qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/TrojanDownloader/O97M/Donoff/TrojanDownloader_O97M_Donof...

15 lines
1.0 KiB
Plaintext
Raw Permalink Normal View History

init
2024-02-05 06:12:47 -08:00
rule TrojanDownloader_O97M_Donoff_AV{
meta:
fix condition
2024-07-06 23:13:08 -07:00
description = "TrojanDownloader:O97M/Donoff.AV,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 "
init
2024-02-05 06:12:47 -08:00
strings :
update like regex pattern strings
2024-07-09 05:28:14 -07:00
$a_03_0 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 52 65 70 6c 61 63 65 28 22 [0-40] 22 2c 20 22 [0-05] 22 2c 20 22 22 29 29 } //1
$a_03_1 = {2e 45 6e 76 69 72 6f 6e 6d 65 6e 74 28 52 65 70 6c 61 63 65 28 22 [0-40] 22 2c 20 22 [0-05] 22 2c 20 22 22 29 29 } //1
$a_03_2 = {43 61 6c 6c 42 79 4e 61 6d 65 20 [0-10] 2c 20 52 65 70 6c 61 63 65 28 22 [0-40] 22 2c 20 22 [0-05] 22 2c 20 22 22 29 2c 20 56 62 4d 65 74 68 6f 64 2c 20 [0-10] 2c 20 32 } //1
$a_03_3 = {69 6e 74 53 74 61 74 75 73 20 3d 20 69 6e 74 53 74 61 74 75 73 20 26 20 43 68 72 28 50 72 6f 70 4d 67 72 28 69 29 20 2d 20 [0-04] 20 2a 20 44 65 6c 65 74 65 32 20 2d 20 [0-04] 20 2d 20 [0-04] 20 2d 20 [0-04] 29 } //1
$a_03_4 = {52 65 70 6c 61 63 65 28 22 5c [0-10] 2e 74 78 74 22 2c 20 22 74 22 2c 20 22 65 22 29 } //1
init
2024-02-05 06:12:47 -08:00
condition:
fix condition
2024-07-06 23:13:08 -07:00
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1) >=5
init
2024-02-05 06:12:47 -08:00
}