Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_windows_t3ntman_crunchrat.yara

20 lines
659 B
Text
Raw Normal View History

rule malware_windows_t3ntman_crunchrat
{
meta:
description = "HTTPS-based Remote Administration Tool (RAT)"
reference = "https://github.com/t3ntman/CrunchRAT"
author = "@mimeframe"
strings:
$a1 = "<action>command<action>" wide ascii
$a2 = "<action>upload<action>" wide ascii
$a3 = "<action>download<action>" wide ascii
$a4 = "cmd.exe" wide ascii
$a5 = "application/x-www-form-urlencoded" wide ascii
$a6 = "&action=" wide ascii
$a7 = "&secondary=" wide ascii
$a8 = "<secondary>" wide ascii
$a9 = "<action>" wide ascii
condition:
all of ($a*)
}