MoDi RAT yara

1. rule modi_bin
2. {
3. meta:
4. description = "MoDi rat"
5. author = "James_inthe_box"
6. reference = "f9eec7fda9e8d5001161a20f325c207014e3f08ee6bef533587eac651afc3e36"
7. date = "2020/03"
8. maltype = "RAT"
9.  
10. strings:
11. $name1 = "MoDi RAT" ascii wide
12. $string1 = "add_Connected" ascii wide
13. $string2 = "ServerComputer" ascii wide
14. $string3 = "add_Disconnected" ascii wide
15. $string4 = "IsBuzy" ascii wide
16. $string5 = "remove_Data"
17.  
18. condition:
19. uint16(0) == 0x5A4D and (all of ($string*) or $name1) and filesize < 200KB
20. }
21.  
22. rule modi_mem
23. {
24. meta:
25. description = "MoDi rat"
26. author = "James_inthe_box"
27. reference = "f9eec7fda9e8d5001161a20f325c207014e3f08ee6bef533587eac651afc3e36"
28. date = "2020/03"
29. maltype = "RAT"
30.  
31. strings:
32. $name1 = "MoDi RAT" ascii wide
33. $string1 = "add_Connected" ascii wide
34. $string2 = "ServerComputer" ascii wide
35. $string3 = "add_Disconnected" ascii wide
36. $string4 = "IsBuzy" ascii wide
37. $string5 = "remove_Data"
38.  
39. condition:
40. (all of ($string*) or $name1) and filesize > 200KB
41. }
42.  
43. rule cryptage_larbi_bin
44. {
45. meta:
46. description = "MoDi rat loader"
47. author = "James_inthe_box"
48. reference = "c6f3139e24ca5a0d7e21b7ee6128142e36daffac4cd8d9a89c191dc823f099ab"
49. date = "2020/03"
50. maltype = "RAT"
51.  
52. strings:
53. $name1 = "Cryptage VBE" ascii wide fullword
54. $name2 = "Project Larbi" ascii wide fullword
55.  
56. condition:
57. uint16(0) == 0x5A4D and any of ($name*) and filesize < 200KB
58. }
59.  
60. rule cryptage_larbi_mem
61. {
62. meta:
63. description = "MoDi rat loader"
64. author = "James_inthe_box"
65. reference = "c6f3139e24ca5a0d7e21b7ee6128142e36daffac4cd8d9a89c191dc823f099ab"
66. date = "2020/03"
67. maltype = "RAT"
68.  
69. strings:
70. $name1 = "Cryptage VBE" ascii wide fullword
71. $name2 = "Project Larbi" ascii wide fullword
72.  
73. condition:
74. any of ($name*) and filesize > 200KB
75. }