SteelTech/Tria.ge-Crawler-WIP
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Intitial release

Browse source
This commit is contained in:
John husxdev 2025-04-12 01:40:13 -05:00
parent 299038fbc7
commit fa8caa5116
21 changed files with 1234 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

134
rules/dangerous.yar Normal file
View file

@ -0,0 +1,134 @@
rule Keylogging {
meta:
description = "Detects keylogging functionality"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$import1 = "import keyboard" ascii wide
$import2 = "from pynput" ascii wide
$hook1 = "keyboard.hook" ascii wide
$hook2 = "keyboard.Listener" ascii wide
$hook3 = "keyboard.on_press" ascii wide
$hook4 = "KeyboardEvent" ascii wide
$func1 = "on_press" ascii wide
$func2 = "on_release" ascii wide
condition:
1 of ($import*) and 1 of ($hook*) or 1 of ($func*)
}
rule ScreenCapture {
meta:
description = "Detects screen capture functionality"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$import1 = "import pyautogui" ascii wide
$import2 = "from PIL import ImageGrab" ascii wide
$import3 = "import mss" ascii wide
$func1 = "pyautogui.screenshot" ascii wide
$func2 = "ImageGrab.grab" ascii wide
$func3 = "mss().shot" ascii wide
$func4 = ".save(" ascii wide
condition:
1 of ($import*) and 1 of ($func*)
}
rule BrowserDataTheft {
meta:
description = "Detects browser data theft functionality"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$browser1 = "Chrome" nocase ascii wide
$browser2 = "Firefox" nocase ascii wide
$browser3 = "Edge" nocase ascii wide
$browser4 = "Opera" nocase ascii wide
$path1 = "AppData\\Local\\Google\\Chrome\\User Data" ascii wide
$path2 = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles" ascii wide
$path3 = "AppData\\Local\\Microsoft\\Edge\\User Data" ascii wide
$data1 = "Login Data" ascii wide
$data2 = "Cookies" ascii wide
$data3 = "Web Data" ascii wide
$sql1 = "SELECT" ascii wide
$sql2 = "FROM logins" ascii wide
$sql3 = "FROM cookies" ascii wide
$crypto1 = "CryptUnprotectData" ascii wide
$crypto2 = "Crypt.decrypt" ascii wide
condition:
(2 of ($browser*) or 1 of ($path*)) and
(1 of ($data*)) and
(1 of ($sql*) or 1 of ($crypto*))
}
rule SystemInformationCollection {
meta:
description = "Detects system information collection functionality"
author = "Malware Researcher"
severity = "Medium"
date = "2023-01-01"
strings:
$import1 = "import platform" ascii wide
$import2 = "import socket" ascii wide
$import3 = "import uuid" ascii wide
$import4 = "import psutil" ascii wide
$func1 = "platform.system" ascii wide
$func2 = "platform.release" ascii wide
$func3 = "socket.gethostname" ascii wide
$func4 = "uuid.getnode" ascii wide
$func5 = "psutil.cpu_count" ascii wide
$func6 = "psutil.disk_usage" ascii wide
$func7 = "os.environ" ascii wide
$func8 = "os.getlogin" ascii wide
condition:
2 of ($import*) and 2 of ($func*)
}
rule AntiVMTechniques {
meta:
description = "Detects anti-VM/sandbox evasion techniques"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$vm1 = "VMware" nocase ascii wide
$vm2 = "VirtualBox" nocase ascii wide
$vm3 = "QEMU" nocase ascii wide
$vm4 = "Xen" nocase ascii wide
$vm5 = "KVM" nocase ascii wide
$vm6 = "Parallels" nocase ascii wide
$vm7 = "Hyper-V" nocase ascii wide
$vm8 = "Virtual Machine" nocase ascii wide
$check1 = "wmic.exe" nocase ascii wide
$check2 = "systeminfo" nocase ascii wide
$check3 = "get_mac" nocase ascii wide
$check4 = "registry" nocase ascii wide
$check5 = "check_vm" nocase ascii wide
$check6 = "is_vm" nocase ascii wide
condition:
2 of ($vm*) and 1 of ($check*)
}
rule SelfDestructCode {
meta:
description = "Detects self-destructing code functionality"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$del1 = "os.remove" ascii wide
$del2 = "os.unlink" ascii wide
$del3 = "shutil.rmtree" ascii wide
$path1 = "__file__" ascii wide
$path2 = "sys.argv[0]" ascii wide
$cmd1 = "cmd.exe /c" ascii wide
$cmd2 = "del " ascii wide
$cmd3 = "rmdir" ascii wide
$bat1 = ".bat" ascii wide
$bat2 = ".cmd" ascii wide
condition:
1 of ($del*) and (1 of ($path*) or
(1 of ($cmd*) and 1 of ($bat*)))
}

136
rules/infosteal.yar Normal file
View file

@ -0,0 +1,136 @@
import "pe"
rule RayXStealer {
meta:
description = "Detects RayX Stealer malware"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$s1 = "rayxstealer" nocase ascii wide
$s2 = "ray-x" nocase ascii wide
$token1 = "discordwebhook" nocase ascii wide
$token2 = "getTokens" nocase ascii wide
$browser1 = "Chrome" nocase ascii wide
$browser2 = "Edge" nocase ascii wide
$browser3 = "passwords" nocase ascii wide
$browser4 = "cookies" nocase ascii wide
condition:
($s1 or $s2) and
1 of ($token*) and
2 of ($browser*)
}
rule PysilonStealer {
meta:
description = "Detects Pysilon Stealer malware"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$id1 = "pysilon" nocase ascii wide
$id2 = "pysilonstealer" nocase ascii wide
$grab1 = "grab_discord" nocase ascii wide
$grab2 = "grab_passwords" nocase ascii wide
$grab3 = "grab_cookies" nocase ascii wide
$grab4 = "system_info" nocase ascii wide
$net1 = "webhook" nocase ascii wide
$net2 = "sendData" nocase ascii wide
condition:
1 of ($id*) and
2 of ($grab*) and
1 of ($net*)
}
rule ExelaStealer {
meta:
description = "Detects Exela Stealer malware"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$id = "exelastealer" nocase ascii wide
$grab1 = "grab_discord" nocase ascii wide
$grab2 = "grab_browsers" nocase ascii wide
$grab3 = "grab_wallets" nocase ascii wide
$net1 = "webhook_url" nocase ascii wide
$net2 = "send_report" nocase ascii wide
condition:
$id or (2 of ($grab*) and 1 of ($net*))
}
rule BlankGrabber {
meta:
description = "Detects BlankGrabber/AmnesiaGrabber malware"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$id1 = "blankgrabber" nocase ascii wide
$id2 = "amnesia" nocase ascii wide
$func1 = "grab_tokens" nocase ascii wide
$func2 = "grab_cookies" nocase ascii wide
$func3 = "grab_passwords" nocase ascii wide
$func4 = "screenshot" nocase ascii wide
$net1 = "webhook" nocase ascii wide
$enc1 = "encrypt" nocase ascii wide
$enc2 = "decrypt" nocase ascii wide
condition:
1 of ($id*) and
2 of ($func*) and
($net1 or 1 of ($enc*))
}
rule LunaGrabber {
meta:
description = "Detects Luna Grabber malware"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$id = "lunagrabber" nocase ascii wide
$grab1 = "grab_tokens" nocase ascii wide
$grab2 = "grab_password" nocase ascii wide
$grab3 = "grab_cookie" nocase ascii wide
$net = "webhook" nocase ascii wide
condition:
$id or (2 of ($grab*) and $net)
}
rule UmbralStealer {
meta:
description = "Detects Umbral Stealer malware"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$id = "umbral" nocase ascii wide
$grab1 = "get_tokens" nocase ascii wide
$grab2 = "get_passwords" nocase ascii wide
$grab3 = "get_cookies" nocase ascii wide
$grab4 = "get_wallets" nocase ascii wide
$net1 = "webhook" nocase ascii wide
$net2 = "send_data" nocase ascii wide
condition:
$id or (2 of ($grab*) and 1 of ($net*))
}
rule DiscordRatStealer {
meta:
description = "Detects Discord RAT malware"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$id1 = "discordrat" nocase ascii wide
$id2 = "discord_rat" nocase ascii wide
$cmd1 = "command_handler" nocase ascii wide
$cmd2 = "remote_control" nocase ascii wide
$cmd3 = "remote_cmd" nocase ascii wide
$discord1 = "discord.py" nocase ascii wide
$discord2 = "discord_webhook" nocase ascii wide
$discord3 = "bot.command" nocase ascii wide
condition:
1 of ($id*) and
(1 of ($cmd*) and 1 of ($discord*))
}

102
rules/network.yar Normal file
View file

@ -0,0 +1,102 @@
rule UsesDiscordWebhook {
meta:
description = "Detects Discord webhook usage"
author = "Malware Researcher"
severity = "Medium"
date = "2023-01-01"
strings:
$webhook1 = "https://discord.com/api/webhooks/" ascii wide
$webhook2 = "https://discordapp.com/api/webhooks/" ascii wide
$webhook3 = "https://ptb.discord.com/api/webhooks/" ascii wide
$webhook4 = "https://canary.discord.com/api/webhooks/" ascii wide
$func1 = "requests.post" ascii wide
$func2 = "httpx.post" ascii wide
$func3 = "aiohttp" ascii wide
$func4 = "urllib" ascii wide
condition:
1 of ($webhook*) and 1 of ($func*)
}
rule DiscordPyFramework {
meta:
description = "Detects Discord.py bot framework usage"
author = "Malware Researcher"
severity = "Medium"
date = "2023-01-01"
strings:
$import1 = "import discord" ascii wide
$import2 = "from discord.ext import commands" ascii wide
$class1 = "discord.Client" ascii wide
$class2 = "commands.Bot" ascii wide
$func1 = "bot.run" ascii wide
$func2 = "client.run" ascii wide
$token = /['"][A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}['"]/ ascii wide
condition:
(1 of ($import*) or 1 of ($class*)) and
(1 of ($func*) or $token)
}
rule PythonSMTPUsage {
meta:
description = "Detects Python SMTP mail sending functionality"
author = "Malware Researcher"
severity = "Medium"
date = "2023-01-01"
strings:
$import1 = "import smtplib" ascii wide
$import2 = "from email" ascii wide
$func1 = "smtplib.SMTP" ascii wide
$func2 = "smtp.send_message" ascii wide
$func3 = "smtp.sendmail" ascii wide
$auth1 = "smtp.login" ascii wide
$provider1 = "smtp.gmail.com" ascii wide
$provider2 = "smtp-mail.outlook.com" ascii wide
$provider3 = "smtp.mail.yahoo.com" ascii wide
condition:
$import1 and
(1 of ($func*)) and
($auth1 or 1 of ($provider*))
}
rule HTTPRequests {
meta:
description = "Detects HTTP request libraries usage for data exfiltration"
author = "Malware Researcher"
severity = "Low"
date = "2023-01-01"
strings:
$import1 = "import requests" ascii wide
$import2 = "import httpx" ascii wide
$import3 = "import aiohttp" ascii wide
$import4 = "from urllib" ascii wide
$func1 = ".post(" ascii wide
$func2 = ".get(" ascii wide
$func3 = "urlopen(" ascii wide
$data1 = "json=" ascii wide
$data2 = "data=" ascii wide
$data3 = "files=" ascii wide
condition:
1 of ($import*) and
1 of ($func*) and
1 of ($data*)
}
rule TelegramBotAPI {
meta:
description = "Detects Telegram Bot API usage"
author = "Malware Researcher"
severity = "Medium"
date = "2023-01-01"
strings:
$url1 = "api.telegram.org/bot" ascii wide
$token = /[0-9]{8,10}:[A-Za-z0-9_-]{35}/ ascii wide
$method1 = "/sendMessage" ascii wide
$method2 = "/sendDocument" ascii wide
$method3 = "/sendPhoto" ascii wide
$import1 = "telebot" ascii wide
$import2 = "telegram.ext" ascii wide
condition:
($url1 and 1 of ($method*)) or
($token and 1 of ($method*)) or
1 of ($import*)
}