# Nuclei file-protocol template: reports a file when its raw content contains
# every string listed under `words` (a static string signature for VirusRat).
# Layout restored to block style; keys and values are unchanged.
id: virusrat-malware

info:
  name: VirusRat Malware - Detect
  author: daffainfo
  # "info" only rates the finding itself. A hit is a string-signature match
  # and should be confirmed by further analysis before it is treated as a
  # confirmed infection.
  severity: info
  # presumably the YARA rule these strings were ported from - verify against
  # the linked file before tuning the word list
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file

file:
  # No extension allow-list is applied here.
  # NOTE(review): confirm whether the scanner's default exclusions still skip
  # some file types in your deployment.
  - extensions:
      - all

    matchers:
      - type: word
        # Match against the file content as read, with no decoding step.
        part: raw
        # Plain substring matches; no case-insensitive option is set, so
        # casing must match exactly. Several entries are generic on their own
        # ("virustotal", "virusscan"); the signature relies on the `and`
        # condition below for specificity.
        words:
          - "virustotal"
          - "virusscan"
          - "abccba"
          - "pronoip"
          - "streamWebcam"
          - "DOMAIN_PASSWORD"
          - "Stub.Form1.resources"
          - "ftp://{0}@{1}"
          # looks like queries against the Firefox saved-login tables - verify
          - "SELECT * FROM moz_logins"
          - "SELECT * FROM moz_disabledHosts"
          # Double-quoted scalar: each `\\` is a single literal backslash.
          - "DynDNS\\Updater\\config.dyndns"
          - "|BawaneH|"
        # All twelve words must be present in the same file. This keeps false
        # positives low, but a packed, encrypted or re-built sample that lacks
        # any one string will not match, so a clean result is not proof of
        # absence.
        condition: and
# NOTE(review): the digest below is the template signature as published. Any
# edit to this file, including added comments, is expected to invalidate it;
# re-sign the template before relying on signature verification.
# digest: 490a00463044022061bcb47a0873b0588f265a7e601cd05b6bb37ad8e063e592fdd7d903ad4cc0be02202d8867290f2fdd9ab8efecfb3d5fedc3cadfc2dafc41e8a2adef2fbb43b83e1d:922c64590222798bb761d5b6d8e72950