From 460c6fff79aa2ca1b1b73ab412d7e0f819b466a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?conexioninversa=20-=20Pedro=20S=C3=A1nchez=20Cordero?=
Date: Mon, 27 Mar 2023 10:41:17 +0200
Subject: [PATCH 1/6] Create badgerBruteRatel.yar

---
 badgerBruteRatel.yar | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 badgerBruteRatel.yar

diff --git a/badgerBruteRatel.yar b/badgerBruteRatel.yar
new file mode 100644
index 0000000..faa31fe
--- /dev/null
+++ b/badgerBruteRatel.yar
@@ -0,0 +1,19 @@
+rule BruteRatel_badger
+{
+ strings:
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ $code = { B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50}
+ condition:
+ all of them
+}

From 8edc3c3d8dc149d16300e6024dd7125ff0147635 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?conexioninversa=20-=20Pedro=20S=C3=A1nchez=20Cordero?=
Date: Mon, 27 Mar 2023 10:43:02 +0200
Subject: [PATCH 2/6] Create BruteRatel_badger.yar

---
 YARA/BruteRatel_badger.yar | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 YARA/BruteRatel_badger.yar

diff --git a/YARA/BruteRatel_badger.yar b/YARA/BruteRatel_badger.yar
new file mode 100644
index 0000000..faa31fe
--- /dev/null
+++ b/YARA/BruteRatel_badger.yar
@@ -0,0 +1,19 @@
+rule BruteRatel_badger
+{
+ strings:
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ $code = { B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50}
+ condition:
+ all of them
+}

From 5be753c522188686d43726c03687d765b201fb34 Mon Sep 17 00:00:00 2001
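Review bot: The single string in BruteRatel_badger, `$code`, is six repetitions of `B8 00 00 00 00 50` (`mov eax, 0` / `push eax`), a sequence that benign 32-bit code is likely to contain wherever several NULL arguments are pushed before a call, so `all of them` on this pattern alone will probably match clean binaries as well; the hunk gives no sample hash or reference showing the rule was checked against a clean corpus. I would narrow the condition to at least a PE magic check and a size bound, e.g. `uint16(0) == 0x5A4D and filesize < 2MB and $code`, and add a `meta:` section with description, author, date, reference and the hash of the sample the bytes were taken from. The twelve comment lines could be collapsed to one, e.g. `// 6x: mov eax, 0 ; push eax  (B8 00 00 00 00 50)`, and `strings:` / `condition:` should sit at one consistent indentation inside the rule. The same rule text is re-added unchanged as YARA/BruteRatel_badger.yar in patches 2/6 and 4/6, so this note applies to those hunks too.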
From: =?UTF-8?q?conexioninversa=20-=20Pedro=20S=C3=A1nchez=20Cordero?=
Date: Mon, 27 Mar 2023 10:43:39 +0200
Subject: [PATCH 3/6] Delete BruteRatel_badger.yar

---
 YARA/BruteRatel_badger.yar | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 YARA/BruteRatel_badger.yar

diff --git a/YARA/BruteRatel_badger.yar b/YARA/BruteRatel_badger.yar
deleted file mode 100644
index faa31fe..0000000
--- a/YARA/BruteRatel_badger.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule BruteRatel_badger
-{
- strings:
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- $code = { B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50}
- condition:
- all of them
-}

From 9ed70979f1c3417d1f8a37be021e565732110f9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?conexioninversa=20-=20Pedro=20S=C3=A1nchez=20Cordero?=
Date: Mon, 27 Mar 2023 10:44:35 +0200
Subject: [PATCH 4/6] Create BruteRatel_badger.yar

---
 YARA/BruteRatel_badger.yar | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 YARA/BruteRatel_badger.yar

diff --git a/YARA/BruteRatel_badger.yar b/YARA/BruteRatel_badger.yar
new file mode 100644
index 0000000..faa31fe
--- /dev/null
+++ b/YARA/BruteRatel_badger.yar
@@ -0,0 +1,19 @@
+rule BruteRatel_badger
+{
+ strings:
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ //mov eax, 0x00
+ // push eax
+ $code = { B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50}
+ condition:
+ all of them
+}

From bb8ac6350153fcff212615d88e8bbb8fcd1ac783 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?conexioninversa=20-=20Pedro=20S=C3=A1nchez=20Cordero?=
Date: Mon, 27 Mar 2023 10:44:56 +0200
Subject: [PATCH 5/6] Delete badgerBruteRatel.yar

---
 badgerBruteRatel.yar | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 badgerBruteRatel.yar

diff --git a/badgerBruteRatel.yar b/badgerBruteRatel.yar
deleted file mode 100644
index faa31fe..0000000
--- a/badgerBruteRatel.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule BruteRatel_badger
-{
- strings:
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- //mov eax, 0x00
- // push eax
- $code = { B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50}
- condition:
- all of them
-}

From 73b1adc82ebfc00d8202cde11b8670697cf0af17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?conexioninversa=20-=20Pedro=20S=C3=A1nchez=20Cordero?=
Date: Mon, 27 Mar 2023 10:53:11 +0200
Subject: [PATCH 6/6] Create brc4_badger.yar

---
 YARA/brc4_badger.yar | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 YARA/brc4_badger.yar

diff --git a/YARA/brc4_badger.yar b/YARA/brc4_badger.yar
new file mode 100644
index 0000000..ecac1e5
--- /dev/null
+++ b/YARA/brc4_badger.yar
@@ -0,0 +1,10 @@
+rule brc4_badger
+{
+meta:
+ description = "Identifies strings from Brute Ratel v1.1"
+strings:
+ $a = "\"chkin\":"
+ $b = "\"kimche\":"
+condition:
+ $a or $b
+}
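Review bot: brc4_badger fires on a single short match of either `"chkin":` or `"kimche":`, and nothing in the condition constrains file type or size, so it will also hit packet captures, logs, reports or any text that merely quotes these JSON keys; if that scope is intended, state it in `description`, otherwise consider `$a and $b` or prefixing `uint16(0) == 0x5A4D and`, though I cannot tell from the page whether both keys always co-occur in the samples. The `meta:` block carries only `description`; adding `author`, `date`, `reference` and the hash of the sample the keys were taken from would let others assess and maintain the rule. As a point of style, `meta:`, `strings:` and `condition:` sit at column 0 inside the rule while YARA/BruteRatel_badger.yar (patch 4/6) indents its sections, so the two files in the same directory should share one layout.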