anti-abuse/signatures/common.yara

rule CHIENESE_NEZHA_ARGO
{
  strings:
    $a1 = "TkVaSEE="
    $a2 = "tunnel.json"
    $a3 = "vless"
    $a4 = "dmxlc3M="
    $a5 = "/vmess"
    $a6 = "L3ZtZXNz"
    $a7 = "V0FSUA=="
    $a8 = "/eooce/"
    $a9 = "ARGO_AUTH"
    $a10 = "--edge-ip-version"
    $a11 = "LS1lZGdlLWlwLXZlcnNpb24="
    $12 = "sub.txt"
    $13 = "Server\x20is\x20running\x20on\x20port\x20"
    $14 = "nysteria2"
    $15 = "openssl req"

    condition:
    2 of ($a1, $a2, $a3, $a4, $a5, $a6, $a7, $a8, $a9, $a10, $a11, $12, $13, $14, $15) 
}

rule OBFSCATED_CODE
{
    meta:
        description = "Detects an obfuscated script"

    strings:
        $f1 = "_0x" nocase
        $f2 = "\x20" nocase
        $f3 = "\x0a" nocase
        $f5 = "openssl req -new -x509" nocase
        $f6 = "cert.pem" nocase
        $f7 = "private.key" nocase
    condition:
        2 of ($f*)
}


rule OVERLOAD_CRYPTO_MINER
{
	meta:
        ref = "https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e"
  strings:
    $a1 = "stratum+tcp"
    condition:
    $a1  
}