qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/Trojan/O97M/Donoff/Trojan_O97M_Donoff_GA_MSR.yar

13 lines
591 B
Plaintext
Raw Permalink Blame History

rule Trojan_O97M_Donoff_GA_MSR{
meta:
description = "Trojan:O97M/Donoff.GA!MSR,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 03 00 00 "
strings :
$a_02_0 = {2b 20 43 68 72 28 [0-10] 20 58 6f 72 20 [0-10] 29 } //2
$a_02_1 = {3d 20 56 61 6c 28 22 26 48 22 20 26 20 28 4d 69 64 24 28 46 46 46 46 2c 20 28 32 20 2a 20 [0-10] 29 20 2d 20 31 2c 20 32 29 29 29 } //2
$a_02_2 = {4d 69 64 28 [0-08] 2c 20 69 2c 20 31 29 20 3d 20 43 68 72 28 41 73 63 28 4d 69 64 28 [0-08] 2c 20 69 2c 20 31 29 29 20 2d 20 6e 29 } //2
condition:
((#a_02_0 & 1)*2+(#a_02_1 & 1)*2+(#a_02_2 & 1)*2) >=6
}
Reference in New Issue View Git Blame Copy Permalink