# threat-detection-rules

Source repository: https://github.com/gemesa/threat-detection-rules (owner: gemesa, license: Apache-2.0, homepage: https://shadowshell.io/).

Collection of YARA (`.yar`), Suricata (`.rules`) and Sigma (`.yml`) rules for detecting various malware threats. Sigma rules are written for Linux and Windows hosts only; they are validated with `sigma check file.yml` and formatted with `prettier --write file.yml`, but have not otherwise been tested.

# Qilin

- [Analysis blog post](https://shadowshell.io/qilin-ransomware)

- [Rules](qilin)

## Usage

### YARA

```
$ yara -s qilin.yar qilin-esxi.elf
qilin qilin-esxi.elf
0xe92b6:$1: Disables process kill
0xe92e6:$2: Disables rename of completed files
0xe9323:$3: Disables snapshot deletion
0xe9358:$4: Disables VM kill
0xebc00:$5: for I in $(esxcli storage filesystem list |grep 'VMFS-5' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null; vmkfstools -U $I/eztDisk > /dev/null; done
0xebcc0:$6: for I in $(esxcli storage filesystem list |grep 'VMFS-5' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk; vmkfstools -U $I/eztDisk; done
0xebd68:$7: for I in $(esxcli storage filesystem list |grep 'VMFS-6' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null; vmkfstools -U $I/eztDisk > /dev/null; done
0xebe28:$8: for I in $(esxcli storage filesystem list |grep 'VMFS-6' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk; vmkfstools -U $I/eztDisk; done
0xebed0:$9: esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
0xebf00:$10: esxcfg-advcfg -s 20000 /BufferCache/FlushInterval
0xec032:$11: esxcli vm process list
0xebbd8:$12: esxcli vm process kill -t force -w %llu
0xec05b:$13: vim-cmd vmsvc/getallvms
0xebfc0:$14: vim-cmd vmsvc/snapshot.removeall %llu > /dev/null 2>&1
0xe9ce9:$15: dhl:p:Rrt:wy
0xe9cda:$16: %s_RECOVER.txt
0xe9ea9:$17: /etc/motd.template
0xe9ebc:$18: /var/run/motd
0xe954c:$19: /etc/motd
0xe9ea9:$19: /etc/motd
0xe9eca:$19: /etc/motd
0xeb3a8:$20: -----BEGIN PUBLIC KEY-----
0xeb3a8:$21: -----BEGIN PUBLIC KEY-----\x0AMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3a4G68kgJX2bwWZX23Yz\x0AzPI68Fl6eocJ+XLcPN9dvG3o/SV04F2zE7nWUhBbwsBHiX8bIquqVyVV+Y93FOCn\x0AeJODySiy+bLZ1QfXKMjoNbhHq+aeuYCV8na3LF3hoGpST6uJpXUxbhZOBqHHbbx6\x0AvVy1fXOUEvaEOhqkglfDUQ7/fH6sT1p/3RyCtGi3o7588oMHOVgz3jZux2dqp9Zy\x0APs9MqZs0OtcBAXTG4EmD8yz2RgH+D9j756snWNZeknnjNO+KUARDSICKFOYtb3wz\x0AxYFVvACB3sJuTpAJ2HuaWIEo8NljGsMkNTqy3tFY0WnUBxAgt7AMUM+Ex75DGa9H\x0AIAXd+bTOfo+zyUGKiUFBqBZjo8T0ueTpr8BZb98fl5/LFpXmBuR/dJBfeuq3a4vK\x0AFpxx796zUe/hoiBSvw9GzLyYa5A5Lb
0xebb0b:$22: Detected OS: ESXi (%d)
0xe9c10:$23: Are you sure to start encryption? (y/n)
0xe9c88:$24: File tree traversing done. Waiting workers to complete...
0xe9703:$25: Qilin
0xe970d:$26: Your network/system was encrypted.
0xe9b86:$27: o7L03e8F9J
0xeb099:$27: o7L03e8F9J
```

# Hancitor

- [Analysis blog post](https://shadowshell.io/hancitor-loader)

- [Rules](hancitor)

## Usage

### YARA

```
$ yara -s hancitor-packed.yar hancitor.dll
hancitor_packed hancitor.dll
0x5d3e6:$1: Broke
0x5d3ec:$2: Necessaryearly
0x5ac6b:$_memcpy: 68 88 0E 00 00 68 10 75 00 10 68 18 09 06 10 E8
0x5b526:$GetSystemDirectoryW: 68 83 05 00 00 8D 54 24 34 52 FF 15
0x5a3ad:$GetModuleFileNameW: 68 83 05 00 00 68 20 FC 05 10 6A 00 FF 15
0x5a401:$VirtualProtectEx: A1 20 20 07 10 8B 15 94 F0 05 10 68 14 09 06 10 6A 40 68 00 51 00 00 50 6A FF 8D 9C 16 0F 01 00 00 FF 15
0x5a4f9:$GetCurrentDirectoryW: 2A C2 68 20 FC 05 10 02 C3 68 83 05 00 00 A2 68 F0 05 10 FF 15
0x28e6f:$decrypt1: 8A DA 2A D8 02 D9 80 C3 19 0F B6 CB 2B CA 0F B7 D6 03 D1 89 15
0x28e88:$decrypt2: 8B 1D B8 F0 05 10 81 C7 D0 64 08 01 8A CB 2A C8 89 7D 00 80 C1 17 83 C5 04 83 6C 24 10 01 89 3D
```

```
$ yara -s hancitor-unpacked.yar hancitor-unpacked.dll
hancitor_unpacked hancitor-unpacked.dll
0x3168:$1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
0x31d0:$2: http://api.ipify.org
0x31e8:$3: 0.0.0.0
0x31f0:$4: ncdrleb
0x31f8:$5: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)
0x3238:$6: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)
0x32c4:$7: Rundll32.exe %s, start
0x32fa:$8: svchost.exe
0x32a8:$9: explorer.exe
0x32e4:$10: SystemRoot
0x32f0:$11: \System32\svchost.exe
0x33ec:$12: MASSLoader.dll
0x33fb:$13: FCQNEAXPXCR
0x3407:$14: GSDEAEBPVHTSM
0x211c:$CryptCreateHash: 8D 4D FC 51 6A 00 6A 00 68 04 80 00 00 8B 55 F8 52 FF 15
0x2157:$CryptDeriveKey: 8D 45 F4 50 8B 4D EC 51 8B 55 FC 52 68 01 68 00 00 8B 45 F8 50 FF 15
```

### Suricata

```
$ sudo suricata -c /etc/suricata/suricata.yaml -s hancitor.rules -i enp0s3
$ sudo tail -f /var/log/suricata/fast.log
02/24/2025-15:31:54.255497  [**] [1:1000001:2] Hancitor beacon [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.129:49929 -> 192.168.56.128:80
02/24/2025-15:31:54.275576  [**] [1:1000001:2] Hancitor beacon [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.129:49930 -> 192.168.56.128:80
02/24/2025-15:31:54.299836  [**] [1:1000001:2] Hancitor beacon [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.129:49931 -> 192.168.56.128:80
```

# Mirai SORA ARM

- [Analysis blog post](https://shadowshell.io/mirai-sora-botnet)
- [Rules](mirai-sora-arm)

## Usage

### YARA

```
$ yara -s mirai-packed.yar mirai-packed.elf
mirai_sora_packed_arm mirai-packed.elf
0x98:$1: UPX!
0x6deb:$1: UPX!
0x6df4:$1: UPX!
0x6670:$2: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
0x66bf:$3: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
0x1b1:$4: y$Qdl%
0x2e2:$5: aym&,ZYeC
0x35a:$6: :b[;tgo
0x440:$7: 1`Rg{z
0x484:$8: R5&9Sc
0x6f6:$9: \ME'Tj
0x749:$10: RSB$<|R
0x855:$11: a> ~!wqgUY
0x88e:$12: fZ{Glb
0xa8c:$13: ld@j^]~
0xca0:$14: 902n\x09SP
0xde2:$15: gP';H;
0x1151:$16: ~-%&xI
0x13ab:$17: 0N?>BH
0x14d7:$18: 8?oVM\3
```

```
$ yara -s mirai-unpacked.yar mirai-unpacked.elf
mirai_sora_unpacked_arm mirai-unpacked.elf
0xfb94:$1: 154.7.253.207
0x10b80:$2: AF FB DE DE
0xfd28:$3: 07 1B 06 15 6E 74 35 24 24 38 31 20 74 3A 3B 20 74 32 3B 21 3A 30 54 00
0xfd14:$4: 7B 36 3D 3A 7B 36 21 27 2D 36 3B 2C 74 07 1B 06 15 54 00 00
0x107f0:$5: 17 3B 3A 3A 31 37 20 31 30 74 00 3B 74 17 1A 17 54 00 00 00
0xfe08:$6: 7B 30 31 22 7B 23 35 20 37 3C 30 3B 33 54 00
0xfe18:$7: 7B 30 31 22 7B 39 3D 27 37 7B 23 35 20 37 3C 30 3B 33 54 00
0xfcf0:$8: 51 74 00 00
0xfe38:$9: 3B 33 3D 3A 54 00
0xfe40:$10: 31 3A 20 31 26 54 00
0xfd00:$11: 31 3A 35 36 38 31 54 00
0xfd08:$12: 27 2D 27 20 31 39 54 00
0xfd10:$13: 27 3C 54 00
0xfcf8:$14: 27 3C 31 38 38 54 00
0xfd40:$15: 3A 37 3B 26 26 31 37 20 54 00
0xfd78:$16: 7B 24 26 3B 37 7B 54 00
0xfd80:$17: 7B 31 2C 31 54 00
0xfdbc:$18: 7A 35 3A 3D 39 31 54 00
0x7f98:$19: 00 20 A0 E3 06 30 D2 E7 54 30 23 E2 06 30 C2 E7 01 20 82 E2 02 00 57 E1 F9 FF FF 1A
0xb1b0:$20: 00 C0 A0 E3 00 20 9E E5 02 30 DC E7 03 30 20 E0 02 30 CC E7 00 10 9E E5 01 30 DC E7 03 30 26 E0 01 30 CC E7 00 20 9E E5 02 30 DC E7 03 30 25 E0 02 30 CC E7 00 10 9E E5 01 30 DC E7 03 30 24 E0 ...
0xb268:$20: 00 C0 A0 E3 00 20 9E E5 02 30 DC E7 03 30 20 E0 02 30 CC E7 00 10 9E E5 01 30 DC E7 03 30 26 E0 01 30 CC E7 00 20 9E E5 02 30 DC E7 03 30 25 E0 02 30 CC E7 00 10 9E E5 01 30 DC E7 03 30 24 E0 ...
```

### Suricata

```
$ sudo suricata -c /etc/suricata/suricata.yaml -s mirai.rules -i 
$ sudo tail -f /var/log/suricata/fast.log
04/04/2025-16:15:20.435158  [**] [1:1000003:1] Mirai SORA C2 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.128:49250 -> 154.7.253.207:1312
```

# Fake Chrome updater

- [Analysis blog post](https://shadowshell.io/fake-chrome-updater)

- [Rules](fake-chrome-updater)

## Usage

### YARA

```
$ unzip ChromeUpdater.apk -d chrome-updater-unzipped
$ yara -s fake_chrome_updater_xml_android.yar fake_chrome_updater_dex_android.yar -r chrome-updater-unzipped
fake_chrome_updater_xml_android chrome-updater-unzipped/res/layout/main.xml
0xff:$0: Google Chrome Updater
0x131:$1: Your Chrome version is outdated! Chrome version: 65.1 (19 years ago!)
0xe1:$2: Download and install update
fake_chrome_updater_dex_android chrome-updater-unzipped/classes54.dex
0x71cad:$0: ATwvXhg0JDYNWzQ6YVkYJyEoDVc7dD9CTSd0IkhOPDcjAw==
0x7e2aa:$1: Gh8=
0x83e09:$2: OTshTlkhdGtO
0x83dff:$3: OTshTlkh
0x83e09:$3: OTshTlkh
0x7e248:$4: GTshSl0ndCFCTHU/L0FUMDBoDWowJzJMSiE9KEoW
0x7e294:$5: GTshSl0ndDVZVyUkI0kW
```

# Xloader (MoqHao)

- [Analysis blog post](https://shadowshell.io/xloader)

- [Rules](xloader)

## Usage

### YARA

#### Loader

```
$ unzip xloader.apk -d xloader-unzipped
$ yara -s xloader-loader-android.yar -r xloader-unzipped
xloader_loader_android xloader-unzipped/AndroidManifest.xml
0x45a:$package: q\x00q\x00f\x00z\x00q\x00.\x00o\x00e\x00o\x00o\x00p\x00.\x00l\x00r\x00.\x00x\x00n\x00z\x00c\x00w\x00r\x00
0x752:$permission0: s\x00e\x00d\x00v\x00.\x00y\x00f\x00e\x00m\x00.\x00n\x00f\x00j\x00z\x00i\x00
0x774:$permission1: p\x00f\x00o\x00p\x00h\x00.\x00r\x00y\x00x\x00r\x00p\x00l\x00q\x00.\x00d\x00y\x00e\x00k\x00
0x79c:$permission2: r\x00z\x00c\x00a\x00d\x00.\x00q\x00k\x00w\x00o\x00o\x00o\x00z\x00.\x00u\x00a\x00l\x00x\x00q\x00
0x7c6:$permission3: b\x00c\x00e\x00m\x00r\x00.\x00f\x00j\x00s\x00h\x00n\x00c\x00i\x00.\x00x\x00f\x00a\x00n\x00v\x00
0x7f0:$permission4: q\x00r\x00z\x00s\x00z\x00n\x00k\x00o\x00.\x00g\x00s\x00g\x00e\x00y\x00z\x00.\x00f\x00z\x00t\x00i\x00y\x00
0x81e:$permission5: p\x00p\x00h\x00n\x00x\x00s\x00h\x00u\x00.\x00b\x00h\x00x\x00e\x00.\x00r\x00x\x00g\x00k\x00l\x00x\x00n\x00y\x00
0xb30:$pc0: g\x00f\x006\x00h\x008\x00y\x008\x00.\x00G\x00N\x00u\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00
0xb74:$pc1: g\x00f\x006\x00h\x008\x00y\x008\x00.\x00C\x00r\x00A\x00c\x00t\x00i\x00v\x00i\x00t\x00y\x00
0xc9a:$pc2: g\x00f\x006\x00h\x008\x00y\x008\x00.\x00U\x00x\x00
0xcc6:$pc3: g\x00f\x006\x00h\x008\x00y\x008\x00.\x00R\x00y\x00
0xd76:$pc4: g\x00f\x006\x00h\x008\x00y\x008\x00.\x00J\x00z\x00
0xe22:$pc5: g\x00f\x006\x00h\x008\x00y\x008\x00.\x00L\x00i\x00
0xf30:$pc6: g\x00f\x006\x00h\x008\x00y\x008\x00.\x00A\x00p\x00
0x105c:$pc7: g\x00f\x006\x00h\x008\x00y\x008\x00.\x00Y\x00i\x00
```

#### Payload

```
$ yara -s xloader-payload-android.yar payload.dex
xloader_payload_android payload.dex
0x6d5b6:$rpc0: sendSms
0x68601:$rpc1: setWifi
0x6d9ce:$rpc1: setWifi
0x6d9d7:$rpc1: setWifi
0x6d9e7:$rpc1: setWifi
0x6a11e:$rpc2: gcont
0x4c906:$rpc3: lock
0x4d11a:$rpc3: lock
0x4df9f:$rpc3: lock
0x4e3ea:$rpc3: lock
0x4e6b4:$rpc3: lock
0x4ea70:$rpc3: lock
0x4ed7a:$rpc3: lock
0x4f1c9:$rpc3: lock
0x4f49a:$rpc3: lock
0x4f868:$rpc3: lock
0x4fb76:$rpc3: lock
0x4ffd4:$rpc3: lock
0x502a4:$rpc3: lock
0x50688:$rpc3: lock
0x50997:$rpc3: lock
0x50d26:$rpc3: lock
0x50ff1:$rpc3: lock
0x513d4:$rpc3: lock
0x51cb1:$rpc3: lock
0x51e6d:$rpc3: lock
0x521fc:$rpc3: lock
0x524c3:$rpc3: lock
0x528a5:$rpc3: lock
0x52943:$rpc3: lock
0x54e87:$rpc3: lock
0x55485:$rpc3: lock
0x56197:$rpc3: lock
0x561d7:$rpc3: lock
0x56653:$rpc3: lock
0x5666f:$rpc3: lock
0x5667b:$rpc3: lock
0x5668c:$rpc3: lock
0x566bf:$rpc3: lock
0x56fa0:$rpc3: lock
0x57027:$rpc3: lock
0x57031:$rpc3: lock
0x57185:$rpc3: lock
0x57190:$rpc3: lock
0x5719a:$rpc3: lock
0x571ab:$rpc3: lock
0x571d9:$rpc3: lock
0x5812e:$rpc3: lock
0x58154:$rpc3: lock
0x58174:$rpc3: lock
0x581cb:$rpc3: lock
0x581de:$rpc3: lock
0x58289:$rpc3: lock
0x582ab:$rpc3: lock
0x58312:$rpc3: lock
0x58d17:$rpc3: lock
0x59079:$rpc3: lock
0x590f2:$rpc3: lock
0x5911a:$rpc3: lock
0x5a15c:$rpc3: lock
0x5a167:$rpc3: lock
0x5a177:$rpc3: lock
0x5a188:$rpc3: lock
0x5a3b9:$rpc3: lock
0x5a698:$rpc3: lock
0x5aaa1:$rpc3: lock
0x5b4eb:$rpc3: lock
0x5b56b:$rpc3: lock
0x5d11d:$rpc3: lock
0x5d381:$rpc3: lock
0x5d696:$rpc3: lock
0x5dee9:$rpc3: lock
0x5e1c9:$rpc3: lock
0x5e32e:$rpc3: lock
0x5e504:$rpc3: lock
0x5e64f:$rpc3: lock
0x64855:$rpc3: lock
0x64883:$rpc3: lock
0x684c3:$rpc3: lock
0x6b6c1:$rpc3: lock
0x6be44:$rpc3: lock
0x6be4a:$rpc3: lock
0x6d52c:$rpc3: lock
0x2cf7b:$rpc4: bc
0x682cf:$rpc4: bc
0x68c53:$rpc4: bc
0x6b904:$rpc4: bc
0x6e00e:$rpc4: bc
0x6e125:$rpc4: bc
0x6e171:$rpc4: bc
0x6e1f4:$rpc4: bc
0x6d78e:$rpc5: setForward
0x6a43b:$rpc6: getForward
0x6ab10:$rpc7: hasPkg
0x6d928:$rpc8: setRingerMode
0x685b1:$rpc9: setRecEnable
0x6d8ce:$rpc9: setRecEnable
0x6d2d4:$rpc10: reqState
0x6da11:$rpc11: showHome
0x6da1b:$rpc11: showHome
0x6aa2b:$rpc12: getnpki
0x4dae2:$rpc13: http
0x4dbea:$rpc13: http
0x530cc:$rpc13: http
0x5aed0:$rpc13: http
0x66770:$rpc13: http
0x6ab8b:$rpc13: http
0x6ab91:$rpc13: http
0x6abb7:$rpc13: http
0x6abc0:$rpc13: http
0x6abd3:$rpc13: http
0x6abda:$rpc13: http
0x6abeb:$rpc13: http
0x6abf5:$rpc13: http
0x6ac13:$rpc13: http
0x6ac3f:$rpc13: http
0x6ac72:$rpc13: http
0x6ac93:$rpc13: http
0x6acb1:$rpc13: http
0x6acd9:$rpc13: http
0x6acfd:$rpc13: http
0x6ad1c:$rpc13: http
0x6ad44:$rpc13: http
0x6ad6e:$rpc13: http
0x6ad9b:$rpc13: http
0x6adca:$rpc13: http
0x6adf0:$rpc13: http
0x6ae18:$rpc13: http
0x6ae41:$rpc13: http
0x6ae70:$rpc13: http
0x6ae9a:$rpc13: http
0x6aec7:$rpc13: http
0x6b4ca:$rpc13: http
0x6db2d:$rpc13: http
0x6ccc9:$rpc14: onRecordAction
0x5147b:$rpc15: call
0x529ed:$rpc15: call
0x531f6:$rpc15: call
0x53cc3:$rpc15: call
0x540e2:$rpc15: call
0x540f9:$rpc15: call
0x5411c:$rpc15: call
0x54134:$rpc15: call
0x54157:$rpc15: call
0x542ed:$rpc15: call
0x544e4:$rpc15: call
0x5479b:$rpc15: call
0x54a94:$rpc15: call
0x54a9d:$rpc15: call
0x54b05:$rpc15: call
0x54b0e:$rpc15: call
0x54b35:$rpc15: call
0x54b3e:$rpc15: call
0x55f16:$rpc15: call
0x57236:$rpc15: call
0x573b8:$rpc15: call
0x57419:$rpc15: call
0x57433:$rpc15: call
0x57486:$rpc15: call
0x57a6e:$rpc15: call
0x5a275:$rpc15: call
0x5ac54:$rpc15: call
0x5adbe:$rpc15: call
0x66550:$rpc15: call
0x66566:$rpc15: call
0x68d4e:$rpc15: call
0x68d54:$rpc15: call
0x68d5b:$rpc15: call
0x68d65:$rpc15: call
0x6b450:$rpc15: call
0x6cbc4:$rpc15: call
0x6cc57:$rpc15: call
0x6cd31:$rpc15: call
0x6cdb5:$rpc15: call
0x6a9fe:$rpc16: get_apps
0x5f91d:$rpc17: ping
0x6cf7b:$rpc17: ping
0x6cf81:$rpc17: ping
0x6a744:$rpc18: getPhoneState
0x6aa08:$rpc19: get_gallery
0x6aa15:$rpc20: get_photo
0x6cdb2:$rpc21: on_call_rec
0x6b44d:$rpc22: is_call_rec_enable
0x6d847:$rpc23: setMyInfo
0x6d852:$rpc24: setMyVCode
0x6cde7:$rpc25: openbrowser2
0x6ad6e:$pinterest0: https://www.pinterest.com/emeraldquinn4090/
0x6ae41:$pinterest1: https://www.pinterest.com/kelliemarshall9518/
0x6ae9a:$pinterest2: https://www.pinterest.com/shonabutler10541/
0x6ae70:$pinterest3: https://www.pinterest.com/norahspencer9/
0x6aec7:$pinterest4: https://www.pinterest.com/singletonabigail/
0x6ad9b:$pinterest5: https://www.pinterest.com/felicitynewman8858/
0x6ad1c:$pinterest6: https://www.pinterest.com/abigailn674/
0x6adca:$pinterest7: https://www.pinterest.com/gh6855786/
0x6ad44:$pinterest8: https://www.pinterest.com/catogreggex11/
0x6ae18:$pinterest9: https://www.pinterest.com/ingalcliffth/
0x6adf0:$pinterest10: https://www.pinterest.com/husaincrisp/
0x69fbd:$vk0: ffgtrrt([\w_-]+?)ffgtrrt
0x6a08e:$vk1: freefh([\w_-]+?)freefh
0x6aa64:$vk2: gfrtthnm([\w_-]+?)gfrtthnm
0x6cb12:$vk3: ohgftyn([\w_-]+?)ohgftyn
0x69fa5:$vk4: fdthjn([\w_-]+?)fdthjn
0x6aa80:$vk5: gftrtr([\w_-]+?)gftrtr
0x68c5b:$vk6: bgfrewi([\w_-]+?)bgfrewi
0x6aef4:$vk7: htynff([\w_-]+?)htynff
0x6ab42:$vk8: hfdrgf([\w_-]+?)hfdrgf
0x69f6a:$vk9: fdedsds([\w_-]+?)fdedsds
0x69df1:$vk10: dsfewdw([\w_-]+?)dsfewdw
0x6d35e:$vk11: retredwcd([\w_-]+?)retredwcd
0x5cc7a:$fs0: /NPKI
0x5cc1d:$fs1: .rec
0x5cc23:$fs1: .rec
0x5cc23:$fs2: .rec.amr
0x6b8fc:$bank0: jp.co.smbc.direct
0x6b8bf:$bank1: jp.co.rakuten_bank.rakutenbank
0x6b92d:$bank2: jp.mufg.bk.applisp.app
0x6b85e:$bank3: jp.co.japannetbank.smtapp.balance
0x6b89c:$bank4: jp.co.netbk.smartkey.SSNBSmartkey
0x6b90f:$bank5: jp.japanpost.jp_bank.FIDOapp
0x6b881:$bank6: jp.co.jibunbank.jibunmain
0x6b8df:$bank7: jp.co.sevenbank.AppPassbook
0x5e1cf:$field0: \xEA\xB3\xB5\xEC\x9D\xB8\xEC\x9D\xB8\xEC\xA6\x9D\xEC\x84\x9C
0x5d387:$field1: \xEB\xB9\x84\xEB\xB0\x80\xEB\xB2\x88\xED\x98\xB8
0x5daad:$field1: \xEB\xB9\x84\xEB\xB0\x80\xEB\xB2\x88\xED\x98\xB8
0x5d7b1:$field2: \xEC\xB9\xB4\xEB\x93\x9C\xEB\xB2\x88\xED\x98\xB8
0x5d882:$field3: \xEC\xB9\xB4\xEB\x93\x9C\xEC\x86\x8C\xEC\x9C\xA0\xEC\x9E\x90\xEB\xAA\x85
0x5d96d:$field4: \xEC\x9C\xA0\xED\x9A\xA8\xEA\xB8\xB0\xEA\xB0\x84
0x5dd90:$field5: \xEC\x9A\xB0\xED\x8E\xB8\xEB\xB2\x88\xED\x98\xB8
```

# DCRat

- [Analysis blog post](https://shadowshell.io/dcrat)

- [Rules](dcrat)

## Usage

### YARA

```
$ yara dcrat.yar dcrat.exe
DCRat_salt dcrat.exe
DCRat_AntiProcess dcrat.exe
DCRat_AMSI_bypass dcrat.exe
DCRat_VM_detection dcrat.exe
DCRat_config dcrat.exe
DCRat_MsgPack_packets dcrat.exe
DCRat_persistence dcrat.exe
```

### Suricata

```
$ cat dcrat.rules
alert dns any any -> any any (msg:"DCRat C2 DNS lookup (sky01.publicvm.com)"; dns.query; content:"sky01.publicvm.com"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp any any -> any 9217 (msg:"DCRat C2 beacon (MessagePack)"; flow:to_server,established; content:"Pac_ket"; content:"ClientInfo"; content:"HWID"; content:"Anti_virus"; classtype:trojan-activity; sid:1000002; rev:1;)
$ sudo tcpdump -i lo -w /tmp/dcrat.pcap
$ sudo suricata -r /tmp/dcrat.pcap -l /tmp/suricata/ -s dcrat.rules
$ cat /tmp/suricata/fast.log
...
02/10/2026-16:09:07.371704  [**] [1:1000001:1] DCRat C2 beacon (MessagePack) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:35492 -> 10.0.2.15:9217
02/10/2026-20:22:30.650742  [**] [1:1000001:1] DCRat C2 DNS lookup (sky01.publicvm.com) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.1.100:12345 -> 8.8.8.8:53
...
```

# Remcos

- [Analysis blog post](https://shadowshell.io/remcos)

- [Rules](remcos)

## Usage

### YARA

```
$ yara remcos.yar remcos.exe
Remcos_version_agent_breakingsecurity_strings remcos.exe
Remcos_keylogger_strings remcos.exe
Remcos_uac_disable remcos.exe
Remcos_audio_recording remcos.exe
Remcos_c2_strings remcos.exe
Remcos_combined remcos.exe
```

### Suricata

```
$ cat remcos.rules
alert dns any any -> any any (msg:"Remcos C2 DNS lookup (gdyhjjdhbvxgsfe.gotdns.ch)"; dns.query; content:"gdyhjjdhbvxgsfe.gotdns.ch"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
$ sudo tcpdump -i lo -w /tmp/remcos.pcap
$ sudo suricata -r /tmp/remcos.pcap -l /tmp/suricata/ -s remcos.rules
$ cat /tmp/suricata/fast.log
02/10/2026-20:46:37.084883  [**] [1:1000001:1] Remcos C2 DNS lookup (gdyhjjdhbvxgsfe.gotdns.ch) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.1.100:12345 -> 8.8.8.8:53
```
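## Added example: matching the Hancitor check-in format

The two `GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)` / `(x32)` strings matched by `hancitor-unpacked.yar` are the printf templates the loader fills in for its check-in, and the fixed key sequence is the natural thing for a network rule to key on. The content of `hancitor.rules` is not shown on this page, so what follows is an added example, not the repository's rule: Python that compiles those two templates into anchored regexes and classifies HTTP POST bodies. The request bodies are constructed for the example, and the requirement that `IP` parse as an IPv4 address is this example's choice (the sample stores `http://api.ipify.org` and `0.0.0.0` next to the templates).

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Check-in templates exactly as matched by hancitor-unpacked.yar ($5 and $6).
HANCITOR_TEMPLATES = (
    "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)",
    "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)",
)

# printf conversion -> regex fragment.  Assumption for this example: a %s value
# never contains a raw '&', which holds for a form-encoded body.
_CONVERSIONS = {
    "%I64u": r"\d{1,20}",  # unsigned 64-bit decimal, at most 20 digits
    "%d": r"-?\d+",
    "%s": r"[^&]*",
}


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn a printf-style key=value&key=value template into an anchored regex
    with one named group per key, escaping every literal character."""
    fields = []
    for field in template.split("&"):
        key, fmt = field.split("=", 1)
        pattern = re.escape(fmt)  # Python >= 3.7 leaves '%' unescaped
        for conv, frag in _CONVERSIONS.items():
            pattern = pattern.replace(conv, frag)
        fields.append(f"{re.escape(key)}=(?P<{key}>{pattern})")
    return re.compile("^" + "&".join(fields) + "$")


_PATTERNS = [template_to_regex(t) for t in HANCITOR_TEMPLATES]


def match_hancitor_beacon(body: str) -> Optional[Dict[str, str]]:
    """Return the check-in fields if `body` has the Hancitor shape, else None.
    The IP field must additionally parse as an IPv4 address (example's choice)."""
    body = body.strip()
    for pat in _PATTERNS:
        m = pat.match(body)
        if m is None:
            continue
        fields = m.groupdict()
        try:
            if ipaddress.ip_address(fields["IP"]).version != 4:
                return None
        except ValueError:
            return None
        return fields
    return None


# Constructed request bodies; none of them is real traffic.
SAMPLE_BODIES: List[str] = [
    "GUID=1234567890123456789&BUILD=0001_demo&INFO=HOST1 @ HOST1\\alice&EXT=&IP=203.0.113.10&TYPE=1&WIN=6.1(x64)",
    "GUID=42&BUILD=0002_demo&INFO=HOST2 @ HOST2\\bob&EXT=exe&IP=203.0.113.11&TYPE=1&WIN=10.0(x32)",
    "GUID=not-a-number&BUILD=b&INFO=h&EXT=&IP=203.0.113.12&TYPE=1&WIN=6.1(x64)",  # GUID not numeric
    "GUID=7&BUILD=b&INFO=h&EXT=&IP=example.invalid&TYPE=1&WIN=6.1(x64)",  # IP is not an address
    "GUID=7&BUILD=b&INFO=h&IP=203.0.113.13&TYPE=1&WIN=6.1(x64)",  # EXT field missing
    "user=alice&password=hunter2",  # unrelated form post
]


def triage(bodies: List[str]) -> List[bool]:
    """True for every body that matches the Hancitor check-in format."""
    return [match_hancitor_beacon(b) is not None for b in bodies]


if __name__ == "__main__":
    for body, hit in zip(SAMPLE_BODIES, triage(SAMPLE_BODIES)):
        print(("HANCITOR " if hit else "clean    ") + body[:70])
```

On the wire the same check belongs in a Suricata rule on the `http.request_body` buffer (`http_client_body` in older releases), either as a chain of `content` matches for the fixed `GUID=`, `&BUILD=`, `&INFO=`, `&EXT=`, `&IP=`, `&TYPE=1&WIN=` fragments or as a `pcre` equivalent to the regex above. Anchoring on the whole key sequence rather than on `GUID=` alone is what keeps ordinary form posts from firing.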
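## Added example: weighing the strings in `yara -s` output

The `-s` output above is a good place to see how much each string contributes. In the Xloader payload run, `$rpc3` (`lock`), `$rpc15` (`call`), `$rpc13` (`http`) and `$rpc4` (`bc`) are two- to four-byte strings that match dozens of times, while `$bank*`, `$pinterest*` and `$vk*` are long and match once; unless the rule's condition demands many of the short ones at once, they add hits rather than specificity (the rule conditions themselves are not shown on this page). The following is an added example, not the repository's code: it parses `yara -s` output into per-rule string counts and flags strings that are short or fire often in one file. The embedded output is a trimmed excerpt of the Xloader payload and Mirai runs above, and the thresholds are the example's own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Hit:
    rule: str
    path: str
    offset: int
    identifier: str  # e.g. "$rpc3"
    data: str        # yara's printable rendering of the matched bytes


HIT_RE = re.compile(r"^(0x[0-9a-fA-F]+):(\$\w*): ?(.*)$")
HEADER_RE = re.compile(r"^(\S+) (\S.*)$")  # "<rule> <scanned file>"
HEX_RE = re.compile(r"^(?:[0-9A-F]{2} )*[0-9A-F]{2}(?: \.\.\.)?$")


def parse_yara_output(text: str) -> List[Hit]:
    """Parse `yara -s` output: a "<rule> <file>" header line followed by one
    "0x<offset>:$<id>: <data>" line per string match."""
    hits: List[Hit] = []
    current: Tuple[str, str] = ("", "")
    for line in text.splitlines():
        if not line.strip() or line.startswith("$ "):  # blank line or shell prompt
            continue
        m = HIT_RE.match(line)
        if m and current[0]:
            hits.append(Hit(current[0], current[1], int(m.group(1), 16), m.group(2), m.group(3)))
            continue
        h = HEADER_RE.match(line)
        if h:
            current = (h.group(1), h.group(2))
    return hits


def matched_len(data: str) -> int:
    """Approximate byte length behind yara's rendering: hex strings print as
    'AA BB' pairs, text strings use \\xNN escapes for non-printable bytes.
    A truncated hex dump ('...') yields a lower bound."""
    if HEX_RE.match(data):
        return sum(1 for tok in data.split() if tok != "...")
    return len(re.sub(r"\\x[0-9A-Fa-f]{2}", "?", data))


def string_stats(hits: List[Hit]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Per (rule, file): number of matches per string identifier."""
    stats: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for h in hits:
        stats[(h.rule, h.path)][h.identifier] += 1
    return {k: dict(v) for k, v in stats.items()}


def weak_strings(hits: List[Hit], min_len: int = 6, max_hits: int = 5) -> List[Tuple[str, str, int, int]]:
    """(rule, identifier, shortest match length, hit count) for strings that are
    short or fire often in one file.  Thresholds are this example's choice."""
    shortest: Dict[Tuple[str, str, str], int] = {}
    for h in hits:
        key = (h.rule, h.path, h.identifier)
        shortest[key] = min(shortest.get(key, 1 << 30), matched_len(h.data))
    out = []
    for (rule, path), counts in string_stats(hits).items():
        for ident, n in counts.items():
            length = shortest[(rule, path, ident)]
            if length < min_len or n > max_hits:
                out.append((rule, ident, length, n))
    return sorted(out)


# Trimmed excerpt of the Xloader payload and Mirai runs shown above.
SAMPLE_OUTPUT = r"""
$ yara -s xloader-payload-android.yar payload.dex
xloader_payload_android payload.dex
0x6d5b6:$rpc0: sendSms
0x4c906:$rpc3: lock
0x4d11a:$rpc3: lock
0x4df9f:$rpc3: lock
0x4e3ea:$rpc3: lock
0x4e6b4:$rpc3: lock
0x4ea70:$rpc3: lock
0x2cf7b:$rpc4: bc
0x682cf:$rpc4: bc
0x6b8fc:$bank0: jp.co.smbc.direct
0x69fbd:$vk0: ffgtrrt([\w_-]+?)ffgtrrt
$ yara -s mirai-unpacked.yar mirai-unpacked.elf
mirai_sora_unpacked_arm mirai-unpacked.elf
0xfb94:$1: 154.7.253.207
0x10b80:$2: AF FB DE DE
"""

if __name__ == "__main__":
    hits = parse_yara_output(SAMPLE_OUTPUT)
    for (rule, path), counts in string_stats(hits).items():
        print(rule, path, counts)
    for rule, ident, length, n in weak_strings(hits):
        print(f"weak: {rule} {ident} (shortest match {length} bytes, {n} hits)")
```

A four-byte hex string such as Mirai's `$2` is flagged by the same length rule as `lock`; whether that is a problem depends on the condition it sits in (a 4-byte pattern at a fixed offset or combined with the ELF header is fine, a free-floating one is not), which is exactly the information the `-s` listing does not carry.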
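## Added example: cross-checking sids between rule files and `fast.log`

Two details in the Suricata excerpts above are worth catching automatically. First, `hancitor.rules`, `dcrat.rules` and `remcos.rules` all use `sid:1000001`; Suricata treats two rules with the same gid:sid as one signature and keeps only one of them (logging a duplicate-signature warning), so loading these files together through `rule-files` in `suricata.yaml` drops rules. Second, the DCRat `fast.log` excerpt reports `[1:1000001:1]` for the MessagePack beacon alert although `dcrat.rules` assigns that rule `sid:1000002`. The following is an added example, not the repository's code: a Python checker that parses rule files and `fast.log` lines in the format shown above and reports sids defined in more than one file, alerts whose sid is in no loaded file, and alerts whose `msg` matches none of the rules carrying that sid. The embedded rule text and log lines are copied from the DCRat and Remcos sections; `hancitor.rules` is not reproduced on this page, so it is left out.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    source: str  # file the rule came from
    gid: int
    sid: int
    rev: int
    msg: str


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    dst: str


# "<action> <header> (<options>)"; comment lines are skipped.
RULE_RE = re.compile(r"^\s*(?!#)[a-z]+\s+[^(]*\((?P<opts>.*)\)\s*$")
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r"\bsid:\s*(\d+)")
REV_RE = re.compile(r"\brev:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")
# One fast.log line as printed in the excerpts above.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_rules(source: str, text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group("opts")
        sid, msg = SID_RE.search(opts), MSG_RE.search(opts)
        if not sid or not msg:
            continue  # nothing to cross-reference without sid and msg
        rev, gid = REV_RE.search(opts), GID_RE.search(opts)
        rules.append(Rule(source, int(gid.group(1)) if gid else 1, int(sid.group(1)),
                          int(rev.group(1)) if rev else 1, msg.group(1)))
    return rules


def parse_fast_log(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append(Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]),
                                m["msg"], m["proto"], m["src"], m["dst"]))
    return alerts


def check_consistency(rule_files: Dict[str, str], fast_log: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings: duplicate-sid, unknown-sid, msg-mismatch."""
    by_key: Dict[Tuple[int, int], List[Rule]] = defaultdict(list)
    for name, text in rule_files.items():
        for r in parse_rules(name, text):
            by_key[(r.gid, r.sid)].append(r)
    findings = []
    for (gid, sid), rules in sorted(by_key.items()):
        if len(rules) > 1:
            findings.append(("duplicate-sid", f"{gid}:{sid} defined in " + ", ".join(r.source for r in rules)))
    for a in parse_fast_log(fast_log):
        rules = by_key.get((a.gid, a.sid), [])
        if not rules:
            findings.append(("unknown-sid", f"{a.gid}:{a.sid} fired at {a.timestamp} but is in no loaded file"))
        elif a.msg not in {r.msg for r in rules}:
            findings.append(("msg-mismatch", f"{a.gid}:{a.sid} fired as {a.msg!r}; loaded rule msg: "
                             + " / ".join(repr(r.msg) for r in rules)))
    return findings


# Rule text and log lines copied from the DCRat and Remcos sections above.
RULE_FILES = {
    "dcrat.rules": (
        'alert dns any any -> any any (msg:"DCRat C2 DNS lookup (sky01.publicvm.com)"; dns.query; '
        'content:"sky01.publicvm.com"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)\n'
        'alert tcp any any -> any 9217 (msg:"DCRat C2 beacon (MessagePack)"; flow:to_server,established; '
        'content:"Pac_ket"; content:"ClientInfo"; content:"HWID"; content:"Anti_virus"; '
        'classtype:trojan-activity; sid:1000002; rev:1;)\n'
    ),
    "remcos.rules": (
        'alert dns any any -> any any (msg:"Remcos C2 DNS lookup (gdyhjjdhbvxgsfe.gotdns.ch)"; dns.query; '
        'content:"gdyhjjdhbvxgsfe.gotdns.ch"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)\n'
    ),
}
FAST_LOG = (
    "02/10/2026-16:09:07.371704  [**] [1:1000001:1] DCRat C2 beacon (MessagePack) [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:35492 -> 10.0.2.15:9217\n"
    "02/10/2026-20:22:30.650742  [**] [1:1000001:1] DCRat C2 DNS lookup (sky01.publicvm.com) [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.1.100:12345 -> 8.8.8.8:53\n"
)

if __name__ == "__main__":
    for kind, detail in check_consistency(RULE_FILES, FAST_LOG):
        print(f"{kind}: {detail}")
```

Run against the page's own excerpts this reports the `1:1000001` collision between `dcrat.rules` and `remcos.rules` and the beacon alert whose msg does not belong to sid 1000001. The simplest fix on the rule side is to give each family its own sid range (for instance one block of local sids per rules file) so that the files can be loaded together; the `fast.log` line is only reproducible by rerunning the capture against the rules file as committed.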