/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
// Matches Xtreme RAT builds by product/build markers ($string*) and by the
// names of its internal modules ($unit*).
// Note: the "pe" module imported above is not referenced by this or any
// other rule in this file.
rule Xtreme
{
    meta:
        description = "Xtreme RAT"
        author = "botherder https://github.com/botherder"
    strings:
        // Every pattern is a regex whose first character sits in a capturing
        // group; it matches exactly the same bytes as the plain literal
        // (e.g. "XtremeKeylogger"). The grouping presumably only keeps the
        // literal from appearing verbatim in this file, so the ruleset does
        // not match itself. "wide ascii" covers both UTF-16LE and ASCII forms.
        $string1 = /(X)tremeKeylogger/ wide ascii
        $string2 = /(X)tremeRAT/ wide ascii
        $string3 = /(X)TREMEUPDATE/ wide ascii
        $string4 = /(S)TUBXTREMEINJECTED/ wide ascii
        // "Unit*" names look like source-unit names baked into the binary
        // (Delphi-style) — tool-chain inference not confirmed here.
        $unit1 = /(U)nitConfigs/ wide ascii
        $unit2 = /(U)nitGetServer/ wide ascii
        $unit3 = /(U)nitKeylogger/ wide ascii
        $unit4 = /(U)nitCryptString/ wide ascii
        $unit5 = /(U)nitInstallServer/ wide ascii
        $unit6 = /(U)nitInjectServer/ wide ascii
        $unit7 = /(U)nitBinder/ wide ascii
        $unit8 = /(U)nitInjectProcess/ wide ascii
    condition:
        // Any 5 of the 12 markers; a single generic hit (e.g. "XtremeRAT" in
        // a vendor or AV string) is not enough on its own.
        5 of them
}
// Detects the UTF-16LE marker "XTREME" by raw bytes.
rule xtreme_rat : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="23/02/2013"
        description="Xtreme RAT"
    strings:
        // UTF-16LE "XTREME" with the final null byte of the last "E" omitted,
        // so this is marginally looser than `"XTREME" wide`.
        // A bare 11-byte product-name marker is not specific to the RAT:
        // anything carrying the word XTREME as a wide string (other software,
        // documents, resource names) also matches, so expect false positives
        // when this rule is run over a broad file set rather than a curated one.
        $signature1={58 00 54 00 52 00 45 00 4D 00 45} /*X.T.R.E.M.E*/
    condition:
        // Single-indicator rule; no file-type, size or context constraint.
        $signature1
}
// Code-level features of XtremeRAT: two x86 opcode patterns that must both
// be present.
rule XtremeRATCode : XtremeRAT Family
{
    meta:
        description = "XtremeRAT code features"
        author = "Seth Hardy"
        last_modified = "2014-07-09"
    strings:
        // call; fstp st
        // E8 rel32 (call, target wildcarded) immediately followed by DD D8
        // (fstp st(0)). This 7-byte shape is generic in compiled x86 code and
        // only carries weight in combination with the second pattern.
        $ = { E8 ?? ?? ?? ?? DD D8 }
        // hiding string
        // Five "C6 85 disp32 imm8" instructions — mov byte ptr [ebp+disp32], imm8
        // — with the offsets wildcarded. The immediates 4D 70 64 62 6D are the
        // ASCII bytes "M" "p" "d" "b" "m": a string assembled on the stack one
        // byte at a time so no contiguous literal exists in the binary.
        // Byte order in memory depends on the wildcarded displacements.
        $ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
    condition:
        // Both anonymous strings are required.
        all of them
}
// Identifying ASCII strings. Neither string has the "wide" modifier, so
// UTF-16LE occurrences are not matched.
rule XtremeRATStrings : XtremeRAT Family
{
    meta:
        description = "XtremeRAT Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-09"
    strings:
        // Opaque token; its origin is not documented in this file (unconfirmed
        // whether it is a build, campaign or mutex marker).
        $ = "dqsaazere"
        // Looks like a TDM-GCC/MinGW runtime identifier string. On its own it
        // would match any binary built with that tool-chain, which is why the
        // condition requires both strings together.
        $ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
    condition:
        all of them
}
// Umbrella rule: fires when either of the two XtremeRAT rules above fires.
// Both referenced rules must be declared earlier in the same namespace, as
// they are here (XtremeRATCode and XtremeRATStrings). Because it has no
// strings of its own, a sample that hits a sub-rule is reported twice in
// match listings — once for the sub-rule and once here.
rule XtremeRAT : Family
{
    meta:
        description = "XtremeRAT"
        author = "Seth Hardy"
        last_modified = "2014-07-09"
    condition:
        XtremeRATCode or XtremeRATStrings
}
// Memory-scan rule for Xtrem RAT v3.5 (see meta.filetype). Every string is
// UTF-16LE only ("wide" without "ascii"); only $h is case-insensitive.
rule xtremrat : rat
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Xtrem RAT v3.5"
        date = "2012-07-12"
        version = "1.0"
        filetype = "memory"
    strings:
        // Generic product marker. It is a substring of $b and $e (same case,
        // same encoding), so any hit on those also counts as a hit on $a.
        $a = "XTREME" wide
        $b = "XTREMEBINDER" wide
        $c = "STARTSERVERBUFFER" wide
        // "\\" is a single backslash at match time; registry-key-style path.
        $d = "SOFTWARE\\XtremeRAT" wide
        $e = "XTREMEUPDATE" wide
        $f = "XtremeKeylogger" wide
        // Version marker; ties the rule to the 3.5 line.
        $g = "myversion|3.5" wide
        $h = "xtreme rat" wide nocase
    condition:
        // Intended as "two distinct indicators", but because $a is contained
        // in $b and $e, a single occurrence of "XTREMEBINDER" or
        // "XTREMEUPDATE" already satisfies it on its own. Treat a hit that
        // rests only on $a plus $b or $e as weaker evidence.
        2 of them
}
// Log-scan rule, not a binary signature: the strings are Windows Security
// event fields (provider name, event IDs 5156 and 4688, and two file paths)
// as they would appear in an exported log. Because `all of them` spans two
// different event types, the input must be a file holding many events; the
// rule does not pair each event ID with its path, it only requires all of
// them to be present somewhere in the scanned data.
rule xtreme_rat_0
{
    meta:
        maltype = "Xtreme RAT"
        reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/xtreme-rat-targets-israeli-government/"
    strings:
        // Provider of the Windows Security log. $type and $type1 are
        // byte-identical, so they always match together and add no constraint.
        $type="Microsoft-Windows-Security-Auditing"
        // Event 5156: Windows Filtering Platform permitted a connection.
        $eventid="5156"
        // Case-sensitive, lower-case path ("\\" is one backslash). A log that
        // renders the path as C:\Windows\System32\sethc.exe would not match —
        // confirm against the export format this was written for.
        $data="windows\\system32\\sethc.exe"
        $type1="Microsoft-Windows-Security-Auditing"
        // Event 4688: a new process was created.
        $eventid1="4688"
        // Process image under the user's temp directory posing as Word.
        $data1="AppData\\Local\\Temp\\Microsoft Word.exe"
    condition:
        all of them
}
// Identical strings and condition to xtreme_rat_0 above; only the meta
// differs (an extra "ref" key). Both rules therefore fire on exactly the same
// input and every hit is reported twice — consolidating them is a candidate
// cleanup. Like xtreme_rat_0 this is a log-scan rule over exported Windows
// Security events, and `all of them` does not pair an event ID with its path.
rule xtreme_rat_1
{
    meta:
        maltype = "Xtreme RAT"
        ref = "https://github.com/reed1713"
        reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/xtreme-rat-targets-israeli-government/"
    strings:
        // $type and $type1 are byte-identical and always match together.
        $type="Microsoft-Windows-Security-Auditing"
        // Event 5156: Windows Filtering Platform permitted a connection.
        $eventid="5156"
        // Case-sensitive, lower-case path ("\\" is one backslash); confirm the
        // casing matches the intended log export format.
        $data="windows\\system32\\sethc.exe"
        $type1="Microsoft-Windows-Security-Auditing"
        // Event 4688: a new process was created.
        $eventid1="4688"
        $data1="AppData\\Local\\Temp\\Microsoft Word.exe"
    condition:
        all of them
}