DefenderYara/TrojanSpy/Win32/Aibatook/TrojanSpy_Win32_Aibatook_C.yar


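rule TrojanSpy_Win32_Aibatook_C
{
    meta:
        // Mechanically converted from a Microsoft Defender signature. The
        // description keeps the original detection name, the signature type
        // (PEHSTR_EXT = PE header-string signature) and its raw header bytes;
        // it is preserved byte-for-byte as provenance for the conversion.
        description = "TrojanSpy:Win32/Aibatook.C,SIGNATURE_TYPE_PEHSTR_EXT,03 00 02 00 05 00 00 "

    strings:
        // NUL-delimited ASCII token "8C9DD366AD97DA". (The generated comment in
        // the upstream file rendered these bytes as UTF-16 and was unreadable.)
        // Its role is not determinable from the bytes alone; looks like a
        // hex-encoded identifier or key constant.
        $a_01_0 = { 00 38 43 39 44 44 33 36 36 41 44 39 37 44 41 00 }   // weight 1: "\x008C9DD366AD97DA\x00"

        // 65-character ASCII hex constant embedded in the sample. Purpose
        // unknown from here (plausibly a key or config blob) -- treat as an
        // opaque family marker.
        $a_01_1 = { 39 45 38 32 43 35 35 36 42 42 38 32 43 39 43 34 39 31 41 30 43 41 34 31 42 45 38 43 43 38 43 45 41 42 39 39 46 46 37 35 41 35 38 44 44 46 43 45 42 41 39 45 46 46 36 31 42 39 39 31 43 39 43 34 41 }   // weight 1: "9E82C556BB82C9C491A0CA41BE8CC8CEAB99FF75A58DDFCEBA9EFF61B991C9C4A"

        // Payment-card field names packed back to back:
        // "CardNum\0ExpM\0\0\0\0ExpY" -- card number plus expiry month/year,
        // consistent with form-grabbing of card data.
        $a_00_2 = { 43 61 72 64 4e 75 6d 00 45 78 70 4d 00 00 00 00 45 78 70 59 }   // weight 1

        // "\0?MAC=\0" followed within 10 bytes by "&VER=\0": query-string
        // parameter names, presumably a check-in URL reporting the host MAC
        // address and a malware version (inferred from the names only).
        $a_03_3 = { 00 3f 4d 41 43 3d 00 [0-10] 26 56 45 52 3d 00 }   // weight 1

        // "aikotoba" (Japanese for "password") within 10 bytes of
        // "loginPassword" -- credential-field naming that suggests a
        // Japanese-language login form is targeted (inferred, not confirmed).
        $a_02_4 = { 61 69 6b 6f 74 6f 62 61 [0-10] 6c 6f 67 69 6e 50 61 73 73 77 6f 72 64 }   // weight 1

    condition:
        // Every string carries weight 1 and the threshold is 2, so the
        // converted weighted sum is equivalent to "at least two distinct
        // strings present". The generated form used (#x & 1)*1, which is the
        // *parity* of the match count, not presence: a string found 2, 4, ...
        // times contributed 0, so a sample containing all five strings an
        // even number of times each would not match. "2 of them" tests
        // presence, which is the signature's intended semantics.
        //
        // PEHSTR_EXT means Defender evaluated this against PE files only; if
        // this rule is run over arbitrary data, consider prefixing the
        // condition with `uint16(0) == 0x5A4D and` to restore that scope.
        2 of them
}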