From 5581f4a04e8c3cc6304db5e215cb1fc48a00ceb8 Mon Sep 17 00:00:00 2001
From: Threat Analyst
Date: Wed, 5 Aug 2020 11:04:02 +0200
Subject: [PATCH] Added new YARA rules.
---
 yara/certificate/blocklist.yara | 4215 +++++++++++++++++++++++++++++++
 1 file changed, 4215 insertions(+)
 create mode 100644 yara/certificate/blocklist.yara
diff --git a/yara/certificate/blocklist.yara b/yara/certificate/blocklist.yara
new file mode 100644
index 0000000..9c036ee
--- /dev/null
+++ b/yara/certificate/blocklist.yara
@@ -0,0 +1,4215 @@
+/*
+
+ YARA doesn't perform complete digital certificate chain validation.
+
+ This can cause unwanted matches for:
+ a) Files that are signed with non-verified, self-issued, certificates
+ b) Files that fail integrity validation due to checksum mismatch
+ c) Files that have extra data appended after the certificate
+
+ ReversingLabs recommends using Titanium platform for best results with certificate-based classifications.
+
+ References on importance of certificate verification:
+ https://blog.reversinglabs.com/blog/tampering-with-signed-objects-without-breaking-the-integrity-seal
+ https://blog.reversinglabs.com/blog/breaking-the-windows-authenticode-security-model
+ https://blog.reversinglabs.com/blog/breaking-uefi-firmware-authenticode-security-model
+ https://blog.reversinglabs.com/blog/breaking-the-linux-authenticode-security-model
+
+*/
+
+import "pe"
+
+rule cert_blocklist_05e2e6a4cd09ea54d665b075fe22A256 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "*.google.com" and
+ s.serial == "05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:A2:56" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_77019a082385e4b73f569569c9f87bb8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "AND LLC" and
+ s.serial == "77:01:9a:08:23:85:e4:b7:3f:56:95:69:c9:f8:7b:b8" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4f2ef29ca5f96e5777b82c62f34fd3a6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Bit9, Inc" and
+ s.serial == "4f:2e:f2:9c:a5:f9:6e:57:77:b8:2c:62:f3:4f:d3:a6" and
+ 1342051200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_7cc1db2ad0a290a4bfe7a5f336d6800c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Bit9, Inc" and
+ s.serial == "7c:c1:db:2a:d0:a2:90:a4:bf:e7:a5:f3:36:d6:80:0c" and
+ 1342051200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_13c8351aece71c731158980f575f4133 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Opera Software ASA" and
+ s.serial == "13:c8:35:1a:ec:e7:1c:73:11:58:98:0f:57:5f:41:33" and
+ 1371513600 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4531954f6265304055f66ce4f624f95b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "IDAutomation.com" and
+ s.serial == "45:31:95:4f:62:65:30:40:55:f6:6c:e4:f6:24:f9:5b" and
+ 1384819199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0e808f231515bc519eea1a73cdf3266f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Careto malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "TecSystem Ltd." and
+ s.serial == "0e:80:8f:23:15:15:bc:51:9e:ea:1a:73:cd:f3:26:6f" and
+ 1468799999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_36be4ad457f062fa77d87595b8ccc8cf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Careto malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "TecSystem Ltd." and
+ s.serial == "36:be:4a:d4:57:f0:62:fa:77:d8:75:95:b8:cc:c8:cf" and
+ 1372377599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_75a38507bf403b152125b8f5ce1b97ad {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Zeus malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "isonet ag" and
+ s.serial == "75:a3:85:07:bf:40:3b:15:21:25:b8:f5:ce:1b:97:ad" and
+ 1395359999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4effa8b216e24b16202940c1bc2fa8a5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Henan Maijiamai Technology Co., Ltd." and
+ s.serial == "4e:ff:a8:b2:16:e2:4b:16:20:29:40:c1:bc:2f:a8:a5" and
+ 1404691199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_57d7153a89bbf4729be87f3c927043aa {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Open Source Developer, zhenganjun" and
+ s.serial == "57:d7:15:3a:89:bb:f4:72:9b:e8:7f:3c:92:70:43:aa" and
+ 1469059200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_028e1deccf93d38ecf396118dfe908b4 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Fortuna Games Co., Ltd." and
+ s.serial == "02:8e:1d:ec:cf:93:d3:8e:cf:39:61:18:df:e9:08:b4" and
+ 1392163199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_40575df73eaa1b6140c7ef62c08bf216 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Dali Feifang Tech Co.,LTD." and
+ s.serial == "40:57:5d:f7:3e:aa:1b:61:40:c7:ef:62:c0:8b:f2:16" and
+ 1394063999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_049ce8c47f1f0e650cb086f0cfa7ca53 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Select'Assistance Pro" and
+ s.serial == "04:9c:e8:c4:7f:1f:0e:65:0c:b0:86:f0:cf:a7:ca:53" and
+ 1393804799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_29f42680e653cf8fafd0e935553f7e86 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Wemade Entertainment co.,Ltd" and
+ s.serial == "29:f4:26:80:e6:53:cf:8f:af:d0:e9:35:55:3f:7e:86" and
+ 1390175999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0c15 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "William Richard John" and
+ s.serial == "0c:15" and
+ 1387324799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0c0f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Dmitry Vasilev" and
+ s.serial == "0c:0f" and
+ 1386719999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_06a164ec5978497741ee6cec9966871b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "JOHN WILLIAM RICHARD" and
+ s.serial == "06:a1:64:ec:59:78:49:77:41:ee:6c:ec:99:66:87:1b" and
+ 1385596799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_1121ed568764e75be35574448feadefcd3bc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "FRINORTE COMERCIO DE PECAS E SERVICOS LTDA - ME" and
+ s.serial == "11:21:ed:56:87:64:e7:5b:e3:55:74:44:8f:ea:de:fc:d3:bc" and
+ 1385337599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_6ed2450ceac0f72e73fda1727e66e654 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Hohhot Handing Trade and Business Co., Ltd." and
+ s.serial == "6e:d2:45:0c:ea:c0:f7:2e:73:fd:a1:72:7e:66:e6:54" and
+ 1376092799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_32665079c5a5854a6833623ca77ff5ac {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Ohanae" and
+ s.serial == "32:66:50:79:c5:a5:85:4a:68:33:62:3c:a7:7f:f5:ac" and
+ 1381967999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_01a90094c83412c00cf98dd2eb0d7042 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "FreeVox SA" and
+ s.serial == "01:a9:00:94:c8:34:12:c0:0c:f9:8d:d2:eb:0d:70:42" and
+ 1376956799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_55efe24b9674855baf16e67716479c71 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "S2BVISIO BELGIQUE SA" and
+ s.serial == "55:ef:e2:4b:96:74:85:5b:af:16:e6:77:16:47:9c:71" and
+ 1374451199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_094bf19d509d3074913995160b195b6c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Porral Twinware S.L.L." and
+ s.serial == "09:4b:f1:9d:50:9d:30:74:91:39:95:16:0b:19:5b:6c" and
+ 1373241599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0a77cf3ba49b64e6cbe5fb4a6a6aacc6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "I.ST.SAN. Srl" and
+ s.serial == "0a:77:cf:3b:a4:9b:64:e6:cb:e5:fb:4a:6a:6a:ac:c6" and
+ 1371081599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_1f4c22da1107d20c1eda04569d58e573 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "PlanView, Inc." and
+ s.serial == "1f:4c:22:da:11:07:d2:0c:1e:da:04:56:9d:58:e5:73" and
+ 1366156799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4fe68d48634893d18de040d8f1c289d2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Xinghua Yile Network Tech Co.,Ltd." and
+ s.serial == "4f:e6:8d:48:63:48:93:d1:8d:e0:40:d8:f1:c2:89:d2" and
+ 1371081600 <= s.not_after
+ )
+}
+
+rule cert_blocklist_6767def972d6ea702d8c8a53af1832d3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Guangzhou typical corner Network Technology Co., Ltd." and
+ s.serial == "67:67:de:f9:72:d6:ea:70:2d:8c:8a:53:af:18:32:d3" and
+ 1461110399 <= s.not_after
+ )
+}
+
+rule cert_blocklist_06477e3425f1448995ced539789e6842 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Karim Lammali" and
+ s.serial == "06:47:7e:34:25:f1:44:89:95:ce:d5:39:78:9e:68:42" and
+ 1334275199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0450a7c1c36951da09c8ad0e7f716ff2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "PS Partnership" and
+ s.serial == "04:50:a7:c1:c3:69:51:da:09:c8:ad:0e:7f:71:6f:f2" and
+ 1362182399 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0f9fbdab9b39645cf3211f87abb5ddb7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "The Motivo Group, Inc." and
+ s.serial == "0f:9f:bd:ab:9b:39:64:5c:f3:21:1f:87:ab:b5:dd:b7" and
+ 1361318399 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4211d2e4f0e87127319302c55b85bcf2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "yinsheng xie" and
+ s.serial == "42:11:d2:e4:f0:e8:71:27:31:93:02:c5:5b:85:bc:f2" and
+ 1360713599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_07b44cdbfffb78de05f4261672a67312 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Buster Paper Comercial Ltda" and
+ s.serial == "07:b4:4c:db:ff:fb:78:de:05:f4:26:16:72:a6:73:12" and
+ 1359503999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4f8b9a1ba5e60c754dbb40ddee7905e2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "NOX Entertainment Co., Ltd" and
+ s.serial == "4f:8b:9a:1b:a5:e6:0c:75:4d:bb:40:dd:ee:79:05:e2" and
+ 1348617599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0a389b95ee736dd13bc0ed743fd74d2f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "BUSTER ASSISTENCIA TECNICA ELETRONICA LTDA - ME" and
+ s.serial == "0a:38:9b:95:ee:73:6d:d1:3b:c0:ed:74:3f:d7:4d:2f" and
+ 1351814399 <= s.not_after
+ )
+}
+
+rule cert_blocklist_1a3faaeb3a8b93b2394fec36345996e6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "salvatore macchiarella" and
+ s.serial == "1a:3f:aa:eb:3a:8b:93:b2:39:4f:ec:36:34:59:96:e6" and
+ 1468454400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_1a35acce5b0c77206b1c3dc2a6a2417c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "cd ingegneri associati srl" and
+ s.serial == "1a:35:ac:ce:5b:0c:77:20:6b:1c:3d:c2:a6:a2:41:7c" and
+ 1166054399 <= s.not_after
+ )
+}
+
+rule cert_blocklist_6eb40ea11eaac847b050de9b59e25bdc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "My Free Internet Update" and
+ s.serial == "6e:b4:0e:a1:1e:aa:c8:47:b0:50:de:9b:59:e2:5b:dc" and
+ 1062201599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_6724340ddbc7252f7fb714b812a5c04d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "YNK JAPAN Inc" and
+ s.serial == "67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d" and
+ 1306195199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0813ee9b7b9d7c46001d6bc8784df1dd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Les Garcons s'habillent" and
+ s.serial == "08:13:ee:9b:7b:9d:7c:46:00:1d:6b:c8:78:4d:f1:dd" and
+ 1334707199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_530591c61b5e1212f659138b7cea0a97 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "日照峰川国际矿业贸易有限公司" and
+ s.serial == "53:05:91:c6:1b:5e:12:12:f6:59:13:8b:7c:ea:0a:97" and
+ 1403654399 <= s.not_after
+ )
+}
+
+rule cert_blocklist_07270ff9 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar Cyber CA" and
+ s.serial == "07:27:0f:f9" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0727100d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar Cyber CA" and
+ s.serial == "07:27:10:0d" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_07271003 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar Cyber CA" and
+ s.serial == "07:27:10:03" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_013134bf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar PKIoverheid CA Organisatie - G2" and
+ s.serial == "01:31:34:bf" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_01314476 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar PKIoverheid CA Overheid" and
+ s.serial == "01:31:44:76" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_013169b0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar PKIoverheid CA Overheid en Bedrijven" and
+ s.serial == "01:31:69:b0" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0c76da9c910c4e2c9efe15d058933c4c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar Root CA" and
+ s.serial == "0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_469c2caf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar Root CA" and
+ s.serial == "46:9c:2c:af" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_469c3cc9 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar Root CA" and
+ s.serial == "46:9c:3c:c9" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0a82bd1e144e8814d75b1a5527bebf3e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar Root CA G2" and
+ s.serial == "0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3e" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_469c2cb0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DigiNotar Services 1024 CA" and
+ s.serial == "46:9c:2c:b0" and
+ 1308182400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4c0e636a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Digisign Server ID - (Enrich)" and
+ s.serial == "4c:0e:63:6a" and
+ 1320191999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_072714a9 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Digisign Server ID (Enrich)" and
+ s.serial == "07:27:14:a9" and
+ 1320191999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_00d8f35f4eb7872b2dab0692e315382fb0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "global trustee" and
+ s.serial == "00:d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0" and
+ 1300060800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_750e40ff97f047edf556c7084eb1abfd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Microsoft Corporation" and
+ s.serial == "75:0e:40:ff:97:f0:47:ed:f5:56:c7:08:4e:b1:ab:fd" and
+ 980899199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_1b5190f73724399c9254cd424637996a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Microsoft Corporation" and
+ s.serial == "1b:51:90:f7:37:24:39:9c:92:54:cd:42:46:37:99:6a" and
+ 980812799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_00ebaa11d62e2481081820 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Microsoft Enforced Licensing Intermediate PCA" and
+ s.serial == "00:eb:aa:11:d6:2e:24:81:08:18:20" and
+ -62135596800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_3aab11dee52f1b19d056 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Microsoft Enforced Licensing Intermediate PCA" and
+ s.serial == "3a:ab:11:de:e5:2f:1b:19:d0:56" and
+ -62135596800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_6102b01900000000002f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Microsoft Enforced Licensing Registration Authority CA (SHA1)" and
+ s.serial == "61:02:b0:19:00:00:00:00:00:2f" and
+ -62135596800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_01e2b4f759811c64379fca0be76d2dce {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Sony Pictures Entertainment Inc." and
+ s.serial == "01:e2:b4:f7:59:81:1c:64:37:9f:ca:0b:e7:6d:2d:ce" and
+ 1417651200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_03e5a010b05c9287f823c2585f547b80 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "MOCOMSYS INC" and
+ s.serial == "03:e5:a0:10:b0:5c:92:87:f8:23:c2:58:5f:54:7b:80" and
+ 1385423999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0fe7df6c4b9a33b83d04e23e98a77cce {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "PIXELPLUS CO., LTD." and
+ s.serial == "0f:e7:df:6c:4b:9a:33:b8:3d:04:e2:3e:98:a7:7c:ce" and
+ 1396310399 <= s.not_after
+ )
+}
+
+rule cert_blocklist_065569a3e261409128a40affa90d6d10 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Police Mutual Aid Association" and
+ s.serial == "06:55:69:a3:e2:61:40:91:28:a4:0a:ff:a9:0d:6d:10" and
+ 1381795199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0979616733e062c544df0abd315e3b92 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Jessica Karam" and
+ s.serial == "09:79:61:67:33:e0:62:c5:44:df:0a:bd:31:5e:3b:92" and
+ 1408319999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_7d3250b27e0547c77307030491b42802 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Banco do Brasil S.A." and
+ s.serial == "7d:32:50:b2:7e:05:47:c7:73:07:03:04:91:b4:28:02" and
+ 1412207999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_00d1836bd37c331a67 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "MINDSTORM LLC" and
+ s.serial == "00:d1:83:6b:d3:7c:33:1a:67" and
+ 1422835199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_2ca028d1a4de0eb743135edecf74d7af {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Adobe Systems" and
+ s.serial == "2c:a0:28:d1:a4:de:0e:b7:43:13:5e:de:cf:74:d7:af" and
+ 1341792000 <= s.not_after
+ )
+}
+
+rule cert_blocklist_dbb14dcf973eada14ece7ea79c895c11 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Adobe Systems" and
+ s.serial == "db:b1:4d:cf:97:3e:ad:a1:4e:ce:7e:a7:9c:89:5c:11" and
+ 1341792000 <= s.not_after
+ )
+}
+
+rule cert_blocklist_f8c2239de3977b8d4a3dcbedc9031a51 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Adobe Systems" and + s.serial == "f8:c2:23:9d:e3:97:7b:8d:4a:3d:cb:ed:c9:03:1a:51" and + 1341792000 <= s.not_after + ) +} + +rule cert_blocklist_caad8222705d3fb3430e114a31c8c6a4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Adobe Systems" and + s.serial == "ca:ad:82:22:70:5d:3f:b3:43:0e:11:4a:31:c8:c6:a4" and + 1341792000 <= s.not_after + ) +} + +rule cert_blocklist_b191812516e6618d49e6ccf5e63dc343 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Adobe Systems" and + s.serial == "b1:91:81:25:16:e6:61:8d:49:e6:cc:f5:e6:3d:c3:43" and + 1341792000 <= s.not_after + ) +} + +rule cert_blocklist_4ba7fb8ee1deff8f4a1525e1e0580057 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Adobe Systems" and + s.serial == "4b:a7:fb:8e:e1:de:ff:8f:4a:15:25:e1:e0:58:00:57" and + 1341792000 <= s.not_after + ) +} + +rule cert_blocklist_2df9f7eb6cdc5ca243b33122e3941e25 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Adobe Systems" and + s.serial == "2d:f9:f7:eb:6c:dc:5c:a2:43:b3:31:22:e3:94:1e:25" and + 1341792000 <= s.not_after + ) +} + +rule cert_blocklist_58a541d50f9e2fab4380c6a2ed433b82 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Adobe Systems" and + s.serial == "58:a5:41:d5:0f:9e:2f:ab:43:80:c6:a2:ed:43:3b:82" and + 1341792000 <= s.not_after + ) +} + +rule cert_blocklist_5f273626859ae4bc4becbbeb71e2ab2d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Adobe Systems" and + s.serial == "5f:27:36:26:85:9a:e4:bc:4b:ec:bb:eb:71:e2:ab:2d" and + 1341792000 <= s.not_after + ) +} + +rule cert_blocklist_b1ad46ce4db160b348c24f66c9663178 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Adobe Systems" and + s.serial == "b1:ad:46:ce:4d:b1:60:b3:48:c2:4f:66:c9:66:31:78" and + 1341792000 <= s.not_after + ) +} + +rule cert_blocklist_256541e204619033f8b09f9eb7c88ef8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "HON HAI PRECISION INDUSTRY CO. LTD." 
and + s.serial == "25:65:41:e2:04:61:90:33:f8:b0:9f:9e:b7:c8:8e:f8" and + 1424303999 <= s.not_after + ) +} + +rule cert_blocklist_00e8cc18cf100b6b27443ef26319398734 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Syngenta" and + s.serial == "00:e8:cc:18:cf:10:0b:6b:27:44:3e:f2:63:19:39:87:34" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_62af28a7657ba8ab10fa8e2d47250c69 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "AFINA Fintek" and + s.serial == "62:af:28:a7:65:7b:a8:ab:10:fa:8e:2d:47:25:0c:69" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_04c8eca7243208a110dea926c7ad89ce { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Open Source Developer, Singh Aditya" and + s.serial == "04:c8:ec:a7:24:32:08:a1:10:de:a9:26:c7:ad:89:ce" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_157c3a4a6bcf35cf8453e6b6c0072e1d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Favorite-III" and + s.serial == "15:7c:3a:4a:6b:cf:35:cf:84:53:e6:b6:c0:07:2e:1d" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_04422f12037bc2032521dbb6ae02ea0e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Open Source Developer, Muhammad Lee" and + s.serial == "04:42:2f:12:03:7b:c2:03:25:21:db:b6:ae:02:ea:0e" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_65eae6c98111dc40bf4f962bf27227f2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Open Source Developer, BHARATH KUCHANGI" and + s.serial == "65:ea:e6:c9:81:11:dc:40:bf:4f:96:2b:f2:72:27:f2" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_12d5a4b29fe6156d4195fba55ae0d9a9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Open Source Developer, Marc Chapon" and + s.serial == "12:d5:a4:b2:9f:e6:15:6d:41:95:fb:a5:5a:e0:d9:a9" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_0087d60d1e2b9374eb7a735dce4bbdae56 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "AMO-K Limited Liability Company" and + s.serial == "00:87:d6:0d:1e:2b:93:74:eb:7a:73:5d:ce:4b:bd:ae:56" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_0860c8a7ed18c3f030a32722fd2b220c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Open Source Developer, Tony Yeh" and + s.serial == "08:60:c8:a7:ed:18:c3:f0:30:a3:27:22:fd:2b:22:0c" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_2fdadd0740572270203f8138692c4a83 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Open Source Developer, William Zoltan" and + s.serial == "2f:da:dd:07:40:57:22:70:20:3f:81:38:69:2c:4a:83" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_4fc13d6220c629043a26f81b1cad72d8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Open Source Developer, meicun ge" and + s.serial == "4f:c1:3d:62:20:c6:29:04:3a:26:f8:1b:1c:ad:72:d8" and + 1404172799 <= s.not_after + ) +} + +rule cert_blocklist_3457a918c6d3701b2eaca6a92474a7cc { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "KONSALTING PLUS OOO" and + s.serial == "34:57:a9:18:c6:d3:70:1b:2e:ac:a6:a9:24:74:a7:cc" and + 1432252799 <= s.not_after + ) +} + +rule cert_blocklist_621ed8265b0ad872d9f4b4ed6d560513 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Fan Li" and + s.serial == "62:1e:d8:26:5b:0a:d8:72:d9:f4:b4:ed:6d:56:05:13" and + 1463615999 <= s.not_after + ) +} + +rule cert_blocklist_56e22b992b4c7f1afeac1d63b492bf54 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Open Source Developer, Hetem Ramadani" and + s.serial == "56:e2:2b:99:2b:4c:7f:1a:fe:ac:1d:63:b4:92:bf:54" and + 1435622399 <= s.not_after + ) +} + +rule cert_blocklist_3bc3bae4118d46f3fdd9beeeab749fee { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "李雪梅" and + s.serial == "3b:c3:ba:e4:11:8d:46:f3:fd:d9:be:ee:ab:74:9f:ee" and + 1442275199 <= s.not_after + ) +} + +rule cert_blocklist_0f0449f7691e5b4c8e74e71cae822179 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "SBO INVEST" and + s.serial == "0f:04:49:f7:69:1e:5b:4c:8e:74:e7:1c:ae:82:21:79" and + 1432079999 <= s.not_after + ) +} + +rule cert_blocklist_43db4448d870d7bdc275f36a01fba36f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "3-T TOV" and + s.serial == "43:db:44:48:d8:70:d7:bd:c2:75:f3:6a:01:fb:a3:6f" and + 1436227199 <= s.not_after + ) +} + +rule cert_blocklist_2880a7f7ff2d334aa08744a8754fab2c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Garena Online Pte Ltd" and + s.serial == "28:80:a7:f7:ff:2d:33:4a:a0:87:44:a8:75:4f:ab:2c" and + 1393891199 <= s.not_after + ) +} + +rule cert_blocklist_0492f5c18e26fa0cd7e15067674aff1c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Ghada Saffarini" and + s.serial == "04:92:f5:c1:8e:26:fa:0c:d7:e1:50:67:67:4a:ff:1c" and + 1445990399 <= s.not_after + ) +} + +rule cert_blocklist_6aa668cd6a9de1fdd476ea8225326937 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "BSCP LIMITED" and + s.serial == "6a:a6:68:cd:6a:9d:e1:fd:d4:76:ea:82:25:32:69:37" and + 1441583999 <= s.not_after + ) +} + +rule cert_blocklist_1cb06dccb482255728671ea12ac41620 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Fangzhen Li" and + s.serial == "1c:b0:6d:cc:b4:82:25:57:28:67:1e:a1:2a:c4:16:20" and + 1445126399 <= s.not_after + ) +} + +rule cert_blocklist_370c2467c41d6019bbecd72e00c5d73d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "UNINFO SISTEMAS LTDA ME" and + s.serial == "37:0c:24:67:c4:1d:60:19:bb:ec:d7:2e:00:c5:d7:3d" and + 1445299199 <= s.not_after + ) +} + +rule cert_blocklist_5067339614c5cc219c489d40420f3bf9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "D-LINK CORPORATION" and + s.serial == "50:67:33:96:14:c5:cc:21:9c:48:9d:40:42:0f:3b:f9" and + 1441371599 <= s.not_after + ) +} + +rule cert_blocklist_6e32531ae83992f0573120a5e78de271 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "3 AM CHP" and + s.serial == "6e:32:53:1a:e8:39:92:f0:57:31:20:a5:e7:8d:e2:71" and + 1451606399 <= s.not_after + ) +} + +rule cert_blocklist_6967a89bcf6efef160aaeebbff376c0a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Chang Yucheng" and + s.serial == "69:67:a8:9b:cf:6e:fe:f1:60:aa:ee:bb:ff:37:6c:0a" and + 1451174399 <= s.not_after + ) +} + +rule cert_blocklist_7473d95405d2b0b3a8f28785ce6e74ca { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Dmitrij Emelyanov" and + s.serial == "74:73:d9:54:05:d2:b0:b3:a8:f2:87:85:ce:6e:74:ca" and + 1453939199 <= s.not_after + ) +} + +rule cert_blocklist_04f380f97579f1702a85e0169bbdfd78 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "GRANIFLOR" and + s.serial == "04:f3:80:f9:75:79:f1:70:2a:85:e0:16:9b:bd:fd:78" and + 1454889599 <= s.not_after + ) +} + +rule cert_blocklist_04d6b8cc6dce353fcf3ae8a532be7255 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "MADERA" and + s.serial == "04:d6:b8:cc:6d:ce:35:3f:cf:3a:e8:a5:32:be:72:55" and + 1451692799 <= s.not_after + ) +} + +rule cert_blocklist_191322a00200f793 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "PRABHAKAR NARAYAN" and + s.serial == "19:13:22:a0:02:00:f7:93" and + 1442966399 <= s.not_after + ) +} + +rule cert_blocklist_451c9d0b413e6e8df175 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "PRASAD UPENDRA" and + s.serial == "45:1c:9d:0b:41:3e:6e:8d:f1:75" and + 1442275199 <= s.not_after + ) +} + +rule cert_blocklist_03943858218f35adb7073a6027555621 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "RuN APps FOrEver lld" and + s.serial == "03:94:38:58:21:8f:35:ad:b7:07:3a:60:27:55:56:21" and + 1480550399 <= s.not_after + ) +} + +rule cert_blocklist_09813ee7318452c28a1f6426d1cee12d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Saly Younes" and + s.serial == "09:81:3e:e7:31:84:52:c2:8a:1f:64:26:d1:ce:e1:2d" and + 1455667199 <= s.not_after + ) +} + +rule cert_blocklist_476bf24a4b1e9f4bc2a61b152115e1fe { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Derusbi malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Wemade Entertainment co.,Ltd" and + s.serial == "47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" and + 1414454399 <= s.not_after + ) +} + +rule cert_blocklist_7bd55818c5971b63dc45cf57cbeb950b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Derusbi malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "XL Games Co.,Ltd." and + s.serial == "7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" and + 1371513599 <= s.not_after + ) +} + +rule cert_blocklist_4c0b2e9d2ef909d15270d4dd7fa5a4a5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Derusbi malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Fuqing Dawu Technology Co.,Ltd." and + s.serial == "4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" and + 1372118399 <= s.not_after + ) +} + +rule cert_blocklist_5e3d76dc7e273e2f313fc0775847a2a2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Sakula and Derusbi malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "NexG" and + s.serial == "5e:3d:76:dc:7e:27:3e:2f:31:3f:c0:77:58:47:a2:a2" and + 1372723199 <= s.not_after + ) +} + +rule cert_blocklist_47d5d5372bcb1562b4c9f4c2bdf13587 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Sakula malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "DTOPTOOLZ Co.,Ltd." and + s.serial == "47:d5:d5:37:2b:cb:15:62:b4:c9:f4:c2:bd:f1:35:87" and + 1400803199 <= s.not_after + ) +} + +rule cert_blocklist_3ac10e68f1ce519e84ddcd28b11fa542 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Sakula malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "U-Tech IT service" and + s.serial == "3a:c1:0e:68:f1:ce:51:9e:84:dd:cd:28:b1:1f:a5:42" and + 1420156799 <= s.not_after + ) +} + +rule cert_blocklist_31062e483e0106b18c982f0053185c36 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Sakula malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "MICRO DIGITAL INC." and + s.serial == "31:06:2e:48:3e:01:06:b1:8c:98:2f:00:53:18:5c:36" and + 1332287999 <= s.not_after + ) +} + +rule cert_blocklist_20d0ee42fc901e6b3a8fefe8c1e6087a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Sakula malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "SJ SYSTEM" and + s.serial == "20:d0:ee:42:fc:90:1e:6b:3a:8f:ef:e8:c1:e6:08:7a" and + 1391299199 <= s.not_after + ) +} + +rule cert_blocklist_127251b32b9a50bd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing OSX DokSpy backdoor." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Developer ID Application: Edouard Roulet (W7J9LRHXTG)" and + s.serial == "12:72:51:b3:2b:9a:50:bd" and + 1493769599 <= s.not_after + ) +} + +rule cert_blocklist_48cad4e6966e22d6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing OSX DokSpy backdoor." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Developer ID Application: Seven Muller (FUP9692NN6)" and + s.serial == "48:ca:d4:e6:96:6e:22:d6" and + 1492732799 <= s.not_after + ) +} + +rule cert_blocklist_5e15205f180442cc6c3c0f03e1a33d9f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Ziber Ltd" and + s.serial == "5e:15:20:5f:18:04:42:cc:6c:3c:0f:03:e1:a3:3d:9f" and + 1498607999 <= s.not_after + ) +} + +rule cert_blocklist_4c8e3b1613f73542f7106f272094eb23 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "ADD Audit" and + s.serial == "4c:8e:3b:16:13:f7:35:42:f7:10:6f:27:20:94:eb:23" and + 1472687999 <= s.not_after + ) +} + +rule cert_blocklist_2ce2bd0ad3cfde9ea73eec7ca30400da { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Media Lid" and + s.serial == "2c:e2:bd:0a:d3:cf:de:9e:a7:3e:ec:7c:a3:04:00:da" and + 1493337599 <= s.not_after + ) +} + +rule cert_blocklist_0fbc30db127a536c34d7a0fa81b48193 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Megabit, OOO" and + s.serial == "0f:bc:30:db:12:7a:53:6c:34:d7:a0:fa:81:b4:81:93" and + 1466121599 <= s.not_after + ) +} + +rule cert_blocklist_08448bd6ee9105ae31228ea5fe496f63 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Raffaele Carnacina" and + s.serial == "08:44:8b:d6:ee:91:05:ae:31:22:8e:a5:fe:49:6f:63" and + 1445212799 <= s.not_after + ) +} + +rule cert_blocklist_02f17566ef568dc06c9a379ea2f4faea { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Valeriano Bedeschi" and + s.serial == "02:f1:75:66:ef:56:8d:c0:6c:9a:37:9e:a2:f4:fa:ea" and + 1441324799 <= s.not_after + ) +} + +rule cert_blocklist_7d824ba1f7f730319c50d64c9a7ed507 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "joaweb" and + s.serial == "7d:82:4b:a1:f7:f7:30:31:9c:50:d6:4c:9a:7e:d5:07" and + 1238025599 <= s.not_after + ) +} + +rule cert_blocklist_77a64759f12766e363d779998c71bdc9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Beijing Gigabit Times Technology Co., Ltd" and + s.serial == "77:a6:47:59:f1:27:66:e3:63:d7:79:99:8c:71:bd:c9" and + 1301011199 <= s.not_after + ) +} + +rule cert_blocklist_0b0d17ec1449b4b2d38fcb0f20fbcd3a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "WEBPIC DESENVOLVIMENTO DE SOFTWARE LTDA" and + s.serial == "0b:0d:17:ec:14:49:b4:b2:d3:8f:cb:0f:20:fb:cd:3a" and + 1394150399 <= s.not_after + ) +} + +rule cert_blocklist_fe9404dc73cf1c2ba1450b8398305557 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "厦门翔通信息科技有限公司北京分公司" and + s.serial == "fe:94:04:dc:73:cf:1c:2b:a1:45:0b:83:98:30:55:57" and + 1290643199 <= s.not_after + ) +} + +rule cert_blocklist_1cb2d523a6bf7a066642c578de1c9be4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Shenzhen Hua’nan Xingfa Electronic Equipment Firm" and + s.serial == "1c:b2:d5:23:a6:bf:7a:06:66:42:c5:78:de:1c:9b:e4" and + 1400889599 <= s.not_after + ) +} + +rule cert_blocklist_3a6ccabb1c62f3be3eb03869fa43dc4a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "常州骏景通联数字科技有限公司" and + s.serial == "3a:6c:ca:bb:1c:62:f3:be:3e:b0:38:69:fa:43:dc:4a" and + 1259798399 <= s.not_after + ) +} + +rule cert_blocklist_864196f01971dbec7002b48642a7013a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "WLE DESENVOLVIMENTO DE SOFTWARE E ASSESSORIA LTDA EPP" and + s.serial == "86:41:96:f0:19:71:db:ec:70:02:b4:86:42:a7:01:3a" and + 1384300799 <= s.not_after + ) +} + +rule cert_blocklist_4fda1e121b61adeca936a6aebe079303 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "Laizhou wanlei stone Co., LTD" and + s.serial == "4f:da:1e:12:1b:61:ad:ec:a9:36:a6:ae:be:07:93:03" and + 1310687999 <= s.not_after + ) +} + +rule cert_blocklist_03866deb183abfbf4ff458d4de7bd73a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "重庆话语科技有限公司" and + s.serial == "03:86:6d:eb:18:3a:bf:bf:4f:f4:58:d4:de:7b:d7:3a" and + 1371772799 <= s.not_after + ) +} + +rule cert_blocklist_1be41b34127ca9e6270830d2070db426 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "北京耘升天下科技有限公司" and + s.serial == "1b:e4:1b:34:12:7c:a9:e6:27:08:30:d2:07:0d:b4:26" and + 1352764799 <= s.not_after + ) +} + +rule cert_blocklist_9b108b8a1daa0d5581f59fcee0447901 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any s in pe.signatures: ( + s.subject contains "CharacTell Ltd" and + s.serial == "9b:10:8b:8a:1d:aa:0d:55:81:f5:9f:ce:e0:44:79:01" and + 1380671999 <= s.not_after + ) +} + +rule cert_blocklist_5f8203c430fc7db4e61f6684f6829ffc { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Haivision Network Video" and
+ s.serial == "5f:82:03:c4:30:fc:7d:b4:e6:1f:66:84:f6:82:9f:fc" and
+ 1382572799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_6b6daef5be29f20ddce4b0f5e9fa6ea5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Calibration Consultants" and
+ s.serial == "6b:6d:ae:f5:be:29:f2:0d:dc:e4:b0:f5:e9:fa:6e:a5" and
+ 1280447999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_57d6dff1ef96f01b9430666b2733cc87 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Smart Plugin Ltda" and
+ s.serial == "57:d6:df:f1:ef:96:f0:1b:94:30:66:6b:27:33:cc:87" and
+ 1314575999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0166b65038d61e5435b48204cae4795a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "TOLGA KAPLAN" and
+ s.serial == "01:66:b6:50:38:d6:1e:54:35:b4:82:04:ca:e4:79:5a" and
+ 1403999999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_784f226b45c3bd8e4089243d747d1f59 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "FSPro Labs" and
+ s.serial == "78:4f:22:6b:45:c3:bd:8e:40:89:24:3d:74:7d:1f:59" and
+ 1242777599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_11690f05604445fae0de539eeeeec584 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Tera information Technology co.Ltd" and
+ s.serial == "11:69:0f:05:60:44:45:fa:e0:de:53:9e:ee:ee:c5:84" and
+ 1294703999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_aa146bff4b832bdbfe30b84580356763 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Yancheng Peoples Information Technology Service Co., Ltd" and
+ s.serial == "aa:14:6b:ff:4b:83:2b:db:fe:30:b8:45:80:35:67:63" and
+ 1295481599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_e86f46b60142092aae81b8f6fa3d9c7c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Syncode Sistemas e Tecnologia Ltda" and
+ s.serial == "e8:6f:46:b6:01:42:09:2a:ae:81:b8:f6:fa:3d:9c:7c" and
+ 1373932799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_1a0fd2a4ef4c2a36ab9c5e8f792a35e2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "北京金利宏昌科技有限公司" and
+ s.serial == "1a:0f:d2:a4:ef:4c:2a:36:ab:9c:5e:8f:79:2a:35:e2" and
+ 1389311999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_53bb753b79a99e61a6e822ac52460c70 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "데스크탑아이콘" and
+ s.serial == "53:bb:75:3b:79:a9:9e:61:a6:e8:22:ac:52:46:0c:70" and
+ 1400543999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_83f68fc6834bf8bd2c801a2d1f1acc76 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Helpful Technologies, Inc" and
+ s.serial == "83:f6:8f:c6:83:4b:f8:bd:2c:80:1a:2d:1f:1a:cc:76" and
+ 1407715199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_f385e765acfb95605c9b35ca4c32f80e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "CWI SOFTWARE LTDA" and
+ s.serial == "f3:85:e7:65:ac:fb:95:60:5c:9b:35:ca:4c:32:f8:0e" and
+ 1382313599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_f62c9c4efc81caf0d5a2608009d48018 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "唐山万东润播网络技术有限公司" and
+ s.serial == "f6:2c:9c:4e:fc:81:ca:f0:d5:a2:60:80:09:d4:80:18" and
+ 1292889599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_cc8d902da36587c9b2113cd76c3c3f8d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "上海金俊坤计算机技术服务有限公司" and
+ s.serial == "cc:8d:90:2d:a3:65:87:c9:b2:11:3c:d7:6c:3c:3f:8d" and
+ 1296691199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_328bdcc0f679c4649147fbb3eb0e9bc6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Nooly Systems LTD" and
+ s.serial == "32:8b:dc:c0:f6:79:c4:64:91:47:fb:b3:eb:0e:9b:c6" and
+ 1204847999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "上海域联软件技术有限公司" and
+ s.serial == "5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7" and
+ 1343001599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_629d120dd84f9c1688d4da40366fab7a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Delta Controls" and
+ s.serial == "62:9d:12:0d:d8:4f:9c:16:88:d4:da:40:36:6f:ab:7a" and
+ 1306799999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_039e5d0e3297f574db99e1d9503853d9 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Cigam Software Corporativo LTDA" and
+ s.serial == "03:9e:5d:0e:32:97:f5:74:db:99:e1:d9:50:38:53:d9" and
+ 1378079999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_bc32bbe5bbb4f06f490c50651cd5da50 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Remedica Medical Education and Publishing Ltd" and
+ s.serial == "bc:32:bb:e5:bb:b4:f0:6f:49:0c:50:65:1c:d5:da:50" and
+ 1387151999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_3e1656dfcaacfed7c2d2564355698aa3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "John W.Richard" and
+ s.serial == "3e:16:56:df:ca:ac:fe:d7:c2:d2:56:43:55:69:8a:a3" and
+ 1385251199 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4bf1d68e926e2dd8966008c44f95ea1c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Technical and Commercial Consulting Pvt. Ltd." and
+ s.serial == "4b:f1:d6:8e:92:6e:2d:d8:96:60:08:c4:4f:95:ea:1c" and
+ 1322092799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_149c12083c145e28155510cfc19db0fe {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "3rd Eye Solutions Ltd" and
+ s.serial == "14:9c:12:08:3c:14:5e:28:15:55:10:cf:c1:9d:b0:fe" and
+ 1209340799 <= s.not_after
+ )
+}
+
+rule cert_blocklist_77e0117e8b2b8faa84bed961019d5ef8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Reiner Wodey Informationssysteme" and
+ s.serial == "77:e0:11:7e:8b:2b:8f:aa:84:be:d9:61:01:9d:5e:f8" and
+ 1383695999 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4f3feb4baf377aea90a463c5dee63884 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "F3D LIMITED" and
+ s.serial == "4f:3f:eb:4b:af:37:7a:ea:90:a4:63:c5:de:e6:38:84" and
+ 1526601599 <= s.not_after
+ )
+}
+
+rule cert_blocklist_3d2580e89526f7852b570654efd9a8bf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing LockerGoga ransomware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "MIKL LIMITED" and
+ s.serial == "3d:25:80:e8:95:26:f7:85:2b:57:06:54:ef:d9:a8:bf" and
+ 1529888400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0fffe432a53ff03b9223f88be1b83d9d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing BabyShark malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "EGIS Co., Ltd." and
+ s.serial == "0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d" and
+ 1498524050 <= s.not_after
+ )
+}
+
+rule cert_blocklist_832e161aea5206d815f973e5a1feb3e7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing SeedLocker ransomware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Project NSRM Ltd" and
+ s.serial == "83:2e:16:1a:ea:52:06:d8:15:f9:73:e5:a1:fe:b3:e7" and
+ 1549830060 <= s.not_after
+ )
+}
+
+rule cert_blocklist_09aecea45bfd40ce7d62d7d711916d7d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "ALINA LTD" and
+ s.serial == "09:ae:ce:a4:5b:fd:40:ce:7d:62:d7:d7:11:91:6d:7d" and
+ 1551052800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4ff4eda5fa641e70162713426401f438 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DUHANEY LIMITED" and
+ s.serial == "4f:f4:ed:a5:fa:64:1e:70:16:27:13:42:64:01:f4:38" and
+ 1555349604 <= s.not_after
+ )
+}
+
+rule cert_blocklist_067dffc5e3026eb4c62971c98ac8a900 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DVERI FADO, TOV" and
+ s.serial == "06:7d:ff:c5:e3:02:6e:b4:c6:29:71:c9:8a:c8:a9:00" and
+ 1552176000 <= s.not_after
+ )
+}
+
+rule cert_blocklist_b1da219688e51fd0bfac2c891d56cbb8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "FIRNEEZ EUROPE LIMITED" and
+ s.serial == "b1:da:21:96:88:e5:1f:d0:bf:ac:2c:89:1d:56:cb:b8" and
+ 1542931200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_7289b0f9bd641e3e352dc3183f8de6be {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "ICE ACTIVATION LIMITED" and
+ s.serial == "72:89:b0:f9:bd:64:1e:3e:35:2d:c3:18:3f:8d:e6:be" and
+ 1557933274 <= s.not_after
+ )
+}
+
+rule cert_blocklist_fd7b7a8678a67181a54bc7499eba44da {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "IMRAN IT SERVICES LTD" and
+ s.serial == "fd:7b:7a:86:78:a6:71:81:a5:4b:c7:49:9e:ba:44:da" and
+ 1548028800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_ebbdd6cdeda40ca64513280ecd625c54 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "IT PUT LIMITED" and
+ s.serial == "eb:bd:d6:cd:ed:a4:0c:a6:45:13:28:0e:cd:62:5c:54" and
+ 1549238400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_61da676c1dcfcf188276e2c70d68082e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "P2N ONLINE LTD" and
+ s.serial == "61:da:67:6c:1d:cf:cf:18:82:76:e2:c7:0d:68:08:2e" and
+ 1552723954 <= s.not_after
+ )
+}
+
+rule cert_blocklist_767436921b2698bd18400a24b01341b6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "REBROSE LEISURE LIMITED" and
+ s.serial == "76:74:36:92:1b:26:98:bd:18:40:0a:24:b0:13:41:b6" and
+ 1556284480 <= s.not_after
+ )
+}
+
+rule cert_blocklist_3e795531b3265510f935187eca59920a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "sasha catering ltd" and
+ s.serial == "3e:79:55:31:b3:26:55:10:f9:35:18:7e:ca:59:92:0a" and
+ 1557243644 <= s.not_after
+ )
+}
+
+rule cert_blocklist_8f40b1485309a064a28b96bfa3f55f36 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Singh Agile Content Design Limited" and
+ s.serial == "8f:40:b1:48:53:09:a0:64:a2:8b:96:bf:a3:f5:5f:36" and
+ 1542585600 <= s.not_after
+ )
+}
+
+rule cert_blocklist_b2120facadbb92cc0a176759604c6a0f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "SLON LTD" and
+ s.serial == "b2:12:0f:ac:ad:bb:92:cc:0a:17:67:59:60:4c:6a:0f" and
+ 1554249600 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4f407eb50803845cc43937823e1344c0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "SLOW COOKED VENTURES LTD" and
+ s.serial == "4f:40:7e:b5:08:03:84:5c:c4:39:37:82:3e:13:44:c0" and
+ 1556555362 <= s.not_after
+ )
+}
+
+rule cert_blocklist_6922bb5de88e4127e1ac6969e6a199f5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "SMACHNA PLITKA, TOV" and
+ s.serial == "69:22:bb:5d:e8:8e:41:27:e1:ac:69:69:e6:a1:99:f5" and
+ 1552692162 <= s.not_after
+ )
+}
+
+rule cert_blocklist_73065efa163b7901fa1ccb0a54e80540 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "SOVA CONSULTANCY LTD" and
+ s.serial == "73:06:5e:fa:16:3b:79:01:fa:1c:cb:0a:54:e8:05:40" and
+ 1548115200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4842afad00904ed8c98811e652ccb3b7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "\"VERY EXCLUSIVE LTD\"" and
+ s.serial == "48:42:af:ad:00:90:4e:d8:c9:88:11:e6:52:cc:b3:b7" and
+ 1545177600 <= s.not_after
+ )
+}
+
+rule cert_blocklist_5a59a686b4a904d0fca07153ea6db6cc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "ABADAN PIZZA LTD" and
+ s.serial == "5a:59:a6:86:b4:a9:04:d0:fc:a0:71:53:ea:6d:b6:cc" and
+ 1563403380 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0b6d8152f4a06ba781c6677eea5ab74b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "GLARYSOFT LTD" and
+ s.serial == "0b:6d:81:52:f4:a0:6b:a7:81:c6:67:7e:ea:5a:b7:4b" and
+ 1568246400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_3ad60cea73e1dd1a3e6c02d9b339c380 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "CUS Software GmbH" and
+ s.serial == "3a:d6:0c:ea:73:e1:dd:1a:3e:6c:02:d9:b3:39:c3:80" and
+ 1567036800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_7df2dfed47c6fd6542131847cffbc102 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "AFVIMPEX SRL" and
+ s.serial == "7d:f2:df:ed:47:c6:fd:65:42:13:18:47:cf:fb:c1:02" and
+ 1567036800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_74fedf0f8398060fa8378c6d174465c8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DOCS PTY LTD" and
+ s.serial == "74:fe:df:0f:83:98:06:0f:a8:37:8c:6d:17:44:65:c8" and
+ 1566172800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_3bd6a5bba28e7c1ca44880159dace237 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "TECHNO BEAVERS LIMITED" and
+ s.serial == "3b:d6:a5:bb:a2:8e:7c:1c:a4:48:80:15:9d:ac:e2:37" and
+ 1563408000 <= s.not_after
+ )
+}
+
+rule cert_blocklist_c04f8f1e00c69e96a51bf14aab1c6ae0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "CHAIKA, TOV" and
+ s.serial == "c0:4f:8f:1e:00:c6:9e:96:a5:1b:f1:4a:ab:1c:6a:e0" and
+ 1551398400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_23f537ce13c6cccdfd3f8ce81fb981cb {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "ISECURE GROUP PTY LTD" and
+ s.serial == "23:f5:37:ce:13:c6:cc:cd:fd:3f:8c:e8:1f:b9:81:cb" and
+ 1566086400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_73ecfdbb99aec176ddfcf7958d120e1a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "MHOW PTY LTD" and
+ s.serial == "73:ec:fd:bb:99:ae:c1:76:dd:fc:f7:95:8d:12:0e:1a" and
+ 1566864000 <= s.not_after
+ )
+}
+
+rule cert_blocklist_675129bb174a5b05e330cc09f8bbd70a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "ALEX & CO PTY LIMITED" and
+ s.serial == "67:51:29:bb:17:4a:5b:05:e3:30:cc:09:f8:bb:d7:0a" and
+ 1565568000 <= s.not_after
+ )
+}
+
+rule cert_blocklist_de13fe2dbb8f890287e1780aff6ffd22 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "LAST TIME PTY LTD" and
+ s.serial == "de:13:fe:2d:bb:8f:89:02:87:e1:78:0a:ff:6f:fd:22" and
+ 1566259200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_da000d18949c247d4ddfc2585cc8bd0f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "PORT-SERVIS LTD" and
+ s.serial == "da:00:0d:18:94:9c:24:7d:4d:df:c2:58:5c:c8:bd:0f" and
+ 1564444800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_06e842d3ea6249d783d6b55e29c060c7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "PORT-SERVIS LTD, TOV" and
+ s.serial == "06:e8:42:d3:ea:62:49:d7:83:d6:b5:5e:29:c0:60:c7" and
+ 1565568000 <= s.not_after
+ )
+}
+
+rule cert_blocklist_06473c3c19d9e1a9429b58b6faec2967 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Digital Leadership Solutions Limited" and
+ s.serial == "06:47:3c:3c:19:d9:e1:a9:42:9b:58:b6:fa:ec:29:67" and
+ 1581984001 <= s.not_after
+ )
+}
+
+rule cert_blocklist_39f56251df2088223cc03494084e6081 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Inter Med Pty. Ltd." and
+ s.serial == "39:f5:62:51:df:20:88:22:3c:c0:34:94:08:4e:60:81" and
+ 1583539200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_1362e56d34dc7b501e17fa1ac3c3e3d9 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "OOO \"Amaranth\"" and
+ s.serial == "13:62:e5:6d:34:dc:7b:50:1e:17:fa:1a:c3:c3:e3:d9" and
+ 1575936000 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4b83593fc78d92cfaa9bdf3f97383964 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "OOO Kometa" and
+ s.serial == "4b:83:59:3f:c7:8d:92:cf:aa:9b:df:3f:97:38:39:64" and
+ 1579996800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_c7505e7464e00ec1dccd8d1b466d15ff {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Ltd. \"Eve Beauty\"" and
+ s.serial == "c7:50:5e:74:64:e0:0e:c1:dc:cd:8d:1b:46:6d:15:ff" and
+ 1583824676 <= s.not_after
+ )
+}
+
+rule cert_blocklist_cbf91988fb83511de1b3a7a520712e9c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Ltd. \"Eve Beauty\"" and
+ s.serial == "cb:f9:19:88:fb:83:51:1d:e1:b3:a7:a5:20:71:2e:9c" and
+ 1578786662 <= s.not_after
+ )
+}
+
+rule cert_blocklist_ce3675ae4abfe688870bcacb63060f4f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "OOO \"MPS\"" and
+ s.serial == "ce:36:75:ae:4a:bf:e6:88:87:0b:ca:cb:63:06:0f:4f" and
+ 1582675200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_9813229efe0046d23542cc7569d5a403 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "OOO \"MPS\"" and
+ s.serial == "98:13:22:9e:fe:00:46:d2:35:42:cc:75:69:d5:a4:03" and
+ 1575849600 <= s.not_after
+ )
+}
+
+rule cert_blocklist_86e5a9b9e89e5075c475006d0ca03832 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "BlueMarble GmbH" and
+ s.serial == "86:e5:a9:b9:e8:9e:50:75:c4:75:00:6d:0c:a0:38:32" and
+ 1574791194 <= s.not_after
+ )
+}
+
+rule cert_blocklist_075dca9ca84b93e8a89b775128f90302 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "UAB GT-servis" and
+ s.serial == "07:5d:ca:9c:a8:4b:93:e8:a8:9b:77:51:28:f9:03:02" and
+ 1579305601 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0ddce8cdc91b5b649bb4b45ffbba6c6c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "SLIM DOG GROUP SP Z O O" and
+ s.serial == "0d:dc:e8:cd:c9:1b:5b:64:9b:b4:b4:5f:fb:ba:6c:6c" and
+ 1580722435 <= s.not_after
+ )
+}
+
+rule cert_blocklist_9bd614d5869bb66c96b67e154d517384 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "\"CENTR MBP\"" and
+ s.serial == "9b:d6:14:d5:86:9b:b6:6c:96:b6:7e:15:4d:51:73:84" and
+ 1581618180 <= s.not_after
+ )
+}
+
+rule cert_blocklist_540cea639d5d48669b7f2f64 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "CENTR MBP LLC" and
+ s.serial == "54:0c:ea:63:9d:5d:48:66:9b:7f:2f:64" and
+ 1570871755 <= s.not_after
+ )
+}
+
+rule cert_blocklist_03a7748a4355020a652466b5e02e07de {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Teleneras MB" and
+ s.serial == "03:a7:74:8a:43:55:02:0a:65:24:66:b5:e0:2e:07:de" and
+ 1575244801 <= s.not_after
+ )
+}
+
+rule cert_blocklist_b881a72d4117bbc38b81d3c65c792c1a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Red GmbH" and
+ s.serial == "b8:81:a7:2d:41:17:bb:c3:8b:81:d3:c6:5c:79:2c:1a" and
+ 1581936420 <= s.not_after
+ )
+}
+
+rule cert_blocklist_08653ef2ed9e6ebb56ffa7e93f963235 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Haw Farm LIMITED" and
+ s.serial == "08:65:3e:f2:ed:9e:6e:bb:56:ff:a7:e9:3f:96:32:35" and
+ 1581465601 <= s.not_after
+ )
+}
+
+rule cert_blocklist_9c4816d900a6ecdbe54adf72b19ebcf5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Datamingo Limited" and
+ s.serial == "9c:48:16:d9:00:a6:ec:db:e5:4a:df:72:b1:9e:bc:f5" and
+ 1557187200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_269174f9fe7c6ed4e1d19b26c3f5b35f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "GO ONLINE d.o.o." and
+ s.serial == "26:91:74:f9:fe:7c:6e:d4:e1:d1:9b:26:c3:f5:b3:5f" and
+ 1586386919 <= s.not_after
+ )
+}
+
+rule cert_blocklist_523fb4036368dc26192d68827f2d889b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "OOO MEDUZA SERVICE GROUP" and
+ s.serial == "52:3f:b4:03:63:68:dc:26:19:2d:68:82:7f:2d:88:9b" and
+ 1586847880 <= s.not_after
+ )
+}
+
+rule cert_blocklist_84f842f6d33cd2f25b88dd1710e21137 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "DataNext s.r.o." and
+ s.serial == "84:f8:42:f6:d3:3c:d2:f2:5b:88:dd:17:10:e2:11:37" and
+ 1586775720 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4fbcaa289ba925b4e247809b6b028202 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Kimjac ApS" and
+ s.serial == "4f:bc:aa:28:9b:a9:25:b4:e2:47:80:9b:6b:02:82:02" and
+ 1588227220 <= s.not_after
+ )
+}
+
+rule cert_blocklist_1f2e8effbb08c7dbcc7a7f2d835457b5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "RTI, OOO" and
+ s.serial == "1f:2e:8e:ff:bb:08:c7:db:cc:7a:7f:2d:83:54:57:b5" and
+ 1581382360 <= s.not_after
+ )
+}
+
+rule cert_blocklist_aeba4c39306fdd022849867801645814 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "SK AI MAS GmbH" and
+ s.serial == "ae:ba:4c:39:30:6f:dd:02:28:49:86:78:01:64:58:14" and
+ 1579478400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_028d50ae0c554b49148e82db5b1c2699 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "VAS CO PTY LTD" and
+ s.serial == "02:8d:50:ae:0c:55:4b:49:14:8e:82:db:5b:1c:26:99" and
+ 1579478400 <= s.not_after
+ )
+}
+
+rule cert_blocklist_684f478c7259dde0cfe2260112ca9846 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "LLC \"IP EM\"" and
+ s.serial == "68:4f:47:8c:72:59:dd:e0:cf:e2:26:01:12:ca:98:46" and
+ 1584981648 <= s.not_after
+ )
+}
+
+rule cert_blocklist_0b7c32208a954a483dd102e1be094867 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Win Sp Z O O" and
+ s.serial == "0b:7c:32:20:8a:95:4a:48:3d:d1:02:e1:be:09:48:67" and
+ 1583884800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_3e72daf2b9a4449e946009e5084a8e76 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "OOO Infoteh63" and
+ s.serial == "3e:72:da:f2:b9:a4:44:9e:94:60:09:e5:08:4a:8e:76" and
+ 1591787570 <= s.not_after
+ )
+}
+
+rule cert_blocklist_11edd343e21c36ac985555d85c16135f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Pribyl Handels GmbH" and
+ s.serial == "11:ed:d3:43:e2:1c:36:ac:98:55:55:d8:5c:16:13:5f" and
+ 1589925600 <= s.not_after
+ )
+}
+
+rule cert_blocklist_093fe63d1a5f68f14ecaac871a03f7a3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "SPECTACLE IMAGE LTD" and
+ s.serial == "09:3f:e6:3d:1a:5f:68:f1:4e:ca:ac:87:1a:03:f7:a3" and
+ 1562716800 <= s.not_after
+ )
+}
+
+rule cert_blocklist_bb26b7b6634d5db548c437b5085b01c1 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "OOO \"IT Mott\"" and
+ s.serial == "bb:26:b7:b6:63:4d:5d:b5:48:c4:37:b5:08:5b:01:c1" and
+ 1591919307 <= s.not_after
+ )
+}
+
+rule cert_blocklist_29128a56e7b3bfb230742591ac8b4718 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Programavimo paslaugos, MB" and
+ s.serial == "29:12:8a:56:e7:b3:bf:b2:30:74:25:91:ac:8b:47:18" and
+ 1590900909 <= s.not_after
+ )
+}
+
+rule cert_blocklist_7bfbfdfef43608730ee14779ee3ee2cb {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "CSTech Software Inc." and
+ s.serial == "7b:fb:fd:fe:f4:36:08:73:0e:e1:47:79:ee:3e:e2:cb" and
+ 1590537600 <= s.not_after
+ )
+}
+
+rule cert_blocklist_62205361a758b00572d417cba014f007 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "UNITEKH-S, OOO" and
+ s.serial == "62:20:53:61:a7:58:b0:05:72:d4:17:cb:a0:14:f0:07" and
+ 1590470683 <= s.not_after
+ )
+}
+
+rule cert_blocklist_4b47d18dbea57abd1563ddf89f87a6c2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "KBK, OOO" and
+ s.serial == "4b:47:d1:8d:be:a5:7a:bd:15:63:dd:f8:9f:87:a6:c2" and
+ 1590485607 <= s.not_after
+ )
+}
+
+rule cert_blocklist_be41e2c7bb2493044b9241abb732599d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Company Babylon" and
+ s.serial == "be:41:e2:c7:bb:24:93:04:4b:92:41:ab:b7:32:59:9d" and
+ 1589146251 <= s.not_after
+ )
+}
+
+rule cert_blocklist_15c5af15afecf1c900cbab0ca9165629 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Kompaniya auttek" and
+ s.serial == "15:c5:af:15:af:ec:f1:c9:00:cb:ab:0c:a9:16:56:29" and
+ 1586091840 <= s.not_after
+ )
+}
+
+rule cert_blocklist_476de2f108d20b43ba3bae6f331af8f1 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "Digiwill Limited" and
+ s.serial == "47:6d:e2:f1:08:d2:0b:43:ba:3b:ae:6f:33:1a:f8:f1" and
+ 1588135722 <= s.not_after
+ )
+}
+
+rule cert_blocklist_08ddcc67f8cad6929607e4cda29b3503 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "FAN-CHAI, TOV" and
+ s.serial == "08:dd:cc:67:f8:ca:d6:92:96:07:e4:cd:a2:9b:35:03" and
+ 1564310268 <= s.not_after
+ )
+}
+
+rule cert_blocklist_052242ace583adf2a3b96adcb04d0812 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "FAN-CHAI, TOV" and
+ s.serial == "05:22:42:ac:e5:83:ad:f2:a3:b9:6a:dc:b0:4d:08:12" and
+ 1573603200 <= s.not_after
+ )
+}
+
+rule cert_blocklist_bebef5c533ce92efc402fab8605c43ec {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any s in pe.signatures: (
+ s.subject contains "OOO VEKTOR" and
+ s.serial == "be:be:f5:c5:33:ce:92:ef:c4:02:fa:b8:60:5c:43:ec" and
+ 1587513600 <= s.not_after
+ )
+}
+