Common Information
| Type | Value |
|---|---|
| Value |
rule Nerbian_RAT {
meta:
author = "ptrouerbach"
reference = "5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597"
malfamily = "NerbianRAT"
strings:
$args_p = "p-"
$args_s = "s-"
$args_h = "h-"
$args_P = "P-"
$hardcoded_aes_key = { 17 E8 7F 58 1F 1D F8 D6 12 9D 65 FD 50 CE B3 DD 6C 4E 1C 22 30 77 CD 7D 4C 59 5D A6 C3 DF 92 B2 }
$param_auth = "auth_post"
$param_session = "session_key"
$param_data = "data_post"
$param_addr = "addr_post"
$param_port = "port_post"
condition:
uint16be(0) == 0x4D5A and ($hardcoded_aes_key or (all of ($param*) and all of ($args*))) and filesize < 10MB
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |