API tools faq
paste
James_inthe_box

Flawedammyy yara

James_inthe_box
Feb 19th, 2019
1,556
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.08 KB | None | 0 0
raw download clone embed print report
  1. rule Flawedammyy_bin
  2. {
  3. meta:
  4. description = "Flawed Ammyy RAT"
  5. author = "James_inthe_box"
  6. reference = "84259a3c6fd62a61f010f972db97eee69a724020af39d53c9ed1e9ecefc4b6b6"
  7. date = "2019/02"
  8. maltype = "RAT"
  9.  
  10. strings:
  11. $mz = { 4d 5a }
  12. $string1 = "service.log" wide
  13. $string2 = "readme!!!.txt" wide
  14. $string3 = "Global\\Ammyy.Service" wide
  15. $string4 = "Ammyy Admin"
  16.  
  17. condition:
  18. uint16(0) == 0x5A4D and uint8(uint32(0x3c)+23) == 0x21 and all of ($string*) and filesize < 800KB
  19. }
  20.  
  21. rule Flawedammyy_mem
  22. {
  23. meta:
  24. description = "Flawed Ammyy RAT"
  25. author = "James_inthe_box"
  26. reference = "84259a3c6fd62a61f010f972db97eee69a724020af39d53c9ed1e9ecefc4b6b6"
  27. date = "2019/02"
  28. maltype = "RAT"
  29.  
  30. strings:
  31. $string1 = "service.log" wide
  32. $string2 = "readme!!!.txt" wide
  33. $string3 = "Global\\Ammyy.Service" wide
  34. $string4 = "Ammyy Admin"
  35.  
  36. condition:
  37. all of ($string*) and filesize > 800KB
  38. }
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!