Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_windows_remcos_rat.yara

rule malware_windows_remcos_rat
{
    meta:
        description = "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2"
        reference = "https://breaking-security.net/remcos/remcos-changelog/"
        author = "@mimeframe"
        md5 = "c8dafe143fe1d81ae6a3c0cd4724b272"
    strings:
        $a1 = "[Following text has been pasted from clipboard:]" wide ascii
        $a2 = "[Chrome StoredLogins found, cleared!]" wide ascii
        $a3 = "[Firefox StoredLogins cleared!]" wide ascii
        $b1 = "getclipboard" wide ascii
        $b2 = "stopmiccapture" wide ascii
        $b3 = "downloadfromurltofile" wide ascii
        $b4 = "getcamsingleframe" wide ascii
        $c1 = "Breaking-Security.Net" wide ascii
        $c2 = "REMCOS v" wide ascii
    condition:
        any of ($a*) or 3 of ($b*) or all of ($c*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule malware_windows_remcos_rat`
			`{`
			`meta:`
			`description = "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2"`
			`reference = "https://breaking-security.net/remcos/remcos-changelog/"`
			`author = "@mimeframe"`
			`md5 = "c8dafe143fe1d81ae6a3c0cd4724b272"`
			`strings:`
			`$a1 = "[Following text has been pasted from clipboard:]" wide ascii`
			`$a2 = "[Chrome StoredLogins found, cleared!]" wide ascii`
			`$a3 = "[Firefox StoredLogins cleared!]" wide ascii`
			`$b1 = "getclipboard" wide ascii`
			`$b2 = "stopmiccapture" wide ascii`
			`$b3 = "downloadfromurltofile" wide ascii`
			`$b4 = "getcamsingleframe" wide ascii`
			`$c1 = "Breaking-Security.Net" wide ascii`
			`$c2 = "REMCOS v" wide ascii`
			`condition:`
			`any of ($a) or 3 of ($b) or all of ($c*)`
			`}`