// Code-level features of XtremeRAT (x86). Both fragments must be present;
// the first one on its own is too generic to be useful.
private rule XtremeRATCode : XtremeRAT Family
{
    meta:
        description = "XtremeRAT code features"
        author = "Seth Hardy"
        last_modified = "2014-07-09"

    strings:
        // E8 rel32 = call; DD D8 = fstp st(0). The four-byte jump covers the
        // call displacement. Common FPU idiom, so never match on this alone.
        $call_fstp = { E8 [4] DD D8 }

        // Five consecutive "mov byte ptr [ebp+disp32], imm8" (C6 85 disp32 imm8)
        // storing 'M' 'p' 'd' 'b' 'm' one byte at a time onto the stack —
        // a string assembled at runtime rather than stored in cleartext.
        $stack_string = { C6 85 [4] 4D
                          C6 85 [4] 70
                          C6 85 [4] 64
                          C6 85 [4] 62
                          C6 85 [4] 6D }

    condition:
        $call_fstp and $stack_string
}
// Plaintext strings associated with XtremeRAT samples. Either one is enough
// for this private rule to match.
private rule XtremeRATStrings : XtremeRAT Family
{
    meta:
        description = "XtremeRAT Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-09"

    strings:
        // Marker string seen in XtremeRAT builds.
        $rat_marker = "dqsaazere"

        // NOTE(review): this looks like a libgcc build/ABI marker from the
        // TDM-GCC (MinGW, SJLJ exception handling) toolchain rather than
        // anything RAT-specific. Because it is sufficient on its own here,
        // any binary produced by that toolchain will match — confirm the
        // false-positive rate before relying on this string alone.
        $tdm_gcc_marker = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"

    condition:
        $rat_marker or $tdm_gcc_marker
}
// Public XtremeRAT family rule: fires when either the string-based or the
// code-based private rule matches. Note that the string rule accepts a
// generic compiler artifact on its own (see XtremeRATStrings), so a hit
// from this rule alone is a lead, not a confirmed XtremeRAT sample —
// triage against the code features or other family indicators.
rule XtremeRAT : Family
{
    meta:
        description = "XtremeRAT"
        author = "Seth Hardy"
        last_modified = "2014-07-09"

    condition:
        XtremeRATStrings or XtremeRATCode
}