Antivirus_Signature
YARA-2025-2240
Medium
general
Active
Detection patterns for the tool 'Antivirus Signature' taken from the ThreatHunting-Keywords github project
Antivirus_Signature.yar
Valid Syntax
rule Antivirus_Signature
{
meta:
description = "Detection patterns for the tool 'Antivirus Signature' taken from the ThreatHunting-Keywords github project"
author = "@mthcht"
reference = "https://github.com/mthcht/ThreatHunting-Keywords"
tool = "Antivirus Signature"
rule_category = "signature_keyword"
strings:
// Description: Antiviurs signature_keyword
// Reference: N/A
$string1 = /Backdoor\.ASP\.FUZZSHELL\.A/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string2 = /Backdoor\.ASP\.WEBSHELL\./ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string3 = /Backdoor\.PHP\.WebShell\./ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string4 = /Backdoor\/Win\./ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string5 = /Backdoor\:JS\// nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string6 = /Backdoor\:Linux/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string7 = /Backdoor\:MacOS/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string8 = /Backdoor\:MSIL\/AsyncRat/ nocase ascii wide
// Description: AV signature for exploitation tools for Quasar.exe
// Reference: N/A
$string9 = /Backdoor\:MSIL\/Quasar/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string10 = /Backdoor\:MSIL\/SectopRAT/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string11 = /Backdoor\:PHP\// nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string12 = /Backdoor\:Python/ nocase ascii wide
// Description: Antivirus signature - a tool used within a command-line interface on 64bit Windows computers to extract the NTLM (LanMan) hashes from LSASS.exe in memory. This tool may be used in conjunction with malware or other penetration testing tools to obtain credentials for use in Windows authentication systems
// Reference: N/A
$string13 = /Backdoor\:Python\// nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string14 = /Backdoor\:VBS\// nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string15 = /Backdoor\:Win32/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string16 = /Backdoor\:Win64/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string17 = /Backdoor\:Win64\/CobaltStrike/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string18 = /Behavior\:Win32\/CobaltStrike/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string19 = /BKDR_JSPSHELL\./ nocase ascii wide
// Description: Antivirus signature_keyword for hacktool clearing logs
// Reference: N/A
$string20 = /Clearlogs/ nocase ascii wide
// Description: windows defender antivirus signature for UAC bypass
// Reference: N/A
$string21 = /CobaltStrike\.LJ\!MTB/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string22 = /Exploit\:Python\// nocase ascii wide
// Description: Antiviurs signature_keyword observed with meterpreter exploits
// Reference: N/A
$string23 = /Exploit\:Win32\/CVE\-/ nocase ascii wide
// Description: Antiviurs signature_keyword observed with meterpreter exploits
// Reference: N/A
$string24 = /Exploit\:Win64\/CVE\-/ nocase ascii wide
// Description: hacktool keyword. a repository could be named as such. o AV signature
// Reference: N/A
$string25 = /hacktool/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string26 = /HackTool\.ASP\..{0,1000}\./ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string27 = /HackTool\.HTML\..{0,1000}\..{0,1000}/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string28 = /HackTool\.Java\..{0,1000}\./ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string29 = /Hacktool\.Linux/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string30 = /HackTool\.PHP\..{0,1000}\./ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string31 = /Hacktool\.Windows/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string32 = /Hacktool\/Win\./ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string33 = /HackTool\:Linux/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string34 = /HackTool\:MSIL/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string35 = /HackTool\:PowerShell/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string36 = /HackTool\:PowerShell\// nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string37 = /HackTool\:Python/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string38 = /HackTool\:Python\// nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string39 = /Hacktool\:Script\// nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string40 = /Hacktool\:SH/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string41 = /Hacktool\:VBA/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string42 = /HackTool\:VBS/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string43 = /HackTool\:Win32/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string44 = /HackTool\:Win32/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string45 = /HackTool\:Win64/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string46 = /HackTool\:Win64/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string47 = /HackTool\:Win64\/CobaltStrike/ nocase ascii wide
// Description: Antivirus signature_keyword for hacktool
// Reference: N/A
$string48 = /HKTL/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string49 = /HKTL_NETCAT/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string50 = /HTool/ nocase ascii wide
// Description: Generic hacktool Engine signature
// Reference: N/A
$string51 = /HTool\/WCE/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string52 = /impacket/ nocase ascii wide
// Description: Dump LSASS memory through a process snapshot (-r) avoiding interacting with it directly
// Reference: lsass dump malware signature
$string53 = /Lsass\-Mdump/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string54 = /MSFPsExeCommand/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string55 = /PowerShell\/HackTool/ nocase ascii wide
// Description: highly revelant Antivirus signature. phishing tools
// Reference: N/A
$string56 = /PShlSpy/ nocase ascii wide
// Description: highly revelant Antivirus signature. Programs classified as PSWTool can be used to view or restore forgotten often hidden passwords. They can also be used with malicious intent. even though the programs themselves have no malicious payload.
// Reference: N/A
$string57 = /PSWtool/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string58 = /PUA\:Win32\/AmmyyAdmin/ nocase ascii wide
// Description: Antivirus signature - a tool used within a command-line interface on 64bit Windows computers to extract the NTLM (LanMan) hashes from LSASS.exe in memory. This tool may be used in conjunction with malware or other penetration testing tools to obtain credentials for use in Windows authentication systems
// Reference: N/A
$string59 = /PWDump\s/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string60 = /PWS\:Win32\/Mpass/ nocase ascii wide
// Description: Antiviurs signature_keyword for ransomware
// Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver/indicators-blackcat-ransomware-deploys-new-signed-kernel-driver.txt
$string61 = /Ransom\.Win32\./ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string62 = /Ransom\:Linux\/BlackBasta/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string63 = /Ransom\:Win32/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string64 = /Ransom\:Win32/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string65 = /Ransom\:Win32\/BlackBasta/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string66 = /Ransom\:Win64/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string67 = /Ransom_Petya/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string68 = /Ransom_WCRY/ nocase ascii wide
// Description: Antiviurs signature_keyword for remote administration tools
// Reference: N/A
$string69 = /RemAdm/ nocase ascii wide
// Description: RemoteUtilities Remote Access softwares
// Reference: https://www.remoteutilities.com/
$string70 = /RemoteAdmin\.RemoteUtilities/ nocase ascii wide
// Description: Antiviurs signature_keyword for ransomware
// Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver/indicators-blackcat-ransomware-deploys-new-signed-kernel-driver.txt
$string71 = /Rootkit\.Win64\./ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string72 = /SPR\/Ammyy\.R/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string73 = /SupportScam\:Win32/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string74 = /Tojan\:Win32\/Goodkit/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string75 = /TROJ_ZIPBOMB\./ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string76 = /Trojan\.Linux/ nocase ascii wide
// Description: RemoteUtilities Remote Access softwares
// Reference: https://www.remoteutilities.com/
$string77 = /Trojan\.RemoteUtilitiesRAT/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string78 = /Trojan\.Win32\..{0,1000}\./ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string79 = /Trojan\.Win64/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string80 = /Trojan\.WinGo/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string81 = /Trojan\/Win32/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string82 = /Trojan\/Win64/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string83 = /Trojan\:MacOS/ nocase ascii wide
// Description: Antiviurs signature_keyword for xeno rat client.exe
// Reference: N/A
$string84 = /Trojan\:MSIL\/Dothetuk\./ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string85 = /Trojan\:PowerShell/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string86 = /Trojan\:PowerShell\/BatLoader/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string87 = /Trojan\:Python\/BatLoader/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string88 = /Trojan\:Win32/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string89 = /Trojan\:Win32\/Batloader/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string90 = /Trojan\:Win32\/EugenLoader/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string91 = /Trojan\:Win32\/Gozi/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string92 = /Trojan\:Win32\/IceId/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string93 = /Trojan\:Win32\/Smokeloader/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string94 = /Trojan\:Win32\/Trickbot/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string95 = /Trojan\:Win64/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string96 = /Trojan\:Win64\/IcedID/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string97 = /Trojan\:Win64\/IceId/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string98 = /Trojan\:Win64\/Lumma/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string99 = /TrojanDownloader\:PowerShell\/EugenLoader/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string100 = /TrojanDownloader\:PowerShell\/Malgent/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string101 = /TrojanDropper\:PowerShell\// nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string102 = /TrojanDropper\:Win32/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string103 = /TrojanSpy\.Win64/ nocase ascii wide
// Description: antivirus signatures
// Reference: N/A
$string104 = /TrojanSpy\:MSIL\/JSSLoader/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string105 = /TrojanSpy\:MSIL\/JSSLoader/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string106 = /VirTool.{0,1000}RemoteExec/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string107 = /VirTool\:MSIL/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string108 = /VirTool\:PowerShell\/Dipadz\./ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string109 = /VirTool\:Win32/ nocase ascii wide
// Description: AV signature often associated with C2 communications (cobaltstrike for example)
// Reference: N/A
$string110 = /VirTool\:Win32\/RemoteExec/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string111 = /Win32\.PUA\.AmmyyAdmin/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string112 = /Win32\.Trojan/ nocase ascii wide
// Description: antivirus signatures
// Reference: N/A
$string113 = /Win32\/Goodkit/ nocase ascii wide
// Description: antivirus signatures
// Reference: N/A
$string114 = /Win32\/IceId/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string115 = /Win32\/Mikatz/ nocase ascii wide
// Description: antivirus signatures
// Reference: N/A
$string116 = /Win32\/Trickbot/ nocase ascii wide
// Description: windows defender antivirus signature for UAC bypass
// Reference: N/A
$string117 = /Win32\/UACBypass/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string118 = /Win32\:Trojan/ nocase ascii wide
// Description: antivirus signatures
// Reference: N/A
$string119 = /Win64\/IceId/ nocase ascii wide
// Description: AV signature for exploitation tools
// Reference: N/A
$string120 = /Win64\/Mikatz/ nocase ascii wide
// Description: Antiviurs signature_keyword
// Reference: N/A
$string121 = /Windows\.Hacktool\./ nocase ascii wide
condition:
any of them
}
Rule Metadata
description
Detection patterns for the tool 'Antivirus Signature' taken from the ThreatHunting-Keywords github project
author
@mthcht
reference
https://github.com/mthcht/ThreatHunting-Keywords
tool
Antivirus Signature
rule_category
signature_keyword
String Definitions
{"name":"$string1","value":"\/Backdoor\\.ASP\\.FUZZSHELL\\.A\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string2","value":"\/Backdoor\\.ASP\\.WEBSHELL\\.\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string3","value":"\/Backdoor\\.PHP\\.WebShell\\.\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string4","value":"\/Backdoor\\\/Win\\.\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string5","value":"\/Backdoor\\:JS\\\/\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string6","value":"\/Backdoor\\:Linux\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string7","value":"\/Backdoor\\:MacOS\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string8","value":"\/Backdoor\\:MSIL\\\/AsyncRat\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools for Quasar.exe\n \/\/ Reference: N\/A"}
{"name":"$string9","value":"\/Backdoor\\:MSIL\\\/Quasar\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string10","value":"\/Backdoor\\:MSIL\\\/SectopRAT\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string11","value":"\/Backdoor\\:PHP\\\/\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string12","value":"\/Backdoor\\:Python\/ nocase ascii wide\n \/\/ Description: Antivirus signature - a tool used within a command-line interface on 64bit Windows computers to extract the NTLM (LanMan) hashes from LSASS.exe in memory. This tool may be used in conjunction with malware or other penetration testing tools to obtain credentials for use in Windows authentication systems\n \/\/ Reference: N\/A"}
{"name":"$string13","value":"\/Backdoor\\:Python\\\/\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string14","value":"\/Backdoor\\:VBS\\\/\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string15","value":"\/Backdoor\\:Win32\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string16","value":"\/Backdoor\\:Win64\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string17","value":"\/Backdoor\\:Win64\\\/CobaltStrike\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string18","value":"\/Behavior\\:Win32\\\/CobaltStrike\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string19","value":"\/BKDR_JSPSHELL\\.\/ nocase ascii wide\n \/\/ Description: Antivirus signature_keyword for hacktool clearing logs\n \/\/ Reference: N\/A"}
{"name":"$string20","value":"\/Clearlogs\/ nocase ascii wide\n \/\/ Description: windows defender antivirus signature for UAC bypass\n \/\/ Reference: N\/A"}
{"name":"$string21","value":"\/CobaltStrike\\.LJ\\!MTB\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string22","value":"\/Exploit\\:Python\\\/\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword observed with meterpreter exploits\n \/\/ Reference: N\/A"}
{"name":"$string23","value":"\/Exploit\\:Win32\\\/CVE\\-\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword observed with meterpreter exploits\n \/\/ Reference: N\/A"}
{"name":"$string24","value":"\/Exploit\\:Win64\\\/CVE\\-\/ nocase ascii wide\n \/\/ Description: hacktool keyword. a repository could be named as such. o AV signature\n \/\/ Reference: N\/A"}
{"name":"$string25","value":"\/hacktool\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string26","value":"\/HackTool\\.ASP\\..{0,1000}\\.\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string27","value":"\/HackTool\\.HTML\\..{0,1000}\\..{0,1000}\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string28","value":"\/HackTool\\.Java\\..{0,1000}\\.\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string29","value":"\/Hacktool\\.Linux\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string30","value":"\/HackTool\\.PHP\\..{0,1000}\\.\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string31","value":"\/Hacktool\\.Windows\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string32","value":"\/Hacktool\\\/Win\\.\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string33","value":"\/HackTool\\:Linux\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string34","value":"\/HackTool\\:MSIL\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string35","value":"\/HackTool\\:PowerShell\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string36","value":"\/HackTool\\:PowerShell\\\/\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string37","value":"\/HackTool\\:Python\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string38","value":"\/HackTool\\:Python\\\/\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string39","value":"\/Hacktool\\:Script\\\/\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string40","value":"\/Hacktool\\:SH\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string41","value":"\/Hacktool\\:VBA\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string42","value":"\/HackTool\\:VBS\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string43","value":"\/HackTool\\:Win32\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string44","value":"\/HackTool\\:Win32\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string45","value":"\/HackTool\\:Win64\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string46","value":"\/HackTool\\:Win64\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string47","value":"\/HackTool\\:Win64\\\/CobaltStrike\/ nocase ascii wide\n \/\/ Description: Antivirus signature_keyword for hacktool\n \/\/ Reference: N\/A"}
{"name":"$string48","value":"\/HKTL\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string49","value":"\/HKTL_NETCAT\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string50","value":"\/HTool\/ nocase ascii wide\n \/\/ Description: Generic hacktool Engine signature\n \/\/ Reference: N\/A"}
{"name":"$string51","value":"\/HTool\\\/WCE\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string52","value":"\/impacket\/ nocase ascii wide\n \/\/ Description: Dump LSASS memory through a process snapshot (-r) avoiding interacting with it directly\n \/\/ Reference: lsass dump malware signature"}
{"name":"$string53","value":"\/Lsass\\-Mdump\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string54","value":"\/MSFPsExeCommand\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string55","value":"\/PowerShell\\\/HackTool\/ nocase ascii wide\n \/\/ Description: highly revelant Antivirus signature. phishing tools\n \/\/ Reference: N\/A"}
{"name":"$string56","value":"\/PShlSpy\/ nocase ascii wide\n \/\/ Description: highly revelant Antivirus signature. Programs classified as PSWTool can be used to view or restore forgotten often hidden passwords. They can also be used with malicious intent. even though the programs themselves have no malicious payload.\n \/\/ Reference: N\/A"}
{"name":"$string57","value":"\/PSWtool\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string58","value":"\/PUA\\:Win32\\\/AmmyyAdmin\/ nocase ascii wide\n \/\/ Description: Antivirus signature - a tool used within a command-line interface on 64bit Windows computers to extract the NTLM (LanMan) hashes from LSASS.exe in memory. This tool may be used in conjunction with malware or other penetration testing tools to obtain credentials for use in Windows authentication systems\n \/\/ Reference: N\/A"}
{"name":"$string59","value":"\/PWDump\\s\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string60","value":"\/PWS\\:Win32\\\/Mpass\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword for ransomware\n \/\/ Reference: https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/blackcat-ransomware-deploys-new-signed-kernel-driver\/indicators-blackcat-ransomware-deploys-new-signed-kernel-driver.txt"}
{"name":"$string61","value":"\/Ransom\\.Win32\\.\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string62","value":"\/Ransom\\:Linux\\\/BlackBasta\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string63","value":"\/Ransom\\:Win32\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string64","value":"\/Ransom\\:Win32\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string65","value":"\/Ransom\\:Win32\\\/BlackBasta\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string66","value":"\/Ransom\\:Win64\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string67","value":"\/Ransom_Petya\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string68","value":"\/Ransom_WCRY\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword for remote administration tools \n \/\/ Reference: N\/A"}
{"name":"$string69","value":"\/RemAdm\/ nocase ascii wide\n \/\/ Description: RemoteUtilities Remote Access softwares\n \/\/ Reference: https:\/\/www.remoteutilities.com\/"}
{"name":"$string70","value":"\/RemoteAdmin\\.RemoteUtilities\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword for ransomware\n \/\/ Reference: https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/blackcat-ransomware-deploys-new-signed-kernel-driver\/indicators-blackcat-ransomware-deploys-new-signed-kernel-driver.txt"}
{"name":"$string71","value":"\/Rootkit\\.Win64\\.\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string72","value":"\/SPR\\\/Ammyy\\.R\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string73","value":"\/SupportScam\\:Win32\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string74","value":"\/Tojan\\:Win32\\\/Goodkit\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string75","value":"\/TROJ_ZIPBOMB\\.\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string76","value":"\/Trojan\\.Linux\/ nocase ascii wide\n \/\/ Description: RemoteUtilities Remote Access softwares\n \/\/ Reference: https:\/\/www.remoteutilities.com\/"}
{"name":"$string77","value":"\/Trojan\\.RemoteUtilitiesRAT\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string78","value":"\/Trojan\\.Win32\\..{0,1000}\\.\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string79","value":"\/Trojan\\.Win64\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string80","value":"\/Trojan\\.WinGo\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string81","value":"\/Trojan\\\/Win32\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string82","value":"\/Trojan\\\/Win64\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string83","value":"\/Trojan\\:MacOS\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword for xeno rat client.exe\n \/\/ Reference: N\/A"}
{"name":"$string84","value":"\/Trojan\\:MSIL\\\/Dothetuk\\.\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string85","value":"\/Trojan\\:PowerShell\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string86","value":"\/Trojan\\:PowerShell\\\/BatLoader\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string87","value":"\/Trojan\\:Python\\\/BatLoader\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string88","value":"\/Trojan\\:Win32\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string89","value":"\/Trojan\\:Win32\\\/Batloader\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string90","value":"\/Trojan\\:Win32\\\/EugenLoader\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string91","value":"\/Trojan\\:Win32\\\/Gozi\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string92","value":"\/Trojan\\:Win32\\\/IceId\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string93","value":"\/Trojan\\:Win32\\\/Smokeloader\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string94","value":"\/Trojan\\:Win32\\\/Trickbot\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string95","value":"\/Trojan\\:Win64\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string96","value":"\/Trojan\\:Win64\\\/IcedID\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string97","value":"\/Trojan\\:Win64\\\/IceId\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string98","value":"\/Trojan\\:Win64\\\/Lumma\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string99","value":"\/TrojanDownloader\\:PowerShell\\\/EugenLoader\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string100","value":"\/TrojanDownloader\\:PowerShell\\\/Malgent\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string101","value":"\/TrojanDropper\\:PowerShell\\\/\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string102","value":"\/TrojanDropper\\:Win32\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string103","value":"\/TrojanSpy\\.Win64\/ nocase ascii wide\n \/\/ Description: antivirus signatures\n \/\/ Reference: N\/A"}
{"name":"$string104","value":"\/TrojanSpy\\:MSIL\\\/JSSLoader\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string105","value":"\/TrojanSpy\\:MSIL\\\/JSSLoader\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string106","value":"\/VirTool.{0,1000}RemoteExec\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string107","value":"\/VirTool\\:MSIL\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string108","value":"\/VirTool\\:PowerShell\\\/Dipadz\\.\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string109","value":"\/VirTool\\:Win32\/ nocase ascii wide\n \/\/ Description: AV signature often associated with C2 communications (cobaltstrike for example)\n \/\/ Reference: N\/A"}
{"name":"$string110","value":"\/VirTool\\:Win32\\\/RemoteExec\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string111","value":"\/Win32\\.PUA\\.AmmyyAdmin\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string112","value":"\/Win32\\.Trojan\/ nocase ascii wide\n \/\/ Description: antivirus signatures\n \/\/ Reference: N\/A"}
{"name":"$string113","value":"\/Win32\\\/Goodkit\/ nocase ascii wide\n \/\/ Description: antivirus signatures\n \/\/ Reference: N\/A"}
{"name":"$string114","value":"\/Win32\\\/IceId\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string115","value":"\/Win32\\\/Mikatz\/ nocase ascii wide\n \/\/ Description: antivirus signatures\n \/\/ Reference: N\/A"}
{"name":"$string116","value":"\/Win32\\\/Trickbot\/ nocase ascii wide\n \/\/ Description: windows defender antivirus signature for UAC bypass\n \/\/ Reference: N\/A"}
{"name":"$string117","value":"\/Win32\\\/UACBypass\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string118","value":"\/Win32\\:Trojan\/ nocase ascii wide\n \/\/ Description: antivirus signatures\n \/\/ Reference: N\/A"}
{"name":"$string119","value":"\/Win64\\\/IceId\/ nocase ascii wide\n \/\/ Description: AV signature for exploitation tools\n \/\/ Reference: N\/A"}
{"name":"$string120","value":"\/Win64\\\/Mikatz\/ nocase ascii wide\n \/\/ Description: Antiviurs signature_keyword\n \/\/ Reference: N\/A"}
{"name":"$string121","value":"\/Windows\\.Hacktool\\.\/ nocase ascii wide"}
Threat Analysis
This YARA rule is designed to detect general threats.
Severity Level: Medium
The rule uses pattern matching to identify specific byte sequences, strings, or behavioral patterns associated with malicious activity.
Detection Capabilities
- File-based detection for executables and documents
- Memory scanning for running processes
- Network traffic analysis support
Command Line Usage
# Scan a single file yara Antivirus_Signature.yar /path/to/suspicious/file # Scan a directory recursively yara -r Antivirus_Signature.yar /path/to/directory/ # Scan with metadata output yara -m Antivirus_Signature.yar target_file # Scan process memory (Linux) yara Antivirus_Signature.yar /proc/[pid]/exe
Integration Examples
Python (yara-python)
import yara
rules = yara.compile(filepath='Antivirus_Signature.yar')
matches = rules.match('/path/to/file')
ClamAV Integration
clamscan --yara-rules=Antivirus_Signature.yar /path/to/scan
Rule Information
YARA ID
YARA-2025-2240
Author
Repository
Created
August 19, 2025
Last Updated
August 19, 2025
Last Imported
Never
Threat Intelligence
Risk Level
Medium
Category
general
Detection Confidence
Analysis Pending
False Positive Rate
Not Available
Last Seen in Wild
No Data
Related Rules
Export Options
Similar Rules in general
YARA-2023-0001
CRI
Detect_Mimic_Ransomware
Detect_Mimic_Ransomware
YARA-2023-0002
MED
SystemBC_malware
Detect_SystemBC
YARA-2023-0003
MED
detect_catB
detect_CatB_ransomware
YARA-2022-0001
MED
detect_Typhon_Stealer
detect_Typhon_Stealer
YARA-2023-0004
MED
Nosu_stealer
Detect_Nosu_stealer
YARA-2022-0002
MED
detect_Lumma_stealer
detect_Lumma_stealer
YARA-2022-0003
MED
detect_StrelaStealer
detect_StrelaStealer
YARA-2022-0004
MED
detect_silence_Downloader
detect_silence_Downloader