qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/Backdoor/Win32/Polnur/Backdoor_Win32_Polnur_A.yar

15 lines
647 B
Plaintext
Raw Permalink Blame History

rule Backdoor_Win32_Polnur_A{
meta:
description = "Backdoor:Win32/Polnur.A,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 "
strings :
$a_00_0 = {49 6e 74 65 6c 43 6f 6e 74 72 6f 6c 6c 65 72 } //1 IntelController
$a_01_1 = {4d 61 6e 61 67 65 72 5f 52 75 6e 5f 4c 6f 6f 70 00 00 00 00 45 78 70 5f 4f 6e 52 65 61 64 } //1
$a_00_2 = {7e 4d 48 7a } //1 ~MHz
$a_00_3 = {63 5f 31 31 30 32 2e 6e 6c 73 } //1 c_1102.nls
$a_01_4 = {53 74 61 72 74 46 75 6e 00 00 00 00 53 65 53 68 75 74 64 6f 77 6e 50 72 69 76 69 6c 65 67 65 } //1
condition:
((#a_00_0 & 1)*1+(#a_01_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_01_4 & 1)*1) >=5
}
Reference in New Issue View Git Blame Copy Permalink