DefenderYara/TrojanSpy/BAT/Banker/TrojanSpy_BAT_Banker_M.yar


rule TrojanSpy_BAT_Banker_M{
	meta:
		description = "TrojanSpy:BAT/Banker.M,SIGNATURE_TYPE_PEHSTR_EXT,06 00 04 00 07 00 00 01 00 "
		
	strings :
		$a_01_0 = {5f 46 69 6c 65 5a 69 6c 6c 61 52 65 74 00 } //01 00 
		$a_01_1 = {5f 70 61 73 73 00 } //01 00 
		$a_01_2 = {64 65 63 72 69 70 74 00 } //01 00 
		$a_01_3 = {5f 70 61 73 74 61 5f 72 6f 61 6d 69 6e 67 00 } //01 00 
		$a_01_4 = {65 6e 64 65 72 65 63 6f 00 } //01 00 
		$a_00_5 = {67 00 30 00 6c 00 70 00 33 00 6c 00 30 00 34 00 72 00 64 00 33 00 } //01 00 
		$a_03_6 = {40 00 6e 00 6f 00 6d 00 65 00 70 00 63 00 90 02 06 40 00 4c 00 6f 00 67 00 69 00 6e 00 90 00 } //00 00 
	condition:
		any of ($a_*)
 
}
init 2024-02-05 06:12:47 -08:00
			`rule TrojanSpy_BAT_Banker_M{`
			`meta:`
			`description = "TrojanSpy:BAT/Banker.M,SIGNATURE_TYPE_PEHSTR_EXT,06 00 04 00 07 00 00 01 00 "`

			`strings :`
			`$a_01_0 = {5f 46 69 6c 65 5a 69 6c 6c 61 52 65 74 00 } //01 00`
			`$a_01_1 = {5f 70 61 73 73 00 } //01 00`
			`$a_01_2 = {64 65 63 72 69 70 74 00 } //01 00`
			`$a_01_3 = {5f 70 61 73 74 61 5f 72 6f 61 6d 69 6e 67 00 } //01 00`
			`$a_01_4 = {65 6e 64 65 72 65 63 6f 00 } //01 00`
			`$a_00_5 = {67 00 30 00 6c 00 70 00 33 00 6c 00 30 00 34 00 72 00 64 00 33 00 } //01 00`
			`$a_03_6 = {40 00 6e 00 6f 00 6d 00 65 00 70 00 63 00 90 02 06 40 00 4c 00 6f 00 67 00 69 00 6e 00 90 00 } //00 00`
			`condition:`
			`any of ($a_*)`

			`}`