DefenderYara/HackTool/Win32/RefPeInj/HackTool_Win32_RefPeInj_A_.yar


rule HackTool_Win32_RefPeInj_A_
{
    meta:
        description = "HackTool:Win32/RefPeInj.A!!RefPeInj.gen!A,SIGNATURE_TYPE_ARHSTR_EXT,05 00 05 00 07 00 00 "

    strings:
        // Every pattern below is the UTF-16LE form of the quoted text. The
        // `wide` modifier on its own (no `ascii`) matches exactly that
        // interleaved-NUL byte sequence, so these are byte-for-byte the same
        // patterns as the hex-encoded originals. The trailing number is the
        // weight each string carries in the condition.
        $a_00_0 = "ReflectivePE" wide                                                                  // weight 1
        $a_00_1 = "ReflectiveExe" wide                                                                 // weight 1
        $a_00_2 = "$RemoteScriptBlock -ArgumentList @($PEBytes" wide                                   // weight 2
        $a_00_3 = "@(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)" wide  // weight 3
        $a_00_4 = "$LoadLibrarySC" wide                                                                // weight 1
        $a_00_5 = "$GetProcAddressSC" wide                                                             // weight 1
        $a_00_6 = "$CallDllMainSC" wide                                                                // weight 1

    condition:
        // Weighted score: each string adds its weight when (#count & 1) is 1.
        // Note that `#x & 1` is the low bit of the match count, so a string
        // contributes only when it occurs an odd number of times (two hits
        // score 0). This is kept as-is to preserve the original rule's
        // behaviour; it appears to come from an automated conversion.
        // The maximum attainable score is 10; the rule fires at 5 or more,
        // e.g. the weight-3 and weight-2 strings together, or the weight-3
        // string plus any two weight-1 strings.
        (#a_00_0 & 1) * 1 +
        (#a_00_1 & 1) * 1 +
        (#a_00_2 & 1) * 2 +
        (#a_00_3 & 1) * 3 +
        (#a_00_4 & 1) * 1 +
        (#a_00_5 & 1) * 1 +
        (#a_00_6 & 1) * 1 >= 5
}