Vatet_Loader_Rufus_Backdoor
YARA ID: YARA-2022-0216
Severity: High
Category: malware
Status: Active
Detects backdoored Rufus with Vatet Loader of Defray777
Rule file: Vatet_Loader_Rufus_Backdoor.yar (valid syntax)
rule Vatet_Loader_Rufus_Backdoor : defray777
{
    meta:
        author = "Thomas Barabosch, Deutsche Telekom Security"
        twitter = "https://twitter.com/DTCERT"
        date = "2022-03-18"
        description = "Detects backdoored Rufus with Vatet Loader of Defray777"
        reference1 = "https://github.com/pbatard/rufus"
        reference2 = "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777"
        sharing = "TLP:WHITE"
        hash_1 = "c9c1caae50459896a15dce30eaca91e49e875207054d98e32e16a3e203446569"
        hash_2 = "0cb8fc89541969304f3bf806e938452b36348bdd0280fc8f4e9221993e745334"
        in_memory = "False"

    strings:
        /*
        0x4d0714 660FF8C1 psubb xmm0, xmm1
        0x4d0718 660FEFC2 pxor xmm0, xmm2
        0x4d071c 660FF8C1 psubb xmm0, xmm1
        */
        $payload_decryption = { 66 0F F8 C1 66 0F EF C2 66 0F F8 C1 }
        $mz = "MZ" ascii
        $rufus = "https://rufus.ie/" ascii

    condition:
        $mz at 0
        and $payload_decryption
        and $rufus
}
Rule Metadata
author: Thomas Barabosch, Deutsche Telekom Security
twitter: https://twitter.com/DTCERT
date: 2022-03-18
description: Detects backdoored Rufus with Vatet Loader of Defray777
reference1: https://github.com/pbatard/rufus
reference2: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777
sharing: TLP:WHITE
hash_1: c9c1caae50459896a15dce30eaca91e49e875207054d98e32e16a3e203446569
hash_2: 0cb8fc89541969304f3bf806e938452b36348bdd0280fc8f4e9221993e745334
in_memory: False
Tags
defray777
String Definitions
$payload_decryption = { 66 0F F8 C1 66 0F EF C2 66 0F F8 C1 }
$mz = "MZ" ascii
$rufus = "https://rufus.ie/" ascii
Threat Analysis
The rule fingerprints a Rufus build that has been trojanised with the Vatet loader, the loader used to stage the Defray777 ransomware (see reference2). All three conditions must hold: the DOS header "MZ" at file offset 0, the 12-byte SSE2 sequence psubb xmm0, xmm1 / pxor xmm0, xmm2 / psubb xmm0, xmm1 from the loader's payload-decryption stub, and the legitimate "https://rufus.ie/" string carried over from the host application. A clean Rufus binary contains the URL but not the stub, and the stub on its own is a short, generic instruction sequence, so the rule ties it to a Rufus-branded PE rather than matching the 12 bytes alone.
Severity Level: High
Detection Capabilities
- File-based detection of PE executables on disk; the `$mz at 0` anchor assumes the DOS header sits at offset 0 of the scanned object
- Not intended for process-memory scanning: the meta field in_memory is "False", and in a process scan the MZ header lies at the image base rather than at offset 0, so the condition does not hold
- No network traffic analysis: YARA scans files and memory, not packets
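To show concretely what the three conditions look at, and what the fingerprinted instruction sequence does to data, here is an added Python example; it is not part of the rule, the page, or the Deutsche Telekom Security analysis. The sample buffers are constructed stand-ins for PE files (not real executables), and the key values k1 and k2, standing for the contents of xmm1 and xmm2, are assumptions, since the real keys are not on the page.

```python
# Added example (not the rule's or the page's own code). Emulates the
# Vatet_Loader_Rufus_Backdoor condition on constructed byte buffers and
# models the byte-wise transform performed by the fingerprinted SSE2 stub.
# Sample buffers, layouts and key values below are all assumptions.

# The 12-byte hex string from the rule:
#   66 0F F8 C1  psubb xmm0, xmm1
#   66 0F EF C2  pxor  xmm0, xmm2
#   66 0F F8 C1  psubb xmm0, xmm1
PAYLOAD_DECRYPTION = bytes.fromhex("660FF8C1660FEFC2660FF8C1")
RUFUS_URL = b"https://rufus.ie/"


def rule_matches(data: bytes) -> bool:
    """Same logic as the YARA condition: $mz at 0 and $payload_decryption and $rufus."""
    return (
        data[:2] == b"MZ"               # $mz at 0: DOS header at offset 0 of the scanned object
        and PAYLOAD_DECRYPTION in data  # decryption stub anywhere in the file
        and RUFUS_URL in data           # legitimate Rufus URL carried over from the host app
    )


def vatet_decrypt_block(block: bytes, k1: bytes, k2: bytes) -> bytes:
    """Model of the stub on one 16-byte lane: ((x - k1) ^ k2) - k1 per byte.

    psubb and pxor work on packed bytes with wrap-around, so every byte is
    independent of its neighbours. k1/k2 stand for xmm1/xmm2 (assumed 16-byte keys).
    """
    assert len(block) == 16 and len(k1) == 16 and len(k2) == 16
    out = bytearray()
    for x, a, b in zip(block, k1, k2):
        y = (x - a) & 0xFF  # psubb xmm0, xmm1
        y ^= b              # pxor  xmm0, xmm2
        y = (y - a) & 0xFF  # psubb xmm0, xmm1
        out.append(y)
    return bytes(out)


def vatet_decrypt(buf: bytes, k1: bytes, k2: bytes) -> bytes:
    """Apply the lane transform across a buffer whose length is a multiple of 16."""
    assert len(buf) % 16 == 0
    return b"".join(vatet_decrypt_block(buf[i:i + 16], k1, k2) for i in range(0, len(buf), 16))


def vatet_encrypt(buf: bytes, k1: bytes, k2: bytes) -> bytes:
    """Inverse of vatet_decrypt: ((y + k1) ^ k2) + k1 per byte (what a packer would apply)."""
    out = bytearray()
    for i, y in enumerate(buf):
        a, b = k1[i % 16], k2[i % 16]
        x = (y + a) & 0xFF
        x ^= b
        x = (x + a) & 0xFF
        out.append(x)
    return bytes(out)


def build_sample(stub: bool, mz_at_zero: bool = True) -> bytes:
    """Constructed stand-in for a PE: only the bytes the rule inspects, not a real executable."""
    head = b"MZ" + b"\x90" * 62 if mz_at_zero else b"\x00" * 64 + b"MZ"
    body = b"\x00" * 32 + RUFUS_URL + b"\x00" * 32
    return head + (PAYLOAD_DECRYPTION if stub else b"") + body


def demo():
    """Backdoored build, clean Rufus, and an image not starting at offset 0 (as in a process scan)."""
    backdoored = build_sample(stub=True)
    clean_rufus = build_sample(stub=False)
    relocated_image = build_sample(stub=True, mz_at_zero=False)
    return rule_matches(backdoored), rule_matches(clean_rufus), rule_matches(relocated_image)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
    k1, k2 = bytes(range(16)), bytes([0xA5] * 16)  # assumed keys for the round-trip check
    plaintext = bytes(range(32))
    assert vatet_decrypt(vatet_encrypt(plaintext, k1, k2), k1, k2) == plaintext
```

The third sample in demo() is why in_memory is "False": the same bytes that match on disk stop matching once the MZ header is no longer at offset 0 of the scanned object. The decrypt/encrypt pair only models the three instructions the rule fingerprints; the loader's loop around them, and the keys it loads into xmm1/xmm2, are not on the page.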
Command Line Usage
# Scan a single file
yara Vatet_Loader_Rufus_Backdoor.yar /path/to/suspicious/file
# Scan a directory recursively
yara -r Vatet_Loader_Rufus_Backdoor.yar /path/to/directory/
# Print the rule's metadata alongside each match
yara -m Vatet_Loader_Rufus_Backdoor.yar target_file
# Scan the on-disk image of a running process (Linux). /proc/<pid>/exe is the
# executable file, not process memory, so the $mz at 0 anchor still applies here.
yara Vatet_Loader_Rufus_Backdoor.yar /proc/<pid>/exe
Integration Examples
Python (yara-python)
import yara
rules = yara.compile(filepath='Vatet_Loader_Rufus_Backdoor.yar')  # compile once, reuse across scans
matches = rules.match('/path/to/file')  # list of yara.Match objects; empty when nothing matched
for m in matches:
    print(m.rule, m.meta['hash_1'], m.strings)  # rule name, meta dict, matched string locations
ClamAV Integration
ClamAV loads YARA rules through its database option (there is no --yara-rules flag):
clamscan -d Vatet_Loader_Rufus_Backdoor.yar /path/to/scan
ClamAV implements only a subset of the YARA language, so check clamscan's output for load warnings about this rule before relying on it in that engine.
Rule Information
YARA ID: YARA-2022-0216
Repository: not listed
Created: August 19, 2025
Last Updated: August 19, 2025
Last Imported: Never
Threat Intelligence
Risk Level: High
Category: malware
Detection Confidence: Analysis Pending
False Positive Rate: Not Available
Last Seen in Wild: No Data
Similar Rules in malware
YARA-2025-0078 (MED) T5000Strings: No description
YARA-2025-0079 (MED) IMulerCode: IMuler code tricks
YARA-2025-0080 (MED) RooterCode: Rooter code features
YARA-2025-0081 (MED) cxpidCode: cxpid code features
YARA-2025-0082 (MED) BangatCode: Bangat code features
YARA-2025-0083 (MED) LuckyCatCode: LuckyCat code tricks
YARA-2025-0084 (MED) HTMLVariant: Identifier for html variant of FAKEM
YARA-2025-0085 (MED) dubseven_file_set: No description