Small Compiler fix

BLUESPAWN-win-client/external/CustomBackdoor.yar

@@ -0,0 +1,10 @@
+rule Joe_Sandbox_Rule_Id_871884_6FBB1657
+{
+	meta:
+		author = "Joe Sandbox Cloud Basic 37.1.0 Beryl"
+		description = "Opcode Rule for Process IMG001.exe, Function 6FBB1657"
+	strings:
+		$opcodes = {558B??83????83??????53568B??????????57FF??????????6A??5B53FF??FF??????????89????53FF??FF??????????8B??5389????FF??FF??????????89????53FF??FF??????????8B??6A??89????FF??33??8B??5233??52FF??????????89????FF??????????89????89????8B????89????89????A1????????89????8B????68????????C7????????????89????????????89????89????89????89????89????89????89????FF??????????8B??89????85??0F84????????83??????8D????508D????506A??53C7????????????FF??????????8B??????????33??4185??74??F6??????74??83??????6A??8D????506A??5389????FF??83????????????76??6A??68????????6A??53FF??89????83????????????76??6A??68????????6A??53FF??68????????FF??????????85??0F84????????68????????50FF??????????A3????????E9????????68????????FF??????????FF??????????85??0F84????????68????????E8????????85??0F85????????68????????FF??????????FF??????????85??0F84????????8B????8B????33??33??4289??????????88??8B????88??5188??8B????5288??68????????FF????88??89??????????89??????????FF??????????83????????????75??8A??????????33??33??84??0F95??525283????5052BA????????84??6A??B8????????0F45??5068????????FF??????????8B??89????83????75??C7??????????????????E9????????8B????80????????????A1????????89????89????89????89????89????74??6A??51FF??????????A3????????8D????506A??6A??FF??????????FF??????????85??0F84????????80????74??8B????80????74??505668????????68????????FF??????????83????B8????????68????????5050FF??????????50E8????????83????C6????????????FF????57FF??????????FF??????????A3????????80????????????8B????74??83????75??83????????????74??33??505050FF????A3????????FF??????????8B????A1????????89????33??6A??83????BA????????0F44??5033??6A??42583B??0F44??50FF????C7??????????????????FF??????????33??85??0F4F????5156FF??????????33??85??0F4F??51FF????FF????53FF??????????8B??85??0F84????????33??40C7??????????????????5739????75??53E8????????5959EB??FF????53E8????????83????83????????????8B??74??85??0F84????????56FF??????????33??85??0F84????????80????????????0F84????????6A??8D????5068????????6A??56C7????????????FF??????????85??74??8B??????????85??74??8B??????????33??3B??????????73??3B????73??8A??????????88????8B??????????424189??????????3B??????????73??8B??????????EB??6A??8D????50FF????68????????FF????FF??????????83????????????E9????????68????????FF????FF??????????6A??6A??68????????68????????FF????8B??FF??????????83????????????B8????????B9????????0F45??5168????????FF????FF??????????50FF??????????83????????????B9????????B8????????0F45??5068????????FF????FF??????????50FF??????????83????????????6A??5775??FF??????????83????EB??FF??????????83????506A??57FF??????????33??83????????????6A??0F94??5068????????68????????FF????FF??????????56FF????E8????????80????????????595974??33??4039????74??33??50505056FF??????????5689????E8????????5956FF??????????8B????53FF??????????8B????33??43E9????????33??43C7??????????????????39????75??8D????5068????????8D????50C7????????????FF??????????85??74??68????????68????????E8????????595985??74??68????????68????????E8????????59596A??50A1????????C1????05????????50FF??????????EB??FF??????????89????3D????????74??3D????????75??0FB6??????????80????????????0F44??A2????????80????????????74??39????75??A1????????3B????76??A1????????83????75??8B??????????6A??68????????FF??85??75??5068????????C7??????????????????FF??8B????85??0F84????????A1????????80????????????0F84????????85??0F84????????83????0F84????????83????0F84????????8B??????????6A??FF????FF??83????74??80????????????6A??B9????????B8????????0F44??5068????????FF????FF??????????50FF??????????83????75??6A??5833??38??????????A3????????0F45??50FF????FF??85??75??5068????????FF??????????8B????85??0F84????????EB??C7??????????????????EB??8B????FF????FF??????????80????????????75??83????????????74??83????????????74??FF??????????E8????????85??0F84????????EB??68????????FF??????????89????53FF??????????68????????FF??????????FF??????????85??75??FF??????????E8????????EB??C7??????????????????FF????8B??????????FF??57FF??FF????FF??FF????FF??FF????FF??FF????FF??????????5F5E5B85??74??6A??68????????68????????FF????FF??????????A1????????C9C2????}
+	condition:
+		any of them
+}

BLUESPAWN-win-client/external/DridexLoader.yar

@@ -0,0 +1,11 @@
+rule DridexLoader
+{
+    meta:
+        author = "kevoreilly"
+        description = "DridexLoader API Spam Bypass"
+        cape_options = "bp0=$trap-13,action0=ret,count=0"
+    strings:
+        $trap = {6A 50 6A 14 6A 03 5A 8D 4C 24 ?? E8 [4] 68 [4] 68 [4] E8 [4] 85 C0 74 05}
+    condition:
+        uint16(0) == 0x5A4D and $trap
+}

BLUESPAWN-win-client/external/DridexLoader_C2Parse.yar

@@ -0,0 +1,17 @@
+rule DridexLoader
+{
+    meta:
+        author = "kevoreilly"
+        description = "Dridex v4 dropper C2 parsing function"
+        cape_type = "DridexLoader Payload"
+
+    strings:
+        $c2parse_1 = {57 0F 95 C0 89 35 [4] 88 46 04 33 FF 80 3D [4] 00 76 54 8B 04 FD [4] 8D 4D EC 83 65 F4 00 89 45 EC 66 8B 04 FD [4] 66 89 45 F0 8D 45 F8 50}
+        $c2parse_2 = {89 45 00 0F B7 53 04 89 10 0F B6 4B 0C 83 F9 0A 7F 03 8A 53 0C 0F B6 53 0C 85 D2 7E B7 8D 74 24 0C C7 44 24 08 00 00 00 00 8D 04 7F 8D 8C 00}
+        $c2parse_3 = {89 08 66 39 1D [4] A1 [4] 0F 95 C1 88 48 04 80 3D [4] 0A 77 05 A0 [4] 80 3D [4] 00 56 8B F3 76 4E 66 8B 04 F5}
+        $c2parse_4 = {0F B7 C0 89 01 A0 [4] 3C 0A 77 ?? A0 [4] A0 [4] 57 33 FF 84 C0 74 ?? 56 BE}
+        $c2parse_5 = {0F B7 05 [4] 89 02 89 15 [4] 0F B6 15 [4] 83 FA 0A 7F 07 0F B6 05 [4] 0F B6 05 [4] 85 C0}
+        $c2parse_6 = {0F B7 53 ?? 89 10 0F B6 4B ?? 83 F9 0A 7F 03 8A 53 ?? 0F B6 53 ?? 85 D2 7E B9}
+    condition:
+        uint16(0) == 0x5A4D and any of them
+}

BLUESPAWN-win-client/external/Dridex_thread_inject_routine.yar

@@ -0,0 +1,10 @@
+rule Joe_Sandbox_Rule_Id_595302_00007FFFEF98BAE0
+{
+	meta:
+		author = "Joe Sandbox Cloud Basic 34.0.0 Boulder Opal"
+		description = "Opcode Rule for Process msra.exe, Function 00007FFFEF98BAE0"
+	strings:
+		$opcodes = {????????????????????555657??????????????????????????????????????????????????????????????????????????BA????????B9????????????????????????????E8??????????????????33??E8??????????????????33????????????????????E8????????????????????????????E8??????????????????????85??0F8E????????33????????908B????????E8????????????????????????E8??????????????????8D????E8??????????????????????????E8??????????????????8D????E8????????8B??????????????E8??????????????????8B??E8??????????????????8D????E8??????????????????E8??????????????????8D????E8????????83??????????89??0F85????????8B??????????????????33??E8??????????????????33??E8??????????????????????????????????????????E8??????????????????????E8??????????????????????E8????????????????E8??????????????????8B??E8??????????????????33??E8????????????????33????????E8????????????????????E8??????????????????E8????????B9????????8D????89??????????E8??????????????A8??74????????????????75??BA????????B9????????E8??????????????A8??74????????????????75????????0F84??????????????0F84????????????????33??????????????E8??????????????????????33??89??????????E8??????????????????????????????????????????????????????E8????????????????????????????????????E8??????????????89????????????????????????????????E8????????BA????????89??????????????????B9??????????????????????E8????????BA????????B9??????????????E8??????????????74????????????????????????????????????????????????????????????????FF??BA????????B9??????????????????????E8????????BA????????B9????????????????E8????????BA????????B9????????????????E8????????BA????????B9????????????????E8????????BA????????B9????????????????E8????????BA????????B9????????????????E8????????BA????????B9????????????????E8????????BA????????B9????????????????E8??????????????BA??????????????????????E8??????????????????????????????33??E8????????????????????75??0F1F??????83????74??B9????????E8????????????????????????FF??E8????????????????????74??EB??????????????????0F84??????????????0F85????????????????????E8??????????????BA??????????????E8??????????????75??90????????????????33??E8????????????????????75??83????74??B9????????E8????????????????????????FF??E8????????????????????74??EB??????????????????0F84????????????????????E8??????????????BA??????????????E8??????????????74??0F1F??BA????????B9????????E8????????BA????????B9??????????????E8??????????????0F84??????????????????????????????????????????????????FF??85??0F84????????????????????????33??E8????????????????????75??83????74??B9????????E8????????????????????????FF??E8????????????????????74??EB??????????????????0F85????????????????E8????????????????E8??????????????????E8????????????????E8??????????????????E8??????????????????E8????????32????????????????????????????????????????????????5F5E5DC3??????????????????????????C7??????????????E8????????84??75??????????????????????????????33??E8????????????????????75??83????74??B9????????E8????????????????????????FF??E8????????????????????74??EB??????????????????0F84??????????????????????????????????C7??????????????E8????????84??74????????????????BA????????B9????????C7??????????????????????????????E8??????????????74????????????????????????????????????????????????????????FF??85??0F85????????0F1F??????BA????????B9????????E8????????BA????????B9??????????????E8??????????????74????????????????????????????????????FF??85??74??????????????????33??E8????????????????????75??83????74??B9????????E8????????????????????????FF??E8????????????????????74??EB??????????????????0F85????????E9??????????????????E8??????????????????33??8B??E8????????????????????????????????89??????E8??????????????84??0F85????????????????????????????????????????????????????E8????????????????????75??83????74??B9????????E8????????????????????????FF??E8????????????????????74??EB??????????????????0F84??????????????????E8??????????????????33??8B??E8????????????????????????????????89??????E8????????84??74??BA????????B9????????E8??????????????74??????????????????????????????????????????????????????FF??85??0F85????????????????33??E8??????????????????????????????????????????C6????????????E8??????????????????????????????????????????????????????????????????????E8????????BA????????B9????????????????????????????????E8??????????????74????????????????????????????????????????????????????????FF??????????E8????????????????33??8B??E8????????????????????????????????89??????E8????????84??0F85????????????????????????????????????????????????????????E8????????????????????75??83????74??B9????????E8????????????????????????FF??E8????????????????????74??EB??????????????????????????0F84????????E8????????????????33??8B??E8????????????????????????????????89??????E8????????84??74??0F1F??BA????????B9????????E8??????????????74????????????????????????????????????FF??85??74????????????????????????E8????????????????????75??83????74??B9????????E8????????????????????????FF??E8????????????????????74??EB??????????????????75??????????E8????????E9??????????????????????????????BA????????E8????????????????85??0F94??E8????????????????E8????????????????E8??????????????????E8????????????????E8??????????????????E8??????????????????E8????????0FB6??E9????????}
+	condition:
+		any of them
+}

BLUESPAWN-win-client/external/EternalRomance.yar

@@ -0,0 +1,33 @@
+rule EternalRomance
+{
+    meta:
+        author = "kevoreilly"
+        description = "EternalRomance Exploit"
+        cape_type = "EternalRomance Exploit"
+    strings:
+        $SMB1 = "Frag"
+        $SMB2 = "Free"
+        $session7_32_1 = {2A 02 1C 00}
+        $session7_64_1 = {2A 02 28 00}
+        $session8_32_1 = {2A 02 24 00}
+        $session8_64_1 = {2A 02 38 00}
+        $session7_32_2 = {D5 FD E3 FF}
+        $session7_64_2 = {D5 FD D7 FF}
+        $session8_32_2 = {D5 FD DB FF}
+        $session8_64_2 = {D5 FD C7 FF}
+        $ipc = "IPC$"
+        $pipe1 = "atsvc"
+        $pipe2 = "browser"
+        $pipe3 = "eventlog"
+        $pipe4 = "lsarpc"
+        $pipe5 = "netlogon"
+        $pipe6 = "ntsvcs"
+        $pipe7 = "spoolss"
+        $pipe8 = "samr"
+        $pipe9 = "srvsvc"
+        $pipe10 = "scerpc"
+        $pipe11 = "svcctl"
+        $pipe12 = "wkssvc"
+    condition:
+        uint16(0) == 0x5A4D and (all of ($SMB*)) and $ipc and (any of ($session*)) and (any of ($pipe*))
+}

BLUESPAWN-win-client/external/HeavensGate.yar

@@ -0,0 +1,15 @@
+rule HeavensGate
+{
+    meta:
+        author = "kevoreilly"
+        description = "Heaven's Gate: Switch from 32-bit to 64-mode"
+        cape_type = "Heaven's Gate"
+
+    strings:
+        $gate_v1 = {6A 33 E8 00 00 00 00 83 04 24 05 CB}
+        $gate_v2 = {9A 00 00 00 00 33 00 89 EC 5D C3 48 83 EC 20 E8 00 00 00 00 48 83 C4 20 CB}
+        $gate_v3 = {5A 66 BB 33 00 66 53 50 89 E0 83 C4 06 FF 28}
+
+    condition:
+        ($gate_v1 or $gate_v2 or $gate_v3)
+}

BLUESPAWN-win-client/external/IcedID.yar

@@ -0,0 +1,18 @@
+rule IcedID
+{
+    meta:
+        author = "kevoreilly, threathive"
+        description = "IcedID Payload"
+        cape_type = "IcedID Payload"
+    strings:
+        $crypt1 = {8A 04 ?? D1 C? F7 D? D1 C? 81 E? 20 01 00 00 D1 C? F7 D? 81 E? 01 91 00 00 32 C? 88}
+        $crypt2 = {8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3}
+        $crypt3 = {41 00 8B C8 C1 E1 08 0F B6 C4 66 33 C8 66 89 4? 24 A1 ?? ?? 41 00 89 4? 20 A0 ?? ?? 41 00 D0 E8 32 4? 32}
+        $download1 = {8D 44 24 40 50 8D 84 24 44 03 00 00 68 04 21 40 00 50 FF D5 8D 84 24 4C 01 00 00 C7 44 24 28 01 00 00 00 89 44 24 1C 8D 4C 24 1C 8D 84 24 4C 03 00 00 83 C4 0C 89 44 24 14 8B D3 B8 BB 01 00 00 66 89 44 24 18 57}
+        $download2 = {8B 75 ?? 8D 4D ?? 8B 7D ?? 8B D6 57 89 1E 89 1F E8 [4] 59 3D C8 00 00 00 75 05 33 C0 40 EB}
+        $major_ver = {0F B6 05 ?? ?? ?? ?? 6A ?? 6A 72 FF 75 0C 6A 70 50 FF 35 ?? ?? ?? ?? 8D 45 80 FF 35 ?? ?? ?? ?? 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 ?? ?? ?? ?? 83 C4 38 8B E5 5D C3}
+        $stage_2_request_binary = "id="
+        $stage_2_request_img = ".png"
+    condition:
+        any of ($crypt*, $download*, $major_ver) and all of ($stage_2_request_*)
+}

BLUESPAWN-win-client/external/MALW_emotet.yar

@@ -0,0 +1,32 @@
+rule MALW_emotet
+{
+    meta:
+
+        description = "Rule to detect unpacked Emotet"
+        author = "Marc Rivero | McAfee ATR Team"
+        date = "2020-07-21"
+        rule_version = "v1"
+        malware_type = "financial"
+        malware_family = "Backdoor:W32/Emotet"
+        actor_type = "Cybercrime"
+        hash1 = "a6621c093047446e0e8ae104769af93a5a8ed147ab8865afaafbbd22adbd052d"
+        actor_type = "Cybercrime"
+        actor_group = "Unknown"
+
+    strings:
+
+        $pattern_0 = { 8b45fc 8be5 5d c3 55 8bec }
+        $pattern_1 = { 3c39 7e13 3c61 7c04 3c7a 7e0b 3c41 }
+        $pattern_2 = { 7c04 3c39 7e13 3c61 7c04 3c7a 7e0b }
+        $pattern_3 = { 5f 8bc6 5e 5b 8be5 }
+        $pattern_4 = { 5f 668906 5e 5b }
+        $pattern_5 = { 3c30 7c04 3c39 7e13 3c61 7c04 }
+        $pattern_6 = { 53 56 57 8bfa 8bf1 }
+        $pattern_7 = { 3c39 7e13 3c61 7c04 3c7a 7e0b }
+        $pattern_8 = { 55 8bec 83ec14 53 }
+        $pattern_9 = { 5e 8be5 5d c3 55 8bec }
+
+    condition:
+
+        7 of them and filesize < 180224
+}

BLUESPAWN-win-client/external/Qakbot_Payload.yar

@@ -0,0 +1,20 @@
+rule QakBot
+{
+    meta:
+        author = "kevoreilly"
+        description = "QakBot Payload"
+        cape_type = "QakBot Payload"
+
+    strings:
+        $crypto1 = {8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 C9 00 FF FF FF 41}
+        $sha1_1 = {5? 33 F? [0-9] 89 7? 24 ?? 89 7? 24 ?? 8? [1-3] 24 [1-4] C7 44 24 ?0 01 23 45 67 C7 44 24 ?4 89 AB CD EF C7 44 24 ?8 FE DC BA 98 C7 44 24 ?C 76 54 32 10 C7 44 24 ?0 F0 E1 D2 C3}
+        $sha1_2 = {33 C0 C7 01 01 23 45 67 89 41 14 89 41 18 89 41 5C C7 41 04 89 AB CD EF C7 41 08 FE DC BA 98 C7 41 0C 76 54 32 10 C7 41 10 F0 E1 D2 C3 89 41 60 89 41 64 C3}
+        $anti_sandbox1 = {8D 4? FC [0-1] E8 [4-7] E8 [4] 85 C0 7E (04|07) [4-7] 33 (C0|D2) 74 02 EB FA}
+        $anti_sandbox2 = {8D 45 ?? 50 E8 [2] 00 00 59 68 [4] FF 15 [4] 89 45 ?? 83 7D ?? 0F 76 0C}
+        $decrypt_config1 = {FF 37 83 C3 EC 53 8B 5D 0C 8D 43 14 50 6A 14 53 E8 ?? ?? ?? ?? 83 C4 14 85 C0 ?? 26 ?? ?? 86 20 02 00 00 66 85 C0 ?? ?? FF 37 FF 75 10 53}
+        $decrypt_config2 = {8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C 08 00 00}
+        $decrypt_config3 = {6A 13 8B CE 8B C3 5A 8A 18 3A 19 75 05 40 41 4A 75 F5 0F B6 00 0F B6 09 2B C1 74 05 83 C8 FF EB 0E}
+        $call_decrypt = {83 7D ?? 00 56 74 0B FF 75 10 8B F3 E8 [4] 59 8B 45 0C 83 F8 28 72 19 8B 55 08 8B 37 8D 48 EC 6A 14 8D 42 14 52 E8}
+    condition:
+        uint16(0) == 0x5A4D and any of ($*)
+}