// XtremeRAT family signatures (Seth Hardy, 2014-07-09).
// Two private helper rules carry the actual patterns; the public
// XtremeRAT rule is the only one reported to the caller.

private rule XtremeRATCode : XtremeRAT Family
{
    meta:
        description   = "XtremeRAT code features"
        author        = "Seth Hardy"
        last_modified = "2014-07-09"

    strings:
        // E8 rel32 = call; DD D8 = fstp st(0) immediately after the return.
        // On its own this sequence is generic compiler output; it is only
        // meaningful in combination with $stack_string below.
        $call_fstp = { E8 ?? ?? ?? ?? DD D8 }

        // Five consecutive "mov byte ptr [ebp+disp32], imm8" (C6 85 disp32 imm8)
        // writing 'M','p','d','b','m' one byte at a time: a string assembled
        // on the stack rather than stored as a literal.
        $stack_string = { C6 85 ?? ?? ?? ?? 4D
                          C6 85 ?? ?? ?? ?? 70
                          C6 85 ?? ?? ?? ?? 64
                          C6 85 ?? ?? ?? ?? 62
                          C6 85 ?? ?? ?? ?? 6D }

    condition:
        $call_fstp and $stack_string
}

private rule XtremeRATStrings : XtremeRAT Family
{
    meta:
        description   = "XtremeRAT Identifying Strings"
        author        = "Seth Hardy"
        last_modified = "2014-07-09"

    strings:
        // Literal found in the sample set; plain ASCII, case-sensitive.
        $marker = "dqsaazere"

        // NOTE(review): this looks like a MinGW/TDM-GCC runtime identification
        // string rather than something unique to the family. Because the
        // condition accepts either string alone, it may also fire on unrelated
        // MinGW-built binaries; treat a hit on this string by itself as lower
        // confidence and confirm against the code-pattern rule.
        $toolchain = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"

    condition:
        $marker or $toolchain
}

// Public rule: reports a match when either the code-pattern rule or the
// string rule matches.
rule XtremeRAT : Family
{
    meta:
        description   = "XtremeRAT"
        author        = "Seth Hardy"
        last_modified = "2014-07-09"

    condition:
        XtremeRATCode or XtremeRATStrings
}