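/*
 * Detects xRat (Remote Access Trojan) executables.
 *
 * Two independent string sets are used; a file matches when EVERY string of
 * either set is present (see the condition). Set $v1 is plain ASCII .NET
 * identifier names plus one UTF-16LE byte pattern; set $v2 is UTF-16LE
 * ("wide") text. Neither set is anchored to a PE header or file size, so the
 * rule also applies to memory / carved data; if it is only ever run on files,
 * adding `uint16(0) == 0x5A4D` to the condition would cut false positives.
 */
rule xRAT
{
    meta:
        author   = " Kevin Breen "
        date     = "2014/04"
        ref      = "http://malwareconfig.com/stats/xRat"
        maltype  = "Remote Access Trojan"
        filetype = "exe"

    strings:
        // --- set 1: ASCII method / type names found in the .NET metadata ---
        $v1a = "DecodeProductKey"
        $v1b = "StartHTTPFlood"
        $v1c = "CodeKey"
        $v1d = "MESSAGEBOX"
        $v1e = "GetFilezillaPasswords"
        $v1f = "DataIn"
        $v1g = "UDPzSockets"
        // "RT_RCDATA" as UTF-16LE; the final 'A' deliberately has no trailing
        // 00 so the pattern is 17 bytes (same as the original hex string).
        $v1h = { 52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41 }

        // --- set 2: UTF-16LE strings ---
        // "k__BackingField" is the compiler-generated suffix of .NET
        // auto-property backing fields and appears in most .NET binaries, so it
        // adds little specificity on its own; the original rule listed it twice
        // ($v2a and $v2b with identical content). The duplicate is dropped here:
        // since both matched the same bytes, `all of ($v2*)` is unchanged.
        $v2a = "k__BackingField"
        $v2c = "DownloadAndExecute"
        // cmd.exe one-liner fragment; presumably used as a delay before the
        // process exits (verify against a sample if this matters).
        $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
        $v2e = "england.png" wide
        $v2f = "Showed Messagebox" wide

    condition:
        // Full set 1 OR full set 2; a partial hit on either set does not match.
        all of ($v1*) or all of ($v2*)
}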