Sneed-Reactivity/yara-mikesxrs/Yoroi/CobianRAT.yar

rule CobianRAT { 
meta: 
  	description = "Yara Rule for Cobian RAT in Aggah Wayback campaign" 
  	author = "Yoroi Malware Zlab" 
    reference = "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/"
  	last_updated = "2021_06_18" 
  	tlp = "white" 
  	category = "informational" 

strings: 
$s1="bWFzdGVy" wide
$s2="Ydmzipw~" wide 

$a1={11 8E B7 16 FE 01 5F 2C 46 1B 8D 1D} 
$a2={07 17 D6 0B 07 1A 30 20 14 0C 07 B5 1F 64 28 33} 

condition: 
   uint16(0) == 0x5A4D and any of ($s*) and 1 of ($a*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule CobianRAT {`
			`meta:`
			`description = "Yara Rule for Cobian RAT in Aggah Wayback campaign"`
			`author = "Yoroi Malware Zlab"`
			`reference = "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/"`
			`last_updated = "2021_06_18"`
			`tlp = "white"`
			`category = "informational"`

			`strings:`
			`$s1="bWFzdGVy" wide`
			`$s2="Ydmzipw~" wide`

			`$a1={11 8E B7 16 FE 01 5F 2C 46 1B 8D 1D}`
			`$a2={07 17 D6 0B 07 1A 30 20 14 0C 07 B5 1F 64 28 33}`

			`condition:`
			`uint16(0) == 0x5A4D and any of ($s) and 1 of ($a)`
			`}`