YARA rules for Pandora
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
/*
 * RAT_Pandora: string signature for the Pandora remote access trojan.
 *
 * The condition requires every one of the thirteen strings below, so a hit
 * means the scanned data carries the full set in clear form.
 * NOTE(review): packed or encrypted samples will presumably match only once
 * unpacked (e.g. in a memory scan), not on disk; confirm against known samples.
 */
rule RAT_Pandora {
    meta:
        author = "Kevin Breen <kevin@techanarchy.net>"
        date = "01.04.2014"
        description = "Detects Pandora RAT"
        reference = "http://malwareconfig.com/stats/Pandora"
        maltype = "Remote Access Trojan"
        // Informational only: nothing in the condition checks the file type.
        filetype = "exe"
        id = "d31e4366-8911-5c9c-92dc-a99f5233c626"

    strings:
        // No modifier means ASCII matching; only $c and $d carry `wide`
        // (two bytes per character, as in UTF-16LE).
        $a = "Can't get the Windows version"
        $b = "=M=Q=U=Y=]=a=e=i=m=q=u=y=}="

        // Generic runtime/library messages; they look common to many
        // binaries and only have value combined with the other strings.
        $c = "JPEG error #%d" wide
        $d = "Cannot assign a %s to a %s" wide
        $g = "%s, ProgID:"

        // "clave" is Spanish for key/password; presumably a config field.
        $h = "clave"
        // Window class name of the Windows taskbar.
        $i = "Shell_TrayWnd"

        // Presumably install/cleanup artifacts: a batch file name, a registry
        // value name (StubPath is used by Active Setup entries) and a log
        // file. The doubled backslash is an escaped single backslash.
        $j = "melt.bat"
        $k = "\\StubPath"
        $l = "\\logs.dat"

        // Pipe-delimited "<number>|<message>" strings; these look like the
        // most family-specific indicators in the set.
        $m = "1027|Operation has been canceled!"
        $n = "466|You need to plug-in! Double click to install... |"
        // Identifier is the digit zero, kept as published (not the letter o).
        $0 = "33|[Keylogger Not Activated!]"

    condition:
        // Strict AND over all strings: low false-positive risk, but a variant
        // missing any single string will not be detected.
        all of them
}