
YARA rules for MagicRAT

1 rule · scoped to tool
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

MAL_APT_NK_Andariel_CutieDrop_MagicRAT
Detects the MagicRAT variant used by Andariel
author: CISA.gov (modified by Florian Roth, Nextron Systems) · license: see source repo
rule MAL_APT_NK_Andariel_CutieDrop_MagicRAT {
   meta:
      author = "CISA.gov (modified by Florian Roth, Nextron Systems)"
      description = "Detects the MagicRAT variant used by Andariel"
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
      date = "2024-07-25"
      score = 80
      id = "104244de-83fb-5112-a2b6-e20d38a6ced6"
   strings:
      // I removed the 'wide' from the strings because the samples don't contain the strings
      // UTF-16 formatted and there's no indication that they ever will be, F.R.

      $config_os_w = "os/windows" ascii
      $config_os_l = "os/linux" ascii
      $config_os_m = "os/mac" ascii
      $config_comp_msft = "company/microsoft" ascii
      $config_comp_orcl = "company/oracle" ascii
      $POST_field_1 = "session=" ascii
      $POST_field_2 = "type=" ascii
      // $POST_field_3 = "id=" ascii wide  // disabled this string because it's too short
      $command_misspelled = "renmae" ascii
   condition:
      uint16(0) == 0x5a4d
      and 7 of them
}

rule MAL_APT_NK_Andariel_HHSD_FileTransferTool {
   meta:
      author = "CISA.gov"
      description = "Detects a variant of the HHSD File Transfer Tool"
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
      date = "2024-07-25"
      modified = "2025-07-09"
      score = 70
      id = "46b6dbaf-1272-5bbd-a586-5e48ba6c5022"
   strings:
      // 30 4D C7                xor     [rbp+buffer_v41+3], cl
      // 81 7D C4 22 C0 78 00    cmp      dword ptr [rbp+buffer_v41], 78C022h
      // 44 88 83 00 01 00 00    mov      [rbx+100h], r8b
      $handshake = { 30 ?? ?? 81 7? ?? 22 C0 78 00 4? 88 }

      // B1 14                   mov     cl, 14h
      // C7 45 F7 14 00 41 00    mov      [rbp+57h+Src], 410014h
      // C7 45 FB 7A 00 7F 00    mov      [rbp+57h+var_5C], 7F007Ah
      // C7 45 FF 7B 00 63 00    mov     [rbp+57h+var_58], 63007Bh
      // C7 45 03 7A 00 34 00    mov      [rbp+57h+var_54], 34007Ah
      // C7 45 07 51 00 66 00    mov      [rbp+57h+var_50], 660051h
      // C7 45 0B 66 00 7B 00    mov      [rbp+57h+var_4C], 7B0066h
      // C7 45 0F 66 00 00 00    mov      [rbp+57h+var_48], 66h ; 'f'
      $err_xor_str = { 14 C7 [2] 14 00 41 00 C7 [2] 7A 00 7F 00 C7 [2] 7B 00 63 00 C7 [2] 7A 00 34 00 }

      // 41 02 D0                add     dl, r8b
      // 44 02 DA                add     r11b, dl
      // 3C 1F                   cmp     al, 1Fh
      // $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F }      removed due to 1 byte atom
      // B9 8D 10 B7 F8          mov     ecx, 0F8B7108Dh
      // E8 F1 BA FF FF          call    sub_140001280
      $hash_call_loadlib = { B? 8D 10 B7 F8 E8 }
      $hash_call_unk = { B? 91 B8 F6 88 E8 }
   condition:
      uint16(0) == 0x5a4d
      and 1 of ($handshake, $err_xor_str)
      and 1 of ($hash_call_*)
      or 2 of ($handshake, $err_xor_str)
}

rule MAL_APT_NK_Andariel_Atharvan_3RAT {
   meta:
      author = "CISA.gov"
      description = "Detects a variant of the Atharvan 3RAT malware family"
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
      date = "2024-07-25"
      score = 80
      id = "9ff6998a-a2dd-5671-bd3f-ee69561f71ef"
   strings:
      $3RAT = "D:\\rang\\TOOL\\3RAT"
      $atharvan = "Atharvan_dll.pdb"
   condition:
      uint16(0) == 0x5a4d
      and 1 of them
}

rule MAL_APT_NK_Andariel_LilithRAT_Variant {
   meta:
      author = "CISA.gov (modified by Florian Roth, Nextron Systems)"
      description = "Detects a variant of the Lilith RAT malware family"
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
      date = "2024-07-25"
      modified = "2024-07-26"
      score = 80
      id = "916a289b-db7b-5f09-9d3e-589c3f09101d"
   strings:
      // I removed the 'wide' from the strings because the samples don't contain the strings
      // UTF-16 formatted and there's no indication that they ever will be, F.R.

      // The following are strings seen in the open source version of Lilith
      $lilith_1 = "Initiate a CMD session first." ascii
      $lilith_2 = "CMD is not open" ascii
      $lilith_3 = "Couldn't write command" ascii
      $lilith_4 = "Couldn't write to CMD: CMD not open" ascii

      // The following are strings that appear to be unique to the Unnamed Trojan based on Lilith
      $unique_1 = "Upload Error!" ascii
      $unique_2 = "ERROR: Downloading is already running!" ascii
      $unique_3 = "ERROR: Unable to open file:" ascii
      $unique_4 = "General error" ascii
      $unique_5 = "CMD error" ascii
      $unique_6 = "killing self" ascii
   condition:
      // I refactored the condition to make it more generic, F.R.
      uint16(0) == 0x5a4d
      and filesize < 150KB
      and (
         all of ($lilith_*)
         or 4 of ($unique_*)
         or 1 of ($lilith_4, $unique_2)  // both strings are very specific - let's use them as a unique indicator, F.R.
      )
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin