DefenderYara/Exploit/Win32/Senglot/Exploit_Win32_Senglot_M.yar


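rule Exploit_Win32_Senglot_M{
meta:
description = "Exploit:Win32/Senglot.M,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 "
strings :
// Raw byte patterns converted from a Defender PEHSTR_EXT signature. The "//1"
// weight on every string is 1 and the threshold encoded in the description
// (presumably the leading "05 00 ...") is 5, i.e. all five must be present.
// $a_01_0: 5-byte jmp, 4-byte nop pad, then what appears to be a PEB walk
// (64 a1 30 00 00 00 = mov eax, fs:[30h]) and a 14-byte repe cmpsb compare
// (6a 0e 59 f3 a6) — typical of position-independent API lookup; unverified.
$a_01_0 = {e9 f3 00 00 00 90 90 90 90 5a 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 40 08 8b d8 8b 73 3c 8b 74 1e 78 03 f3 8b 7e 20 03 fb 8b 4e 14 33 ed 56 57 51 8b 3f 03 fb 8b f2 6a 0e 59 f3 a6 74 08 59 5f 83 } // weight 1
// $a_01_1: continues the export-table parse (offsets 0x24 / 0x1c off esi) —
// looks like ordinal/address table resolution; unverified.
$a_01_1 = {45 e2 e9 59 5f 5e 8b cd 8b 46 24 03 c3 d1 e1 03 c1 33 c9 66 8b 08 8b 46 1c 03 c3 c1 e1 02 03 c1 8b 00 03 c3 8b fa 8b f7 83 c6 0e 8b d0 6a 04 59 e8 6a 00 00 00 83 ee f3 52 56 ff 57 } // weight 1
// $a_01_2: builds a command line on the stack with mov-immediate stores;
// embedded ASCII fragments are "cmd " (63 6d 64 20), "/c" (2f 63),
// "\a.e" (5c 61 2e 65) and "xe" (78 65) — "CCCC" bytes are filler.
$a_01_2 = {fc 5a 8b d8 6a 01 59 e8 57 00 00 00 83 c6 13 56 46 80 3e 80 75 fa 80 36 80 5e 83 ec 40 8b dc c7 03 63 6d 64 20 43 43 43 43 66 c7 03 2f 63 43 43 c6 03 20 43 6a 20 53 ff 57 ec c7 04 03 5c 61 2e 65 c7 44 03 04 78 65 00 00 33 c0 50 50 53 56 50 } // weight 1
// $a_01_3: code tail followed by the NUL-terminated import names
// "GetProcAddress" and "GetSystemDirectoryA".
$a_01_3 = {ff 57 fc 8b dc 6a 00 53 ff 57 f0 68 51 24 40 00 58 ff d0 33 c0 ac 85 c0 75 f9 51 52 56 53 ff d2 5a 59 ab e2 ee 33 c0 c3 e8 0c ff ff ff 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 47 65 74 53 79 73 74 65 6d 44 69 72 65 63 74 6f 72 79 41 00 } // weight 1
// $a_01_4: NUL-terminated import names "WinExec", "ExitThread",
// "LoadLibraryA", "urlmon", "URLDownloadToFileA" (download-and-run chain).
$a_01_4 = {57 69 6e 45 78 65 63 00 45 78 69 74 54 68 72 65 61 64 00 4c 6f 61 64 4c 69 62 72 61 72 79 41 00 75 72 6c 6d 6f 6e 00 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 00 } // weight 1
condition:
// The generated form ((#a_01_0 & 1)*1 + ... + (#a_01_4 & 1)*1) >= 5 tested the
// low bit of each match COUNT, not presence: a string that occurs an even
// number of times (2, 4, ...) contributed 0 and the rule missed the file.
// With every weight 1 and threshold 5, the intended check is simply "all
// five strings present", which `all of them` expresses exactly.
all of them
}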
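rule Exploit_Win32_Senglot_M_2{
meta:
description = "Exploit:Win32/Senglot.M,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 "
strings :
// Raw byte patterns converted from a Defender PEHSTR_EXT signature. Every
// string carries weight 1 and the threshold (presumably the leading "05 00 ..."
// in the description) is 5, so all five must be present.
// $a_01_0: 6-byte nop pad, then what looks like a byte-wise decode loop
// (80 2e 19 = sub byte [esi],19h; 80 36 01 = xor byte [esi],1) over
// 0x1d2 bytes (66 b9 d2 01); unverified.
$a_01_0 = {90 90 90 90 90 90 33 c0 33 c9 eb 12 5e 66 b9 d2 01 8b fe 80 2e 19 80 36 01 46 e2 f7 eb 05 e8 e9 ff ff ff 8b f7 81 c6 18 00 00 00 81 ef 23 10 40 } // weight 1
// $a_01_1: pushad/cld, then 64 8b 40 30 (mov eax, fs:[eax+30h]) — appears to
// walk the PEB loader list and parse an export table; unverified.
$a_01_1 = {00 e8 65 00 00 00 2b c9 51 ff d0 60 fc 33 c0 64 8b 40 30 85 c0 78 0c 8b 40 0c 8b 70 1c ad 8b 40 08 eb 09 8b 40 34 8d 40 7c 8b 40 3c 8b d0 03 52 3c 8b 52 78 03 d0 8b 5a 20 03 d8 33 c9 8b e8 41 8b 3c 8b 03 f8 8b 37 03 77 04 3b 74 24 24 74 02 eb ed 8b 5a 24 03 dd 66 8b 0c 4b 8b 5a 1c 03 dd } // weight 1
// $a_01_2: push-imm32 / call esi pairs (68 xx xx xx xx ff d6) that look like
// hashed API lookups, with the embedded NUL-terminated strings "URLMON.DLL"
// and "URLDownloadToCacheFileA".
$a_01_2 = {03 2c 8b 89 6c 24 1c 61 c2 04 00 55 8b ec 81 c4 a8 fe ff ff 68 98 d8 c3 d6 ff d6 e8 0b 00 00 00 55 52 4c 4d 4f 4e 2e 44 4c 4c 00 ff d0 93 68 b9 d4 d7 91 ff d6 e8 18 00 00 00 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 43 61 63 68 65 46 69 6c 65 41 00 53 ff d0 b9 04 00 00 00 93 53 51 68 c3 b1 } // weight 1
// $a_01_3: more push-imm32 / call esi sequences and a 0x104-byte (68 04 01
// 00 00) stack buffer, consistent with a path/filename build; unverified.
$a_01_3 = {dd 65 ff d6 2b d2 52 ba d0 07 00 00 52 ff d0 2b d2 52 52 68 04 01 00 00 8d 85 fc fe ff ff c7 00 00 00 00 00 50 8d 87 aa 11 40 00 05 25 00 00 00 50 52 ff d3 68 b0 d1 d9 87 ff d6 8d 9d fc fe ff ff 53 ff d0 59 5b 40 49 0b c0 75 04 0b c9 75 ab 68 b7 d7 b5 d3 ff d6 93 57 8d bd b8 fe ff ff b8 } // weight 1
// $a_01_4: rep stosb zero-fill (f3 aa) and a call with many pushed zeros,
// followed by the embedded ASCII "iexplore.exe " (69 65 78 70 ... 65 20).
$a_01_4 = {44 00 00 00 ab 8b c8 49 49 49 49 33 c0 f3 aa 5f eb 0b 8d 8f 9d 11 40 00 e8 15 00 00 00 90 8d 8d fc fe ff ff e8 09 00 00 00 68 95 ea d8 d7 ff d6 c9 c3 8d 85 a8 fe ff ff 50 8d 85 b8 fe ff ff 50 33 d2 52 52 52 52 52 52 51 52 ff d3 c3 69 65 78 70 6c 6f 72 65 2e 65 78 65 20 } // weight 1
condition:
// The generated form ((#a_01_0 & 1)*1 + ... + (#a_01_4 & 1)*1) >= 5 tested the
// low bit of each match COUNT rather than presence, so a string matching an
// even number of times contributed 0 and the rule silently missed. With all
// weights 1 and threshold 5 the intended check is "all five present".
all of them
}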