From 4933c4d4488d15533af9aa6262885568dbbfb172 Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Thu, 16 Oct 2025 13:12:25 -0600
Subject: [PATCH 1/2] Add DarkCloud, ChaosBot yara rules

---
 data/yara/CAPE/ChaosBot.yar | 24 ++++++++++++++++++++++
 data/yara/CAPE/DarkCloud.yar | 39 ++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 data/yara/CAPE/ChaosBot.yar
 create mode 100644 data/yara/CAPE/DarkCloud.yar

diff --git a/data/yara/CAPE/ChaosBot.yar b/data/yara/CAPE/ChaosBot.yar
new file mode 100644
index 00000000000..1a2e472a2b7
--- /dev/null
+++ b/data/yara/CAPE/ChaosBot.yar
@@ -0,0 +1,24 @@
+rule ChaosBot
+{
+ meta:
+ author = "YungBinary"
+ description = "https://x.com/YungBinary/status/1976580501508182269"
+ cape_type = "ChaosBot Payload"
+ strings:
+ $s1 = { 48 6f 73 74 20 20 63 6f 6e 6e 65 63 74 65 64 2c 20 63 68 61 6e 6e 65 6c 20 63 72 65 61 74 65 64 3a 20 3c }
+ $s2 = { 73 68 65 6c 6c 20 64 6f 77 6e 6c 6f 61 64 20 63 64 20 46 61 69 6c 65 64 20 74 6f 20 63 68 61 6e 67 65 20 64 69 72 65 63 74 6f 72 79 3a }
+ $s3 = { 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74 41 6d 73 69 53 63 61 6e 42 75 66 66 65 72 45 74 77 45 76 65 6e 74 57 72 69 74 65 43 4f 4d 50 55 54 45 52 4e 41 4d 45 }
+ $s4 = { 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 6d 65 73 73 61 67 65 5f 2e 74 78 74 }
+ $bypass = {
+ 74 ??
+ 66 C7 03 31 C0
+ C6 43 02 C3
+ }
+ $antivm = {
+ 48 ?? 30 30 3A 30 43 3A 32 39
+ 49 39 ?? 00
+ }
+ condition:
+ uint16(0) == 0x5a4d and (1 of ($s*) or ($antivm and $bypass))
+
+}
diff --git a/data/yara/CAPE/DarkCloud.yar b/data/yara/CAPE/DarkCloud.yar
new file mode 100644
index 00000000000..3577d694fcd
--- /dev/null
+++ b/data/yara/CAPE/DarkCloud.yar
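Review bot: `$s1`–`$s4` in the ChaosBot `strings:` section are hex-encoded printable ASCII (`$s4`, for instance, decodes to `C:\Users\Public\message_.txt`), which makes them harder to review and to catch transcription errors in than the equivalent text strings; `$s4 = "C:\\Users\\Public\\message_.txt" ascii` expresses the same bytes, and hex form is mainly useful where a pattern carries wildcards or non-printable bytes, as `$bypass` and `$antivm` do. The second arm of the condition, `$antivm and $bypass`, is satisfied by two short code patterns (ten fixed bytes in `$bypass`, twelve in `$antivm`) with no family-specific string required, so it may also match unrelated samples that share those generic sequences; requiring one `$s*` string in that arm, or recording in `meta` which sample set justified the pair on its own, would make the intended coverage explicit. The `description` field holds only a social-media URL; a short description of the family with the link moved to a `reference` field reads better in the rule list and survives link rot.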
@@ -0,0 +1,39 @@
+rule DarkCloud {
+ meta:
+ author = "YungBinary"
+ description = "https://x.com/YungBinary/status/1971585972912689643"
+ cape_type = "DartCloud Payload"
+ strings:
+ $darkcloud1 = "===============DARKCLOUD===============" fullword wide
+ $creds1 = "@GateUrl" wide
+ $creds2 = "@StrFtpUser" wide
+ $creds3 = "@StrFtpPass" wide
+ $creds4 = "@StrFtpServer" wide
+ $creds5 = "@StrReceiver" wide
+ $creds6 = "@StrSmtpUser" wide
+ $creds7 = "@StrSmtpPass" wide
+ $sql1 = "SELECT item1 FROM metadata" wide
+ $sql2 = "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards" wide
+ $sql3 = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins" wide
+ $sql4 = "SELECT address FROM ConversationRecipients" wide
+ $sql5 = "SELECT address FROM ConversationSenders" wide
+ $app1 = "Application : Pidgin" wide
+ $app2 = "Application: CoreFTP" wide
+ $app3 = "Application: WinSCP" wide
+ $app4 = "Application: Outlook" wide
+ $app5 = "Application : FileZilla" fullword wide
+ $fingerprint1 = "Computer Name: " fullword wide
+ $fingerprint2 = "OS FullName: " fullword wide
+ $fingerprint3 = "CPU: " fullword wide
+ $fingerprint4 = "SELECT * FROM Win32_Processor" fullword wide
+ $fingerprint5 = "SELECT * FROM Win32_OperatingSystem" fullword wide
+ condition:
+ uint16(0) == 0x5a4d and
+ (
+ $darkcloud1 and 1 of ($creds*) or
+ (3 of ($creds*) and 1 of ($sql*)) or
+ (2 of ($sql*) and 2 of ($app*)) or
+ (2 of ($creds*) and 2 of ($fingerprint*)) or
+ (2 of ($app*) and 2 of ($fingerprint*) and 1 of ($sql*))
+ )
+}

From d371f371f909aceb49be0c221e2c7808f2d40497 Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Thu, 16 Oct 2025 13:14:23 -0600
Subject: [PATCH 2/2] Fix typo

---
 data/yara/CAPE/DarkCloud.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/yara/CAPE/DarkCloud.yar b/data/yara/CAPE/DarkCloud.yar
index 3577d694fcd..bfca023665c 100644
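Review bot: The first arm of the DarkCloud condition, `$darkcloud1 and 1 of ($creds*) or`, is the only one of the five without parentheses; YARA's `and` binds tighter than `or`, so it evaluates as intended, but `($darkcloud1 and 1 of ($creds*)) or` keeps it consistent with the other arms and spares the reader from recalling precedence. Separately, the arms `(2 of ($sql*) and 2 of ($app*))` and `(2 of ($app*) and 2 of ($fingerprint*) and 1 of ($sql*))` contain no family-specific marker: the `$sql*` queries appear to read browser and mail-client stores that many infostealer families query in the same words, and the `$fingerprint*` strings are ordinary system-inventory labels, so those arms may label unrelated stealers as `DarkCloud Payload`; requiring `$darkcloud1` or one `$creds*` string alongside them would tighten attribution while keeping the samples the `@Str*` names identify. Since `cape_type` is presumably what CAPE uses to label the payload, a one-line `meta` note on the intended coverage of the looser arms would help whoever next tunes the rule.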
--- a/data/yara/CAPE/DarkCloud.yar
+++ b/data/yara/CAPE/DarkCloud.yar
@@ -2,7 +2,7 @@ rule DarkCloud {
 meta:
 author = "YungBinary"
 description = "https://x.com/YungBinary/status/1971585972912689643"
- cape_type = "DartCloud Payload"
+ cape_type = "DarkCloud Payload"
 strings:
 $darkcloud1 = "===============DARKCLOUD===============" fullword wide
 $creds1 = "@GateUrl" wide