DefenderYara/TrojanSpy/Win32/Ursnif/TrojanSpy_Win32_Ursnif_HM.yar

// TrojanSpy:Win32/Ursnif.HM — converted from a Microsoft Defender signature
// (SIGNATURE_TYPE_PEHSTR_EXT, per the description meta). The "04 00 04 00 05 00 ..."
// bytes in the description and the trailing "//01 00" / "//00 00" comments on each
// string look like counters, per-string weights and a match threshold carried over
// from the source format — TODO confirm; the condition below is a plain "any of".
rule TrojanSpy_Win32_Ursnif_HM{
meta:
description = "TrojanSpy:Win32/Ursnif.HM,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 01 00 "
strings :
// NOTE(review): the "90 01 01" bytes and the trailing "90 00" look like wildcard /
// end-of-pattern markers from the source signature encoding rather than literal
// x86 bytes; if so, this pattern cannot match real code as written — verify how
// the converter is expected to render them before relying on this string.
$a_03_0 = {8b 11 48 3b 55 90 01 01 75 08 8b 51 04 3b 55 90 01 01 74 15 83 c1 28 85 c0 75 e9 c7 45 90 01 01 77 17 00 00 90 00 } //01 00
// UTF-16LE: /%s?user=%08x%08x%08x%08x&id=%u&ver=%u&os=%lu&os2=%lu&host=%u&k=%lu&type=%u
// (a URL query format string; the most specific indicator in this rule)
$a_01_1 = {2f 00 25 00 73 00 3f 00 75 00 73 00 65 00 72 00 3d 00 25 00 30 00 38 00 78 00 25 00 30 00 38 00 78 00 25 00 30 00 38 00 78 00 25 00 30 00 38 00 78 00 26 00 69 00 64 00 3d 00 25 00 75 00 26 00 76 00 65 00 72 00 3d 00 25 00 75 00 26 00 6f 00 73 00 3d 00 25 00 6c 00 75 00 26 00 6f 00 73 00 32 00 3d 00 25 00 6c 00 75 00 26 00 68 00 6f 00 73 00 74 00 3d 00 25 00 75 00 26 00 6b 00 3d 00 25 00 6c 00 75 00 26 00 74 00 79 00 70 00 65 00 3d 00 25 00 75 00 } //01 00
// UTF-16LE: c_1252.nls
$a_01_2 = {63 00 5f 00 31 00 32 00 35 00 32 00 2e 00 6e 00 6c 00 73 00 } //01 00
// UTF-16LE: cmd /C "net.exe view > %s"
$a_01_3 = {63 00 6d 00 64 00 20 00 2f 00 43 00 20 00 22 00 6e 00 65 00 74 00 2e 00 65 00 78 00 65 00 20 00 76 00 69 00 65 00 77 00 20 00 3e 00 20 00 25 00 73 00 22 00 } //01 00
// UTF-16LE: cmd /C "ipconfig -all > %s"
$a_01_4 = {63 00 6d 00 64 00 20 00 2f 00 43 00 20 00 22 00 69 00 70 00 63 00 6f 00 6e 00 66 00 69 00 67 00 20 00 2d 00 61 00 6c 00 6c 00 20 00 3e 00 20 00 25 00 73 00 22 00 } //00 00
condition:
// A single string hit is enough. The decoded "cmd /C ..." lines and "c_1252.nls"
// are short, generic literals that may also appear in benign tooling; if false
// positives are observed, consider requiring $a_01_1 or more than one string.
any of ($a_*)
}
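// TrojanSpy:Win32/Ursnif.HM (second signature) — converted from a Microsoft Defender
// signature (SIGNATURE_TYPE_PEHSTR_EXT, per the description meta). The
// "04 00 04 00 06 00 ..." bytes and the trailing "//01 00" / "//00 00" comments look
// like counters, per-string weights and a match threshold from the source format —
// TODO confirm; the condition below is a plain "any of".
rule TrojanSpy_Win32_Ursnif_HM_2{
meta:
description = "TrojanSpy:Win32/Ursnif.HM,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 06 00 00 01 00 "
strings :
// NOTE(review): "90 90 09 ab" and the trailing "90 00" may be wildcard / end-of-pattern
// markers from the source encoding rather than literal bytes — verify before relying
// on this string.
$a_03_0 = {41 3b c8 7c f7 81 f6 ba 90 90 09 ab 89 35 90 00 } //01 00
$a_01_1 = {57 35 c0 ba e0 12 8d 7d fc 89 45 fc e8 } //01 00
// UTF-16LE: user=%08x%08x%08x%08x&id=%u&ver=%u&os=%lu&os2=%lu&host=%u&k=%lu&type=%u
// (URL query format string; the most specific indicator in this rule)
$a_01_2 = {75 00 73 00 65 00 72 00 3d 00 25 00 30 00 38 00 78 00 25 00 30 00 38 00 78 00 25 00 30 00 38 00 78 00 25 00 30 00 38 00 78 00 26 00 69 00 64 00 3d 00 25 00 75 00 26 00 76 00 65 00 72 00 3d 00 25 00 75 00 26 00 6f 00 73 00 3d 00 25 00 6c 00 75 00 26 00 6f 00 73 00 32 00 3d 00 25 00 6c 00 75 00 26 00 68 00 6f 00 73 00 74 00 3d 00 25 00 75 00 26 00 6b 00 3d 00 25 00 6c 00 75 00 26 00 74 00 79 00 70 00 65 00 3d 00 25 00 75 00 } //01 00
// UTF-16LE: cmd /C "ipconfig -all > %s"
$a_01_3 = {63 00 6d 00 64 00 20 00 2f 00 43 00 20 00 22 00 69 00 70 00 63 00 6f 00 6e 00 66 00 69 00 67 00 20 00 2d 00 61 00 6c 00 6c 00 20 00 3e 00 20 00 25 00 73 00 22 00 } //01 00
// UTF-16LE fragments "\Run", "Register" and rundll32 "%s",%s, separated by
// "90 02 08" sequences. NOTE(review): those separators (and the trailing "90 00")
// look like variable-length wildcard markers from the source encoding; if so the
// pattern will not match as literal bytes — confirm the intended rendering.
$a_03_4 = {5c 00 52 00 75 00 6e 00 00 90 02 08 52 00 65 00 67 00 69 00 73 00 74 00 65 00 72 00 00 90 02 08 00 72 00 75 00 6e 00 64 00 6c 00 6c 00 33 00 32 00 20 00 22 00 25 00 73 00 22 00 2c 00 25 00 73 00 90 00 } //01 00
// UTF-16LE: \c_1252.nls, then a NUL, then CreateProcessNotify
$a_01_5 = {5c 00 63 00 5f 00 31 00 32 00 35 00 32 00 2e 00 6e 00 6c 00 73 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 4e 00 6f 00 74 00 69 00 66 00 79 00 } //00 00
// Removed from the active set: a 3-byte pattern under "any of" matches a large
// share of arbitrary files on its own (false-positive risk). The description's
// third counter is 06 while the first rule's is 05 with exactly five strings, so
// this seventh entry with the odd "//00 8b" tail looks like a conversion artifact
// rather than a real indicator. Kept commented out for traceability.
// $a_00_6 = {5d 04 00 } //00 8b
condition:
// A single string hit is enough; the decoded "cmd /C ..." line and the .nls name
// are generic, so consider requiring $a_01_2 if false positives are observed.
any of ($a_*)
}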