DefenderYara/Backdoor/Win32/Visel/Backdoor_Win32_Visel_C.yar

rule Backdoor_Win32_Visel_C{
	meta:
		description = "Backdoor:Win32/Visel.C,SIGNATURE_TYPE_PEHSTR_EXT,1d 00 1d 00 1d 00 00 01 00 "
		
	strings :
		$a_00_0 = {6d 64 2e 65 78 65 20 2f 63 20 22 25 73 22 } //01 00  md.exe /c "%s"
		$a_00_1 = {5b 4e 75 6d 20 4c 6f 63 6b 5d } //01 00  [Num Lock]
		$a_00_2 = {5b 44 6f 77 6e 5d } //01 00  [Down]
		$a_00_3 = {5b 52 69 67 68 74 5d } //01 00  [Right]
		$a_00_4 = {5b 4c 65 66 74 5d } //01 00  [Left]
		$a_00_5 = {5b 50 61 67 65 44 6f 77 6e 5d } //01 00  [PageDown]
		$a_00_6 = {5b 45 6e 64 5d } //01 00  [End]
		$a_00_7 = {5b 44 65 6c 5d } //01 00  [Del]
		$a_00_8 = {5b 50 61 67 65 55 70 5d } //01 00  [PageUp]
		$a_00_9 = {5b 48 6f 6d 65 5d } //01 00  [Home]
		$a_00_10 = {5b 49 6e 73 65 72 74 5d } //01 00  [Insert]
		$a_00_11 = {5b 53 63 72 6f 6c 6c 20 4c 6f 63 6b 5d } //01 00  [Scroll Lock]
		$a_00_12 = {5b 50 72 69 6e 74 20 53 63 72 65 65 6e 5d } //01 00  [Print Screen]
		$a_00_13 = {5b 57 49 4e 5d } //01 00  [WIN]
		$a_00_14 = {5b 43 54 52 4c 5d } //01 00  [CTRL]
		$a_00_15 = {5b 54 41 42 5d } //01 00  [TAB]
		$a_00_16 = {5b 46 31 32 5d } //01 00  [F12]
		$a_00_17 = {5b 46 31 31 5d } //01 00  [F11]
		$a_00_18 = {5b 46 31 30 5d } //01 00  [F10]
		$a_00_19 = {5b 45 53 43 5d } //01 00  [ESC]
		$a_00_20 = {3c 45 6e 74 65 72 3e } //01 00  <Enter>
		$a_00_21 = {3c 42 61 63 6b 3e } //01 00  <Back>
		$a_01_22 = {2d 2d 2d 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2d 2d 2d } //01 00  ---Internet Explorer---
		$a_01_23 = {70 61 73 73 77 6f 72 44 } //01 00  passworD
		$a_00_24 = {73 76 63 68 6f 73 74 2e 65 78 65 } //01 00  svchost.exe
		$a_00_25 = {57 00 69 00 6e 00 6c 00 6f 00 67 00 6f 00 6e 00 2e 00 65 00 78 00 65 00 } //01 00  Winlogon.exe
		$a_00_26 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 5c 00 49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 74 00 20 00 45 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 5c 00 69 00 65 00 78 00 70 00 6c 00 6f 00 72 00 65 00 2e 00 65 00 78 00 65 00 } //01 00  \Program Files\Internet Explorer\iexplore.exe
		$a_00_27 = {4d 00 79 00 20 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 20 00 57 00 69 00 6e 00 64 00 6f 00 77 00 } //01 00  My Capture Window
		$a_00_28 = {41 00 63 00 63 00 65 00 70 00 74 00 3a 00 20 00 2a 00 2f 00 2a 00 } //00 00  Accept: */*
	condition:
		any of ($a_*)
 
}