
// Detection signature for the Office macro downloader family Powdow (variant HU).
// The macro stores its payload as hex text, so most patterns below match the
// ASCII hex characters of a command line rather than the command line itself.
// The "//1 ..." trailing comment on each string is the first decode of the
// matched bytes (the hex text as it appears in the document); a second decode
// of that text gives the underlying string, noted above each pattern.
rule TrojanDownloader_O97M_Powdow_HU_MTB{
meta:
description = "TrojanDownloader:O97M/Powdow.HU!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,08 00 08 00 08 00 00 "
strings :
// ".RegWrite " followed by up to 10 arbitrary bytes ([0-0a]) and then the hex text
// `("484B43555C456E7669726F6E6D656E745C77696E646972` — which decodes to
// `("HKCU\Environment\windir`: the macro writes the per-user "windir" environment value.
$a_02_0 = {2e 52 65 67 57 72 69 74 65 20 [0-0a] 28 22 34 38 34 42 34 33 35 35 35 43 34 35 36 45 37 36 36 39 37 32 36 46 36 45 36 44 36 35 36 45 37 34 35 43 37 37 36 39 36 45 36 34 36 39 37 32 } //1
// Hex text of `cmd /c schtasks /run /tn \` — an existing scheduled task is triggered by name
// (the task name follows the trailing backslash and is not part of the pattern).
$a_00_1 = {36 33 36 44 36 34 32 30 32 46 36 33 32 30 37 33 36 33 36 38 37 34 36 31 37 33 36 42 37 33 32 30 32 46 37 32 37 35 36 45 32 30 32 46 37 34 36 45 32 30 35 43 } //1 636D64202F63207363687461736B73202F72756E202F746E205C
// Hex text of `-Sleep 2; Start-Process $env:appdata\Fema_Notice.exe;&REM` —
// PowerShell launches a dropped file from %APPDATA% (file name as in the sample).
$a_00_2 = {32 44 35 33 36 43 36 35 36 35 37 30 32 30 33 32 33 42 32 30 35 33 37 34 36 31 37 32 37 34 32 44 35 30 37 32 36 46 36 33 36 35 37 33 37 33 32 30 32 34 36 35 36 45 37 36 33 41 36 31 37 30 37 30 36 34 36 31 37 34 36 31 35 43 34 36 36 35 36 44 36 31 35 46 34 45 36 46 37 34 36 39 36 33 36 35 32 45 36 35 37 38 36 35 33 42 32 36 35 32 34 35 34 44 } //1 2D536C65657020323B2053746172742D50726F636573732024656E763A617070646174615C46656D615F4E6F746963652E6578653B2652454D
// Hex text of `cmd /c start p^owersh^el^l -w 1 Add` — caret-obfuscated "powershell"
// started with a hidden window (-w 1); "Add" is the start of the next cmdlet.
$a_00_3 = {36 33 36 44 36 34 32 30 32 46 36 33 32 30 37 33 37 34 36 31 37 32 37 34 32 30 37 30 35 45 36 46 37 37 36 35 37 32 37 33 36 38 35 45 36 35 36 43 35 45 36 43 32 30 32 44 37 37 32 30 33 31 32 30 34 31 36 34 36 34 } //1 636D64202F6320737461727420705E6F77657273685E656C5E6C202D77203120416464
// Hex text of `https://onedrive.live.com/download?cid=F7D4728A6DCE3F93` — the download
// URL; the cid value is a sample-specific indicator, so this string is the most brittle one.
$a_00_4 = {36 38 37 34 37 34 37 30 37 33 33 41 32 46 32 46 36 46 36 45 36 35 36 34 37 32 36 39 37 36 36 35 32 45 36 43 36 39 37 36 36 35 32 45 36 33 36 46 36 44 32 46 36 34 36 46 37 37 36 45 36 43 36 46 36 31 36 34 33 46 36 33 36 39 36 34 33 44 34 36 33 37 34 34 33 34 33 37 33 32 33 38 34 31 33 36 34 34 34 33 34 35 33 33 34 36 33 39 33 33 } //1 68747470733A2F2F6F6E6564726976652E6C6976652E636F6D2F646F776E6C6F61643F6369643D46374434373238413644434533463933
// Hex text of `&resid=F7D4728A6DCE3F93%211107&authkey=AIC8YKtTPdlsmbs',(` — the rest of
// the same OneDrive query string (resid and authkey), equally sample-specific.
$a_00_5 = {32 36 37 32 36 35 37 33 36 39 36 34 33 44 34 36 33 37 34 34 33 34 33 37 33 32 33 38 34 31 33 36 34 34 34 33 34 35 33 33 34 36 33 39 33 33 32 35 33 32 33 31 33 31 33 30 33 37 32 36 36 31 37 35 37 34 36 38 36 42 36 35 37 39 33 44 34 31 34 39 34 33 33 38 35 39 34 42 37 34 35 34 35 30 36 34 36 43 37 33 36 44 36 32 37 33 32 37 32 43 32 38 } //1 2672657369643D4637443437323841364443453346393325323131303726617574686B65793D41494338594B745450646C736D6273272C28
// Plain ".Run (" with 0-2 arbitrary bytes before the closing ")" — the macro's
// process-launch call (presumably on a WScript.Shell-style object; not shown here).
$a_02_6 = {2e 52 75 6e 20 28 [0-02] 29 } //1
// Plain ".RegDelete" — the written registry value is removed again afterwards.
$a_00_7 = {2e 52 65 67 44 65 6c 65 74 65 } //1 .RegDelete
condition:
// Every string carries weight 1 and the threshold is 8 with 8 strings defined,
// so this is equivalent to "all of them": a sample must contain the RegWrite,
// the schtasks trigger, both PowerShell fragments, both URL fragments, the Run
// call and the RegDelete to match. Dropping any one string would loosen the rule.
((#a_02_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_02_6 & 1)*1+(#a_00_7 & 1)*1) >=8
}