new: [stealer] from https://github.com/MalBeacon/what-is-this-stealer/

rules/stealer/ailurophile.yara

@@ -0,0 +1,16 @@
+rule Ailurophile
+{
+    meta:
+        author = "MalBeacon"
+        description = "Ailurophile system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "Allowed Extensions:" ascii
+        $x2 = "PC Type:" ascii
+        $x3 = "Folders to Search:" ascii
+        $x4 = "Screen Resolution:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/arechclientv2.yara

@@ -0,0 +1,17 @@
+rule ArechClientV2
+{
+    meta:
+        author = "MalBeacon"
+        description = "ArechClientV2 system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "FileLocation:" ascii
+        $x2 = "HWID:" ascii
+        $x3 = "Available KeyboardLayouts:" ascii
+        $x4 = "Hardwares:" ascii
+        $y1 = "MachineName:" ascii
+
+    condition:
+        ($x1 and $x2 and $x3 and $x4) and not $y1
+}

rules/stealer/astris.yara

@@ -0,0 +1,19 @@
+rule Astris
+{
+    meta:
+        author = "MalBeacon"
+        description = "Astris system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "[Network]" ascii
+        $x2 = "Public IP Address:" ascii
+        $x3 = "Internet Provider:" ascii
+        $x4 = "Product Key:" ascii
+        $x5 = "Antiviruses:" ascii
+        $x6 = "[Machine]" ascii
+        $x7 = "Build:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/atomic.yara

@@ -0,0 +1,18 @@
+rule Atomic
+{
+    meta:
+        author = "MalBeacon"
+        description = "Atomic system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "Userinfo:" ascii
+        $x2 = "MetaMask Info:" ascii
+        $x3 = "Private Keys:" ascii
+        $x4 = "Debanks:" ascii
+        $x5 = "ProductName:        macOS" ascii
+        $x6 = "BuildVersion:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/banshee.yara

@@ -0,0 +1,19 @@
+rule Banshee
+{
+    meta:
+        author = "MalBeacon"
+        description = "Banshee system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "HWID:" ascii
+        $x2 = "Log Date:" ascii
+        $x3 = "Build Name:" ascii
+        $x4 = "Country Code:" ascii
+        $x5 = "User Name:" ascii
+        $x6 = "Operation System:" ascii
+        $y1 = "Screen Resolution:" ascii
+
+    condition:
+        ($x1 and $x2 and $x3 and $x4 and $x5 and $x6) and not $y1
+}

rules/stealer/blankgrabber.yara

@@ -0,0 +1,18 @@
+rule BlankGrabber
+{
+    meta:
+        author = "MalBeacon"
+        description = "BlankGrabber system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "Host Name:" ascii
+        $x2 = "Registered Owner:" ascii
+        $x3 = "Windows Directory:" ascii
+        $x4 = "Domain:" ascii
+        $x5 = "Logon Server:" ascii
+        $x6 = "BIOS Version:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/cryptbot.yara

@@ -0,0 +1,18 @@
+rule CryptBot
+{
+    meta:
+        author = "MalBeacon"
+        description = "CryptBot system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "UserName (ComputerName):" ascii
+        $x2 = "Local Date and Time:" ascii
+        $x3 = "OS:" ascii
+        $x4 = "Display Resolution:" ascii
+        $x5 = "RAM:" ascii
+        $x6 = "GPU:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/darkcrystal.yara

@@ -0,0 +1,16 @@
+rule DarkCrystal
+{
+    meta:
+        author = "MalBeacon"
+        description = "DarkCrystal system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "Monitors:" ascii
+        $x2 = "Save Time:" ascii
+        $x3 = "LANIP:" ascii
+        $x4 = ".NET Framework Version:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/luca.yara

@@ -0,0 +1,18 @@
+rule Luca
+{
+    meta:
+        author = "MalBeacon"
+        description = "Luca system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "- IP Info -" ascii
+        $x2 = "- PC Info -" ascii
+        $x3 = "Antivirus:" ascii
+        $x4 = "- Other Info -" ascii
+        $x5 = "- Log Info -" ascii
+        $x6 = "FileLocation:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/lumma.yara

@@ -0,0 +1,18 @@
+rule Lumma
+{
+    meta:
+        author = "MalBeacon"
+        description = "Lumma system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "- LummaC2 Build:" ascii
+        $x2 = "- LID:" ascii
+        $x3 = "- Configuration: " ascii
+        $x4 = "- Display resolution:" ascii
+        $x5 = "- HWID:" ascii
+        $x6 = "- OS Version:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/lumma2.yara

@@ -0,0 +1,17 @@
+rule Lumma2
+{
+    meta:
+        author = "fabamatic"
+        description = "Lumma2 system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "LummaC2, Build:" ascii
+        $x2 = "LID (Lumma ID):" ascii
+        $x3 = "- Screen resolution:" ascii
+        $x4 = "- HWID:" ascii
+        $x5 = "- OS Version:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/meduza.yara

@@ -0,0 +1,18 @@
+rule Meduza
+{
+    meta:
+        author = "MalBeacon"
+        description = "Meduza system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "HWID:" ascii
+        $x2 = "Log Date:" ascii
+        $x3 = "Build Name:" ascii
+        $x4 = "Computer Name:" ascii
+        $x5 = "Operation System:" ascii
+        $x6 = "Execute Path:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/noxy.yara

@@ -0,0 +1,18 @@
+rule Noxy
+{
+    meta:
+        author = "MalBeacon"
+        description = "Noxy system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "User:" ascii
+        $x2 = "Process Executable Path:" ascii
+        $x3 = "Uptime:" ascii
+        $x4 = "ScreenResolution:" ascii
+        $x5 = "Operating System:" ascii
+        $x6 = "Disk Devices:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/phemedrone.yara

@@ -0,0 +1,18 @@
+rule Phemedrone
+{
+    meta:
+        author = "MalBeacon"
+        description = "Phemedrone system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "----- Geolocation Data -----" ascii
+        $x2 = "----- Hardware Info -----" ascii
+        $x3 = "----- Report Contents -----" ascii
+        $x4 = "----- Miscellaneous -----" ascii
+        $x5 = "Clipboard text:" ascii
+        $x6 = "Antivirus products:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/raccoon.yara

@@ -0,0 +1,18 @@
+rule Raccoon
+{
+    meta:
+        author = "MalBeacon"
+        description = "Raccoon system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "System Information:" ascii
+        $x2 = "Bot_ID:" ascii
+        $x3 = "Launched at:" ascii
+        $x4 = "Build compile date:" ascii
+        $x5 = "Installed Apps:" ascii
+        $x6 = "-------------" ascii
+
+    condition:
+        all of them
+}

rules/stealer/raccoon2.yara

@@ -0,0 +1,18 @@
+rule Raccoon2
+{
+    meta:
+        author = "MalBeacon"
+        description = "Raccoon2 system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "System Information: " ascii
+        $x2 = "User ID:" ascii
+        $x3 = "Last seen:" ascii
+        $x4 = "Build:" ascii
+        $x5 = "IP info:" ascii
+        $x6 = "Installed applications:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/redline.yara

@@ -0,0 +1,18 @@
+rule RedLine
+{
+    meta:
+        author = "MalBeacon"
+        description = "RedLine system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "Build ID: " ascii
+        $x2 = "FileLocation:" ascii
+        $x3 = "UserName:" ascii
+        $x4 = "MachineName:" ascii
+        $x5 = "Log date:" ascii
+        $x6 = "Hardwares:" ascii
+
+    condition:
+        all of them
+}

rules/stealer/risepro.yara

@@ -0,0 +1,18 @@
+rule RisePro
+{
+    meta:
+        author = "MalBeacon"
+        description = "RisePro system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "Build: " ascii
+        $x2 = "Version:" ascii
+        $x3 = "MachineID:" ascii
+        $x4 = "GUID:" ascii
+        $x5 = "[Hardware]" ascii
+        $x6 = "[Processes]" ascii
+
+    condition:
+        all of them
+}

rules/stealer/rlstealer.yara

@@ -0,0 +1,18 @@
+rule RLStealer
+{
+    meta:
+        author = "MalBeacon"
+        description = "RLStealer system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "==================================================" ascii
+        $x2 = "ClipBoard :" ascii
+        $x3 = "PC user :" ascii
+        $x4 = "Current time :" ascii
+        $x5 = "HWID :" ascii
+        $x6 = "BSSID :" ascii
+
+    condition:
+        all of them
+}

rules/stealer/skalka.yara

@@ -0,0 +1,17 @@
+rule Skalka
+{
+    meta:
+        author = "MalBeacon"
+        description = "Skalka system information file"
+        reference = "https://github.com/MalBeacon/what-is-this-stealer"
+
+    strings:
+        $x1 = "Operation System:" ascii
+        $x2 = "Current JarFile Path:" ascii
+        $x3 = "Width:" ascii
+        $x4 = "UserName" ascii
+        $x5 = "Language & Country:" ascii
+
+    condition:
+        all of them
+}