YARA rules for jRAT
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts. Note that the selection is name-based: the three njRAT rules below (HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code, RAT_njRat, HKTL_NET_GUID_njRAT) target the Windows .NET njRAT family, apparently pulled in because "jRat" is a substring of "NjRat"; they look for PE/.NET artefacts rather than the Java archives (ZIP/JAR entries) that the jRAT, AlienSpy, unrecom and Adwind rules match on, so review them before including them in a jRAT hunt.
HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/AliBawazeEer/RAT-NjRat-0.7d-modded-source-code"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "2b7d1f75-0164-561e-8199-32c601cbca98"
strings:
// Name of the referenced GitHub repository; presumably carried into binaries built from that
// tree (assembly metadata or embedded paths). A renamed fork would not trigger this rule.
$name = "RAT-NjRat-0.7d-modded-source-code" ascii wide
// Generic .NET assembly attribute name; it only confirms a managed build and is not family-specific.
$compile = "AssemblyTitle" ascii wide
condition:
// MZ magic plus "PE\0\0" at the e_lfanew offset (i.e. a PE file), and both strings present.
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
RAT_njRat
Detects njRAT
rule RAT_njRat
{
meta:
author = "Kevin Breen <[email protected]>"
date = "01.04.2014"
description = "Detects njRAT"
reference = "http://malwareconfig.com/stats/njRat"
maltype = "Remote Access Trojan"
filetype = "exe"
id = "6289b9c8-eef6-5cfb-97bd-b819158d6fdd"
strings:
// UTF-16LE bytes of the token |'|'| — presumably the field delimiter of njRAT's C2 protocol
// (verify against a sample); this is the most family-specific string in the rule.
$s1 = {7C 00 27 00 7C 00 27 00 7C} // |'|'|
// Firewall-exception and Run-key persistence strings; generic on their own, hence only used in combination.
$s2 = "netsh firewall add allowedprogram" wide
$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
// Date format pattern; very common in .NET software, so it carries little weight alone.
$s4 = "yyyy-MM-dd" wide
// Self-delete one-liners (ping as a sleep, then del); builds differ in which variant they use.
$v1 = "cmd.exe /k ping 0 & del" wide
$v2 = "cmd.exe /c ping 127.0.0.1 & del" wide
$v3 = "cmd.exe /c ping 0 -n 2 & del" wide
condition:
// No file-header gate: every $s string plus at least one $v variant must be present.
all of ($s*) and any of ($v*)
}
MAL_JRAT_Oct18_1
Detects JRAT malware
rule MAL_JRAT_Oct18_1 {
meta:
description = "Detects JRAT malware"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-10-11"
hash1 = "ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411"
id = "f211ef1c-8def-55f0-8817-d01ebd9c2947"
strings:
// JAR entry path ending in JRat.class (ZIP entry names are ASCII, so no "wide" needed).
// Any archive that happens to contain a class of that name will also match — single-indicator rule.
$x1 = "/JRat.class" ascii
condition:
// "PK" ZIP/JAR local-header signature read as little-endian uint16, a size cap to keep scans cheap,
// and the one string above ("1 of them" is equivalent to "$x1" here).
uint16(0) == 0x4b50 and filesize < 700KB and 1 of them
}
HKTL_NET_GUID_njRAT
Detects VB.NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_njRAT {
meta:
description = "Detects VB.NET red/black-team tools via typelibguid"
reference = "https://github.com/mwsrc/njRAT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-30"
modified = "2025-08-15"
id = "2140d69e-fb15-50a2-ba85-b7c8293003fb"
strings:
// TypeLib GUIDs of the njRAT projects in the referenced repository; the "lo" suffix marks the
// lowercase spelling. YARA strings are case-sensitive unless "nocase" is given, so an uppercase
// rendering of the same GUID does not match this rule — presumably deliberate (atom quality) or
// covered by a companion rule; confirm before relying on it for the uppercase form.
$typelibguid0lo = "5a542c1b-2d36-4c31-b039-26a88d3967da" ascii wide
$typelibguid1lo = "6b07082a-9256-42c3-999a-665e9de49f33" ascii wide
$typelibguid2lo = "c0a9a70f-63e8-42ca-965d-73a1bc903e62" ascii wide
$typelibguid3lo = "70bd11de-7da1-4a89-b459-8daacc930c20" ascii wide
$typelibguid4lo = "fc790ee5-163a-40f9-a1e2-9863c290ff8b" ascii wide
$typelibguid5lo = "cb3c28b2-2a4f-4114-941c-ce929fec94d3" ascii wide
condition:
// PE gate (MZ magic and "PE\0\0" at e_lfanew), then any single GUID is enough.
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
crime_win_rat_AlienSpy
Alien Spy Remote Access Trojan
rule crime_win_rat_AlienSpy
{
meta:
description = "Alien Spy Remote Access Trojan"
author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
date = "04-Apr-15"
filetype = "Java"
hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
hash_2 = "818afea3040a887f191ee9d0579ac6ed"
hash_3 = "973de705f2f01e82c00db92eaa27912c"
hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
hash_5 = "071e12454731161d47a12a8c4b3adfea"
hash_6 = "a7d50760d49faff3656903c1130fd20b"
hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
hash_8 = "3698a3630f80a632c0c7c12e929184fb"
hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
id = "a79789cd-9b16-58f5-ab51-48bb900583d1"
strings:
/* Three alternative string sets ($sa_*, $sb_*, $sc_*), each describing one packaging variant;
   the condition requires ALL strings of at least one set. The "...PK" suffix on the entry names
   presumably anchors the name to the end of a ZIP directory record, where the next record's
   "PK" signature follows immediately when there is no extra field or comment — confirm against
   the referenced report before tightening or loosening it. */
/* Set A: plain JAR layout with Main.class, a plugins/Server class and an "ID" entry. */
$sa_1 = "META-INF/MANIFEST.MF"
$sa_2 = "Main.classPK"
$sa_3 = "plugins/Server.classPK"
$sa_4 = "IDPK"
/* Set B: encrypted-stub layout (LoadStub/DecryptStub/LoadPassword with config.ini and password.ini).
   $sb_3 duplicates $sa_3 on purpose so that each set stands on its own; $sb_6 was never defined. */
$sb_1 = "config.iniPK"
$sb_2 = "password.iniPK"
$sb_3 = "plugins/Server.classPK"
$sb_4 = "LoadStub.classPK"
$sb_5 = "LoadStubDecrypted.classPK"
$sb_7 = "LoadPassword.classPK"
$sb_8 = "DecryptStub.classPK"
$sb_9 = "ClassLoaders.classPK"
/* Set C: bare path fragments plus the literal "AlienSpy"; "options" and "plugins" are generic
   on their own and only carry weight because the whole set is required. */
$sc_1 = "config.xml"
$sc_2 = "options"
$sc_3 = "plugins"
/* $sc_4 = "util" */
$sc_5 = "util/OSHelper"
$sc_6 = "Start.class"
$sc_7 = "AlienSpy"
/* $sc_8 = "PK" */ /* too short atom - disabled for performance reasons */
condition:
/* ZIP/JAR "PK" magic, size cap, then any one complete set. */
uint16(0) == 0x4B50 and filesize < 800KB and ( (all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)) )
}
RAT_unrecom
Detects unrecom RAT
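rule RAT_unrecom
{
meta:
author = "Kevin Breen <[email protected]>"
date = "01.04.2014"
description = "Detects unrecom RAT"
reference = "http://malwareconfig.com/stats/unrecom"
maltype = "Remote Access Trojan"
// Corrected from "exe": every string below is a JAR entry path, so the target is a Java archive
// (same filetype convention as crime_win_rat_AlienSpy on this page).
filetype = "Java"
id = "56b11c22-f43c-5192-9a0a-0ac14b0cd041"
strings:
// Present in practically every JAR; only meaningful in combination with the paths below.
$meta = "META-INF"
// Entry names of the unrecom loader package ("load/...") and its server plugin class.
$conf = "load/ID"
$a = "load/JarMain.class"
$b = "load/MANIFEST.MF"
$c = "plugins/UnrecomServer.class"
condition:
// All five entry names must appear. Unlike MAL_JRAT_Oct18_1 and crime_win_rat_AlienSpy there is
// no ZIP-header or filesize gate, so this can also fire on archives embedded in other files,
// at the cost of string-scanning every input.
all of them
}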
RAT_adWind
Detects Adwind RAT
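rule RAT_adWind
{
meta:
author = "Kevin Breen <[email protected]>"
date = "01.04.2014"
description = "Detects Adwind RAT"
reference = "http://malwareconfig.com/stats/adWind"
maltype = "Remote Access Trojan"
// Corrected from "exe": the strings are JAR entry names and a Java class reference, so the
// target is a Java archive (same filetype convention as crime_win_rat_AlienSpy on this page).
filetype = "Java"
id = "95681c07-0e9c-5688-a8a0-899617521c7b"
strings:
// Present in practically every JAR; only meaningful together with the family-specific strings.
$meta = "META-INF"
// Configuration entry name; generic, used only in combination.
$conf = "config.xml"
// Main class entry and a likely package/class reference of the Adwind build.
$a = "Adwind.class"
$b = "Principal.adwind"
condition:
// All four strings must appear. No ZIP-header or filesize gate, unlike MAL_JRAT_Oct18_1 and
// crime_win_rat_AlienSpy, so embedded archives can match too but every input is string-scanned.
all of them
}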