Sneed-Reactivity/yara-Neo23x0/apt_exile_rat.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00


import "pe"
rule MAL_ExileRAT_Feb19_1 {
    // Detection rule for the ExileRAT sample described in the referenced
    // Talos write-up. Depends on the "pe" module imported at the top of
    // the file for the imphash comparison in the condition.
    meta:
        description = "Detects Exile RAT"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html"
        date = "2019-02-04"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        // SHA-256 of the sample this rule was written against.
        hash1 = "3eb026d8b778716231a07b3dbbdc99e2d3a635b1956de8a1e6efc659330e52de"
        id = "f0a510f3-5fea-59a7-8991-9d06dc478b2a"

    strings:
        // $x*: high-confidence marker (multipart upload field name used by the sample).
        $x1 = "Content-Disposition:form-data;name=\"x.bin\"" fullword ascii

        // $s*: supporting artefacts (module name, PDB path, config path, HTML/format fragments).
        $s1 = "syshost.dll" fullword ascii
        $s2 = "\\scout\\Release\\scout.pdb" ascii
        $s3 = "C:\\data.ini" fullword ascii
        $s4 = "my-ip\" value=\"" fullword ascii
        $s5 = "ver:%d.%d.%d" fullword ascii

    condition:
        // 0x5a4d little-endian at offset 0 is the "MZ" DOS header magic;
        // the size bound keeps the scan to small executables.
        uint16(0) == 0x5a4d and filesize < 500KB and (
            // Either three of the six strings above, or the sample's import hash.
            3 of ($x*, $s*) or
            pe.imphash() == "da8475fc7c3c90c0604ce6a0b56b5f21"
        )
}