Home/Crimson/YARA rules
YARA

YARA rules for Crimson

2 rules · scoped to tool · back to Crimson
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

2 of 2
direct CrimsonRAT
CrimsonRAT_Mar18_1
Detects CrimsonRAT malware
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule CrimsonRAT_Mar18_1 {
   meta:
      description = "Detects CrimsonRAT malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2018-03-06"
      hash1 = "acf2e8013b6fafcf436d5a05049896504ffa2e982bca05155d19981d1931c611"
      hash2 = "7ca6e5ef1d346ec35993c910128a3526b098a07445131784a9358bf5679e3975"
      hash3 = "be4264973de9886caedae1cb707586588d0da85ac7a2ad277db4258033ea12a8"
      hash4 = "acf2e8013b6fafcf436d5a05049896504ffa2e982bca05155d19981d1931c611"
      hash5 = "ff52b4a64ed7caeab00350e493968dbdb159aeb545fcba67d83ab9b158464de4"
      id = "af21876c-f99d-5307-abba-02c57ee93df0"
   strings:
      $x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|" wide
      $x2 = "\\Release\\RTLBot.pdb" ascii
      $x3 = "cmd.exe/c systeminfo >> 1.txt" fullword wide
      $x4 = "/online >> Get online target with important info" fullword wide
      $x5 = "/screen >> ScreenShot from target PC" fullword wide
      $x6 = "/restart >> Restart Target PC" fullword wide
      $x7 = "/log_key >> Get log key file" fullword wide

      $a1 = "get_ShiftKey" fullword ascii
      $a2 = "get_ControlKey" fullword ascii
      $a3 = "get_AltKey" fullword ascii
      $a4 = "get_MineInterval" fullword ascii

      $fp1 = "Copyright Software Secure" wide
   condition:
      uint16(0) == 0x5a4d and filesize < 400KB and ( 1 of ($x*) or all of ($a*) )
      and not 1 of ($fp*)
}
direct ProjectM
ProjectM_CrimsonDownloader
Detects ProjectM Malware
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule ProjectM_CrimsonDownloader {
	meta:
		description = "Detects ProjectM Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/"
		date = "2016-03-26"
		hash = "dc8bd60695070152c94cbeb5f61eca6e4309b8966f1aa9fdc2dd0ab754ad3e4c"
		id = "2e0658c9-a93d-5eef-93a2-eb1ab29acaee"
	strings:
		$x1 = "E:\\Projects\\m_project\\main\\mj shoaib"

		$s1 = "\\obj\\x86\\Debug\\secure_scan.pdb" ascii
		$s2 = "secure_scan.exe" fullword wide
		$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|mswall" fullword wide
		$s4 = "secure_scan|mswall" fullword wide
		$s5 = "[Microsoft-Security-Essentials]" fullword wide
	condition:
		( uint16(0) == 0x5a4d and filesize < 400KB and $x1 ) or ( all of them )
}
Showing 1-2 of 2
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin