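/*
 * Stealer / grabber string signatures.
 *
 * All rules in this file match on static strings only; no condition references
 * a pe.* field, so the "pe" import below is currently unused (it is kept so
 * tooling that expects the module to be declared is unaffected, but it can be
 * dropped or put to use with a PE gate such as an is_pe / section check).
 *
 * Family rules require the family's own marker string, so a hit always carries
 * attribution. The generic grab*/webhook string combinations that previously
 * sat in an `or` branch of ExelaStealer, LunaGrabber and UmbralStealer (and
 * therefore labelled any file with those common tokens as that family) are
 * moved into Generic_Stealer_Strings at lower severity, so they still surface
 * but without a family label.
 */
import "pe"

rule RayXStealer
{
    meta:
        description = "Detects RayX Stealer malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"

    strings:
        // family markers (one required)
        $s1 = "rayxstealer" nocase ascii wide
        $s2 = "ray-x" nocase ascii wide
        // token / exfil helpers (one required)
        $token1 = "discordwebhook" nocase ascii wide
        $token2 = "getTokens" nocase ascii wide
        // browser-related words; each is common on its own, so two are required
        $browser1 = "Chrome" nocase ascii wide
        $browser2 = "Edge" nocase ascii wide
        $browser3 = "passwords" nocase ascii wide
        $browser4 = "cookies" nocase ascii wide

    condition:
        1 of ($s*) and 1 of ($token*) and 2 of ($browser*)
}

rule PysilonStealer
{
    meta:
        description = "Detects Pysilon Stealer malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"

    strings:
        // family markers; $id2 is a superstring of $id1, so any $id2 hit also hits $id1
        $id1 = "pysilon" nocase ascii wide
        $id2 = "pysilonstealer" nocase ascii wide
        // collection helpers (two required)
        $grab1 = "grab_discord" nocase ascii wide
        $grab2 = "grab_passwords" nocase ascii wide
        $grab3 = "grab_cookies" nocase ascii wide
        $grab4 = "system_info" nocase ascii wide
        // exfil helpers (one required)
        $net1 = "webhook" nocase ascii wide
        $net2 = "sendData" nocase ascii wide

    condition:
        1 of ($id*) and 2 of ($grab*) and 1 of ($net*)
}

rule ExelaStealer
{
    meta:
        description = "Detects Exela Stealer malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"

    strings:
        // distinctive family marker; sufficient on its own
        $id = "exelastealer" nocase ascii wide

    condition:
        // the former fallback branch (2 of grab_discord/grab_browsers/grab_wallets
        // and 1 of webhook_url/send_report) is covered by Generic_Stealer_Strings
        $id
}

rule BlankGrabber
{
    meta:
        description = "Detects BlankGrabber/AmnesiaGrabber malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"

    strings:
        // family markers (one required); "amnesia" is an ordinary word, so the
        // function and network/crypto strings below are required alongside it
        $id1 = "blankgrabber" nocase ascii wide
        $id2 = "amnesia" nocase ascii wide
        // collection helpers (two required)
        $func1 = "grab_tokens" nocase ascii wide
        $func2 = "grab_cookies" nocase ascii wide
        $func3 = "grab_passwords" nocase ascii wide
        $func4 = "screenshot" nocase ascii wide
        // exfil or crypto helper (one required)
        $net1 = "webhook" nocase ascii wide
        $enc1 = "encrypt" nocase ascii wide
        $enc2 = "decrypt" nocase ascii wide

    condition:
        1 of ($id*) and 2 of ($func*) and 1 of ($net1, $enc*)
}

rule LunaGrabber
{
    meta:
        description = "Detects Luna Grabber malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"

    strings:
        // distinctive family marker; sufficient on its own
        $id = "lunagrabber" nocase ascii wide

    condition:
        // the former fallback branch (2 of grab_tokens/grab_password/grab_cookie
        // and webhook) is covered by Generic_Stealer_Strings
        $id
}

rule UmbralStealer
{
    meta:
        description = "Detects Umbral Stealer malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"

    strings:
        // short marker that also appears in ordinary text, so it is not
        // accepted on its own: at least one helper string must be present too
        $id = "umbral" nocase ascii wide
        $grab1 = "get_tokens" nocase ascii wide
        $grab2 = "get_passwords" nocase ascii wide
        $grab3 = "get_cookies" nocase ascii wide
        $grab4 = "get_wallets" nocase ascii wide
        $net1 = "webhook" nocase ascii wide
        $net2 = "send_data" nocase ascii wide

    condition:
        $id and 1 of ($grab*, $net*)
}

rule DiscordRatStealer
{
    meta:
        description = "Detects Discord RAT malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"

    strings:
        // family markers (one required)
        $id1 = "discordrat" nocase ascii wide
        $id2 = "discord_rat" nocase ascii wide
        // command handling (one required)
        $cmd1 = "command_handler" nocase ascii wide
        $cmd2 = "remote_control" nocase ascii wide
        $cmd3 = "remote_cmd" nocase ascii wide
        // Discord client/library usage (one required); "discord.py" is also the
        // name of a legitimate library, hence the marker and command gates
        $discord1 = "discord.py" nocase ascii wide
        $discord2 = "discord_webhook" nocase ascii wide
        $discord3 = "bot.command" nocase ascii wide

    condition:
        1 of ($id*) and 1 of ($cmd*) and 1 of ($discord*)
}

rule Generic_Stealer_Strings
{
    meta:
        description = "Generic credential-stealer string combinations (no family attribution)"
        author = "Malware Researcher"
        severity = "Medium"
        date = "2023-01-01"

    strings:
        // union of the collection helpers that used to act as family-less
        // fallbacks in ExelaStealer, LunaGrabber and UmbralStealer (two required);
        // grab_password and grab_cookie are prefixes of their plural forms
        $grab1 = "grab_discord" nocase ascii wide
        $grab2 = "grab_browsers" nocase ascii wide
        $grab3 = "grab_wallets" nocase ascii wide
        $grab4 = "grab_tokens" nocase ascii wide
        $grab5 = "grab_password" nocase ascii wide
        $grab6 = "grab_cookie" nocase ascii wide
        $grab7 = "get_tokens" nocase ascii wide
        $grab8 = "get_passwords" nocase ascii wide
        $grab9 = "get_cookies" nocase ascii wide
        $grab10 = "get_wallets" nocase ascii wide
        // exfil helpers (one required); "webhook" also covers "webhook_url"
        $net1 = "webhook" nocase ascii wide
        $net2 = "send_report" nocase ascii wide
        $net3 = "send_data" nocase ascii wide

    condition:
        // deliberately broader than any single family's old fallback branch:
        // a hit here means "stealer-like strings", not a named family
        2 of ($grab*) and 1 of ($net*)
}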