DefenderYara/Backdoor/Win32/Phdet/Backdoor_Win32_Phdet_T.yar


rule Backdoor_Win32_Phdet_T{
	meta:
		description = "Backdoor:Win32/Phdet.T,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 04 00 00 "
		
	strings :
		$a_03_0 = {3d b7 00 00 00 0f 84 ?? ?? ?? ?? e8 ?? ?? ?? ?? 89 85 ?? ?? ff ff 81 bd ?? ?? ff ff 28 0a 00 00 74 ?? 81 bd ?? ?? ff ff ce 0e 00 00 74 } //1
		$a_00_1 = {68 6f 45 59 4e 6a 01 e8 } //1
		$a_00_2 = {2d 6e 20 33 20 20 26 20 6d 6f 76 65 20 22 25 73 22 20 22 25 73 22 20 26 } //1 -n 3  & move "%s" "%s" &
		$a_03_3 = {83 78 04 04 74 ?? 81 bd ?? ?? ff ff 70 17 00 00 0f 82 ?? ?? ?? ?? 8b 85 ?? ?? ff ff 83 78 04 03 } //1
	condition:
		((#a_03_0  & 1)*1+(#a_00_1  & 1)*1+(#a_00_2  & 1)*1+(#a_03_3  & 1)*1) >=3
 
}
init 2024-02-05 06:12:47 -08:00
			`rule Backdoor_Win32_Phdet_T{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "Backdoor:Win32/Phdet.T,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 04 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
update like regex pattern strings 2024-07-09 05:28:14 -07:00			`$a_03_0 = {3d b7 00 00 00 0f 84 ?? ?? ?? ?? e8 ?? ?? ?? ?? 89 85 ?? ?? ff ff 81 bd ?? ?? ff ff 28 0a 00 00 74 ?? 81 bd ?? ?? ff ff ce 0e 00 00 74 } //1`
fix condition 2024-07-06 23:13:08 -07:00			`$a_00_1 = {68 6f 45 59 4e 6a 01 e8 } //1`
			`$a_00_2 = {2d 6e 20 33 20 20 26 20 6d 6f 76 65 20 22 25 73 22 20 22 25 73 22 20 26 } //1 -n 3 & move "%s" "%s" &`
update like regex pattern strings 2024-07-09 05:28:14 -07:00			`$a_03_3 = {83 78 04 04 74 ?? 81 bd ?? ?? ff ff 70 17 00 00 0f 82 ?? ?? ?? ?? 8b 85 ?? ?? ff ff 83 78 04 03 } //1`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_03_0 & 1)1+(#a_00_1 & 1)1+(#a_00_2 & 1)1+(#a_03_3 & 1)1) >=3`
init 2024-02-05 06:12:47 -08:00
			`}`