Bitrat yara sigs
rule bitrat_2_mem
{
    // BitRAT in-memory (unpacked) signature, keyed on plaintext command-name-like
    // strings that appear together in the sample referenced below.
    meta:
        description = "BitRAT"
        author = "James_inthe_box"
        reference = "7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b"
        date = "2021/06"
        maltype = "RAT"

    strings:
        // Strings sharing the "cli_" prefix.
        $string1 = "cli_sleep" ascii
        $string2 = "cli_hib" ascii
        $string3 = "cli_rs" ascii

        // Host/registry/autorun enumeration-style names.
        $string4 = "drives_get" ascii
        $string5 = "srv_list" ascii
        $string11 = "reg_keys_get" ascii
        $string12 = "autoruns_del" ascii

        // "klg"/"crd" prefixed names.
        $string6 = "klgonlinestop" ascii
        $string7 = "klgoff_dl_recent" ascii
        $string10 = "crd_logins" ascii

        // "socks" prefixed names.
        $string8 = "socks4r_stop" ascii
        $string9 = "socks5_srv_stop" ascii

    condition:
        // Every string in this rule is a $string* entry, so "them" denotes exactly
        // the same set as ($string*). At least 9 of the 12 must be present.
        // NOTE(review): filesize is only defined when the scan target is a file
        // (e.g. a memory dump written to disk); when scanning a live process it is
        // undefined, so this rule will not fire there.
        filesize > 8000KB and 9 of them
}
rule bitrat_3_mem
{
    // Companion BitRAT in-memory signature built from four short strings that
    // are individually generic; the rule relies on all of them co-occurring
    // together with the size gate.
    meta:
        description = "BitRAT"
        author = "James_inthe_box"
        reference = "7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b"
        date = "2021/06"
        maltype = "RAT"

    strings:
        // ASCII marker.
        $string1 = "err data" ascii

        // UTF-16LE (wide) markers; "%I64u" is a printf-style format specifier
        // and is common in benign binaries, hence the "all of" requirement.
        $string2 = "-prs" wide
        $string3 = "-wdkill" wide
        $string4 = "%I64u" wide

    condition:
        // All four $string* entries are required; "them" is the same set as
        // ($string*) because no other strings are declared.
        // NOTE(review): as with bitrat_2_mem, filesize is undefined on live
        // process scans, so the condition only resolves for file targets.
        filesize > 8000KB and all of them
}