Update Miscelanea.yar

0a18c7db · mmorenog · 3425a192 · 0a18c7db
Commit 0a18c7db authored May 27, 2015 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 88 additions and 0 deletions

Miscelanea.yar malware/Miscelanea.yar +88 -0

No files found.
--- a/malware/Miscelanea.yar
+++ b/malware/Miscelanea.yar
@@ -1339,4 +1339,92 @@ rule CyberGate
 	condition:
 		all of ($string*) and any of ($res*)
 }
+rule DarkRAT
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/DarkRAT"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "@1906dark1996coder@"
+		$b = "SHEmptyRecycleBinA"
+		$c = "mciSendStringA"
+		$d = "add_Shutdown"
+		$e = "get_SaveMySettingsOnExit"
+		$f = "get_SpecialDirectories"
+		$g = "Client.My"
+
+	condition:
+		all of them
+}
+rule Greame
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Greame"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+		
+	strings:
+    		$a = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
+            $b = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
+            $c = "EditSvr"
+            $d = "TLoader"
+			$e = "Stroks"
+            $f = "Avenger by NhT"
+			$g = "####@####"
+			$h = "GREAME"
+			
+
+        
+    condition:
+    		all of them
+}
+rule LostDoor
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/LostDoor"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+        
+    strings:
+    	$a0 = {0D 0A 2A 45 44 49 54 5F 53 45 52 56 45 52 2A 0D 0A}
+        $a1 = "*mlt* = %"
+        $a2 = "*ip* = %"
+        $a3 = "*victimo* = %"
+        $a4 = "*name* = %"
+        $b5 = "[START]"
+        $b6 = "[DATA]"
+        $b7 = "We Control Your Digital World" wide ascii
+        $b8 = "RC4Initialize" wide ascii
+        $b9 = "RC4Decrypt" wide ascii
+        
+    condition:
+    	all of ($a*) or all of ($b*)
+}
+rule LuxNet
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/LuxNet"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "GetHashCode"
+		$b = "Activator"
+		$c = "WebClient"
+		$d = "op_Equality"
+		$e = "dickcursor.cur" wide
+		$f = "{0}|{1}|{2}" wide

+	condition:
+		all of them
+}