BitRAT YARA signatures (memory-dump rules)
// BitRAT client, memory-dump variant: keys on the plaintext command
// vocabulary that the client handles (sleep/hibernate/restart, drive and
// service listing, keylogger control, SOCKS4/5 proxy teardown, credential,
// registry and autorun access). Most of the vocabulary must be present.
rule bitrat_2_mem
{
    meta:
        description = "BitRAT"
        author = "James_inthe_box"
        // 64 hex characters; presumably the SHA-256 of the sample the
        // strings were taken from.
        reference = "7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b"
        date = "2021/06"
        maltype = "RAT"

    strings:
        // client state control
        $cmd_sleep      = "cli_sleep" ascii
        $cmd_hibernate  = "cli_hib" ascii
        $cmd_restart    = "cli_rs" ascii
        // host enumeration
        $cmd_drives     = "drives_get" ascii
        $cmd_services   = "srv_list" ascii
        // keylogger
        $cmd_klg_stop   = "klgonlinestop" ascii
        $cmd_klg_recent = "klgoff_dl_recent" ascii
        // proxy modules
        $cmd_socks4     = "socks4r_stop" ascii
        $cmd_socks5     = "socks5_srv_stop" ascii
        // credential / registry / persistence handling
        $cmd_creds      = "crd_logins" ascii
        $cmd_regkeys    = "reg_keys_get" ascii
        $cmd_autoruns   = "autoruns_del" ascii

    condition:
        // 9 of 12: tolerates a few missing tokens while preventing a single
        // generic name such as "srv_list" from firing the rule on its own.
        // NOTE(review): filesize is defined only when YARA scans a file
        // (e.g. a dump saved to disk); on a live process scan it is
        // undefined and this clause keeps the rule from ever matching.
        9 of them and filesize > 8000KB
}
// BitRAT client, memory-dump variant: secondary rule built on a small set
// of runtime strings rather than the command vocabulary. All four strings
// are required.
rule bitrat_3_mem
{
    meta:
        description = "BitRAT"
        author = "James_inthe_box"
        // 64 hex characters; presumably the SHA-256 of the sample the
        // strings were taken from.
        reference = "7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b"
        date = "2021/06"
        maltype = "RAT"

    strings:
        // Generic error text; adds little on its own.
        $err      = "err data" ascii
        // UTF-16 (wide) switches; these two carry most of the specificity.
        $sw_prs   = "-prs" wide
        $sw_wdkil = "-wdkill" wide
        // MSVC 64-bit unsigned printf specifier, UTF-16. Very common in
        // legitimate Windows binaries; it is a supporting string only.
        $fmt_u64  = "%I64u" wide

    condition:
        // Every string must be present; the size floor further narrows the
        // candidate set since two of the four strings are not distinctive.
        // NOTE(review): filesize is undefined when scanning a live process,
        // so this rule only works against on-disk dumps/files.
        all of them and filesize > 8000KB
}