// The "pe" module is needed for pe.imphash() in the condition below.
import "pe"

// Detects an ExileRAT sample (PE executable) via an import hash or a
// combination of strings found in the binary.  See the reference URL in
// meta for the original analysis this rule is derived from.
rule MAL_ExileRAT_Feb19_1 {
   meta:
      description = "Detects Exile RAT"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html"
      date = "2019-02-04"
      license = "https://creativecommons.org/licenses/by-nc/4.0/"
      hash1 = "3eb026d8b778716231a07b3dbbdc99e2d3a635b1956de8a1e6efc659330e52de"
      id = "f0a510f3-5fea-59a7-8991-9d06dc478b2a"
   strings:
      // $x prefix: the most specific indicator (multipart form field name
      // used by the sample).  Note it carries no extra weight in the
      // condition below -- it is only one of "them".
      $x1 = "Content-Disposition:form-data;name=\"x.bin\"" fullword ascii

      // $s prefix: supporting strings.  $s2 is deliberately not fullword,
      // presumably because the PDB path is embedded in a longer path string
      // -- verify against the referenced sample.
      $s1 = "syshost.dll" fullword ascii
      $s2 = "\\scout\\Release\\scout.pdb" ascii
      $s3 = "C:\\data.ini" fullword ascii
      $s4 = "my-ip\" value=\"" fullword ascii
      $s5 = "ver:%d.%d.%d" fullword ascii
   condition:
      // Gate on the MZ header and a size bound before the string scan,
      // then match either on the import hash alone or on any three of the
      // strings defined above.
      uint16(0) == 0x5a4d and filesize < 500KB and (
         pe.imphash() == "da8475fc7c3c90c0604ce6a0b56b5f21" or
         3 of them
      )
}