ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Yara Signature For Nerbian RAT Malware
GuitarBob


Joined: 09 Jul 2006
Posts: 4867
Location: USA
Reply with quote
Below is a Yara signature for a new remote access trojan being distributed via email using Covid-19 as a hook. It uses sophisticated evasion techniques. Copy and paste the signature to a new Notepad file from the word rule to the ending } and save it as a file named NerbianRat.yar in the ClamWin database folder. Save it in All Files form. The file name should be NerbianRat.yar and nothing else.

Yara signatures can be kept permanently if they are not for a specific malware. This one is for a specific malware, so keep it for about three months.

Thanks to proofpoint!


rule Nerbian_RAT

{

meta:

author = "ptrouerbach"

reference = "5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597"

malfamily = "NerbianRAT"



strings:

$args_p = "p-" ascii

$args_s = "s-" ascii

$args_h = "h-" ascii

$args_P = "P-" ascii



$hardcoded_aes_key = { 17E87F581F1DF8D6129D65FD50CEB3DD6C4E1C223077CD7D4C595DA6C3DF92B2 }



$param_auth = "auth_post" ascii

$param_session = "session_key" ascii

$param_data = "data_post" ascii

$param_addr = "addr_post" ascii

$param_port = "port_post" ascii



condition:

uint16be(0) == 0x4D5A

and ($hardcoded_aes_key or (all of ($param*) and all of ($args*)))

and filesize < 10MB

}

Regards,
View user's profileSend private message
Yara Signature For Nerbian RAT Malware
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic