DefenderYara/TrojanSpy/Win32/Bancos/TrojanSpy_Win32_Bancos_AKZ.yar


// Detection rule for TrojanSpy:Win32/Bancos.AKZ (first of two variants in this file).
// Auto-converted from a Defender PEHSTR_EXT signature: the "description" meta keeps the
// original signature header; the bytes "16 00 16 00 0a 00 00" appear to encode the
// score threshold (0x16 = 22, matching the condition) and the string count (0x0a = 10).
rule TrojanSpy_Win32_Bancos_AKZ{
meta:
description = "TrojanSpy:Win32/Bancos.AKZ,SIGNATURE_TYPE_PEHSTR_EXT,16 00 16 00 0a 00 00 "
strings :
// $a_01_0 .. $a_01_7: UTF-16LE (wide) text, weight 1 each. The trailing "//N <text>"
// comment on each line gives the weight and the decoded string; the hex-digit-looking
// values are opaque tokens carried by the sample (their meaning is not documented here).
$a_01_0 = {37 00 44 00 43 00 31 00 34 00 36 00 43 00 42 00 36 00 32 00 } //1 7DC146CB62
$a_01_1 = {44 00 46 00 36 00 34 00 42 00 39 00 34 00 37 00 45 00 38 00 } //1 DF64B947E8
$a_01_2 = {36 00 30 00 44 00 36 00 32 00 44 00 45 00 38 00 31 00 45 00 33 00 45 00 46 00 34 00 31 00 44 00 30 00 43 00 31 00 34 00 45 00 35 00 32 00 35 00 } //1 60D62DE81E3EF41D0C14E525
$a_01_3 = {32 00 32 00 31 00 34 00 45 00 38 00 32 00 43 00 43 00 33 00 36 00 34 00 39 00 45 00 34 00 33 00 33 00 36 00 43 00 45 00 35 00 41 00 41 00 39 00 } //1 2214E82CC3649E4336CE5AA9
$a_01_4 = {32 00 32 00 31 00 34 00 45 00 41 00 32 00 31 00 44 00 43 00 30 00 30 00 32 00 37 00 44 00 43 00 37 00 39 00 38 00 36 00 39 00 31 00 44 00 37 00 31 00 45 00 44 00 46 00 30 00 33 00 } //1 2214EA21DC0027DC798691D71EDF03
$a_01_5 = {43 00 45 00 34 00 31 00 44 00 39 00 33 00 36 00 46 00 37 00 31 00 44 00 33 00 38 00 45 00 42 00 30 00 41 00 31 00 37 00 45 00 30 00 36 00 37 00 38 00 46 00 41 00 45 00 35 00 30 00 } //1 CE41D936F71D38EB0A17E0678FAE50
$a_01_6 = {30 00 35 00 32 00 30 00 45 00 46 00 32 00 34 00 44 00 35 00 30 00 33 00 32 00 45 00 33 00 44 00 44 00 35 00 37 00 46 00 } //1 0520EF24D5032E3DD57F
$a_01_7 = {39 00 31 00 38 00 37 00 42 00 42 00 35 00 45 00 39 00 37 00 34 00 44 00 38 00 32 00 41 00 34 00 35 00 30 00 44 00 44 00 35 00 44 00 43 00 32 00 37 00 33 00 38 00 35 00 42 00 32 00 36 00 31 00 38 00 42 00 43 00 46 00 30 00 35 00 34 00 45 00 30 00 32 00 37 00 43 00 43 00 36 00 31 00 31 00 34 00 44 00 38 00 42 00 33 00 30 00 39 00 31 00 38 00 41 00 46 00 42 00 31 00 30 00 46 00 31 00 30 00 30 00 31 00 45 00 43 00 33 00 37 00 45 00 39 00 32 00 44 00 39 00 30 00 30 00 33 00 41 00 45 00 44 00 31 00 38 00 44 00 35 00 34 00 46 00 43 00 43 00 37 00 42 00 41 00 46 00 32 00 31 00 42 00 33 00 36 00 34 00 46 00 41 00 35 00 43 00 44 00 46 00 30 00 42 00 42 00 44 00 30 00 31 00 30 00 45 00 33 00 31 00 44 00 42 00 } //1 9187BB5E974D82A450DD5DC27385B2618BCF054E027CC6114D8B30918AFB10F1001EC37E92D9003AED18D54FCC7BAF21B364FA5CDF0BBD010E31DB
// $a_01_8: wide text marker "jauSAFGGhgh_SEC_537", weight 10 -- the strongest string indicator.
$a_01_8 = {6a 00 61 00 75 00 53 00 41 00 46 00 47 00 47 00 68 00 67 00 68 00 5f 00 53 00 45 00 43 00 5f 00 35 00 33 00 37 00 } //10 jauSAFGGhgh_SEC_537
// $a_01_9: raw x86 code bytes (not text), weight 10. Shared verbatim with the _2 rule below.
$a_01_9 = {be 01 00 00 00 8b 45 f0 0f b7 44 70 fe 33 } //10
condition:
// Weighted score >= 22 out of a maximum of 28 (8*1 + 10 + 10): both weight-10 strings
// must be present plus at least two of the weight-1 strings.
// NOTE(review): "#a & 1" takes the low bit of the occurrence count, so a string that
// occurs an even number of times contributes 0; this is an artefact of the automated
// conversion, and "$a_01_n" would be the plain presence test -- left unchanged here.
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*10+(#a_01_9 & 1)*10) >=22
}
// Second variant rule for TrojanSpy:Win32/Bancos.AKZ. Same signature family and conversion
// as the rule above; the header bytes "0e 00 0e 00 08 00 00" appear to encode the score
// threshold (0x0e = 14, matching the condition) and the string count (0x08 = 8).
rule TrojanSpy_Win32_Bancos_AKZ_2{
meta:
description = "TrojanSpy:Win32/Bancos.AKZ,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0e 00 08 00 00 "
strings :
// $a_01_0 .. $a_01_6: UTF-16LE (wide) text tokens, weight 1 each; the "//1 <text>"
// comment gives the decoded string. $a_01_2 ("7DC146CB62") also appears in the first rule.
$a_01_0 = {45 00 36 00 32 00 43 00 45 00 46 00 32 00 39 00 43 00 42 00 37 00 43 00 45 00 43 00 31 00 31 00 33 00 38 00 46 00 36 00 } //1 E62CEF29CB7CEC1138F6
$a_01_1 = {36 00 46 00 41 00 34 00 36 00 41 00 42 00 45 00 37 00 31 00 39 00 37 00 38 00 33 00 42 00 30 00 36 00 45 00 38 00 41 00 } //1 6FA46ABE719783B06E8A
$a_01_2 = {37 00 44 00 43 00 31 00 34 00 36 00 43 00 42 00 36 00 32 00 } //1 7DC146CB62
$a_01_3 = {39 00 35 00 39 00 45 00 36 00 37 00 41 00 31 00 35 00 30 00 46 00 38 00 32 00 33 00 31 00 36 00 43 00 44 00 32 00 45 00 43 00 35 00 } //1 959E67A150F82316CD2EC5
$a_01_4 = {44 00 33 00 35 00 41 00 43 00 43 00 34 00 39 00 46 00 43 00 33 00 30 00 45 00 31 00 30 00 34 00 33 00 31 00 46 00 45 00 33 00 43 00 45 00 31 00 31 00 34 00 32 00 34 00 44 00 33 00 30 00 30 00 32 00 43 00 41 00 45 00 32 00 36 00 41 00 44 00 41 00 32 00 44 00 43 00 36 00 35 00 46 00 37 00 36 00 34 00 45 00 34 00 36 00 46 00 44 00 30 00 34 00 41 00 42 00 42 00 35 00 30 00 42 00 31 00 34 00 30 00 44 00 45 00 30 00 32 00 33 00 30 00 43 00 30 00 30 00 38 00 33 00 36 00 45 00 30 00 30 00 34 00 33 00 36 00 46 00 37 00 32 00 39 00 32 00 41 00 44 00 45 00 30 00 33 00 35 00 34 00 38 00 30 00 39 00 30 00 } //1 D35ACC49FC30E10431FE3CE11424D3002CAE26ADA2DC65F764E46FD04ABB50B140DE0230C00836E00436F7292ADE03548090
$a_01_5 = {31 00 39 00 31 00 46 00 31 00 33 00 46 00 37 00 30 00 44 00 43 00 30 00 37 00 45 00 39 00 38 00 34 00 43 00 44 00 39 00 35 00 31 00 46 00 36 00 33 00 46 00 46 00 31 00 32 00 31 00 44 00 33 00 31 00 38 00 42 00 32 00 32 00 41 00 41 00 39 00 41 00 45 00 32 00 33 00 41 00 46 00 33 00 41 00 41 00 36 00 32 00 31 00 41 00 42 00 32 00 44 00 45 00 45 00 30 00 34 00 31 00 38 00 46 00 39 00 30 00 38 00 31 00 36 00 43 00 42 00 30 00 36 00 31 00 41 00 35 00 31 00 38 00 46 00 34 00 41 00 46 00 44 00 32 00 38 00 43 00 35 00 35 00 46 00 46 00 43 00 32 00 42 00 44 00 46 00 37 00 31 00 45 00 33 00 33 00 34 00 } //1 191F13F70DC07E984CD951F63FF121D318B22AA9AE23AF3AA621AB2DEE0418F90816CB061A518F4AFD28C55FFC2BDF71E334
$a_01_6 = {33 00 37 00 31 00 36 00 45 00 35 00 33 00 32 00 43 00 37 00 37 00 35 00 39 00 43 00 41 00 46 00 34 00 32 00 45 00 42 00 } //1 3716E532C7759CAF42EB
// $a_01_7: raw x86 code bytes, weight 10; identical to $a_01_9 of the first rule.
$a_01_7 = {be 01 00 00 00 8b 45 f0 0f b7 44 70 fe 33 } //10
condition:
// Weighted score >= 14 out of a maximum of 17 (7*1 + 10): the code-byte string is
// mandatory and at least four of the seven weight-1 text tokens must also be present.
// NOTE(review): as in the first rule, "#a & 1" is the low bit of the occurrence count
// (even counts contribute 0), an artefact of the conversion rather than a presence test.
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*10) >=14
}