Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
28d7327f
Unverified
Commit
28d7327f
authored
Jan 26, 2018
by
mmorenog
Committed by
GitHub
Jan 26, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #297 from simonsigre/patch-2
Create RAT_CrossRAT.yar
parents
3b5a6627
52e256a4
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
27 additions
and
0 deletions
+27
-0
RAT_CrossRAT.yar
malware/RAT_CrossRAT.yar
+27
-0
No files found.
malware/RAT_CrossRAT.yar
0 → 100644
View file @
28d7327f
import "hash"
global private rule javaarchive
{
strings:
$magic = { 50 4b 03 04 ( 14 | 0a ) 00 }
$string_1 = "META-INF/"
$string_2 = ".class" nocase
condition:
filesize < 400KB and
$magic at 0 and 1 of ($string_*)
}
rule CrossRAT: RAT
{
meta:
description = "Detects CrossRAT known hash"
author = "Simon Sigre (simon.sigre@gmail.com)"
date = "26/01/2018"
ref = "https://simonsigre.com"
ref= "https://objective-see.com/blog/blog_0x28.html"
condition:
filesize < 400KB and
hash.md5(0, filesize) == "85b794e080d83a91e904b97769e1e770"
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
