Each builder was used to generate a unique binary sample. I then:
- Wrote one variant-specific YARA rule per builder output
- Extracted PE metadata (sections, timestamps, entropy, IAT)
- Captured static capability signatures with CAPA
- Logged obfuscation artifacts via Detect It Easy (DIE)
- Committed everything granularly (1.1k commits) for traceability
The focus is not generic detection — it’s forensic fingerprinting of distinct builder families.

All samples were sandbox-generated (not recycled from VT or hybrid analysis). For ethical reasons, I do not share raw binaries, but I do provide structural hashes and extracted metadata.
The repo includes full documentation, including my QEMU workflow, rule methodology, and internal hash policy.
Repo link: https://github.com/GokbakarE/RuleSetRAT
I’m currently 15. Feedback from RE researchers and signature writers is welcome — especially if you’ve dealt with old tooling or variant detection in the wild.
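As an added example (not code from the RuleSetRAT repo), here is a stand-alone version of the PE-metadata step described above: it parses the COFF header and section table of a constructed in-memory PE, computes per-section Shannon entropy, and derives a layout-only structural hash so that two builder outputs with different payload bytes but the same section layout and timestamp hash identically. The field selection in `structural_hash` and the sample images are my assumptions, not the repo's hash policy or data.

```python
import hashlib, math, struct
from collections import Counter

COFF_HDR = struct.Struct("<HHIIIHH")          # 20-byte IMAGE_FILE_HEADER
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # 40-byte IMAGE_SECTION_HEADER

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly spread bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(blob: bytes) -> dict:
    """Return machine, COFF TimeDateStamp and per-section name/size/flags/entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]                    # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = COFF_HDR.unpack_from(blob, pe_off + 4)
    sec_off = pe_off + 4 + COFF_HDR.size + opt_size                     # table follows optional header
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, rawptr, *_, chars = SECTION_HDR.unpack_from(blob, sec_off + i * SECTION_HDR.size)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize, "rawsize": rawsize,
                         "chars": chars, "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": machine, "timestamp": stamp, "sections": sections}

def structural_hash(meta: dict) -> str:
    """Layout-only fingerprint (assumed scheme, not the repo's policy): hashes machine, timestamp and
    each section's name/raw size/characteristics, never the payload bytes."""
    canon = f"{meta['machine']:04x}|{meta['timestamp']:08x}|" + ";".join(
        f"{s['name']}:{s['rawsize']:x}:{s['chars']:08x}" for s in meta["sections"])
    return hashlib.sha256(canon.encode()).hexdigest()

def build_sample_pe(sections: list, stamp: int) -> bytes:
    """Constructed minimal PE32 image (headers + raw sections, not loadable) used as demo input."""
    ptr = 0x40 + 4 + COFF_HDR.size + SECTION_HDR.size * len(sections)   # first raw section offset
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    coff = COFF_HDR.pack(0x14C, len(sections), stamp, 0, 0, 0, 0x102)  # i386, no optional header
    table, bodies = b"", b""
    for name, body, chars in sections:
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(body), 0x1000, len(body), ptr, 0, 0, 0, 0, chars)
        bodies, ptr = bodies + body, ptr + len(body)
    return dos + b"PE\0\0" + coff + table + bodies

# Constructed section bodies: a NOP-sled-like plain section and a packed-looking high-entropy one
PLAIN = b"\x90" * 200 + b"\xC3" * 56
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))   # 256 pseudo-random bytes
# Two "builds" with the same layout and timestamp but different payload bytes -> same structural hash
SAMPLE_A = build_sample_pe([(b".text", PLAIN, 0x60000020), (b".upx1", PACKED, 0xE0000040)], 0x5EF00000)
SAMPLE_B = build_sample_pe([(b".text", PLAIN[::-1], 0x60000020), (b".upx1", PACKED[::-1], 0xE0000040)], 0x5EF00000)
```

Calling `parse_pe(SAMPLE_A)` shows the `.text` section near 0.76 bits/byte and `.upx1` above 7, and `structural_hash` returns the same digest for both samples because only the layout is hashed.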