \"ERROR kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt ; Checksums don't match (C:0x%08x - R:0x%08x)\" fullword wide\r\n $x14 = \"ERROR kuhl_m_lsadump_sam ; kull_m_registry_RegOpenKeyEx (SAM) (0x%08x)\" fullword wide\r\n $x15 = \"ERROR kuhl_m_lsadump_getHash ; Unknow SAM_HASH revision (%hu)\" fullword wide\r\n $x16 = \"ERROR kuhl_m_lsadump_changentlm ; Argument /oldpassword: or 
/oldntlm: is needed\" fullword wide\r\n $x17 = \"ERROR kuhl_m_lsadump_enumdomains_users ; /user or /rid is needed\" fullword wide\r\n $x18 = \"ERROR kuhl_m_lsadump_zerologon ; Missing /account argument, usually a DC$ account\" fullword wide\r\n $x19 = \"ERROR kuhl_m_lsadump_update_dc_password ; A /account argument is needed\" fullword wide\r\n $x20 = \"livessp.dll\" fullword wide /* reversed goodware string 'lld.pssevil' */\r\n\r\n $op0 = { 45 3b c8 72 34 4c 8d 4c 24 30 48 8b d7 4c 89 7c }\r\n $op1 = { e8 1b 18 0c 00 8b 4b 30 4c 8d 5f 34 4c 89 5b 34 }\r\n $op2 = { 48 89 44 24 28 4c 89 64 24 20 ff 15 34 6b 0c 00 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 4000KB and\r\n ( 1 of ($x*) and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708329594",
"to_ids": false,
"type": "text",
"uuid": "e9019960-9b7e-4716-9111-0d36ea02a669",
"value": "Phobos_mimikatz"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708329623",
"uuid": "d7ffa2f6-7d3e-44ef-b179-c0a49309c607",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708329623",
"to_ids": false,
"type": "text",
"uuid": "8ce7ef1b-3000-4a41-8ad0-f6713b840336",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708329623",
"to_ids": true,
"type": "yara",
"uuid": "33092846-bf41-463f-9645-b5e773053f46",
"value": "rule Phobos_mimikatzlib {\r\n meta:\r\n description = \"mimilib.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"59756c8f4c760f1b29311a5732cb3fdd41d4b5bc9c88cd77c560e27b6e59780c\"\r\n strings:\r\n $x1 = \"0: kd> !process 0 0 lsass.exe\" fullword ascii\r\n $s2 = \"$http://blog.gentilkiwi.com/mimikatz 0\" fullword ascii\r\n $s3 = \"0: kd> .process /r /p <EPROCESS address>\" fullword ascii\r\n $s4 = \"mimilib.dll\" fullword wide\r\n $s5 = \"# Search for LSASS process\" fullword ascii\r\n $s6 = \" '## v ##' https://blog.gentilkiwi.com/mimikatz (oe.eo)\" fullword ascii\r\n $s7 = \"%p - lsasrv!LogonSessionList\" fullword ascii\r\n $s8 = \"%p - lsasrv!LogonSessionListCount\" fullword ascii\r\n $s9 = \"kiwidns.log\" fullword wide\r\n $s10 = \"kiwifilter.log\" fullword wide\r\n $s11 = \"kiwinp.log\" fullword wide\r\n $s12 = \"kiwissp.log\" fullword wide\r\n $s13 = \"kiwisub.log\" fullword wide\r\n $s14 = \"masterkey\" fullword ascii\r\n $s15 = \" * Password : \" fullword ascii\r\n $s16 = \"%p - lsasrv!h3DesKey\" fullword ascii\r\n $s17 = \"Unknown version in Kerberos credentials structure\" fullword ascii\r\n $s18 = \"lsasrv!g_fSystemCredsInitialized\" fullword ascii\r\n $s19 = \"dpapisrv!g_fSystemCredsInitialized\" fullword ascii\r\n $s20 = \"%p - lsasrv!hAesKey\" fullword ascii\r\n\r\n $op0 = { b8 79 ff ff ff 3b c8 7f 5e 74 54 81 f9 6b ff ff }\r\n $op1 = { 4c 3b f3 48 8d 3d 34 5c 00 00 48 8d 05 b5 3f 00 }\r\n $op2 = { 8b 4d 28 e8 a0 fc ff ff 89 45 34 eb 07 c7 45 34 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 100KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708329623",
"to_ids": false,
"type": "text",
"uuid": "a740f8fe-e40e-4433-977f-ab0f8e352314",
"value": "Phobos_mimikatzlib"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708329650",
"uuid": "5053b6ae-ebc0-4a47-a6d6-63c1461cab65",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708329650",
"to_ids": false,
"type": "text",
"uuid": "775adb8a-0802-4a10-8126-e723da1736af",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708329650",
"to_ids": true,
"type": "yara",
"uuid": "f0754bdf-4e56-400a-98d1-d9eec76b7d02",
"value": "rule Phobos_WirelessKeyView64 {\r\n meta:\r\n description = \"WirelessKeyView64.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"48b77c1efbc3197128391a35d0e1ed0b5cc3a05b96dd12c98ac73ffc6a886fc8\"\r\n strings:\r\n $x1 = \"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"amd64\\\" publicKeyToken=\\\"6595b641\" ascii\r\n $x2 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><dependency><dependentAssembly><assemblyIdentity ty\" ascii\r\n $x3 = \"Windows Protect folder for getting the encryption keys, For example: G:\\\\windows\\\\system32\\\\Microsoft\\\\Protect\" fullword wide\r\n $s4 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword ascii\r\n $s5 = \"Windows Registry hives folder, for example: k:\\\\windows\\\\system32\\\\config\" fullword wide\r\n $s6 = \"SYSTEM\\\\%s\\\\Control\\\\Network\\\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\\\%s\\\\Connection\" fullword ascii\r\n $s7 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword ascii\r\n $s8 = \"system32\\\\config\\\\Software\" fullword ascii\r\n $s9 = \"system32\\\\config\" fullword ascii\r\n $s10 = \"Load the wireless keys of the current logged-on user\" fullword wide\r\n $s11 = \"/Running WirelessKeyView as SYSTEM user (Faster)%Directly decrypting the wireless keys\" fullword wide\r\n $s12 = \"SYSTEM\\\\%s\\\\Enum\\\\%s\" fullword ascii\r\n $s13 = \"AddExportHeaderLine\" fullword ascii\r\n $s14 = \"<html><head>%s<title>%s</title></head>\" fullword ascii\r\n $s15 = \"/GetKeys\" fullword ascii\r\n $s16 = \"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\" fullword ascii\r\n $s17 = \"report.html\" fullword ascii\r\n $s18 = \" Type Descriptor'\" fullword ascii\r\n $s19 = \"Load wireless keys from remote system (Windows Vista or later, requires full admin rights)\" 
fullword wide\r\n $s20 = \"Windows Directory: (For example: K:\\\\Windows )\" fullword wide\r\n\r\n $op0 = { 48 8b 08 66 44 89 34 91 66 85 ff 0f 85 f9 01 00 }\r\n $op1 = { 48 8d 4c 24 20 41 83 c8 ff c7 44 24 34 00 01 00 }\r\n $op2 = { 49 89 83 28 ff ff ff 49 89 83 30 ff ff ff c7 84 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 700KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708329650",
"to_ids": false,
"type": "text",
"uuid": "819dcae1-84a4-4793-a297-978ae4d49c4a",
"value": "Phobos_WirelessKeyView64"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330468",
"uuid": "11d49f49-bddd-4b8d-8bac-c590284d0856",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330468",
"to_ids": false,
"type": "text",
"uuid": "60501332-bee0-4fa9-b4c7-358d68c1c496",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330468",
"to_ids": true,
"type": "yara",
"uuid": "c3b0dd13-d9a1-4256-966c-6dde9e3d1a19",
"value": "rule Phobos_netpass64 {\r\n meta:\r\n description = \"netpass64.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"6a87226ed5cca8e072507d6c24289c57757dd96177f329a00b00e40427a1d473\"\r\n strings:\r\n $x1 = \"Windows Protect folder for getting the encryption keys, For example: F:\\\\Users\\\\Nir\\\\AppData\\\\Roaming\\\\Microsoft\\\\Protect\" fullword wide\r\n $x2 = \"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"amd64\\\" publicKeyToken=\\\"6595b641\" ascii\r\n $x3 = \"Windows Credentials folder: (For exmaple: C:\\\\Users\\\\admin\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials )\" fullword wide\r\n $x4 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><dependency><dependentAssembly><assemblyIdentity ty\" ascii\r\n $s5 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword ascii\r\n $s6 = \"c:\\\\Projects\\\\VS2005\\\\netpass\\\\x64\\\\Release\\\\netpass.pdb\" fullword ascii\r\n $s7 = \"User Profile Folder: (For example: K:\\\\users\\\\admin )\" fullword wide\r\n $s8 = \"Bad file structure !UFailed to decrypt the key file. 
It's possible that the supplied password is incorrect\" fullword wide\r\n $s9 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword ascii\r\n $s10 = \"Failed to load the executable file !\" fullword ascii\r\n $s11 = \"Export Raw Passwords Data\" fullword wide\r\n $s12 = \"Windows Login Password:\" fullword wide\r\n $s13 = \"+Failed to find the encryption key filename.-The structure of the key filename is invalid./The structure of the protected data i\" wide\r\n $s14 = \"AppData\\\\Roaming\" fullword ascii\r\n $s15 = \"AppData\\\\Roaming\\\\Microsoft\\\\Protect\" fullword ascii\r\n $s16 = \" Network Password Recovery\" fullword wide\r\n $s17 = \" Network Password Recovery\" fullword wide\r\n $s18 = \"AddExportHeaderLine\" fullword ascii\r\n $s19 = \"<html><head>%s<title>%s</title></head>\" fullword ascii\r\n $s20 = \"Domain Password\" fullword wide\r\n\r\n $op0 = { 48 8b 08 66 44 89 34 91 66 85 ff 0f 85 f9 01 00 }\r\n $op1 = { 48 8d 4c 24 20 41 83 c8 ff c7 44 24 34 00 01 00 }\r\n $op2 = { 04 45 88 ab 21 ff ff ff 45 88 ab 22 ff ff ff 45 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330468",
"to_ids": false,
"type": "text",
"uuid": "f410c21d-a3bb-4f40-b861-475f75bbc5ed",
"value": "Phobos_netpass64"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330495",
"uuid": "6be18ce6-1757-46fa-813b-03297fef36a5",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330495",
"to_ids": false,
"type": "text",
"uuid": "320b253d-aa37-4158-8901-baf1aaac0618",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330495",
"to_ids": true,
"type": "yara",
"uuid": "8c728a5f-33f2-4e42-9aee-a5ca90148c80",
"value": "rule Phobos_PasswordFox64 {\r\n meta:\r\n description = \"PasswordFox64.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"7fee96ae0ed1972a80abbd4529dc81ec033083857455bbf3c803c4f47e1ac31c\"\r\n strings:\r\n $s1 = \"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, \" ascii\r\n $s2 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"am\" ascii\r\n $s3 = \"c:\\\\Projects\\\\VS2005\\\\PasswordFox\\\\x64\\\\Release\\\\PasswordFox.pdb\" fullword ascii\r\n $s4 = \"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, \" ascii\r\n $s5 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword wide\r\n $s6 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"am\" ascii\r\n $s7 = \"\\\\sqlite3.dll\" fullword wide\r\n $s8 = \"\\\\mozsqlite3.dll\" fullword wide\r\n $s9 = \"\\\"Account\\\",\\\"Login Name\\\",\\\"Password\\\",\\\"Web Site\\\",\\\"Comments\\\"\" fullword ascii\r\n $s10 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\firefox.exe\" fullword wide\r\n $s11 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\Waterfox.exe\" fullword wide\r\n $s12 = \"encryptedPassword\" fullword wide\r\n $s13 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword wide\r\n $s14 = \"xpwwwx\" fullword ascii /* reversed goodware string 'xwwwpx' */\r\n $s15 = \"timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins\" fullword ascii\r\n $s16 = \"Password Use Count\" fullword wide\r\n $s17 = \"%programfiles%\\\\Mozilla Firefox\" fullword wide\r\n $s18 = \"AddExportHeaderLine\" 
fullword wide\r\n $s19 = \"<html><head>%s<title>%s</title></head>\" fullword wide\r\n $s20 = \"Password Field\" fullword wide\r\n\r\n $op0 = { 48 8b cf ff 15 4d 5c 01 00 ba ec ff ff ff 48 8b }\r\n $op1 = { f2 41 0f 58 fa eb 34 41 83 fb 06 7c 14 41 83 fb }\r\n $op2 = { e9 39 01 00 00 48 8b 05 85 b7 01 00 83 b8 34 0c }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330495",
"to_ids": false,
"type": "text",
"uuid": "4e10af01-92d7-4ee8-a4a8-56a19f9070a4",
"value": "Phobos_PasswordFox64"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330539",
"uuid": "bc1d9989-4e33-47bc-b2de-a55515b5352b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330539",
"to_ids": false,
"type": "text",
"uuid": "979f4a09-b696-49d7-af69-2b677888fdee",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330539",
"to_ids": true,
"type": "yara",
"uuid": "6cc8c143-41fa-4387-911c-03899fc742fc",
"value": "rule Phobos_mimikatzlib_32 {\r\n meta:\r\n description = \"mimilib_32.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"a6527183e3cbf81602de16f3448a8754f6cecd05dc3568fa2795de534b366da4\"\r\n strings:\r\n $x1 = \"0: kd> !process 0 0 lsass.exe\" fullword ascii\r\n $s2 = \"$http://blog.gentilkiwi.com/mimikatz 0\" fullword ascii\r\n $s3 = \"0: kd> .process /r /p <EPROCESS address>\" fullword ascii\r\n $s4 = \"mimilib.dll\" fullword wide\r\n $s5 = \"# Search for LSASS process\" fullword ascii\r\n $s6 = \" '## v ##' https://blog.gentilkiwi.com/mimikatz (oe.eo)\" fullword ascii\r\n $s7 = \"%p - lsasrv!LogonSessionList\" fullword ascii\r\n $s8 = \"%p - lsasrv!LogonSessionListCount\" fullword ascii\r\n $s9 = \"kiwidns.log\" fullword wide\r\n $s10 = \"kiwifilter.log\" fullword wide\r\n $s11 = \"kiwinp.log\" fullword wide\r\n $s12 = \"kiwissp.log\" fullword wide\r\n $s13 = \"kiwisub.log\" fullword wide\r\n $s14 = \"masterkey\" fullword ascii\r\n $s15 = \" * Password : \" fullword ascii\r\n $s16 = \"%p - lsasrv!h3DesKey\" fullword ascii\r\n $s17 = \"Unknown version in Kerberos credentials structure\" fullword ascii\r\n $s18 = \"lsasrv!g_fSystemCredsInitialized\" fullword ascii\r\n $s19 = \"dpapisrv!g_fSystemCredsInitialized\" fullword ascii\r\n $s20 = \"%p - lsasrv!hAesKey\" fullword ascii\r\n\r\n $op0 = { 6a 34 5b ff 75 e4 6a 40 8b 3d 54 50 00 10 ff d7 }\r\n $op1 = { 8b be 44 54 00 10 0f af 7c 24 34 57 6a 40 ff d3 }\r\n $op2 = { 8b 59 04 8b 3d 34 50 00 10 89 45 0c 50 be 38 88 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 100KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330539",
"to_ids": false,
"type": "text",
"uuid": "f43e2e1e-9b15-4f9e-8ade-54454d65fbd2",
"value": "Phobos_mimikatzlib_32"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330577",
"uuid": "6e02b0a9-3b58-492e-90eb-02cad7e9ca85",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330577",
"to_ids": false,
"type": "text",
"uuid": "785c4ab1-0f53-4c07-b6cd-458012a5bd55",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330577",
"to_ids": true,
"type": "yara",
"uuid": "24ef87ef-84e0-4080-97d2-33cbcca8a8a4",
"value": "rule Phobos_mimilove_32 {\r\n meta:\r\n description = \"mimilove_32.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"b42725211240828ccc505d193d8ea5915e395c9f43e71496ff0ece4f72e3e4ab\"\r\n strings:\r\n $s1 = \"$http://blog.gentilkiwi.com/mimikatz 0\" fullword ascii\r\n $s2 = \"mimilove.exe\" fullword wide\r\n $s3 = \" '## v ##' https://blog.gentilkiwi.com/mimikatz (oe.eo)\" fullword wide\r\n $s4 = \"ERROR wmain ; OpenProcess (0x%08x)\" fullword wide\r\n $s5 = \"ERROR mimilove_lsasrv ; kull_m_memory_copy / KIWI_MSV1_0_LOGON_SESSION_TABLE_50 (0x%08x)\" fullword wide\r\n $s6 = \"ERROR mimilove_lsasrv ; LogonSessionTable is NULL\" fullword wide\r\n $s7 = \"ERROR mimilove_kerberos ; kull_m_memory_copy / KERB_HASHPASSWORD_5 (0x%08x)\" fullword wide\r\n $s8 = \"ERROR mimilove_kerberos ; kull_m_memory_copy / KIWI_KERBEROS_LOGON_SESSION_50 (0x%08x)\" fullword wide\r\n $s9 = \"ERROR mimilove_kerberos ; KerbLogonSessionList is NULL\" fullword wide\r\n $s10 = \"ERROR mimilove_kerberos ; kull_m_memory_copy / KIWI_KERBEROS_KEYS_LIST_5 (0x%08x)\" fullword wide\r\n $s11 = \"Copyright (c) 2007 - 2020 gentilkiwi (Benjamin DELPY)\" fullword wide\r\n $s12 = \"ERROR kull_m_kernel_ioctl_handle ; DeviceIoControl (0x%08x) : 0x%08x\" fullword wide\r\n $s13 = \"UndefinedLogonType\" fullword wide\r\n $s14 = \"ERROR wmain ; GetVersionEx (0x%08x)\" fullword wide\r\n $s15 = \"ERROR mimilove_lsasrv ; kull_m_memory_copy / KIWI_MSV1_0_PRIMARY_CREDENTIALS (0x%08x)\" fullword wide\r\n $s16 = \"ERROR mimilove_lsasrv ; kull_m_memory_copy / KIWI_MSV1_0_CREDENTIALS (0x%08x)\" fullword wide\r\n $s17 = \"KERBEROS Credentials (no tickets, sorry)\" fullword wide\r\n $s18 = \"benjamin@gentilkiwi.com0\" fullword ascii\r\n $s19 = \" * Username : %wZ\" fullword wide\r\n $s20 = \"http://subca.ocsp-certum.com01\" fullword ascii\r\n\r\n $op0 = { 89 45 cc 6a 34 8d 45 cc 50 8d 45 c4 8d 4d 80 50 }\r\n $op1 = { 89 45 b8 c7 45 bc f7 ff ff ff 
89 5d d4 89 5d f4 }\r\n $op2 = { 89 45 d4 c7 45 d8 f8 ff ff ff 89 7d f0 89 7d f4 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 100KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330578",
"to_ids": false,
"type": "text",
"uuid": "317012d9-a3ec-4600-9f25-8eeec1f0704e",
"value": "Phobos_mimilove_32"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330618",
"uuid": "0eea6683-fb8a-4c9c-8d22-091569725955",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330618",
"to_ids": false,
"type": "text",
"uuid": "73ef8fd2-1e04-46e7-81a2-f054451ea06d",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330618",
"to_ids": true,
"type": "yara",
"uuid": "381937fa-30e6-4437-8649-bb8faf7fda8a",
"value": "rule Phobos_mimik_32 {\r\n meta:\r\n description = \"mimik_32.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a\"\r\n strings:\r\n $x1 = \"ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)\" fullword wide\r\n $x2 = \"ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx user (%s)\" fullword wide\r\n $x3 = \"ERROR kuhl_m_lsadump_update_dc_password ; A /target argument is needed\" fullword wide\r\n $x4 = \"ERROR kuhl_m_lsadump_getComputerAndSyskey ; kull_m_registry_RegOpenKeyEx LSA KO\" fullword wide\r\n $x5 = \"ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO\" fullword wide\r\n $x6 = \"ERROR kuhl_m_lsadump_lsa ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)\" fullword wide\r\n $x7 = \"ERROR kuhl_m_lsadump_lsa_getHandle ; OpenProcess (0x%08x)\" fullword wide\r\n $x8 = \"ERROR kuhl_m_lsadump_trust ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)\" fullword wide\r\n $x9 = \"ERROR kuhl_m_lsadump_dcsync ; kull_m_rpc_drsr_ProcessGetNCChangesReply\" fullword wide\r\n $x10 = \"ERROR kuhl_m_dpapi_chrome ; Input 'Login Data' file needed (/in:\\\"%%localappdata%%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Da\" wide\r\n $x11 = \"ERROR kuhl_m_kernel_processProtect ; Argument /process:program.exe or /pid:processid needed\" fullword wide\r\n $x12 = \"ERROR kuhl_m_lsadump_netsync ; I_NetServerTrustPasswordsGet (0x%08x)\" fullword wide\r\n $x13 = \"ERROR kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt ; Checksums don't match (C:0x%08x - R:0x%08x)\" fullword wide\r\n $x14 = \"ERROR kuhl_m_lsadump_sam ; kull_m_registry_RegOpenKeyEx (SAM) (0x%08x)\" fullword wide\r\n $x15 = \"ERROR kuhl_m_lsadump_getHash ; Unknow SAM_HASH revision (%hu)\" fullword wide\r\n $x16 = \"ERROR kuhl_m_lsadump_changentlm ; Argument /oldpassword: or 
/oldntlm: is needed\" fullword wide\r\n $x17 = \"ERROR kuhl_m_lsadump_enumdomains_users ; /user or /rid is needed\" fullword wide\r\n $x18 = \"ERROR kuhl_m_lsadump_zerologon ; Missing /account argument, usually a DC$ account\" fullword wide\r\n $x19 = \"ERROR kuhl_m_lsadump_update_dc_password ; A /account argument is needed\" fullword wide\r\n $x20 = \"livessp.dll\" fullword wide /* reversed goodware string 'lld.pssevil' */\r\n\r\n $op0 = { 8b 55 0c 6a 01 8d 85 00 ff ff ff 50 ff 75 08 8d }\r\n $op1 = { 8b 45 08 8b f0 83 c0 34 6a 0d 59 8b fb f3 a5 8b }\r\n $op2 = { 89 74 24 0c 39 73 34 76 66 89 74 24 10 6a 20 6a }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 3000KB and\r\n ( 1 of ($x*) and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330618",
"to_ids": false,
"type": "text",
"uuid": "6402795f-f99e-4668-b958-74bfe7a4b27e",
"value": "Phobos_mimik_32"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330649",
"uuid": "814924f5-788e-4fdb-9ecb-8b98084822b4",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330649",
"to_ids": false,
"type": "text",
"uuid": "1c8b1072-9ec2-4b93-a121-729f45457dba",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330649",
"to_ids": true,
"type": "yara",
"uuid": "6a484892-2c0d-44a5-b684-12dccfc10737",
"value": "rule Phobos_pspv {\r\n meta:\r\n description = \"pspv.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"64788b6f74875aed53ca80669b06f407e132d7be49586925dbb3dcde56cbca9c\"\r\n strings:\r\n $s1 = \"SMTP Password\" fullword ascii\r\n $s2 = \"pspv.exe\" fullword wide\r\n $s3 = \"xwwwwwpwwww\" fullword ascii /* reversed goodware string 'wwwwpwwwwwx' */\r\n $s4 = \"SMTP User\" fullword ascii\r\n $s5 = \"inetcomm server passwords\" fullword ascii\r\n $s6 = \"POP3 Password\" fullword ascii\r\n $s7 = \"<tr><td nowrap>&nbsp;<a href=\\\"%s\\\" target=\\\"new1\\\">%s</a> <td nowrap>&nbsp;%s<td nowrap>&nbsp;%s <td nowrap>&nbsp;%s\" fullword ascii\r\n $s8 = \"IMAP Password\" fullword ascii\r\n $s9 = \"ms ie ftp Passwords\" fullword ascii\r\n $s10 = \"HTTP User\" fullword ascii\r\n $s11 = \"HTTP Password\" fullword ascii\r\n $s12 = \"&AutoComplete Passwords\" fullword wide\r\n $s13 = \"AutoComplete Passwords\" fullword wide\r\n $s14 = \"Protected Storage Raw Data2Select a filename for exporting the passwords list2Select a filename for importing the passwords list\" wide\r\n $s15 = \"4Select a text filename for saving the passwords listBSelect a filename for saving the raw data of the Protected Storage Protect\" wide\r\n $s16 = \"wininetcachecredentials\" fullword ascii\r\n $s17 = \"IMAP User\" fullword ascii\r\n $s18 = \"Outlook Account Manager Passwords\" fullword ascii\r\n $s19 = \"<html><head><title>%s</title>%s</head>\" fullword ascii\r\n $s20 = \"ShowPasswordProtected\" fullword ascii\r\n\r\n $op0 = { ff 75 10 e8 7d ff ff ff 85 c0 59 0f 85 83 }\r\n $op1 = { 8d 85 f8 fe ff ff 50 e8 75 ff ff ff 59 59 5f c9 }\r\n $op2 = { ff 15 70 80 40 00 83 bd 6c ff ff ff 01 75 07 68 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330649",
"to_ids": false,
"type": "text",
"uuid": "2f472e76-0dca-42b1-80c3-710475242d9e",
"value": "Phobos_pspv"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330683",
"uuid": "100552f6-82ce-45ae-a442-639d0133d261",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330683",
"to_ids": false,
"type": "text",
"uuid": "de236a25-3d5a-4fb6-a9a6-db7b90d679dd",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330683",
"to_ids": true,
"type": "yara",
"uuid": "e752fe13-a36e-4997-95ff-3349f67b5a45",
"value": "rule Phobos_mailpv {\r\n meta:\r\n description = \"mailpv.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"16c6af4ae2d8ca8e7a3f2051b913fa1cb7e1fbd0110b0736614a1e02bbbbceaf\"\r\n strings:\r\n $s1 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s2 = \"www.google.com/Please log in to your Gmail account\" fullword wide\r\n $s3 = \"www.google.com:443/Please log in to your Gmail account\" fullword wide\r\n $s4 = \"www.google.com/Please log in to your Google Account\" fullword wide\r\n $s5 = \"www.google.com:443/Please log in to your Google Account\" fullword wide\r\n $s6 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword ascii\r\n $s7 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s8 = \"\\\"Account\\\",\\\"Login Name\\\",\\\"Password\\\",\\\"Web Site\\\",\\\"Comments\\\"\" fullword ascii\r\n $s9 = \"%s@yahoo.com\" fullword ascii\r\n $s10 = \"logins.json\" fullword ascii\r\n $s11 = \"%s@gmail.com\" fullword ascii\r\n $s12 = \"smtpserver\" fullword ascii\r\n $s13 = \"SMTPAccount\" fullword ascii\r\n $s14 = \"ESMTPPassword\" fullword ascii\r\n $s15 = \"SMTP User\" fullword ascii\r\n $s16 = \"PopPassword\" fullword ascii\r\n $s17 = \"SMTP USer Name\" fullword ascii\r\n $s18 = \"Passport.Net\\\\*\" fullword ascii\r\n $s19 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword ascii\r\n $s20 = \"Failed to load the executable file !\" fullword ascii\r\n\r\n $op0 = { 89 46 2c 89 46 34 89 46 14 e8 33 fd ff ff 8b 46 }\r\n $op1 = { e9 4a ff ff ff 83 7e 24 05 75 23 80 fb 20 76 0f }\r\n $op2 = { e9 00 ff ff ff e8 79 fb ff ff c7 46 24 05 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 1000KB and\r\n ( 8 of them 
and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330683",
"to_ids": false,
"type": "text",
"uuid": "2baca4a3-0855-4129-bdd5-171c9e37a528",
"value": "Phobos_mailpv"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330721",
"uuid": "9c208c78-88f0-47fa-8578-e332d27c49f5",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330721",
"to_ids": false,
"type": "text",
"uuid": "37cf5aa1-0c6b-432f-ba4e-65d8b79e3363",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330721",
"to_ids": true,
"type": "yara",
"uuid": "c60b667b-50aa-49f5-bfa5-1ffbcc051df2",
"value": "rule Phobos_WirelessKeyView {\r\n meta:\r\n description = \"WirelessKeyView.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"12f13d129579c68ec3cc05bef69880b6a891296fa9fce69b979b1c04998f125c\"\r\n strings:\r\n $x1 = \"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X86\\\" publicKeyToken=\\\"6595b64144\" ascii\r\n $x2 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><dependency><dependentAssembly><assemblyIdentity ty\" ascii\r\n $x3 = \"Windows Protect folder for getting the encryption keys, For example: G:\\\\windows\\\\system32\\\\Microsoft\\\\Protect\" fullword wide\r\n $s4 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword ascii\r\n $s5 = \"Windows Registry hives folder, for example: k:\\\\windows\\\\system32\\\\config\" fullword wide\r\n $s6 = \"SYSTEM\\\\%s\\\\Control\\\\Network\\\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\\\%s\\\\Connection\" fullword ascii\r\n $s7 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword ascii\r\n $s8 = \"system32\\\\config\\\\Software\" fullword ascii\r\n $s9 = \"system32\\\\config\" fullword ascii\r\n $s10 = \"Load the wireless keys of the current logged-on user\" fullword wide\r\n $s11 = \"/Running WirelessKeyView as SYSTEM user (Faster)%Directly decrypting the wireless keys\" fullword wide\r\n $s12 = \"SYSTEM\\\\%s\\\\Enum\\\\%s\" fullword ascii\r\n $s13 = \"AddExportHeaderLine\" fullword ascii\r\n $s14 = \"<html><head>%s<title>%s</title></head>\" fullword ascii\r\n $s15 = \"/GetKeys\" fullword ascii\r\n $s16 = \"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\" fullword ascii\r\n $s17 = \"report.html\" fullword ascii\r\n $s18 = \" Type Descriptor'\" fullword ascii\r\n $s19 = \"Load wireless keys from remote system (Windows Vista or later, requires full admin rights)\" fullword 
wide\r\n $s20 = \"Windows Directory: (For example: K:\\\\Windows )\" fullword wide\r\n\r\n $op0 = { 56 8d 85 01 ff ff ff 53 50 88 9d 00 ff ff ff e8 }\r\n $op1 = { 57 8d 85 70 ff ff ff 50 53 8d 45 f0 50 6a 01 be }\r\n $op2 = { 8b c6 50 e8 41 ff ff ff 83 c4 10 5e c9 c3 55 8b }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 500KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330721",
"to_ids": false,
"type": "text",
"uuid": "426ad786-c968-492f-ba1a-f0d60a6c76c6",
"value": "Phobos_WirelessKeyView"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330784",
"uuid": "7042f4e9-d8fb-4cbe-b167-a9cb4ef2d43c",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330785",
"to_ids": false,
"type": "text",
"uuid": "4203d0b6-7e3a-4de9-ae55-a48beac95b74",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330785",
"to_ids": true,
"type": "yara",
"uuid": "5480b7c2-b78f-41e3-b8bb-0abc407b3037",
"value": "rule Phobos_ChromePass {\r\n meta:\r\n description = \"ChromePass.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"c4304f7bb6ef66c0676c6b94d25d3f15404883baa773e94f325d8126908e1677\"\r\n strings:\r\n $x1 = \"Windows Protect folder for getting the encryption keys, For example: F:\\\\Users\\\\Nir\\\\AppData\\\\Roaming\\\\Microsoft\\\\Protect\" fullword wide\r\n $s2 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s3 = \"Chrome User Data folder where the password file is stored , for example: G:\\\\Users\\\\Nir\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Da\" wide\r\n $s4 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword wide\r\n $s5 = \"<entries ext=\\\"Password Exporter\\\" extxmlversion=\\\"1.1\\\" type=\\\"saved\\\" encrypt=\\\"false\\\">\" fullword ascii\r\n $s6 = \"<entry host=\\\"%s\\\" user=\\\"%s\\\" password=\\\"%s\\\" formSubmitURL=\\\"%s\\\" httpRealm=\\\"%s\\\" userFieldName=\\\"%s\\\" passFieldName=\\\"%s\\\"/>\" wide\r\n $s7 = \"c:\\\\Projects\\\\VS2005\\\\ChromePass\\\\Release\\\\ChromePass.pdb\" fullword ascii\r\n $s8 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s9 = \"Windows User Profile Path, For example: K:\\\\Users\\\\Admin \" fullword wide\r\n $s10 = \"@netmsg.dll\" fullword wide\r\n $s11 = \"Opera Software\\\\Opera Stable\\\\Login Data\" fullword wide\r\n $s12 = \"@crypt32.dll\" fullword wide\r\n $s13 = \"\\\"Account\\\",\\\"Login Name\\\",\\\"Password\\\",\\\"Web Site\\\",\\\"Comments\\\"\" fullword ascii\r\n $s14 = \"om logins \" fullword ascii\r\n $s15 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword wide\r\n $s16 = \"Windows Login Password:\" fullword wide\r\n $s17 = 
\"SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created fr\" ascii\r\n $s18 = \"Yandex\\\\YandexBrowser\\\\User Data\\\\Default\\\\Login Data\" fullword wide\r\n $s19 = \"Vivaldi\\\\User Data\\\\Default\\\\Login Data\" fullword wide\r\n $s20 = \"KeePass csv file,Password Exporter Firefox Extension XML File\" fullword wide\r\n\r\n $op0 = { 55 8b ec 51 56 33 f6 66 89 33 8a 07 eb 29 34 42 }\r\n $op1 = { c7 46 54 ff ff ff 00 e8 ae fd ff ff 5f 5e 5b c9 }\r\n $op2 = { 56 8d 85 01 ff ff ff 53 50 88 9d 00 ff ff ff e8 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 700KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330785",
"to_ids": false,
"type": "text",
"uuid": "017a03d4-f5eb-47a0-a5b2-a6ff01bef00c",
"value": "Phobos_ChromePass"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708330866",
"uuid": "973d83b5-94db-48cc-a568-c4bb3045d9d6",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708330866",
"to_ids": false,
"type": "text",
"uuid": "7946a188-7f3b-4804-9bb4-712fdbcd5d87",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708330866",
"to_ids": true,
"type": "yara",
"uuid": "73f54551-b1e0-4f8f-a671-a55a8bbce197",
"value": "rule Phobos_SniffPass {\r\n meta:\r\n description = \"SniffPass.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"1e13fd79ad54fe98e08d9ffca2c287a470c50c2876608edce2fe38e07c245266\"\r\n strings:\r\n $x1 = \"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X86\\\" publicKeyToken=\\\"6595b64144\" ascii\r\n $x2 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><dependency><dependentAssembly><assemblyIdentity ty\" ascii\r\n $s3 = \"c:\\\\Projects\\\\VS2005\\\\SniffPass\\\\Release\\\\SniffPass.pdb\" fullword ascii\r\n $s4 = \"npptools.dll\" fullword ascii\r\n $s5 = \"NmApi.dll\" fullword ascii\r\n $s6 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword ascii\r\n $s7 = \"nmwifi.exe\" fullword ascii\r\n $s8 = \"Pwpcap.dll\" fullword ascii\r\n $s9 = \"Sniffed PasswordsCFailed to start capturing packets from the current network adapter.9Do you want to stop the capture and exit f\" wide\r\n $s10 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword ascii\r\n $s11 = \"login \" fullword ascii\r\n $s12 = \"AddExportHeaderLine\" fullword ascii\r\n $s13 = \"NirSoft SniffPass\" fullword ascii\r\n $s14 = \"NmGetFrame\" fullword ascii\r\n $s15 = \"NmGetRawFrame\" fullword ascii\r\n $s16 = \"NmGetFrameCount\" fullword ascii\r\n $s17 = \"NmGetRawFrameLength\" fullword ascii\r\n $s18 = \"Software\\\\NirSoft\\\\SniffPass\" fullword ascii\r\n $s19 = \"BeepOnNewPassword\" fullword ascii\r\n $s20 = \"<html><head>%s<title>%s</title></head>\" fullword ascii\r\n\r\n $op0 = { 56 8d 85 01 ff ff ff 53 50 88 9d 00 ff ff ff e8 }\r\n $op1 = { c7 45 f8 fe ff ff ff 29 5d f8 8d 53 02 8a 42 ff }\r\n $op2 = { ff 15 9c c0 40 00 8b c6 5e c3 e8 d7 ff ff ff 33 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 1 of ($x*) and 4 of them and 
all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708330866",
"to_ids": false,
"type": "text",
"uuid": "55396491-4904-4246-b1ed-82986c5216b8",
"value": "Phobos_SniffPass"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708331175",
"uuid": "360d1d16-070d-465a-b76f-6e5a1e5b7857",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708331175",
"to_ids": false,
"type": "text",
"uuid": "cd5913bb-52a5-4086-9b79-e9867081477a",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708331175",
"to_ids": true,
"type": "yara",
"uuid": "a8fe47c3-1325-4df6-ba51-e1b40d86acf7",
"value": "rule Phobos_WebBrowserPassView {\r\n meta:\r\n description = \"WebBrowserPassView.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"b556d90b30f217d5ef20ebe3f15cce6382c4199e900b5ad2262a751909da1b34\"\r\n strings:\r\n $x1 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\" xmlns:asmv3=\\\"urn:schemas-microsoft-com:asm.v3\\\"><d\" ascii\r\n $x2 = \"https://www.google.com/accounts/servicelogin\" fullword wide\r\n $s3 = \"https://login.yahoo.com/config/login\" fullword wide\r\n $s4 = \"ncy><dependentAssembly><assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processor\" ascii\r\n $s5 = \"Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of \" wide\r\n $s6 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword wide\r\n $s7 = \"com.apple.WebKit2WebProcess\" fullword ascii\r\n $s8 = \"Opera Login file:\" fullword wide\r\n $s9 = \"http://www.facebook.com/\" fullword wide\r\n $s10 = \"Opera Password File\" fullword wide\r\n $s11 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword wide\r\n $s12 = \"Ghistory.dat\" fullword wide\r\n $s13 = \"<html><head>%s<title>%s</title></head>\" fullword wide\r\n $s14 = \"ASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWU\" ascii\r\n $s15 = \" <asmv3:windowsSettings xmlns=\\\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\\\">\" fullword ascii\r\n $s16 = \"Mozilla\\\\SeaMonkey\\\\Profiles\" fullword wide\r\n $s17 = \"Mozilla\\\\SeaMonkey\" fullword wide\r\n $s19 = \"%d Passwords\" fullword wide\r\n $s20 = \"Internet Explorer 4.0 - 6.0\" fullword wide\r\n\r\n $op0 = { 8d 4c 24 20 51 8d 54 24 1c 52 50 8b 44 24 34 50 }\r\n $op1 = { 89 74 24 34 
89 74 24 40 89 74 24 38 89 74 24 44 }\r\n $op2 = { 89 4c 24 3c 89 7c 24 30 89 4c 24 34 ff d5 85 c0 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 2000KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708331175",
"to_ids": false,
"type": "text",
"uuid": "c092c402-451e-427a-8892-860e8776032b",
"value": "Phobos_WebBrowserPassView"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708331511",
"uuid": "5efeccb1-e047-40b6-9604-ce42eec27f6a",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708331511",
"to_ids": false,
"type": "text",
"uuid": "bf49aa97-fdea-4d18-9aee-e10672540d6e",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708331511",
"to_ids": true,
"type": "yara",
"uuid": "442a2df8-b280-40ac-9648-821fb9912cdf",
"value": "rule Phobos_Dialupass {\r\n meta:\r\n description = \"Dialupass.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"598555a7e053c7456ee8a06a892309386e69d473c73284de9bbc0ba73b17e70a\"\r\n strings:\r\n $x1 = \"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X86\\\" publicKeyToken=\\\"6595b64144\" ascii\r\n $x2 = \"Profiles base folder or phonebook folder: (For example: f:\\\\Documents and Settings, f:\\\\users , K:\\\\users\\\\admin\\\\AppData\\\\Roa\" wide\r\n $x3 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><dependency><dependentAssembly><assemblyIdentity ty\" ascii\r\n $s4 = \"ycomctl32.dll\" fullword wide\r\n $s5 = \"Dialupass.exe /setpass \\\"%s\\\" \\\"%s\\\" \\\"%s\\\" \\\"%s\\\" \\\"%s\\\"\" fullword wide\r\n $s6 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword wide\r\n $s7 = \"Copy /setpass Command-Line\" fullword wide\r\n $s8 = \"Windows Directory or Registry hives folder (SYSTEM and SECURITY hives are needed), For example: E:\\\\Windows or E:\\\\Windows\\\\Sys\" wide\r\n $s9 = \"@advapi32.dll\" fullword wide\r\n $s10 = \"@netmsg.dll\" fullword wide\r\n $s11 = \"\\\"Account\\\",\\\"Login Name\\\",\\\"Password\\\",\\\"Web Site\\\",\\\"Comments\\\"\" fullword ascii\r\n $s12 = \"AppData\\\\Roaming\\\\Microsoft\\\\Network\\\\Connections\\\\Pbk\" fullword wide\r\n $s13 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword wide\r\n $s14 = \"system32\\\\ras\\\\rasphone.pbk\" fullword wide\r\n $s15 = \" Failed to load the executable file ! 
\" fullword wide\r\n $s16 = \"Extract the dialup passwords list from your local system\" fullword wide\r\n $s17 = \"ShowItemsNoPassword\" fullword wide\r\n $s18 = \"AddExportHeaderLine\" fullword wide\r\n $s19 = \"L$_RasConnectionCredentials#0\" fullword wide\r\n $s20 = \"<html><head>%s<title>%s</title></head>\" fullword wide\r\n\r\n $op0 = { 55 8b ec 51 56 33 f6 66 89 33 8a 07 eb 29 34 42 }\r\n $op1 = { eb 34 8d 85 8c f1 ff ff 50 e8 79 f8 ff ff 89 45 }\r\n $op2 = { 53 56 8d 5f 34 8b 45 fc 8d 4f 24 e8 c7 ea ff ff }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708331511",
"to_ids": false,
"type": "text",
"uuid": "b8db195a-8ff8-4aca-9af0-d161025e106b",
"value": "Phobos_Dialupass"
}
]
},
{
"comment": "A complex set of YARA rules has been published on the DNSC website",
"deleted": false,
"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
"meta-category": "misc",
"name": "script",
"template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",
"template_version": "7",
"timestamp": "1708334626",
"uuid": "9432c344-e8e5-4fab-8531-5ddc7ee998ba",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "script-as-attachment",
"timestamp": "1708334626",
"to_ids": false,
"type": "attachment",
"uuid": "a67cf480-0cba-4daf-9a81-29ca934a9495",
"value": "yara-scan-dnsc-v101.zip"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "comment",
"timestamp": "1708334626",
"to_ids": false,
"type": "text",
"uuid": "9dc2121e-99af-4b32-bf46-e074c947f187",
"value": "https://www.dnsc.ro/vezi/document/yara-scan-dnsc-v101"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1708334626",
"to_ids": false,
"type": "text",
"uuid": "26cee097-b64c-479a-a483-9651b7ffc397",
"value": "Trusted"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708335978",
"uuid": "16f545f9-5023-4dfe-9a0d-41d9d2a78ff3",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708335978",
"to_ids": false,
"type": "text",
"uuid": "940a1a31-ee50-4d28-9e01-bf8acff739d3",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708335978",
"to_ids": true,
"type": "yara",
"uuid": "d3c77626-f778-4a8c-8789-7f6880fdbc31",
"value": "rule Phobos_BulletsPassView {\r\n meta:\r\n description = \"BulletsPassView.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"b19dfe440e515c39928b475a946656a12b1051e98e0df36c016586b34a766d5c\"\r\n strings:\r\n $s1 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s2 = \"BulletsPassView.exe\" fullword wide\r\n $s3 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword wide\r\n $s4 = \"c:\\\\Projects\\\\VS2005\\\\BulletsPassView\\\\Release\\\\BulletsPassView.pdb\" fullword ascii\r\n $s5 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s6 = \"@netmsg.dll\" fullword wide\r\n $s7 = \"Process Description\" fullword wide\r\n $s8 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword wide\r\n $s9 = \"Process Path\" fullword wide\r\n $s10 = \"ScanIEPasswords\" fullword wide\r\n $s11 = \"ScanWindowsPasswords\" fullword wide\r\n $s12 = \"Scan Internet Explorer Passwords\" fullword wide\r\n $s13 = \"Scan Standard Password Text-Boxes\" fullword wide\r\n $s14 = \"AddExportHeaderLine\" fullword wide\r\n $s15 = \"<html><head>%s<title>%s</title></head>\" fullword wide\r\n $s16 = \"UnmaskPasswordBox\" fullword wide\r\n $s17 = \"BeepOnNewPassword\" fullword wide\r\n $s18 = \"&Clear Passwords List\" fullword wide\r\n $s19 = \"Copy Selected &Password\" fullword wide\r\n $s20 = \"&Unmask Password Text Box\" fullword wide\r\n\r\n $op0 = { 55 8b ec 51 56 33 f6 66 89 33 8a 07 eb 29 34 42 }\r\n $op1 = { 56 8d 85 01 ff ff ff 53 50 88 9d 00 ff ff ff e8 }\r\n $op2 = { 43 3b 5c 24 14 0f 82 47 ff ff ff e9 c8 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708335978",
"to_ids": false,
"type": "text",
"uuid": "323cc091-d5d1-4748-b334-9d6f81a2ae7a",
"value": "Phobos_BulletsPassView"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336004",
"uuid": "c3cfd925-ee2f-4d38-be22-855a027e7b82",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336004",
"to_ids": false,
"type": "text",
"uuid": "6b182f89-709b-43f8-81ad-22a0c3a24d91",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336004",
"to_ids": true,
"type": "yara",
"uuid": "611c4ea4-b0c1-4a38-a8b3-8307eea37954",
"value": "rule Phobos_rdpv {\r\n meta:\r\n description = \"rdpv.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"205818e10c13d2e51b4c0196ca30111276ca1107fc8e25a0992fe67879eab964\"\r\n strings:\r\n $s1 = \"rdpv.exe\" fullword wide\r\n $s2 = \"Password Recovery for Remote Desktop\" fullword wide\r\n $s3 = \"<description>NirSoft</description> \" fullword ascii\r\n $s4 = \"Remote Desktop PassView\" fullword wide\r\n $s5 = \" 2006 - 2014 Nir Sofer\" fullword wide\r\n $s6 = \"-~W:\\\\P\" fullword ascii\r\n $s7 = \"Desktop PassVieww\" fullword ascii\r\n $s8 = \"hars5=%s'>?=bl\" fullword ascii\r\n $s9 = \"<meta http-e\" fullword ascii\r\n $s10 = \"zcr*t3$dll\" fullword ascii\r\n $s11 = \"name=\\\"NirSoft\\\" \" fullword ascii\r\n $s12 = \"quiv='con5\" fullword ascii\r\n $s13 = \"lobalAl\" fullword ascii\r\n $s14 = \"v%HmsgivX\" fullword ascii\r\n $s15 = \".QhF(z\" fullword ascii\r\n $s16 = \"mZCo)lsEx\" fullword ascii\r\n $s17 = \"RSDSK&^\" fullword ascii\r\n $s18 = \"STATIC;0T\" fullword ascii\r\n $s19 = \"Lemote \" fullword ascii\r\n $s20 = \"CTYPE HTMLWUBLB \\\"-v\" fullword ascii\r\n\r\n $op0 = { ff ff ff ff 55 8b ec 51 53 33 db 88 1f 8a 06 eb }\r\n $op1 = { ff 60 be 00 b0 40 00 8d be 00 60 ff ff 57 83 cd }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 90KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336004",
"to_ids": false,
"type": "text",
"uuid": "29cbdfca-2042-4224-9a9a-dce22602b08a",
"value": "Phobos_rdpv"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336040",
"uuid": "99977901-24dd-4c78-8943-7c42685f4d40",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336043",
"to_ids": false,
"type": "text",
"uuid": "5d828ce7-2bdb-4876-8934-90e047120df3",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336043",
"to_ids": true,
"type": "yara",
"uuid": "098ca740-8637-4feb-833d-d98a7adf65c6",
"value": "rule Phobos_netpass {\r\n meta:\r\n description = \"netpass.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"de374c1b9a05c2203e66917202c42d11eac4368f635ccaaadf02346035e82562\"\r\n strings:\r\n $x1 = \"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X86\\\" publicKeyToken=\\\"6595b64144\" ascii\r\n $x2 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><dependency><dependentAssembly><assemblyIdentity ty\" ascii\r\n $s3 = \" Network Password Recovery\" fullword wide\r\n $s4 = \" Network Password Recovery\" fullword wide\r\n $s5 = \"vapi3ydll\" fullword ascii\r\n $s6 = \" 2005 - 2016 Nir Sofer\" fullword wide\r\n $s7 = \"requestedPrivileges>\" fullword ascii\r\n $s8 = \"support@nirsoft.net0\" fullword ascii\r\n $s9 = \"5 Hashoshanim st.1\" fullword ascii\r\n $s10 = \"K6Network Pass\" fullword ascii\r\n $s11 = \"a http-equiv='\" fullword ascii\r\n $s12 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><dependency><dependentAssembly><assemblyIdentity ty\" ascii\r\n $s13 = \"SpofResou0\" fullword ascii\r\n $s14 = \"Gush Dan1\" fullword ascii\r\n $s15 = \"Ramat Gan1\" fullword ascii\r\n $s16 = \"yzRRzRK\" fullword ascii\r\n $s17 = \"=%s'>?=ble dir=\\\"\" fullword ascii\r\n $s18 = \"!DOCTYPE HTML\" fullword ascii\r\n $s19 = \"HlobalUn\" fullword ascii\r\n $s20 = \"ewPEfw;\" fullword ascii\r\n\r\n $op0 = { ff ff ff ff 55 8b ec 51 53 33 db 88 1f 8a 06 eb }\r\n $op1 = { db dc cd 5c 8a 00 1b 85 1e 49 35 10 78 fb 3f ec }\r\n $op2 = { 60 be 00 00 41 00 8d be 00 10 ff ff 57 83 cd ff }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336043",
"to_ids": false,
"type": "text",
"uuid": "b6ba8847-1e69-4fe9-ba0f-a80b6848b673",
"value": "Phobos_netpass"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336072",
"uuid": "fbb60c57-2478-4c8f-a091-2ae50d051892",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336072",
"to_ids": false,
"type": "text",
"uuid": "c4f9d8a0-cc61-4c2a-a7e8-77b8cecbcd2c",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336072",
"to_ids": true,
"type": "yara",
"uuid": "6ddd82b9-f2b0-43ae-a83c-37b09ec62ee8",
"value": "rule Phobos_RouterPassView {\r\n meta:\r\n description = \"RouterPassView.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"ae474417854ac1b6190e15cc514728433a26cc815fdc6d12150ef55e92d643ea\"\r\n strings:\r\n $s1 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s2 = \"RouterPassView.exe\" fullword wide\r\n $s3 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s4 = \"$)7622/%$#\" fullword ascii /* hex encoded string 'v\"' */\r\n $s5 = \"d[5DlLIE@???2!6:Bqib\" fullword ascii\r\n $s6 = \" 2010 - 2019 Nir Sofer\" fullword wide\r\n $s7 = \".pdb/p@\" fullword ascii\r\n $s8 = \"ohttp_Gd\" fullword ascii\r\n $s9 = \"P-CONFIGWLB[bZX\" fullword ascii\r\n $s10 = \"RouterPassView\" fullword wide\r\n $s11 = \"icKeyToken=\\\"6595b64144ccf1df\\\" language=\\\"*\\\"></assemblyIdentity>\" fullword ascii\r\n $s12 = \"Decrypts Router files.\" fullword wide\r\n $s13 = \"WuruxK5\" fullword ascii\r\n $s14 = \"jjgeba\" fullword ascii\r\n $s15 = \"\u001fGetAdapters\" fullword ascii\r\n $s16 = \"password\" fullword ascii /* Goodware String - occured 519 times */\r\n $s17 = \"IK@0STzKpB%\" fullword ascii\r\n $s18 = \"-Iartup|\" fullword ascii\r\n $s19 = \"!/FpvvtpnkTk^`fh\" fullword ascii\r\n $s20 = \"eYdhLPX&\" fullword ascii\r\n\r\n $op0 = { 5f fe ff ff 55 8b ec 51 56 33 f6 66 89 33 8a 07 }\r\n $op1 = { 60 be 00 c0 41 00 8d be 00 50 fe ff 57 83 cd ff }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336072",
"to_ids": false,
"type": "text",
"uuid": "f5b34e94-640c-43c3-bfa4-722ab2d1b962",
"value": "Phobos_RouterPassView"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336102",
"uuid": "0bb58107-02a7-445d-a201-f6fe4b9f8ee9",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336102",
"to_ids": false,
"type": "text",
"uuid": "4461a9d0-d48c-4950-ba18-f8737cd82f50",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336102",
"to_ids": true,
"type": "yara",
"uuid": "9c510412-0467-4fdd-a4f6-f3bd973c49ad",
"value": "rule Phobos_PstPassword {\r\n meta:\r\n description = \"PstPassword.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6\"\r\n strings:\r\n $s1 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s2 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s3 = \"PstPasswordf\" fullword ascii\r\n $s4 = \"PST Password Recovery\" fullword wide\r\n $s5 = \"PstPassword\" fullword wide\r\n $s6 = \" PstPassword\" fullword wide\r\n $s7 = \" 2006 - 2017 Nir Sofer\" fullword wide\r\n $s8 = \"ReadMemoq\" fullword ascii\r\n $s9 = \"fTs[G:\\\"\" fullword ascii\r\n $s10 = \"icKeyToken=\\\"6595b64144ccf1df\\\" language=\\\"*\\\"></assemblyIdentity>\" fullword ascii\r\n $s11 = \"\\\\Microsoft\\\\Outbn\" fullword ascii\r\n $s12 = \"!DOCTYPE HTML\" fullword ascii\r\n $s13 = \"ysdaopmck/,p\" fullword ascii\r\n $s14 = \"-BruI%+F\" fullword ascii\r\n $s15 = \"FGTQgfl\" fullword ascii\r\n $s16 = \"gUSPo0irJx{\" fullword ascii\r\n $s17 = \"<meta \\\\tp-equiv='conZ\" fullword ascii\r\n $s18 = \"lGlobchk Plc\" fullword ascii\r\n $s19 = \"atYhx6n\" fullword ascii\r\n $s20 = \"HKiTGt>h\" fullword ascii\r\n\r\n $op0 = { ff ff ff ff 55 8b ec 51 53 33 db 88 1f 8a 06 eb }\r\n $op1 = { 60 be 00 b0 40 00 8d be 00 60 ff ff 57 83 cd ff }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 100KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336102",
"to_ids": false,
"type": "text",
"uuid": "2a202cb4-adad-45c3-b05b-bceb1b022e44",
"value": "Phobos_PstPassword"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336134",
"uuid": "d12f516c-45f6-4a49-9713-b8c079e95e9b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336134",
"to_ids": false,
"type": "text",
"uuid": "d4c86c00-8577-465c-9612-cd8203f07538",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336134",
"to_ids": true,
"type": "yara",
"uuid": "af814d99-5c66-4c05-8107-41a8619062fc",
"value": "rule Phobos_OperaPassView {\r\n meta:\r\n description = \"OperaPassView.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"8e4b218bdbd8e098fff749fe5e5bbf00275d21f398b34216a573224e192094b8\"\r\n strings:\r\n $s1 = \"OperaPassView.exe\" fullword wide\r\n $s2 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s3 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s4 = \"ccount\\\",\\\"Login Name\" fullword ascii\r\n $s5 = \"OperaPassView\" fullword wide\r\n $s6 = \"Nex\u001fProcess \" fullword ascii\r\n $s7 = \"36333222(\\\"\" fullword ascii /* hex encoded string '632\"' */\r\n $s8 = \"MGetFBase`7t\" fullword ascii\r\n $s9 = \"55553333(\" fullword ascii /* hex encoded string 'UU33' */\r\n $s10 = \" 2010 - 2013 Nir Sofer\" fullword wide\r\n $s11 = \"RRRRRRRRRPPPPOOONN\" fullword ascii\r\n $s12 = \"TTTSTSSSRRRRRR\" fullword ascii\r\n $s13 = \"icKeyToken=\\\"6595b64144ccf1df\\\" language=\\\"*\\\"></assemblyIdentity>\" fullword ascii\r\n $s14 = \"Lartuprmi\" fullword ascii\r\n $s15 = \"Password\" fullword ascii /* Goodware String - occured 715 times */\r\n $s16 = \"8eLibrKyA\" fullword ascii\r\n $s17 = \"Cddd|xp\" fullword ascii\r\n $s18 = \"JLLOOQQRRTTWWXX[[]]^^aabbddgghhk\" fullword ascii\r\n $s19 = \"nnpppuuvvyyzz||\" fullword ascii\r\n $s20 = \"@DDDCCC?\" fullword ascii\r\n\r\n $op0 = { 5f fe ff ff 55 8b ec 51 56 33 f6 66 89 33 8a 07 }\r\n $op1 = { 60 be 00 e0 40 00 8d be 00 30 ff ff 57 83 cd ff }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 100KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336134",
"to_ids": false,
"type": "text",
"uuid": "537bf350-8ac0-47ae-9f37-4644f28edf4c",
"value": "Phobos_OperaPassView"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336154",
"uuid": "8046d036-ec35-4157-ac9d-7465f5d3e8e6",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336154",
"to_ids": false,
"type": "text",
"uuid": "328fd74c-604a-4200-814a-2c94f0ff11ff",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336154",
"to_ids": true,
"type": "yara",
"uuid": "5c99ef9b-6181-46d7-b80f-938671a94012",
"value": "rule Phobos_mspass {\r\n meta:\r\n description = \"mspass.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26\"\r\n strings:\r\n $x1 = \"lyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X86\\\" publicKey\" ascii\r\n $x2 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><assemblyIdentity version=\\\"1.0.0.0\\\" processorArch\" ascii\r\n $s3 = \"mspass.exe\" fullword wide\r\n $s4 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><assemblyIdentity version=\\\"1.0.0.0\\\" processorArch\" ascii\r\n $s5 = \"IM Password Recovery\" fullword wide\r\n $s6 = \" 2004 - 2014 Nir Sofer\" fullword wide\r\n $s7 = \"oftware\" fullword wide\r\n $s8 = \"mspass\" fullword wide\r\n $s9 = \"TalKeySt\" fullword ascii\r\n $s10 = \" MessenPass\" fullword wide\r\n $s11 = \"re=\\\"X86\\\" name=\\\"NirSoft\\\" type=\\\"win32\\\"></assemblyIdentity><description>NirSoft</description><dependency><dependentAssembly><\" ascii\r\n $s12 = \"Gbrvbar\" fullword ascii\r\n $s13 = \"~,\\\"Log8 Name\" fullword ascii\r\n $s14 = \"iiethn\" fullword ascii\r\n $s15 = \"\\\\Digsby\\\\d\" fullword ascii\r\n $s16 = \"aaaarr\" fullword ascii\r\n $s17 = \"fddptx\" fullword ascii\r\n $s18 = \"8>qg(= \" fullword ascii /* Goodware String - occured 1 times */\r\n $s19 = \"ilterIndex\" fullword ascii\r\n $s20 = \"fmaj]b0\" fullword ascii\r\n\r\n $op0 = { ff ff ff ff 55 8b ec 51 53 33 db 88 1f 8a 06 eb }\r\n $op1 = { 60 be 00 40 41 00 8d be 00 d0 fe ff 57 83 cd ff }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336154",
"to_ids": false,
"type": "text",
"uuid": "031f87e7-c81f-4807-abf2-7e2979246c28",
"value": "Phobos_mspass"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336188",
"uuid": "b217a2e2-21d8-4a68-8420-27ca6c50fabd",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336188",
"to_ids": false,
"type": "text",
"uuid": "cc141f3e-ecdf-4016-acba-118cfec906a0",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336188",
"to_ids": true,
"type": "yara",
"uuid": "32a2cc2f-82d3-49a4-a2d4-19263c180c67",
"value": "rule Phobos_NetRouteView {\r\n meta:\r\n description = \"NetRouteView.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"91041b616969e1526ee6dce23f8d18afdd353786ac6afa0b6611903263ee6f63\"\r\n strings:\r\n $s1 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s2 = \"NetRouteView.exe\" fullword wide\r\n $s3 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s4 = \" 2010 - 2015 Nir Sofer\" fullword wide\r\n $s5 = \"AetIpForwardE\" fullword ascii\r\n $s6 = \"support@nirsoft.net0\" fullword ascii\r\n $s7 = \"5 Hashoshanim st.1\" fullword ascii\r\n $s8 = \"Read8[U\" fullword ascii\r\n $s9 = \"icKeyToken=\\\"6595b64144ccf1df\\\" language=\\\"*\\\"></assemblyIdentity>\" fullword ascii\r\n $s10 = \"Laseoize\" fullword ascii\r\n $s11 = \"urrent\" fullword ascii\r\n $s12 = \"xce /Y\" fullword ascii\r\n $s13 = \"jKXEAT1\" fullword ascii\r\n $s14 = \"Gush Dan1\" fullword ascii\r\n $s15 = \"Ramat Gan1\" fullword ascii\r\n $s16 = \"kFBaseNameW\" fullword ascii\r\n $s17 = \"XAnImAi;\" fullword ascii\r\n $s18 = \"ctfWz7b\" fullword ascii\r\n $s19 = \"reaGCTab_\" fullword ascii\r\n $s20 = \"View\\\\R|\" fullword ascii\r\n\r\n $op0 = { 5f fe ff ff 55 8b ec 51 56 33 f6 66 89 33 8a 07 }\r\n $op1 = { 60 be 00 f0 40 00 8d be 00 20 ff ff 57 83 cd ff }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 100KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336188",
"to_ids": false,
"type": "text",
"uuid": "bba83c68-9da0-48c8-97a4-e7738d23d005",
"value": "Phobos_NetRouteView"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336215",
"uuid": "de2a83ed-41e1-4885-9a60-84fe57171a36",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336215",
"to_ids": false,
"type": "text",
"uuid": "ede44c44-859a-45ad-9a82-7211975b55c0",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336215",
"to_ids": true,
"type": "yara",
"uuid": "68282800-9783-42a2-9052-1e72a6c2cbef",
"value": "rule Phobos_iepv {\r\n meta:\r\n description = \"iepv.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"dbe98193aced7285a01c18b7da8e4540fb4e5b0625debcfbabcab7ea90f5685d\"\r\n strings:\r\n $x1 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\" xmlns:asmv3=\\\"urn:schemas-microsoft-com:asm.v3\\\"><d\" ascii\r\n $s2 = \"ncy><dependentAssembly><assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processor\" ascii\r\n $s3 = \"iepv.exe\" fullword wide\r\n $s4 = \" <asmv3:windowsSettings xmlns=\\\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\\\">\" fullword ascii\r\n $s5 = \"IE Passwords Viewer\" fullword wide\r\n $s6 = \"ecture=\\\"X86\\\" publicKeyToken=\\\"6595b64144ccf1df\\\" language=\\\"*\\\"></assemblyIdentity></dependentAssembly></dependency><asmv3:app\" ascii\r\n $s7 = \"CredentialsFi\" fullword ascii\r\n $s8 = \" 2006 - 2016 Nir Sofer\" fullword wide\r\n $s9 = \"A$TempaU\" fullword ascii\r\n $s10 = \"support@nirsoft.net0\" fullword ascii\r\n $s11 = \"5 Hashoshanim st.1\" fullword ascii\r\n $s12 = \"/'ml;chars5=%s'>?\" fullword ascii\r\n $s13 = \"E http-equiv='\" fullword ascii\r\n $s14 = \"IE Pass View\" fullword wide\r\n $s15 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\" xmlns:asmv3=\\\"urn:schemas-microsoft-com:asm.v3\\\"><d\" ascii\r\n $s16 = \"Gush Dan1\" fullword ascii\r\n $s17 = \"Ramat Gan1\" fullword ascii\r\n $s18 = \"008deee3d3f0\" ascii\r\n $s19 = \"PdHP~(z@\" fullword ascii\r\n $s20 = \"UUUUU\\\\@\" fullword ascii\r\n\r\n $op0 = { ff ff ff ff 55 8b ec 51 53 33 db 88 1f 8a 06 eb }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336215",
"to_ids": false,
"type": "text",
"uuid": "edba33cc-46d0-4b1a-adb2-9f396d5590b8",
"value": "Phobos_iepv"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336249",
"uuid": "0bbb0fdf-21a7-4599-a2f8-aa9edaac7708",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336249",
"to_ids": false,
"type": "text",
"uuid": "e4f8b205-82dd-4826-921d-0d61c84b4c58",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336249",
"to_ids": true,
"type": "yara",
"uuid": "04e86dd1-86e6-4f13-8c54-3c2375a288c1",
"value": "rule Phobos_PasswordFox {\r\n meta:\r\n description = \"PasswordFox.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"e01b0e7feadd08a7ea87c1cde44e7b97daf9632eaee8311ef6967f33258d03c1\"\r\n strings:\r\n $s1 = \"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, \" ascii\r\n $s2 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s3 = \"c:\\\\Projects\\\\VS2005\\\\PasswordFox\\\\Release\\\\PasswordFox.pdb\" fullword ascii\r\n $s4 = \"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, \" ascii\r\n $s5 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword wide\r\n $s6 = \" <assemblyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X8\" ascii\r\n $s7 = \"\\\\sqlite3.dll\" fullword wide\r\n $s8 = \"\\\\mozsqlite3.dll\" fullword wide\r\n $s9 = \"@netmsg.dll\" fullword wide\r\n $s10 = \"\\\"Account\\\",\\\"Login Name\\\",\\\"Password\\\",\\\"Web Site\\\",\\\"Comments\\\"\" fullword ascii\r\n $s11 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\firefox.exe\" fullword wide\r\n $s12 = \"@nss3.dll\" fullword wide\r\n $s13 = \"encryptedPassword\" fullword wide\r\n $s14 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword wide\r\n $s15 = \"xpwwwx\" fullword ascii /* reversed goodware string 'xwwwpx' */\r\n $s16 = \"timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins\" fullword ascii\r\n $s17 = \"Password Use Count\" fullword wide\r\n $s18 = \"%programfiles%\\\\Mozilla Firefox\" fullword wide\r\n $s19 = \"AddExportHeaderLine\" fullword wide\r\n $s20 = 
\"<html><head>%s<title>%s</title></head>\" fullword wide\r\n\r\n $op0 = { 89 4c 24 3c 89 7c 24 30 89 4c 24 34 ff d5 85 c0 }\r\n $op1 = { 89 44 24 34 c7 44 24 38 06 08 08 00 89 4c 24 40 }\r\n $op2 = { 89 7c 24 24 89 7c 24 28 c7 44 24 34 00 40 00 00 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 300KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336249",
"to_ids": false,
"type": "text",
"uuid": "fb7ea7bd-ea51-47b5-8621-1b959108d974",
"value": "Phobos_PasswordFox"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336276",
"uuid": "ef260f72-f5a2-45e1-8939-558e8d748dce",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336277",
"to_ids": false,
"type": "text",
"uuid": "e03e9219-db95-4feb-a871-d22f62c647ee",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336277",
"to_ids": true,
"type": "yara",
"uuid": "7bdc83d1-99b6-4f5f-acbc-76e6070d498e",
"value": "rule Phobos_VNCPassView {\r\n meta:\r\n description = \"VNCPassView.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019\"\r\n strings:\r\n $x1 = \"lyIdentity type=\\\"Win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"X86\\\" publicKey\" ascii\r\n $x2 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><assemblyIdentity version=\\\"1.0.0.0\\\" processorArch\" ascii\r\n $s3 = \"VNCPassView.exe\" fullword wide\r\n $s4 = \"<br><h4>%s <a href=\\\"http://www.nirsoft.net/\\\" target=\\\"newwin\\\">%s</a></h4><p>\" fullword ascii\r\n $s5 = \"<assembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"><assemblyIdentity version=\\\"1.0.0.0\\\" processorArch\" ascii\r\n $s6 = \"c:\\\\Projects\\\\VS2005\\\\VNCPassView\\\\Release\\\\VNCPassView.pdb\" fullword ascii\r\n $s7 = \"<meta http-equiv='content-type' content='text/html;charset=%s'>\" fullword ascii\r\n $s8 = \"BasicProg.cfg\" fullword ascii\r\n $s9 = \"ultravnc\" fullword ascii\r\n $s10 = \"<html><head>%s<title>%s</title></head>\" fullword ascii\r\n $s11 = \"VNC Passwords\" fullword wide\r\n $s12 = \"Password Type\" fullword wide\r\n $s13 = \"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\" fullword ascii\r\n $s14 = \"report.html\" fullword ascii\r\n $s15 = \"ultravnc.ini\" fullword ascii\r\n $s16 = \"dialog_%d\" fullword ascii\r\n $s17 = \" 2007 - 2014 Nir Sofer\" fullword wide\r\n $s18 = \"xpwwwwwwwwwwwx\" fullword ascii\r\n $s19 = \"<th%s>%s%s%s\" fullword ascii\r\n $s20 = \"<td bgcolor=#%s nowrap>%s\" fullword ascii\r\n\r\n $op0 = { 56 8d 85 01 ff ff ff 53 50 88 9d 00 ff ff ff e8 }\r\n $op1 = { 8b c6 50 e8 41 ff ff ff 83 c4 10 5e c9 c3 55 8b }\r\n $op2 = { 56 8d 85 01 ff ff ff 6a 00 50 8b f9 c6 85 00 ff }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 
200KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336277",
"to_ids": false,
"type": "text",
"uuid": "48624459-e3be-4d26-8bf9-e3083a67ed54",
"value": "Phobos_VNCPassView"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336301",
"uuid": "bae192e9-1685-452c-80a1-f09fae36cf13",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336301",
"to_ids": false,
"type": "text",
"uuid": "3f92de9d-9bd5-4bea-9114-9410d8420359",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336301",
"to_ids": true,
"type": "yara",
"uuid": "e2976683-8f43-49de-a994-23ad71d11b12",
"value": "rule Phobos_pars {\r\n meta:\r\n description = \"pars.vbs\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"04cc60eba7041e0cef2deb1bec9a087432344737dd2e5141c9cda981506ca1a5\"\r\n strings:\r\n $s1 = \"str_SavePath = Replace(obj_FSO.GetFile(str_LogFile), obj_FSO.GetFileName(str_LogFile), \\\"\\\", 1, -1, vbTextCompare)\" fullword ascii\r\n $s2 = \"Gl_WorkDir = Replace(WScript.ScriptFullName, WScript.ScriptName, \\\"\\\", 1, -1, vbTextCompare)\" fullword ascii\r\n $s3 = \"SaveReportToSMB str_SavePath, \\\"Users.txt\\\", Join(ListUsers, vbCrLf)\" fullword ascii\r\n $s4 = \"SaveReportToSMB str_SavePath, \\\"Passwords.txt\\\", Join(ListPasswords, vbCrLf)\" fullword ascii\r\n $s5 = \"Str = Replace(Replace(Replace(Str, \\\" * password : \\\", \\\"\\\"), \\\" * Password : \\\", \\\"\\\"), \\\" * PASSWORD : \\\", \\\"\\\")\" fullword ascii\r\n $s6 = \"If (InStr(1, Str, \\\"password :\\\", vbTextCompare) <> 0) Then\" fullword ascii\r\n $s7 = \"If (InStr(1, ListUsers(IndUsers2), Str, vbTextCompare) <> 0) Then\" fullword ascii\r\n $s8 = \"If (InStr(1, ListPasswords(IndPass2), Str, vbBinaryCompare) <> 0) Then\" fullword ascii\r\n $s9 = \"If (InStr(1, Str, \\\"cur/text:\\\", vbTextCompare) <> 0) Or (InStr(1, Str, \\\"old/text:\\\", vbTextCompare) <> 0) Then\" fullword ascii\r\n $s10 = \"SaveReportToSMB str_SavePath, \\\"NewPassTest.txt\\\", Join(Listtext, vbCrLf)\" fullword ascii\r\n $s11 = \"SaveReportToSMB str_SavePath, \\\"HASHES.txt\\\", Join(ListNTLM, vbCrLf)\" fullword ascii\r\n $s12 = \"For IndUsers2=0 To IndUsers1\" fullword ascii\r\n $s13 = \"Str = Replace(Replace(Replace(Str, \\\" password : \\\", \\\"\\\"), \\\" Password : \\\", \\\"\\\"), \\\" PASSWORD : \\\", \\\"\\\")\" fullword ascii\r\n $s14 = \"Dim IndUsers1: IndUsers1=-1\" fullword ascii\r\n $s15 = \"Str = Replace(Replace(Replace(Str, \\\"password : \\\", \\\"\\\"), \\\"Password : \\\", \\\"\\\"), \\\"PASSWORD : \\\", \\\"\\\")\" fullword 
ascii\r\n $s16 = \"Dim ListPasswords(): ReDim ListPasswords(0)\" fullword ascii\r\n $s17 = \"Redim Preserve rdirs(ubound(rdirs) - 1)\" fullword ascii\r\n $s18 = \"ReDim Preserve ListPasswords(IndPass1)\" fullword ascii\r\n $s19 = \"ReDim Preserve ListUsers(IndUsers1)\" fullword ascii\r\n $s20 = \"If (IndUsers1 < 0) or NeedAdd Then\" fullword ascii\r\n condition:\r\n uint16(0) == 0x6944 and filesize < 30KB and\r\n 8 of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336301",
"to_ids": false,
"type": "text",
"uuid": "c7c71b38-6a76-490a-aad6-546408815c42",
"value": "Phobos_pars"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336332",
"uuid": "2425f8ac-f5bc-4a2c-a197-e571f9fc1beb",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336332",
"to_ids": false,
"type": "text",
"uuid": "23f7c332-0584-4f6c-9a43-2a497596752a",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336332",
"to_ids": true,
"type": "yara",
"uuid": "161c61c3-01f5-48c9-895a-5fc661dfd2c2",
"value": "rule Phobos_ToolStatus {\r\n meta:\r\n description = \"ToolStatus.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\ToolStatus.pdb\" fullword ascii\r\n $s2 = \"ToolStatus.dll\" fullword wide\r\n $s3 = \"ProcessHacker.ToolStatus.Config\" fullword wide\r\n $s4 = \"ProcessHacker.ToolStatus.RebarConfig\" fullword wide\r\n $s5 = \"ProcessHacker.ToolStatus.ToolbarConfig\" fullword wide\r\n $s6 = \"ProcessHacker.ToolStatus.StatusbarConfig\" fullword wide\r\n $s7 = \"Modern Toolbar icons by http://www.icons8.com\" fullword wide\r\n $s8 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1119\" fullword wide\r\n $s9 = \"PhGetFilterSupportProcessTreeList\" fullword ascii\r\n $s10 = \"ProcessHacker.ToolStatus.ToolbarDisplayStyle\" fullword wide\r\n $s11 = \"ProcessHacker.ToolStatus.SearchBoxDisplayMode\" fullword wide\r\n $s12 = \"ProcessHacker.ToolStatus.ToolbarTheme\" fullword wide\r\n $s13 = \"ProcessHacker.ToolStatus\" fullword wide\r\n $s14 = \"PhGetProcessPriorityClassString\" fullword ascii\r\n $s15 = \"PhCreateProcessPropContext\" fullword ascii\r\n $s16 = \"PhFindProcessNode\" fullword ascii\r\n $s17 = \"PhSetSelectThreadIdProcessPropContext\" fullword ascii\r\n $s18 = \"PhExpandAllProcessNodes\" fullword ascii\r\n $s19 = \"PhUiTerminateProcesses\" fullword ascii\r\n $s20 = \"PhReferenceProcessItem\" fullword ascii\r\n\r\n $op0 = { 24 04 89 4c 24 24 c7 44 24 20 ff ff ff ff 41 0f }\r\n $op1 = { 33 d2 ff 15 dc ea 00 00 8b 46 34 41 b9 05 }\r\n $op2 = { 83 e8 10 74 76 83 f8 03 0f 85 6b ff ff ff 80 3d }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 700KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336332",
"to_ids": false,
"type": "text",
"uuid": "0d6a50ad-a631-4c44-95fc-9644a8f3af20",
"value": "Phobos_ToolStatus"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336356",
"uuid": "2c667c6b-eb17-4758-ad7f-2d083b5d9791",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336356",
"to_ids": false,
"type": "text",
"uuid": "e8063888-6cc5-4301-84e3-23bb46f4c9cd",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336356",
"to_ids": true,
"type": "yara",
"uuid": "ba13cea3-3f1f-41c0-afe7-9c5c70902874",
"value": "rule Phobos_ProcessHacker {\r\n meta:\r\n description = \"ProcessHacker.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\ProcessHacker.pdb\" fullword ascii\r\n $x2 = \"ProcessHacker.exe\" fullword wide\r\n $x3 = \"kprocesshacker.sys\" fullword wide\r\n $x4 = \"ntdll.dll!NtDelayExecution\" fullword wide\r\n $x5 = \"ntdll.dll!ZwDelayExecution\" fullword wide\r\n $s6 = \"PhUiInjectDllProcess\" fullword ascii\r\n $s7 = \"PhInjectDllProcess\" fullword ascii\r\n $s8 = \"Executable files (*.exe;*.dll;*.ocx;*.sys;*.scr;*.cpl)\" fullword wide\r\n $s9 = \"The process is 32-bit, but the 32-bit version of Process Hacker could not be located. A 64-bit dump will be created instead. Do \" wide\r\n $s10 = \"PhExecuteRunAsCommand2\" fullword ascii\r\n $s11 = \"\\\\x86\\\\ProcessHacker.exe\" fullword wide\r\n $s12 = \"user32.dll!NtUserGetMessage\" fullword wide\r\n $s13 = \"ntdll.dll!NtWaitForKeyedEvent\" fullword wide\r\n $s14 = \"ntdll.dll!ZwWaitForKeyedEvent\" fullword wide\r\n $s15 = \"ntdll.dll!NtReleaseKeyedEvent\" fullword wide\r\n $s16 = \"ntdll.dll!ZwReleaseKeyedEvent\" fullword wide\r\n $s17 = \"\\\\kprocesshacker.sys\" fullword wide\r\n $s18 = \"\\\\SystemRoot\\\\system32\\\\drivers\\\\ntfs.sys\" fullword wide\r\n $s19 = \"PhShellExecuteUserString\" fullword ascii\r\n $s20 = \"The process will be restarted with the same command line and working directory, but if it is running under a different user it w\" wide\r\n\r\n $op0 = { 48 8b d9 33 d2 48 8d 4c 24 34 41 b8 9c }\r\n $op1 = { 8b 41 08 89 44 24 34 0f b7 41 18 66 c1 c8 08 0f }\r\n $op2 = { 48 8b 0d 34 9c 15 00 48 85 c9 75 37 bb 37 00 00 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 5000KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336356",
"to_ids": false,
"type": "text",
"uuid": "7088086f-32d9-4c3a-b91a-0e1f4ef92b50",
"value": "Phobos_ProcessHacker"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336518",
"uuid": "c3119f60-b725-4c39-934f-f3fdb45002dc",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336518",
"to_ids": false,
"type": "text",
"uuid": "e3b407d5-af0f-4312-86e2-83b31ccacc7d",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336518",
"to_ids": true,
"type": "yara",
"uuid": "b9847164-48ad-42f4-9c01-c6f7d9aa3d4e",
"value": "rule Phobos_OnlineChecks {\r\n meta:\r\n description = \"OnlineChecks.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\OnlineChecks.pdb\" fullword ascii\r\n $s2 = \"OnlineChecks.dll\" fullword wide\r\n $s3 = \"virustotal.com\" fullword wide\r\n $s4 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1118\" fullword wide\r\n $s5 = \"http://www.virustotal.com/file/%s/analysis/\" fullword wide\r\n $s6 = \"PhShellExecute\" fullword ascii\r\n $s7 = \"ProcessHacker.OnlineChecks\" fullword wide\r\n $s8 = \"camas.comodo.com\" fullword wide\r\n $s9 = \"ProcessHacker_\" fullword wide\r\n $s10 = \"Online Checks plugin for Process Hacker\" fullword wide\r\n $s11 = \"http://camas.comodo.com%.*S\" fullword wide\r\n $s12 = \"http://camas.comodo.com/cgi-bin/submit?file=%s\" fullword wide\r\n $s13 = \"PhGetPhVersion\" fullword ascii\r\n $s14 = \"virusscan.jotti.org\" fullword wide\r\n $s15 = \"Content-Type: application/x-msdownload\" fullword wide\r\n $s16 = \"http://virusscan.jotti.org%hs\" fullword wide\r\n $s17 = \"PhGetBaseName\" fullword ascii\r\n $s18 = \"PhGetFileSize\" fullword ascii\r\n $s19 = \"Content-Disposition: form-data; name=\\\"MAX_FILE_SIZE\\\"\" fullword wide\r\n $s20 = \"Unable to add request headers\" fullword wide\r\n\r\n $op0 = { eb 1f 44 39 7e 18 75 34 44 39 7e 14 74 2e 48 8b }\r\n $op1 = { e9 46 ff ff ff cc 45 33 d2 4c 8b ca 66 44 39 11 }\r\n $op2 = { 49 8b f0 48 8b fa 48 8b d9 e8 c8 ff ff ff 4c 89 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 700KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336518",
"to_ids": false,
"type": "text",
"uuid": "6e595245-aeac-411b-b423-024ff5b2a593",
"value": "Phobos_OnlineChecks"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336546",
"uuid": "04f1b563-36e1-4bd2-b1f1-72ef76215f36",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336546",
"to_ids": false,
"type": "text",
"uuid": "39fab91e-f23b-47f3-ad73-13cd02d590c1",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336546",
"to_ids": true,
"type": "yara",
"uuid": "ff7abf7c-18ff-45cd-8634-223bc3e0ed3e",
"value": "rule Phobos_Updater {\r\n meta:\r\n description = \"Updater.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\Updater.pdb\" fullword ascii\r\n $s2 = \"%s%s\\\\processhacker-%lu.%lu-setup.exe\" fullword wide\r\n $s3 = \"http://processhacker.sourceforge.net/downloads.php\" fullword wide\r\n $s4 = \"Updater.dll\" fullword wide\r\n $s5 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1121\" fullword wide\r\n $s6 = \"processhacker.sourceforge.net\" fullword wide\r\n $s7 = \"PhShellExecute\" fullword ascii\r\n $s8 = \"ProcessHacker.UpdateChecker.PromptStart\" fullword wide\r\n $s9 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Process_Hacker2_is1\" fullword wide\r\n $s10 = \"ProcessHacker.UpdateChecker.LastUpdateCheckTime\" fullword wide\r\n $s11 = \"ProcessHacker.UpdateChecker\" fullword wide\r\n $s12 = \"/processhacker/update.php\" fullword wide\r\n $s13 = \"Plugin for checking new Process Hacker releases via the Help menu.\" fullword wide\r\n $s14 = \"ProcessHacker-Build: \" fullword wide\r\n $s15 = \"ProcessHacker-OsBuild: \" fullword wide\r\n $s16 = \"Process Hacker %lu.%lu.%lu\" fullword wide\r\n $s17 = \"Update checker plugin for Process Hacker\" fullword wide\r\n $s18 = \"Process Hacker Updater\" fullword wide\r\n $s19 = \"PhGetOwnTokenAttributes\" fullword ascii\r\n $s20 = \"PhGetPhVersionNumbers\" fullword ascii\r\n\r\n $op0 = { e8 34 ee ff ff eb b7 48 8d 59 08 40 32 f6 40 88 }\r\n $op1 = { 48 8b d8 e8 34 e2 ff ff 48 3b c3 74 c1 8b cf e8 }\r\n $op2 = { 48 85 c0 0f 84 11 03 00 00 4c 8d 05 11 34 01 00 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 300KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336546",
"to_ids": false,
"type": "text",
"uuid": "d279c175-79fa-4ba4-8e6d-7a491753bec6",
"value": "Phobos_Updater"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336577",
"uuid": "ea13725d-7a98-4a0b-abe5-ff18cf367006",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336577",
"to_ids": false,
"type": "text",
"uuid": "7e1c6d0c-df63-40e5-8547-257760085c8b",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336577",
"to_ids": true,
"type": "yara",
"uuid": "68b4f63b-8ade-4d76-a8cf-2c807a9a440f",
"value": "rule Phobos_ExtendedServices {\r\n meta:\r\n description = \"ExtendedServices.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\ExtendedServices.pdb\" fullword ascii\r\n $s2 = \"Executable files (*.exe;*.cmd;*.bat)\" fullword wide\r\n $s3 = \"ExtendedServices.dll\" fullword wide\r\n $s4 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1113\" fullword wide\r\n $s5 = \"ProcessHacker.ExtendedServices.EnableServicesMenu\" fullword wide\r\n $s6 = \"ProcessHacker.ExtendedServices\" fullword wide\r\n $s7 = \"*.exe;*.cmd;*.bat\" fullword wide\r\n $s8 = \"PhGetListViewItemParam\" fullword ascii\r\n $s9 = \"PhGetSelectedListViewItemParam\" fullword ascii\r\n $s10 = \"PhGetServiceConfig\" fullword ascii\r\n $s11 = \"Extended Services for Process Hacker\" fullword wide\r\n $s12 = \"Enable Services submenu for processes\" fullword wide\r\n $s13 = \"PhGetFileDialogFileName\" fullword ascii\r\n $s14 = \"Append /fail=%1% to pass the fail count to the program.\" fullword wide\r\n $s15 = \"The service has %lu failure actions configured, but this program only supports editing 3. If you save the recovery information u\" wide\r\n $s16 = \"PhGetOwnTokenAttributes\" fullword ascii\r\n $s17 = \"PhGetComboBoxString\" fullword ascii\r\n $s18 = \"PhLookupPrivilegeDisplayName\" fullword ascii\r\n $s19 = \"Service (%s)\" fullword wide\r\n $s20 = \"The selected privilege has already been added.\" fullword wide\r\n\r\n $op0 = { 48 8b f8 48 8b cd 48 8d 44 24 34 4c 8b c7 48 89 }\r\n $op1 = { 48 8b 05 34 a6 01 00 48 33 c4 48 89 45 1f 4c 89 }\r\n $op2 = { 48 8d 44 24 34 41 8b d1 48 89 44 24 20 4c 8d 44 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336577",
"to_ids": false,
"type": "text",
"uuid": "c02a52f6-6c84-43ff-8998-a7cd6c4e008b",
"value": "Phobos_ExtendedServices"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336604",
"uuid": "e10f50ee-8a50-4fe5-a3bf-631178457a52",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336604",
"to_ids": false,
"type": "text",
"uuid": "32cddd4e-b968-4a03-97b4-86aefc3eb849",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336604",
"to_ids": true,
"type": "yara",
"uuid": "7e304cc6-4046-4bae-99b3-a21e401e9d85",
"value": "rule Phobos_DotNetTools {\r\n meta:\r\n description = \"DotNetTools.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\DotNetTools.pdb\" fullword ascii\r\n $s2 = \"\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\mscordacwks.dll\" fullword wide\r\n $s3 = \"\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\mscordacwks.dll\" fullword wide\r\n $s4 = \"DotNetTools.dll\" fullword wide\r\n $s5 = \"# of Filters Executed\" fullword wide\r\n $s6 = \"# of Finallys Executed\" fullword wide\r\n $s7 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1111\" fullword wide\r\n $s8 = \"PhGetProcessIsDotNet\" fullword ascii\r\n $s9 = \"PhGetProcessIsSuspended\" fullword ascii\r\n $s10 = \"PhGetProcessIsDotNetEx\" fullword ascii\r\n $s11 = \"ProcessHacker.DotNetTools.AsmTreeListColumns\" fullword wide\r\n $s12 = \"ProcessHacker.DotNetTools.DotNetListColumns\" fullword wide\r\n $s13 = \"ProcessHacker.DotNetTools.DotNetShowByteSizes\" fullword wide\r\n $s14 = \"ProcessHacker.DotNetTools\" fullword wide\r\n $s15 = \".NET tools plugin for Process Hacker\" fullword wide\r\n $s16 = \"PhGetSystemRoot\" fullword ascii\r\n $s17 = \"PhEnumProcessModules32\" fullword ascii\r\n $s18 = \"PhOpenProcess\" fullword ascii\r\n $s19 = \"ProcessQueryAccess\" fullword ascii\r\n $s20 = \"PhFindProcessInformation\" fullword ascii\r\n\r\n $op0 = { 48 8b d8 e8 34 e2 ff ff 48 3b c3 74 c1 8b cf e8 }\r\n $op1 = { c7 45 f7 fe ff ff ff 44 89 7d fb ff 15 ff ea 00 }\r\n $op2 = { 48 8b 4e 18 45 33 c9 ba ff ff ff 7f 4e 8b 04 03 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336604",
"to_ids": false,
"type": "text",
"uuid": "50c9a4dd-f3e1-4ac9-ac60-2e7b308f79bb",
"value": "Phobos_DotNetTools"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336637",
"uuid": "2b877e85-da50-4283-afd5-4f6896b267c6",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336637",
"to_ids": false,
"type": "text",
"uuid": "097869e9-b46b-4d73-b60f-68eb60418c76",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336637",
"to_ids": true,
"type": "yara",
"uuid": "4b2d1204-f006-4667-b629-f1447d8a5dfb",
"value": "rule Phobos_HardwareDevices {\r\n meta:\r\n description = \"HardwareDevices.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\HardwareDevices.pdb\" fullword ascii\r\n $s2 = \"Count of reallocated sectors. When the hard drive finds a read/write/verification error, it marks that sector as \\\"reallocated\\\"\" wide\r\n $s3 = \"HardwareDevices.dll\" fullword wide\r\n $s4 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1820\" fullword wide\r\n $s5 = \"ProcessHacker.HardwareDevices.EnableNDIS\" fullword wide\r\n $s6 = \"ProcessHacker.HardwareDevices.DiskList\" fullword wide\r\n $s7 = \"ProcessHacker.HardwareDevices.NetworkList\" fullword wide\r\n $s8 = \"ProcessHacker.HardwareDevices\" fullword wide\r\n $s9 = \"Uncorrected read errors reported to the operating system.\" fullword wide\r\n $s10 = \"PhGetListViewItemParam\" fullword ascii\r\n $s11 = \"PhGetSelectedListViewItemParam\" fullword ascii\r\n $s12 = \"PhProcessesUpdatedEvent\" fullword ascii\r\n $s13 = \"This attribute stores a total count of the spin start attempts to reach the fully operational speed (under the condition that th\" wide\r\n $s14 = \"Hardware Devices plugin for Process Hacker\" fullword wide\r\n $s15 = \"Average performance of seek operations of the magnetic heads.\" fullword wide\r\n $s16 = \"PhGetOwnTokenAttributes\" fullword ascii\r\n $s17 = \"LogFile reads\" fullword wide\r\n $s18 = \"LogFile read bytes\" fullword wide\r\n $s19 = \"%I64u - %I64u\" fullword wide\r\n $s20 = \"Command Timeout\" fullword wide\r\n\r\n $op0 = { b2 01 ff 15 15 4d 01 00 48 8b c8 ff 15 34 4d 01 }\r\n $op1 = { b2 01 ff 15 15 4b 01 00 48 8b c8 ff 15 34 4b 01 }\r\n $op2 = { 48 8b 47 08 4c 8b 34 d8 49 63 0e 4c 8b c9 e8 6d }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 500KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336637",
"to_ids": false,
"type": "text",
"uuid": "0384189d-5694-485b-bdb3-53bc40b71628",
"value": "Phobos_HardwareDevices"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336673",
"uuid": "3a423431-606b-40ca-b40b-3991e71a9d44",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336675",
"to_ids": false,
"type": "text",
"uuid": "fca4b079-cbe8-4d9d-8e8d-7a3dc20cd6f7",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336676",
"to_ids": true,
"type": "yara",
"uuid": "7eb7c76c-0062-4379-ace5-4aa008ff26ab",
"value": "rule Phobos_WindowExplorer {\r\n meta:\r\n description = \"WindowExplorer.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a\"\r\n strings:\r\n $x1 = \"ProcessHacker.exe\" fullword wide\r\n $x2 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\WindowExplorer.pdb\" fullword ascii\r\n $s3 = \"WindowExplorer.dll\" fullword wide\r\n $s4 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1116\" fullword wide\r\n $s5 = \"(%d, %d) - (%d, %d) [%dx%d]\" fullword wide\r\n $s6 = \"ProcessHacker.WindowExplorer\" fullword wide\r\n $s7 = \"ProcessHacker.WindowExplorer.ShowDesktopWindows\" fullword wide\r\n $s8 = \"ProcessHacker.WindowExplorer.WindowTreeListColumns\" fullword wide\r\n $s9 = \"ProcessHacker.WindowExplorer.WindowsWindowPosition\" fullword wide\r\n $s10 = \"ProcessHacker.WindowExplorer.WindowsWindowSize\" fullword wide\r\n $s11 = \"PhCreateProcessPropContext\" fullword ascii\r\n $s12 = \"PhSetSelectThreadIdProcessPropContext\" fullword ascii\r\n $s13 = \"PhReferenceProcessItem\" fullword ascii\r\n $s14 = \"PhShowProcessProperties\" fullword ascii\r\n $s15 = \"PhOpenProcess\" fullword ascii\r\n $s16 = \"ProcessQueryAccess\" fullword ascii\r\n $s17 = \"The process does not exist.\" fullword wide\r\n $s18 = \"Windows - Thread %lu\" fullword wide\r\n $s19 = \"Windows - Desktop \\\"%s\\\"\" fullword wide\r\n $s20 = \"Window Explorer plugin for Process Hacker\" fullword wide\r\n\r\n $op0 = { ff 15 1a fb 00 00 ba e8 ff ff ff 48 8b cb 85 ff }\r\n $op1 = { ff 15 34 c0 01 00 41 b8 c8 }\r\n $op2 = { ff 15 f7 e2 00 00 83 63 34 fd 4c 8b cb 48 8b 0f }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336677",
"to_ids": false,
"type": "text",
"uuid": "bc5c4958-ae67-4471-87c3-329fd8727d28",
"value": "Phobos_WindowExplorer"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336700",
"uuid": "06a285d1-511a-4d17-b633-a9ee8235f2ff",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336700",
"to_ids": false,
"type": "text",
"uuid": "02133dd8-4aa5-402b-a6da-ff4ab733cdc9",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336700",
"to_ids": true,
"type": "yara",
"uuid": "c75ccfbc-3290-470e-a20e-6d6db2af3375",
"value": "rule Phobos_ExtendedTools {\r\n meta:\r\n description = \"ExtendedTools.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\ExtendedTools.pdb\" fullword ascii\r\n $s2 = \"ExtendedTools.dll\" fullword wide\r\n $s3 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1114\" fullword wide\r\n $s4 = \"PhEtKernelLogger\" fullword wide\r\n $s5 = \"ProcessHacker.ToolStatus\" fullword wide\r\n $s6 = \"ProcessHacker.ExtendedTools.DiskTreeListColumns\" fullword wide\r\n $s7 = \"ProcessHacker.ExtendedTools.DiskTreeListSort\" fullword wide\r\n $s8 = \"ProcessHacker.ExtendedTools.EnableEtwMonitor\" fullword wide\r\n $s9 = \"ProcessHacker.ExtendedTools.EnableGpuMonitor\" fullword wide\r\n $s10 = \"ProcessHacker.ExtendedTools.GpuNodeBitmap\" fullword wide\r\n $s11 = \"ProcessHacker.ExtendedTools.GpuLastNodeCount\" fullword wide\r\n $s12 = \"ProcessHacker.ExtendedTools\" fullword wide\r\n $s13 = \"Disk monitoring requires Process Hacker to be restarted with administrative privileges.\" fullword wide\r\n $s14 = \"PhShellProcessHacker\" fullword ascii\r\n $s15 = \"PhEtRundownLogger\" fullword wide\r\n $s16 = \"PhFindProcessNode\" fullword ascii\r\n $s17 = \"PhReferenceProcessItem\" fullword ascii\r\n $s18 = \"PhFindProcessRecord\" fullword ascii\r\n $s19 = \"PhShowProcessRecordDialog\" fullword ascii\r\n\r\n $op0 = { c7 44 24 40 ff ff ff 7f 48 89 44 24 30 45 33 c0 }\r\n $op1 = { e8 03 00 00 48 8d 0d 3d 34 02 00 ff 15 f7 a6 01 }\r\n $op2 = { 8b c1 49 8b 14 c1 f6 02 02 0f 85 3c ff ff ff ff }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 600KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336700",
"to_ids": false,
"type": "text",
"uuid": "5b203baf-74a9-41b2-9990-155ceb0d681e",
"value": "Phobos_ExtendedTools"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336732",
"uuid": "2c749d62-9849-4312-9f7d-58ed688e85d5",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336733",
"to_ids": false,
"type": "text",
"uuid": "650bddc6-a2f6-4d60-8cba-0e38aae7d948",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336733",
"to_ids": true,
"type": "yara",
"uuid": "8c28802c-bc3f-413d-84eb-9d1befb47679",
"value": "rule Phobos_ExtendedNotifications {\r\n meta:\r\n description = \"ExtendedNotifications.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795\"\r\n strings:\r\n $x1 = \"C:\\\\Windows\\\\system32\\\\cmd.exe\" fullword wide\r\n $s2 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\ExtendedNotifications.pdb\" fullword ascii\r\n $s3 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1112\" fullword wide\r\n $s4 = \"ExtendedNotifications.dll\" fullword wide\r\n $s5 = \"note*.exe\" fullword wide\r\n $s6 = \"ProcessHacker.ExtendedNotifications.LogFileName\" fullword wide\r\n $s7 = \"The process %s (%lu) was started by %s.\" fullword wide\r\n $s8 = \"The process %s (%lu) was terminated.\" fullword wide\r\n $s9 = \"an unknown process\" fullword wide\r\n $s10 = \"Log files (*.txt;*.log)\" fullword wide\r\n $s11 = \"PhReferenceProcessItemForParent\" fullword ascii\r\n $s12 = \"Process Created\" fullword ascii\r\n $s13 = \"Process Hacker\" fullword ascii\r\n $s14 = \"Process Terminated\" fullword ascii\r\n $s15 = \"Changes will require a restart of Process Hacker.\" fullword wide\r\n $s16 = \"PhGetFileDialogFileName\" fullword ascii\r\n $s17 = \"dProcessHacker.ExtendedNotifications\" fullword wide\r\n $s18 = \"ProcessHacker.ExtendedNotifications.EnableGrowl\" fullword wide\r\n $s19 = \"ProcessHacker.ExtendedNotifications.ProcessList\" fullword wide\r\n $s20 = \"ProcessHacker.ExtendedNotifications.ServiceList\" fullword wide\r\n\r\n $op0 = { 48 8d 4c 24 28 48 8b 34 e8 b8 65 }\r\n $op1 = { 48 8b 47 08 41 b0 01 8b cb 48 8b d5 4c 8b 34 c8 }\r\n $op2 = { 81 7d 10 36 ff ff ff 0f 85 80 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336733",
"to_ids": false,
"type": "text",
"uuid": "ce2b784d-1422-4eba-95cb-27c605384131",
"value": "Phobos_ExtendedNotifications"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336758",
"uuid": "0c15880c-5032-4de6-ae24-e07d12d2eb24",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336759",
"to_ids": false,
"type": "text",
"uuid": "f180d5d2-7d4b-4803-8afe-9d81c09ced64",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336759",
"to_ids": true,
"type": "yara",
"uuid": "5d0c59b7-11d2-4b88-8eff-e5d813aaa555",
"value": "rule Phobos_peview {\r\n meta:\r\n description = \"peview.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"4259e53d48a3fed947f561ff04c7f94446bedd64c87f52400b2cb47a77666aaa\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\peview.pdb\" fullword ascii\r\n $s2 = \"peview.exe\" fullword wide\r\n $s3 = \"mscorlib.ni.dll\" fullword wide\r\n $s4 = \"Supported files (*.exe;*.dll;*.ocx;*.sys;*.scr;*.cpl;*.ax;*.acm;*.lib;*.winmd;*.efi)\" fullword wide\r\n $s5 = \"Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\KnownFunctionTableDlls\" fullword wide\r\n $s6 = \"*.exe;*.dll;*.ocx;*.sys;*.scr;*.cpl;*.ax;*.acm;*.lib;*.winmd;*.efi\" fullword wide\r\n $s7 = \"Executable, \" fullword wide\r\n $s8 = \" <requestedExecutionLevel level=\\\"asInvoker\\\" uiAccess=\\\"false\\\"/>\" fullword ascii\r\n $s9 = \"Process Hacker\" fullword wide\r\n $s10 = \"Uni-processor only, \" fullword wide\r\n $s11 = \"Process affinity mask\" fullword wide\r\n $s12 = \"Process heap flags\" fullword wide\r\n $s13 = \"Target machine:\" fullword wide\r\n $s14 = \" <asmv3:windowsSettings xmlns=\\\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\\\">\" fullword ascii\r\n $s15 = \"\\\\Microsoft.NET\\\\Framework\\\\\" fullword wide\r\n $s16 = \"\\\\Microsoft.NET\\\\Framework64\\\\\" fullword wide\r\n $s17 = \" processorArchitecture=\\\"*\\\"\" fullword ascii\r\n $s18 = \" processorArchitecture=\\\"*\\\"\" fullword ascii\r\n $s19 = \" <description>PE Viewer</description>\" fullword ascii\r\n $s20 = \"EFI Boot Service Driver\" fullword wide\r\n\r\n $op0 = { 85 ff 74 51 49 8b 10 8b df 48 8d 34 1b 48 03 d6 }\r\n $op1 = { e9 48 ff ff ff 8b df 48 d1 eb 74 4c 49 8b 10 48 }\r\n $op2 = { 48 8b fe 0f b7 c0 48 8b ca 66 f3 ab 48 8d 34 56 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 700KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336759",
"to_ids": false,
"type": "text",
"uuid": "adf0ba50-d7d5-41ac-b7be-bdddaf32a2a6",
"value": "Phobos_peview"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336857",
"uuid": "101d4eba-12b0-47bb-ab8a-83b9ca18da94",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336857",
"to_ids": false,
"type": "text",
"uuid": "26f439c6-d790-452d-b0d2-44463db18552",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336858",
"to_ids": true,
"type": "yara",
"uuid": "f6ce8134-b9d4-404b-9fe0-73f2b1ef112c",
"value": "rule Phobos_dControl {\r\n meta:\r\n description = \"dControl.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b\"\r\n strings:\r\n $s1 = \"/AutoIt3ExecuteScript\" fullword wide\r\n $s2 = \"/AutoIt3ExecuteLine\" fullword wide\r\n $s3 = \"WINGETPROCESS\" fullword wide\r\n $s4 = \"PROCESSGETSTATS\" fullword wide\r\n $s5 = \"SCRIPTNAME\" fullword wide /* base64 encoded string 'H$H=3@0' */\r\n $s6 = \"dControl.exe\" fullword wide\r\n $s7 = \"SHELLEXECUTEWAIT\" fullword wide\r\n $s8 = \"SHELLEXECUTE\" fullword wide\r\n $s9 = \"#NoAutoIt3Execute\" fullword wide\r\n $s10 = \"PROCESSWAITCLOSE\" fullword wide\r\n $s11 = \"PROCESSWAIT\" fullword wide\r\n $s12 = \"PROCESSSETPRIORITY\" fullword wide\r\n $s13 = \"PROCESSLIST\" fullword wide\r\n $s14 = \"PROCESSEXISTS\" fullword wide\r\n $s15 = \"PROCESSCLOSE\" fullword wide\r\n $s16 = \"HTTPSETUSERAGENT\" fullword wide\r\n $s17 = \"PROCESSORARCH\" fullword wide\r\n $s18 = \"LASTDLLERROR\" fullword wide\r\n $s19 = \"CMDLINERAW\" fullword wide\r\n $s20 = \"FTPSETPROXY\" fullword wide\r\n\r\n $op0 = { e8 c5 ff ff ff 8d 8e bc }\r\n $op1 = { e8 34 13 01 00 8d 44 24 30 50 8d 8c 24 4c 01 00 }\r\n $op2 = { e9 25 ff ff ff 33 c0 89 06 eb a5 8b c1 33 c9 c7 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 2000KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336858",
"to_ids": false,
"type": "text",
"uuid": "39ed1ce6-964c-48ce-84bd-62d7e8ae4755",
"value": "Phobos_dControl"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336879",
"uuid": "32f842af-7517-4f47-b428-2c99fad67147",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336879",
"to_ids": false,
"type": "text",
"uuid": "7d70a01a-6a90-4162-9cfe-d1ffd8938f88",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336879",
"to_ids": true,
"type": "yara",
"uuid": "de41dad1-992e-4e0b-b4b7-693430c69bb6",
"value": "rule Phobos_SbieSupport {\r\n meta:\r\n description = \"SbieSupport.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\SbieSupport.pdb\" fullword ascii\r\n $s2 = \"C:\\\\Program Files\\\\Sandboxie\\\\SbieDll.dll\" fullword wide\r\n $s3 = \"SbieSupport.dll\" fullword wide\r\n $s4 = \"ProcessHacker.SbieSupport.SbieDllPath\" fullword wide\r\n $s5 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1115\" fullword wide\r\n $s6 = \"SbieDll.dll path:\" fullword wide\r\n $s7 = \"ProcessHacker.SbieSupport\" fullword wide\r\n $s8 = \"lall sandboxed processes\" fullword wide\r\n $s9 = \"PhFindProcessNode\" fullword ascii\r\n $s10 = \"PhOpenProcess\" fullword ascii\r\n $s11 = \"PhUpdateProcessNode\" fullword ascii\r\n $s12 = \"PhTerminateProcess\" fullword ascii\r\n $s13 = \"Provides functionality for sandboxed processes.\" fullword wide\r\n $s14 = \"Terminate sandboxed processes\" fullword wide\r\n $s15 = \"Sandboxie Support for Process Hacker\" fullword wide\r\n $s16 = \"PhGetFileDialogFileName\" fullword ascii\r\n $s17 = \"PhGetWindowText\" fullword ascii\r\n $s18 = \"PhSetFileDialogFileName\" fullword ascii\r\n $s19 = \"PhFreeFileDialog\" fullword ascii\r\n $s20 = \"PhShowFileDialog\" fullword ascii\r\n\r\n $op0 = { 4c 8d 05 be ff ff ff 48 8d 15 a7 ff ff ff 41 8d }\r\n $op1 = { f0 48 0f b1 3d 34 52 01 00 74 0d 48 8d 0d 2b 52 }\r\n $op2 = { 48 0f a3 c3 73 0b 41 83 c8 01 44 89 05 48 34 01 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 300KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336879",
"to_ids": false,
"type": "text",
"uuid": "e77c536e-4e79-4cde-8698-3fd160ead5c2",
"value": "Phobos_SbieSupport"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336929",
"uuid": "df719ce5-6a86-4b71-947b-dee445af46e7",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336929",
"to_ids": false,
"type": "text",
"uuid": "9a1c96bb-071d-4db0-b178-528b3364ece2",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336929",
"to_ids": true,
"type": "yara",
"uuid": "f0a4797b-b8e0-4b4f-b43e-f3172ed9035b",
"value": "rule Phobos_NetworkTools {\r\n meta:\r\n description = \"NetworkTools.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\NetworkTools.pdb\" fullword ascii\r\n $s2 = \"%s\\\\system32\\\\tracert.exe -d %s\" fullword wide\r\n $s3 = \"%s\\\\system32\\\\pathping.exe -n %s\" fullword wide\r\n $s4 = \"NetworkTools.dll\" fullword wide\r\n $s5 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1117\" fullword wide\r\n $s6 = \"%s\\\\system32\\\\tracert.exe %s\" fullword wide\r\n $s7 = \"%s\\\\system32\\\\pathping.exe %s\" fullword wide\r\n $s8 = \"PhShellExecute\" fullword ascii\r\n $s9 = \"processhacker_%S_0x0D06F00D_x1\" fullword ascii\r\n $s10 = \"ProcessHacker.NetworkTools.WindowPosition\" fullword wide\r\n $s11 = \"ProcessHacker.NetworkTools.WindowSize\" fullword wide\r\n $s12 = \"ProcessHacker.NetworkTools.PingWindowPosition\" fullword wide\r\n $s13 = \"ProcessHacker.NetworkTools.PingWindowSize\" fullword wide\r\n $s14 = \"ProcessHacker.NetworkTools.PingMaxTimeout\" fullword wide\r\n $s15 = \"ProcessHacker.NetworkTools\" fullword wide\r\n $s16 = \"PhProcessesUpdatedEvent\" fullword ascii\r\n $s17 = \"PhCreateProcessWin32Ex\" fullword ascii\r\n $s18 = \"PhTerminateProcess\" fullword ascii\r\n $s19 = \"Process Hacker \" fullword wide\r\n $s20 = \"Network Tools plugin for Process Hacker\" fullword wide\r\n\r\n $op0 = { ff 15 34 17 01 00 e9 b5 05 00 00 41 0f b7 c6 ff }\r\n $op1 = { ba 00 10 00 00 48 8d 4d c0 ff 15 34 17 01 00 45 }\r\n $op2 = { 48 8b c8 ff 15 d6 0f 01 00 b9 f1 ff ff ff 8b d0 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336929",
"to_ids": false,
"type": "text",
"uuid": "1449e5eb-3588-4ce4-ac3a-7ed30bb3cc18",
"value": "Phobos_NetworkTools"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336956",
"uuid": "6d371a44-95a9-4a96-b2af-b1c48c4c60fc",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336956",
"to_ids": false,
"type": "text",
"uuid": "dab4d7ad-450f-4334-bd8d-1eb83d6e3cf4",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336956",
"to_ids": true,
"type": "yara",
"uuid": "4b23d057-0ff6-4fd6-b375-77701c5d0f4d",
"value": "rule Phobos_UserNotes {\r\n meta:\r\n description = \"UserNotes.dll\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52\"\r\n strings:\r\n $x1 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release64\\\\plugins\\\\UserNotes.pdb\" fullword ascii\r\n $x2 = \"%APPDATA%\\\\Process Hacker 2\\\\usernotesdb.xml\" fullword wide\r\n $s3 = \"UserNotes.dll\" fullword wide\r\n $s4 = \"ProcessHacker.UserNotes.DatabasePath\" fullword wide\r\n $s5 = \"Only for processes with the same command line\" fullword wide\r\n $s6 = \"ProcessHacker.UserNotes.ColorCustomList\" fullword wide\r\n $s7 = \"ProcessHacker.UserNotes\" fullword wide\r\n $s8 = \"Allows the user to add comments for processes and services. Also allows the user to save process priority. Also allows the user \" wide\r\n $s9 = \"https://wj32.org/processhacker/forums/viewtopic.php?t=1120\" fullword wide\r\n $s10 = \"PhGetSelectedProcessItems\" fullword ascii\r\n $s11 = \"PhGetSelectedProcessItem\" fullword ascii\r\n $s12 = \"ProcessHacker.ToolStatus\" fullword wide\r\n $s13 = \"User Notes plugin for Process Hacker\" fullword wide\r\n $s14 = \"PhInvalidateAllProcessNodes\" fullword ascii\r\n $s15 = \"PhOpenProcess\" fullword ascii\r\n $s16 = \"PhProcessesUpdatedEvent\" fullword ascii\r\n $s17 = \"ProcessQueryAccess\" fullword ascii\r\n $s18 = \"PhAddProcessPropPage\" fullword ascii\r\n $s19 = \"PhCreateProcessPropPageContextEx\" fullword ascii\r\n $s20 = \"PhProcessModifiedEvent\" fullword ascii\r\n\r\n $op0 = { 49 8b cd 0f 95 c0 88 46 34 ff 15 f2 d9 00 00 eb }\r\n $op1 = { e8 34 fa ff ff 48 8b c8 ff 15 6b cd 00 00 48 8b }\r\n $op2 = { e8 43 ec ff ff 48 85 c0 74 30 80 78 34 00 74 2a }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 300KB and\r\n ( 1 of ($x*) and 4 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336956",
"to_ids": false,
"type": "text",
"uuid": "9734af42-4e77-4c91-bd90-43331bc7ba64",
"value": "Phobos_UserNotes"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708336986",
"uuid": "3be977a5-8ec4-42a0-bc62-b5af20ee33bb",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708336986",
"to_ids": false,
"type": "text",
"uuid": "27141a72-0094-4276-84ba-74479379dc75",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708336986",
"to_ids": true,
"type": "yara",
"uuid": "3cb5cfad-1429-408a-a331-2168e39d6ec1",
"value": "rule Phobos_pw_inspector {\r\n meta:\r\n description = \"pw-inspector.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"8bae7326cb8456ce4c9409045264ca965e30f6381ddcaa6c87ba3ac5e7683555\"\r\n strings:\r\n $s1 = \" -m MINLEN minimum length of a valid password\" fullword ascii\r\n $s2 = \"cyggcj-16.dll\" fullword ascii\r\n $s3 = \" -i FILE file to read passwords from (default: stdin)\" fullword ascii\r\n $s4 = \" -M MAXLEN maximum length of a valid password\" fullword ascii\r\n $s5 = \"Error: -c MINSETS is larger than the sets defined\" fullword ascii\r\n $s6 = \" -o FILE file to write valid passwords to (default: stdout)\" fullword ascii\r\n $s7 = \"Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s\" fullword ascii\r\n $s8 = \" <requestedExecutionLevel level=\\\"asInvoker\\\"/>\" fullword ascii\r\n $s9 = \"Error: -m MINLEN is greater than -M MAXLEN\" fullword ascii\r\n $s10 = \"%s reads passwords in and prints those which meet the requirements.\" fullword ascii\r\n $s11 = \"Use for hacking: trim your dictionary file to the pw requirements of the target.\" fullword ascii\r\n $s12 = \" -c MINSETS the minimum number of sets required (default: all given)\" fullword ascii\r\n $s13 = \"Use for security: check passwords, if 0 is returned, reject password choice.\" fullword ascii\r\n $s14 = \"The return code is the number of valid passwords found, 0 if none was found.\" fullword ascii\r\n $s15 = \" -s special characters - all others not withint the sets above\" fullword ascii\r\n $s16 = \"http://www.thc.org\" fullword ascii\r\n $s17 = \"%s %s (c) 2005 by van Hauser / THC %s [%s]\" fullword ascii\r\n $s18 = \"Usage only allowed for legal purposes.\" fullword ascii\r\n $s19 = \" </compatibility>\" fullword ascii\r\n $s20 = \" <compatibility xmlns=\\\"urn:schemas-microsoft-com:compatibility.v1\\\">\" fullword ascii\r\n\r\n $op0 = { c7 04 24 04 34 40 00 e8 95 }\r\n $op1 = { c7 04 24 54 34 40 00 e8 89 }\r\n $op2 = { c7 04 24 a8 34 40 00 e8 7d }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 200KB and\r\n ( 8 of them and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708336986",
"to_ids": false,
"type": "text",
"uuid": "042d9c5c-4fba-49ae-9ce4-53cbca0b8868",
"value": "Phobos_pw_inspector"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1708337007",
"uuid": "393e2b93-b344-489c-a998-0967713e3e2e",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1708337007",
"to_ids": false,
"type": "text",
"uuid": "2e9df49a-7630-46ae-bb14-342663701f0b",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1708337007",
"to_ids": true,
"type": "yara",
"uuid": "b24fe70a-efe6-452d-8470-32da2cc8564b",
"value": "rule Phobos_hydra {\r\n meta:\r\n description = \"hydra.exe\"\r\n author = \"Directoratul National de Securitate Cibernetica (DNSC)\"\r\n date = \"2024-02-15\"\r\n hash1 = \"85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce\"\r\n strings:\r\n $x1 = \"[ATTEMPT-ERROR] target %s - login \\\"%s\\\" - pass \\\"%s\\\" - child %d - %lu of %lu\" fullword ascii\r\n $x2 = \" \\\"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F<target>%%2Fexchange&flags=0&username=<domain>%%5C^USER^&password=^\" ascii\r\n $x3 = \"[%sATTEMPT] target %s - login \\\"%s\\\" - pass \\\"%s\\\" - %lu of %lu [child %d] (%d/%d)\" fullword ascii\r\n $x4 = \" \\\"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F<target>%%2Fexchange&flags=0&username=<domain>%%5C^USER^&password=^\" ascii\r\n $x5 = \" hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login foo, password bar)\" fullword ascii\r\n $x6 = \"[COMPLETED] target %s - login \\\"%s\\\" - pass \\\"%s\\\" - child %d - %lu of %lu\" fullword ascii\r\n $x7 = \"[DEBUG] Target %d - target %s ip %s login_no %lu pass_no %lu sent %lu pass_state %d redo_state %d (%d redos) use_count %d\" ascii\r\n $x8 = \"Example%s:%s hydra -l user -P passlist.txt ftp://192.168.0.1\" fullword ascii\r\n $x9 = \" hydra -P pass.txt -m cisco target cisco-enable (Logon password cisco)\" fullword ascii\r\n $x10 = \"[DEBUG] Target %d - target %s ip %s login_no %lu pass_no %lu sent %lu pass_state %d redo_state %d (%d redos) use_count %d\" ascii\r\n $x11 = \" hydra -L logins.txt -P pws.txt -M targets.txt ssh\" fullword ascii\r\n $x12 = \"(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))\" fullword ascii\r\n $x13 = \"[ERROR] target ssh://%s:%d/ does not support password authentication.\" fullword ascii\r\n $x14 = \" hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp\" fullword ascii\r\n $x15 = \" hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum user:pass\" 
fullword ascii\r\n $x16 = \"[DEBUG] TEMP head %d: pass == %s, login == %s\" fullword ascii\r\n $x17 = \"%d of %d target%s%scompleted, %lu valid password\" fullword ascii\r\n $x18 = \"[DEBUG] we will redo the following combination: target %s child %d login \\\"%s\\\" pass \\\"%s\\\"\" fullword ascii\r\n $x19 = \"[DEBUG] send_next_pair_init target %d, head %d, redo %d, redo_state %d, pass_state %d. loop_mode %d, curlogin %s, curpass %s, tl\" ascii\r\n $x20 = \"[DEBUG] send_next_pair_init target %d, head %d, redo %d, redo_state %d, pass_state %d. loop_mode %d, curlogin %s, curpass %s, tl\" ascii\r\n\r\n $op0 = { 89 4c 24 34 8b 4c 24 64 89 74 24 04 89 7c 24 10 }\r\n $op1 = { a1 50 f2 46 00 c7 05 28 e3 44 00 ff ff ff ff 8b }\r\n $op2 = { f3 a6 74 33 c7 04 24 ff ff ff ff e8 45 4b 04 00 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 1000KB and\r\n ( 1 of ($x*) and all of ($op*) )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1708337007",
"to_ids": false,
"type": "text",
"uuid": "9ce7c815-0e6c-499f-9341-b7804bf42a72",
"value": "Phobos_hydra"
}
]
}
],
"EventReport": [
{
"name": "Backmydata Ransomware Indicators of Compromise (IOCs) UPDATE",
"content": "# Backmydata Ransomware Indicators of Compromise (IOCs) UPDATE\r\n\r\n## Summary \r\n\r\nDuring the night of 11 to 12 February 2024 there was a ransomware cyber-attack on the\r\nRomanian Soft Company (RSC) www.rsc.ro, which develops, manages and markets the\r\nHippocrates computer system (a.k.a. HIS). According to DNSC data, the attack disrupted the\r\nactivity of 26 Romanian hospitals using the Hippocrates IT system.\r\nThe malware used in the attack is the Backmydata ransomware application, which is part of the\r\nPhobos malware family, known for propagating through Remote Desktop Protocol (RDP)\r\nconnections. Backmydata is designed to encrypt target files using a complex algorithm.\r\nEncrypted files are renamed with the .backmydata extension. After encryption, the malware\r\nprovides two ransom notes (info.hta and info.txt), with details of the steps to be taken for\r\ncontacting the attackers and how to pay the ransom.\r\nThe Directorate recommends to all healthcare entities, whether or not they have been affected\r\nby the Backmydata ransomware attack, to scan their IT&C infrastructure using the YARA\r\nscanning script.\r\n\r\n## IOC\r\n\r\nIOCs validated with hospitals as of 16.02.2024\r\n\r\nDNSC is currently in the process of validating a new series of IOCs, which will be published soon.\r\nHashes\r\n\r\n396a2f2dd09c936e93d250e8467ac7a9c0a923ea7f9a395e63c375b877a399a6 AntiRecuvaDB.exe\r\n70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4 kprocesshacker.sys\r\n6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b dControl.exe\r\nb4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9 DotNetTools.dll\r\n61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795 ExtendedNotifications.dll\r\n5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60 ExtendedServices.dll\r\nf2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87 
ExtendedTools.dll\r\nacd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00 HardwareDevices.dll\r\n85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce hydra.exe\r\n476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e NetworkTools.dll\r\n7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de OnlineChecks.dll\r\n4259e53d48a3fed947f561ff04c7f94446bedd64c87f52400b2cb47a77666aaa peview.exe\r\nbd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 ProcessHacker.exe\r\n8bae7326cb8456ce4c9409045264ca965e30f6381ddcaa6c87ba3ac5e7683555 pw-inspector.exe\r\n57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b SbieSupport.dll\r\n5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab ToolStatus.dll\r\n0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e Updater.dll\r\nfc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52 UserNotes.dll\r\n282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a WindowExplorer.dll\r\ne71cda5e7c018f18aefcdfbce171cfeee7b8d556e5036d8b8f0864efc5f2156b BulletsPassView64.exe\r\nb19dfe440e515c39928b475a946656a12b1051e98e0df36c016586b34a766d5c BulletsPassView.exe\r\nc4304f7bb6ef66c0676c6b94d25d3f15404883baa773e94f325d8126908e1677 ChromePass.exe\r\n598555a7e053c7456ee8a06a892309386e69d473c73284de9bbc0ba73b17e70a Dialupass.exe\r\ndbe98193aced7285a01c18b7da8e4540fb4e5b0625debcfbabcab7ea90f5685d iepv.exe\r\n16c6af4ae2d8ca8e7a3f2051b913fa1cb7e1fbd0110b0736614a1e02bbbbceaf mailpv.exe\r\nd032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f mimidrv_32.sys\r\nd43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96 mimidrv.sys\r\n66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a mimik_32.exe\r\nUNCLASSIFIED / NECLASIFICAT Pagina 2 / 2 Page\r\n31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc mimik.exe\r\na6527183e3cbf81602de16f3448a8754f6cecd05dc3568fa2795de534b366da4 
mimilib_32.dll\r\n59756c8f4c760f1b29311a5732cb3fdd41d4b5bc9c88cd77c560e27b6e59780c mimilib.dll\r\nb42725211240828ccc505d193d8ea5915e395c9f43e71496ff0ece4f72e3e4ab mimilove_32.exe\r\n7a313840d25adf94c7bf1d17393
"id": "397",
"event_id": "207778",
"timestamp": "1708337089",
"uuid": "a693449f-cd63-4c9e-b3a1-cb6488d5f8f7",
"deleted": false
}
]
}
}