/*
   YARA Rule Set
   Author: yarGen Rule Generator
   Date: 2022-08-08
   Identifier: dbs
   Reference: https://github.com/Neo23x0/yarGen
*/

/* Rule Set ----------------------------------------------------------------- */

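/*
   Zeppelin_0: strings common to the 41 samples listed in hash1..hash41.
   Every string is either an error message of the TRegExpr regular-expression
   library ($s1, $s3-$s5, $s10-$s13, $s19, $s20) or a Win32 API name
   ($s2, $s6-$s9, $s14-$s18); none of them is specific to one malware family.
   NOTE(review): the ten TRegExpr messages alone satisfy "8 of them", so an
   unrelated PE that embeds TRegExpr would presumably match. Test against a
   goodware corpus before alerting or blocking on this rule.
*/
rule Zeppelin_0 {
   meta:
      // Kept on one line: a quoted YARA string cannot contain a raw line break.
      description = "Zeppelin - from files 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d, 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9, 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d"
      hash2 = "6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9"
      hash3 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash4 = "d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c"
      hash5 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash6 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash7 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash8 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash9 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash10 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash11 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash12 = "894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072"
      hash13 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash14 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash15 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash16 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash17 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash18 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash19 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash20 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash21 = "6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc"
      hash22 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash23 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash24 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash25 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash26 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash27 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash28 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash29 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash30 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash31 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash32 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash33 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash34 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash35 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash36 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash37 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      hash38 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash39 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash40 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      hash41 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      $s1 = "TRegExpr(comp): *+ Operand Could Be Empty" fullword ascii
      $s2 = "ShellExecuteW" fullword ascii
      $s3 = "TRegExpr(exec): GetInputString Without InputString" fullword ascii
      $s4 = "TRegExpr(dump): Corrupted Opcode" fullword ascii
      $s5 = "TRegExpr(exec): ExecNext Without Exec[Pos]" fullword ascii
      $s6 = "CreateProcessW" fullword ascii
      $s7 = "OpenProcess" fullword ascii
      $s8 = "TerminateProcess" fullword ascii
      $s9 = "CreateProcessA" fullword ascii
      $s10 = "TRegExpr(exec): Corrupted Program" fullword ascii
      $s11 = "TRegExpr(exec): MatchPrim Memory Corruption" fullword ascii
      $s12 = "TRegExpr(exec): MatchPrim Corrupted Pointers" fullword ascii
      $s13 = "TRegExpr(comp): If you want take part in beta-testing BRACES '{min,max}' and non-greedy ops '*?', '+?', '??' for complex cases -" ascii
      $s14 = "GetExitCodeThread" fullword ascii
      $s15 = "GetSystemMetrics" fullword ascii
      $s16 = "GetKeyboardType" fullword ascii
      $s17 = "GetCommandLineW" fullword ascii
      $s18 = "GetVersionExA" fullword ascii
      $s19 = "TRegExpr(exec): Not Assigned Expression Property" fullword ascii
      $s20 = "TRegExpr(exec): No Input String Specified" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 4000KB and at least
      // 8 of the 20 strings. Second branch: all 20 strings, with no
      // file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( 8 of them )
      ) or ( all of them )
}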

/*
   Zeppelin_1: strings shared by the five samples in hash1..hash5.
   $s3, $s4 and $s6-$s10 are Delphi class names followed by one extra
   character; the other strings are short runs of digits and punctuation.
   NOTE(review): the digit/punctuation runs look like table or relocation
   bytes that happen to be printable, which would tie them to one build rather
   than to a family - TODO confirm against the samples. The "hex encoded
   string" remarks appear to be generator annotations; the decoded values
   carry no obvious meaning.
*/
rule Zeppelin_1 {
   meta:
      description = "Zeppelin - from files cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash2 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash3 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash4 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash5 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
   strings:
      $s1 = "6 6$6(6,6064686<6" fullword ascii /* hex encoded string 'ff`dhf' */
      $s2 = "=\"=3=D=~=" fullword ascii /* hex encoded string '=' */
      $s3 = "TThreadList," fullword ascii
      $s4 = "EVariantUnexpectedError\\" fullword ascii
      $s5 = ":!:%:M:W:\\:b:g:" fullword ascii
      $s6 = "TCustomVariantType8" fullword ascii
      $s7 = "TStringList8" fullword ascii
      $s8 = "TCustomMemoryStream<" fullword ascii
      $s9 = "TStringStream@" fullword ascii
      $s10 = "TPersistent," fullword ascii
      $s11 = "2\"252M2^2i2u2" fullword ascii
      $s12 = "4T4e4v4" fullword ascii
      $s13 = "8D8U8f8w8" fullword ascii
      $s14 = "; ;$;(;,;0;4;`;n;|;" fullword ascii
      $s15 = ".090C0" fullword ascii
      $s16 = ";T;e;v;" fullword ascii
      $s17 = "0,1I1}1" fullword ascii
      $s18 = "384=4d4l4{4" fullword ascii
      $s19 = ";&;+;8;X;r;w;H<" fullword ascii
      $s20 = ";+;8;G;T;c;p;" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 4000KB and at least
      // 8 of the 20 strings. Second branch: all 20 strings, with no
      // file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_2: strings shared by the two samples in hash1 and hash2.
   $s2-$s9 are Delphi class names followed by one extra character; the other
   strings are short runs of digits and punctuation.
   NOTE(review): with only two source samples and no family-specific text,
   this rule presumably tracks one particular build - TODO confirm how well
   it generalises before relying on it for family attribution.
*/
rule Zeppelin_2 {
   meta:
      description = "Zeppelin - from files 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash2 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
   strings:
      $s1 = "2.262>2F2}2" fullword ascii /* hex encoded string '"b/"' */
      $s2 = "TThreadListD" fullword ascii
      $s3 = "EFilerError " fullword ascii
      $s4 = "EVariantUnexpectedErrort" fullword ascii
      $s5 = "TCustomMemoryStreamT" fullword ascii
      $s6 = "TStringListP" fullword ascii
      $s7 = "TCustomVariantTypeP" fullword ascii
      $s8 = "TPersistentD" fullword ascii
      $s9 = "TStringStreamX" fullword ascii
      $s10 = "8(8c8r8~8" fullword ascii
      $s11 = "7\"7X7d7R9" fullword ascii
      $s12 = "4,44484<4@4D4H4L4P4T4" fullword ascii
      $s13 = ";.<V<h<" fullword ascii
      $s14 = "9*9;9u9" fullword ascii
      $s15 = "9/9l9}9" fullword ascii
      $s16 = "8P8@9^9,:d:" fullword ascii
      $s17 = "> >$>(>,>0>4>8>F>" fullword ascii
      $s18 = "5.5E5p5" fullword ascii
      $s19 = ":);:;K;\\;" fullword ascii
      $s20 = "?%?4?K?Z?n?}?" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 4000KB and at least
      // 8 of the 20 strings. Second branch: all 20 strings, with no
      // file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_3: wide and ascii strings shared by the two samples in hash1 and
   hash2.
   $x1 is the only $x string, and "them" also counts $x1, so the first branch
   needs $x1 plus any three other strings.
   NOTE(review): $x1 is the stock cmd.exe path and most $s strings are Windows
   shell window-class or window-title names, so they are not distinctive on
   their own. The c:\serenity\tools\ paths ($s3, $s4) look like the most
   specific indicators here - consider making one of them the required
   string; TODO confirm against a goodware corpus.
*/
rule Zeppelin_3 {
   meta:
      description = "Zeppelin - from files 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d, cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d"
      hash2 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
   strings:
      $x1 = "C:\\Windows\\system32\\cmd.exe" fullword wide
      $s2 = "C:\\Windows\\system32\\netstat.exe" fullword wide
      $s3 = "c:\\serenity\\tools\\windows.exe" fullword wide
      $s4 = "c:\\serenity\\tools\\wnd\\WND_x64_release\\WNDHooker.exe" fullword wide
      $s5 = "AUTHUI.DLL: Shutdown Choices Message Window" fullword ascii
      $s6 = "SHELLDLL_DefView" fullword ascii
      $s7 = "MCI command handling window" fullword wide
      $s8 = "SysHeader32" fullword ascii
      $s9 = "CicLoaderWndClass" fullword ascii
      $s10 = "DV2ControlHost" fullword ascii
      $s11 = "_SearchEditBoxFakeWindow" fullword ascii
      $s12 = "Shell_TrayWnd" fullword ascii
      $s13 = "Desktop OpenBox Host" fullword ascii
      $s14 = "'MSCTFIME Composition" fullword ascii
      $s15 = "DesktopLogoffPane" fullword ascii
      $s16 = "MSCTFIME Composition" fullword ascii
      $s17 = "Desktop NSCHost" fullword ascii
      $s18 = "Task Host Window" fullword wide
      $s19 = "ComboBoxEx32" fullword ascii
      $s20 = "WPDShServiceObject" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 4000KB, $x1 present
      // and at least 4 strings in total. Second branch: all 20 strings, with
      // no file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( 1 of ($x*) and 4 of them )
      ) or ( all of them )
}

/*
   Zeppelin_4: strings shared by the three samples in hash1..hash3.
   $s1, $s3-$s5 and $s7-$s9 are class-name-like identifiers followed by one
   extra character; the rest are short runs of digits, punctuation or mixed
   characters.
   NOTE(review): none of the strings is readable family-specific text, so the
   rule presumably tracks a particular build - TODO confirm against the
   samples and a goodware corpus.
*/
rule Zeppelin_4 {
   meta:
      description = "Zeppelin - from files 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash2 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash3 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
   strings:
      $s1 = "TImposterU" fullword ascii
      $s2 = "=\"=&=*=.=2=6=:=" fullword ascii /* hex encoded string '&' */
      $s3 = "EFOpenErrorH" fullword ascii
      $s4 = "EWriteErrorP" fullword ascii
      $s5 = "EThread," fullword ascii
      $s6 = ": :@:H:L:P:T:X:\\:`:d:h:x:" fullword ascii
      $s7 = "EVariantInvalidArgError," fullword ascii
      $s8 = "TStreamX" fullword ascii
      $s9 = "TStringListx" fullword ascii
      $s10 = "AAOri4" fullword ascii
      $s11 = "> >4><>@>D>H>L>P>T>X>\\>`>d>r>" fullword ascii
      $s12 = "? ?$?(?,?:?B?X?j?n?" fullword ascii
      $s13 = "Z=+&HFk" fullword ascii
      $s14 = "1\"2>2B2F2J2N2R2V2Z2^2b2f2j2n2r2v2z2~2" fullword ascii
      $s15 = "1I2g2}2" fullword ascii
      $s16 = "<\"<*<<<J<N<`<y<" fullword ascii
      $s17 = "=*=4=>=H=W=a=s= >9>`>l>p>" fullword ascii
      $s18 = "0F1s1 2d2r2" fullword ascii
      $s19 = "?,?4?8?<?@?D?H?L?P?T?X?\\?`?d?h?l?p?" fullword ascii
      $s20 = "232=2B2N2d2" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 600KB and at least
      // 8 of the 20 strings. Second branch: all 20 strings, with no
      // file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 600KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_5: strings shared by the 29 samples in hash1..hash29.
   All twenty strings are short runs of digits and punctuation; the rule
   contains no readable text, API name or path.
   NOTE(review): these runs look like table or relocation bytes that happen
   to be printable, so a match presumably means "same build layout" rather
   than a behavioural indicator - TODO confirm against the samples, and treat
   a hit as a lead to triage rather than as a family verdict.
*/
rule Zeppelin_5 {
   meta:
      description = "Zeppelin - from files 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash2 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash3 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash4 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash5 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash6 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash7 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash8 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash9 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash10 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash11 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash12 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash13 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash14 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash15 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash16 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash17 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash18 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash19 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash20 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash21 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash22 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash23 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash24 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash25 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash26 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash27 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      hash28 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash29 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      $s1 = ";\";7;$<8<" fullword ascii /* hex encoded string 'x' */
      $s2 = ":8:@:D:H:L:P:T:X:\\:`:t:" fullword ascii
      $s3 = ":*:W:\\:v:" fullword ascii
      $s4 = "3)4<4K4Z4" fullword ascii
      $s5 = "060N0W0k0y0" fullword ascii
      $s6 = ";7;S;r;" fullword ascii
      $s7 = ";8;l;u;" fullword ascii
      $s8 = "4#4,43494O4j4y4~4" fullword ascii
      $s9 = "3@3Z3l3" fullword ascii
      $s10 = ">'?,?4?^?o?x?" fullword ascii
      $s11 = "5N5f5x5" fullword ascii
      $s12 = "?$?(?,?0?4?8?<?@?D?X?x?" fullword ascii
      $s13 = "1/1>1N1V1k1s1" fullword ascii
      $s14 = "6*:c:k:|:" fullword ascii
      $s15 = "?7?E?`?i?" fullword ascii
      $s16 = "6.7=7L7h7" fullword ascii
      $s17 = "=(=b=s=" fullword ascii
      $s18 = "748E8V8g8" fullword ascii
      $s19 = "2 2(2,2024282<2@2D2H2V2h2v2z2" fullword ascii
      $s20 = "3@4D4H4L4P4T4X4p4|4" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 900KB and at least
      // 8 of the 20 strings. Second branch: all 20 strings, with no
      // file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 900KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_6: strings shared by the 25 samples in hash1..hash25.
   All twenty strings are short runs of digits and punctuation; the rule
   contains no readable text, API name or path.
   NOTE(review): these runs look like table or relocation bytes that happen
   to be printable, so a match presumably means "same build layout" rather
   than a behavioural indicator - TODO confirm against the samples, and treat
   a hit as a lead to triage rather than as a family verdict.
*/
rule Zeppelin_6 {
   meta:
      description = "Zeppelin - from files 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash2 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash3 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash4 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash5 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash6 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash7 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash8 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash9 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash10 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash11 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash12 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash13 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash14 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash15 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash16 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash17 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash18 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash19 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash20 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash21 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash22 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash23 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash24 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash25 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
   strings:
      $s1 = ": :$:(:4:T:\\:`:d:h:l:p:t:x:|:" fullword ascii
      $s2 = "< <$<(<,<0<4<8<<<@<" fullword ascii
      $s3 = "2$2)2G2Q2V2b2x2" fullword ascii
      $s4 = "<,=D=0>i>" fullword ascii
      $s5 = "8.9H9}9" fullword ascii
      $s6 = "<2=6=:=>=B=F=J=N=" fullword ascii
      $s7 = "5,515?5Q5e5~5" fullword ascii
      $s8 = ";*;W;t;" fullword ascii
      $s9 = "1 1$1(1,1014181<1X1x1" fullword ascii
      $s10 = "8\"8T8c8z8" fullword ascii
      $s11 = "0$080@0D0H0L0P0T0X0\\0`0d0h0l0p0t0x0|0" fullword ascii
      $s12 = "6W6c6j6u6" fullword ascii
      $s13 = "? ?$?(?,?0?4?8?<?@?N?V?l?~?" fullword ascii
      $s14 = ">5?K?^?t?" fullword ascii
      $s15 = ";#;9;v;" fullword ascii
      $s16 = "<%=(>4>H>P>T>X>\\>`>d>h>l>p>t>x>" fullword ascii
      $s17 = "=4>M>t>" fullword ascii
      $s18 = "< <$<(<6<><P<^<b<t<" fullword ascii
      $s19 = "6\"6.6:6a6g6p6|6" fullword ascii
      $s20 = "4\"4,414=4G4L4X4b4g4s4}4" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 900KB and at least
      // 8 of the 20 strings. Second branch: all 20 strings, with no
      // file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 900KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_7: strings shared by the five samples in hash1..hash5.
   $s8 and $s19 are author banner texts; $s8 names "Neshta 1.0". Eleven of the
   other strings are Win32 API names ($s1-$s7, $s10, $s11, $s18, $s20).
   NOTE(review): the banners are the marker strings of the Neshta file
   infector, so these five samples were presumably Neshta-infected and a hit
   indicates Neshta code rather than Zeppelin - TODO confirm, then rename or
   retag the rule. The eleven API names can reach "8 of them" without either
   banner; requiring $s8 or $s19 would make the match much more specific.
*/
rule Zeppelin_7 {
   meta:
      description = "Zeppelin - from files 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash2 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash3 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash4 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash5 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
   strings:
      $s1 = "ShellExecuteA" fullword ascii
      $s2 = "GetTempPathA" fullword ascii
      $s3 = "ReleaseMutex" fullword ascii
      $s4 = "CreateMutexA" fullword ascii
      $s5 = "GetLogicalDriveStringsA" fullword ascii
      $s6 = "GetShortPathNameA" fullword ascii
      $s7 = "GetWindowsDirectoryA" fullword ascii
      $s8 = "Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. " fullword ascii
      $s9 = "<)<2<><E<" fullword ascii /* hex encoded string '.' */
      $s10 = "GetIconInfo" fullword ascii
      $s11 = "GetFileSize" fullword ascii
      $s12 = "IVXLCDMT" fullword ascii
      $s13 = "YXZQRPR" fullword ascii
      $s14 = "HBITMAP" fullword ascii
      $s15 = "QQQQQQSV" fullword ascii
      $s16 = "\\PROGRA~1\\" fullword ascii
      $s17 = "QQQQQQS3" fullword ascii
      $s18 = "SetFileAttributesA" fullword ascii
      $s19 = "! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]" fullword ascii
      $s20 = "StretchDIBits" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 900KB and at least
      // 8 of the 20 strings. Second branch: all 20 strings, with no
      // file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 900KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_8: strings shared by the three samples in hash1..hash3. None of
   these hashes appears in the hash list of Zeppelin_0.
   All twenty strings are short runs of letters, digits and punctuation with
   no readable words.
   NOTE(review): the strings look like code or packed data that happens to be
   printable ($s3 and $s20 resemble runs of single-byte x86 push/pop opcodes)
   - TODO confirm against the samples. If so, the rule keys on a
   packer or compiler artefact and may also match unrelated files built the
   same way.
*/
rule Zeppelin_8 {
   meta:
      description = "Zeppelin - from files 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6, 42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9, 7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6"
      hash2 = "42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9"
      hash3 = "7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
   strings:
      $s1 = "D\"<D*,D*<D )D 9D()D(9D -D =D(-D(=D\")D\"9D*)D*9D\"-D\"=D*-D*=D (D " fullword ascii
      $s2 = " P@* @" fullword ascii
      $s3 = "PQRVW;M" fullword ascii
      $s4 = "\\T ]T HT" fullword ascii
      $s5 = "\\U*n@\"a" fullword ascii
      $s6 = "(3P\"rA" fullword ascii
      $s7 = "U\"0D dT\"" fullword ascii
      $s8 = "#E*>D\"HA" fullword ascii
      $s9 = "(>P*$D(>P" fullword ascii
      $s10 = "}D(8D " fullword ascii
      $s11 = "[U +Q*" fullword ascii
      $s12 = "*PP*pP" fullword ascii
      $s13 = "@\"kA 1@" fullword ascii
      $s14 = ")T\"-T (T " fullword ascii
      $s15 = "wA +Q*" fullword ascii
      $s16 = "KU \"A\"" fullword ascii
      $s17 = " =@*jU" fullword ascii
      $s18 = "(T*8T*<T" fullword ascii
      $s19 = "T*&D(," fullword ascii
      $s20 = "F_^ZYX" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 3000KB and at least
      // 8 of the 20 strings. Second branch: all 20 strings, with no
      // file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 3000KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_9: strings shared by the two samples in hash1 and hash2.
   $s1-$s9 are Delphi class names, most followed by one extra character; the
   other strings are short runs of digits and punctuation.
   NOTE(review): with only two source samples and no family-specific text,
   this rule presumably tracks one particular build - TODO confirm how well
   it generalises before relying on it for family attribution.
*/
rule Zeppelin_9 {
   meta:
      description = "Zeppelin - from files 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d, d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // SHA-256 of each sample the strings below were extracted from.
      hash1 = "21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d"
      hash2 = "d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c"
   strings:
      $s1 = "EFilerErrort" fullword ascii
      $s2 = "EWriteError$" fullword ascii
      $s3 = "TThread\\" fullword ascii
      $s4 = "EVariantBadVarTypeErrord" fullword ascii
      $s5 = "TStringListL" fullword ascii
      $s6 = "TStringsl" fullword ascii
      $s7 = "TStream," fullword ascii
      $s8 = "EInvalidPointer" fullword ascii
      $s9 = "EZeroDivide" fullword ascii
      $s10 = ": :$:(:,:0:4:H:h:p:t:x:|:" fullword ascii
      $s11 = "?4?=?X?k?~?" fullword ascii
      $s12 = ">)><>H>h>" fullword ascii
      $s13 = "?2?C?L?" fullword ascii
      $s14 = "3'3G3V3^3" fullword ascii
      $s15 = "=!=+=5=?=I=S=]=h=r=}=" fullword ascii
      $s16 = "4\"41484V4" fullword ascii
      $s17 = "=4=<=@=D=H=L=P=T=X=\\=l=" fullword ascii
      $s18 = "; ;$;,;0;8;<;D;H;P;T;\\;`;h;l;t;x;" fullword ascii
      $s19 = "4\"5:5L5d5" fullword ascii
      $s20 = "3!3/3S3" fullword ascii
   condition:
      // First branch: MZ magic at offset 0, file under 4000KB and at least
      // 8 of the 20 strings. Second branch: all 20 strings, with no
      // file-type or size check.
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( 8 of them )
      ) or ( all of them )
}

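/*
   Zeppelin_10 - yarGen super rule built from the 40 samples listed in meta
   (hash1..hash40; the description repeats the same list).

   Strings: 16 of the 20 are Windows API import names ($s1-$s10, $s13,
   $s15-$s18, $s20) that are also present in unrelated software. The rest
   are a marker ($s11), a third-party copyright notice ($s12) and two
   "T"-prefixed identifiers ($s14, $s19) that look like class names.

   NOTE(review): "8 of them" can be satisfied by API names alone, so this
   rule is prone to false positives on benign PE files. Treat a hit as a
   triage lead and check it against a goodware set before alerting on it.

   The description must stay on one physical line: a YARA text string cannot
   contain a raw line break, and the rule set does not compile otherwise.
*/
rule Zeppelin_10 {
   meta:
      description = "Zeppelin - from files 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d, 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9, 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d"
      hash2 = "6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9"
      hash3 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash4 = "d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c"
      hash5 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash6 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash7 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash8 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash9 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash10 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash11 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash12 = "894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072"
      hash13 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash14 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash15 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash16 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash17 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash18 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash19 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash20 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash21 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash22 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash23 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash24 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash25 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash26 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash27 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash28 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash29 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash30 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash31 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash32 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash33 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash34 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash35 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash36 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      hash37 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash38 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash39 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      hash40 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      $s1 = "OpenProcessToken" fullword ascii
      $s2 = "WriteProcessMemory" fullword ascii
      $s3 = "RegOpenKeyExW" fullword ascii
      $s4 = "RegCreateKeyExA" fullword ascii
      $s5 = "GetUserDefaultLangID" fullword ascii
      $s6 = "RegCreateKeyExW" fullword ascii
      $s7 = "RegEnumKeyExA" fullword ascii
      $s8 = "HttpAddRequestHeadersA" fullword ascii
      $s9 = "LookupPrivilegeValueA" fullword ascii
      $s10 = "CreateRemoteThread" fullword ascii
      $s11 = "!!! D !!!" fullword ascii
      $s12 = "-Portions Copyright (c) 1999 by Hagen Reddmann" fullword ascii
      $s13 = "GetEnvironmentVariableW" fullword ascii
      $s14 = "TUnlockAndEncryptU" fullword ascii
      $s15 = "GetFileAttributesA" fullword ascii
      $s16 = "GetFileAttributesW" fullword ascii
      $s17 = "HttpOpenRequestA" fullword ascii
      $s18 = "CompareStringW" fullword ascii
      $s19 = "TReadme" fullword ascii
      $s20 = "TerminateThread" fullword ascii
   condition:
      /* Branch 1: file starts with "MZ" (0x5a4d read little-endian), is
         under 4000KB and contains at least 8 of the strings.
         Branch 2: all 20 strings present; no header or size check applies,
         so it can also fire on non-PE data such as dumps or containers. */
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( 8 of them )
      ) or ( all of them )
}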

/*
   Zeppelin_11 - yarGen rule built from the two samples in hash1/hash2.

   Strings: short fragments, several of which read as cut-off words or paths
   ("Runtime e", "OFTWARE\\Borla", "nd\\Delphi\\RTL"). NOTE(review): that
   pattern is consistent with text extracted from packed or compressed data;
   confirm against the samples. Fragments of this kind depend on the exact
   byte layout of a build, so the rule is unlikely to match rebuilt or
   repacked variants.
*/
rule Zeppelin_11 {
   meta:
      description = "Zeppelin - from files 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash2 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
   strings:
      $s1 = "TempPath" fullword ascii
      $s2 = "Runtime e" fullword ascii
      $s3 = "HBITMAPY" fullword ascii
      $s4 = "_LogicalD" fullword ascii
      $s5 = "\\PROGRA~" fullword ascii
      $s6 = "ASnion=~){\\" fullword ascii
      $s7 = "ctory#Re" fullword ascii
      $s8 = "Qsiu6d)" fullword ascii
      $s9 = "ds 2 Tommy S" fullword ascii
      $s10 = "-the best. Fuco#" fullword ascii
      $s11 = "LtPm]<)a" fullword ascii
      $s12 = "]9Gkdows-" fullword ascii
      $s13 = "Apanas]" fullword ascii
      $s14 = "dXZH4L~" fullword ascii
      $s15 = "+t_$WZ^~xtZXtU0>'hUx" fullword ascii
      $s16 = "OFTWARE\\Borla" fullword ascii
      $s17 = "nOAtt,bu" fullword ascii
      $s18 = "nd\\Delphi\\RTL" fullword ascii
      $s19 = "k off all " fullword ascii
      $s20 = "Bufff4" fullword ascii
   condition:
      /* Branch 1: "MZ" at offset 0 (0x5a4d read little-endian), size under
         800KB, at least 8 strings. Branch 2: all strings present, with no
         header or size check. */
      ( uint16(0) == 0x5a4d and filesize < 800KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_12 - yarGen rule built from the seven samples in hash1..hash7.

   Strings: apart from $s2, every string is a run of digits and punctuation
   rather than readable text. NOTE(review): these look like binary table
   data (relocation-style entries) that happens to be printable; confirm
   against the samples. Such bytes follow the build's memory layout, so the
   rule describes these specific builds more than the family's behaviour.
*/
rule Zeppelin_12 {
   meta:
      description = "Zeppelin - from files cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash2 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash3 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash4 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash5 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash6 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash7 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
   strings:
      $s1 = ": :(:,:0:4:8:<:@:D:H:\\:|:" fullword ascii
      $s2 = "EInvalidPointer0" fullword ascii
      $s3 = "7 7$7(7,7074787<7@7D7H7L7P7T7X7\\7`7" fullword ascii
      $s4 = ":6<K<V=" fullword ascii
      $s5 = "=(=H=P=T=X=\\=`=d=h=l=p=" fullword ascii
      $s6 = "9$9,949<9H9\\9d9h9l9p9t9x9|9" fullword ascii
      $s7 = ">+?<?R?" fullword ascii
      $s8 = ":?:D:^:" fullword ascii
      $s9 = "> >$>0>P>X>\\>`>d>h>l>p>t>x>|>" fullword ascii
      $s10 = "2 2@2H2L2P2T2X2\\2`2d2h2|2" fullword ascii
      $s11 = "3(4,4044484<4@4X4d4h4" fullword ascii
      $s12 = "3;3[3j3r3" fullword ascii
      $s13 = ">0F0N0V0^0f0n0v0~0" fullword ascii
      $s14 = "7.7E7W7" fullword ascii
      $s15 = ";,;4;8;<;@;D;H;L;P;T;l;" fullword ascii
      $s16 = "5$525?5M5" fullword ascii
      $s17 = "3155595=5A5E5I5M5Q5U5Y5]5a5e5i5m5q5u5A6H6" fullword ascii
      $s18 = "=9=R=b={=" fullword ascii
      $s19 = ";@;~;Z<" fullword ascii
      $s20 = "96:]:q:" fullword ascii
   condition:
      /* Branch 1: "MZ" at offset 0 (0x5a4d read little-endian), size under
         4000KB, at least 8 strings. Branch 2: all strings present, with no
         header or size check. */
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_13 - yarGen rule built from the two samples in hash1/hash2.

   Strings: $s1 is a Windows API name and $s2 is the opening tag of an
   application manifest; both occur in many unrelated PE files. The other 18
   strings are 6-8 character fragments with no readable meaning, so at least
   six of those fragments are needed to reach "8 of them".
   NOTE(review): the fragments are presumably raw code or data bytes that
   happen to be printable; confirm against the samples before relying on
   this rule beyond the two listed files.
*/
rule Zeppelin_13 {
   meta:
      description = "Zeppelin - from files 42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9, 7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9"
      hash2 = "7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
   strings:
      $s1 = "GetCurrentThread" fullword ascii
      $s2 = "PA<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">" fullword ascii
      $s3 = "PQRVW;]" fullword ascii
      $s4 = "9D\"9D*9D" fullword ascii
      $s5 = "\"S@*}U" fullword ascii
      $s6 = "(VE*uU" fullword ascii
      $s7 = " V@*]U" fullword ascii
      $s8 = "*WQ*WU" fullword ascii
      $s9 = " FD*UU" fullword ascii
      $s10 = "*GP*wU" fullword ascii
      $s11 = "\"CP*]U" fullword ascii
      $s12 = "*FP*wU" fullword ascii
      $s13 = "-D (D " fullword ascii
      $s14 = " GU*UU" fullword ascii
      $s15 = "-D*}D 8D" fullword ascii
      $s16 = "\"CU*wU" fullword ascii
      $s17 = " WP*wU" fullword ascii
      $s18 = "8D\"xD*(D" fullword ascii
      $s19 = "T(|T*8T" fullword ascii
      $s20 = "]D\"ID\"" fullword ascii
   condition:
      /* Branch 1: "MZ" at offset 0 (0x5a4d read little-endian), size under
         3000KB, at least 8 strings. Branch 2: all strings present, with no
         header or size check. */
      ( uint16(0) == 0x5a4d and filesize < 3000KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_14 - yarGen rule built from the two samples in hash1/hash2.

   Strings: $s1-$s18 are 128-character runs over the base64 alphabet,
   declared without "fullword", so they also match inside a longer run.
   NOTE(review): presumably embedded encoded data specific to these builds;
   confirm against the samples.

   NOTE(review): $s14 repeats $s10 and $s18 repeats $s17 byte for byte.
   Each pair matches together, so one blob fills two of the eight slots in
   "8 of them" and the threshold can be reached with six distinct strings.
   Deduplicate, or account for it when tuning the threshold.
*/
rule Zeppelin_14 {
   meta:
      description = "Zeppelin - from files 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash2 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
   strings:
      $s1 = "5QjNk03HyzM2et9qHr8ZTHougWPSFyxuTF0qxEsTWH9lWO2qmZd1dDNYE1wxQzBrEBagnNBk8o7NSlOoBnAtwLiV8nt8M58t7OdbDRRSMw2YvdGL6z4k+VK1/9yNXZNG" ascii
      $s2 = "9rcTzUSkqWgdnfIVTX2J1CoPyg3+LS5R0jK4R0QkO6hcJpNQyNZqHrMmDajol+GWoEFi5TskdZD9EZSvuDfQzqmX+PiEDpFIVXaqK7gCdU5nsdmjlr1VSyXDYQHCEK9/" ascii
      $s3 = "bYmmMqb1Kdl+D9v+iTxmSfgk6HQknFP8InWpvAnZh4/RuYgX5ndmosfJruD2Ln3kLElx1cga4fSQXmfc0hIILQK9KLSp64KfbtnV9RuaCDo3ZzwNgOPZructcKqozH9p" ascii
      $s4 = "bs73QFYm9f4XP+ALKKpAqPgFNhg5v2qR/XKSpQ1S92rpFsYWaTe3SG/6HNIIFC/z+SF9JRzFxV4s7rd59X4vfP4ruhL1ybXHZyotxBeDM7T5Mz8x1N+nvhsIW2yvCgDn" ascii
      $s5 = "IUeoKEkBZiCBGOZD3/eoVSW2XRLAM01hbuZB2rPV8U8jho83FDQJBmLhL8A8UF7hJquMibKt5WwlOYMagbW/xmmLCglENsiHVC1yuicGVJ3MTOcvz5RWnzVvps5/GEUN" ascii
      $s6 = "pg8le4yoQ80a8hZ0kw4eaD0EA210GFN4boHgSZW1PFQoaWvHtSSXudyUj8MY+V9+G1dNnov0C6P7mv/JVDmV9jAr3tzThfrkipNYHVfp3MTVVRce06BaLoUpWs6gnWKM" ascii
      $s7 = "0ffldkDRAq50EKe6WVxy5ZjbAOUcToLg27iB15texcRDiU9fzwvAn+pwRQflCDlNqgsuHD5EGBh8BwwrMdtrMfPMYP7FooiA3yqJrYCscIY7xa5KosRfBHFRcKGXsm9o" ascii
      $s8 = "HIL8CifFBXDbhqXGFugjZ/BDqHkzn2RSjOIJPHGoiI3SqKZ/d0kd5l5peCp8udEHGTldXuNx6fMZK/Vkghnnyi9eUTwkHZ1c2V65TsGGewkkbAPpAMLBifamNhlsgN+5" ascii
      $s9 = "Og3GkgGQaQv85FAEBFAoh+hpVAWWKgSQtewGaWSlRIBSAftsU0ISTECgZu+rRRfRksgVeiBu7Yg9TBSyL8dfyYEyTJ5zq9zKc08xVkKso2lN/fUrrFHyCyVL9UL/dsay" ascii
      $s10 = "ptd8vN2uubsBEj1RedKSMXNSBwnc/Nk6NAvzLov5MP51/SdUUE+1TMEx9KvDbovxYI5QYq0Fuut+RjGpSpAWMl5FWTMDAbsQ4A7MHvmoB5T73ElnvpPUXqR0y/V5qAQG" ascii
      $s11 = "AGP8HroUQyhBF87ioIeX7rJdqvvd4YHy1kbOQXSqFqqlm0WpW34M/xG5IyJ6tiB0KSV11JSNgijQnBi3Ed3PHCJLzan+cLhXaXQ0w68Ist8EO+los6QlDNDzFn62k9ht" ascii
      $s12 = "21K8jhHaED9mVbDNRuirDxORoYqNjNNxnlL45jRFM/d7ZkOg9AIHZjj/DRbuCUfoUanmsFFYNd4fBYRQke6If5bbG+fngGD3aLhIn003YIIkbWLTlUqNlBRx6wMoX9zh" ascii
      $s13 = "2w+58UeK+kRC5GJQtsT6ZO7AeDdCKu5u+ywu3/sJg32arC5G/eLA7oOWHqTy7fusPjLIeJjNFSIXch80/EXqZNr1pk7vZ17M8Okt/Lv8RhKrNeRMHiqC7BfVB++kApO+" ascii
      $s14 = "ptd8vN2uubsBEj1RedKSMXNSBwnc/Nk6NAvzLov5MP51/SdUUE+1TMEx9KvDbovxYI5QYq0Fuut+RjGpSpAWMl5FWTMDAbsQ4A7MHvmoB5T73ElnvpPUXqR0y/V5qAQG" ascii /* same bytes as $s10 */
      $s15 = "Vdxy9DPHwpxpkmw7IznbRSqy9WuZFMSZ+skFt8D0KSxPATWBhoY/c1SiRlVyLG8zV8ftR94ynrzjQ4OBNjZ6G3yc/3XXK4PpHohaXC2b/+spHlGp56hrDkxCiu+H31PU" ascii
      $s16 = "4YnPPVrgrig+Pig1bxYK7Q2ik7uo607NCaicQJelXefmYp3qzm0BzCGV7axJVy2Htaz7ZxBn8MF3gMuOBi9s+iSvO9Gbz0STA0y1tjzHYuXzkCSZj7Jef67WhOosyN2u" ascii
      $s17 = "Uf/Ncyp3FgdjNWSmF908WB1iFaG7BarRv7ZVaVLXKzMXbysc0pCZoRPM0LIUPJubPvvLK9C8N6dCof7Isb6BA3l9TP7OS0n0LGT6msAdn0pqsGU0ifFLkwvNXas1yCaV" ascii
      $s18 = "Uf/Ncyp3FgdjNWSmF908WB1iFaG7BarRv7ZVaVLXKzMXbysc0pCZoRPM0LIUPJubPvvLK9C8N6dCof7Isb6BA3l9TP7OS0n0LGT6msAdn0pqsGU0ifFLkwvNXas1yCaV" ascii /* same bytes as $s17 */
      $s19 = "UEXhah/L" fullword ascii
      $s20 = "0Q8icB1REGRiI7cpCT1QDUQ=" fullword ascii
   condition:
      /* Branch 1: "MZ" at offset 0 (0x5a4d read little-endian), size under
         800KB, at least 8 strings. Branch 2: all strings present, with no
         header or size check. */
      ( uint16(0) == 0x5a4d and filesize < 800KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_15 - yarGen rule built from the two samples in hash1/hash2.

   Strings: 6-11 character fragments. A few resemble cut-off API or path
   names ("Libr yExA", "VirtuGFr", "TlsSet", "=lPath"); the rest have no
   readable meaning. NOTE(review): this is consistent with text taken from
   packed or compressed data; confirm against the samples. If so, the rule
   keys on one packed image and will not match the unpacked payload or a
   repacked copy.
*/
rule Zeppelin_15 {
   meta:
      description = "Zeppelin - from files dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f"
      hash2 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
   strings:
      $s1 = "formdce" fullword ascii
      $s2 = "!PrJAddress" fullword ascii
      $s3 = "DkedDec" fullword ascii
      $s4 = "( `.iJn" fullword ascii
      $s5 = "WidZharTo" fullword ascii
      $s6 = "eJBsr&G!" fullword ascii
      $s7 = "Libr yExA" fullword ascii
      $s8 = "VirtuGFr" fullword ascii
      $s9 = "1K*7h<E>" fullword ascii
      $s10 = "?5 WV/" fullword ascii
      $s11 = "Rb[W$[p" fullword ascii
      $s12 = "Pzc%dV" fullword ascii
      $s13 = "pS]Yqu}A" fullword ascii
      $s14 = "TlsSet" fullword ascii
      $s15 = "'B*G09" fullword ascii
      $s16 = "!!GrH;" fullword ascii
      $s17 = "wMa4+0he" fullword ascii
      $s18 = "FnslE)" fullword ascii
      $s19 = "6Q1tJ;" fullword ascii
      $s20 = "=lPath" fullword ascii
   condition:
      /* Branch 1: "MZ" at offset 0 (0x5a4d read little-endian), size under
         900KB, at least 8 strings. Branch 2: all strings present, with no
         header or size check. */
      ( uint16(0) == 0x5a4d and filesize < 900KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_16 - yarGen rule built from the two samples in hash1/hash2.

   Strings: $s1-$s18 are 128-character runs over the base64 alphabet,
   declared without "fullword", so they also match inside a longer run.
   NOTE(review): presumably embedded encoded data specific to these builds;
   confirm against the samples.

   NOTE(review): $s16 repeats $s8 and $s17 repeats $s6 byte for byte. Each
   pair matches together, so one blob fills two of the eight slots in
   "8 of them" and the threshold can be reached with six distinct strings.
   Deduplicate, or account for it when tuning the threshold.
*/
rule Zeppelin_16 {
   meta:
      description = "Zeppelin - from files 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash2 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
   strings:
      $s1 = "lfvZMd2kvoH9q9r/cYjT6oB2yFwHNRNio2Oe/WicdPY8WgGGfM+hmfsA8HqRybYjXNbhYS3wu8yaFof45qXEvjC1GW4HvpDThpN4I/iFzsGnbof/YYbOqd23cILlyXSj" ascii
      $s2 = "tQgaI9hIQ6Ldc6Jn41146UPcg6BlgbtqWbsJxGtZnRRJCumy/AtdjoSkBBd7JhorLw7VTbphAWShuPxf9/a9OZ97/wBgln+L5b1E7IF4YJyteOJY+6I+TvRccNit9rpH" ascii
      $s3 = "Ir4moTR79KgQznxvINcjnzIQE+NUuWIG23huCETYAFjfqyZkNSfoiHUwox+HtH66XYLw1jnWRpJAEY03IfbkOQMaB+KOG0U3kBrY78hC32szQCzfI05LBoutycE4lPpB" ascii
      $s4 = "4ktTPKaHynK09+ZrcO9fYnUm0ryPqzQ1hv8P04CjOtaikyYiMAQbbR61vlwsepY5SSAvSg4BNA+ppCnXC7awXh4Cxo4hUa9imSkPQHU4RVVIl1zqVsl9imMOT2f+W19u" ascii
      $s5 = "ZnEvr6+fZV8ar7TWGogIqUYIEZN5b6Pq4/CMbG6jWv5Rvc/eavFCdkXkhft7AhrEX5+QJ+U40Qak5oHUQfuixyJCzHeduACKOAVNzCYRJ0Gthvh0griOe3T47D6/xPZz" ascii
      $s6 = "wVlwr8WjsYQjMcK1jT00U7liBLyAFLSQnrQYzEDkS6TEe00yPLzj+JHv1ar3VKf/x4mMy/anTG0BT17It7Wv9E5L7EsPkx4nSaGRGM9GokKko5jjUk8NwUdJpyJ1TTTF" ascii
      $s7 = "WMy/ZACXZPIs+SNruik3e5LkU6o1QitRv+nCm7C1Zkj65O+mk1XvVfv5udFfLVOUoopgOzry8Lfsmu7ECiXDZewiYtpWlmpvd0cN6Jr1yPRitKFlreHSRPbR6M8lboL3" ascii
      $s8 = "Edy2rQXjwC0CuUP/bqPvf29FSLSdICJCLkGE8/wvtGR0GIzmJ3bldoqgNy6Ept8btXmbtZOkjuerNM9/WIaBcDbi15OZI08OVxQIMUBWz3Wz1fjs/dE+WAv/IzHFQSxH" ascii
      $s9 = "I/J159HKEdrFj5wElt06n5GtCgUFl8OwapRRXQEk2437aS4Qhcz1oFzVVAZ1bRnigAKPclR09TK3kI34CmGrRpbIekluvG7AQyKLBRm8NUJ/1ZLOQoKDEo6k9ukgrLYn" ascii
      $s10 = "gwDJY2UTEOEp4xKKRTM8YoBEbLUY6xpernYNptOJeL7HNZoMF1czENR2brrufjBzhYHjdPnKUYnWpqh3ad/99A7ZGVq6ce7YJuDthWoKVZ+mhdbpgmyiV74o/s0bOOTk" ascii
      $s11 = "al+Sv/nf9x5Q5Mvsz/hUYa+W4n8TMKJ93VgtQHWUCS3gQLppnHToo+UpDaL+0jxP616fI8pNafR5IySC/wBerhIWBOJjjitxXbbvMUCVksjA+oXtgS+0xcGWsXlXRWTZ" ascii
      $s12 = "Q+K7KSFXdfX7pwuCoI3VOBcWq+l2LVkM61ChwjZI0stlNL4q90Nt8WTxa1L2XdqwvPnrOkBmzmFhCX4hZYxV9J3RL590MkUFCtX4M4ONsDpJzD1RExsUM271jv+iI85c" ascii
      $s13 = "Q3trfV2UhrGmq/9alMdJl7mrZlp9VI8Ag+6+xPpHkYXM/xipAooMYwmFqgj4VYLHlish+8Qes+H4JOTjnvYIl52BSrBsUhjhoNimirQIoEjafIc53EZ6/MDk+/WAhTZC" ascii
      $s14 = "upgEIQu1lx88trDEftVAE1F1l1ZOqK5mwisVA6y7y2S6kDkQ27CNuHF9fzJ2UIf11b63cFTabIj8KxB8DxcYH/B02yhfpW1/C4IuHAcVOESf5vldxNWCiXAHs6nWj8rm" ascii
      $s15 = "2uXoT03xTfbq14dT0b9F29ShG44/8W7tbdnN0X0VCoqLSM4PZwDYoUxWYEuj4Ube1OAOy5GeqgnxzX4IKSoyHT9q065QxR7KtitQsLrAw0PiODUZeFkmuRrrRslg9dQF" ascii
      $s16 = "Edy2rQXjwC0CuUP/bqPvf29FSLSdICJCLkGE8/wvtGR0GIzmJ3bldoqgNy6Ept8btXmbtZOkjuerNM9/WIaBcDbi15OZI08OVxQIMUBWz3Wz1fjs/dE+WAv/IzHFQSxH" ascii /* same bytes as $s8 */
      $s17 = "wVlwr8WjsYQjMcK1jT00U7liBLyAFLSQnrQYzEDkS6TEe00yPLzj+JHv1ar3VKf/x4mMy/anTG0BT17It7Wv9E5L7EsPkx4nSaGRGM9GokKko5jjUk8NwUdJpyJ1TTTF" ascii /* same bytes as $s6 */
      $s18 = "fdCazCvhNGOhi2SDHy/IJ4tF7S2bVT8+BfaLGyfgJXtHqQ5ejDLnyI/s5UMR/2nnlLSbnIASR6ydValxBLgr5BDVhatt8ntLa93fPdjqIAFYoimSRo01G/HIvfd1skBU" ascii
      $s19 = "VKR6UfynUHXuij8v9w4IlV4d" fullword ascii
      $s20 = "#2J&5~" fullword ascii
   condition:
      /* Branch 1: "MZ" at offset 0 (0x5a4d read little-endian), size under
         800KB, at least 8 strings. Branch 2: all strings present, with no
         header or size check. */
      ( uint16(0) == 0x5a4d and filesize < 800KB and ( 8 of them )
      ) or ( all of them )
}

/*
   Zeppelin_17 - yarGen rule built from the five samples in hash1..hash5.

   Strings: all but $s16 and $s20 are 128-character runs over the base64
   alphabet, declared without "fullword", so they also match inside a longer
   run. NOTE(review): presumably embedded encoded data shared by these
   builds; confirm against the samples.

   NOTE(review): $s2 repeats $s1 and $s19 repeats $s18 byte for byte. Each
   pair matches together, so one blob fills two of the eight slots in
   "8 of them" and the threshold can be reached with six distinct strings.
   Deduplicate, or account for it when tuning the threshold.
*/
rule Zeppelin_17 {
   meta:
      description = "Zeppelin - from files 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash2 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash3 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash4 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash5 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
   strings:
      $s1 = "r0BJ5G8ZCEaFzvyLdnfq+g4ANDxaUaBF6UunJ+VIl6ogA3y+mUYNMo7Y0cuL429kMP9wallogHah/X2n5GYeBS/IyswdttYPOYNewDO7Bt5WOQO3K8tjE5XWV+QwtsNr" ascii
      $s2 = "r0BJ5G8ZCEaFzvyLdnfq+g4ANDxaUaBF6UunJ+VIl6ogA3y+mUYNMo7Y0cuL429kMP9wallogHah/X2n5GYeBS/IyswdttYPOYNewDO7Bt5WOQO3K8tjE5XWV+QwtsNr" ascii /* same bytes as $s1 */
      $s3 = "P5hFWBZuz9iPOcK7YRlFly6FJx7ioyFwqiJR9x2dZBkRMwUVpWmuG3PMPNRtqncNW96/GG6Zw2wX8byOE3q6Kr2dBtAVvDwKn1rJNP8VkqVNh2e0Vnwxdn8wYmpuMINw" ascii
      $s4 = "ZXFjL5I/XLuVOZoW10sUQ8Qwxzrodf45iJ0PvviyZNrHT5glpiUX4WIZ5w/1O8cgWOMZQLrAf+WTV7YE8vLD/zF1g+JeRb9LnAnT6x0gsWFh3y5A7zFXSfnvYaIGqTdI" ascii
      $s5 = "Um+dOulCgcUUNpM3XGRs5XR7m1/fUslO+aniokZq68ydCfJ3rv9euFqqIDnwu+y+iRHgD6i9aBnTwioWBx+8TXEYJj+Wj+NJIwyutpsbgGQjtlz1aDT4n5rwCfCq04El" ascii
      $s6 = "72woqMgistNxWyKlQBa6KLyHqkaJQ5lzpoasscsXS4MIoOJvFaSaNFXntedlwyOtOimE9PR1iP2UWMyNo/6XdBzpDtwc909R4opBfkF3z+wzZTHEcFauPhi9a7va3wp9" ascii
      $s7 = "ZgYs3lTOet10NkSUUA+mGZJLai5YTywBu+EE+F8BnfNqpQgefbMA7d0CTlQtD/xjvQuQNhvDO4HXgo6H/nMjEdCV43xTiNm/lGkIpLMZ5+m/BjFI34j9NL+cFhuCTF+k" ascii
      $s8 = "uL0Y+nDdyvprRRKWkmNwuXzlDL4V5l1dW4gtTsNdGrjjy5ey9UXIRbYL/f8F3sGY6FkpFk9UrkYx0a/+JXBX/PNrQDKIjxEVPCgGWNk7Nb6FQrFL7adWGgKCX6srIzkt" ascii
      $s9 = "QusLdCRf+UgZso1uJNmMEbLqv+kL4Tb0Q742L946g4S/WB+vMLLJwVAVs4Clc4e6+AIwYKUOpn1zF9nGwE9+ISseQhg/dyJUxJdFHD7eGTTQNpja01tFna9zlM5ALB8v" ascii
      $s10 = "yi1OnhhYgThMOhD0unrmj1oki7c9jXt1nQBLRn3NgjTrCs3oEyXY+IlICjFi/+wgD/6vB9X61MihWT7LTnWlxXSadWqWG0v7AgX9ejz1kp+biEnZRhdfAv1ABPncD/aQ" ascii
      $s11 = "cTUUkjNEx8QtHyObKu5UJ9x1ki/5EQU8WQh0gUjx7k7RBB0wkMlYmgSRD2W8yncNkKT9GILvwxIIKKGe5nBssW0NH9nVC5PmawwZUyAu2zWkmhI6qjA9+bxbxRR0kXza" ascii
      $s12 = "YhrTbx/4+FQmOftILtcJEs3joheCe1eKvmP1WfGpdr4cS40TWQEpQOVHq+SDoE/R3GL1hjOvB3ghwUqgHHpFnZPpwmEBmVDBnx/vGTgcthxIsc4aPpm+4A+5gvpqJXVw" ascii
      $s13 = "feqVLvoVAMx6sKTyCyiIoyi2yx92O1UF6X5tGYdY55YWUUE5pQHQ8Bms0teFYwuPkw1zpac5GQP8BNn+qYnrgabc6O+/GHz4f5jWCPp7VNRQBKE1ryas4wr5dpBBcwyR" ascii
      $s14 = "0bpx4/QyrbJdwAiZB8kiTowuyIpH7PPB1zjazKpLoLBv2dzFmhKrbc5NNh32iSBmf5ffHPBj+9QUbWjaryFPg49DTXPCrf99llJp/4XdiJcBwFdcdwcuAKbQA3inBU19" ascii
      $s15 = "wqBA5M3TokuN3RFSUb7PkgMYrrfBkpORgEoTjpZ2dCEZay59EmE63mDAdlEsk2f8tMlt88jdXSAik+y1kYoJi9J6fnV896GiuBoNGhQDL8cbxJ4xcJa3D1ptskGXEaKa" ascii
      $s16 = "5R\":t:\\" fullword ascii
      $s17 = "VDb2ITEpnTCJwDMKPAodbCfUJn6vePDXaYxvf9LAIOPv6EffcP1Y/Gn60NU/DAUV8NPUy6dDHfa5iUgrgCLJEFd2b90A3nkWBwCAPWAl+LKkmASGfR2TTKIk9dihMrE+" ascii
      $s18 = "ODfxx6dwC0jNJretV12YWIcaKRUwOE5sUg5P2X3wPGUi4T0CzqqZLrAe+Ly970tXpoW1jIOpeV+Dl5AtcT2Gd6R9iqL68WsoD/NPD5hZLduLg3WXhEuDrmQtf1IwXqEr" ascii
      $s19 = "ODfxx6dwC0jNJretV12YWIcaKRUwOE5sUg5P2X3wPGUi4T0CzqqZLrAe+Ly970tXpoW1jIOpeV+Dl5AtcT2Gd6R9iqL68WsoD/NPD5hZLduLg3WXhEuDrmQtf1IwXqEr" ascii /* same bytes as $s18 */
      $s20 = "yIc8f+iuP6jvlL8k0CDwMQ==" fullword ascii
   condition:
      /* Branch 1: "MZ" at offset 0 (0x5a4d read little-endian), size under
         900KB, at least 8 strings. Branch 2: all strings present, with no
         header or size check. */
      ( uint16(0) == 0x5a4d and filesize < 900KB and ( 8 of them )
      ) or ( all of them )
}

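/*
   Zeppelin_18 - yarGen super rule built from the 40 samples listed in meta
   (hash1..hash40; the description repeats the same list).

   Strings: all 19 are runs of digits and punctuation rather than readable
   text. NOTE(review): these look like binary table data (relocation-style
   entries) that happens to be printable; confirm against the samples. Such
   bytes follow the build's memory layout, so the rule is tied to how these
   samples were built, not to what they do.

   The description must stay on one physical line: a YARA text string cannot
   contain a raw line break, and the rule set does not compile otherwise.
*/
rule Zeppelin_18 {
   meta:
      description = "Zeppelin - from files 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d, 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9, 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d"
      hash2 = "6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9"
      hash3 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash4 = "d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c"
      hash5 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash6 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash7 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash8 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash9 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash10 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash11 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash12 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash13 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash14 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash15 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash16 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash17 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash18 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash19 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash20 = "6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc"
      hash21 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash22 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash23 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash24 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash25 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash26 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash27 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash28 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash29 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash30 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash31 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash32 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash33 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash34 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash35 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash36 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      hash37 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash38 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash39 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      hash40 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      $s1 = "6 7&7,777" fullword ascii /* hex encoded string 'gww' */
      $s2 = "=!=%=5=:=_=" fullword ascii
      $s3 = ">&?;?H?h?" fullword ascii
      $s4 = ">2>N>o>" fullword ascii
      $s5 = "7-898x8" fullword ascii
      $s6 = "< <5<A<^<g<" fullword ascii
      $s7 = ";*;e;o;" fullword ascii
      $s8 = "-0T0X0\\0`0d0h0l0p0t0#2\\2" fullword ascii
      $s9 = "0_1o1\"2+2=2I2T2" fullword ascii
      $s10 = ": :*:A:V:i:v:" fullword ascii
      $s11 = "0)1-111I1X1\\1x1" fullword ascii
      $s12 = "7F9U9\\9" fullword ascii
      $s13 = "3&3*5@5Q5t5" fullword ascii
      $s14 = "5)5<5W5]5u5" fullword ascii
      $s15 = "5 5$5(5,5054585<5@5D5H5L5P5T5X5\\5`5d5h5l5p5t5x5|5" fullword ascii
      $s16 = "2\"2*222:2B2J2R2Z2b2j2r2z2" fullword ascii
      $s17 = "0,0H0T0d0" fullword ascii
      $s18 = "6E6M6R6w6" fullword ascii
      $s19 = "6 6$6(6,6064686<6@6D6H6L6P6T6X6\\6`6d6h6l6p6t6x6|6" fullword ascii
   condition:
      /* Branch 1: file starts with "MZ" (0x5a4d read little-endian), is
         under 4000KB and contains at least 8 of the strings.
         Branch 2: all 19 strings present; no header or size check applies,
         so it can also fire on non-PE data such as dumps or containers. */
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( 8 of them )
      ) or ( all of them )
}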

rule Zeppelin_19 {
   meta:
      description = "Zeppelin - from files 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d, 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9, 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, 
54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d"
      hash2 = "6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9"
      hash3 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash4 = "d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c"
      hash5 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash6 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash7 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash8 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash9 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash10 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash11 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash12 = "894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072"
      hash13 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash14 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash15 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash16 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash17 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash18 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash19 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash20 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash21 = "6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc"
      hash22 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash23 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash24 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash25 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash26 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash27 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash28 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash29 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash30 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash31 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash32 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash33 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash34 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash35 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash36 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash37 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash38 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash39 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      hash40 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      $s1 = "Toolhelp32ReadProcessMemory" fullword ascii
      $s2 = "Process32First" fullword ascii
      $s3 = "Process32FirstW" fullword ascii
      $s4 = "Process32Next" fullword ascii
      $s5 = "Process32NextW" fullword ascii
      $s6 = "Thread32Next" fullword ascii
      $s7 = "Thread32First" fullword ascii
      $s8 = "Heap32ListNext" fullword ascii
      $s9 = "Heap32First" fullword ascii
      $s10 = "Heap32ListFirst" fullword ascii
      $s11 = "TFileName" fullword ascii
      $s12 = "Heap32Next" fullword ascii
      $s13 = "Module32FirstW" fullword ascii
      $s14 = "Module32NextW" fullword ascii
      $s15 = "Module32First" fullword ascii
      $s16 = "TSearchRecp" fullword ascii
      $s17 = "CreateToolhelp32Snapshot" fullword ascii
      $s18 = "Module32Next" fullword ascii
      $s19 = "tUI|RVS" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( 8 of them )
      ) or ( all of them )
}

/* Zeppelin_20 - yarGen-generated string signature derived from the four
   samples listed in hash1..hash4. */
rule Zeppelin_20 {
   meta:
      description = "Zeppelin - from files c080d7228471422cbd230849cd523292b2b0553a3f347677ca66f3e502591eb1, 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6, 42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9, 7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "c080d7228471422cbd230849cd523292b2b0553a3f347677ca66f3e502591eb1"
      hash2 = "8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6"
      hash3 = "42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9"
      hash4 = "7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
   strings:
      // Review notes on string quality:
      //  - $s1, $s4, $s6, $s7 are application-manifest XML fragments and $s5 is
      //    the DOS stub message; both occur in many benign PE files as well.
      //  - $s3, $s8, $s9, $s11, $s12 contain "PQRVW" or "_^ZYX", the ASCII of
      //    the one-byte x86 push/pop register opcodes, so they appear to be
      //    code bytes rather than text.
      //  - $s17 is the manifest end tag followed by PADDINGXX filler and is the
      //    only string without the fullword modifier.
      $s1 = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii
      $s2 = "lstrcmpA" fullword ascii
      $s3 = "PQRVW;m" fullword ascii
      $s4 = "  </trustInfo>" fullword ascii
      $s5 = "!This program cannot be run in DOS mode." fullword ascii
      $s6 = "      <requestedPrivileges>" fullword ascii
      $s7 = "      </requestedPrivileges>" fullword ascii
      $s8 = "PQRVW9" fullword ascii
      $s9 = "@_^ZYX" fullword ascii
      $s10 = "zE((D\"H" fullword ascii
      $s11 = "PQRVW=" fullword ascii
      $s12 = "PQRVW;" fullword ascii
      $s13 = "[A #Q*" fullword ascii
      $s14 = "`.rdata" fullword ascii
      $s15 = "QA #Q*" fullword ascii
      $s16 = "@@ +A*" fullword ascii
      $s17 = "</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD" ascii
   condition:
      // Any input containing all 17 strings matches; otherwise an MZ-prefixed
      // file under 3000KB needs at least 8 of them.
      // NOTE(review): $s1, $s2, $s4, $s5, $s6, $s7, $s14 and $s17 look generic
      // (manifest XML, DOS stub, an import name, a section name, padding).
      // That is eight strings, which equals the threshold below - validate
      // against a goodware set before alerting on this rule alone.
      ( all of them )
      or ( uint16(0) == 0x5a4d and filesize < 3000KB and 8 of them )
}

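/* Zeppelin_21 - yarGen-generated string signature derived from the 42
   samples listed in hash1..hash42. */
rule Zeppelin_21 {
   meta:
      // The description literal is kept on one physical line: YARA does not
      // accept a line break inside a quoted string.
      description = "Zeppelin - from files 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d, 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9, 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d"
      hash2 = "6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9"
      hash3 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash4 = "d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c"
      hash5 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash6 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash7 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash8 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash9 = "dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f"
      hash10 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash11 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash12 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash13 = "894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072"
      hash14 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash15 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash16 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash17 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash18 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash19 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash20 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash21 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash22 = "6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc"
      hash23 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash24 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash25 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash26 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash27 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash28 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash29 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash30 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash31 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash32 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash33 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash34 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash35 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash36 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash37 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash38 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      hash39 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash40 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash41 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      hash42 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      // $s1..$s9 are readable identifiers: $s1 is a Win32 API name and the
      // others (TObject, EDivByZero, TUnitHashArray, ...) look like Delphi
      // runtime type and unit names - presumably shared by any binary built
      // with that toolchain; TODO confirm against a goodware set.
      $s1 = "GetLongPathNameA" fullword ascii
      $s2 = "TUnitHashArray" fullword ascii
      $s3 = "System" fullword ascii
      $s4 = "Dispatch" fullword ascii
      $s5 = "TObject" fullword ascii
      $s6 = "stringX" fullword ascii
      $s7 = "EDivByZero" fullword ascii
      $s8 = "TDigits" fullword ascii
      $s9 = "INFNAN" fullword ascii
      // $s10..$s13 are the only non-identifier strings in the set.
      $s10 = "L&&jl66Z~??A" fullword ascii
      $s11 = "uB!!c " fullword ascii
      $s12 = ";d22Vt::N" fullword ascii
      $s13 = "~KxI[)" fullword ascii
   condition:
      // An MZ-prefixed file under 4000KB needs at least 8 of the 13 strings;
      // any input containing all 13 matches regardless of header or size.
      // NOTE(review): 8 of the 9 identifier strings ($s1..$s9) already meet the
      // threshold without any of $s10..$s13, so treat a hit as a lead to
      // corroborate rather than a family attribution.
      ( uint16(0) == 0x5a4d and filesize < 4000KB and 8 of them )
      or ( all of them )
}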

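/* Zeppelin_22 - yarGen-generated string signature derived from the 38
   samples listed in hash1..hash38. */
rule Zeppelin_22 {
   meta:
      // The description literal is kept on one physical line: YARA does not
      // accept a line break inside a quoted string.
      description = "Zeppelin - from files 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d, 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d"
      hash2 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash3 = "d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c"
      hash4 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash5 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash6 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash7 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash8 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash9 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash10 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash11 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash12 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash13 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash14 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash15 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash16 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash17 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash18 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash19 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash20 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash21 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash22 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash23 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash24 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash25 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash26 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash27 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash28 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash29 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash30 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash31 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash32 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash33 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash34 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      hash35 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash36 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash37 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      hash38 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      // All twelve strings are runs of digits and punctuation at a regular
      // stride (for example "4@4D4H4L4P4T"), which looks like binary table
      // data rendered as ASCII rather than text - presumably offsets tied to
      // one build layout; TODO confirm. Expect matches to break on a rebuild.
      $s1 = ": :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:|:" fullword ascii
      $s2 = "848B8G8`8p8" fullword ascii
      $s3 = "0R4[4b5k5o<" fullword ascii
      $s4 = "6b7o7{7" fullword ascii
      $s5 = "2&22292Z5" fullword ascii
      $s6 = "1,1<1C1" fullword ascii
      $s7 = "5!5+53595G5b5w5" fullword ascii
      $s8 = "9 9$9(9,909l9t9|9" fullword ascii
      $s9 = "717<7y8" fullword ascii
      $s10 = "044484<4@4D4H4L4P4T4X4\\4`4d4h4l4p4t4x4|4" fullword ascii
      $s11 = "1(1H1,7074787<7@7D8L8P8t8x8" fullword ascii
      $s12 = "6M6V6[6}6" fullword ascii
   condition:
      // An MZ-prefixed file under 4000KB needs at least 8 of the 12 strings;
      // any input containing all 12 matches regardless of header or size.
      ( uint16(0) == 0x5a4d and filesize < 4000KB and 8 of them )
      or ( all of them )
}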

/* Zeppelin_23 - yarGen-generated string signature derived from the two
   samples listed in hash1 and hash2. */
rule Zeppelin_23 {
   meta:
      description = "Zeppelin - from files a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash2 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
   strings:
      // Short (6-9 byte) strings with no readable words; they look like
      // fragments of packed or encoded data rather than text - TODO confirm.
      // With only two source samples, expect this to track those builds and
      // not the family as a whole.
      $s1 = "Eralhd" fullword ascii
      $s2 = "v6=*)^Z" fullword ascii
      $s3 = "S8nqt}v?" fullword ascii
      $s4 = "[nK6]H" fullword ascii
      $s5 = "FVt%'<(" fullword ascii
      $s6 = "=Qop67" fullword ascii
      $s7 = "QgB)|9:xC" fullword ascii
      $s8 = "M~sqJs" fullword ascii
      $s9 = "v%1Am[K" fullword ascii
      $s10 = "R:h`KE" fullword ascii
      $s11 = "2gn1'x" fullword ascii
   condition:
      // Any input containing all 11 strings matches; otherwise an MZ-prefixed
      // file under 900KB needs at least 8 of them.
      ( all of them )
      or ( uint16(0) == 0x5a4d and filesize < 900KB and 8 of them )
}

/* Zeppelin_24 - yarGen-generated string signature derived from the six
   samples listed in hash1..hash6. */
rule Zeppelin_24 {
   meta:
      description = "Zeppelin - from files 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, 6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash2 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash3 = "6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc"
      hash4 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash5 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash6 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
   strings:
      // Every string here is the name of a Windows API function; none is
      // specific to one program.
      $s1 = "WinExec" fullword ascii
      $s2 = "GetSysColor" fullword ascii
      $s3 = "GetObjectA" fullword ascii
      $s4 = "GetDIBits" fullword ascii
      $s5 = "DeleteFileA" fullword ascii
      $s6 = "ReleaseDC" fullword ascii
      $s7 = "DeleteObject" fullword ascii
      $s8 = "CreateDIBSection" fullword ascii
      $s9 = "DeleteDC" fullword ascii
      $s10 = "FillRect" fullword ascii
   condition:
      // The generator emitted
      //   ( uint16(0) == 0x5a4d and filesize < 900KB and ( all of them ) ) or ( all of them )
      // whose first branch is subsumed by the second, so it is written in its
      // reduced form: the MZ and 900KB checks never affected the result.
      // NOTE(review): with ten API names and no header or size gate, any input
      // that lists these functions matches; corroborate hits with the sample
      // hashes or a stronger rule before treating them as Zeppelin.
      all of them
}

/* Zeppelin_25 - yarGen-generated string signature derived from the two
   samples listed in hash1 and hash2. */
rule Zeppelin_25 {
   meta:
      description = "Zeppelin - from files a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash2 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
   strings:
      // Eight 6-byte strings with no readable words; they look like fragments
      // of packed or encoded data rather than text - TODO confirm. Expect the
      // rule to track these two builds only.
      $s1 = "V)%uvm" fullword ascii
      $s2 = ">q,(+I" fullword ascii
      $s3 = "Ps s*Y" fullword ascii
      $s4 = "@}4{X%" fullword ascii
      $s5 = "AMi8YA" fullword ascii
      $s6 = "j|&4G@" fullword ascii
      $s7 = "yjAK8|" fullword ascii
      $s8 = "_0C?%*" fullword ascii
   condition:
      // The generator emitted
      //   ( uint16(0) == 0x5a4d and filesize < 600KB and ( all of them ) ) or ( all of them )
      // whose first branch is subsumed by the second, so it is written in its
      // reduced form: the MZ and 600KB checks never affected the result.
      all of them
}

/* Zeppelin_26 - yarGen-generated string signature derived from the two
   samples listed in hash1 and hash2. */
rule Zeppelin_26 {
   meta:
      description = "Zeppelin - from files c080d7228471422cbd230849cd523292b2b0553a3f347677ca66f3e502591eb1, 7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "c080d7228471422cbd230849cd523292b2b0553a3f347677ca66f3e502591eb1"
      hash2 = "7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
   strings:
      // $s1..$s3 and $s6 are a system DLL name and Windows API function names;
      // $s7 is the only wide (UTF-16) string.
      // $s4, $s5 and $s8 contain "PQRVW" or "_^ZYX", the ASCII of the one-byte
      // x86 push/pop register opcodes, so they appear to be code bytes rather
      // than text.
      $s1 = "imagehlp.dll" fullword ascii
      $s2 = "GetCursorPos" fullword ascii
      $s3 = "GetCursorInfo" fullword ascii
      $s4 = "PQRVW=L" fullword ascii
      $s5 = "PQRVW;e" fullword ascii
      $s6 = "SymFromName" fullword ascii
      $s7 = "Delete" fullword wide
      $s8 = "N_^ZYX" fullword ascii
   condition:
      // The generator emitted
      //   ( uint16(0) == 0x5a4d and filesize < 2000KB and ( all of them ) ) or ( all of them )
      // whose first branch is subsumed by the second, so it is written in its
      // reduced form: the MZ and 2000KB checks never affected the result.
      all of them
}

/* Zeppelin_27 - yarGen-generated string signature derived from the three
   samples listed in hash1..hash3. */
rule Zeppelin_27 {
   meta:
      description = "Zeppelin - from files 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash2 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash3 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
   strings:
      // None of these is readable text. $s3, $s7 and $s9 are digit/punctuation
      // runs at a regular stride, which looks like binary table data rendered
      // as ASCII; the rest look like fragments of packed or encoded data.
      // Both readings are presumptions - TODO confirm against the samples.
      $s1 = "JEkHF\"" fullword ascii
      $s2 = "|^&X^y" fullword ascii
      $s3 = "7!7&7+70757;7@7E7K7R7X7_7e7l7r7y7" fullword ascii
      $s4 = "p@7?\" " fullword ascii
      $s5 = "u($! \"" fullword ascii
      $s6 = "MR,6`EpZi" fullword ascii
      $s7 = "6=6Z6d6t6" fullword ascii
      $s8 = "0M9Gyt4X" fullword ascii
      $s9 = "8'848F8V8^8k8" fullword ascii
   condition:
      // The generator emitted
      //   ( uint16(0) == 0x5a4d and filesize < 900KB and ( all of them ) ) or ( all of them )
      // whose first branch is subsumed by the second, so it is written in its
      // reduced form: the MZ and 900KB checks never affected the result.
      all of them
}

/* Zeppelin_28 - yarGen-generated string signature derived from the two
   samples listed in hash1 and hash2. */
rule Zeppelin_28 {
   meta:
      description = "Zeppelin - from files 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072"
      hash2 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
   strings:
      // Nine short strings with no readable words; they look like fragments of
      // packed or encoded data rather than text - TODO confirm. Expect the
      // rule to track these two builds only.
      $s1 = "ezX#PfS:>+" fullword ascii
      $s2 = "$Nz<3D" fullword ascii
      $s3 = "i<q=:u" fullword ascii
      $s4 = "JJ95na" fullword ascii
      $s5 = "ZVc+T%" fullword ascii
      $s6 = "n,U\"Z,I" fullword ascii
      $s7 = "Yw&5gLe" fullword ascii
      $s8 = "]u7y$9G" fullword ascii
      $s9 = "p]_qMx" fullword ascii
   condition:
      // The generator emitted
      //   ( uint16(0) == 0x5a4d and filesize < 600KB and ( all of them ) ) or ( all of them )
      // whose first branch is subsumed by the second, so it is written in its
      // reduced form: the MZ and 600KB checks never affected the result.
      all of them
}

/* Zeppelin_29 - yarGen-generated string signature derived from the two
   samples listed in hash1 and hash2. */
rule Zeppelin_29 {
   meta:
      description = "Zeppelin - from files 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6, 42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6"
      hash2 = "42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9"
   strings:
      // $s1..$s3 are Windows system library file names and $s4..$s7 are
      // API/export function names; none is specific to one program.
      // $s8 and $s9 end in "_^ZYX", the ASCII of the one-byte x86 pop register
      // opcodes, so they appear to be code bytes rather than text.
      $s1 = "comdlg32.dll" fullword ascii
      $s2 = "comctl32.dll" fullword ascii
      $s3 = "winspool.drv" fullword ascii
      $s4 = "FindTextA" fullword ascii
      $s5 = "AlphaBlend" fullword ascii
      $s6 = "StartDocPrinterW" fullword ascii
      $s7 = "DllRegisterServer" fullword ascii
      $s8 = "H_^ZYX" fullword ascii
      $s9 = "G_^ZYX" fullword ascii
   condition:
      // The generator emitted
      //   ( uint16(0) == 0x5a4d and filesize < 3000KB and ( all of them ) ) or ( all of them )
      // whose first branch is subsumed by the second, so it is written in its
      // reduced form: the MZ and 3000KB checks never affected the result.
      // NOTE(review): seven of the nine strings are library and function
      // names; corroborate hits with the sample hashes or a stronger rule
      // before treating them as Zeppelin.
      all of them
}

rule Zeppelin_30 {
   meta:
      description = "Zeppelin - from files 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d, 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9, 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, 5ec7bc8bfa892ce6a127441003213eed8bb2ac230bce1fa1f51aff1fb7ac8e64, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 
37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      hash1 = "21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d"
      hash2 = "6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9"
      hash3 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash4 = "d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c"
      hash5 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash6 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash7 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash8 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash9 = "dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f"
      hash10 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash11 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash12 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash13 = "894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072"
      hash14 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash15 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash16 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash17 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash18 = "5ec7bc8bfa892ce6a127441003213eed8bb2ac230bce1fa1f51aff1fb7ac8e64"
      hash19 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash20 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash21 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash22 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash23 = "6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc"
      hash24 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash25 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash26 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash27 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash28 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash29 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash30 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash31 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash32 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash33 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash34 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash35 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash36 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash37 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash38 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash39 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      hash40 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash41 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash42 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      hash43 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      $s1 = "ExitProcess" fullword ascii
      $s2 = "SHGetMalloc" fullword ascii
      $s3 = "This program must be run under Win32" fullword ascii
      $s4 = "RegCloseKey" fullword ascii
      $s5 = "VariantCopy" fullword ascii
      $s6 = "CharNextA" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( all of them )
      ) or ( all of them )
}

// Zeppelin_31: yarGen-generated rule built from the four sample files listed
// in meta (hash1-hash4). It fires when all five $s strings are present.
rule Zeppelin_31 {
   meta:
      description = "Zeppelin - from files 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // hash1..hash4 repeat the sample list from the description, one per key
      // (64 hex digits each, consistent with SHA-256).
      hash1 = "6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9"
      hash2 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash3 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash4 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
   strings:
      // Six-to-seven character ASCII strings with no readable words.
      // NOTE(review): presumably fragments of packed or encrypted data shared
      // by the samples; verify against the samples and a goodware set.
      $s1 = "07\\6T:" fullword ascii
      $s2 = "[D|i\"vt" fullword ascii
      $s3 = "9VN{iS" fullword ascii
      $s4 = "P.J9Uj" fullword ascii
      $s5 = "C.N')%" fullword ascii
   condition:
      // uint16(0) == 0x5a4d checks for the "MZ" magic at offset 0.
      // NOTE(review): the trailing `or ( all of them )` is true whenever the
      // guarded branch is, so the MZ and filesize checks never change the
      // result; the rule matches any scanned data holding all five strings.
      // Confirm whether header-less matching is intended before tightening.
      ( uint16(0) == 0x5a4d and filesize < 700KB and ( all of them )
      ) or ( all of them )
}

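// Zeppelin_32: yarGen-generated rule built from the thirty sample files listed
// in meta (hash1-hash30). It fires when all six $s strings are present.
rule Zeppelin_32 {
   meta:
      // Kept on one line: a raw line break inside a quoted YARA text string is
      // rejected by the compiler as an unterminated string.
      description = "Zeppelin - from files 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // hash1..hash30 repeat the sample list from the description, one per key
      // (64 hex digits each, consistent with SHA-256).
      hash1 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash2 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash3 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash4 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash5 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash6 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash7 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash8 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash9 = "894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072"
      hash10 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash11 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash12 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash13 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash14 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash15 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash16 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash17 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash18 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash19 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash20 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash21 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash22 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash23 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash24 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash25 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash26 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash27 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash28 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      hash29 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash30 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      // NOTE(review): $s1-$s5 look like Delphi/Borland runtime type names
      // followed by a few adjacent bytes, so they are tied to one build layout
      // rather than to behaviour; confirm against the samples.
      $s1 = "EInvalidPointerH" fullword ascii
      $s2 = "TIntegerLbA" fullword ascii
      $s3 = "TFileStreampo@" fullword ascii
      $s4 = "EZeroDivide<~@" fullword ascii
      $s5 = "DigitsLbA" fullword ascii
      $s6 = "%.*d$x@" fullword ascii
   condition:
      // uint16(0) == 0x5a4d checks for the "MZ" magic at offset 0.
      // NOTE(review): the trailing `or ( all of them )` is true whenever the
      // guarded branch is, so the MZ and filesize checks never change the
      // result; the rule matches any scanned data holding all six strings.
      // Confirm whether header-less matching is intended before tightening.
      ( uint16(0) == 0x5a4d and filesize < 900KB and ( all of them )
      ) or ( all of them )
}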

// Zeppelin_33: yarGen-generated rule built from the three sample files listed
// in meta (hash1-hash3). It fires when all six $s strings are present.
rule Zeppelin_33 {
   meta:
      description = "Zeppelin - from files c080d7228471422cbd230849cd523292b2b0553a3f347677ca66f3e502591eb1, 42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9, 7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // hash1..hash3 repeat the sample list from the description, one per key
      // (64 hex digits each, consistent with SHA-256).
      hash1 = "c080d7228471422cbd230849cd523292b2b0553a3f347677ca66f3e502591eb1"
      hash2 = "42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9"
      hash3 = "7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
   strings:
      // NOTE(review): these are generic Windows executable artefacts (dialog
      // font name, manifest trustInfo element, resource padding filler, a
      // section name, an API name) rather than family-specific content. Each
      // is common in benign software; test the rule against a goodware set
      // before relying on it for alerting.
      $s1 = "MS Shell Dlg" fullword wide
      $s2 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      // $s3 is the only string without `fullword`, so it may match inside a
      // longer run of the same padding text.
      $s3 = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD" ascii
      $s4 = "@.data" fullword ascii
      $s5 = "O_^ZYX" fullword ascii
      $s6 = "lstrcatA" fullword ascii
   condition:
      // uint16(0) == 0x5a4d checks for the "MZ" magic at offset 0.
      // NOTE(review): the trailing `or ( all of them )` is true whenever the
      // guarded branch is, so the MZ and filesize checks never change the
      // result; the rule matches any scanned data holding all six strings.
      // Confirm whether header-less matching is intended before tightening.
      ( uint16(0) == 0x5a4d and filesize < 3000KB and ( all of them )
      ) or ( all of them )
}

// Zeppelin_34: yarGen-generated rule built from the two sample files listed
// in meta (hash1-hash2). It fires when all six $s strings are present.
rule Zeppelin_34 {
   meta:
      description = "Zeppelin - from files 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6, 7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // hash1..hash2 repeat the sample list from the description, one per key
      // (64 hex digits each, consistent with SHA-256).
      hash1 = "8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6"
      hash2 = "7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b"
   strings:
      // NOTE(review): all six strings are Windows API function names, i.e.
      // import-table content. The rule keys on a combination of imports, not
      // on family-specific data, so unrelated programs that import the same
      // functions would also match; test against a goodware set.
      $s1 = "GetUserDefaultUILanguage" fullword ascii
      $s2 = "GetTextCharacterExtra" fullword ascii
      $s3 = "LsaSetSecret" fullword ascii
      $s4 = "GetCaretBlinkTime" fullword ascii
      $s5 = "GetCapture" fullword ascii
      $s6 = "SetCalendarInfoA" fullword ascii
   condition:
      // uint16(0) == 0x5a4d checks for the "MZ" magic at offset 0.
      // NOTE(review): the trailing `or ( all of them )` is true whenever the
      // guarded branch is, so the MZ and filesize checks never change the
      // result; the rule matches any scanned data holding all six strings.
      // Confirm whether header-less matching is intended before tightening.
      ( uint16(0) == 0x5a4d and filesize < 2000KB and ( all of them )
      ) or ( all of them )
}

// Zeppelin_35: yarGen-generated rule built from the two sample files listed
// in meta (hash1-hash2). It fires when all six $s strings are present.
rule Zeppelin_35 {
   meta:
      description = "Zeppelin - from files cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // hash1..hash2 repeat the sample list from the description, one per key
      // (64 hex digits each, consistent with SHA-256).
      hash1 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash2 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
   strings:
      // Six-to-seven character ASCII strings with no readable words.
      // NOTE(review): presumably fragments of packed or encrypted data shared
      // by the two samples; verify against the samples and a goodware set.
      $s1 = "!N,0u]" fullword ascii
      $s2 = "\"}=`)L" fullword ascii
      $s3 = "aaVQt+" fullword ascii
      $s4 = "I.1M$<" fullword ascii
      $s5 = ":kK9#u6" fullword ascii
      $s6 = "ZD>9pa(" fullword ascii
   condition:
      // uint16(0) == 0x5a4d checks for the "MZ" magic at offset 0.
      // NOTE(review): the trailing `or ( all of them )` is true whenever the
      // guarded branch is, so the MZ and filesize checks never change the
      // result; the rule matches any scanned data holding all six strings.
      // Confirm whether header-less matching is intended before tightening.
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( all of them )
      ) or ( all of them )
}

// Zeppelin_36: yarGen-generated rule built from the two sample files listed
// in meta (hash1-hash2). It fires when all five $s strings are present.
rule Zeppelin_36 {
   meta:
      description = "Zeppelin - from files 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // hash1..hash2 repeat the sample list from the description, one per key
      // (64 hex digits each, consistent with SHA-256).
      hash1 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash2 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
   strings:
      // Six-to-nine character ASCII strings with no readable words.
      // NOTE(review): presumably fragments of packed or encrypted data shared
      // by the two samples; verify against the samples and a goodware set.
      $s1 = "svzc}m]?=" fullword ascii
      $s2 = "cvCuv'" fullword ascii
      $s3 = "\"p^3GVXq" fullword ascii
      $s4 = "cwO!1u[C" fullword ascii
      $s5 = "\"'CsB!" fullword ascii
   condition:
      // uint16(0) == 0x5a4d checks for the "MZ" magic at offset 0.
      // NOTE(review): the trailing `or ( all of them )` is true whenever the
      // guarded branch is, so the MZ and filesize checks never change the
      // result; the rule matches any scanned data holding all five strings.
      // Confirm whether header-less matching is intended before tightening.
      ( uint16(0) == 0x5a4d and filesize < 600KB and ( all of them )
      ) or ( all of them )
}

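// Zeppelin_37: yarGen-generated rule built from the thirty-six sample files
// listed in meta (hash1-hash36). It fires when all five $s strings are present.
rule Zeppelin_37 {
   meta:
      // Kept on one line: a raw line break inside a quoted YARA text string is
      // rejected by the compiler as an unterminated string.
      description = "Zeppelin - from files 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2, 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878, 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55, ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b, 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // hash1..hash36 repeat the sample list from the description, one per key
      // (64 hex digits each, consistent with SHA-256).
      hash1 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash2 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash3 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash4 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash5 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash6 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash7 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash8 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash9 = "79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c"
      hash10 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash11 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash12 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash13 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash14 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash15 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash16 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash17 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash18 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash19 = "cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2"
      hash20 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash21 = "bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509"
      hash22 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash23 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash24 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash25 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash26 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash27 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash28 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash29 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash30 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash31 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash32 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      hash33 = "4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933"
      hash34 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      hash35 = "ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b"
      hash36 = "9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b"
   strings:
      // NOTE(review): each string is a run of two-character pairs ending in
      // the same digit or symbol, which resembles the printable rendering of
      // a table of 16-bit values (for example relocation entries) rather than
      // text the program uses; confirm against the samples.
      $s1 = "9 9*949>9H9R9\\9f9p9z9" fullword ascii
      $s2 = "<$<(<0<4<<<@<H<L<T<X<`<d<l<p<x<|<" fullword ascii
      $s3 = "8$8,848<8D8L8T8\\8d8l8t8|8" fullword ascii
      $s4 = "; ;(;,;4;8;@;D;L;P;X;\\;d;h;p;t;|;" fullword ascii
      $s5 = "7$7,747<7D7L7T7\\7d7l7t7|7" fullword ascii
   condition:
      // uint16(0) == 0x5a4d checks for the "MZ" magic at offset 0.
      // NOTE(review): the trailing `or ( all of them )` is true whenever the
      // guarded branch is, so the MZ and filesize checks never change the
      // result; the rule matches any scanned data holding all five strings.
      // Confirm whether header-less matching is intended before tightening.
      ( uint16(0) == 0x5a4d and filesize < 4000KB and ( all of them )
      ) or ( all of them )
}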

// Zeppelin_38: yarGen-generated rule built from the twenty-six sample files
// listed in meta (hash1-hash26). It fires when all five $s strings are present.
rule Zeppelin_38 {
   meta:
      description = "Zeppelin - from files 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080, a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b, 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea, 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2, ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e, 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e, bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d, 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910, 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072, 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57, 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d, f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396, ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75, f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d, a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037, fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039, 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b, faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6, c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911, 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e, 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1, aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe, 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94, 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846, 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e, e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // hash1..hash26 repeat the sample list from the description, one per key
      // (64 hex digits each, consistent with SHA-256).
      hash1 = "4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080"
      hash2 = "a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b"
      hash3 = "7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea"
      hash4 = "8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2"
      hash5 = "ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e"
      hash6 = "55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e"
      hash7 = "bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d"
      hash8 = "961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910"
      hash9 = "894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072"
      hash10 = "2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57"
      hash11 = "001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d"
      hash12 = "f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396"
      hash13 = "ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75"
      hash14 = "f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d"
      hash15 = "a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037"
      hash16 = "fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039"
      hash17 = "6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b"
      hash18 = "faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6"
      hash19 = "c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911"
      hash20 = "37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e"
      hash21 = "54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1"
      hash22 = "aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe"
      hash23 = "4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94"
      hash24 = "9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846"
      hash25 = "307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e"
      hash26 = "e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878"
   strings:
      // NOTE(review): these look like Delphi/Borland runtime class names
      // followed by one adjacent byte, so they are tied to one build layout
      // rather than to behaviour; confirm against the samples.
      $s1 = "EVariantInvalidArgError@" fullword ascii
      $s2 = "EFOpenError\\" fullword ascii
      $s3 = "EThread@" fullword ascii
      $s4 = "EWriteErrord" fullword ascii
      $s5 = "TStreaml" fullword ascii
   condition:
      // uint16(0) == 0x5a4d checks for the "MZ" magic at offset 0.
      // NOTE(review): the trailing `or ( all of them )` is true whenever the
      // guarded branch is, so the MZ and filesize checks never change the
      // result; the rule matches any scanned data holding all five strings.
      // Confirm whether header-less matching is intended before tightening.
      ( uint16(0) == 0x5a4d and filesize < 900KB and ( all of them )
      ) or ( all of them )
}

// Zeppelin_39: yarGen-generated rule built from the five sample files listed
// in meta (hash1-hash5). It fires when all five $s strings are present.
rule Zeppelin_39 {
   meta:
      description = "Zeppelin - from files 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499, e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9, a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0, 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0, 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-08-08"
      // hash1..hash5 repeat the sample list from the description, one per key
      // (64 hex digits each, consistent with SHA-256).
      hash1 = "0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499"
      hash2 = "e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9"
      hash3 = "a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0"
      hash4 = "22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0"
      hash5 = "7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55"
   strings:
      // NOTE(review): $s1-$s3 look like Delphi/Borland runtime class names
      // followed by a few adjacent bytes; $s4-$s5 are six-character strings
      // with no readable words. Both kinds are tied to one build layout;
      // confirm against the samples.
      $s1 = "EZeroDivide$~@" fullword ascii
      $s2 = "TFileStreamho@" fullword ascii
      $s3 = "TStream|n@" fullword ascii
      $s4 = "t~hDzC" fullword ascii
      $s5 = "tEh|zC" fullword ascii
   condition:
      // uint16(0) == 0x5a4d checks for the "MZ" magic at offset 0.
      // NOTE(review): the trailing `or ( all of them )` is true whenever the
      // guarded branch is, so the MZ and filesize checks never change the
      // result; the rule matches any scanned data holding all five strings.
      // Confirm whether header-less matching is intended before tightening.
      ( uint16(0) == 0x5a4d and filesize < 600KB and ( all of them )
      ) or ( all of them )
}