20 lines
659 B
Text
20 lines
659 B
Text
|
rule malware_windows_t3ntman_crunchrat
|
||
|
{
|
||
|
meta:
|
||
|
description = "HTTPS-based Remote Administration Tool (RAT)"
|
||
|
reference = "https://github.com/t3ntman/CrunchRAT"
|
||
|
author = "@mimeframe"
|
||
|
strings:
|
||
|
$a1 = "<action>command<action>" wide ascii
|
||
|
$a2 = "<action>upload<action>" wide ascii
|
||
|
$a3 = "<action>download<action>" wide ascii
|
||
|
$a4 = "cmd.exe" wide ascii
|
||
|
$a5 = "application/x-www-form-urlencoded" wide ascii
|
||
|
$a6 = "&action=" wide ascii
|
||
|
$a7 = "&secondary=" wide ascii
|
||
|
$a8 = "<secondary>" wide ascii
|
||
|
$a9 = "<action>" wide ascii
|
||
|
condition:
|
||
|
all of ($a*)
|
||
|
}
|