Commit 2eaa9ee8 by Yara Rules

Added flying kitten rules

parent 5c6032ec
This Yara ruleset is under the GNU-GPLv2 license ( and open to any user or organization, as long as you use it under this license.
import "pe"
rule FlyingKitten : rat
Author = "CrowdStrike, Inc"
Date = "2014/05/13"
Description = "Flying Kitten RAT"
Reference = ""
$classpath = "Stealer.Properties.Resources.resources"
$pdbstr = "\\Stealer\\obj\\x86\\Release\\Stealer.pdb"
all of them and uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x4550 and uint16(uint32(0x3C) + 0x16) & 0x2000 == 0 and ((uint16(uint32(0x3c)+24) == 0x010b and uint32(uint32(0x3c)+232) > 0) or (uint16(uint32(0x3c)+24) == 0x020b and uint32(uint32(0x3c)+248) > 0))
rule CSIT_14003_03 : installer
Author = "CrowdStrike, Inc"
Date = "2014/05/13"
Description = "Flying Kitten Installer"
Reference = ""
$exename = "IntelRapidStart.exe"
$confname = "IntelRapidStart.exe.config"
$cabhdr = { 4d 53 43 46 00 00 00 00 }
all of them
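Review bot: In CSIT_14003_03 the condition is only `all of them`, with no file-type check like the `uint16(0) == 0x5A4D` test in FlyingKitten, and `$exename` ("IntelRapidStart.exe") is a prefix of `$confname` ("IntelRapidStart.exe.config"), so it matches whenever `$confname` does and adds no selectivity. In effect the rule fires on any file that contains the config file name and the 8-byte `$cabhdr` at any offset; consider anchoring it (an MZ check at offset 0, or a constraint on where `$cabhdr` may occur) or dropping `$exename`. In FlyingKitten, `import "pe"` is declared but the condition does all header parsing with raw `uint16`/`uint32` reads; either drop the import or keep the raw reads and add a comment saying what the offsets 0x16, 24, 232 and 248 from the PE header test, and write `(uint16(uint32(0x3C) + 0x16) & 0x2000) == 0` with explicit parentheses so the intent does not depend on operator precedence. `Reference = ""` is empty in both rules; fill it in or remove the field.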