ghostYara
Curated YARA rules by family and tags. Fast filter + copy.
Astaroth
CLEARFamily: Astaroth · Tags: infostealer
By Sab0x1D · Updated 2025-11-10
rule Astaroth {
    // Astaroth: the single string is the escaped spelling of "script:HTtp"
    // (mixed \xNN hex and \162 octal escapes, trailing backslash), i.e. the
    // form the text has inside an escaped script rather than its decoded form.
    meta:
        author = "Sab0x1D"
        description = "Detects Astaroth malware"
    strings:
        // ascii is the default modifier; stated explicitly for readability.
        $str1 = "\\x73\\x63\\162\\x69\\x70\\x74\\x3a\\x48\\x54\\x74\\x70\\" ascii
    condition:
        // Only one string is defined, so "any of them" is simply $str1.
        $str1
}
AsyncRAT
CLEARFamily: AsyncRAT · Tags: rat remote
By Sab0x1D · Updated 2025-11-03
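rule AsyncRAT {
    // AsyncRAT artifacts: product name, a generic server token, C2 host names
    // and C2 IP addresses.
    // The bare dynamic-DNS provider names that were listed as $str2
    // ("con-ip.com") and $domain6 ("kozow.com") have been removed: each was a
    // substring of a host name below, so one host-name hit satisfied
    // "2 of them" on its own, and the provider name by itself also appears in
    // benign files. Identifier numbering is kept so existing references hold.
    meta:
        author = "Sab0x1D"
        description = "Detects AsyncRAT malware"
    strings:
        $str1 = "AsyncRAT"
        // "Server0" is a generic token; it only counts together with another hit.
        $str3 = "Server0"
        $domain1 = "robertocruzandradedomin.con-ip.com"
        $domain2 = "melo2024.kozow.com"
        $domain3 = "dios123.kozow.com"
        $domain4 = "andresrosado218.kozow.com"
        $domain5 = "ancy2024.kozow.com"
        $domain7 = "modsmasync.duckdns.org"
        $domain8 = "envio1206.duckdns.org"
        $domain9 = "19nov2024.duckdns.org"
        $ip1 = "181.131.219.51"
        $ip2 = "45.40.96.97"
        $ip3 = "191.88.249.120"
        $ip4 = "104.156.247.38"
        $ip5 = "179.14.8.215"
    condition:
        // Two distinct indicators are now genuinely required.
        2 of them
}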
W32/BlackMoon
CLEARFamily: BlackMoon · Tags: trojan banker stealer
By Sab0x1D · Updated 2025-11-10
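// Formerly declared as "rule Black Moon": YARA identifiers cannot contain a
// space, so the rule did not compile. Renamed to BlackMoon (the family name
// used in the page metadata).
rule BlackMoon {
    // W32/BlackMoon: loader strings, family tag and observed IP addresses.
    meta:
        author = "Sab0x1D"
        description = "Detects W32/BlackMoon malware"
    strings:
        // $str1, $str3 and $str5 are low-fidelity on their own: a process name,
        // the URL of a public networking library (HP-Socket) that any binary
        // linking it may embed, and a shortcut file name.
        $str1 = "Tomcat.exe"
        $str2 = "E_Loader 1.0"
        $str3 = "https://github.com/ldcsaa/HP-Socket"
        $str4 = "blackmoon"
        $str5 = "WPS.lnk"
        $ip1 = "206.238.199.123"
        $ip2 = "203.107.1.33"
        $ip3 = "206.238.220.51"
        $ip4 = "154.55.135.78"
    condition:
        2 of them
}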
Cobalt Strike Ransomware
CLEARFamily: Cobalt Strike · Tags: c2 framework ransomware
By Sab0x1D · Updated 2025-11-10
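// Formerly declared as "rule Cobalt Strike": YARA identifiers cannot contain a
// space, so the rule did not compile. Renamed to CobaltStrike.
rule CobaltStrike {
    // NOTE(review): Cobalt Strike is a C2 framework (the page tags it
    // "c2 framework"); the "Ransomware" wording in the description presumably
    // refers to the intrusion it was observed in - confirm and reword.
    meta:
        author = "Sab0x1D"
        description = "Detects the Cobalt Strike Ransomware"
    strings:
        // Standard WebSocket upgrade response line; present in many benign
        // programs, so it only counts alongside one of the IPs.
        $str1 = "HTTP/1.1 101 Switching Protocols"
        $ip1 = "159.75.57.69"
        $ip2 = "12.202.180.134"
        $ip3 = "192.197.113.45"
    condition:
        2 of them
}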
DcRAT
CLEARFamily: DcRAT · Tags: rat remote
By Sab0x1D · Updated 2025-11-06
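rule DcRAT
{
    // DcRat / DarkCrystal RAT artifacts.
    // $str1 ("DcRat" nocase) is contained in $str3, $str4, $str7 and $str9, and
    // the former $str5 ("DCRat-Log") was a prefix of $str9, so a plain
    // "2 of them" was satisfied by a single hit. $str5 is dropped and $str1 is
    // counted only against indicators that do not already contain it.
    meta:
        description = "Detects DcRat"
    strings:
        $str1 = "DcRat" nocase
        $str3 = "DcRatByqwqdanchun"
        $str4 = "DcRatMutex" nocase
        // Generic Chrome 95 User-Agent; low fidelity, corroborating only.
        $str6 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53"
        $c21 = "wins23octok.duckdns.org"
        $c22 = "enviasept.duckdns.org"
        $str7 = "DcRat By qwqdanchun1"
        $str8 = "DarkCrystal RAT"
        $str9 = "DCRat-Log#"
    condition:
        // Two distinct specific indicators, or the generic family token plus
        // one indicator that does not itself contain "DcRat".
        2 of ($str3, $str4, $str7, $str8, $str9, $c2*)
        or ($str1 and 1 of ($str6, $str8, $c2*))
}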
FormBook
CLEARFamily: FormBook · Tags: infostealer stealer keylogger
By Sab0x1D · Updated 2025-11-10
rule FormBook {
    // FormBook: four code patterns carried over from the Elastic rule named in
    // meta (part_author/id/fingerprint) plus six domain strings added later.
    // meta keeps both "modified" (from the Elastic source) and "last_modified"
    // (this curated copy).
    meta:
        description = "Detects the FormBook malware"
        part_author = "Elastic Security"
        id = "1112e116-dee0-4818-a41f-ca5c1c41b4b8"
        fingerprint = "b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134"
        creation_date = "2021-06-14"
        modified = "2021-08-23"
        last_modified = "2025-11-10"
    strings:
        // Code patterns.
        $a1 = { 3C 30 50 4F 53 54 74 09 40 }
        $a2 = { 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 }
        $a3 = { 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 }
        $a4 = { 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 }
        // Domain strings.
        $str1 = "www.liangyuen528.com"
        $str2 = "www.3xfootball.com"
        $str3 = "www.goldenjade-travel.com"
        $str4 = "www.empowermedeco.com"
        $str5 = "www.kasegitai.tokyo"
        $str6 = "www.rssnewscast.com"
    condition:
        // A single hit from either group is enough (same as "any of them").
        1 of them
}
FormBook -Elastic
CLEARFamily: FormBook · Tags: infostealer stealer keylogger
By Sab0x1D · Updated 2025-11-10
rule FormBook_Elastic {
    // FormBook (Elastic rule): the UTF-16 log-file path pattern $r1 is the
    // anchor; the three ascii strings are corroborating only.
    meta:
        author = "Elastic Security"
        id = "772cc62d-345c-42d8-97ab-f67e447ddca4"
        fingerprint = "3d732c989df085aefa1a93b38a3c078f9f0c3ee214292f6c1e31a9fc1c9ae50e"
        creation_date = "2022-05-23"
        modified = "2022-07-18"
        threat_name = "Windows.Trojan.Formbook"
        reference = "https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach"
    strings:
        // User-Agent and two short generic tokens.
        $a1 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
        $a2 = "signin"
        $a3 = "persistent"
        // <drive>:\Users\<user>\AppData\Roaming\<8 alnum>\<3 alnum>log.ini, wide.
        $r1 = /.\:\\Users\\[^\\]{1,50}\\AppData\\Roaming\\[a-zA-Z0-9]{8}\\[a-zA-Z0-9]{3}log\.ini/ wide
    condition:
        $r1 and 2 of ($a*)
}
FormBook -Elastic Security
CLEARFamily: FormBook · Tags: infostealer keylogger stealer
By Sab0x1D · Updated 2025-11-10
rule FormBook_ElasticSecurity {
    // FormBook (Elastic rule): a single code pattern, matched on its own.
    // "main_author" is a non-standard meta key kept as published here.
    meta:
        main_author = "Elastic Security"
        id = "5799d1f2-4d4f-49d6-b010-67d2fbc04824"
        fingerprint = "b262c4223e90c539c73831f7f833d25fe938eaecb77ca6d2e93add6f93e7d75d"
        creation_date = "2022-06-08"
        modified = "2022-09-29"
        threat_name = "Windows.Trojan.Formbook"
        reference_sample = "8555a6d313cb17f958fc2e08d6c042aaff9ceda967f8598ac65ab6333d14efd9"
    strings:
        $a = { E9 C5 9C FF FF C3 E8 00 00 00 00 58 C3 68 }
    condition:
        // Only one string, so "all of them" is just $a.
        $a
}
GhostRAT
CLEARFamily: GhostRAT · Tags: rat remote
By Sab0x1D · Updated 2025-11-06
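rule GhostRAT
{
    // GhostRAT artifacts. $str1, $str2, $str3, $str7 and $str8 are ordinary
    // Windows API names, a window-station path and a shell registry path that
    // many benign programs contain; five of them alone satisfied "4 of them".
    // The condition now also requires one sample-specific indicator.
    meta:
        description = "Detects GhostRAT malware"
    strings:
        // Generic Windows strings (corroborating only).
        $str1 = "WinSta0\\Default"
        $str2 = "GetClipboardData"
        $str3 = /(%)s\\shell\\open\\command/
        $str7 = "LogonTrigger"
        $str8 = "AdjustTokenPrivileges"
        // Sample-specific: C2 IP, two security-product process names and a
        // vendor registry path the sample references.
        $ip1 = "129.226.170.223"
        $str4 = "ZhuDongFangYu.exe"
        $str5 = "Software\\Tencent\\Plugin\\VAS"
        $str6 = "UnThreat.exe"
    condition:
        4 of them and 1 of ($ip1, $str4, $str5, $str6)
}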
GotoRAT
CLEARFamily: GotoRAT · Tags: rat remote
By Sab0x1D · Updated 2025-11-06
// GotoRAT: the strings are the product name of the GoTo Resolve remote-support
// agent and an endpoint under the vendor's own domain, so a hit shows the agent
// is present rather than that it is being abused; treat like the other
// "legitimate-tool" rules and add installer/user context before acting.
rule GotoRAT{
meta:
description = "detects GotoRAT malware"
strings:
// Product name, both spellings.
$str1 = "GoTo Resolve"
$str2 = "GoToResolve"
// Vendor event endpoint; $c22 is an IP indicator with no origin given in meta.
$c21 = "https://dumpster.console.gotoresolve.com/api/sendEventsV2"
$c22 = "34.120.195.249"
condition:
any of them
}
Grandoreiro
CLEARFamily: Grandoreiro · Tags: trojan banker infostealer keylogger
By Sab0x1D · Updated 2025-11-10
rule Grandoreiro {
    // Grandoreiro: one resource/file name, matched on its own.
    // The "Binary.<name>.dll" form looks like an MSI Binary-table entry name -
    // presumably from the installer variant; confirm against the sample.
    meta:
        description = "Detecting Grandoreiro malware"
    strings:
        $str1 = "Binary.EoAKtlbmxJOYOsaVKGCVNhNF.dll"
    condition:
        $str1
}
LodaRAT
CLEARFamily: LodaRAT · Tags: rat infostealer cookies
By Sab0x1D · Updated 2025-11-10
// LodaRAT: two indicators, either one sufficient.
// NOTE(review): $str1 is a public website domain with no meta explaining why it
// is an indicator; under "any of them" any file that merely references the
// site will match - confirm the origin or require it together with $ip1.
rule LodaRAT {
meta:
description = "Detects LodaRAT malware"
strings:
$ip1 = "172.111.138.100"
$str1 = "mp3quran.net"
condition:
any of them
}
Lumma Stealer
CLEARFamily: LummaStealer · Tags: infostealer stealer
By Sab0x1D · Updated 2025-11-06
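rule LummaStealer
{
    // Lumma Stealer: C2 domains/URLs, a custom User-Agent, wallet target paths
    // and IP addresses.
    // "any of them" let a lone generic token (".shop/api", "c2sock", a wallet
    // folder name, a User-Agent, an IP) fire the rule. Specific domains and C2
    // URLs still match alone; generic tokens now need two hits.
    // NOTE(review): several $ip* values look like shared CDN / reverse-proxy
    // ranges rather than attacker-owned hosts - confirm before relying on them.
    meta:
        description = "Detects Lumma Stealer malware"
    strings:
        // Specific: sample domains, custom UA product token, C2 URL/host.
        $str1 = "valleydod.fun"
        $str2 = "magaway.fun"
        $str4 = "TeslaBrowser/5.5"
        $str7 = "africathrillthes.pw"
        $c21 = "https://secretionsuitcasenioise.shop/api"
        $c22 = "racedsuitreow.shop"
        // Generic: short tokens, API path suffixes, UA, IPs, wallet folders.
        $str5 = "AutoFillStates"
        $str6 = "c2sock"
        $str8 = ".pw/api"
        $str9 = ".site/api"
        $str10 = ".shop/api"
        $str11 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0"
        $ip1 = "172.67.176.254"
        $ip2 = "188.114.97.7"
        $ip3 = "172.67.136.213"
        $ip4 = "89.23.98.56"
        $ip5 = "91.215.85.210"
        $ip6 = "172.67.171.214"
        $ip7 = "95.164.87.61"
        $ip8 = "104.21.32.39"
        $wallet1 = "Wallets/Electrum"
        $wallet2 = "Wallets/Bitcoin core"
        $wallet3 = "Wallets/Ethereum"
        $wallet4 = "Wallets/Ledger Live"
        $wallet5 = "Wallets/Authy Desktop"
    condition:
        1 of ($str1, $str2, $str4, $str7, $c2*)
        or 2 of ($str5, $str6, $str8, $str9, $str10, $str11, $ip*, $wallet*)
}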
Mispadu
CLEARFamily: Mispadu · Tags: trojan banker infostealer
By Sab0x1D · Updated 2025-11-10
// Mispadu: sample domains, a Portuguese status string and observed IPs.
// NOTE(review): $dom1 and $dom2 are suffixes of shared dynamic-DNS / DNS-lookup
// services and $dom4 is a hosting-provider path, so two of those alone satisfy
// "2 of them"; consider requiring one of $str*, $dom3 or $ip* as well.
rule Mispadu {
meta:
description = "Detects Mispadu malware"
strings:
$str1 = "geradcontsad.pro"
$str2 = "contadcom.pro"
$str3 = "pat2wx"
$str4 = "contou infect"
// Generic service suffixes (see note above).
$dom1 = ".zapto.org"
$dom2 = ".viewdns.net"
$dom3 = "archivodzb.pro"
$dom4 = "host.secureserver.net/g1/"
$dom5 = "up.ddnsking.com"
$ip1 = "91.92.244.191"
$ip2 = "208.109.188.20"
condition:
2 of them
}
NetSupport Manager
CLEARFamily: NetSupport · Tags: rat remote legitimate-tool
By Sab0x1D · Updated 2025-11-10
// NetSupport Manager: tagged "legitimate-tool" on this page. $str1, $str4 and
// $str6 identify the commercial product itself, so "any of them" also matches
// sanctioned installs; the $c2* indicators are what distinguish abuse.
rule NetSupport {
meta:
description = "Detects NetSupport Manager RAT"
strings:
$str1 = "NetSupport Manager"
// 32 hex characters with no explanation in meta - presumably an MD5 or a
// licence/config value seen in a sample; confirm and document the source.
$str2 = "f36a7294ff7aa92571a3fd7c91282dd5"
$str4 = "geo.netsupportsoftware.com"
$str6 = "client32.exe"
$c21 = "81.19.137.226"
$c22 = "192.236.192.48"
$c23 = "blawx.com/letter.php"
condition:
any of them
}
NjRAT
CLEARFamily: NjRAT · Tags: rat remote keylogger
By Sab0x1D · Updated 2025-11-10
rule NjRAT {
    // NjRAT: C2 host names, drop/config file names, a group tag and IPs.
    // Any single hit matches; note that $str6 ("nj.txt") is short and generic.
    meta:
        description = "Detects NjRAT malware"
    strings:
        // Dynamic-DNS C2 host names.
        $str1 = "njnjnjs.duckdns.org"
        $str2 = "junio2023.duckdns.org"
        $str7 = "dfasdfasdgs.duckdns.org"
        // File names and tags.
        $str3 = "njz.txt"
        $str4 = "mofers"
        $str5 = "NYAN CAT"
        $str6 = "nj.txt"
        // IP addresses.
        $ip1 = "46.246.86.16"
        $ip2 = "154.12.254.215"
    condition:
        1 of them
}
PDQ Connect
CLEARFamily: PDQRAT · Tags: rat rmm remote legitimate-tool
By Sab0x1D · Updated 2025-11-10
// PDQ Connect: tagged "rmm legitimate-tool" on this page. $str1 and $str2 are
// the agent's own names, so "any of them" flags sanctioned installs as well;
// $ip1 is the only indicator that is not part of the product.
rule PDQConnect {
meta:
description = "Detects PDQ RAT"
strings:
$str1 = "PDQConnectAgent"
$str2 = "pdq-connect-agent.exe"
$ip1 = "34.54.45.198"
condition:
any of them
}
PocoRAT
CLEARFamily: PocoRAT · Tags: rat remote infostealer
By Sab0x1D · Updated 2025-11-10
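rule PocoRAT {
    // PocoRAT. $str1 ("Poco") is contained in $str2, and $str2 is the source
    // path of the POCO C++ library (poco-1.12.4) that any binary built against
    // it may embed, so "2 of them" matched every POCO-based program. The IP is
    // the only sample-specific indicator and is now required.
    meta:
        description = "Detects PocoRAT malware"
    strings:
        $str1 = "Poco"
        $str2 = "x:\\poco-1.12.4-all\\foundation\\include\\poco"
        $ip1 = "94.131.119.126"
    condition:
        $ip1 and 1 of ($str*)
}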
RedLine Stealer
CLEARFamily: RedLine · Tags: stealer infostealer
By Sab0x1D · Updated 2025-11-03
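rule RedLine {
    // RedLine Stealer: file-grab filter, Chrome autofill path, WCF markers and
    // C2 IPs. "tempuri.org" and "net.tcp://" are defaults of any .NET WCF
    // client, so the two of them alone satisfied "2 of them"; a match must now
    // include at least one RedLine-specific indicator.
    meta:
        author = "Sab0x1D"
        description = "Detects RedLine Stealer malware"
    strings:
        $str1 = "%userprofile%\\Desktop|*.txt,*.doc*,*key*,*wallet*,*seed*|0"
        $str2 = "Chrome\\User Data\\AutofillStates\\*"
        // Generic WCF defaults; corroborating only.
        $str3 = "tempuri.org"
        $str4 = "net.tcp://"
        $c2_1 = "45.135.232.2"
        $c2_2 = "37.1.203.45"
        $c2_3 = "5.42.64.70"
        $c2_4 = "185.29.9.108"
        $c2_5 = "147.45.45.81"
        $c2_6 = "94.232.249.204"
    condition:
        2 of them and 1 of ($str1, $str2, $c2_*)
}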
Remcos
CLEARFamily: Remcos · Tags: rat keylogger
By Sab0x1D · Updated 2025-11-03
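rule Remcos {
    // Remcos: family name (two casings and a mutex-like variant), C2 IPs and
    // host names. The former $c25 ("bbuseruploads.s3.amazonaws.com") was
    // removed: it appears to be a shared code-hosting download bucket rather
    // than attacker infrastructure, and under "any of them" it matched every
    // file referencing it. Remaining identifiers keep their numbering.
    meta:
        author = "Sab0x1D"
        description = "Detects Remcos malware"
    strings:
        $str1 = "Remcos"
        $str2 = "remcos"
        $str3 = "XWinRemcoso"
        $ip1 = "212.193.30.230"
        $ip2 = "95.214.27.6"
        $ip3 = "213.152.161.181"
        $ip4 = "178.237.33.50"
        $ip5 = "179.15.149.222"
        $c21 = "allonsy.hopto.org"
        $c22 = "181.131.217.242"
        $c24 = "jelelaiyegba.duckdns.org"
        $c26 = "estrillajuju.con-ip.com"
        $c27 = "148.113.165.11"
    condition:
        any of them
}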
Rhadamanthys Stealer
CLEARFamily: Rhadamanthys · Tags: infostealer stealer
By Sab0x1D · Updated 2025-11-06
rule Rhadamanthys {
    // Rhadamanthys Stealer: application/wallet config paths, a file suffix and
    // two IPs; three hits required.
    // NOTE(review): the description calls this a variant of RedLine; the two are
    // generally tracked as separate families - confirm before keeping that text.
    meta:
        author = "Sab0x1D"
        description = "Detects Rhadamanthys Stealer variant of the RedLine malware"
    strings:
        // Config directories the sample targets.
        $str1 = "Notepad++\\plugins\\config"
        $str2 = "atomic_qt\\config"
        $str3 = "Qtum-Electrum\\config"
        $str4 = "Electrum-LTC\\config"
        $str5 = ".gir3n"
        // IP indicators.
        $ip1 = "45.128.234.63"
        $ip2 = "185.172.128.163"
    condition:
        3 of ($*)
}
Snake Keylogger
CLEARFamily: Snake Keylogger · Tags: keylogger infostealer stealer
By Sab0x1D · Updated 2025-11-03
rule SnakeKeylogger {
    // Snake Keylogger: family names, an old-style User-Agent and two IPs; two
    // hits required. $str4 is a generic legacy .NET User-Agent, so it should be
    // read as corroborating rather than specific.
    meta:
        description = "Detects Snake Keylogger malware"
    strings:
        $str1 = "SnakeKeylogger"
        $str3 = "Snake Tracker"
        $str4 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
        $ip1 = "77.81.142.87"
        $ip2 = "51.38.247.67"
    condition:
        2 of ($*)
}
StrRAT
CLEARFamily: StrRAT · Tags: rat java infostealer keylogger plugin-based
By Sab0x1D · Updated 2025-11-10
rule StrRAT {
    // StrRAT: family/author tags, JNA signature, obfuscator name and C2 hosts.
    // $str7 ("strigoi") is a substring of $str5, so $str5 never adds a match
    // beyond $str7; $str5 also looks like two tokens ("jbfrost.live" and
    // "strigoi") run together - presumably a copy artefact, confirm.
    meta:
        description = "Detects StrRAT malware"
    strings:
        $str1 = "STRRAT"
        $str2 = "carLambo"
        $str3 = "RegisterClipboardFormat(Ljava/lang/String;)"
        $str4 = "HBrowserNativeApis"
        $str5 = "jbfrost.livestrigoi"
        $str6 = "Branchlock"
        $str7 = "strigoi"
        // Dynamic-DNS C2 host names.
        $c21 = "lastdopelast.ddns.net"
        $c22 = "mysaviourlives.ddns.net"
    condition:
        1 of them
}
StrRAT -Cyber Raiju
CLEARFamily: StrRAT · Tags: rat java infostealer keylogger plugin-based
By Sab0x1D · Updated 2025-11-10
rule StrRAT_CyberRaiju {
    // STRRat (CyberRaiju rule): three indicator groups - network hosts, host
    // artefacts and RAT module tokens - each gated separately, with a size cap.
    // Short generic words ($host2 "Skype", $rat3 "config") only count within
    // their group, so they cannot fire the rule alone.
    meta:
        description = "Detects components or the presence of STRRat used in eCrime operations"
        author = "@CyberRaiju"
        date = "2022-05-19"
        hash1 = "ec48d708eb393d94b995eb7d0194bded701c456c666c7bb967ced016d9f1eff5"
        hash2 = "0A6D2526077276F4D0141E9B4D94F373CC1AE9D6437A02887BE96A16E2D864CF"
        reference = "https://www.jaiminton.com/reverse-engineering/strrat"
    strings:
        // Network indicators.
        $ntwk1 = "wshsoft.company" fullword ascii
        $ntwk2 = "str-master.pw" fullword ascii
        $ntwk3 = "jbfrost.live" fullword ascii
        $ntwk4 = "ip-api.com" fullword ascii
        $ntwk5 = "strigoi" fullword ascii
        // Host artefacts.
        $host1 = "ntfsmgr" fullword ascii
        $host2 = "Skype" fullword ascii
        $host3 = "lock.file" fullword ascii
        // RAT module tokens.
        $rat1 = "HBrowserNativeApis" fullword ascii
        $rat2 = "carLambo" fullword ascii
        $rat3 = "config" fullword ascii
        $rat4 = "loorqhustq" fullword ascii
    condition:
        filesize < 2000KB
        and (
            2 of ($ntwk*)
            or all of ($host*)
            or 2 of ($rat*)
        )
}
StrRAT -Elastic Security
CLEARFamily: StrRAT · Tags: rat java infostealer keylogger plugin-based
By Sab0x1D · Updated 2025-11-10
rule StrRAT_ElasticSec {
    // STRRAT (Elastic rule): both C2 URL fragments must be present.
    meta:
        author = "Elastic Security"
        id = "a3e48cd2-e65f-40db-ab55-8015ad871dd6"
        fingerprint = "efda9a8bd5f9e227a6696de1b4ea7eb7343b08563cfcbe73fdd75164593bd111"
        creation_date = "2024-03-13"
        modified = "2024-03-21"
        threat_name = "Windows.Trojan.STRRAT"
        reference_sample = "97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9"
    strings:
        // Server-side endpoint paths with their query parameter names.
        $str1 = "strigoi/server/ping.php?lid="
        $str2 = "/strigoi/server/?hwid="
    condition:
        $str1 and $str2
}
XenoRAT
CLEARFamily: XenoRAT · Tags: rat remote
By Sab0x1D · Updated 2025-11-06
rule XenoRAT
{
    // Xeno RAT: client/manager names. $str4 ("xeno rat" nocase) already covers
    // $str1, which is kept for readability; any single hit matches.
    meta:
        description = "Detects Xeno RAT malware"
    strings:
        $str1 = "xeno rat client"
        $str2 = "XenoManager"
        $str3 = "xeno_rat_client"
        $str4 = "xeno rat" nocase
    condition:
        1 of them
}
XWorm
CLEARFamily: XWorm · Tags: rat remote infostealer keylogger c2
By Sab0x1D · Updated 2025-11-10
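rule XWorm {
    // XWorm: family markers, version tag, C2 host names and IPs.
    // The former $dom3 duplicated $dom1 ("xw9402may.duckdns.org") byte for
    // byte and has been removed; remaining identifiers keep their numbering.
    meta:
        description = "Detects the XWorm malware"
    strings:
        // Family markers and version tag.
        $str3 = "XWorm"
        $str7 = "<Xwormmm>"
        $str8 = "XWorm V5.2"
        // Other sample strings; $str9 ("plat.zip") is a generic file name.
        $str5 = "L_optReArmSku"
        $str9 = "plat.zip"
        // Dynamic-DNS C2 host names.
        $str1 = "freshinxworm.ddns.net"
        $str2 = "colmbat82.duckdns.org"
        $str6 = "futurist2.ddns.net"
        $dom1 = "xw9402may.duckdns.org"
        $dom2 = "dcxwq1.duckdns.org"
        $dom4 = "xwrmmone.duckdns.org"
        // IP indicators.
        $ip1 = "154.53.51.233"
        $ip2 = "154.12.233.76"
        $ip3 = "91.207.57.115"
        $ip4 = "157.20.182.172"
    condition:
        any of them
}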