https://github.com/t4d/PhishingKit-Yara-Rules

Repository of Yara rules dedicated to Phishing Kits Zip files
https://github.com/t4d/PhishingKit-Yara-Rules

phishing phishing-detection phishing-kit yara

Last synced: 30 days ago
JSON representation

Repository of Yara rules dedicated to Phishing Kits Zip files

• Host: GitHub
• URL: https://github.com/t4d/PhishingKit-Yara-Rules
• Owner: t4d
• License: agpl-3.0
• Created: 2019-12-30T07:07:47.000Z (almost 5 years ago)
• Default Branch: master
• Last Pushed: 2024-10-27T20:44:52.000Z (about 2 months ago)
• Last Synced: 2024-10-28T00:55:30.126Z (about 2 months ago)
• Topics: phishing, phishing-detection, phishing-kit, yara
• Language: YARA
• Size: 754 KB
• Stars: 205
• Watchers: 20
• Forks: 35
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - t4d/PhishingKit-Yara-Rules - Repository of Yara rules dedicated to Phishing Kits Zip files (YARA)

README

        

PhishingKit-Yara-Rules is a [StalkPhish Project](https://stalkphish.com)

## YARA repository for Phishing Kits zip files

This repository, dedicated to Phishing Kits zip files YARA rules, is based on zip raw format analysis to find directories and files names, you don't need yara-extend there.

This repository is open to all rules contribution, feel free to create pull request with your own set of rules, sharing knowledge is the better way to improve our detection and defence against Phishing threat. 

The first set of rules has been created for the project [PhishingKit-Yara-Search](https://github.com/t4d/PhishingKit-Yara-Search).

To write your own rules you can refered to [YARA's documentation](https://yara.readthedocs.org/) or the example behind.

## Phishing Kit YARA rule example

This rule detect PayPal Phishing kit, named H3ATSTR0K3, testing for some specific files and directory presence:

```yara

rule PK_PayPal_H3ATSTR0K3 : PayPal

{

    meta:

        description = "Phishing Kit impersonating PayPal"

        licence = "GPL-3.0"

        author = "Thomas 'tAd' Damonneville"

        reference = ""

        date = "2019-11-28"

        comment = "Phishing Kit - PayPal - H3ATSTR0K3"

    strings:

        // the zipfile working on

        $zip_file = { 50 4b 03 04 }

        // specific directory found in PhishingKit

        $spec_dir = "prevents"

        // specific file found in PhishingKit

        $spec_file = "mine.php" nocase

        $spec_file2 = "bcce592108d8ec029aa75f951662de2e.jpeg"

        $spec_file3 = "captured.txt"

        $spec_file4 = "H3ATSTR0K3.txt"

    condition:

        // look for the ZIP header

        uint32(0) == 0x04034b50 and

        // make sure we have a local file header

        $zip_file and

        // check for file

        $spec_file and

        $spec_file2 and

        $spec_file3 and

        $spec_file4 and

        // check for directory

        $spec_dir

}

```

## Requirements

Yara is required for most of those rules to work. The better is to use the [PhishingKit-Yara-Search](https://github.com/t4d/PhishingKit-Yara-Search) project, dedicated to Phishing Kits zip files analysis.

No need of yara-extend 'cause YARA will only check for directories and files names in raw zip file format.

## Contributing

Pull requests and issues with suggestions are welcome!

See [CONTRIBUTING.md](CONTRIBUTING.md).