DefenderYara/Backdoor/Win32/Drixed/Backdoor_Win32_Drixed_A.yar


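// Backdoor:Win32/Drixed.A — converted from a Microsoft Defender PEHSTR_EXT signature.
// Every string carries a weight (the trailing //N comment) and the rule fires when the
// summed weight of the strings present reaches 5. The "05 00 05 00 08 00 00" tail of the
// description presumably encodes that threshold and the string count (8); it is consistent
// with the condition below, but the field layout itself is not documented here.
rule Backdoor_Win32_Drixed_A
{
    meta:
        description = "Backdoor:Win32/Drixed.A,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 08 00 00 "

    strings:
        // Code fragment (weight 2). The bytes read as x86: xor cl,bl / jnz +1 / inc esi /
        // inc eax / cmp esi,[ebp+8] / jl / lea ecx,[eax+disp32] / mov al,[ecx] / cmp al,bl /
        // jz / mov esi,ecx / mov bl,al / xor bl,[ebp-1] / mov eax,edi / call.
        // The four ?? bytes sit where the 32-bit displacement of the lea would be, so the
        // pattern tolerates that address differing between builds.
        $a_03_0 = { 32 cb 75 01 46 40 3b 75 08 7c ef 8d 88 ?? ?? ?? ?? 8a 01 3a c3 74 16 8b f1 8a d8 32 5d ff 8b c7 e8 } //2

        // NUL-terminated ASCII artefacts (weight 1 each); the decoded bytes are shown alongside.
        $a_01_1 = { 65 64 67 00 2e 74 6d 70 00 }                                   //1  "edg\0.tmp\0"
        $a_01_2 = { 73 65 00 63 6d 64 2e 65 78 65 00 20 63 70 00 }                 //1  "se\0cmd.exe\0 cp\0"
        $a_01_3 = { 63 66 67 00 3c 00 63 6f 6e 66 69 67 20 62 ee 74 f0 65 e6 3d }  //1  "cfg\0<\0config b?t?e?=" — ee/f0/e6 are non-ASCII bytes, kept verbatim
        $a_01_4 = { 66 6f 72 6d 67 72 61 62 62 65 72 00 }                          //1  "formgrabber\0"
        $a_01_5 = { 63 6c 69 63 6b 73 68 6f 74 73 00 }                             //1  "clickshots\0"
        $a_01_6 = { 68 74 74 70 69 6e 6a 65 63 74 73 00 }                          //1  "httpinjects\0"
        $a_01_7 = { 6b 65 79 6c 6f 67 00 }                                         //1  "keylog\0"

    condition:
        // Weighted threshold: 2*[a_03_0 present] + 1*[each a_01_x present] >= 5, i.e. the
        // code fragment plus any three data strings, or any five data strings.
        // The converted expression summed (#s & 1) terms. #s is the match COUNT, so "& 1"
        // is its parity, not its presence: a string occurring an even number of times
        // contributed 0 and could push a true positive under the threshold. The "of"
        // form below counts presence, which is what the weights express.
        ($a_03_0 and 3 of ($a_01_*)) or 5 of ($a_01_*)
}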