← Back to SOC feed Coverage →

moose

yara LOW Yara-Rules
community
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Yara-Rules →
Retrieved: 2026-06-19T23:00:00Z · Confidence: medium

Hunt Hypothesis

The moose rule detects potential adversarial activity involving suspicious file behavior that may indicate a low-severity threat. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could escalate into more severe incidents.

YARA Rule

rule moose
{
    meta:
        Author      = "Thomas Dupuy"
        Date        = "2015/04/21"
        Description = "Linux/Moose malware"
        Reference   = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "[email protected]"
        License = "BSD 2-Clause"

    strings:
        $s0 = "Status: OK"
        $s1 = "--scrypt"
        $s2 = "stratum+tcp://"
        $s3 = "cmd.so"
        $s4 = "/Challenge"
        $s7 = "processor"
        $s9 = "cpu model"
        $s21 = "password is wrong"
        $s22 = "password:"
        $s23 = "uthentication failed"
        $s24 = "sh"
        $s25 = "ps"
        $s26 = "echo -n -e "
        $s27 = "chmod"
        $s28 = "elan2"
        $s29 = "elan3"
        $s30 = "chmod: not found"
        $s31 = "cat /proc/cpuinfo"
        $s32 = "/proc/%s/cmdline"
        $s33 = "kill %s"

    condition:
        is_elf and all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

This rule contains 20 string patterns in its detection logic.

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/malware/MALW_LinuxMoose.yar