/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule MSILStealer
{
meta:
description = "Detects strings from C#/VB Stealers and QuasarRat"
reference = "https://github.com/quasar/QuasarRAT"
author = "https://github.com/hwvs"
last_modified = "2019-11-21"
strings:
$ = "Firefox does not have any profiles, has it ever been launched?" wide ascii
$ = "Firefox is not installed, or the install path could not be located" wide ascii
$ = "No installs of firefox recorded in its key." wide ascii
$ = "{0}\\\\FileZilla\\\\recentservers.xml" wide ascii
$ = "{1}{0}Cookie Name: {2}{0}Value: {3}{0}Path" wide ascii
$ = "[PRIVATE KEY LOCATION: \\\"{0}\\\"]" wide ascii
condition:
1 of them
}