Sneed-Reactivity/yara-mikesxrs/kevthehermit/xRAT.yar

29 lines
821 B
Text
Raw Permalink Normal View History

rule xRAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/xRat"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$v1a = "DecodeProductKey"
$v1b = "StartHTTPFlood"
$v1c = "CodeKey"
$v1d = "MESSAGEBOX"
$v1e = "GetFilezillaPasswords"
$v1f = "DataIn"
$v1g = "UDPzSockets"
$v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}
$v2a = "<URL>k__BackingField"
$v2b = "<RunHidden>k__BackingField"
$v2c = "DownloadAndExecute"
$v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
$v2e = "england.png" wide
$v2f = "Showed Messagebox" wide
condition:
all of ($v1*) or all of ($v2*)
}