qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/SoftwareBundler/Win32/Fitsnuf/SoftwareBundler_Win32_Fitsn...

17 lines
947 B
Plaintext
Raw Permalink Normal View History

init
2024-02-05 06:12:47 -08:00
rule SoftwareBundler_Win32_Fitsnuf{
meta:
fix condition
2024-07-06 23:13:08 -07:00
description = "SoftwareBundler:Win32/Fitsnuf,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0c 00 07 00 00 "
init
2024-02-05 06:12:47 -08:00
strings :
fix condition
2024-07-06 23:13:08 -07:00
$a_01_0 = {68 74 74 70 3a 2f 2f 75 6e 73 74 69 66 66 2e 70 77 } //10 http://unstiff.pw
$a_01_1 = {57 61 6a 49 45 6e 68 61 6e 63 65 } //1 WajIEnhance
$a_01_2 = {73 6f 63 69 61 6c 32 73 65 61 72 63 68 2e 65 78 65 } //1 social2search.exe
$a_01_3 = {53 4f 46 54 57 41 52 45 5c 79 65 73 73 65 61 72 63 68 65 73 53 6f 66 74 77 61 72 65 } //1 SOFTWARE\yessearchesSoftware
$a_01_4 = {79 65 73 73 65 61 72 63 68 65 73 68 70 } //1 yessearcheshp
$a_01_5 = {5c 73 74 75 62 5f 79 6f 75 6e 64 6f 6f 2e 65 78 65 } //1 \stub_youndoo.exe
$a_01_6 = {53 4f 46 54 57 41 52 45 5c 79 6f 75 6e 64 6f 6f 53 6f 66 74 77 61 72 65 } //1 SOFTWARE\youndooSoftware
init
2024-02-05 06:12:47 -08:00
condition:
fix condition
2024-07-06 23:13:08 -07:00
((#a_01_0 & 1)*10+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1) >=12
init
2024-02-05 06:12:47 -08:00
}