/*
 * Flags content that contains the complete set of strings below, which the
 * rule's metadata attributes to CrunchRAT (see the reference URL).
 *
 * Triage notes:
 *   - The condition is purely string-based: there is no file-type or size
 *     constraint, so any scanned data (files, memory, captures) that holds
 *     all nine strings will match.
 *   - Several strings ("cmd.exe", the form content type) are common on their
 *     own; the specificity comes only from requiring all of them together.
 */
rule malware_windows_t3ntman_crunchrat
{
    meta:
        description = "HTTPS-based Remote Administration Tool (RAT)"
        reference = "https://github.com/t3ntman/CrunchRAT"
        author = "@mimeframe"

    strings:
        // Action markers for the three task types named in the strings.
        // NOTE(review): the second tag has no closing slash ("<action>", not
        // "</action>"); kept exactly as written. Confirm against the
        // referenced source before "correcting" it.
        $a1 = "<action>command<action>" ascii wide
        $a2 = "<action>upload<action>" ascii wide
        $a3 = "<action>download<action>" ascii wide

        // Windows command interpreter name.
        $a4 = "cmd.exe" ascii wide

        // Form-encoded content type and the two parameter names, presumably
        // from the HTTPS request bodies the description refers to.
        $a5 = "application/x-www-form-urlencoded" ascii wide
        $a6 = "&action=" ascii wide
        $a7 = "&secondary=" ascii wide

        // Bare tag names. $a9 is a substring of $a1-$a3, so it adds no extra
        // constraint while every string is required.
        $a8 = "<secondary>" ascii wide
        $a9 = "<action>" ascii wide

    condition:
        // Every string above must be present (all identifiers are $a*).
        all of them
}