DefenderYara/Backdoor/BAT/Njogv/Backdoor_BAT_Njogv_A.yar


// Detection rule for Backdoor:BAT/Njogv.A, converted from a Microsoft Defender
// PEHSTR_EXT signature (see the description field in meta).
// Every $a_01_* pattern is a hex-encoded, NUL-terminated ASCII identifier; the
// decoded text is given on each line. The condition is a weighted score over the
// patterns, compared against a threshold of 8.
// NOTE(review): `#x & 1` is the low bit of the occurrence count, not a presence
// test, so a pattern that occurs an even number of times contributes 0 to the
// score. Presumably the converter intended plain presence (`#x > 0`); confirm
// against the upstream signature before relying on this rule for coverage.
rule Backdoor_BAT_Njogv_A{
meta:
// The trailing "08 00 08 00 08 00 00" fields presumably carry the threshold and
// counters of the original signature (the 08 matches the >=8 below) — TODO confirm.
description = "Backdoor:BAT/Njogv.A,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 08 00 00 "
strings :
$a_01_0 = {49 6e 73 74 4d 61 6e 61 67 65 72 00 } // weight 5: "InstManager\0"
$a_01_1 = {44 65 74 61 74 74 63 68 46 72 6f 6d 45 76 65 6e 74 00 } // weight 5: "DetattchFromEvent\0" (misspelling is in the bytes; keep as-is)
$a_01_2 = {5f 6d 69 43 6f 6d 6d 61 6e 64 00 } // weight 1: "_miCommand\0"
$a_01_3 = {5f 65 69 4f 6e 45 72 72 6f 72 00 } // weight 1: "_eiOnError\0"
$a_01_4 = {5f 65 69 4f 6e 43 6f 6d 6d 61 6e 64 00 } // weight 1: "_eiOnCommand\0"
$a_01_5 = {5f 65 69 4f 6e 46 69 6e 69 73 68 65 64 00 } // weight 1: "_eiOnFinished\0"
$a_01_6 = {5f 72 65 6d 6f 74 65 43 6c 65 61 6e 65 64 00 } // weight 1: "_remoteCleaned\0"
$a_01_7 = {72 65 6d 6f 76 65 5f 4f 6e 46 69 6e 69 73 68 65 64 00 } // weight 1: "remove_OnFinished\0"
condition:
// Weights sum to 16 (5+5+1*6). With a threshold of 8, the six weight-1 strings
// alone score only 6, so at least one of $a_01_0 / $a_01_1 must match; both
// together (10) satisfy the rule without any of the weight-1 strings.
((#a_01_0 & 1)*5+(#a_01_1 & 1)*5+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1) >=8
}