
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-09-27
Identifier: Xtreme / XRat
Reference: Internal Research
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule Xtreme_Sep17_1 {
   meta:
      description = "Detects XTREME sample analyzed in September 2017"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2017-09-27"
      hash1 = "93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6"
      id = "7517e237-9cad-5619-9028-4c7ab5463040"
   strings:
      // $x* are the strong markers: a single hit is enough on its own (see condition)
      $x1 = "ServerKeyloggerU" fullword ascii
      $x2 = "TServerKeylogger" fullword ascii
      $x3 = "XtremeKeylogger" fullword wide
      $x4 = "XTREMEBINDER" fullword wide
      // $s* are supporting markers; $s1/$s3 look like autorun.inf directives (confirm against the sample)
      $s1 = "shellexecute=" fullword wide
      $s2 = "[Execute]" fullword wide
      // NOTE: $s3 pins one specific SID, so it only matches samples carrying that exact value
      $s3 = ";open=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\" wide
   condition:
      // MZ magic and a size cap first, then any one of:
      // a known import hash, one strong marker, or three of the seven strings
      uint16(0) == 0x5a4d
      and filesize < 4000KB
      and (
         pe.imphash() == "735af2a144f62c50ba8e89c1c59764eb"
         or 1 of ($x*)
         or 3 of them
      )
}
rule Xtreme_Sep17_2 {
   meta:
      description = "Detects XTREME sample analyzed in September 2017"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2017-09-27"
      hash1 = "f8413827c52a5b073bdff657d6a277fdbfda29d909b4247982f6973424fa2dcc"
      id = "b4878e80-54dc-5a16-9129-ddf2b1a5d287"
   strings:
      // Both strings are required together (all of them); each alone is too generic
      $s1 = "Spy24.exe" fullword wide
      $s2 = "Remote Service Application" fullword wide
   condition:
      // MZ magic, size cap, and both strings present
      uint16(0) == 0x5a4d
      and filesize < 3000KB
      and all of them
}
rule Xtreme_Sep17_3 {
   meta:
      description = "Detects XTREME sample analyzed in September 2017"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2017-09-27"
      hash1 = "f540a4cac716438da0c1c7b31661abf35136ea69b963e8f16846b96f8fd63dde"
      id = "160673ea-b263-520a-a1c1-da0f3e920f12"
   strings:
      // Identifier numbering is non-contiguous ($s2, $s4); the condition uses "all of them",
      // so the gaps do not affect matching
      $s2 = "Keylogg" fullword ascii
      $s4 = "XTREME" fullword wide
   condition:
      // Tighter size cap than the sibling rules; both strings must be present
      uint16(0) == 0x5a4d
      and filesize < 700KB
      and all of them
}
rule Xtreme_RAT_Gen_Imp {
   meta:
      description = "Detects XTREME sample analyzed in September 2017"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2017-09-27"
      hash1 = "7b5082bcc8487bb65c38e34c192c2a891e7bb86ba97281352b0837debee6f1cf"
      id = "10b23099-2a87-5918-927b-f20bcba1cd70"
   condition:
      // No string anchors: the match rests entirely on one of three import hashes.
      // An unrelated binary with a colliding import table would also fire, so treat
      // hits as lower confidence than the string-backed Xtreme_Sep17_* rules.
      uint16(0) == 0x5a4d
      and filesize < 300KB
      and (
         pe.imphash() == "d0bdf112886f3d846cc7780967d8efb9"
         or pe.imphash() == "cc6f630f214cf890e63e899d8ebabba6"
         or pe.imphash() == "e0f7991d50ceee521d7190effa3c494e"
      )
}