Tria.ge-Crawler-WIP/rules/infosteal.yar

import "pe"
rule RayXStealer {
    // Flags RayX Stealer samples: a family-name marker must co-occur with
    // Discord-token harvesting strings and browser-credential strings.
    meta:
        description = "Detects RayX Stealer malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"
    strings:
        // Family identifiers. "ray-x" is only five characters and can appear
        // in unrelated text, so it never decides a match on its own.
        $s1 = "rayxstealer" nocase ascii wide
        $s2 = "ray-x" nocase ascii wide
        // Discord token exfiltration routines
        $token1 = "discordwebhook" nocase ascii wide
        $token2 = "getTokens" nocase ascii wide
        // Browser credential access. "Chrome" and "Edge" occur in plenty of
        // benign software, which is why two of this group are required.
        $browser1 = "Chrome" nocase ascii wide
        $browser2 = "Edge" nocase ascii wide
        $browser3 = "passwords" nocase ascii wide
        $browser4 = "cookies" nocase ascii wide
    condition:
        1 of ($s*) and 1 of ($token*) and 2 of ($browser*)
}
rule PysilonStealer {
    // Flags Pysilon Stealer samples: a family name plus at least two
    // collection routines and one exfiltration string.
    meta:
        description = "Detects Pysilon Stealer malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"
    strings:
        // Family identifiers ("pysilon" is a substring of "pysilonstealer",
        // so $id1 fires whenever $id2 does)
        $id1 = "pysilon" nocase ascii wide
        $id2 = "pysilonstealer" nocase ascii wide
        // Data collection routines
        $grab1 = "grab_discord" nocase ascii wide
        $grab2 = "grab_passwords" nocase ascii wide
        $grab3 = "grab_cookies" nocase ascii wide
        $grab4 = "system_info" nocase ascii wide
        // Exfiltration
        $net1 = "webhook" nocase ascii wide
        $net2 = "sendData" nocase ascii wide
    condition:
        any of ($id*) and
        2 of ($grab*) and
        any of ($net*)
}
rule ExelaStealer {
    // Flags Exela Stealer samples either by its family name alone or by a
    // combination of grabber routines and an exfiltration string.
    meta:
        description = "Detects Exela Stealer malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"
    strings:
        // Family identifier; specific enough to match on its own
        $id = "exelastealer" nocase ascii wide
        // Collection routines (generic names, shared by several families
        // in this file, so they only count in combination)
        $grab1 = "grab_discord" nocase ascii wide
        $grab2 = "grab_browsers" nocase ascii wide
        $grab3 = "grab_wallets" nocase ascii wide
        // Exfiltration
        $net1 = "webhook_url" nocase ascii wide
        $net2 = "send_report" nocase ascii wide
    condition:
        (2 of ($grab*) and any of ($net*)) or $id
}
rule BlankGrabber {
    // Flags BlankGrabber / AmnesiaGrabber samples: a family identifier plus
    // two collection functions plus either a webhook or crypto string.
    meta:
        description = "Detects BlankGrabber/AmnesiaGrabber malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"
    strings:
        // Family identifiers. "amnesia" is an ordinary word; it is only
        // accepted together with the function and network/crypto strings.
        $id1 = "blankgrabber" nocase ascii wide
        $id2 = "amnesia" nocase ascii wide
        // Collection functions
        $func1 = "grab_tokens" nocase ascii wide
        $func2 = "grab_cookies" nocase ascii wide
        $func3 = "grab_passwords" nocase ascii wide
        $func4 = "screenshot" nocase ascii wide
        // Exfiltration
        $net1 = "webhook" nocase ascii wide
        // Payload / config crypto helpers
        $enc1 = "encrypt" nocase ascii wide
        $enc2 = "decrypt" nocase ascii wide
    condition:
        any of ($id*) and
        2 of ($func*) and
        (any of ($enc*) or $net1)
}
rule LunaGrabber {
    // Flags Luna Grabber samples either by family name or by two grabber
    // routines together with a webhook string.
    meta:
        description = "Detects Luna Grabber malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"
    strings:
        // Family identifier; specific enough to match on its own
        $id = "lunagrabber" nocase ascii wide
        // Collection routines. Note that "grab_password" and "grab_cookie"
        // are substrings of BlankGrabber's "grab_passwords"/"grab_cookies",
        // so the fallback branch below also fires on BlankGrabber-style
        // samples that carry a "webhook" string.
        $grab1 = "grab_tokens" nocase ascii wide
        $grab2 = "grab_password" nocase ascii wide
        $grab3 = "grab_cookie" nocase ascii wide
        // Exfiltration
        $net = "webhook" nocase ascii wide
    condition:
        ($net and 2 of ($grab*)) or $id
}
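rule UmbralStealer {
    // Flags Umbral Stealer samples. The family marker "umbral" is an
    // ordinary word (Spanish for "threshold", English "umbral shadow"), so
    // unlike the other rules in this file it is not allowed to decide a
    // match by itself; it must co-occur with at least one grabber routine,
    // or the generic grabber+exfiltration combination must be present.
    meta:
        description = "Detects Umbral Stealer malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"
    strings:
        // Family identifier (weak on its own, see condition)
        $id = "umbral" nocase ascii wide
        // Collection routines
        $grab1 = "get_tokens" nocase ascii wide
        $grab2 = "get_passwords" nocase ascii wide
        $grab3 = "get_cookies" nocase ascii wide
        $grab4 = "get_wallets" nocase ascii wide
        // Exfiltration
        $net1 = "webhook" nocase ascii wide
        $net2 = "send_data" nocase ascii wide
    condition:
        // Previously "$id or (...)": a bare "umbral" hit produced false
        // positives on unrelated (notably Spanish-language) software.
        ($id and 1 of ($grab*)) or
        (2 of ($grab*) and 1 of ($net*))
}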
rule DiscordRatStealer {
    // Flags Discord-controlled RAT samples: a family identifier plus one
    // command-handling string plus one Discord-library/webhook string.
    // NOTE(review): the rule name says "Stealer" while the description says
    // "Discord RAT"; the strings describe remote control, not credential
    // theft — confirm which is intended.
    meta:
        description = "Detects Discord RAT malware"
        author = "Malware Researcher"
        severity = "High"
        date = "2023-01-01"
    strings:
        // Family identifiers
        $id1 = "discordrat" nocase ascii wide
        $id2 = "discord_rat" nocase ascii wide
        // Command dispatch / remote control
        $cmd1 = "command_handler" nocase ascii wide
        $cmd2 = "remote_control" nocase ascii wide
        $cmd3 = "remote_cmd" nocase ascii wide
        // Discord client library / C2 channel artefacts ("." is literal in
        // YARA text strings, not a regex wildcard)
        $discord1 = "discord.py" nocase ascii wide
        $discord2 = "discord_webhook" nocase ascii wide
        $discord3 = "bot.command" nocase ascii wide
    condition:
        any of ($id*) and any of ($cmd*) and any of ($discord*)
}