1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule ShadowTech_2
{
meta:
description = "ShadowTech RAT"
author = "botherder https://github.com/botherder"
strings:
$string1 = /\#(S)trings/
$string2 = /\#(G)UID/
$string3 = /\#(B)lob/
$string4 = /(S)hadowTech Rat\.exe/
$string5 = /(S)hadowTech_Rat/
condition:
all of them
}
rule ShadowTech
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/ShadowTech"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "ShadowTech" nocase
$b = "DownloadContainer"
$c = "MySettings"
$d = "System.Configuration"
$newline = "#-@NewLine@-#" wide
$split = "pSIL" wide
$key = "ESIL" wide
condition:
4 of them
}