silence-is-best · June 22, 2022 18:42
diff --git a/gistfile1.txt b/gistfile1.txt
 alert tcp any any -> any any (msg:"Unknown Rat Initial Connect"; flow:established,to_server; content:"domaindetect"; fast_pattern; within:13; dsize:<20; classtype:trojan-activity; sid:20166343; rev:1; metadata:created_at 2022_06_22;)

 rule unknownrat1_mem
 {
    meta:
        description = "Unknown rat with ties to Redline"
        author = "James_inthe_box"
        reference = "https://app.any.run/tasks/468748fc-c2b2-45c4-afb5-476c8fe9f026/#"
        date = "2022/06"
        maltype = "RAT"

    strings:
        $string1 = "domaindetect"
        $string2 = "a.out.exe"
        $string3 = "buildinf"
        $string4 = "|END|"
        $string5 = "Firefox"

    condition:
        all of ($string*) and filesize > 100KB
 }
	alert tcp any any -> any any (msg:"Unknown Rat Initial Connect"; flow:established,to_server; content:"domaindetect"; fast_pattern; within:13; dsize:<20; classtype:trojan-activity; sid:20166343; rev:1; metadata:created_at 2022_06_22;)

	rule unknownrat1_mem
	{
	meta:
	description = "Unknown rat with ties to Redline"
	author = "James_inthe_box"
	reference = "https://app.any.run/tasks/468748fc-c2b2-45c4-afb5-476c8fe9f026/#"
	date = "2022/06"
	maltype = "RAT"

	strings:
	$string1 = "domaindetect"
	$string2 = "a.out.exe"
	$string3 = "buildinf"
	$string4 = "\|END\|"
	$string5 = "Firefox"

	condition:
	all of ($string*) and filesize > 100KB
	}