diff --git a/yara/certificate/blocklist.yara b/yara/certificate/blocklist.yara
index d84450e..cd4f454 100644
--- a/yara/certificate/blocklist.yara
+++ b/yara/certificate/blocklist.yara
@@ -6934,3 +6934,5377 @@ rule cert_blocklist_4c8def294478b7d59ee95c61fae3d965 { 1592961292 <= pe.signatures[i].not_after ) } + +rule cert_blocklist_7d36cbb64bc9add17ba71737d3ecceca { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LTD SERVICES LIMITED" and + pe.signatures[i].serial == "7d:36:cb:b6:4b:c9:ad:d1:7b:a7:17:37:d3:ec:ce:ca" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ad255d4ebefa751f3782587396c08629 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Ornitek" and ( + pe.signatures[i].serial == "00:ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29" or + pe.signatures[i].serial == "ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_262ca7ae19d688138e75932832b18f9d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Bisoyetutu Ltd Ltd" and + pe.signatures[i].serial == "26:2c:a7:ae:19:d6:88:13:8e:75:93:28:32:b1:8f:9d" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_59a57e8ba3dcf2b6f59981fda14b03 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Medium LLC" and + pe.signatures[i].serial == "59:a5:7e:8b:a3:dc:f2:b6:f5:99:81:fd:a1:4b:03" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_aebe117a13b8bca21685df48c74f584d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "NANAX d.o.o." and ( + pe.signatures[i].serial == "00:ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d" or + pe.signatures[i].serial == "ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7dcd19a94535f034ee36af4676740633 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Toko Saya ApS" and + pe.signatures[i].serial == "7d:cd:19:a9:45:35:f0:34:ee:36:af:46:76:74:06:33" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ca4822e6905aa4fca9e28523f04f14a3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ELISTREID, OOO" and ( + pe.signatures[i].serial == "00:ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3" or + pe.signatures[i].serial == "ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_24c1ef800f275ab2780280c595de3464 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HOLGAN LIMITED" and + pe.signatures[i].serial == "24:c1:ef:80:0f:27:5a:b2:78:02:80:c5:95:de:34:64" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6401831b46588b9d872b02076c3a7b00 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ACTIV GROUP ApS" and + pe.signatures[i].serial == "64:01:83:1b:46:58:8b:9d:87:2b:02:07:6c:3a:7b:00" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a01a91cce63ede5eaa3dac4883aea05 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Seacloud Technologies Pte. Ltd." and + pe.signatures[i].serial == "0a:01:a9:1c:ce:63:ed:e5:ea:a3:da:c4:88:3a:ea:05" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_54cd7ae1c27f1421136ed25088f4979a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ABBYMAJUTA LTD LIMITED" and + pe.signatures[i].serial == "54:cd:7a:e1:c2:7f:14:21:13:6e:d2:50:88:f4:97:9a" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f2d693aad63e6920782a0027dfc97d91 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "EKO-KHIM TOV" and ( + pe.signatures[i].serial == "00:f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91" or + pe.signatures[i].serial == "f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f8e8f6c92ba666b0688a8cacce9acccf { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "5 th Dimension LTD Oy" and ( + pe.signatures[i].serial == "00:f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf" or + pe.signatures[i].serial == "f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e3d5089d4b8f01aadce2731062fb0cce { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DEVELOP - Residence s. r. o." and ( + pe.signatures[i].serial == "00:e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce" or + pe.signatures[i].serial == "e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7ed801843fa001b8add52d3a97b25931 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AM El-Teknik ApS" and + pe.signatures[i].serial == "7e:d8:01:84:3f:a0:01:b8:ad:d5:2d:3a:97:b2:59:31" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d9e834182dec62c654e775e809ac1d1b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FoodLehto Oy" and ( + pe.signatures[i].serial == "00:d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b" or + pe.signatures[i].serial == "d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_801689896ed339237464a41a2900a969 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "GLG Rental ApS" and ( + pe.signatures[i].serial == "00:80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69" or + pe.signatures[i].serial == "80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3fd3661533eef209153c9afec3ba4d8a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SFB Regnskabsservice ApS" and + pe.signatures[i].serial == "3f:d3:66:15:33:ee:f2:09:15:3c:9a:fe:c3:ba:4d:8a" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0ced87bd70b092cb93b182fac32655f6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Creator Soft Limited" and + pe.signatures[i].serial == "0c:ed:87:bd:70:b0:92:cb:93:b1:82:fa:c3:26:55:f6" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_047801d5b55c800b48411fd8c320ca5b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LICHFIELD STUDIO GLASS LIMITED" and + pe.signatures[i].serial == "04:78:01:d5:b5:5c:80:0b:48:41:1f:d8:c3:20:ca:5b" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0f0ed5318848703405d40f7c62d0f39a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SIES UPRAVLENIE PROTSESSAMI, OOO" and + pe.signatures[i].serial == "0f:0e:d5:31:88:48:70:34:05:d4:0f:7c:62:d0:f3:9a" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4e7545c9fc5938f5198ab9f1749ca31c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "For M d.o.o." and + pe.signatures[i].serial == "4e:75:45:c9:fc:59:38:f5:19:8a:b9:f1:74:9c:a3:1c" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7ddd3796a427b42f2e52d7c7af0ca54f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Fobos" and + pe.signatures[i].serial == "7d:dd:37:96:a4:27:b4:2f:2e:52:d7:c7:af:0c:a5:4f" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_03b27d7f4ee21a462a064a17eef70d6c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CCL TRADING LIMITED" and + pe.signatures[i].serial == "03:b2:7d:7f:4e:e2:1a:46:2a:06:4a:17:ee:f7:0d:6c" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b0a308fc2e71ac4ac40677b9c27ccbad { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Volpayk LLC" and ( + pe.signatures[i].serial == "00:b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad" or + pe.signatures[i].serial == "b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_61b11ef9726ab2e78132e01bd791b336 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Skalari" and + pe.signatures[i].serial == "61:b1:1e:f9:72:6a:b2:e7:81:32:e0:1b:d7:91:b3:36" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8fe807310d98357a59382090634b93f0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MAVE MEDIA" and ( + pe.signatures[i].serial == "00:8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0" or + pe.signatures[i].serial == "8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b97f66bb221772dc07ef1d4bed8f6085 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "S-PRO d.o.o." and ( + pe.signatures[i].serial == "00:b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85" or + pe.signatures[i].serial == "b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_fed006fbf85cd1c6ba6b4345b198e1e6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LoL d.o.o." and ( + pe.signatures[i].serial == "00:fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6" or + pe.signatures[i].serial == "fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_aa28c9bd16d9d304f18af223b27bfa1e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Tecno trade d.o.o." 
and ( + pe.signatures[i].serial == "00:aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e" or + pe.signatures[i].serial == "aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_19beff8a6c129663e5e8c18953dc1f67 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CULNADY LTD LTD" and + pe.signatures[i].serial == "19:be:ff:8a:6c:12:96:63:e5:e8:c1:89:53:dc:1f:67" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_029685cda1c8233d2409a31206f78f9f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KOTO TRADE, dru\\xC5\\xBEba za posredovanje, d.o.o." and + pe.signatures[i].serial == "02:96:85:cd:a1:c8:23:3d:24:09:a3:12:06:f7:8f:9f" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d609b6c95428954a999a8a99d4f198af { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Fudl" and ( + pe.signatures[i].serial == "00:d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af" or + pe.signatures[i].serial == "d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d3356318924c8c42959bf1d1574e6482 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ADV TOURS d.o.o." and ( + pe.signatures[i].serial == "00:d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82" or + pe.signatures[i].serial == "d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_31d852f5fca1a5966b5ed08a14825c54 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BBT KLA d.o.o." and + pe.signatures[i].serial == "31:d8:52:f5:fc:a1:a5:96:6b:5e:d0:8a:14:82:5c:54" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_17d99cc2f5b29522d422332e681f3e18 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PKV Trading ApS" and + pe.signatures[i].serial == "17:d9:9c:c2:f5:b2:95:22:d4:22:33:2e:68:1f:3e:18" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6a568f85de2061f67ded98707d4988df { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Apladis" and + pe.signatures[i].serial == "6a:56:8f:85:de:20:61:f6:7d:ed:98:70:7d:49:88:df" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_038fc745523b41b40d653b83aa381b80 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Optima" and + pe.signatures[i].serial == "03:8f:c7:45:52:3b:41:b4:0d:65:3b:83:aa:38:1b:80" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_30af0d0e6d8201a5369664c5ebbb010f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "3N-\\xC5\\xA0PORT podjetje za in\\xC5\\xBEeniring, storitve in trgovino d.o.o." 
and + pe.signatures[i].serial == "30:af:0d:0e:6d:82:01:a5:36:96:64:c5:eb:bb:01:0f" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ac0a7b9420b369af3ddb748385b981 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Tochka" and ( + pe.signatures[i].serial == "00:ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81" or + pe.signatures[i].serial == "ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c167f04b338b1e8747b92c2197403c43 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FORTUNE STAR TRADING, INC." and ( + pe.signatures[i].serial == "00:c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43" or + pe.signatures[i].serial == "c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_9272607cfc982b782a5d36c4b78f5e7b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Rada SP Z o o" and ( + pe.signatures[i].serial == "00:92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b" or + pe.signatures[i].serial == "92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_45eb9187a2505d8e6c842e6d366ad0c8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BAKERA s.r.o." and + pe.signatures[i].serial == "45:eb:91:87:a2:50:5d:8e:6c:84:2e:6d:36:6a:d0:c8" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_56fff139df5ae7e788e5d72196dd563a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Cifromatika LLC" and + pe.signatures[i].serial == "56:ff:f1:39:df:5a:e7:e7:88:e5:d7:21:96:dd:56:3a" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e161f76da3b5e4623892c8e6fda1ea3d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TGN Nedelica d.o.o." 
and ( + pe.signatures[i].serial == "00:e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d" or + pe.signatures[i].serial == "e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_9ae5b177ac3a7ce2aadf1c891b574924 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Kolorit" and ( + pe.signatures[i].serial == "00:9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24" or + pe.signatures[i].serial == "9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a03ea3a4fa772b17037a0b80f1f968aa { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DREVOKAPITAL, s.r.o." and ( + pe.signatures[i].serial == "00:a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa" or + pe.signatures[i].serial == "a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_333ca7d100b139b0d9c1a97cb458e226 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FSE, d.o.o." 
and + pe.signatures[i].serial == "33:3c:a7:d1:00:b1:39:b0:d9:c1:a9:7c:b4:58:e2:26" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_9245d1511923f541844faa3c6bfebcbe { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LEHTEH d.o.o., Ljubljana" and ( + pe.signatures[i].serial == "00:92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be" or + pe.signatures[i].serial == "92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2888cf0f953a4a3640ee4cfc6304d9d4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Lotte Schmidt" and + pe.signatures[i].serial == "28:88:cf:0f:95:3a:4a:36:40:ee:4c:fc:63:04:d9:d4" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c8edcfe8be174c2f204d858c5b91dea5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Paarcopy Oy" and ( + pe.signatures[i].serial == "00:c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5" or + pe.signatures[i].serial == "c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_9faf8705a3eaef9340800cc4fd38597c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Tekhnokod LLC" and ( + pe.signatures[i].serial == "00:9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c" or + pe.signatures[i].serial == "9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0940fa9a4080f35052b2077333769c2f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PROFF LAIN, OOO" and + pe.signatures[i].serial == "09:40:fa:9a:40:80:f3:50:52:b2:07:73:33:76:9c:2f" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ea720222d92dc8d48e3b3c3b0fc360a6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CAVANAGH NETS LIMITED" and ( + pe.signatures[i].serial == "00:ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6" or + pe.signatures[i].serial == "ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4743e140c05b33f0449023946bd05acb { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "STROI RENOV SARL" and + pe.signatures[i].serial == "47:43:e1:40:c0:5b:33:f0:44:90:23:94:6b:d0:5a:cb" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a496bc774575c31abec861b68c36dcb6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ORGLE DVORSAK, d.o.o" and ( + pe.signatures[i].serial == "00:a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6" or + pe.signatures[i].serial == "a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a55c15f733bf1633e9ffae8a6e3b37d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Osnova OOO" and + pe.signatures[i].serial == "0a:55:c1:5f:73:3b:f1:63:3e:9f:fa:e8:a6:e3:b3:7d" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c650ae531100a91389a7f030228b3095 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "POKEROWA STRUNA SP Z O O" and ( + pe.signatures[i].serial == "00:c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95" or + pe.signatures[i].serial == "c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3990362c34015ce4c23ecc3377fd3c06 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RZOH ApS" and + pe.signatures[i].serial == "39:90:36:2c:34:01:5c:e4:c2:3e:cc:33:77:fd:3c:06" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_121fca3cfa4bd011669f5cc4e053aa3f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Kymijoen Projektipalvelut Oy" and + pe.signatures[i].serial == "12:1f:ca:3c:fa:4b:d0:11:66:9f:5c:c4:e0:53:aa:3f" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d338f8a490e37e6c2be80a0e349929fa { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SAGUARO ApS" and ( + pe.signatures[i].serial == "00:d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa" or + pe.signatures[i].serial == "d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2c1ee9b583310b5e34a1ee6945a34b26 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Artmarket" and + pe.signatures[i].serial == "2c:1e:e9:b5:83:31:0b:5e:34:a1:ee:69:45:a3:4b:26" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d875b3e3f2db6c3eb426e24946066111 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Kubit LLC" and ( + pe.signatures[i].serial == "00:d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11" or + pe.signatures[i].serial == "d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ad0a958cdf188bed43154a54bf23afba { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RHM Ltd" and ( + pe.signatures[i].serial == "00:ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba" or + pe.signatures[i].serial == "ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3cee26c125b8c188f316c3fa78d9c2f1 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Bitubit LLC" and + pe.signatures[i].serial == "3c:ee:26:c1:25:b8:c1:88:f3:16:c3:fa:78:d9:c2:f1" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4c687a0022c36f89e253f91d1f6954e2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HETCO ApS" and + pe.signatures[i].serial == "4c:68:7a:00:22:c3:6f:89:e2:53:f9:1d:1f:69:54:e2" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ca646b4275406df639cf603756f63d77 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SHOECORP LIMITED" and ( + pe.signatures[i].serial == "00:ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77" or + pe.signatures[i].serial == "ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_addbec454b5479cabd940a72df4500af { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SHAT LIMITED" and ( + pe.signatures[i].serial == "00:ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af" or + pe.signatures[i].serial == "ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ac307e5257bb814b818d3633b630326f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Aqua Direct s.r.o." 
and ( + pe.signatures[i].serial == "00:ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f" or + pe.signatures[i].serial == "ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0d83e7f47189cdbfc7fa3e5f58882329 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "THE WIZARD GIFT CORPORATION" and + pe.signatures[i].serial == "0d:83:e7:f4:71:89:cd:bf:c7:fa:3e:5f:58:88:23:29" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_58aa64564a50e8b2d6e31d5cd6250fde { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Foreground" and + pe.signatures[i].serial == "58:aa:64:56:4a:50:e8:b2:d6:e3:1d:5c:d6:25:0f:de" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2aa0ae245b487c8926c88ee6d736d1ca { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PILOTE SPRL" and + pe.signatures[i].serial == "2a:a0:ae:24:5b:48:7c:89:26:c8:8e:e6:d7:36:d1:ca" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1aec3d3f752a38617c1d7a677d0b5591 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SILVER d.o.o." and + pe.signatures[i].serial == "1a:ec:3d:3f:75:2a:38:61:7c:1d:7a:67:7d:0b:55:91" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a7e1dc5352c3852c5523030f57f2425c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Pushka LLC" and ( + pe.signatures[i].serial == "00:a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c" or + pe.signatures[i].serial == "a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_bbd4dc3768a51aa2b3059c1bad569276 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "JJ ELECTRICAL SERVICES LIMITED" and ( + pe.signatures[i].serial == "00:bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76" or + pe.signatures[i].serial == "bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_08622b9dd9d78e67678ecc21e026522e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Kayak Republic af 2015 APS" and + pe.signatures[i].serial == "08:62:2b:9d:d9:d7:8e:67:67:8e:cc:21:e0:26:52:2e" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e69a6de0074ece38c2f30f0d4a808456 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Semantic" and ( + pe.signatures[i].serial == "00:e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56" or + pe.signatures[i].serial == "e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8385684419ab26a3f2640b1496e1fe94 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CAUSE FOR CHANGE LTD" and ( + pe.signatures[i].serial == "00:83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94" or + pe.signatures[i].serial == "83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_21e3cae5b77c41528658ada08509c392 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Network Design International Holdings Limited" and + pe.signatures[i].serial == "21:e3:ca:e5:b7:7c:41:52:86:58:ad:a0:85:09:c3:92" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2abd2eef14d480dfea9ca9fdd823cf03 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BE SOL d.o.o." and + pe.signatures[i].serial == "2a:bd:2e:ef:14:d4:80:df:ea:9c:a9:fd:d8:23:cf:03" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_86909b91f07f9316984d888d1e28ab76 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Dantherm Intelligent Monitoring A/S" and ( + pe.signatures[i].serial == "00:86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76" or + pe.signatures[i].serial == "86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d1b8f1fe56381befdb2e73ffef2a4b28 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Sein\\xC3\\xA4joen Squash ja Bowling Oy" and ( + pe.signatures[i].serial == "00:d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28" or + pe.signatures[i].serial == "d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d4ef1ab6ab5d3cb35e4efb7984def7a2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "REIGN BROS ApS" and ( + pe.signatures[i].serial == "00:d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2" or + pe.signatures[i].serial == "d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_066276af2f2c7e246d3b1cab1b4aa42e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "IQ Trade ApS" and + pe.signatures[i].serial == "06:62:76:af:2f:2c:7e:24:6d:3b:1c:ab:1b:4a:a4:2e" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_65cd323c2483668b90a44a711d2a6b98 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Giperion" and + pe.signatures[i].serial == "65:cd:32:3c:24:83:66:8b:90:a4:4a:71:1d:2a:6b:98" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5a17d5de74fd8f09df596df3123139bb { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ACTA FIS d.o.o." and + pe.signatures[i].serial == "5a:17:d5:de:74:fd:8f:09:df:59:6d:f3:12:31:39:bb" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_15da61d7e1a631803431561674fb9b90 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "JAY DANCE STUDIO d.o.o." 
and + pe.signatures[i].serial == "15:da:61:d7:e1:a6:31:80:34:31:56:16:74:fb:9b:90" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7ab21306b11ff280a93fc445876988ab { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ABC BIOS d.o.o." and + pe.signatures[i].serial == "7a:b2:13:06:b1:1f:f2:80:a9:3f:c4:45:87:69:88:ab" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_634e16e38f12e9a71aca08e4c6b2dbb9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AUTO RESPONSE LTD CYF" and + pe.signatures[i].serial == "63:4e:16:e3:8f:12:e9:a7:1a:ca:08:e4:c6:b2:db:b9" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_289051a83f350a2c600187c99b6c0a73 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HALL HAULAGE LTD LTD" and + pe.signatures[i].serial == "28:90:51:a8:3f:35:0a:2c:60:01:87:c9:9b:6c:0a:73" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_818631110b5d14331dac7e6ad998b902 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "2 TOY GUYS LLC" and ( + pe.signatures[i].serial == "00:81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02" or + pe.signatures[i].serial == "81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_277cd16de5d61b9398b645afe41c09c7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "THE SIGN COMPANY LIMITED" and + pe.signatures[i].serial == "27:7c:d1:6d:e5:d6:1b:93:98:b6:45:af:e4:1c:09:c7" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d0eda76c13d30c97015708790bb94214 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LAEN ApS" and ( + pe.signatures[i].serial == "00:d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14" or + pe.signatures[i].serial == "d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6333ed618f88a05b4d82ad7bf66cb0fa { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RHM LIMITED" and + pe.signatures[i].serial == "63:33:ed:61:8f:88:a0:5b:4d:82:ad:7b:f6:6c:b0:fa" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3b777165b125bccc181d0bac3f5b55b3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "STAND ALONE MUSIC LTD" and + pe.signatures[i].serial == "3b:77:71:65:b1:25:bc:cc:18:1d:0b:ac:3f:5b:55:b3" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5b37ac3479283b6f9d75ddf0f8742d06 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ART BOOK PHOTO s.r.o." and + pe.signatures[i].serial == "5b:37:ac:34:79:28:3b:6f:9d:75:dd:f0:f8:74:2d:06" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3112c69d460c781fd649c71e61bfec82 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KREATURHANDLER BJARNE ANDERSEN ApS" and + pe.signatures[i].serial == "31:12:c6:9d:46:0c:78:1f:d6:49:c7:1e:61:bf:ec:82" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a5b4f67ad8b22afc2debe6ce5f8f679 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Farad LLC" and + pe.signatures[i].serial == "0a:5b:4f:67:ad:8b:22:af:c2:de:be:6c:e5:f8:f6:79" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_df45b36c9d0bd248c3f9494e7ca822 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MPO STORITVE d.o.o." and ( + pe.signatures[i].serial == "00:df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22" or + pe.signatures[i].serial == "df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1ae3c4eccecda2127d43be390a850dda { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PARTYNET LIMITED" and + pe.signatures[i].serial == "1a:e3:c4:ec:ce:cd:a2:12:7d:43:be:39:0a:85:0d:da" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2e36360538624c9b1afd78a2fb756028 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Ts Trade ApS" and + pe.signatures[i].serial == "2e:36:36:05:38:62:4c:9b:1a:fd:78:a2:fb:75:60:28" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_addb899f8229fd53e6435e08bbd3a733 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "U.K. STEEL EXPORTS LIMITED" and ( + pe.signatures[i].serial == "00:ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33" or + pe.signatures[i].serial == "ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c1a1db95d7bf80290aa6e82d8f8f996a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Software Two Pty Ltd" and ( + pe.signatures[i].serial == "00:c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a" or + pe.signatures[i].serial == "c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c667ffe3a5b0a5ae7cf3a9e41682e91b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "NAILS UNLIMITED LIMITED" and ( + pe.signatures[i].serial == "00:c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b" or + pe.signatures[i].serial == "c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e0a83917660d05cf476374659d3c7b85 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PIK MOTEL S.R.L." and ( + pe.signatures[i].serial == "00:e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85" or + pe.signatures[i].serial == "e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_afc5522898143aafaab7fd52304cf00c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "YAN CHING LIMITED" and ( + pe.signatures[i].serial == "00:af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c" or + pe.signatures[i].serial == "af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8b3333d32b2c2a1d33b41ba5db9d4d2d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BOOK CAF\\xC3\\x89, s.r.o." and ( + pe.signatures[i].serial == "00:8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d" or + pe.signatures[i].serial == "8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_fbb1198bd8bddb0d693eb72a8613fe3f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Trade Hunters, s. r. o." and ( + pe.signatures[i].serial == "00:fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f" or + pe.signatures[i].serial == "fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_846f77d9919fc4405aefe1701309bd67 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "IPM Skupina d.o.o." and ( + pe.signatures[i].serial == "00:84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67" or + pe.signatures[i].serial == "84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0939c2bad859c0432e8e98a6c0162c02 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Activ Expeditions ApS" and + pe.signatures[i].serial == "09:39:c2:ba:d8:59:c0:43:2e:8e:98:a6:c0:16:2c:02" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7fba0e19919ac50d700ba60250d02c8b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Diamartis" and + pe.signatures[i].serial == "7f:ba:0e:19:91:9a:c5:0d:70:0b:a6:02:50:d0:2c:8b" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a758504e7971869d0aec2775fffa03d5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Amcert LLC" and ( + pe.signatures[i].serial == "00:a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5" or + pe.signatures[i].serial == "a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_37a67cf754ee5ae284b4cf8b9d651604 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FORTH PROPERTY LTD" and + pe.signatures[i].serial == "37:a6:7c:f7:54:ee:5a:e2:84:b4:cf:8b:9d:65:16:04" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_119acead668bad57a48b4f42f294f8f0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PB03 TRANSPORT LTD." and + pe.signatures[i].serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7a6d30a6eb2fa0c3369283725704ac4c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Trade By International ApS" and
+ pe.signatures[i].serial == "7a:6d:30:a6:eb:2f:a0:c3:36:92:83:72:57:04:ac:4c" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_670c3494206b9f0c18714fdcffaaa42f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ADRIATIK PORT SERVIS, d.o.o." and
+ pe.signatures[i].serial == "67:0c:34:94:20:6b:9f:0c:18:71:4f:dc:ff:aa:a4:2f" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0e8aa328af207ce8bcae1dc15c626188 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PRO SAT SRL" and
+ pe.signatures[i].serial == "0e:8a:a3:28:af:20:7c:e8:bc:ae:1d:c1:5c:62:61:88" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_cfad6be1d823b4eacb803b720f525a7d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Sistema LLC" and (
+ pe.signatures[i].serial == "00:cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d" or
+ pe.signatures[i].serial == "cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7ebcb54b7e0e6410b28610de0743d4dd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SIA \"MWorx\"" and
+ pe.signatures[i].serial == "7e:bc:b5:4b:7e:0e:64:10:b2:86:10:de:07:43:d4:dd" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_01106cc293772ca905a2b6eff02bf0f5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DMR Consulting Ltd." and
+ pe.signatures[i].serial == "01:10:6c:c2:93:77:2c:a9:05:a2:b6:ef:f0:2b:f0:f5" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_05bb162f6efe852b7bd4712fd737a61e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Wellpro Impact Solutions Oy" and
+ pe.signatures[i].serial == "05:bb:16:2f:6e:fe:85:2b:7b:d4:71:2f:d7:37:a6:1e" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6171990ba1c8e71049ebb296a35bd160 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OWLNET LIMITED" and
+ pe.signatures[i].serial == "61:71:99:0b:a1:c8:e7:10:49:eb:b2:96:a3:5b:d1:60" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2114ca3bd2afd63d7fa29d744992b043 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MATCH CONSULTANTS LTD" and
+ pe.signatures[i].serial == "21:14:ca:3b:d2:af:d6:3d:7f:a2:9d:74:49:92:b0:43" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6aaa62208a3a78bfac1443007d031e61 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Solar LLC" and
+ pe.signatures[i].serial == "6a:aa:62:20:8a:3a:78:bf:ac:14:43:00:7d:03:1e:61" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_09450b8f73ea43e39d2cdd56049dbe40 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE4\\xB9\\x9D\\xE6\\xB1\\x9F\\xE5\\xAE\\x8F\\xE5\\x9B\\xBE\\xE6\\x97\\xA0\\xE5\\xBF\\xA7\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "09:45:0b:8f:73:ea:43:e3:9d:2c:dd:56:04:9d:be:40" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0efd9bd4b4281c6522d96011df46c9c4 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "0e:fd:9b:d4:b4:28:1c:65:22:d9:60:11:df:46:c9:c4" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0dd7d4a785990584d8c0837659173272 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "0d:d7:d4:a7:85:99:05:84:d8:c0:83:76:59:17:32:72" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0c59d46580f039af2c4ab6ba0ffed197 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "0c:59:d4:65:80:f0:39:af:2c:4a:b6:ba:0f:fe:d1:97" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0448ec8d26597f99912138500cc41c1b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "04:48:ec:8d:26:59:7f:99:91:21:38:50:0c:c4:1c:1b" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0108cbaee60728f5bf06e45a56d6f170 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE4\\xB8\\x9C\\xE6\\xB9\\x96\\xE6\\x96\\xB0\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE5\\xBC\\x80\\xE5\\x8F\\x91\\xE5\\x8C\\xBA" and
+ pe.signatures[i].serial == "01:08:cb:ae:e6:07:28:f5:bf:06:e4:5a:56:d6:f1:70" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_038d56a12153e8b5c74c69bff65cbe3f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE4\\xB8\\x9C\\xE6\\xB9\\x96\\xE6\\x96\\xB0\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE5\\xBC\\x80\\xE5\\x8F\\x91\\xE5\\x8C\\xBA" and
+ pe.signatures[i].serial == "03:8d:56:a1:21:53:e8:b5:c7:4c:69:bf:f6:5c:be:3f" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_060d94e2ccae84536654d9daf39fef1e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HasCred ApS" and
+ pe.signatures[i].serial == "06:0d:94:e2:cc:ae:84:53:66:54:d9:da:f3:9f:ef:1e" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0bc9b800f480691bd6b60963466b0c75 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HasCred ApS" and
+ pe.signatures[i].serial == "0b:c9:b8:00:f4:80:69:1b:d6:b6:09:63:46:6b:0c:75" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0c4324ff41f0a7b16ffcc93dffa8fa99 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE7\\xA6\\x8F\\xE5\\xBB\\xBA\\xE7\\x9C\\x81\\xE4\\xBA\\x94\\xE6\\x98\\x9F\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "0c:43:24:ff:41:f0:a7:b1:6f:fc:c9:3d:ff:a8:fa:99" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0b980fc8783e4f158e41829ab21bab81 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Idris Kanchwala Holding Corp." and
+ pe.signatures[i].serial == "0b:98:0f:c8:78:3e:4f:15:8e:41:82:9a:b2:1b:ab:81" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d8f515715aeffef0a0e4e37f16c254fa {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HOLDING LA LTD" and (
+ pe.signatures[i].serial == "00:d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa" or
+ pe.signatures[i].serial == "d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d79739187c585e453c00afc11d77b523 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SAN MARINO INVESTMENTS PTY LTD" and (
+ pe.signatures[i].serial == "00:d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23" or
+ pe.signatures[i].serial == "d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_961cecb0227845317549e9343a980e91 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "AmiraCo Oy" and (
+ pe.signatures[i].serial == "00:96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91" or
+ pe.signatures[i].serial == "96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1ef6392b2993a6f67578299659467ea8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ALUSEN d. o. o." and
+ pe.signatures[i].serial == "1e:f6:39:2b:29:93:a6:f6:75:78:29:96:59:46:7e:a8" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a918455c0d4da7ca474f41f11a7cf38c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MIDDRA INTERNATIONAL CORP." and (
+ pe.signatures[i].serial == "00:a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c" or
+ pe.signatures[i].serial == "a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_936bc256d2057ca9b9ec3034c3ed0ee6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SALES & MAINTENANCE LIMITED" and (
+ pe.signatures[i].serial == "00:93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6" or
+ pe.signatures[i].serial == "93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_afe8fee94b41422e01e4897bcd52d0a4 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TLGM ApS" and (
+ pe.signatures[i].serial == "00:af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4" or
+ pe.signatures[i].serial == "af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_718e89ddb33257ea77ba74be7f2baf1d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Trap Capital ApS" and
+ pe.signatures[i].serial == "71:8e:89:dd:b3:32:57:ea:77:ba:74:be:7f:2b:af:1d" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4d3e38f4aebbc32257450726b29be117 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "POLE & AERIAL FITNESS LIMITED" and
+ pe.signatures[i].serial == "4d:3e:38:f4:ae:bb:c3:22:57:45:07:26:b2:9b:e1:17" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_8f4c49dae1f1ff0ebe9104c6f73242bd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Contact Merger Holding ApS" and (
+ pe.signatures[i].serial == "00:8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd" or
+ pe.signatures[i].serial == "8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ac3c05f1cb9453de8e7110f589fb32c0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TRAIN BUILDING TEAM s.r.o." and (
+ pe.signatures[i].serial == "00:ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0" or
+ pe.signatures[i].serial == "ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_fbb96a90b6718810311767ca25ab1e48 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Rakurs LLC" and (
+ pe.signatures[i].serial == "00:fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48" or
+ pe.signatures[i].serial == "fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_cfd38423aef875a10b16644d058297e2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TRUST DANMARK ApS" and (
+ pe.signatures[i].serial == "00:cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2" or
+ pe.signatures[i].serial == "cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e6c05c5a2222bf92818324a3a7374ad3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ANAQA EVENTS LTD" and (
+ pe.signatures[i].serial == "00:e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3" or
+ pe.signatures[i].serial == "e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_75ce08bdbad44123299dbe9d7c1d20de {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Rose Holm International ApS" and
+ pe.signatures[i].serial == "75:ce:08:bd:ba:d4:41:23:29:9d:be:9d:7c:1d:20:de" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_333705c20b56e57f60b5eb191eef0d90 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TASK Holding ApS" and
+ pe.signatures[i].serial == "33:37:05:c2:0b:56:e5:7f:60:b5:eb:19:1e:ef:0d:90" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a2a0ba281262acce7a00119e25564386 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Sopiteks LLC" and (
+ pe.signatures[i].serial == "00:a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86" or
+ pe.signatures[i].serial == "a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_338483cc174c16ebc454a3803ffd4217 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Lpr:n Laatu-Ravintolat Oy" and
+ pe.signatures[i].serial == "33:84:83:cc:17:4c:16:eb:c4:54:a3:80:3f:fd:42:17" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_be89936c26cd0d845074f6b7b47f480c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Argus Security Maintenance Systems Inc." and (
+ pe.signatures[i].serial == "00:be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c" or
+ pe.signatures[i].serial == "be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0f20a5155e53ce20bb644f646ed6a2fd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CB CAM SP Z O O" and
+ pe.signatures[i].serial == "0f:20:a5:15:5e:53:ce:20:bb:64:4f:64:6e:d6:a2:fd" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ea734e1dfb6e69ed2bc55e513bf95b5e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Postmarket LLC" and (
+ pe.signatures[i].serial == "00:ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e" or
+ pe.signatures[i].serial == "ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ba67b0de51ebb9b1179804e75357ab26 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Fjordland Bike Wear ApS" and (
+ pe.signatures[i].serial == "00:ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26" or
+ pe.signatures[i].serial == "ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_cff2b275ba8a1dde83ac7ff858399a62 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "XL-FORCE ApS" and (
+ pe.signatures[i].serial == "00:cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62" or
+ pe.signatures[i].serial == "cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d22e026c5b5966f1cf6ef00a7c06682e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "AMCERT, LLC" and (
+ pe.signatures[i].serial == "00:d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e" or
+ pe.signatures[i].serial == "d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3054f940c931bad7b238a24376c6a5cc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "POLE CLEAN LTD" and
+ pe.signatures[i].serial == "30:54:f9:40:c9:31:ba:d7:b2:38:a2:43:76:c6:a5:cc" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a617e23d6ca8f34e2f7413cd299fc72b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "EXPRESS BOOKS LTD" and (
+ pe.signatures[i].serial == "00:a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b" or
+ pe.signatures[i].serial == "a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_387eeb89b8bf626bbf4c7c9f5b998b40 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ULTRA ACADEMY LTD" and
+ pe.signatures[i].serial == "38:7e:eb:89:b8:bf:62:6b:bf:4c:7c:9f:5b:99:8b:40" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_292eb1133507f42e6f36c5549c189d5e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Affairs-case s.r.o." and
+ pe.signatures[i].serial == "29:2e:b1:13:35:07:f4:2e:6f:36:c5:54:9c:18:9d:5e" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5fbf16a33d26390a15f046c310030cf0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MACHINES SATU MARE SRL" and
+ pe.signatures[i].serial == "5f:bf:16:a3:3d:26:39:0a:15:f0:46:c3:10:03:0c:f0" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0f007898afcba5f8af8ae65d01803617 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TechnoElek s.r.o." and
+ pe.signatures[i].serial == "0f:00:78:98:af:cb:a5:f8:af:8a:e6:5d:01:80:36:17" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e55be88ddbd93c423220468d430905dd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VALVE ACTUATION LTD" and (
+ pe.signatures[i].serial == "00:e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd" or
+ pe.signatures[i].serial == "e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_06bcb74291d96096577bdb1e165dce85 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Revo Security SRL" and
+ pe.signatures[i].serial == "06:bc:b7:42:91:d9:60:96:57:7b:db:1e:16:5d:ce:85" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c8442a8185082ef1ed7dc3fff2176aa7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Ambidekstr LLC" and (
+ pe.signatures[i].serial == "00:c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7" or
+ pe.signatures[i].serial == "c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0406c4a1521a38c8d0c4aa214388e4dc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Venezia Design SRL" and
+ pe.signatures[i].serial == "04:06:c4:a1:52:1a:38:c8:d0:c4:aa:21:43:88:e4:dc" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_12705fb66bc22c68372a1c4e5fa662e2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "APRIL BROTHERS LTD" and
+ pe.signatures[i].serial == "12:70:5f:b6:6b:c2:2c:68:37:2a:1c:4e:5f:a6:62:e2" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3b0914e2982be8980aa23f49848555e5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Office Rat s.r.o." and
+ pe.signatures[i].serial == "3b:09:14:e2:98:2b:e8:98:0a:a2:3f:49:84:85:55:e5" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_029bf7e1cb09fe277564bd27c267de5a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SAMOYAJ LIMITED" and
+ pe.signatures[i].serial == "02:9b:f7:e1:cb:09:fe:27:75:64:bd:27:c2:67:de:5a" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d3aee8abb9948844a3ac1c04cc7e6bdf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HOUSE 9A s.r.o" and (
+ pe.signatures[i].serial == "00:d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df" or
+ pe.signatures[i].serial == "d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_734819463c1195bd6e135ce4d5bf49bc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "videoalarm s. r. o." and
+ pe.signatures[i].serial == "73:48:19:46:3c:11:95:bd:6e:13:5c:e4:d5:bf:49:bc" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_db95b22362d46a73c39e0ac924883c5b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SPSLTD PLYMOUTH LTD" and (
+ pe.signatures[i].serial == "00:db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b" or
+ pe.signatures[i].serial == "db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0c48732873ac8ccebaf8f0e1e8329cec {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Hermetica Digital Ltd" and
+ pe.signatures[i].serial == "0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c51f4cf4d82bc920421e1ad93e39d490 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CUT AHEAD LTD" and (
+ pe.signatures[i].serial == "00:c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90" or
+ pe.signatures[i].serial == "c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c96086f1894e6420d2b4bdeea834c4d7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "THE FAITH SP Z O O" and (
+ pe.signatures[i].serial == "00:c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7" or
+ pe.signatures[i].serial == "c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_06fa27a121cc82230c3013ee634b6c62 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Zimmi Consulting Inc" and
+ pe.signatures[i].serial == "06:fa:27:a1:21:cc:82:23:0c:30:13:ee:63:4b:6c:62" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9dd3b2f7957ba99f4b04fcdbe03b7aac {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DOD MEDIA LIMITED" and (
+ pe.signatures[i].serial == "00:9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac" or
+ pe.signatures[i].serial == "9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_061051ff2a8afab10347a6f1ff08ecb6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TACHOPARTS SP Z O O" and
+ pe.signatures[i].serial == "06:10:51:ff:2a:8a:fa:b1:03:47:a6:f1:ff:08:ec:b6" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_eda2429083bfafb04e6e7bdda1b08834 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OWLNET LIMITED" and (
+ pe.signatures[i].serial == "00:ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34" or
+ pe.signatures[i].serial == "ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0a590154b5980e566314122987dea548 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Maya logistika d.o.o." and
+ pe.signatures[i].serial == "0a:59:01:54:b5:98:0e:56:63:14:12:29:87:de:a5:48" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_69a72f5591ad78a0825fbb9402ab9543 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PUSH BANK LIMITED" and
+ pe.signatures[i].serial == "69:a7:2f:55:91:ad:78:a0:82:5f:bb:94:02:ab:95:43" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0883db137021b51f3a2a08a76a4bc066 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Divertida Creative Limited" and
+ pe.signatures[i].serial == "08:83:db:13:70:21:b5:1f:3a:2a:08:a7:6a:4b:c0:66" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2b921aaaba777b5a99507196c6f1c46c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Python Software Foundation" and
+ pe.signatures[i].serial == "2b:92:1a:aa:ba:77:7b:5a:99:50:71:96:c6:f1:c4:6c" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0332d5c942869bdcabf5a8266197cd14 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "JAWRO SP Z O O" and
+ pe.signatures[i].serial == "03:32:d5:c9:42:86:9b:dc:ab:f5:a8:26:61:97:cd:14" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4679c5398a279318365fd77a84445699 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HURT GROUP HOLDINGS LIMITED" and
+ pe.signatures[i].serial == "46:79:c5:39:8a:27:93:18:36:5f:d7:7a:84:44:56:99" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_101d6a5a29d9a77807553ceac669d853 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BIC GROUP LIMITED" and
+ pe.signatures[i].serial == "10:1d:6a:5a:29:d9:a7:78:07:55:3c:ea:c6:69:d8:53" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6000f8c02b0a15b1e53b8399845faddf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SAY LIMITED" and
+ pe.signatures[i].serial == "60:00:f8:c0:2b:0a:15:b1:e5:3b:83:99:84:5f:ad:df" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_121070be1e782f206985543bc7bc58b6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Prod Can Holdings Inc." and
+ pe.signatures[i].serial == "12:10:70:be:1e:78:2f:20:69:85:54:3b:c7:bc:58:b6" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5226a724cfa0b4bc0164ecda3f02a3dc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VALENTE SP Z O O" and
+ pe.signatures[i].serial == "52:26:a7:24:cf:a0:b4:bc:01:64:ec:da:3f:02:a3:dc" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0a7be7722b65a866ebcd3bd7f8f10825 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Rebound Infotech Limited" and
+ pe.signatures[i].serial == "0a:7b:e7:72:2b:65:a8:66:eb:cd:3b:d7:f8:f1:08:25" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_05634456dbedb3556ca8415e64815c5d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Walden Intertech Inc." and
+ pe.signatures[i].serial == "05:63:44:56:db:ed:b3:55:6c:a8:41:5e:64:81:5c:5d" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2e07a8d6e3b25ae010c8ed2c4ab0fb37 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Emurasoft, Inc." and
+ pe.signatures[i].serial == "2e:07:a8:d6:e3:b2:5a:e0:10:c8:ed:2c:4a:b0:fb:37" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_30b4eeebd88fd205acc8577bbaed8655 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Enforcer Srl" and
+ pe.signatures[i].serial == "30:b4:ee:eb:d8:8f:d2:05:ac:c8:57:7b:ba:ed:86:55" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b3391a6c1b3c6836533959e2384ab4ca {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VERIFIED SOFTWARE LLC" and (
+ pe.signatures[i].serial == "00:b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca" or
+ pe.signatures[i].serial == "b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_05d50a0e09bb9a836ffb90a3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Toliz Info Tech Solutions INC." and
+ pe.signatures[i].serial == "05:d5:0a:0e:09:bb:9a:83:6f:fb:90:a3" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0a2787fbb4627c91611573e323584113 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "exxon.com" and
+ pe.signatures[i].serial == "0a:27:87:fb:b4:62:7c:91:61:15:73:e3:23:58:41:13" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1d36c4f439d651503589318f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "REDWOOD MARKETING SOLUTIONS INC." and
+ pe.signatures[i].serial == "1d:36:c4:f4:39:d6:51:50:35:89:31:8f" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_26f855a25890b749578f13e4b9459768 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Boo\\xE2\\x80\\x99s Q & Sweets Corporation" and
+ pe.signatures[i].serial == "26:f8:55:a2:58:90:b7:49:57:8f:13:e4:b9:45:97:68" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0f1ae2239bb96c5aef49d0ae50266912 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Aarav Consulting Inc." and
+ pe.signatures[i].serial == "0f:1a:e2:23:9b:b9:6c:5a:ef:49:d0:ae:50:26:69:12" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1deea179f5757fe529043577762419df {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SPIRIT CONSULTING s. r. o." and
+ pe.signatures[i].serial == "1d:ee:a1:79:f5:75:7f:e5:29:04:35:77:76:24:19:df" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5b1f9ec88d185631ab032dbfd5166c0d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TOPFLIGHT GROUP LIMITED" and
+ pe.signatures[i].serial == "5b:1f:9e:c8:8d:18:56:31:ab:03:2d:bf:d5:16:6c:0d" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_58af00ce542760fc116b41fa92e18589 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DICKIE MUSDALE WINDFARM LIMITED" and
+ pe.signatures[i].serial == "58:af:00:ce:54:27:60:fc:11:6b:41:fa:92:e1:85:89" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_25ba18a267d6d8e08ebc6e2457d58d1e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "5Y TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "25:ba:18:a2:67:d6:d8:e0:8e:bc:6e:24:57:d5:8d:1e" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_12df5ff3460979cec1288d874a9fbf83 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "FORWARD MUSIC AGENCY SRL" and
+ pe.signatures[i].serial == "12:df:5f:f3:46:09:79:ce:c1:28:8d:87:4a:9f:bf:83" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_df2547b2cab5689a81d61de80eaaa3a2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "FORWARD MUSIC AGENCY SRL" and (
+ pe.signatures[i].serial == "00:df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2" or
+ pe.signatures[i].serial == "df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_28b691272719b1ee {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "2021945 Ontario Inc." and
+ pe.signatures[i].serial == "28:b6:91:27:27:19:b1:ee" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1c897216e58e83cbe74ad03284e1fb82 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "M-Trans Maciej Caban" and
+ pe.signatures[i].serial == "1c:89:72:16:e5:8e:83:cb:e7:4a:d0:32:84:e1:fb:82" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5a364c4957d93406f76321c2316f42f0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Board Game Bucket Ltd" and
+ pe.signatures[i].serial == "5a:36:4c:49:57:d9:34:06:f7:63:21:c2:31:6f:42:f0" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e7e7f7180666546ce7a8da32119f5ce1 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "C\\xC3\\x94NG TY TNHH PDF SOFTWARE" and (
+ pe.signatures[i].serial == "00:e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1" or
+ pe.signatures[i].serial == "e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_062b2827500c5df35a83f661b3af5dd3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "*.eos.com" and
+ pe.signatures[i].serial == "06:2b:28:27:50:0c:5d:f3:5a:83:f6:61:b3:af:5d:d3" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7bf27695fd20b588f2b2f173b6caf2ba {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Game Warriors Limited" and
+ pe.signatures[i].serial == "7b:f2:76:95:fd:20:b5:88:f2:b2:f1:73:b6:ca:f2:ba" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1b248c8508042d36bbd5d92d189c61d8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Digital Robin Limited" and
+ pe.signatures[i].serial == "1b:24:8c:85:08:04:2d:36:bb:d5:d9:2d:18:9c:61:d8" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_032660ee1d49ad35086027473e2614e5e724 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "sunshine.com" and
+ pe.signatures[i].serial == "03:26:60:ee:1d:49:ad:35:08:60:27:47:3e:26:14:e5:e7:24" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_043052956e1e6dbd5f6ae3d8b82cad2a2ed8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ok.com" and
+ pe.signatures[i].serial == "04:30:52:95:6e:1e:6d:bd:5f:6a:e3:d8:b8:2c:ad:2a:2e:d8" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_dbc03ca7e6ae6db6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SPIDER DEVELOPMENTS PTY LTD" and (
+ pe.signatures[i].serial == "00:db:c0:3c:a7:e6:ae:6d:b6" or
+ pe.signatures[i].serial == "db:c0:3c:a7:e6:ae:6d:b6"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7d27332c3cb3a382a4fd232c5c66a2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MALVINA RECRUITMENT LIMITED" and
+ pe.signatures[i].serial == "7d:27:33:2c:3c:b3:a3:82:a4:fd:23:2c:5c:66:a2" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_82d224323efa65060b641f51fadfef02 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SAVAS INVESTMENTS PTY LTD" and (
+ pe.signatures[i].serial == "00:82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02" or
+ pe.signatures[i].serial == "82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_890570b6b0e2868a53be3f8f904a88ee {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "JESEN LESS d.o.o." and (
+ pe.signatures[i].serial == "00:89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee" or
+ pe.signatures[i].serial == "89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2642fe865f7566ce3123a5142c207094 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "C.W.D. INSTAL LTD" and
+ pe.signatures[i].serial == "26:42:fe:86:5f:75:66:ce:31:23:a5:14:2c:20:70:94" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4a2e337fff23e5b2a1321ffde56d1759 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Karolina Klimowska" and
+ pe.signatures[i].serial == "4a:2e:33:7f:ff:23:e5:b2:a1:32:1f:fd:e5:6d:17:59" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_92d9b92f8cf7a1ba8b2c025be730c300 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "UPLagga Systems s.r.o." and (
+ pe.signatures[i].serial == "00:92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00" or
+ pe.signatures[i].serial == "92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b8164f7143e1a313003ab0c834562f1f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Ekitai Data Inc." and (
+ pe.signatures[i].serial == "00:b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f" or
+ pe.signatures[i].serial == "b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_24e4a2b3db6be1007b9ddc91995bc0c8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "FLY BETTER s.r.o." and
+ pe.signatures[i].serial == "24:e4:a2:b3:db:6b:e1:00:7b:9d:dc:91:99:5b:c0:c8" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_881573fc67ff7395dde5bccfbce5b088 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Trade in Brasil s.r.o." and (
+ pe.signatures[i].serial == "00:88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88" or
+ pe.signatures[i].serial == "88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88"
+ ) and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_53e1f226cb77574f8fbeb5682da091bb {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OdyLab Inc" and
+ pe.signatures[i].serial == "53:e1:f2:26:cb:77:57:4f:8f:be:b5:68:2d:a0:91:bb" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0772b4d1d63233d2b8771997bc8da5c4 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Maya logistika d.o.o." and
+ pe.signatures[i].serial == "07:72:b4:d1:d6:32:33:d2:b8:77:19:97:bc:8d:a5:c4" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_02b6656292310b84022db5541bc48faf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DILA d.o.o." and
+ pe.signatures[i].serial == "02:b6:65:62:92:31:0b:84:02:2d:b5:54:1b:c4:8f:af" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_64c2505c7306639fc8eae544b0305338 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MANILA Solution as" and
+ pe.signatures[i].serial == "64:c2:50:5c:73:06:63:9f:c8:ea:e5:44:b0:30:53:38" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2f96a89bfec6e44dd224e8fd7e72d9bb {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "NAILS UNLIMITED LIMITED" and
+ pe.signatures[i].serial == "2f:96:a8:9b:fe:c6:e4:4d:d2:24:e8:fd:7e:72:d9:bb" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b649a966410f62999c939384af553919 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "F.A.T. SARL" and ( + pe.signatures[i].serial == "00:b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19" or + pe.signatures[i].serial == "b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_45245eef53fcf38169c715cf68f44452 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PAPER AND CORE SUPPLIES LTD" and + pe.signatures[i].serial == "45:24:5e:ef:53:fc:f3:81:69:c7:15:cf:68:f4:44:52" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1895433ee9e2bd48619d75132262616f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Evetrans Ltd" and + pe.signatures[i].serial == "18:95:43:3e:e9:e2:bd:48:61:9d:75:13:22:62:61:6f" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1ffc9825644caf5b1f521780c5c7f42c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ACTIVUS LIMITED" and + pe.signatures[i].serial == "1f:fc:98:25:64:4c:af:5b:1f:52:17:80:c5:c7:f4:2c" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8d52fb12a2511e86bbb0ba75c517eab0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VThink Software Consulting Inc." and ( + pe.signatures[i].serial == "00:8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0" or + pe.signatures[i].serial == "8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_332bd5801e8415585e72c87e0e2ec71d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Elite Marketing Strategies, Inc." and + pe.signatures[i].serial == "33:2b:d5:80:1e:84:15:58:5e:72:c8:7e:0e:2e:c7:1d" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e3b80c0932b52a708477939b0d32186f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BISOYETUTU LTD LIMITED" and ( + pe.signatures[i].serial == "00:e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f" or + pe.signatures[i].serial == "e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c79f817f082986bef3209f6723c8da97 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Al-Faris group d.o.o." and ( + pe.signatures[i].serial == "00:c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97" or + pe.signatures[i].serial == "c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1e5efa53a14599cc82f56f0790e20b17 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Storeks LLC" and + pe.signatures[i].serial == "1e:5e:fa:53:a1:45:99:cc:82:f5:6f:07:90:e2:0b:17" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0cf2d0b5bfdd68cf777a0c12f806a569 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PROTIP d.o.o. 
- v ste\\xC4\\x8Daju" and + pe.signatures[i].serial == "0c:f2:d0:b5:bf:dd:68:cf:77:7a:0c:12:f8:06:a5:69" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f675139ea68b897a865a98f8e4611f00 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BS TEHNIK d.o.o." and ( + pe.signatures[i].serial == "00:f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00" or + pe.signatures[i].serial == "f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4728189fa0f57793484cdf764f5e283d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Power Save Systems s.r.o." and + pe.signatures[i].serial == "47:28:18:9f:a0:f5:77:93:48:4c:df:76:4f:5e:28:3d" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_9bd81a9adaf71f1ff081c1f4a05d7fd7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SMART TOYS AND GAMES, INC" and ( + pe.signatures[i].serial == "00:9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7" or + pe.signatures[i].serial == "9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c81319d20c6f1f1aec3398522189d90c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AMCERT,LLC" and ( + pe.signatures[i].serial == "00:c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c" or + pe.signatures[i].serial == "c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c318d876768258a696ab9dd825e27acd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Genezis" and ( + pe.signatures[i].serial == "00:c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd" or + pe.signatures[i].serial == "c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_06df5c318759d6ea9d090bfb2faf1d94 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SpiffyTech Inc." and + pe.signatures[i].serial == "06:df:5c:31:87:59:d6:ea:9d:09:0b:fb:2f:af:1d:94" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_02de1cc6c487954592f1bf574ca2b000 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Orca System" and + pe.signatures[i].serial == "02:de:1c:c6:c4:87:95:45:92:f1:bf:57:4c:a2:b0:00" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a32b8b4f1be43c23eb2848ab4ef06bb2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Pak El AB" and ( + pe.signatures[i].serial == "00:a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2" or + pe.signatures[i].serial == "a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_626735ed30e50e3e0553986d806bfc54 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FISH ACCOUNTING & TRANSLATING LIMITED" and + pe.signatures[i].serial == "62:67:35:ed:30:e5:0e:3e:05:53:98:6d:80:6b:fc:54" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_34d42e871ddb1c92fa20b55b384e1259 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VENS CORP" and + pe.signatures[i].serial == "34:d4:2e:87:1d:db:1c:92:fa:20:b5:5b:38:4e:12:59" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_08d4dc90047b8470ccaf3924dfbd8b5f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Dibies" and + pe.signatures[i].serial == "08:d4:dc:90:04:7b:84:70:cc:af:39:24:df:bd:8b:5f" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c2fc83d458e653837fcfc132c9b03062 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Vertical" and ( + pe.signatures[i].serial == "00:c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62" or + pe.signatures[i].serial == "c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_54c793d2224bdd6ca527bb2b7b9dfe9d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CODE - HANDLE, s. r. o." and + pe.signatures[i].serial == "54:c7:93:d2:22:4b:dd:6c:a5:27:bb:2b:7b:9d:fe:9d" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8cece6df54cf6ad63596546d77ba3581 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Mikael LLC" and ( + pe.signatures[i].serial == "00:8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81" or + pe.signatures[i].serial == "8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_984e84cfe362e278f558e2c70aaafac2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Arctic Nights \\xC3\\x84k\\xC3\\xA4slompolo Oy" and ( + pe.signatures[i].serial == "00:98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2" or + pe.signatures[i].serial == "98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ff52eb011bb748fee75153cbe1e50dd6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TASK ANNA LIMITED" and ( + pe.signatures[i].serial == "00:ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6" or + pe.signatures[i].serial == "ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_84a4a0d0657e217b176b455e2465aee0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AATB ApS" and ( + pe.signatures[i].serial == "00:84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0" or + pe.signatures[i].serial == "84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b8f726508cf1d7b7913bf4bbd1e5c19c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Merkuri LLC" and ( + pe.signatures[i].serial == "00:b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c" or + pe.signatures[i].serial == "b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6a241ffe96a6349df608d22c02942268 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HELP, d.o.o." and + pe.signatures[i].serial == "6a:24:1f:fe:96:a6:34:9d:f6:08:d2:2c:02:94:22:68" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_aa1d84779792b57f91fe7a4bde041942 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AXIUM NORTHWESTERN HYDRO INC." and ( + pe.signatures[i].serial == "00:aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42" or + pe.signatures[i].serial == "aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3c98b6872fbb1f4ae37a4caa749d24c2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO SMART" and + pe.signatures[i].serial == "3c:98:b6:87:2f:bb:1f:4a:e3:7a:4c:aa:74:9d:24:c2" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e4e795fd1fd25595b869ce22aa7dc49f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OASIS COURT LIMITED" and ( + pe.signatures[i].serial == "00:e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f" or + pe.signatures[i].serial == "e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e953ada7e8f1438e5f7680ff599ae43e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KULBYT LLC" and ( + pe.signatures[i].serial == "00:e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e" or + pe.signatures[i].serial == "e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_28c57df09ce7cc3fde2243beb4d00101 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "WATER, s.r.o." 
and + pe.signatures[i].serial == "28:c5:7d:f0:9c:e7:cc:3f:de:22:43:be:b4:d0:01:01" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2d8cfcf04209dc7f771d8d18e462c35a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AA PLUS INVEST d.o.o." and + pe.signatures[i].serial == "2d:8c:fc:f0:42:09:dc:7f:77:1d:8d:18:e4:62:c3:5a" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_016836311fc39fbb8e6f308bb03cc2b3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SERVICE STREAM LIMITED" and + pe.signatures[i].serial == "01:68:36:31:1f:c3:9f:bb:8e:6f:30:8b:b0:3c:c2:b3" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_435abf46053a0a445c54217a8c233a7f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Kodemika" and + pe.signatures[i].serial == "43:5a:bf:46:05:3a:0a:44:5c:54:21:7a:8c:23:3a:7f" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b2f9c693a2e6634565f63c79b01dd8f8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PHL E STATE ApS" and ( + pe.signatures[i].serial == "00:b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8" or + pe.signatures[i].serial == "b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_54a6d33f73129e0ef059ccf51be0c35e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "STAFFORD MEAT COMPANY, INC." and + pe.signatures[i].serial == "54:a6:d3:3f:73:12:9e:0e:f0:59:cc:f5:1b:e0:c3:5e" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_142aac4217e22b525c8587589773ba9b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "A.B. gostinstvo trgovina posredni\\xC5\\xA1tvo in druge storitve, d.o.o." and + pe.signatures[i].serial == "14:2a:ac:42:17:e2:2b:52:5c:85:87:58:97:73:ba:9b" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_239664c12baeb5a6d787912888051392 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FORTH PROPERTY LTD" and + pe.signatures[i].serial == "23:96:64:c1:2b:ae:b5:a6:d7:87:91:28:88:05:13:92" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0218ebfd5a9bfd55d2f661f0d18d1d71 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "REI LUX UK LIMITED" and + pe.signatures[i].serial == "02:18:eb:fd:5a:9b:fd:55:d2:f6:61:f0:d1:8d:1d:71" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_35590ebe4a02dc23317d8ce47a947a9b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Largos" and + pe.signatures[i].serial == "35:59:0e:be:4a:02:dc:23:31:7d:8c:e4:7a:94:7a:9b" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_aa07d4f2857119cee514a0bd412f8201 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HANGA GIP d.o.o." 
and ( + pe.signatures[i].serial == "00:aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01" or + pe.signatures[i].serial == "aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_40f5660a90301e7a8a8c3b42 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Booz Allen Hamilton Inc." and + pe.signatures[i].serial == "40:f5:66:0a:90:30:1e:7a:8a:8c:3b:42" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0400c7614f86d75fe4ee3f6192b6feda { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "StackUp ApS" and + pe.signatures[i].serial == "04:00:c7:61:4f:86:d7:5f:e4:ee:3f:61:92:b6:fe:da" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e573d9c8b403c41bd59ffa0a8efd4168 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\"VERONIKA 2\" OOO" and ( + pe.signatures[i].serial == "00:e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68" or + pe.signatures[i].serial == "e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b06bc166fc765dacd2f7448c8cdd9205 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "GAS Avto, d.o.o." and ( + pe.signatures[i].serial == "00:b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05" or + pe.signatures[i].serial == "b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e9268ed63a7d7e9dfd40a664ddfbaf18 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Casta, s.r.o." and ( + pe.signatures[i].serial == "00:e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18" or + pe.signatures[i].serial == "e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_425dc3e0ca8bcdce19d00d87e3f0ba28 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Protover LLC" and + pe.signatures[i].serial == "42:5d:c3:e0:ca:8b:cd:ce:19:d0:0d:87:e3:f0:ba:28" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_afc0ddb7bdc8207e8c3b7204018eecd3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE9\\x83\\xB4\\xE5\\xB7\\x9E\\xE8\\x9C\\x97\\xE7\\x89\\x9B\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and ( + pe.signatures[i].serial == "00:af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3" or + pe.signatures[i].serial == "af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_38989ec61ecdb7391ff5647f7d58ad18 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RotA Games ApS" and + pe.signatures[i].serial == "38:98:9e:c6:1e:cd:b7:39:1f:f5:64:7f:7d:58:ad:18" and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_bc6c43d206a360f2d6b58537c456b709 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ANKADA GROUP, d.o.o." 
and ( + pe.signatures[i].serial == "00:bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09" or + pe.signatures[i].serial == "bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09" + ) and + 1592961292 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4929ab561c812af93ddb9758b545f546 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Everything Wow s.r.o." and + pe.signatures[i].serial == "49:29:ab:56:1c:81:2a:f9:3d:db:97:58:b5:45:f5:46" and + 1592961292 <= pe.signatures[i].not_after + ) +} \ No newline at end of file