DefenderYara/Backdoor/Win32/Hupigon/Backdoor_Win32_Hupigon_YA.yar


// Weighted-score rule carried over from a Microsoft Defender PEHSTR_EXT
// signature (see meta.description). In the condition every string is
// counted at most once ("#x & 1") and multiplied by a fixed weight; the
// file matches when the weighted total reaches 4030.
//
// Weight classes, as written in the condition:
//   * $a_01_0 .. $a_01_21  -> 1-4 points each, 30 points in total. The
//     trailing "//N text" comments give the ASCII text of each pattern.
//     They read like runtime error messages and class names (EListError,
//     EWriteError, TWin32Resource, "Range check error"); strings of that
//     kind also occur in benign binaries built with the same runtime,
//     which presumably is why they carry so little weight.
//   * $a_00_22 .. $a_00_26 -> 1000 points each, 5000 in total (binary blobs).
//   * $a_01_27 .. $a_01_29 -> 5 points each, 15 in total.
// Everything outside the five 1000-point blobs sums to at most 45, so the
// threshold of 4030 is reached only by all five blobs, or by four of them
// (4000) plus at least 30 of the remaining 45 points.
rule Backdoor_Win32_Hupigon_YA{
meta:
// Defender signature header preserved verbatim; the hex words after
// SIGNATURE_TYPE_PEHSTR_EXT come from the source signature and are not
// referenced anywhere in this rule's condition.
description = "Backdoor:Win32/Hupigon.YA,SIGNATURE_TYPE_PEHSTR_EXT,ffffffcd 0f ffffffbe 0f 1e 00 00 "
strings :
$a_01_0 = {25 73 20 28 25 73 2c 20 6c 69 6e 65 20 25 64 29 } //1 %s (%s, line %d)
$a_01_1 = {4f 75 74 20 6f 66 20 6d 65 6d 6f 72 79 } //1 Out of memory
$a_01_2 = {55 6e 6b 6e 6f 77 6e 20 63 6f 6d 70 72 65 73 73 69 6f 6e 20 61 6c 67 6f 72 69 74 68 6d } //1 Unknown compression algorithm
$a_01_3 = {52 61 6e 67 65 20 63 68 65 63 6b 20 65 72 72 6f 72 } //1 Range check error
// The leading 0x20 is part of the pattern: " [%d]" with a space in front.
$a_01_4 = {20 5b 25 64 5d } //1 [%d]
$a_01_5 = {56 61 72 69 61 6e 74 20 69 73 20 6e 6f 74 20 61 6e 20 61 72 72 61 79 } //1 Variant is not an array
$a_01_6 = {46 6c 6f 61 74 69 6e 67 20 70 6f 69 6e 74 20 64 69 76 69 73 69 6f 6e 20 62 79 20 7a 65 72 6f } //1 Floating point division by zero
$a_01_7 = {46 6f 72 6d 61 74 20 27 25 73 27 20 69 6e 76 61 6c 69 64 20 6f 72 20 69 6e 63 6f 6d 70 61 74 69 62 6c 65 20 77 69 74 68 20 61 72 67 75 6d 65 6e 74 } //2 Format '%s' invalid or incompatible with argument
$a_01_8 = {57 69 6e 33 32 20 45 72 72 6f 72 2e 20 20 43 6f 64 65 3a 20 25 64 2e } //4 Win32 Error. Code: %d.
$a_01_9 = {41 20 57 69 6e 33 32 20 41 50 49 20 66 75 6e 63 74 69 6f 6e 20 66 61 69 6c 65 64 } //2 A Win32 API function failed
$a_01_10 = {54 6c 61 6d 65 41 73 6d } //1 TlameAsm
$a_01_11 = {51 75 65 72 79 50 65 72 66 6f 72 6d 61 6e 63 65 43 6f 75 6e 74 65 72 } //1 QueryPerformanceCounter
$a_01_12 = {45 57 72 69 74 65 45 72 72 6f 72 } //1 EWriteError
$a_01_13 = {47 65 74 50 72 6f 70 41 } //1 GetPropA
$a_01_14 = {45 4c 69 73 74 45 72 72 6f 72 } //1 EListError
// Note the trailing 0x20: the pattern is "TWin32Resource " including a space,
// so the bare identifier "TWin32Resource" followed by a NUL would not match.
$a_01_15 = {54 57 69 6e 33 32 52 65 73 6f 75 72 63 65 20 } //1 TWin32Resource
$a_01_16 = {53 65 74 46 6f 72 65 67 72 6f 75 6e 64 57 69 6e 64 6f 77 } //2 SetForegroundWindow
$a_01_17 = {54 4c 61 6d 65 4c 6f 61 64 65 72 } //1 TLameLoader
$a_01_18 = {49 73 57 69 6e 64 6f 77 45 6e 61 62 6c 65 64 } //1 IsWindowEnabled
$a_01_19 = {54 4c 61 6d 65 50 45 53 65 63 74 69 6f 6e } //2 TLamePESection
$a_01_20 = {43 6c 69 65 6e 74 54 6f 53 63 72 65 65 6e } //2 ClientToScreen
$a_01_21 = {53 65 74 52 4f 50 32 } //1 SetROP2
// ---- 1000-point binary blobs ----
// Embedded text: "C:\WINDOWS\SYSTEM32" (43 3a 5c ... 33 32), NUL-terminated.
// The dwords a4 08 92 00 / c4 08 92 00 here and 14 f6 90 00 / 3c f5 90 00 /
// 50 f2 90 00 / 54 09 92 00 in $a_00_23 (and 04 86 91 00 in $a_00_24) are
// little-endian values in the 0x0090xxxx-0x0092xxxx range. They read like
// in-memory pointers, which would tie these blobs to one specific build or
// memory layout — NOTE(review): inferred from the values only; confirm
// against a sample before relying on this rule for anything but that build.
$a_00_22 = {00 00 00 00 a4 08 92 00 a4 08 92 00 54 00 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 53 59 53 54 45 4d 33 32 00 c4 08 92 00 c4 08 92 00 10 00 00 00 30 00 00 00 27 00 } //1000
// Length-prefixed text: 14 00 00 00 (=20) precedes the 20-byte
// "C:\WINDOWS\SYSTEM32\", and 0c 00 00 00 (=12) precedes the 12-byte
// "kernel32.dll".
$a_00_23 = {14 00 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 53 59 53 54 45 4d 33 32 5c 54 00 00 00 1f 00 00 00 01 00 00 00 0c 00 00 00 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 00 00 1a 00 00 00 14 f6 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 3c f5 90 00 ff ff ff ff 12 00 00 00 50 f2 90 00 54 09 92 00 00 00 00 00 4a 00 00 00 01 00 00 00 } //1000
// 38 00 00 00 (=56) prefixes a 56-byte string. The high bytes
// ce f8 e8 e1 ea e0 20 ee f2 ea f0 fb f2 e8 ff 20 f4 e0 e9 eb e0 decode under
// Windows-1251 as the Cyrillic text "Ошибка открытия файла" ("Error opening
// file"), followed by the plain ASCII " [C:\WINDOWS\SYSTEM32\kernel32.dll]".
// The single-byte code page is a hint about the build environment, not a
// guarantee — NOTE(review): the decoding is exact, the attribution is not.
$a_00_24 = {38 00 00 00 ce f8 e8 e1 ea e0 20 ee f2 ea f0 fb f2 e8 ff 20 f4 e0 e9 eb e0 20 5b 43 3a 5c 57 49 4e 44 4f 57 53 5c 53 59 53 54 45 4d 33 32 5c 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 5d 00 00 00 00 04 86 91 00 04 86 91 00 6c 36 00 00 00 00 00 00 } //1000
// Mixed code and data. eb f0 5f 5e 5b 59 59 5d c2 08 00 reads as x86
// (jmp short; pop edi/esi/ebx/ecx/ecx/ebp; ret 8). Then ff ff ff ff,
// 1a 00 00 00 (=26) and the 26-byte text "qwertyuiopasdfghjklzxcvbnm"
// (the three keyboard rows), a NUL pad, and 55 8b ec (push ebp; mov ebp,esp)
// opening the next routine. The ff ff ff ff / length / text / 00 layout is
// consistent with a reference-counted string constant — NOTE(review):
// inferred from the layout, not stated anywhere in this file.
$a_00_25 = {eb f0 5f 5e 5b 59 59 5d c2 08 00 00 ff ff ff ff 1a 00 00 00 71 77 65 72 74 79 75 69 6f 70 61 73 64 66 67 68 6a 6b 6c 7a 78 63 76 62 6e 6d 00 00 55 8b ec 81 c4 04 f0 ff ff 50 81 c4 28 ff ff ff } //1000
// 0b is the byte length of the 11-character "TGUI_STRING" that follows it.
$a_00_26 = {0e 0b 54 47 55 49 5f 53 54 52 49 4e 47 0d 00 00 00 03 00 00 00 00 } //1000
// ---- 5-point strings ----
// Short, non-dictionary byte sequences; nothing in this file says what they
// encode, so they are documented only by their ASCII rendering.
$a_01_27 = {4b 4b 74 69 53 53 36 } //5 KKtiSS6
$a_01_28 = {65 65 4b 5c 5a } //5 eeK\Z
$a_01_29 = {5e 5e 78 66 5a 5a 5c 4b 65 65 58 4e 62 62 } //5 ^^xfZZ\KeeXNbb
condition:
// "#x & 1" clamps each match count to 0 or 1, so repeated occurrences of a
// string never add extra points. Maximum attainable score: 30 + 5000 + 15 =
// 5045; the threshold 4030 is explained in the header comment.
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*2+(#a_01_8 & 1)*4+(#a_01_9 & 1)*2+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_01_12 & 1)*1+(#a_01_13 & 1)*1+(#a_01_14 & 1)*1+(#a_01_15 & 1)*1+(#a_01_16 & 1)*2+(#a_01_17 & 1)*1+(#a_01_18 & 1)*1+(#a_01_19 & 1)*2+(#a_01_20 & 1)*2+(#a_01_21 & 1)*1+(#a_00_22 & 1)*1000+(#a_00_23 & 1)*1000+(#a_00_24 & 1)*1000+(#a_00_25 & 1)*1000+(#a_00_26 & 1)*1000+(#a_01_27 & 1)*5+(#a_01_28 & 1)*5+(#a_01_29 & 1)*5) >=4030
}