DefenderYara/Backdoor/BAT/Bladabindi/Backdoor_BAT_Bladabindi_B.yar


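rule Backdoor_BAT_Bladabindi_B{
    // Mechanical conversion of a Defender PEHSTR_EXT signature. Each string
    // is a run of short NUL-delimited identifiers (rendered below as \0).
    // No file-type guard is present; the source signature type is PE-scoped,
    // so callers may want to combine this with a PE check at the scan-set level.
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 "
        // NOTE(review): in this file the second and third little-endian words of
        // the header match the rule threshold (04) and string count (05); the
        // meaning of the first word is not confirmed here.
    strings:
        $a_01_0 = {00 57 4c 00 44 4c 56 00 6e 00 } // weight 1: \0WL\0DLV\0n\0
        $a_01_1 = {00 47 65 74 4b 65 79 00 6b 65 79 00 70 72 00 } // weight 1: \0GetKey\0key\0pr\0
        $a_01_2 = {00 66 78 00 62 00 73 70 6c 00 5a 49 50 00 43 4d 00 } // weight 1: \0fx\0b\0spl\0ZIP\0CM\0
        $a_01_3 = {00 53 42 00 53 00 42 53 00 42 00 } // weight 1: \0SB\0S\0BS\0B\0
        $a_01_4 = {00 57 52 4b 00 55 53 42 00 } // weight 1: \0WRK\0USB\0
    condition:
        // The converted form was sum((#s & 1) * weight) >= 4. `#s & 1` is a
        // bitwise AND on the match COUNT, so a string occurring an even number
        // of times contributed 0 and a duplicated string could defeat the rule.
        // Presence is what the weights encode; all weights are 1, so this is
        // "at least 4 of the 5 strings present".
        4 of ($a_01_*)
}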
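rule Backdoor_BAT_Bladabindi_B_2{
    // Converted Defender PEHSTR_EXT signature; NUL-delimited identifier runs
    // (NUL shown as \0 in the comments).
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 03 00 00 "
        // Header words 2 and 3 match threshold (02) and string count (03).
    strings:
        $a_01_0 = {00 44 4c 56 00 6e 00 47 54 56 00 53 54 56 00 74 00 69 6e 66 00 46 52 00 45 4e 42 00 73 00 44 45 42 00 52 4e 00 63 00 53 42 00 53 00 42 53 00 42 00 66 78 00 } // weight 1: \0DLV\0n\0GTV\0STV\0t\0inf\0FR\0ENB\0s\0DEB\0RN\0c\0SB\0S\0BS\0B\0fx\0
        $a_01_1 = {00 70 72 00 53 65 6e 64 00 52 43 00 55 4e 53 00 } // weight 1: \0pr\0Send\0RC\0UNS\0
        $a_01_2 = {00 5a 49 50 00 43 4d 00 43 61 6d 00 41 43 54 00 48 57 44 00 } // weight 1: \0ZIP\0CM\0Cam\0ACT\0HWD\0
    condition:
        // Was sum((#s & 1) * 1) >= 2. `#s & 1` tests match-count parity, not
        // presence, so an even occurrence count contributed nothing. All
        // weights are 1: any 2 of the 3 strings present is the intended test.
        2 of ($a_01_*)
}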
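rule Backdoor_BAT_Bladabindi_B_3{
    // Converted Defender PEHSTR_EXT signature with two weight classes
    // (10 and 1). NUL-delimited identifier runs, NUL shown as \0.
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0c 00 06 00 00 "
        // Header words 2 and 3 match threshold (0x0c = 12) and string count (06).
    strings:
        $a_01_0 = {00 6d 61 69 6e 00 57 4c 00 6b 6c 00 50 6c 75 67 69 6e 00 } // weight 10: \0main\0WL\0kl\0Plugin\0
        $a_01_1 = {00 41 00 77 00 6b 6c 00 55 53 42 00 } // weight 10: \0A\0w\0kl\0USB\0
        $a_01_2 = {00 49 6e 64 00 62 00 53 65 6e 64 00 53 00 52 43 00 55 4e 53 00 } // weight 1: \0Ind\0b\0Send\0S\0RC\0UNS\0
        $a_01_3 = {00 44 4c 56 00 6e 00 47 54 56 00 53 54 56 00 74 00 69 6e 66 00 } // weight 1: \0DLV\0n\0GTV\0STV\0t\0inf\0
        $a_01_4 = {00 42 53 00 42 00 66 78 00 73 70 6c 00 } // weight 1: \0BS\0B\0fx\0spl\0
        $a_01_5 = {00 66 78 00 62 00 73 70 6c 00 5a 49 50 00 43 4d 00 } // weight 1: \0fx\0b\0spl\0ZIP\0CM\0
    condition:
        // Was sum((#s & 1) * weight) >= 12. `#s & 1` is match-count parity,
        // so an even occurrence count was scored as absent. Rewritten as the
        // equivalent presence test: both weight-10 strings (20) suffice, or one
        // weight-10 string plus any 2 weight-1 strings (10 + 2 = 12). The
        // weight-1 strings alone reach at most 4 and can never match.
        all of ($a_01_0, $a_01_1)
        or (1 of ($a_01_0, $a_01_1) and 2 of ($a_01_2, $a_01_3, $a_01_4, $a_01_5))
}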
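rule Backdoor_BAT_Bladabindi_B_4{
    // Converted Defender PEHSTR_EXT signature: one anchor string (weight 100)
    // plus thirteen short NUL-delimited identifiers (weight 1 each).
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,6e 00 6e 00 0e 00 00 "
        // Header words 2 and 3 match threshold (0x6e = 110) and string count (0x0e = 14).
    strings:
        $a_01_0 = {00 53 42 00 42 53 00 66 78 00 } // weight 100: \0SB\0BS\0fx\0
        $a_01_1 = {00 44 4c 56 00 } // weight 1: \0DLV\0
        $a_01_2 = {00 47 54 56 00 } // weight 1: \0GTV\0
        $a_01_3 = {00 53 54 56 00 } // weight 1: \0STV\0
        $a_01_4 = {00 75 73 62 00 } // weight 1: \0usb\0
        $a_01_5 = {00 69 6e 66 00 } // weight 1: \0inf\0
        $a_01_6 = {00 41 43 54 00 } // weight 1: \0ACT\0
        $a_01_7 = {00 49 6e 64 00 } // weight 1: \0Ind\0
        $a_01_8 = {00 43 61 6d 00 } // weight 1: \0Cam\0
        $a_01_9 = {00 49 6e 73 00 } // weight 1: \0Ins\0
        $a_01_10 = {00 55 4e 53 00 } // weight 1: \0UNS\0
        $a_01_11 = {00 53 50 4c 00 } // weight 1: \0SPL\0
        $a_01_12 = {00 48 57 44 00 } // weight 1: \0HWD\0
        $a_01_13 = {00 57 52 4b 00 } // weight 1: \0WRK\0
    condition:
        // Was sum((#s & 1) * weight) >= 110. `#s & 1` is match-count parity:
        // a 4-byte token like \0DLV\0 easily occurs an even number of times in
        // a metadata heap and was then scored as absent. Equivalent presence
        // test: the anchor (100) is mandatory and at least 10 of the 13
        // weight-1 tokens must be present; without the anchor the maximum is 13.
        $a_01_0 and 10 of ($a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5, $a_01_6,
                           $a_01_7, $a_01_8, $a_01_9, $a_01_10, $a_01_11, $a_01_12,
                           $a_01_13)
}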
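rule Backdoor_BAT_Bladabindi_B_5{
    // Converted Defender PEHSTR_EXT signature. Unlike the sibling rules these
    // strings are raw byte patterns rather than text; their meaning is not
    // documented in this file and is not interpreted here.
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,06 00 05 00 07 00 00 "
        // Header word 2 matches the threshold (05) and word 3 the string count
        // (07); word 1 (06) differs from the threshold in this rule.
    strings:
        $a_01_0 = {61 d2 13 04 09 1e 63 08 61 d2 13 05 07 08 11 05 1e 62 11 04 60 d1 9d 08 17 58 0c 08 07 8e 69 38 } // weight 2
        $a_01_1 = {63 01 6b 02 60 03 6c 04 64 05 5c 06 01 } // weight 1
        $a_01_2 = {67 01 61 02 72 03 72 04 65 05 71 06 67 07 5d 08 } // weight 1
        $a_01_3 = {61 01 64 02 74 03 6a 04 77 05 6c 06 64 07 75 08 } // weight 1
        $a_01_4 = {42 05 43 06 40 07 5c 08 52 09 4d 0a 59 0b 49 0c } // weight 1
        $a_01_5 = {46 06 76 07 6c 08 78 09 6b 0a 7a 0b 76 0c 75 0d } // weight 1
        $a_01_6 = {3e 08 7b 09 2f 0a 7e 0b 64 0c 62 0d 6c 0e 2a 0f } // weight 1
    condition:
        // Was sum((#s & 1) * weight) >= 5. `#s & 1` is match-count parity, so
        // an even occurrence count was scored as absent. Equivalent presence
        // test: the weight-2 string plus any 3 weight-1 strings (2 + 3 = 5),
        // or any 5 of the six weight-1 strings without it.
        ($a_01_0 and 3 of ($a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5, $a_01_6))
        or 5 of ($a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5, $a_01_6)
}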
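rule Backdoor_BAT_Bladabindi_B_6{
    // Converted Defender PEHSTR_EXT signature; NUL-delimited identifier runs
    // (NUL shown as \0). The tokens <Module> and BabelAttribute look like .NET
    // metadata names, consistent with the "BAT" (MSIL) platform in the rule name.
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 "
        // Header words 2 and 3 match threshold (04) and string count (05).
    strings:
        $a_01_0 = {00 3c 4d 6f 64 75 6c 65 3e 00 42 61 62 65 6c 41 74 74 72 69 62 75 74 65 00 41 00 77 00 6b 6c 00 } // weight 1: \0<Module>\0BabelAttribute\0A\0w\0kl\0
        $a_01_1 = {00 41 43 54 00 48 57 44 00 6d 61 69 6e 00 50 6c 75 67 69 6e 00 42 79 74 65 4f 66 50 6c 75 67 69 6e 00 } // weight 1: \0ACT\0HWD\0main\0Plugin\0ByteOfPlugin\0
        $a_01_2 = {00 49 6e 64 00 47 65 74 4b 65 79 00 6b 65 79 00 70 72 00 53 65 6e 64 00 52 43 00 55 4e 53 00 } // weight 1: \0Ind\0GetKey\0key\0pr\0Send\0RC\0UNS\0
        $a_01_3 = {00 57 52 4b 00 4f 66 66 00 45 78 65 4e 61 6d 65 00 64 72 00 53 74 61 72 74 00 63 6c 65 61 6e 00 6c 6e 6b 00 } // weight 1: \0WRK\0Off\0ExeName\0dr\0Start\0clean\0lnk\0
        $a_01_4 = {00 66 78 00 62 00 73 70 6c 00 5a 49 50 00 } // weight 1: \0fx\0b\0spl\0ZIP\0
    condition:
        // Was sum((#s & 1) * 1) >= 4. `#s & 1` is match-count parity, so an
        // even occurrence count was scored as absent. All weights are 1:
        // at least 4 of the 5 strings present is the intended test.
        4 of ($a_01_*)
}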
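rule Backdoor_BAT_Bladabindi_B_7{
    // Converted Defender PEHSTR_EXT signature; NUL-delimited identifier runs
    // (NUL shown as \0). Several tokens (GetAsyncKeyState, RegistryKey,
    // get_Handle, Logs/LogsPath) are API or member names as they would appear
    // in .NET metadata.
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 0b 00 00 "
        // Header words 2 and 3 match threshold (04) and string count (0x0b = 11).
    strings:
        $a_01_0 = {00 41 00 6b 6c 00 3c 4d 6f 64 75 6c 65 3e } // weight 1: \0A\0kl\0<Module>
        $a_01_1 = {00 77 2e 65 78 65 00 3c 4d 6f 64 75 6c 65 3e 00 } // weight 1: \0w.exe\0<Module>\0
        $a_01_2 = {00 6b 6c 00 52 65 73 6f 75 72 63 65 73 00 77 2e 4d 79 2e 52 65 73 6f 75 72 63 65 73 00 } // weight 1: \0kl\0Resources\0w.My.Resources\0
        $a_01_3 = {00 47 65 74 4b 65 79 00 52 65 67 69 73 74 72 79 4b 65 79 00 6b 65 79 00 52 65 70 6c 61 63 65 00 70 72 00 } // weight 1: \0GetKey\0RegistryKey\0key\0Replace\0pr\0
        $a_01_4 = {00 47 65 74 4b 65 79 00 6b 65 79 00 70 72 00 53 65 6e 64 00 } // weight 1: \0GetKey\0key\0pr\0Send\0
        $a_01_5 = {00 70 72 00 67 65 74 5f 48 61 6e 64 6c 65 00 53 65 6e 64 00 } // weight 1: \0pr\0get_Handle\0Send\0
        $a_01_6 = {00 4c 6f 67 73 00 4c 6f 67 73 50 61 74 68 00 57 52 4b 00 } // weight 1: \0Logs\0LogsPath\0WRK\0
        $a_01_7 = {00 47 65 74 41 73 79 6e 63 4b 65 79 53 74 61 74 65 00 57 52 4b 00 } // weight 1: \0GetAsyncKeyState\0WRK\0
        $a_01_8 = {00 44 4c 56 00 6e 00 47 54 56 00 53 54 56 00 74 00 } // weight 1: \0DLV\0n\0GTV\0STV\0t\0
        $a_01_9 = {00 47 54 56 00 47 65 74 56 61 6c 75 65 00 53 54 56 00 74 00 } // weight 1: \0GTV\0GetValue\0STV\0t\0
        $a_01_10 = {00 42 53 00 42 00 66 78 00 } // weight 1: \0BS\0B\0fx\0
    condition:
        // Was sum((#s & 1) * 1) >= 4. `#s & 1` is match-count parity, so an
        // even occurrence count was scored as absent. All weights are 1:
        // at least 4 of the 11 strings present is the intended test.
        4 of ($a_01_*)
}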
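rule Backdoor_BAT_Bladabindi_B_8{
    // Converted Defender PEHSTR_EXT signature with two weight classes
    // (10 and 1). NUL-delimited identifier runs, NUL shown as \0.
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,0d 00 0d 00 0d 00 00 "
        // Header words 2 and 3 match threshold (0x0d = 13) and string count (0x0d = 13).
    strings:
        $a_01_0 = {00 41 00 6b 6c 00 3c 4d 6f 64 75 6c 65 3e } // weight 10: \0A\0kl\0<Module>
        $a_01_1 = {00 41 00 6b 6c 00 55 53 42 00 44 52 56 00 } // weight 10: \0A\0kl\0USB\0DRV\0
        $a_01_2 = {00 3c 4d 6f 64 75 6c 65 3e 00 42 61 62 65 6c 41 74 74 72 69 62 75 74 65 00 41 00 } // weight 10: \0<Module>\0BabelAttribute\0A\0
        $a_01_3 = {00 44 4c 56 00 6e 00 47 54 56 00 } // weight 1: \0DLV\0n\0GTV\0
        $a_01_4 = {00 47 54 56 00 53 54 56 00 74 00 69 6e 66 00 } // weight 1: \0GTV\0STV\0t\0inf\0
        $a_01_5 = {00 44 4c 56 00 47 54 56 00 53 54 56 00 69 6e 66 00 } // weight 1: \0DLV\0GTV\0STV\0inf\0
        $a_01_6 = {00 42 53 00 42 00 66 78 00 } // weight 1: \0BS\0B\0fx\0
        $a_01_7 = {00 42 53 00 42 00 67 65 74 5f 44 65 66 61 75 6c 74 00 66 78 00 } // weight 1: \0BS\0B\0get_Default\0fx\0
        $a_01_8 = {00 53 42 00 42 53 00 66 78 00 41 72 72 61 79 00 } // weight 1: \0SB\0BS\0fx\0Array\0
        $a_01_9 = {00 70 72 00 53 65 6e 64 00 53 6f 63 6b 65 74 46 6c 61 67 73 00 } // weight 1: \0pr\0Send\0SocketFlags\0
        $a_01_10 = {00 49 6e 64 00 47 65 74 4b 65 79 00 6b 65 79 00 70 72 00 } // weight 1: \0Ind\0GetKey\0key\0pr\0
        $a_01_11 = {00 70 72 00 53 65 6e 64 00 52 43 00 } // weight 1: \0pr\0Send\0RC\0
        $a_01_12 = {00 70 72 00 67 65 74 5f 48 61 6e 64 6c 65 00 53 65 6e 64 00 } // weight 1: \0pr\0get_Handle\0Send\0
    condition:
        // Was sum((#s & 1) * weight) >= 13. `#s & 1` is match-count parity,
        // so an even occurrence count was scored as absent. Equivalent presence
        // test: any two weight-10 strings (20) suffice, or one weight-10 string
        // plus any 3 weight-1 strings (10 + 3 = 13). The ten weight-1 strings
        // alone reach at most 10 and can never match.
        2 of ($a_01_0, $a_01_1, $a_01_2)
        or (1 of ($a_01_0, $a_01_1, $a_01_2)
            and 3 of ($a_01_3, $a_01_4, $a_01_5, $a_01_6, $a_01_7, $a_01_8,
                      $a_01_9, $a_01_10, $a_01_11, $a_01_12))
}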
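rule Backdoor_BAT_Bladabindi_B_9{
    // Converted Defender PEHSTR_EXT signature. Unlike the metadata-token rules
    // above, every string here is UTF-16LE text (each character followed by
    // 00); the decoded text is given in each comment.
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,21 00 21 00 07 00 00 "
        // Header words 2 and 3 match threshold (0x21 = 33) and string count (07).
    strings:
        $a_01_0 = {53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 5c 00 52 00 75 00 6e 00 } // weight 10: Software\Microsoft\Windows\CurrentVersion\Run (autorun key path)
        $a_01_1 = {5b 00 65 00 6e 00 64 00 6f 00 66 00 5d 00 } // weight 10: [endof]
        $a_01_2 = {7c 00 27 00 7c 00 27 00 7c 00 } // weight 10: |'|'|
        $a_01_3 = {2e 00 65 00 78 00 65 00 20 00 2f 00 6b 00 20 00 70 00 69 00 6e 00 67 00 20 00 30 00 20 00 26 00 20 00 64 00 65 00 6c 00 20 00 22 00 } // weight 1: .exe /k ping 0 & del " (self-delete command fragment)
        $a_01_4 = {6e 00 65 00 74 00 73 00 68 00 20 00 66 00 69 00 72 00 65 00 77 00 61 00 6c 00 6c 00 20 00 61 00 64 00 64 00 20 00 61 00 6c 00 6c 00 6f 00 77 00 65 00 64 00 70 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 } // weight 1: netsh firewall add allowedprogram (firewall exception command)
        $a_01_5 = {30 00 2e 00 34 00 2e 00 31 00 61 00 } // weight 1: 0.4.1a
        $a_00_6 = {31 00 31 00 37 00 37 00 } // weight 1: 1177
    condition:
        // Was sum((#s & 1) * weight) >= 33. `#s & 1` is match-count parity, so
        // an even occurrence count was scored as absent. Equivalent presence
        // test: all three weight-10 strings (30) plus at least 3 of the 4
        // weight-1 strings; with only two weight-10 strings the maximum is 24.
        all of ($a_01_0, $a_01_1, $a_01_2)
        and 3 of ($a_01_3, $a_01_4, $a_01_5, $a_00_6)
}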
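rule Backdoor_BAT_Bladabindi_B_10{
    // Converted Defender PEHSTR_EXT signature mixing ASCII member names,
    // UTF-16LE text and one wildcard byte pattern, with weights 2, 3 and 4.
    meta:
        description = "Backdoor:BAT/Bladabindi.B,SIGNATURE_TYPE_PEHSTR_EXT,11 00 11 00 09 00 00 "
        // Header words 2 and 3 match threshold (0x11 = 17) and string count (09).
    strings:
        $a_01_0 = {56 4b 43 6f 64 65 54 6f 55 6e 69 63 6f 64 65 } // weight 2: VKCodeToUnicode (ASCII)
        $a_01_1 = {67 65 74 5f 53 68 69 66 74 4b 65 79 44 6f 77 6e } // weight 2: get_ShiftKeyDown (ASCII)
        $a_01_2 = {5b 00 45 00 4e 00 54 00 45 00 52 00 5d 00 } // weight 3: [ENTER] (UTF-16LE)
        $a_01_3 = {5b 00 65 00 6e 00 64 00 6f 00 66 00 5d 00 } // weight 3: [endof] (UTF-16LE)
        $a_01_4 = {63 00 6d 00 64 00 2e 00 65 00 78 00 65 00 20 00 2f 00 6b 00 20 00 70 00 69 00 6e 00 67 00 20 00 30 00 20 00 26 00 20 00 64 00 65 00 6c 00 } // weight 3: cmd.exe /k ping 0 & del (UTF-16LE, self-delete fragment)
        $a_01_5 = {6e 00 65 00 74 00 73 00 68 00 20 00 66 00 69 00 72 00 65 00 77 00 61 00 6c 00 6c 00 20 00 61 00 64 00 64 00 20 00 61 00 6c 00 6c 00 6f 00 77 00 65 00 64 00 70 00 72 00 6f 00 67 00 72 00 61 00 6d 00 } // weight 4: netsh firewall add allowedprogram (UTF-16LE)
        $a_03_6 = {07 57 00 69 00 6e 00 00 03 ae 00 ?? 03 22 21 } // weight 2: byte pattern containing UTF-16LE "Win" and one wildcard byte
        $a_01_7 = {53 00 47 00 46 00 6a 00 53 00 32 00 56 00 6b 00 } // weight 3: SGFjS2Vk (UTF-16LE; base64 of "HacKed")
        $a_01_8 = {22 00 20 00 22 00 77 00 73 00 63 00 72 00 69 00 70 00 74 00 2e 00 65 00 78 00 65 00 22 00 20 00 45 00 4e 00 41 00 42 00 4c 00 45 00 } // weight 2: " "wscript.exe" ENABLE (UTF-16LE)
    condition:
        // Was sum((#s & 1) * weight) >= 17 out of a possible 24. `#s & 1` is
        // match-count parity, so an even occurrence count was scored as absent.
        // Equivalent presence test, enumerated by weight class:
        //   weight 2: $a_01_0, $a_01_1, $a_01_6, $a_01_8   (4 strings)
        //   weight 3: $a_01_2, $a_01_3, $a_01_4, $a_01_7   (4 strings)
        //   weight 4: $a_01_5
        // With $a_01_5 (4): need 2*n2 + 3*n3 >= 13 -> (n3=4,n2>=1), (n3=3,n2>=2), (n3=2,n2=4).
        // Without it:       need 2*n2 + 3*n3 >= 17 -> (n3=4,n2>=3), (n3=3,n2=4).
        (
            $a_01_5 and (
                (all of ($a_01_2, $a_01_3, $a_01_4, $a_01_7) and 1 of ($a_01_0, $a_01_1, $a_03_6, $a_01_8))
                or (3 of ($a_01_2, $a_01_3, $a_01_4, $a_01_7) and 2 of ($a_01_0, $a_01_1, $a_03_6, $a_01_8))
                or (2 of ($a_01_2, $a_01_3, $a_01_4, $a_01_7) and all of ($a_01_0, $a_01_1, $a_03_6, $a_01_8))
            )
        )
        or (all of ($a_01_2, $a_01_3, $a_01_4, $a_01_7) and 3 of ($a_01_0, $a_01_1, $a_03_6, $a_01_8))
        or (3 of ($a_01_2, $a_01_3, $a_01_4, $a_01_7) and all of ($a_01_0, $a_01_1, $a_03_6, $a_01_8))
}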