Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_windows_remcos_rat.yara


// Flags content containing plaintext strings associated with the Remcos RAT.
// Three independent string groups are checked; satisfying any one group's
// threshold is enough for a match (see the condition at the bottom).
//
// Triage notes for analysts:
//  - The condition has no file-type, magic-byte or filesize constraint, so the
//    rule fires on any scanned buffer (executable, memory dump, document, text)
//    that contains the strings. A page or log that merely quotes them will match.
//  - No string uses `nocase` or `fullword`: matching is case-sensitive and the
//    strings also hit when embedded inside longer tokens.
//  - Only plaintext is matched; a sample whose strings are packed or encrypted
//    at rest would presumably not match until unpacked (e.g. in a memory scan).
rule malware_windows_remcos_rat
{
meta:
// NOTE(review): `description` holds a write-up URL rather than prose; kept as
// is because meta values are surfaced in scanner output, not used for matching.
description = "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2"
reference = "https://breaking-security.net/remcos/remcos-changelog/"
author = "@mimeframe"
// Presumably the hash of a reference sample; it is metadata only and is not
// compared against the scanned file.
md5 = "c8dafe143fe1d81ae6a3c0cd4724b272"
strings:
// `wide ascii` on every string matches both the plain ASCII form and the
// two-bytes-per-character (UTF-16LE style) form.

// Group a: bracketed status messages about clipboard capture and browser
// stored logins. These are long and specific, so one hit is treated as enough.
$a1 = "[Following text has been pasted from clipboard:]" wide ascii
$a2 = "[Chrome StoredLogins found, cleared!]" wide ascii
$a3 = "[Firefox StoredLogins cleared!]" wide ascii
// Group b: short lowercase tokens that look like command names (clipboard,
// microphone, download, webcam) — presumably the RAT's command keywords.
// Individually generic, hence the 3-of-4 threshold.
$b1 = "getclipboard" wide ascii
$b2 = "stopmiccapture" wide ascii
$b3 = "downloadfromurltofile" wide ascii
$b4 = "getcamsingleframe" wide ascii
// Group c: vendor name (same domain as the `reference` URL) and a product
// version prefix. Both must be present; note that vendor documentation or
// changelog text containing both strings satisfies this branch as well.
$c1 = "Breaking-Security.Net" wide ascii
$c2 = "REMCOS v" wide ascii
condition:
// Match on: any single group-a string, OR at least three of the four group-b
// strings, OR both group-c strings.
any of ($a*) or 3 of ($b*) or all of ($c*)
}