42 lines
No EOL
976 B
Text
42 lines
No EOL
976 B
Text
private rule XtremeRATCode : XtremeRAT Family
|
|
{
|
|
meta:
|
|
description = "XtremeRAT code features"
|
|
author = "Seth Hardy"
|
|
last_modified = "2014-07-09"
|
|
|
|
strings:
|
|
// call; fstp st
|
|
$ = { E8 ?? ?? ?? ?? DD D8 }
|
|
// hiding string
|
|
$ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
|
|
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
private rule XtremeRATStrings : XtremeRAT Family
|
|
{
|
|
meta:
|
|
description = "XtremeRAT Identifying Strings"
|
|
author = "Seth Hardy"
|
|
last_modified = "2014-07-09"
|
|
|
|
strings:
|
|
$ = "dqsaazere"
|
|
$ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
|
|
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule XtremeRAT : Family
|
|
{
|
|
meta:
|
|
description = "XtremeRAT"
|
|
author = "Seth Hardy"
|
|
last_modified = "2014-07-09"
|
|
|
|
condition:
|
|
XtremeRATCode or XtremeRATStrings
|
|
} |