diff --git a/malware/MALW_Arsenal237_ChromeElevator.yar b/malware/MALW_Arsenal237_ChromeElevator.yar
new file mode 100644
index 00000000..e9908e11
--- /dev/null
+++ b/malware/MALW_Arsenal237_ChromeElevator.yar
@@ -0,0 +1,96 @@
+/*
+ Yara Rule Set
+ Author: The Hunters Ledger
+ Date: 2026-01-26
+ Identifier: Arsenal-237 chromelevator.exe Browser Credential Theft Tool
+ Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-chromelevator-exe/
+ License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Chromelevator_Browser_Credential_Extraction {
+ meta:
+ description = "Detects Arsenal-237 chromelevator.exe browser credential extraction tool targeting Chrome, Brave, and Edge via reflective DLL injection"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-chromelevator-exe/"
+ family = "Arsenal-237"
+
+ strings:
+ $filename = "chromelevator.exe" nocase ascii
+ $payload = "PAYLOAD_DLL" nocase ascii
+ $chrome = "chrome.exe" nocase ascii
+ $brave = "brave.exe" nocase ascii
+ $edge = "msedge.exe" nocase ascii
+ $named_pipe = "Named pipe server created" nocase ascii
+ $reflective = "ReflectiveLoader" nocase ascii
+ $extraction = "Extracted" nocase ascii
+ $cookies = "cookies" nocase ascii
+ $passwords = "passwords" nocase ascii
+ $payments = "payments" nocase ascii
+ $verbose = "--verbose" nocase ascii
+ $fingerprint = "--fingerprint" nocase ascii
+ $output = "--output-path" nocase ascii
+ $create_pipe = "CreateNamedPipeW" nocase ascii
+ $connect_pipe = "ConnectNamedPipe" nocase ascii
+ $find_resource = "FindResourceW" nocase ascii
+ $load_resource = "LoadResource" nocase ascii
+
+ condition:
+ ($filename and $payload and ($extraction or ($cookies and $passwords))) or
+ (3 of ($chrome, $brave, $edge) and 2 of ($extraction, $cookies, $passwords)) or
+ ($reflective and $named_pipe and any of ($chrome, $brave, $edge)) or
+ (2 of ($verbose, $fingerprint, $output) and any of ($chrome, $brave, $edge))
+}
+
+rule Arsenal237_Direct_Syscall_Framework {
+ meta:
+ description = "Detects Arsenal-237 direct syscall EDR bypass 
framework using Zw* Native API calls to avoid EDR hooking"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-chromelevator-exe/"
+ family = "Arsenal-237"
+
+ strings:
+ $zw_alloc = "ZwAllocateVirtualMemory" nocase ascii
+ $zw_write = "ZwWriteVirtualMemory" nocase ascii
+ $zw_read = "ZwReadVirtualMemory" nocase ascii
+ $zw_protect = "ZwProtectVirtualMemory" nocase ascii
+ $zw_create_thread = "ZwCreateThreadEx" nocase ascii
+ $zw_open_proc = "ZwOpenProcess" nocase ascii
+ $zw_query_proc = "ZwQueryInformationProcess" nocase ascii
+ $zw_context = "ZwGetContextThread" nocase ascii
+ $zw_set_context = "ZwSetContextThread" nocase ascii
+ $zw_resume = "ZwResumeThread" nocase ascii
+ $zw_pattern = /Zw[A-Z][a-zA-Z]+/
+
+ condition:
+ (5 of ($zw_alloc, $zw_write, $zw_protect, $zw_create_thread, $zw_open_proc)) or
+ (all of them and #zw_pattern >= 10)
+}
+
+rule Reflective_DLL_Injection_Framework {
+ meta:
+ description = "Detects reflective DLL injection implementation using ReflectiveLoader with direct syscall or Win32 API injection pattern"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-chromelevator-exe/"
+ family = "Arsenal-237"
+
+ strings:
+ $dos_header = "MZ" at 0
+ $reflective_loader = "ReflectiveLoader" nocase ascii
+ $reflective_export = "reflective" nocase ascii wide
+ $alloc = "VirtualAllocEx" nocase ascii
+ $write = "WriteProcessMemory" nocase ascii
+ $protect = "VirtualProtectEx" nocase ascii
+ $create_remote = "CreateRemoteThread" nocase ascii
+ $zw_alloc = "ZwAllocateVirtualMemory" nocase ascii
+ $zw_write = "ZwWriteVirtualMemory" nocase ascii
+ $zw_protect = "ZwProtectVirtualMemory" nocase ascii
+ $zw_create = "ZwCreateThreadEx" nocase ascii
+
+ condition:
+ ($reflective_loader and $dos_header) or
+ ($reflective_loader and all of ($zw_alloc, 
$zw_write, $zw_protect, $zw_create)) or
+ ($reflective_loader and all of ($alloc, $write, $protect, $create_remote))
+}
diff --git a/malware/MALW_Arsenal237_dec_fixed.yar b/malware/MALW_Arsenal237_dec_fixed.yar
new file mode 100644
index 00000000..5c634537
--- /dev/null
+++ b/malware/MALW_Arsenal237_dec_fixed.yar
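Review bot: `$dos_header = "MZ" at 0` in Reflective_DLL_Injection_Framework will not compile — `at` is a condition operator, not a string modifier — so declare `$dos_header = "MZ"` and test `$dos_header at 0` in the condition (or use `uint16(0) == 0x5A4D` as the nethost rules do). The file also declares strings its conditions never reference, which YARA rejects as unreferenced: `$payments`, `$create_pipe`, `$connect_pipe`, `$find_resource` and `$load_resource` in Chromelevator_Browser_Credential_Extraction, and `$reflective_export` in Reflective_DLL_Injection_Framework; the same defect is in `$rust_error` (dec_fixed), `$rust_panic` and `$winsock_init` (nethost C2 rule) and `$stack_base` (enc_c2). Either use them in the condition or remove them. Arsenal237_Direct_Syscall_Framework's `5 of (...)` and `all of them` branches are also likely satisfied by ntdll.dll itself, whose export table carries every listed Zw* name, so requiring one tool-specific string alongside them would keep the rule from tagging the system DLL.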
@@ -0,0 +1,102 @@
+/*
+ Yara Rule Set
+ Author: The Hunters Ledger
+ Date: 2026-01-26
+ Identifier: Arsenal-237 dec_fixed.exe Ransomware Decryptor
+ Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/
+ License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_dec_fixed_FileHash {
+ meta:
+ description = "Detects Arsenal-237 dec_fixed.exe per-victim ransomware decryptor by exact cryptographic hash - recovery tool not an attack tool"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+ hash_sha256 = "d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802"
+ hash_sha1 = "29014d4d6fc42219cd9cdc130b868382cf2c14c2"
+ hash_md5 = "7c5493a0a5df52682a5c2ba433634601"
+ family = "Arsenal-237"
+ malware_type = "Ransomware Decryptor"
+
+ condition:
+ hash.sha256(0, filesize) == "d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802" or
+ hash.md5(0, filesize) == "7c5493a0a5df52682a5c2ba433634601" or
+ hash.sha1(0, filesize) == "29014d4d6fc42219cd9cdc130b868382cf2c14c2"
+}
+
+rule Arsenal237_Victim_Key_Decryptor {
+ meta:
+ description = "Detects Arsenal-237 dec_fixed.exe victim-specific hardcoded ChaCha20 decryption key matching new_enc.exe encryption key"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware Decryptor"
+
+ strings:
+ $key1 = "1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba" nocase ascii
+ $key2 = "67e6096a85ae67bb72f36e3c3af54fa57f520e518c68059babd9831f19cde05b" nocase ascii
+
+ condition:
+ 1 of them
+}
+
+rule Arsenal237_ChaCha20_Decryption {
+ meta:
+ description = "Detects Arsenal-237 dec_fixed.exe ChaCha20-Poly1305 AEAD decryption 
implementation with key validation error strings"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware Decryptor"
+
+ strings:
+ $constant1 = "expand 32-byte k" ascii nocase
+ $error1 = "Decryption failed - wrong key or corrupted file" ascii
+ $error2 = "File corrupted - encrypted size mismatch" ascii
+
+ condition:
+ $constant1 and any of ($error1, $error2)
+}
+
+rule Arsenal237_Decryptor_Tool {
+ meta:
+ description = "Detects Arsenal-237 dec_fixed.exe batch file decryptor with --folder-a parameter and characteristic error message strings"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware Decryptor"
+
+ strings:
+ $cmd1 = "--folder-a" ascii
+ $error1 = "File too small" ascii
+ $error2 = "Could not find filename" ascii
+ $error3 = "Invalid victim key hex" ascii
+ $cleanup = "readme.txt" ascii nocase
+
+ condition:
+ $cmd1 and 2 of ($error1, $error2, $error3) and $cleanup
+}
+
+rule Arsenal237_Rust_Compiled_Tools {
+ meta:
+ description = "Detects Arsenal-237 Rust-compiled ransomware tools (encryptors and decryptors) by ChaCha20-Poly1305 library strings and file size"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $chacha20_lib = "chacha20" ascii nocase
+ $poly1305_lib = "poly1305" ascii nocase
+ $rust_constant = "expand 32-byte k" ascii
+ $rust_error = "Decryption failed" ascii nocase
+
+ condition:
+ filesize > 900KB and filesize < 1MB and
+ $chacha20_lib and $poly1305_lib and
+ $rust_constant
+}
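Review bot: Arsenal237_dec_fixed_FileHash calls `hash.sha256(0, filesize)`, `hash.md5` and `hash.sha1` without an `import "hash"` at the top of the file, so the ruleset fails to compile on an undefined identifier; add `import "hash"` as the first line. The FileHash rules in nethost, enc_c2, full_test_enc and new_enc have the same omission. Because the hash module reads the whole object for every scanned file, prefixing the condition with `uint16(0) == 0x5A4D and` (and a filesize bound sized to the sample) keeps these rules cheap. Separately, Arsenal237_Rust_Compiled_Tools pins `filesize > 900KB and filesize < 1MB`, a window only about 124KB wide, so any rebuild of the tool falls outside it — either widen it or say in the description that it is a single-build pin.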
diff --git a/malware/MALW_Arsenal237_nethost.yar b/malware/MALW_Arsenal237_nethost.yar
new file mode 100644
index 00000000..f7af78a3
--- /dev/null
+++ b/malware/MALW_Arsenal237_nethost.yar
@@ -0,0 +1,102 @@
+/*
+ Yara Rule Set
+ Author: The Hunters Ledger
+ Date: 2026-01-26
+ Identifier: Arsenal-237 nethost.dll DLL Hijacking C2 Communication Module
+ Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/
+ License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_nethost_FileHash {
+ meta:
+ description = "Detects Arsenal-237 nethost.dll C2 communication module by file hash - Rust DLL hijacking persistence targeting .NET host library"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+ hash_sha256 = "158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14"
+ hash_sha1 = "622ddbacaf769aef383435162a203489c08c8468"
+ hash_md5 = "f91ff1bb5699524524fff0e2587af040"
+ family = "Arsenal-237"
+ malware_type = "C2 Communication Module"
+
+ condition:
+ hash.sha256(0, filesize) == "158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14" or
+ hash.md5(0, filesize) == "f91ff1bb5699524524fff0e2587af040" or
+ hash.sha1(0, filesize) == "622ddbacaf769aef383435162a203489c08c8468"
+}
+
+rule Arsenal237_nethost_C2_Strings {
+ meta:
+ description = "Detects Arsenal-237 nethost.dll by hardcoded C2 target strings and environment variable discovery concatenation artifact"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+ family = "Arsenal-237"
+ malware_type = "C2 Communication Module"
+
+ strings:
+ $c2_targets = "8.8.8.8:53127.0.0.1ntdll.dll" ascii
+ $env_discovery = "COMPUTERNAMEUSERNAME" ascii
+ $rust_panic = "runtime error" ascii
+ $winsock_init = "WSAStartup" ascii
+
+ condition:
+ ($c2_targets or $env_discovery) and uint16(0) == 0x5A4D
+}
+
+rule Arsenal237_nethost_PowerShell_Templates {
+ meta:
+ description = "Detects 
Arsenal-237 nethost.dll embedded PowerShell command templates for service enumeration, file download, and C2 response parsing"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+ family = "Arsenal-237"
+ malware_type = "C2 Communication Module"
+
+ strings:
+ $ps_service = "Get-Service|?{$_.Status -eq ''}" ascii
+ $ps_download = "Invoke-WebRequest -Uri '' -OutFile ''" ascii
+ $upload_prefix = "pathB64:" ascii
+ $response_keywords = "resultmachine_idsuccess" ascii
+
+ condition:
+ 3 of them and uint16(0) == 0x5A4D
+}
+
+rule Arsenal237_nethost_Winsock_Init {
+ meta:
+ description = "Detects Arsenal-237 nethost.dll Winsock 2.2 initialization pattern with WSASocket and environment variable enumeration"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+ family = "Arsenal-237"
+ malware_type = "C2 Communication Module"
+
+ strings:
+ $ws_startup = { C7 ?? ?? 02 02 00 }
+ $wsa_socket = "WSASocket" ascii
+ $connect_api = "connect" ascii
+ $env_vars = "COMPUTERNAME" ascii
+
+ condition:
+ all of them and uint16(0) == 0x5A4D
+}
+
+rule Arsenal237_nethost_Rust_Indicators {
+ meta:
+ description = "Detects Arsenal-237 nethost.dll Rust compilation indicators including panic handler and standard library artifacts"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+ family = "Arsenal-237"
+ malware_type = "C2 Communication Module"
+
+ strings:
+ $rust_panic = "rust_panic" ascii
+ $rustc_artifact = ".rustc_artifact" ascii
+ $rust_std = "std::panic" ascii
+ $assertion_fail = "assertion `left right` failed" ascii
+
+ condition:
+ 2 of them and uint16(0) == 0x5A4D
+}
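Review bot: Arsenal237_nethost_Rust_Indicators will fire on essentially any Rust-compiled PE, because `rust_panic` and `std::panic` are present in ordinary Rust binaries and `2 of them and uint16(0) == 0x5A4D` demands nothing family-specific, so its `family = "Arsenal-237"` meta mislabels unrelated software. Tie it to the sample, e.g. `2 of them and uint16(0) == 0x5A4D and ($c2_targets or $env_discovery)` with those two strings copied from Arsenal237_nethost_C2_Strings, or describe it as a generic Rust hunting rule rather than a family detection. `$assertion_fail` is missing the `==` that the stock Rust assert_eq panic message carries between left and right, which looks like a truncated copy — worth re-checking against the sample's strings before relying on it. In Arsenal237_nethost_Winsock_Init, `$ws_startup = { C7 ?? ?? 02 02 00 }` is a six-byte pattern with two wildcards that will occur in many binaries; it is only safe because of `all of them`, and a comment saying so would stop a later edit from loosening it.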
diff --git a/malware/RANSOM_Arsenal237_enc_c2.yar b/malware/RANSOM_Arsenal237_enc_c2.yar
new file mode 100644
index 00000000..b3fa5ba4
--- /dev/null
+++ b/malware/RANSOM_Arsenal237_enc_c2.yar
@@ -0,0 +1,141 @@
+/*
+ Yara Rule Set
+ Author: The Hunters Ledger
+ Date: 2026-01-26
+ Identifier: Arsenal-237 enc_c2.exe Rust Ransomware with Tor C2
+ Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-enc_c2-exe/
+ License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_enc_c2_FileHash {
+ meta:
+ description = "Detects Arsenal-237 enc_c2.exe Rust-compiled ransomware by file hash - Tor C2 with ChaCha20 encryption"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-enc_c2-exe/"
+ hash_sha256 = "613d4d0f1612686742889e834ebc9ebff6ae021cf81a4c50f66369195ca01899"
+ hash_md5 = "32a3497e57604e1037f1ff9993a8fdaa"
+ hash_sha1 = "34d3c75e79633eb3bf47e751fb31274760aeae09"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ condition:
+ hash.sha256(0, filesize) == "613d4d0f1612686742889e834ebc9ebff6ae021cf81a4c50f66369195ca01899" or
+ hash.md5(0, filesize) == "32a3497e57604e1037f1ff9993a8fdaa" or
+ hash.sha1(0, filesize) == "34d3c75e79633eb3bf47e751fb31274760aeae09"
+}
+
+rule Arsenal237_ChaCha20_Encryption_Constants {
+ meta:
+ description = "Detects ChaCha20 cipher implementation used by Arsenal-237 enc_c2.exe ransomware for file encryption"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-enc_c2-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $chacha_constant_1 = "expand 32-byte k" ascii
+ $chacha_constant_2 = "Chacha_256_constant" ascii
+ $chacha_library = "aead-0.5.2" ascii
+ $chacha_function = "chacha20" ascii nocase
+
+ condition:
+ any of them
+}
+
+rule Arsenal237_Tor_C2_Infrastructure {
+ meta:
+ description = "Detects Arsenal-237 enc_c2.exe Tor hidden service C2 domain and beacon endpoint strings"
+ author = "The Hunters Ledger"
+ date = 
"2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-enc_c2-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware C2"
+
+ strings:
+ $c2_domain = "rustydl5ak6p6ajqnja6qzkxvp5huhe4olpdsq5oy75ea4o34aalpkqd.onion" ascii
+ $c2_endpoint = "/c2/beacon.php" ascii
+ $c2_protocol = "POST /c2/beacon.php" ascii
+ $onion_tld = ".onion" ascii
+
+ condition:
+ any of them
+}
+
+rule Arsenal237_Ransomware_Operations {
+ meta:
+ description = "Detects Arsenal-237 enc_c2.exe ransomware operational strings including encryption markers and ransom note generation"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-enc_c2-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $ransom_msg = "YOUR FILES HAVE BEEN ENCRYPTED!" ascii
+ $ransom_note = "README.txt" ascii
+ $encrypted_extension = ".locked" ascii
+ $enc_c2_executable = "enc_c2.exe" ascii
+ $http_client = "ureq" ascii
+
+ condition:
+ 3 of them
+}
+
+rule Arsenal237_TEB_AntiDebug {
+ meta:
+ description = "Detects TEB-based anti-debugging technique used by Arsenal-237 enc_c2.exe with sleep-based sandbox evasion"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-enc_c2-exe/"
+ family = "Arsenal-237"
+
+ strings:
+ $teb_api = "NtCurrentTeb" ascii
+ $stack_base = "StackBase" ascii
+ $sleep_loop = { 68 88 13 00 00 FF 15 }
+ $sleep_1000 = { 68 E8 03 00 00 FF 15 }
+
+ condition:
+ ($teb_api and ($sleep_loop or $sleep_1000))
+}
+
+rule Arsenal237_Rust_Compilation_Artifacts {
+ meta:
+ description = "Detects Rust compiler and Cargo registry artifacts in Arsenal-237 malware binaries"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = 
"https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-enc_c2-exe/"
+ family = "Arsenal-237"
+
+ strings:
+ $rust_lib_path = "/root/.cargo/registry/src/" ascii
+ $crates_io = "index.crates.io" ascii
+ $rustc = "rustc" ascii
+ $rust_std = "std" ascii
+
+ condition:
+ 2 of them
+}
+
+rule Arsenal237_RaaS_Builder_Tracking {
+ meta:
+ description = "Detects Arsenal-237 RaaS builder ID strings and affiliate tracking markers in ransomware samples"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-enc_c2-exe/"
+ family = "Arsenal-237"
+ malware_type = "RaaS"
+
+ strings:
+ $builder_id_default = "TEST_BUILD_001" ascii
+ $builder_id_generic = "builder_id" ascii
+ $victim_id = "victim_id" ascii
+ $encryption_key = "encryption_key" ascii
+ $machine_info = "machine_info" ascii
+
+ condition:
+ (($builder_id_default and $builder_id_generic) or
+ ($builder_id_generic and $encryption_key and $victim_id and $machine_info))
+}
diff --git a/malware/RANSOM_Arsenal237_full_test_enc.yar b/malware/RANSOM_Arsenal237_full_test_enc.yar
new file mode 100644
index 00000000..848416bc
--- /dev/null
+++ b/malware/RANSOM_Arsenal237_full_test_enc.yar
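Review bot: Arsenal237_ChaCha20_Encryption_Constants and Arsenal237_Tor_C2_Infrastructure both end in `any of them`, so `"chacha20"` nocase, `"expand 32-byte k"` or a bare `".onion"` is enough on its own to tag a file as Arsenal-237 ransomware; every ChaCha20-bearing library and every Tor-aware program will match. Require the sample-specific artefact instead: for the Tor rule `$c2_domain or $c2_protocol or ($c2_endpoint and $onion_tld)`, and for the cipher rule `uint16(0) == 0x5A4D and ($chacha_library or $chacha_constant_2) and 1 of ($chacha_constant_1, $chacha_function)`. Arsenal237_Rust_Compilation_Artifacts has the same problem in a stronger form — `$rust_std = "std"` is a three-byte string found in almost any file, so `2 of them` collapses to one other string being present; `$rust_lib_path and 1 of ($crates_io, $rustc)` would at least demand a Cargo registry path. The `$sleep_loop`/`$sleep_1000` patterns in Arsenal237_TEB_AntiDebug encode a 32-bit `push imm32; call [mem]` sequence; if the sample is a 64-bit Rust build, as the Cargo paths suggest, they may never match and should be confirmed against the binary.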
@@ -0,0 +1,148 @@
+/*
+ Yara Rule Set
+ Author: The Hunters Ledger
+ Date: 2026-01-27
+ Identifier: Arsenal-237 full_test_enc.exe Advanced Rust Ransomware
+ Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-full_test_enc-exe/
+ License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_FullTestEnc_FileHash {
+ meta:
+ description = "Detects Arsenal-237 full_test_enc.exe by exact cryptographic hash - advanced Rust ransomware with ChaCha20+RSA and parallel encryption"
+ author = "The Hunters Ledger"
+ date = "2026-01-27"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-full_test_enc-exe/"
+ hash_sha256 = "4d1fe7b54a0ce9ce2082c167b662ec138b890e3f305e67bdc13a5e9a24708518"
+ hash_sha1 = "bc0788a36b6b839fc917be0577cd14e584c71fd8"
+ hash_md5 = "1fe8b9a14f9f8435c5fb5156bcbc174e"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ condition:
+ hash.sha256(0, filesize) == "4d1fe7b54a0ce9ce2082c167b662ec138b890e3f305e67bdc13a5e9a24708518" or
+ hash.md5(0, filesize) == "1fe8b9a14f9f8435c5fb5156bcbc174e" or
+ hash.sha1(0, filesize) == "bc0788a36b6b839fc917be0577cd14e584c71fd8"
+}
+
+rule Arsenal237_RustCrypto_ChaCha20_RSA {
+ meta:
+ description = "Detects Arsenal-237 full_test_enc.exe Rust ChaCha20 + RSA cryptographic library combination used for file encryption"
+ author = "The Hunters Ledger"
+ date = "2026-01-27"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-full_test_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $chacha20 = "/chacha20-0.9.1/src/lib.rs" ascii
+ $rsa = "/rsa-0.9.9/src/algorithms/" ascii
+ $aead = "/aead-0.5.2/src/lib.rs" ascii
+ $cipher = "/cipher-0.4.4/" ascii
+ $digest = "/digest-0.10.7/" ascii
+ $rand = "/rand-0.8.5/" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ filesize > 10MB and
+ 3 of them
+}
+
+rule 
Arsenal237_Ransomware_Lockbox_Strings {
+ meta:
+ description = "Detects Arsenal-237 full_test_enc.exe ransom messaging, .lockbox file extension, and encryption operation log strings"
+ author = "The Hunters Ledger"
+ date = "2026-01-27"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-full_test_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $ransom1 = "YOUR FILES HAVE BEEN ENCRYPTED!" ascii wide
+ $ransom2 = "Ransom ID:" ascii wide
+ $lockbox = ".lockbox" ascii wide
+ $log1 = "[*] Encryptor starting..." ascii
+ $log2 = "[*] Encrypting all drives..." ascii
+ $log3 = "[+] Encryption complete!" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ filesize > 10MB and filesize < 20MB and
+ (2 of ($ransom1, $ransom2) and $lockbox) or
+ (all of ($log1, $log2, $log3))
+}
+
+rule Arsenal237_Rayon_AntiAnalysis {
+ meta:
+ description = "Detects Arsenal-237 full_test_enc.exe Rayon parallel processing library and anti-analysis techniques including VM detection"
+ author = "The Hunters Ledger"
+ date = "2026-01-27"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-full_test_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $rayon = "/rayon-1.11.0/src/" ascii
+ $walkdir = "/walkdir-2.5.0/" ascii
+ $sysinfo = "/sysinfo-0.29.11/" ascii
+ $vm_detect = "VMware" ascii nocase
+ $vbox_detect = "VirtualBox" ascii nocase
+ $encrypt_error1 = "Failed to encrypt nonce" ascii
+ $encrypt_error2 = "Failed to encrypt key" ascii
+ $encrypt_error3 = "Block encryption failed" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ filesize > 10MB and
+ (all of ($rayon, $walkdir, $sysinfo)) or
+ (2 of ($vm_detect, $vbox_detect, $encrypt_error1, $encrypt_error2, $encrypt_error3))
+}
+
+rule Arsenal237_NetworkShare_Enumeration {
+ meta:
+ description = "Detects Arsenal-237 full_test_enc.exe network share enumeration via net use for lateral 
movement and network drive encryption"
+ author = "The Hunters Ledger"
+ date = "2026-01-27"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-full_test_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $netuse = "net use" ascii
+ $smb = "SMB" ascii nocase
+ $netuse_error = "Failed to execute net use" ascii
+ $folder_option = "--folder" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ filesize > 10MB and
+ ($netuse or $netuse_error) and
+ ($folder_option or $smb)
+}
+
+rule Arsenal237_FullTestEnc_Comprehensive {
+ meta:
+ description = "Comprehensive detection for Arsenal-237 full_test_enc.exe combining Rust crypto libraries, ransom strings, and parallel encryption indicators"
+ author = "The Hunters Ledger"
+ date = "2026-01-27"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-full_test_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $chacha = "/chacha20-" ascii
+ $rsa_lib = "/rsa-" ascii
+ $ransom = "YOUR FILES HAVE BEEN ENCRYPTED!" ascii wide
+ $rayon = "/rayon-" ascii
+ $walkdir = "/walkdir-" ascii
+ $sysinfo = "/sysinfo-" ascii
+ $lockbox = ".lockbox" ascii
+ $netuse = "net use" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ filesize > 10MB and filesize < 20MB and
+ $chacha and $rsa_lib and $ransom and
+ (1 of ($rayon, $walkdir, $sysinfo)) and
+ ($lockbox or $netuse or "Ransom ID" ascii)
+}
diff --git a/malware/RANSOM_Arsenal237_new_enc.yar b/malware/RANSOM_Arsenal237_new_enc.yar
new file mode 100644
index 00000000..5ac738e2
--- /dev/null
+++ b/malware/RANSOM_Arsenal237_new_enc.yar
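Review bot: In Arsenal237_Ransomware_Lockbox_Strings the condition `uint16(0) == 0x5A4D and filesize > 10MB and filesize < 20MB and (2 of ($ransom1, $ransom2) and $lockbox) or (all of ($log1, $log2, $log3))` binds `and` before `or`, so the MZ and size gates cover only the first alternative and the three log strings alone match a file of any type or size; Arsenal237_Rayon_AntiAnalysis has the same shape, and there the unguarded `2 of ($vm_detect, $vbox_detect, ...)` branch is met by any document or tool that merely mentions VMware and VirtualBox. Parenthesise the alternatives: `... filesize < 20MB and ((2 of ($ransom1, $ransom2) and $lockbox) or all of ($log1, $log2, $log3))` and `... filesize > 10MB and (all of ($rayon, $walkdir, $sysinfo) or 2 of ($vm_detect, $vbox_detect, $encrypt_error1, $encrypt_error2, $encrypt_error3))`. Arsenal237_FullTestEnc_Comprehensive also will not compile as written: `"Ransom ID" ascii` inside the condition is a string literal with a modifier, which YARA accepts only in the strings section, so declare `$ransom_id = "Ransom ID" ascii wide` and write `($lockbox or $netuse or $ransom_id)`.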
@@ -0,0 +1,140 @@
+/*
+ Yara Rule Set
+ Author: The Hunters Ledger
+ Date: 2026-01-26
+ Identifier: Arsenal-237 new_enc.exe Human-Operated Rust Ransomware
+ Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-new_enc-exe/
+ License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_new_enc_FileHash {
+ meta:
+ description = "Detects Arsenal-237 new_enc.exe Rust ransomware by exact file hash - human-operated ransomware with hardcoded ChaCha20 key"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-new_enc-exe/"
+ hash_sha256 = "90d223b70448d68f7f48397df6a9e57de3a6b389d5d8dc0896be633ca95720f2"
+ hash_sha1 = "2c01cefba27c4d3fcb3b450cb8e625e89bc54363"
+ hash_md5 = "a16ba61114fa5a40afce54459bbff21e"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ condition:
+ hash.sha256(0, filesize) == "90d223b70448d68f7f48397df6a9e57de3a6b389d5d8dc0896be633ca95720f2" or
+ hash.md5(0, filesize) == "a16ba61114fa5a40afce54459bbff21e" or
+ hash.sha1(0, filesize) == "2c01cefba27c4d3fcb3b450cb8e625e89bc54363"
+}
+
+rule Arsenal237_ChaCha20_Key {
+ meta:
+ description = "Detects Arsenal-237 hardcoded ChaCha20 encryption key shared between new_enc.exe and dec_fixed.exe"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-new_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $key_hex = "67e6096a85ae67bb72f36e3c3af54fa57f520e518c68059babd9831f19cde05b" nocase ascii wide
+ $key_partial = "67e60" nocase
+
+ condition:
+ $key_hex or $key_partial
+}
+
+rule Arsenal237_Campaign_Identifiers {
+ meta:
+ description = "Detects Arsenal-237 new_enc.exe campaign ID, version string v0.5-beta, and RustRansomNoteTask scheduled task name"
+ author = "The Hunters Ledger"
+ date = "2026-01-26" 
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-new_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $campaign_id = "ICIIXGD1X8ZJ4T1MTQ6TLQIDJEMDE7U4" ascii wide
+ $version = "v0.5-beta" ascii wide
+ $ransom_task = "RustRansomNoteTask" ascii wide
+
+ condition:
+ any of them
+}
+
+rule Arsenal237_Veritas_Backup_Targeting {
+ meta:
+ description = "Detects Arsenal-237 new_enc.exe enterprise targeting of Veritas Backup Exec and Veeam backup service processes for pre-encryption termination"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-new_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $gxvss = "GxVss" ascii wide
+ $gxblr = "GxBlr" ascii wide
+ $gxfwd = "GxFWD" ascii wide
+ $gxcvd = "GxCVD" ascii wide
+ $gxcimgr = "GxCIMgr" ascii wide
+ $veeam = "veeam" ascii wide nocase
+
+ condition:
+ (3 of ($gxvss, $gxblr, $gxfwd, $gxcvd, $gxcimgr)) or $veeam
+}
+
+rule Arsenal237_AntiRecovery_VSS {
+ meta:
+ description = "Detects Arsenal-237 new_enc.exe Volume Shadow Copy deletion commands to prevent ransomware recovery"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-new_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $vss_delete = "vssadmin delete shadows /all /quiet" ascii wide nocase
+ $vss_pattern = "vssadmin" ascii wide nocase
+ $delete_shadows = "delete shadows" ascii wide nocase
+
+ condition:
+ ($vss_delete) or ($vss_pattern and $delete_shadows)
+}
+
+rule Arsenal237_AntiAnalysis_VM_Detection {
+ meta:
+ description = "Detects Arsenal-237 new_enc.exe anti-analysis strings targeting VM environments, sandboxes, and analysis tools"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = 
"https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-new_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $vm_vbox = "VBOX" ascii wide nocase
+ $vm_vmware = "VMWARE" ascii wide nocase
+ $vm_qemu = "QEMU" ascii wide nocase
+ $vm_xen = "XEN" ascii wide nocase
+ $vm_hyperv = "HYPERV" ascii wide nocase
+ $sandbox_cuckoo = "cuckoo" ascii wide nocase
+ $bios_registry = "HARDWARE\\DESCRIPTION\\System\\BIOS" ascii wide nocase
+ $debugger_check = "IsDebuggerPresent" ascii wide
+
+ condition:
+ (3 of ($vm_vbox, $vm_vmware, $vm_qemu, $vm_xen, $vm_hyperv)) or
+ $sandbox_cuckoo or $bios_registry or $debugger_check
+}
+
+rule Arsenal237_HexEncoded_RansomNote {
+ meta:
+ description = "Detects Arsenal-237 new_enc.exe hex-encoded ransom note header containing v0.5-beta version and Ransom-ID marker"
+ author = "The Hunters Ledger"
+ date = "2026-01-26"
+ reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-new_enc-exe/"
+ family = "Arsenal-237"
+ malware_type = "Ransomware"
+
+ strings:
+ $hex_header = "76302e352d626574610d0a0d0a52616e736f6d2d4944" ascii wide
+
+ condition:
+ $hex_header
+}
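Review bot: `$key_partial = "67e60" nocase` in Arsenal237_ChaCha20_Key, paired with `$key_hex or $key_partial`, makes a five-character hex fragment sufficient for a match, and that fragment occurs by chance in hashes, GUIDs and any hex dump; drop it and use `condition: $key_hex`, since the full 64-character key already covers the intended case. In Arsenal237_Veritas_Backup_Targeting the `or $veeam` branch lets the bare word "veeam" match Veeam's own binaries and documentation, and the Gx* names (GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr) are Commvault agent process names rather than Veritas Backup Exec ones as far as I can tell, so the rule name and description look mislabelled; `(3 of ($gx*)) or ($veeam and 1 of ($gx*))` keeps the family tie. Arsenal237_AntiAnalysis_VM_Detection's `or $debugger_check` likewise fires on any PE that imports IsDebuggerPresent, which a large share of legitimate software does, so fold it into the 3-of set or require it together with `$bios_registry`. None of these three rules carries the `uint16(0) == 0x5A4D` gate that the nethost rules apply, so they will also match text and script files.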