rule malware_windows_xrat_quasarrat
{
    meta:
        description = "xRAT is a derivative of QuasarRAT; this catches both RATs."
        reference   = "https://github.com/quasar/QuasarRAT"
        author      = "@mimeframe"

    strings:
        // Three independent string families, one per RAT component. Each
        // family is evaluated on its own in the condition, so a sample only
        // needs to carry enough strings from ONE component to match.
        //
        // Every string is declared both UTF-16LE (wide) and ASCII so that it
        // is found whether it sits in a .NET string heap or was decoded into
        // a single-byte buffer in memory.

        // RemoteShell component: session lifecycle messages plus the shell
        // invocation tokens. NOTE(review): "cmd" and "/K" are generic shell
        // strings present in plenty of benign software; they are kept
        // fullword and only ever count toward the 5-of threshold alongside
        // the more specific session messages, never on their own.
        $a1 = ">> New Session created"          ascii wide
        $a2 = ">> Session unexpectedly closed"  ascii wide
        $a3 = ">> Session closed"               ascii wide
        $a4 = "session unexpectedly closed"     ascii wide
        $a5 = "cmd"                             ascii wide fullword
        $a6 = "/K"                              ascii wide fullword

        // Commands component: update/uninstall batch-script text, download
        // and site-visit status messages, persistence failure message and the
        // mark-of-the-web ADS name. NOTE(review): ":Zone.Identifier" is a
        // generic Windows artifact; like "cmd" above it is a weak indicator
        // that is only meaningful in combination.
        $b1 = "echo DONT CLOSE THIS WINDOW!"    ascii wide
        $b2 = "ping -n 20 localhost > nul"      ascii wide
        $b3 = "Downloading file..."             ascii wide
        $b4 = "Visited Website"                 ascii wide
        $b5 = "Adding Autostart Item failed!"   ascii wide
        $b6 = ":Zone.Identifier"                ascii wide

        // System Handler component: drive enumeration error, shutdown
        // switches, WAN-IP label and UAC elevation messages. NOTE(review):
        // "desktop.ini" is another generic Windows string; same caveat.
        $c1 = "GetDrives I/O error"                     ascii wide
        $c2 = "/r /t 0"                                 ascii wide
        $c3 = "desktop.ini"                             ascii wide
        $c4 = "WAN IP Address"                          ascii wide
        $c5 = "User refused the elevation request."     ascii wide
        $c6 = "Process already elevated."               ascii wide

    condition:
        // Fire when at least five of the six strings of any single component
        // are present. There is deliberately no PE/MZ or file-size gate, so
        // the rule is usable on process memory dumps as well as files; if it
        // is only ever run against on-disk samples, a `uint16(0) == 0x5A4D`
        // guard would cut false positives on unrelated large inputs.
        (5 of ($a*))
        or (5 of ($b*))
        or (5 of ($c*))
}