qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/Backdoor/Win32/Gaertob/Backdoor_Win32_Gaertob_A.yar

14 lines
741 B
Plaintext
Raw Permalink Blame History

rule Backdoor_Win32_Gaertob_A{
meta:
description = "Backdoor:Win32/Gaertob.A,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 04 00 00 "
strings :
$a_03_0 = {59 6a 00 6a 0c 68 ?? ?? ?? ?? ff b5 ?? ?? ff ff ff 15 ?? ?? ?? ?? 6a 01 58 85 c0 0f 84 ?? ?? 00 00 6a 00 6a 63 } //1
$a_03_1 = {ff ff 52 c6 85 ?? ff ff ff 61 c6 85 ?? ff ff ff 72 c6 85 ?? ff ff ff 21 c6 85 ?? ff ff ff 1a } //1
$a_03_2 = {89 45 f8 83 7d f8 03 74 06 83 7d f8 04 75 14 8d 45 fc 50 ff 15 ?? ?? ?? ?? 83 f8 01 75 05 e8 ?? ?? ?? ?? 8a 45 fc 2c 01 88 45 fc 0f be 45 fc 83 f8 62 75 c2 } //1
$a_03_3 = {6e 65 70 65 6e 74 68 65 73 [0-04] 63 75 72 72 65 6e 74 75 73 65 72 00 } //1
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1) >=2
}
Reference in New Issue View Git Blame Copy Permalink