Occamy yara sig

1. http://devscoserv.tk/a.php
2. http://devscoserv.ht.cx/a.php
3. http://devscoserv.nut.cc/a.php
4. http://devscoserv.ht.cx/b.php
5. http://devscoserv.nut.cc/b.php
6.  
7. C:\Users\USER\AppData\Roaming\System\jobs\debo\debo 0219\ClassSolutionApplication\ClassSolutionApplication\obj\x86\Debug\ClsSolApp.pdb
8.  
9. http://devscoserv.ht.cx/a.php?sync=UmpKR05DMDRNVFpFTFVRM1JqY3RPRFZGT1MwNVFrUkJMVVE0UmpBdE1ESkNOQzFDTjBSQ096VHA=&main1=T7wC9a+Xt6ZbShzlI6AktpEOA30F1aGVAeGqb93KkWAHayqIvBSTGNEaFirkaFTfAoNmH7K85hirBotjsbntQbZ4nKu/yABtsUyK9k5d1Kw=&main2=SukqE2ZzJBgbC+dK5qxheTo8EtwRqQuB6o7HeaAHasgQrIDNSvg4yILh38AeafOgTIU5KzXKrTtyzDNTrkQqAw==&unique1=Q0Y4&unique2=RG9OZQ==
10.  
11. *BLR1-SOUMYAD-V1*ADMIN-DE9CB88BB*HOME-OFF-D5F0AC*TESPC0*POKILLER-F38A4E*CHENFENGWEN*POKILLER*HP-E027TX*POKILLER-PC*KAFAN-CEBE75E95*BEA-CHI-T-7PR01*JOHN DOE*KLONE-PC*KLONE_X64-PC*KLONE_X64*DESKTOP-24G11BB*VM_WIN10_PRO_X64*CRNJEUFU*URNXYMAV*ANTONY-PC*AVIRA-9B5A46E43*BETON-RATS1*SIMON STARK*RATS-PC*XXXX-00-00-38*VIRUSMASTER*XXXX-00-00-65*RICKYBOB-919CD4*USER X86*PXE472179*8-MWS01*8-MWS02*10-MWS02*4-MWS05*4-MWS06*13-MWS06*13-MWS10*9-MWS04*4-MWS04*13-MWS08*6-MWS06*6-MWS04*4-MWS07*11-MWS02*7-MWS06*7-MWS04*5-MWS02*6-MWS05*7-MWS07*AHN-CZY*ALC-D6C19B0AF99*TVMCOM*GQ5GQIG8L3*PSPUBWS*NILS NILSEN*J7CDV99CH8*2OFSXNS5VY*U4TOK1H37D*BUERO11*PUBLIC-EA8367E7*SYS-BC2D6EDD88E*GT-FDCCD9A7405D*C2F3F0B206C14E9*LUSER*SINCODER-ZZZZZZ*MR-COMPUTER*MR_COMPUTER*COMP-HOME261245*USER-ECCD4B251C*WILBERT-SC1508*XP-SP3-TEMPLATE*MIP-XP-CHT*CWS01_03*WILBERT-SC2202*DC-FILESRV*BRBRB-D8FB22AF1*PLACEHOL-6F699A*CWS05D102*CWS06D208*C2F3F0B206C14E9*CWS10D002*FORTINET-5B6ACF*WILBERT-SC2511*PETER-64D0B6F77*USER-2A6E79DA98*LUSER-PC*JOE SMITH*Q221FPK8XESQIKK*GCTU-PK*GCTUPKM-XC*RYOE-VO*AKDSLWH-ZK*ABC-WIN7*ABC-XP*PCISBCVM1*VAL\x00c9RIA-PC*PC_COORD02*SERVIDOR-A546B3*USERPC336346446*BB-04-6*VM_WINXP*TEQUILABOOMBOOM*CUCKOO0806-VM*BR-TAYLOR-87*0E2E44DF465C41A*DIJKSTRA-B459AD*BRIAN-75445F269*JOE-8A81C76C9DF*SINCODER-B046F9*VPSVST01*ADMIN-B2619D2D3*ADMIN-WINXP*ADMIN-WIN7*COMPUTER_1*MOTOMIX*BAECHI-H*APIARY7-PC*NN3AVLA4-PC*VMG-CLIENT*DESKTOP-BE9C1O0*MICHAEL-7-X64*
12.  
13. yara sig:
14. rule Occamy_bin
15. {
16. meta:
17. description = "Occamy Eng Wiz rat"
18. author = "James_inthe_box"
19. reference = "https://app.any.run/tasks/b71c1ef7-85b6-4e20-8bfb-e4c58ca6f8a4"
20. date = "2019/02"
21. maltype = "RAT"
22.  
23. strings:
24. $string1 = "RW5nIFdpei" wide
25. $string2 = "(x86)" wide
26. $string3 = "U01UUCBTZXJ2ZXI" wide
27. $string4 = "VVJMOiA" wide
28. $string5 = "IC9jIA" wide
29.  
30.  
31. condition:
32. uint16(0) == 0x5A4D and all of ($string*) and filesize < 1MB
33. }
34.  
35. rule Occamy_mem
36. {
37. meta:
38. description = "Occamy Eng Wiz rat"
39. author = "James_inthe_box"
40. reference = "https://app.any.run/tasks/b71c1ef7-85b6-4e20-8bfb-e4c58ca6f8a4"
41. date = "2019/02"
42. maltype = "RAT"
43.  
44. strings:
45. $string1 = "RW5nIFdpei" wide
46. $string2 = "(x86)" wide
47. $string3 = "U01UUCBTZXJ2ZXI" wide
48. $string4 = "VVJMOiA" wide
49. $string5 = "IC9jIA" wide
50.  
51.  
52. condition:
53. all of ($string*) and filesize > 1MB
54. }