diff --git a/malware/RAT_Kurinium.yar b/malware/RAT_Kurinium.yar
new file mode 100644
index 00000000..9c11061a
--- /dev/null
+++ b/malware/RAT_Kurinium.yar
@@ -0,0 +1,848 @@
+/*
+ * YARA Rules for Kurinium RAT (Discord-based Remote Access Trojan)
+ * Author: MidasRX
+ * Date: 2025
+ *
+ * Kurinium is a Rust-based Discord RAT by Mikasuru
+ * GitHub: https://github.com/Mikasuru/Kurinium
+ *
+ * SHA256: E323C24B669727A7C4494D5BC6AB9A6A542453A303677AFAB3CF4F3CA08B7261
+ * MD5: E4D31DADB754F6AF6A09EDC0E5683662
+ * File Size: ~12MB (Rust binary)
+ */
+
+import "pe"
+import "hash"
+import "math"
+
+// =============================================================================
+// RULE 1: Exact Sample Match (Hash-based)
+// =============================================================================
+rule Kurinium_RAT_Exact_Hash
+{
+ meta:
+ description = "Kurinium RAT - Exact sample match via hash"
+ author = "MidasRX"
+ date = "2025-01"
+ hash_sha256 = "e323c24b669727a7c4494d5bc6ab9a6a542453a303677afab3cf4f3ca08b7261"
+ hash_md5 = "e4d31dadb754f6af6a09edc0e5683662"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 10
+
+ condition:
+ hash.sha256(0, filesize) == "e323c24b669727a7c4494d5bc6ab9a6a542453a303677afab3cf4f3ca08b7261" or
+ hash.md5(0, filesize) == "e4d31dadb754f6af6a09edc0e5683662"
+}
+
+// =============================================================================
+// RULE 2: Kurinium Primary Detection (Brand Strings)
+// =============================================================================
+rule Kurinium_RAT_Primary
+{
+ meta:
+ description = "Kurinium RAT - Primary detection via unique strings"
+ author = "MidasRX"
+ date = "2025-01"
+ reference = "https://github.com/Mikasuru/Kurinium"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 10
+
+ strings:
+ // Unique Kurinium identifiers
+ $brand1 = "Kurinium" ascii wide nocase
+ $brand2 = "Mikasuru" ascii wide
+ $brand3 = "kurinium-bot" ascii wide
+ $brand4 = "Kurinium Bot" ascii wide
+ $brand5 = "https://github.com/Mikasuru/Kurinium" ascii wide
+ $brand6 = "Kurinium is Shutting Down" ascii wide
+
+ // Service installation strings
+ $svc1 = "ServiceName=\"Kurinium\"" ascii wide
+ $svc2 = "ShortSvcName=\"Kurinium\"" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ any of ($brand*) or
+ any of ($svc*)
+ )
+}
+
+// =============================================================================
+// RULE 3: Kurinium Source Paths (Rust Compilation Artifacts)
+// =============================================================================
+rule Kurinium_RAT_Rust_Sources
+{
+ meta:
+ description = "Kurinium RAT - Detection via Rust source path artifacts"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 9
+
+ strings:
+ // Core command paths
+ $src1 = "src\\commands\\core\\run.rs" ascii
+ $src2 = "src\\commands\\core\\exit.rs" ascii
+ $src3 = "src\\commands\\core\\shell.rs" ascii
+ $src4 = "src\\commands\\core\\uninstall.rs" ascii
+
+ // Filesystem command paths
+ $src5 = "src\\commands\\filesystem\\grabcookie.rs" ascii
+ $src6 = "src\\commands\\filesystem\\upload.rs" ascii
+ $src7 = "src\\commands\\filesystem\\download.rs" ascii
+
+ // System command paths
+ $src8 = "src\\commands\\system\\blockinput.rs" ascii
+ $src9 = "src\\commands\\system\\winkill.rs" ascii
+ $src10 = "src\\commands\\system\\screen.rs" ascii
+
+ // Utility command paths
+ $src11 = "src\\commands\\utility\\screenshot.rs" ascii
+ $src12 = "src\\commands\\utility\\webcam.rs" ascii
+ $src13 = "src\\commands\\utility\\jumpscare.rs" ascii
+ $src14 = "src\\commands\\utility\\clipboard.rs" ascii
+
+ // Crypto command paths
+ $src15 = "src\\commands\\crypto\\decrypt.rs" ascii
+ $src16 = "src\\commands\\crypto\\encrypt.rs" ascii
+
+ // Core module paths
+ $core1 = "src\\core\\screenshot.rs" ascii
+ $core2 = "src\\core\\evasion.rs" ascii
+ $core3 = "src\\core\\startup.rs" ascii
+ $core4 = "src\\core\\exit_patcher.rs" ascii
+ $core5 = "src\\core\\wifi_monitor.rs" ascii
+ $core6 = "src\\core\\discord\\channel.rs" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 3 of ($src*) or
+ 2 of ($core*)
+ )
+}
+
+// =============================================================================
+// RULE 4: Kurinium Bot Commands
+// =============================================================================
+rule Kurinium_RAT_Bot_Commands
+{
+ meta:
+ description = "Kurinium RAT - Detection via bot command patterns"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 9
+
+ strings:
+ // Bot command strings (backtick format)
+ $cmd1 = "`.shell" ascii
+ $cmd2 = "`.screenshot" ascii
+ $cmd3 = "`.webcam" ascii
+ $cmd4 = "`.blockinput" ascii
+ $cmd5 = "`.capsflicker" ascii
+ $cmd6 = "`.jumpscare" ascii
+ $cmd7 = "`.winkill" ascii
+ $cmd8 = "`.encrypt" ascii
+ $cmd9 = "`.decrypt" ascii
+ $cmd10 = "`.uninstall" ascii
+ $cmd11 = "`.grabcookie" ascii
+ $cmd12 = "`.playsound" ascii
+ $cmd13 = "`.openurl" ascii
+ $cmd14 = "`.clipboard" ascii
+ $cmd15 = "`.foreground" ascii
+ $cmd16 = "`.process" ascii
+ $cmd17 = "`.visible" ascii
+ $cmd18 = "`.volume" ascii
+ $cmd19 = "`.ipconfig" ascii
+ $cmd20 = "`.unrar" ascii
+ $cmd21 = "`.unzip" ascii
+
+ // Alternative command format
+ $alt1 = ".blockinput" ascii
+ $alt2 = ".capsflicker" ascii
+ $alt3 = ".jumpscare" ascii
+ $alt4 = ".grabcookie" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 5 of ($cmd*) or
+ 3 of ($alt*)
+ )
+}
+
+// =============================================================================
+// RULE 5: Kurinium C2 Infrastructure
+// =============================================================================
+rule Kurinium_RAT_C2_Infrastructure
+{
+ meta:
+ description = "Kurinium RAT - Detection via C2 and infrastructure URLs"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 9
+
+ strings:
+ // Discord API endpoints (C2)
+ $discord1 = "wss://gateway.discord.gg" ascii wide
+ $discord2 = "https://discord.com/api/v10/channels/" ascii wide
+ $discord3 = "https://discord.com/api/v10/gateway" ascii wide
+ $discord4 = "https://discord.com/api/v10/users/" ascii wide
+ $discord5 = "https://discord.com/api/v10/interactions/" ascii wide
+
+ // Asset/payload download URLs
+ $asset1 = "https://github.com/Mikasuru/Arc/raw/refs/heads/main/Assets/Scripts/kurion.rar" ascii wide
+ $asset2 = "https://github.com/Mikasuru/Arc/raw/refs/heads/main/Assets/Scripts/UnRAR.exe" ascii wide
+
+ // File upload services
+ $upload1 = "https://litterbox.catbox.moe/resources/internals/api.php" ascii wide
+ $upload2 = "https://x0.at" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 3 of ($discord*) or
+ any of ($asset*) or
+ any of ($upload*)
+ )
+}
+
+// =============================================================================
+// RULE 6: Kurinium Persistence Mechanism (CMSTP Bypass)
+// =============================================================================
+rule Kurinium_RAT_CMSTP_Bypass
+{
+ meta:
+ description = "Kurinium RAT - CMSTP UAC bypass persistence technique"
+ author = "MidasRX"
+ date = "2025-01"
+ mitre_attack = "T1218.003"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 9
+
+ strings:
+ // CMSTP bypass strings
+ $cmstp1 = "cmstp.exe" ascii wide nocase
+ $cmstp2 = "/auKurinium" ascii wide
+ $cmstp3 = "RunPreSetupCommands" ascii wide
+ $cmstp4 = "RunPreSetupCommandsSection" ascii wide
+ $cmstp5 = "REPLACE_COMMAND_LINE" ascii wide
+ $cmstp6 = "CustomDestination" ascii wide
+ $cmstp7 = "CustInstDestSectionAllUsers" ascii wide
+ $cmstp8 = "DefaultInstall" ascii wide
+ $cmstp9 = "AdvancedINF" ascii wide
+
+ // Task scheduler XML fragments
+ $task1 = "InteractiveToken" ascii wide
+ $task2 = "HighestAvailable" ascii wide
+ $task3 = "LogonTrigger" ascii wide
+ $task4 = "http://schemas.microsoft.com/windows/2004/02/mit/task" ascii wide
+
+ // Schtasks commands
+ $schtask1 = "schtasks/Query/TN" ascii wide
+ $schtask2 = "schtasks" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ (any of ($cmstp*) and 3 of ($task*)) or
+ ($cmstp2) or
+ (5 of ($cmstp*))
+ )
+}
+
+// =============================================================================
+// RULE 7: Kurinium Remote Desktop Detection
+// =============================================================================
+rule Kurinium_RAT_RDP_Detection
+{
+ meta:
+ description = "Kurinium RAT - Remote desktop software detection strings"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 8
+
+ strings:
+ // Remote desktop detection strings
+ $rdp1 = "rdp-tcp" ascii wide
+ $rdp2 = "AnyDesk" ascii wide
+ $rdp3 = "TeamViewer" ascii wide
+ $rdp4 = "RustDesk" ascii wide
+ $rdp5 = "Supremo" ascii wide
+ $rdp6 = "Radmin" ascii wide
+ $rdp7 = "UltraVNC" ascii wide
+ $rdp8 = "TightVNC" ascii wide
+ $rdp9 = "ScreenConnect" ascii wide
+ $rdp10 = "ConnectWise" ascii wide
+ $rdp11 = "Bomgar/BeyondTrust" ascii wide
+ $rdp12 = "Splashtop" ascii wide
+ $rdp13 = "LogMeIn" ascii wide
+ $rdp14 = "RemotePC" ascii wide
+ $rdp15 = "DWService" ascii wide
+ $rdp16 = "NoMachine" ascii wide
+ $rdp17 = "Chrome Remote Desktop" ascii wide
+
+ // VPN/Tunneling detection
+ $vpn1 = "Cloudflare" ascii wide
+ $vpn2 = "Tailscale" ascii wide
+ $vpn3 = "ZeroTier" ascii wide
+ $vpn4 = "Hamachi" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 8 of ($rdp*) or
+ (4 of ($rdp*) and 2 of ($vpn*))
+ )
+}
+
+// =============================================================================
+// RULE 8: Kurinium Windows Evasion Techniques
+// =============================================================================
+rule Kurinium_RAT_Evasion
+{
+ meta:
+ description = "Kurinium RAT - Windows API evasion and anti-analysis"
+ author = "MidasRX"
+ date = "2025-01"
+ mitre_attack = "T1055, T1562"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 9
+
+ strings:
+ // NT API strings for evasion
+ $nt1 = "NtProtectVirtualMemory" ascii wide
+ $nt2 = "NtQueryInformationProcess" ascii wide
+ $nt3 = "NtQuerySystemInformation" ascii wide
+ $nt4 = "NtTerminateProcess" ascii wide
+ $nt5 = "NtOpenProcessToken" ascii wide
+ $nt6 = "NtCreateNamedPipeFile" ascii wide
+
+ // Defender evasion
+ $def1 = "Defender" ascii wide
+ $def2 = "Disabled exclusions" ascii wide
+
+ // Input blocking
+ $block1 = "BlockInput" ascii wide
+ $block2 = "user32.dll" ascii wide
+ $block3 = "Add-Type" ascii wide
+ $block4 = "-MemberDefinition" ascii wide
+
+ // Exit patching
+ $exit1 = "exit_patcher" ascii wide
+ $exit2 = "JmpRel32" ascii wide
+ $exit3 = "JmpIndirect" ascii wide
+ $exit4 = "MovJmpRax" ascii wide
+ $exit5 = "PushRet" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 3 of ($nt*) or
+ all of ($def*) or
+ (2 of ($block*) and any of ($exit*))
+ )
+}
+
+// =============================================================================
+// RULE 9: Kurinium Cookie/Credential Stealer
+// =============================================================================
+rule Kurinium_RAT_Credential_Stealer
+{
+ meta:
+ description = "Kurinium RAT - Cookie grabber and credential stealer"
+ author = "MidasRX"
+ date = "2025-01"
+ mitre_attack = "T1539, T1555"
+ malware_type = "Stealer"
+ malware_family = "Kurinium"
+ threat_level = 9
+
+ strings:
+ // Cookie grabbing
+ $cookie1 = "grabcookie" ascii wide
+ $cookie2 = "ROBLOX SECURITY COOKIES" ascii wide
+ $cookie3 = "Cookies Grabbed" ascii wide
+ $cookie4 = "roblox.txt" ascii wide
+ $cookie5 = "cookies_" ascii wide
+
+ // Cookie formats
+ $format1 = "Format: json or netscape" ascii wide
+ $format2 = "grabcookies" ascii wide
+
+ // Browser paths
+ $path1 = "AppData\\Local" ascii wide
+ $path2 = "LocalLow" ascii wide
+ $path3 = "\\Users\\Public\\AppData" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 2 of ($cookie*) or
+ (any of ($format*) and any of ($path*))
+ )
+}
+
+// =============================================================================
+// RULE 10: Kurinium Screenshot/Webcam Capture
+// =============================================================================
+rule Kurinium_RAT_Surveillance
+{
+ meta:
+ description = "Kurinium RAT - Screenshot and webcam surveillance"
+ author = "MidasRX"
+ date = "2025-01"
+ mitre_attack = "T1113, T1125"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 9
+
+ strings:
+ // Screenshot capability
+ $screen1 = "Screenshot capture failed" ascii wide
+ $screen2 = "Desktop Screenshot" ascii wide
+ $screen3 = "screenshot_.png" ascii wide
+ $screen4 = "GetDIBits" ascii wide
+ $screen5 = "Current Desktop Screenshot" ascii wide
+
+ // Webcam capability
+ $webcam1 = "Webcam capture failed" ascii wide
+ $webcam2 = "webcam.jpg" ascii wide
+ $webcam3 = "Webcam Capture (Index:" ascii wide
+ $webcam4 = "Accessing webcam" ascii wide
+ $webcam5 = "nokhwa" ascii wide
+ $webcam6 = "l1npengtul/nokhwa" ascii wide
+
+ // Video/camera APIs
+ $cam1 = "CameraControl" ascii wide
+ $cam2 = "IAMVideoH" ascii wide
+ $cam3 = "MFStartup" ascii wide
+ $cam4 = "MFCreateSourceReaderFromMed" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 3 of ($screen*) or
+ 3 of ($webcam*) or
+ (2 of ($screen*) and 2 of ($webcam*))
+ )
+}
+
+// =============================================================================
+// RULE 11: Kurinium Crypto/Ransomware Module
+// =============================================================================
+rule Kurinium_RAT_Crypto_Module
+{
+ meta:
+ description = "Kurinium RAT - Encryption/decryption module (potential ransomware)"
+ author = "MidasRX"
+ date = "2025-01"
+ mitre_attack = "T1486"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 9
+
+ strings:
+ // Encryption module
+ $enc1 = "encrypt " ascii wide
+ $enc2 = "decrypt " ascii wide
+ $enc3 = "Decryption failed - wrong password" ascii wide
+ $enc4 = "Some files failed to decrypt" ascii wide
+ $enc5 = "Decrypting..." ascii wide
+
+ // Crypto library strings
+ $crypto1 = "aes-gcm" ascii wide
+ $crypto2 = "Argon2 hashing" ascii wide
+ $crypto3 = "cipher-0.4.4" ascii wide
+ $crypto4 = "ctr-0.9.2" ascii wide
+ $crypto5 = "StreamCipherError" ascii wide
+
+ // AES-related
+ $aes1 = "largeAES" ascii wide
+ $aes2 = "AES encryption" ascii wide
+ $aes3 = "InvalidKeyLength" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 2 of ($enc*) or
+ 3 of ($crypto*) or
+ (any of ($enc*) and any of ($aes*))
+ )
+}
+
+// =============================================================================
+// RULE 12: Kurinium WiFi Monitor
+// =============================================================================
+rule Kurinium_RAT_WiFi_Monitor
+{
+ meta:
+ description = "Kurinium RAT - WiFi connection monitoring"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 7
+
+ strings:
+ $wifi1 = "wifi_monitor" ascii wide
+ $wifi2 = "wi-fi" ascii wide
+ $wifi3 = "connected" ascii wide
+ $wifi4 = "disconnected" ascii wide
+ $wifi5 = "netsh" ascii wide
+ $wifi6 = "interface" ascii wide
+ $wifi7 = "show" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $wifi1 or
+ (4 of ($wifi*))
+ )
+}
+
+// =============================================================================
+// RULE 13: Kurinium Discord Bot Framework (Serenity/Poise)
+// =============================================================================
+rule Kurinium_RAT_Discord_Framework
+{
+ meta:
+ description = "Kurinium RAT - Rust Discord bot framework detection"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 8
+
+ strings:
+ // Serenity Discord library
+ $ser1 = "serenity-0.12" ascii
+ $ser2 = "serenity-rs/serenity" ascii wide
+ $ser3 = "serenity::g" ascii
+
+ // Poise command framework
+ $poise1 = "poise-0.6.1" ascii
+ $poise2 = "poise-0.6.1\\src\\dispatch" ascii
+ $poise3 = "poise-0.6.1\\src\\structs" ascii
+ $poise4 = "framework_options" ascii
+ $poise5 = "framework_error" ascii
+
+ // Discord-specific
+ $disc1 = "DiscordJsonError" ascii wide
+ $disc2 = "Discord API error" ascii wide
+ $disc3 = "x-token" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ any of ($ser*) or
+ 2 of ($poise*) or
+ 2 of ($disc*)
+ )
+}
+
+// =============================================================================
+// RULE 14: Kurinium Rust Tokio Async Runtime
+// =============================================================================
+rule Kurinium_RAT_Rust_Tokio
+{
+ meta:
+ description = "Kurinium RAT - Rust async runtime artifacts (large binary)"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 7
+
+ strings:
+ // Tokio runtime
+ $tok1 = "tokio-1.49.0" ascii
+ $tok2 = "tokio-1.49.0\\src\\fs" ascii
+ $tok3 = "tokio-1.49.0\\src\\signal" ascii
+ $tok4 = "tokio-1.49.0\\src\\process" ascii
+
+ // Reqwest HTTP client
+ $req1 = "reqwest-0.12.28" ascii
+
+ // Other Rust crates
+ $crate1 = "regex-automata-0.4.13" ascii
+ $crate2 = "zip-0.6.6" ascii
+ $crate3 = "bzip2-0.4.4" ascii
+ $crate4 = "zstd-0.11.2" ascii
+ $crate5 = "winreg-0.55.0" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 2 of ($tok*) or
+ (any of ($tok*) and any of ($req*) and any of ($crate*))
+ )
+}
+
+// =============================================================================
+// RULE 15: Kurinium Error Messages
+// =============================================================================
+rule Kurinium_RAT_Error_Strings
+{
+ meta:
+ description = "Kurinium RAT - Unique error message patterns"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 8
+
+ strings:
+ // Unique error patterns
+ $err1 = "DiscordMessageSendFailed" ascii wide
+ $err2 = "UploadFailed" ascii wide
+ $err3 = "DownloadFailed" ascii wide
+ $err4 = "ProcessExecution" ascii wide
+ $err5 = "ProcessNotFound" ascii wide
+ $err6 = "AuthNotInitialized" ascii wide
+ $err7 = "AuthAlreadyInitialized" ascii wide
+ $err8 = "WindowsApi" ascii wide
+ $err9 = "ScreenshotWebcamSystemInfo" ascii wide
+
+ // Connection states
+ $conn1 = "reconnected" ascii wide
+ $conn2 = "Session:" ascii wide
+ $conn3 = "Connections:" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 3 of ($err*) or
+ ($err1 and any of ($conn*))
+ )
+}
+
+// =============================================================================
+// RULE 16: Kurinium System Information Gathering
+// =============================================================================
+rule Kurinium_RAT_System_Info
+{
+ meta:
+ description = "Kurinium RAT - System information gathering"
+ author = "MidasRX"
+ date = "2025-01"
+ mitre_attack = "T1082"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 8
+
+ strings:
+ // System info strings
+ $sys1 = "MachineGuid" ascii wide
+ $sys2 = "Hostname:" ascii wide
+ $sys3 = "Username:" ascii wide
+ $sys4 = "Architecture:" ascii wide
+ $sys5 = "Elevated:" ascii wide
+ $sys6 = "x86_64" ascii wide
+ $sys7 = "DisplayVersion" ascii wide
+ $sys8 = "CurrentBuild" ascii wide
+ $sys9 = "ReleaseId" ascii wide
+
+ // Registry paths
+ $reg1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion" ascii wide
+ $reg2 = "App Paths" ascii wide
+
+ // Combined info pattern
+ $info1 = "Information:" ascii wide
+ $info2 = "unknown-device" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 4 of ($sys*) or
+ (any of ($reg*) and 2 of ($sys*))
+ )
+}
+
+// =============================================================================
+// RULE 17: Generic Discord RAT Behavior
+// =============================================================================
+rule Generic_Discord_RAT_Behavior
+{
+ meta:
+ description = "Generic Discord-based RAT behavior patterns"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ threat_level = 7
+
+ strings:
+ // Discord bot infrastructure
+ $bot1 = "gateway.discord.gg" ascii wide
+ $bot2 = "/api/v10/" ascii wide
+ $bot3 = "Bot " ascii wide // Bot token prefix
+
+ // RAT-like commands combined with Discord
+ $rat1 = "shell" ascii wide
+ $rat2 = "screenshot" ascii wide
+ $rat3 = "webcam" ascii wide
+ $rat4 = "keylog" ascii wide
+ $rat5 = "download" ascii wide
+ $rat6 = "upload" ascii wide
+ $rat7 = "execute" ascii wide
+
+ // File operations
+ $file1 = "Discord" ascii wide
+ $file2 = "<8MB" ascii wide
+ $file3 = "Upload file" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 2 of ($bot*) and
+ 4 of ($rat*) and
+ any of ($file*)
+ )
+}
+
+// =============================================================================
+// RULE 18: Kurinium PE Characteristics
+// =============================================================================
+rule Kurinium_RAT_PE_Characteristics
+{
+ meta:
+ description = "Kurinium RAT - PE file characteristics for Rust binary"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 6
+
+ strings:
+ // Section names
+ $sec1 = ".text" ascii
+ $sec2 = ".rdata" ascii
+ $sec3 = ".data" ascii
+ $sec4 = ".pdata" ascii
+ $sec5 = ".rsrc" ascii
+ $sec6 = ".reloc" ascii
+
+ // Rust/LLVM compilation artifacts
+ $rust1 = "rustc" ascii
+ $rust2 = ".cargo\\registry" ascii
+ $rust3 = "index.crates.io" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ pe.is_64bit() and
+ filesize > 10MB and filesize < 20MB and
+ pe.number_of_sections == 6 and
+ (
+ 4 of ($sec*) and
+ 2 of ($rust*)
+ )
+}
+
+// =============================================================================
+// RULE 19: Kurinium Cryptographic Operations
+// =============================================================================
+rule Kurinium_RAT_Crypto_Operations
+{
+ meta:
+ description = "Kurinium RAT - Cryptographic library artifacts"
+ author = "MidasRX"
+ date = "2025-01"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 7
+
+ strings:
+ // OpenSSL/Crypto artifacts
+ $crypto1 = "CRYPTOGAMS" ascii wide
+ $crypto2 = "appro@openssl.org" ascii wide
+ $crypto3 = "Montgomery Multiplication" ascii wide
+
+ // Algorithm identifiers
+ $algo1 = "universal-hash" ascii
+ $algo2 = "aead-0.5.2" ascii
+ $algo3 = "aes-gcm-0.10.3" ascii
+
+ // Argon2 (password hashing)
+ $argon1 = "AdTooLong" ascii
+ $argon2 = "SaltTooShort" ascii
+ $argon3 = "TimeTooSmall" ascii
+ $argon4 = "ThreadsTooFew" ascii
+ $argon5 = "ThreadsTooMany" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ 2 of ($crypto*) or
+ 2 of ($algo*) or
+ 3 of ($argon*)
+ )
+}
+
+// =============================================================================
+// RULE 20: Kurinium Full Detection (Comprehensive)
+// =============================================================================
+rule Kurinium_RAT_Full_Detection
+{
+ meta:
+ description = "Kurinium RAT - Comprehensive detection combining multiple indicators"
+ author = "MidasRX"
+ date = "2025-01"
+ reference = "https://github.com/Mikasuru/Kurinium"
+ malware_type = "RAT"
+ malware_family = "Kurinium"
+ threat_level = 10
+
+ strings:
+ // Brand/Identity
+ $id1 = "Kurinium" ascii wide nocase
+ $id2 = "Mikasuru" ascii wide
+
+ // Discord C2
+ $c2_1 = "gateway.discord.gg" ascii wide
+ $c2_2 = "discord.com/api" ascii wide
+
+ // Bot commands
+ $cmd1 = "screenshot" ascii wide
+ $cmd2 = "webcam" ascii wide
+ $cmd3 = "shell" ascii wide
+ $cmd4 = "blockinput" ascii wide
+
+ // Persistence
+ $pers1 = "cmstp.exe" ascii wide nocase
+ $pers2 = "schtasks" ascii wide
+
+ // Rust artifacts
+ $rust1 = "serenity" ascii wide
+ $rust2 = "poise" ascii wide
+ $rust3 = "tokio" ascii wide
+
+ // Evasion
+ $eva1 = "NtProtectVirtualMemory" ascii wide
+ $eva2 = "exit_patcher" ascii wide
+
+ condition:
+ uint16(0) == 0x5A4D and
+ pe.is_64bit() and
+ filesize > 5MB and
+ (
+ any of ($id*) or
+ (
+ any of ($c2_*) and
+ 2 of ($cmd*) and
+ any of ($pers*) and
+ 2 of ($rust*)
+ )
+ )
+}
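Review bot: Four rules declare strings that the condition never references — `$schtask1`/`$schtask2` in Kurinium_RAT_CMSTP_Bypass, `$cam1`–`$cam4` in Kurinium_RAT_Surveillance, `$info1`/`$info2` in Kurinium_RAT_System_Info and `$eva1`/`$eva2` in Kurinium_RAT_Full_Detection — and YARA treats an unreferenced string as a compile error, so this file (and every index that includes it) fails to load. Either delete those strings or fold them into the condition, e.g. for the CMSTP rule add `or (any of ($cmstp*) and any of ($schtask*))` and for Full_Detection require `any of ($eva*)` inside the non-brand branch; the `$cam*` and `$info*` groups want the same treatment. Separately, Kurinium_RAT_RDP_Detection, Kurinium_RAT_WiFi_Monitor (`"connected"`, `"interface"`, `"show"`), Kurinium_RAT_Rust_Tokio (any Rust binary built against tokio 1.49.0) and Kurinium_RAT_PE_Characteristics carry no Kurinium-specific anchor yet set `malware_family = "Kurinium"`, so they will mis-attribute unrelated software — gate them on a brand string or drop the family/threat_level claims. Kurinium_RAT_Exact_Hash hashes every file scanned; put the cheap bound first, `filesize > 10MB and filesize < 20MB and (hash.sha256(0, filesize) == "…" or hash.md5(0, filesize) == "…")`, which the header's ~12MB sample supports. `import "math"` is unused and can go.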
diff --git a/malware_index.yar b/malware_index.yar
index 4bf20d61..c6fa32d4 100644
--- a/malware_index.yar
+++ b/malware_index.yar
@@ -387,6 +387,7 @@ include "./malware/RAT_PoisonIvy.yar"
include "./malware/RAT_Ratdecoders.yar"
include "./malware/RAT_Sakula.yar"
include "./malware/RAT_ShadowTech.yar"
+include "./malware/RAT_Kurinium.yar"
include "./malware/RAT_Shim.yar"
include "./malware/RAT_Terminator.yar"
include "./malware/RAT_Xtreme.yar"
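Review bot: The new include is placed between RAT_ShadowTech and RAT_Shim, breaking the alphabetical order the surrounding lines follow; `include "./malware/RAT_Kurinium.yar"` belongs before RAT_PoisonIvy (ahead of this hunk). Keeping the index sorted avoids duplicate includes slipping in on later merges.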