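// Remcos RAT (sold by Breaking-Security.Net) detection.
//
// Three independent evidence tiers, any one of which is enough to fire:
//   $a* - log/status text the RAT writes while handling clipboard and
//         browser credential stores; one hit is treated as decisive because
//         the phrases are specific to this family.
//   $b* - command names (looks like the C2 command-handler vocabulary;
//         3 of 4 required so a single generic word such as "getclipboard"
//         does not fire on unrelated tooling).
//   $c* - vendor name plus version banner; both required together.
//
// Caveats for operators:
//   * All strings are plain text (ascii + UTF-16LE); packed or encrypted
//     samples will not match until unpacked - scan dropped/unpacked files
//     or process memory rather than the on-disk packer stub.
//   * The $c tier matches the product branding itself, so builds
//     distributed by the vendor (Remcos is sold commercially) are expected
//     to trigger it as well - treat a $c-only hit as "Remcos present",
//     not as proof of a malicious deployment.
rule malware_windows_remcos_rat
{
    meta:
        description = "Remcos RAT: keylogger/clipboard log markers, command names, and vendor/version banner"
        reference = "https://breaking-security.net/remcos/remcos-changelog/"
        reference2 = "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2"
        author = "@mimeframe"
        md5 = "c8dafe143fe1d81ae6a3c0cd4724b272"

    strings:
        // Tier A: activity log lines emitted by the RAT.
        $a1 = "[Following text has been pasted from clipboard:]" wide ascii
        $a2 = "[Chrome StoredLogins found, cleared!]" wide ascii
        $a3 = "[Firefox StoredLogins cleared!]" wide ascii

        // Tier B: command names (presumably C2 command handlers).
        $b1 = "getclipboard" wide ascii
        $b2 = "stopmiccapture" wide ascii
        $b3 = "downloadfromurltofile" wide ascii
        $b4 = "getcamsingleframe" wide ascii

        // Tier C: vendor branding and version banner.
        $c1 = "Breaking-Security.Net" wide ascii
        $c2 = "REMCOS v" wide ascii

    condition:
        any of ($a*) or 3 of ($b*) or all of ($c*)
}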