
Updates RAT King Parser to commit b85abe5 #2302

Status: Open. Wants to merge 4 commits into base branch master.
Conversation

jeFF0Falltrades

Hi CAPE Team!

This PR brings the CAPEv2 implementation of RAT King Parser (ported over by @doomedraven - thank you again 💖) to the latest commit of the RAT King Parser.

The updates included introduce a few key changes to the parser that improved its reliability across a large sample set of AsyncRAT/DcRAT/VenomRAT/QuasarRAT/XenoRAT/XWorm samples, particularly among obfuscated samples.

I also swapped out the existing AsyncRAT and XWorm parsers in CAPEv2 with the RAT King Parser, as I believe RKP will be more robust than the existing configuration parsers, since it is designed not to rely on specific config field names (as these are often obfuscated or changed by malware authors); however, if you would prefer to keep those existing parsers, please feel free to revert my changes.

I tried to keep the changes minimal and align them with the CAPEv2 style guide, but would appreciate someone checking the format and testing the configuration parsers within CAPE as I do not have a local instance stood up yet to test on.

Lastly, I am using a specific set of YARA rules in the non-ported version of RAT King Parser to detect payloads that can be extracted with RKP; you can find those in the RKP repository, or in my YARA signature repo, if they are needed for testing, and the following samples (found in the RKP README) can also be downloaded and used for testing:

Please let me know if there are any questions or edits to be made, and thank you for your continued contributions to the community!

@doomedraven
Collaborator

Hello, oh nice, thank you for the update. I will try to review it in a few days and add tests.

@jeFF0Falltrades
Author

@doomedraven: Thank you again so much for the time you spent reviewing, as well as the samples you sent over.

I had been planning a refactor of RKP for a while now, and after seeing your comments in private chat, I decided that now was as good a time as any, and spent the last few weeks refactoring RKP into what is now v3.0.0.

I've now updated this PR with that new code, and whenever you have the time, I'd love to know if this passes with the samples that were giving you trouble before (and hopefully it hasn't broken anything new 😄).

Please let me know if you run into any issues or see anything out of sorts.

Thanks as always to you and the team!

@kevoreilly
Owner

Right, I've begun reviewing this, and have ended up having to create a PR to make some changes. This seems over-complicated when my changes were so trivial, but I couldn't work out a better way.

I have also pushed some corresponding updates to the YARA sigs in the community repo (although I'm considering moving these to the main repo, as I think if the main repo has a parser for a family, the YARA should be there too).
