Sneed-Reactivity/yara-mikesxrs/crowdstrike/CrowdStrike_FlyingKitten.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

37 lines
No EOL
786 B
Text

rule CrowdStrike_FlyingKitten : rat
{
meta:
copyright = "CrowdStrike, Inc"
description = "Flying Kitten RAT"
version = "1.0"
actor = "FLYING KITTEN"
in_the_wild = true
strings:
$classpath = "Stealer.Properties.Resources.resources"
//$pdbstr = "\Stealer\obj\x86\Release\Stealer.pdb"
condition:
all of them and
uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x4550 and
uint16(uint32(0x3C) + 0x16) & 0x2000 == 0 and
((uint16(uint32(0x3c)+24) == 0x010b and
uint32(uint32(0x3c)+232) > 0) or
(uint16(uint32(0x3c)+24) == 0x020b and
uint32(uint32(0x3c)+248) > 0))
}