DefenderYara/Backdoor/Win32/Kbotrep/Backdoor_Win32_Kbotrep_A.yar


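// Backdoor:Win32/Kbotrep.A — converted from a Microsoft Defender
// SIGNATURE_TYPE_PEHSTR_EXT signature.
//
// The `description` meta carries the original signature header bytes,
// "0a 00 0a 00 1f 00 ...". The 0x1f (31) field equals the number of strings
// declared below, and the leading 0x0a (10) is the match threshold, so the
// condition requires 10 of the 31 strings instead of `any of`. With `any of`
// a single generic token such as "UpdateConfig" or "I'm a teapot" would be
// enough to fire, which is far looser than the source signature.
//
// Each "//01 00" suffix is the weight the source signature assigns to that
// string (all 1, so a plain "N of" count is equivalent to the weighted sum).
// The "//00 00" on the last string looks like an end-of-list marker rather
// than a weight of 0 — confirm against the converter if that matters.
rule Backdoor_Win32_Kbotrep_A
{
    meta:
        description = "Backdoor:Win32/Kbotrep.A,SIGNATURE_TYPE_PEHSTR_EXT,0a 00 0a 00 1f 00 00 01 00 "

    strings:
        // Configuration / module file names (ASCII).
        $a_00_0 = {4b 42 4f 54 2e 49 4e 49 } //01 00 KBOT.INI
        $a_00_1 = {49 4e 4a 45 43 54 53 2e 49 4e 49 } //01 00 INJECTS.INI
        $a_00_2 = {57 4f 52 4d 2e 49 4e 49 } //01 00 WORM.INI
        $a_00_3 = {5c 42 43 2e 49 4e 49 } //01 00 \BC.INI

        // Miscellaneous embedded text (ASCII).
        $a_00_4 = {49 27 6d 20 61 20 74 65 61 70 6f 74 } //01 00 I'm a teapot
        $a_00_5 = {42 41 53 45 43 4f 4e 46 49 47 2e 2e 2e 2e 2e 2e 46 4a } //01 00 BASECONFIG......FJ
        $a_00_6 = {45 6c 65 76 61 74 69 6f 6e 3a 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 21 6e 65 77 3a 7b } //01 00 Elevation:Administrator!new:{

        // Module / command / section names (ASCII).
        $a_00_7 = {55 6c 6f 61 64 65 72 33 32 } //01 00 Uloader32
        $a_00_8 = {55 6c 6f 61 64 65 72 36 34 } //01 00 Uloader64
        $a_00_9 = {55 70 64 61 74 65 49 6e 6a 65 63 74 73 } //01 00 UpdateInjects
        $a_00_10 = {55 70 64 61 74 65 43 6f 6e 66 69 67 } //01 00 UpdateConfig
        $a_00_11 = {55 70 64 61 74 65 43 6f 72 65 } //01 00 UpdateCore
        $a_00_12 = {55 70 64 61 74 65 57 6f 72 6d 43 6f 6e 66 69 67 } //01 00 UpdateWormConfig
        $a_00_13 = {55 70 64 61 74 65 42 61 63 6b 63 6f 6e 6e 65 63 74 43 6f 6e 66 69 67 } //01 00 UpdateBackconnectConfig
        $a_00_14 = {42 6f 74 43 6f 6e 66 69 67 } //01 00 BotConfig
        $a_00_15 = {42 6f 74 43 6f 6d 6d 75 6e 69 74 79 } //01 00 BotCommunity
        $a_00_16 = {49 6e 6a 65 63 74 43 6f 6e 66 69 67 } //01 00 InjectConfig
        $a_00_17 = {57 6f 72 6d 43 6f 6e 66 69 67 } //01 00 WormConfig
        $a_00_18 = {49 6e 66 65 63 74 65 64 42 79 49 44 } //01 00 InfectedByID
        $a_00_19 = {4f 53 49 6e 66 65 63 74 65 64 43 6f 75 6e 74 } //01 00 OSInfectedCount
        $a_00_20 = {53 74 69 6c 6c 4c 6f 61 64 65 72 } //01 00 StillLoader

        // Fixed identifiers: a 64-character hex token, a group label and
        // three domain names (ASCII).
        $a_00_21 = {34 34 44 43 46 33 35 38 36 36 45 42 34 39 39 32 32 36 34 45 38 30 39 45 44 44 30 30 31 37 33 37 43 36 35 45 32 38 42 42 34 44 41 42 38 44 43 37 44 41 35 43 46 41 37 46 31 41 41 30 35 36 31 39 } //01 00 44DCF35866EB4992264E809EDD001737C65E28BB4DAB8DC7DA5CFA7F1AA05619
        $a_00_22 = {67 72 6f 75 70 5f 31 30 32 } //01 00 group_102
        $a_00_23 = {6d 65 6e 73 61 62 75 78 75 73 2e 6e 65 74 } //01 00 mensabuxus.net
        $a_00_24 = {6f 67 72 74 68 75 76 77 66 64 63 66 72 69 35 65 75 77 67 2e 63 6f 6d } //01 00 ogrthuvwfdcfri5euwg.com
        $a_00_25 = {6f 67 72 74 68 75 76 66 65 77 66 64 63 66 72 69 35 65 75 77 67 2e 63 6f 6d } //01 00 ogrthuvfewfdcfri5euwg.com

        // Code byte patterns.
        // NOTE(review): in $a_03_26 and $a_03_30 the `90 01 nn` / `90 00`
        // groups look like the source signature's wildcard/terminator encoding
        // carried over verbatim rather than literal x86 bytes. As written,
        // YARA matches them only as literal bytes, so these two patterns may
        // never hit on real samples; confirm the converter's encoding before
        // relying on them.
        $a_03_26 = {03 4d f0 80 39 e8 75 90 01 01 80 79 05 e9 75 90 00 } //01 00
        $a_01_27 = {e2 f0 81 ff 5b bc 4a 6a } //01 00
        $a_01_28 = {68 e8 a9 67 08 e8 } //01 00
        $a_01_29 = {68 3c 92 3d 68 e8 } //01 00
        $a_03_30 = {8a 44 0a 14 30 81 90 01 04 41 83 f9 10 72 f0 90 00 } //00 00

    condition:
        // Match threshold from the signature header (0x0a = 10 weighted hits,
        // weight 1 each). A lone generic string is not sufficient.
        10 of ($a_*)
}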