DefenderYara/Backdoor/Win32/Spybot/Backdoor_Win32_Spybot.yar


/*
 * Backdoor:Win32/Spybot — a weighted string/opcode signature converted from the
 * Microsoft Defender signature set into a YARA rule.
 *
 * Each `$a_..` string carries its weight in the trailing `//N` comment. The
 * condition sums the weights of every string that is present at least once
 * (`#x & 1` clamps the match count to 0 or 1) and fires when the total is >= 16.
 * The bytes `10 00 10 00 1b 00 00` in the meta description appear to be the
 * original Defender header: 0x10 = 16 equals the threshold used below and
 * 0x1b = 27 equals the number of strings — that correspondence is all that is
 * verified here. `$a_01_*` strings are fixed byte sequences; the `$a_03_*`
 * prefix seems to mark patterns that contain `??` wildcards — TODO confirm.
 */
rule Backdoor_Win32_Spybot{
meta:
description = "Backdoor:Win32/Spybot,SIGNATURE_TYPE_PEHSTR_EXT,10 00 10 00 1b 00 00 "
strings :
// Weight 1: bot command keywords and other identifying ASCII strings.
$a_01_0 = {21 6b 69 6c 6c 74 68 72 65 61 64 } //1 !killthread
$a_01_1 = {21 6b 69 6c 6c 70 72 6f 63 } //1 !killproc
$a_01_2 = {21 72 65 64 69 72 65 63 74 6d 65 } //1 !redirectme
$a_01_3 = {21 72 65 64 73 70 79 } //1 !redspy
$a_01_4 = {21 6b 69 6c 6c 63 6c 6f 6e 65 73 } //1 !killclones
$a_01_5 = {21 73 74 61 72 74 6c 6f 67 } //1 !startlog
$a_01_6 = {21 6f 70 65 6e 63 6d 64 } //1 !opencmd
$a_01_7 = {21 6e 74 73 74 61 74 73 } //1 !ntstats
$a_01_8 = {72 69 66 66 72 61 66 66 } //1 riffraff
$a_01_9 = {77 69 6e 64 6f 7a 65 78 70 } //1 windozexp
$a_01_10 = {69 68 61 76 65 6e 6f 70 61 73 73 } //1 ihavenopass
$a_01_11 = {5b 50 72 69 6e 74 20 53 63 72 65 65 6e 5d } //1 [Print Screen]
// Weight 2: self-identification strings and administrative-share path formats.
$a_01_12 = {68 34 78 30 72 69 6e 67 } //2 h4x0ring
$a_01_13 = {68 72 65 66 3d 22 25 73 25 73 22 3e 25 73 3c 2f 41 3e } //2 href="%s%s">%s</A>
$a_01_14 = {42 6f 74 20 56 65 72 73 69 6f 6e 3a } //2 Bot Version:
$a_01_15 = {25 73 5c 41 64 6d 69 6e 24 } //2 %s\Admin$
$a_01_16 = {25 73 5c 63 24 5c 77 69 6e 6e 74 } //2 %s\c$\winnt
// Weight 3: status/report messages (typos are the malware's own) and
// NUL-separated name tables. The `00` bytes are part of the pattern.
$a_01_17 = {45 78 70 6c 6f 69 74 65 64 20 25 64 20 53 79 73 74 65 6d 73 } //3 Exploited %d Systems
$a_01_18 = {6c 69 73 74 69 6e 20 70 6f 72 74 3a 20 25 69 } //3 listin port: %i
$a_01_19 = {53 65 61 72 73 69 6e 67 20 66 6f 72 20 70 61 73 73 77 6f 72 64 73 } //3 Searsing for passwords
$a_01_20 = {4e 65 74 55 73 65 72 45 6e 75 6d 00 4e 65 74 52 65 6d 6f 74 65 54 4f 44 00 4e 65 74 53 63 68 65 64 } //3 NetUserEnum\0NetRemoteTOD\0NetSched (NUL-separated API name table)
$a_01_21 = {25 73 5c 69 70 63 24 00 5b 4e 55 4c 4c 5d } //3 %s\ipc$\0[NULL] (NUL-separated; the earlier comment had decoded these bytes as UTF-16 garbage)
$a_01_22 = {50 52 49 56 4d 53 47 20 25 73 20 3a 50 6f 72 74 20 25 69 } //3 PRIVMSG %s :Port %i
$a_01_23 = {73 74 6f 70 6b 65 79 6c 6f 67 67 65 72 22 20 74 6f 20 73 74 6f 70 } //3 stopkeylogger" to stop
// Weight 10: x86 code fragments. Any one of these plus 6 weight points from
// the strings above (or any two of them alone) reaches the threshold, so they
// dominate the score. Disassembly in the comments is a best-effort reading of
// the bytes and has not been verified against a sample.
$a_01_24 = {b9 3c 00 00 00 ba 89 88 88 88 f7 e2 c1 ea 05 } //10 mov ecx,0x3c / mov edx,0x88888889 / mul edx / shr edx,5 — looks like a compiler-generated divide-by-60
$a_03_25 = {b9 a0 05 00 00 31 d2 f7 f1 89 95 ?? ?? ?? ff b8 60 ea 00 00 f7 a5 } //10 mov ecx,0x5a0 / xor edx,edx / div ecx / mov [ebp-?],edx / mov eax,0xea60 / mul [ebp+?] — presumably time-unit arithmetic (1440 and 60000), unconfirmed
$a_03_26 = {59 31 f6 eb 1c e8 ?? ?? ?? 00 b9 1a 00 00 00 99 f7 f9 89 d7 83 c7 61 89 fa 88 14 35 } //10 pop ecx / xor esi,esi / jmp short / call ? / mov ecx,0x1a / cdq / idiv ecx / mov edi,edx / add edi,0x61 / mov edx,edi / mov [esi+?],dl — consistent with an "x % 26 + 'a'" letter-generation loop, unconfirmed
condition:
// Weighted sum of the strings that are present at least once; 16 is the
// threshold carried over from the Defender header (see rule comment).
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_01_12 & 1)*2+(#a_01_13 & 1)*2+(#a_01_14 & 1)*2+(#a_01_15 & 1)*2+(#a_01_16 & 1)*2+(#a_01_17 & 1)*3+(#a_01_18 & 1)*3+(#a_01_19 & 1)*3+(#a_01_20 & 1)*3+(#a_01_21 & 1)*3+(#a_01_22 & 1)*3+(#a_01_23 & 1)*3+(#a_01_24 & 1)*10+(#a_03_25 & 1)*10+(#a_03_26 & 1)*10) >=16
}