
// Backdoor:BAT/WebShell.AG!MTB — DefenderYara-style export of a Microsoft Defender
// PEHSTR_EXT signature for an ASP.NET (.aspx) web shell. Every $a_01_N entry is a
// literal byte pattern; the trailing "//01 00 <text>" on each line is the exported
// per-string weight followed by the decoded text.
//
// NOTE(review): the header bytes in `description` ("08 00 08 00 08 00 00 01 00")
// look like threshold/count fields for eight strings of weight 01 00 each. If the
// leading 08 00 is the match threshold, the source signature requires all eight
// strings, and the generated `any of ($a_*)` condition below is far looser than
// intended — several strings here ($a_01_1, $a_01_5, $a_01_6) are generic enough
// to appear in benign IIS administration tooling. Confirm against the converter's
// threshold encoding before using this rule for blocking rather than hunting.
rule Backdoor_BAT_WebShell_AG_MTB{
meta:
description = "Backdoor:BAT/WebShell.AG!MTB,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 08 00 00 01 00 "
strings :
// UTF-16LE (every character followed by 00): a 32-hex-character digest embedded
// in the binary. It appears to be the MD5 of a common default password, which
// suggests a hard-coded credential gate in the shell; the most specific indicator
// in this set.
$a_01_0 = {32 00 31 00 32 00 33 00 32 00 66 00 32 00 39 00 37 00 61 00 35 00 37 00 61 00 35 00 61 00 37 00 34 00 33 00 38 00 39 00 34 00 61 00 30 00 65 00 34 00 61 00 38 00 30 00 31 00 66 00 63 00 33 00 } //01 00 21232f297a57a5a743894a0e4a801fc3
// UTF-16LE ADSI path to the local IIS metabase. Also present in legitimate IIS
// management code, so weak on its own.
$a_01_1 = {49 00 49 00 53 00 3a 00 2f 00 2f 00 6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 2f 00 57 00 33 00 53 00 56 00 43 00 } //01 00 IIS://localhost/W3SVC
// UTF-16LE relative page path; presumably the shell's own .aspx resource.
$a_01_2 = {41 00 73 00 70 00 78 00 2f 00 45 00 4e 00 2f 00 75 00 65 00 66 00 74 00 49 00 6e 00 76 00 65 00 73 00 74 00 65 00 72 00 2e 00 61 00 73 00 70 00 78 00 } //01 00 Aspx/EN/ueftInvester.aspx
// UTF-16LE ASP.NET control identifier; the "KillMe" name reads like a
// self-removal button (inferred from the text only).
$a_01_3 = {42 00 69 00 6e 00 5f 00 42 00 75 00 74 00 74 00 6f 00 6e 00 5f 00 4b 00 69 00 6c 00 6c 00 4d 00 65 00 } //01 00 Bin_Button_KillMe
// Single-byte ASCII — the only narrow string in the set. The root\<hash>\<hash>
// layout resembles the hashed subdirectories ASP.NET uses for temporary compiled
// assemblies, so this likely pins one specific compiled build of the shell; a
// recompiled variant would not carry it — confirm.
$a_01_4 = {72 6f 6f 74 5c 39 66 34 33 33 38 35 66 5c 33 35 64 66 62 64 32 65 } //01 00 root\9f43385f\35dfbd2e
// UTF-16LE status messages from the shell's directory / process / thread
// management UI. Generic wording; low specificity individually, useful in
// combination.
$a_01_5 = {44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 64 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 20 00 21 00 } //01 00 Directory created success !
$a_01_6 = {50 00 72 00 6f 00 63 00 65 00 73 00 73 00 20 00 4b 00 69 00 6c 00 6c 00 20 00 53 00 75 00 63 00 63 00 65 00 73 00 73 00 20 00 21 00 } //01 00 Process Kill Success !
$a_01_7 = {43 00 6c 00 65 00 61 00 72 00 20 00 41 00 6c 00 6c 00 20 00 54 00 68 00 72 00 65 00 61 00 64 00 20 00 2e 00 2e 00 2e 00 2e 00 2e 00 2e 00 } //00 00 Clear All Thread ......
condition:
// Fires on any single string; see the NOTE(review) above on whether the source
// signature's threshold actually requires all of them.
any of ($a_*)
}