
// Suspected Albaniiutas RAT DLL, written against a dumped (in-memory) image.
// The rule is purely string-based: it places no MZ/PE-header or filesize
// constraint on the scanned object, presumably so it also hits memory dumps
// where headers may be absent or rewritten (the reference sample is marked
// "dumped" below) — confirm before adding such a gate for FP tuning.
rule albaniiutas_rat_dll
{
meta:
author = "Dmitry Kupin"
company = "Group-IB"
family = "albaniiutas.rat"
description = "Suspected Albaniiutas RAT (fileless)"
reference = "https://blog.group-ib.com/task" // NOTE(review): URL looks truncated; verify against the original Group-IB post
sample = "fd43fa2e70bcc3b602363667560494229287bf4716638477889ae3f816efc705" // dumped
severity = 9
date = "2021-07-06"
strings:
// Patterns named as embedded key material. Both hex strings include a
// leading and a trailing 0x00 byte, so they match only when the value is
// NUL-delimited (a stricter analogue of `fullword`); this makes them the
// most specific strings in the rule.
$rc4_key = { 00 4C 21 51 40 57 23 45 24 52 25 54 5E 59 26 55 2A 41 7C 7D 74 7E 6B 00 } // L!Q@W#E$R%T^Y&U*A|}t~k
$aes256_str_seed = { 00 30 33 30 34 32 37 36 63 66 34 66 33 31 33 34 35 00 } // 0304276cf4f31345
// URL/path format strings and status messages. $s0, $s1, $s4 and $s6 are
// generic printf-style / path fragments that also occur in benign code;
// they carry weight only in combination with the others.
$s0 = "http://%s/%s/%s/" fullword ascii
$s1 = "%s%04d/%s" fullword ascii
$s2 = "GetRemoteFileData error!" fullword ascii
$s3 = "ReadInjectFile error!" fullword ascii
$s4 = "%02d%02d" fullword ascii
$s5 = "ReadInject succeed!" fullword ascii
$s6 = "/index.htm" fullword ascii
$s7 = "commandstr" fullword ascii
// Module / export names (generic on their own).
$s8 = "ClientX.dll" fullword ascii
$s9 = "GetPluginObject" fullword ascii
// Short status strings; note the digit zero in "0k!" and "E00r!" — keep
// them byte-exact when copying this rule.
$s10 = "D4444 0k!" fullword ascii
$s11 = "D5555 E00r!" fullword ascii
$s12 = "U4444 0k!" fullword ascii
$s13 = "U5555 E00r!" fullword ascii
condition:
// Any 5 of the 16 strings. No single string is mandatory, so a hit can be
// built from the generic format strings alone. If false positives appear,
// one option is to additionally require one of the key-material patterns
// ($rc4_key or $aes256_str_seed); that tightening changes coverage and is
// left to the rule owner.
5 of them
}