id: xtremerat-trojan

info:
  name: XtremeRAT Trojan - Detect
  author: pussycat0x
  severity: info
  description: |
    Xtreme Rat is a Remote Access Trojan that can steal information. This RAT has been used in attacks targeting Israeli and Syrian governments last 2012.
  reference:
    - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:'XtremeRAT Trojan'
  tags: network,c2,ir,osint,cti,xtreamerat

tcp:
  - inputs:
      - data: 2E
        type: hex

    host:
      - "{{Hostname}}"
    port: 10001
    read-size: 1024

    matchers:
      - type: regex
        regex:
          - "^X$"
# digest: 4a0a0047304502203e69816e86c96597b53b68c265972455eb51b9f8b0a59250a6ee55cd0d37222c022100d7bedfe4486bf9d0275f38620dc70321d06c027224dbc726d96ac70a0441f402:922c64590222798bb761d5b6d8e72950