DefenderYara/TrojanSpy/Win32/Bancos/TrojanSpy_Win32_Bancos_gen_...


// TrojanSpy:Win32/Bancos.gen!U — a Defender PEHSTR_EXT signature converted to YARA.
// Every string is a raw byte pattern; the trailing comment on each line gives the
// weight it carries in the condition and, where the bytes are printable, the
// decoded ASCII. The condition is a weighted sum over the strings, and the rule
// fires when that sum reaches 1436 (see the note on `& 1` at the condition).
// The middle digits of each name (_00_/_01_/_02_/_03_) presumably mirror a
// string-type field of the source signature; the _02_/_03_ entries are the ones
// that contain [0-N] jumps — verify against the converter before relying on that.
rule TrojanSpy_Win32_Bancos_gen_U{
meta:
// Keeps the Defender signature name, its type and a little-endian header.
// `9c 05` = 0x059c = 1436 matches the threshold in the condition, and
// `2f 00 00` = 0x2f = 47 matches the number of strings below. The leading
// `ffffffec 05` (0x05ec = 1516) is not explained by anything in this rule —
// NOTE(review): confirm its meaning against the converter.
description = "TrojanSpy:Win32/Bancos.gen!U,SIGNATURE_TYPE_PEHSTR_EXT,ffffffec 05 ffffff9c 05 2f 00 00 "
strings :
// Build-tooling and browser/mail artifacts. The Delphi registry key alone carries
// 1000 of the 1436 threshold; all other positive weights sum to 794, so a file can
// never reach the threshold without $a_01_0.
$a_01_0 = {53 4f 46 54 57 41 52 45 5c 42 6f 72 6c 61 6e 64 5c 44 65 6c 70 68 69 } //1000 SOFTWARE\Borland\Delphi
$a_01_1 = {4d 6f 7a 69 6c 6c 61 57 69 6e 64 6f 77 43 6c 61 73 73 } //200 MozillaWindowClass
$a_01_2 = {6d 75 6c 74 69 70 61 72 74 2f 6d 69 78 65 64 3b 20 62 6f 75 6e 64 61 72 79 3d } //200 multipart/mixed; boundary=
// Form-field sequences with bounded gaps ([0-N] = 0 to N arbitrary bytes).
// Portuguese banking terms: Agencia = branch, Conta = account, Senha = password,
// Digito = digit.
$a_02_3 = {41 67 65 6e 63 69 61 [0-21] 43 6f 6e 74 61 [0-50] 53 65 6e 68 61 } //100 Agencia [0-21] Conta [0-50] Senha
$a_02_4 = {43 6f 6e 74 61 3a 2e 2e 2e [0-30] 53 65 6e 68 61 [0-30] 44 69 67 69 74 6f } //100 Conta:... [0-30] Senha [0-30] Digito
// MIME boundary and SMTP host fragments.
$a_01_5 = {62 6f 75 6e 64 61 72 79 3d 22 3d 5f 4e 65 78 74 50 61 72 74 5f 32 72 65 6c } //10 boundary="=_NextPart_2rel
$a_01_6 = {67 6d 61 69 6c 2d 73 6d 74 70 2d 69 6e 2e 6c 2e 67 6f 6f 67 6c 65 2e 63 6f 6d } //10 gmail-smtp-in.l.google.com
// "3Click", the bytes 13 00, a gap of up to 10 bytes, then "Image".
$a_03_7 = {33 43 6c 69 63 6b 13 00 [0-10] 49 6d 61 67 65 } //5 3Click [13 00] [0-10] Image
// Brazilian bank names and banking-related text, weight 5 each. Note that
// upper-/lower-case variants (santander/Santander, banespa/Banespa) are separate
// strings and are each counted once.
$a_00_8 = {63 61 69 78 61 } //5 caixa
$a_00_9 = {62 61 6e 63 6f 62 72 61 73 69 6c } //5 bancobrasil
$a_00_10 = {76 69 72 75 73 20 73 65 6d 70 72 65 20 61 74 75 61 6c 69 7a 61 64 6f } //5 virus sempre atualizado
$a_00_11 = {62 61 6e 63 6f 72 65 61 6c } //5 bancoreal
$a_00_12 = {41 42 4e 20 41 4d 52 4f 20 } //5 ABN AMRO
$a_00_13 = {50 6f 72 74 61 6c 20 42 72 61 73 69 6c } //5 Portal Brasil
$a_01_14 = {73 61 6e 74 61 6e 64 65 72 } //5 santander
$a_00_15 = {42 61 6e 63 6f } //5 Banco
$a_01_16 = {53 61 6e 74 61 6e 64 65 72 } //5 Santander
$a_01_17 = {62 61 6e 65 73 70 61 } //5 banespa
$a_00_18 = {62 72 61 64 65 73 63 6f } //5 bradesco
$a_00_19 = {47 65 72 65 6e 63 69 61 64 6f 72 } //5 Gerenciador
$a_00_20 = {46 69 6e 61 6e 63 65 69 72 6f } //5 Financeiro
$a_01_21 = {42 61 6e 65 73 70 61 } //5 Banespa
$a_00_22 = {69 74 61 75 2e 63 6f 6d } //5 itau.com
$a_00_23 = {62 62 2e 63 6f 6d 2e 62 72 } //5 bb.com.br
$a_00_24 = {5c 47 62 50 6c 75 67 69 6e 5c } //5 \GbPlugin\
// Key/mouse event names and UI strings; the *KeyPress / *MouseDown entries look
// like event-handler names (presumably Delphi OnKeyPress/OnMouseDown handlers —
// not verifiable from the bytes alone).
$a_01_25 = {28 4c 53 68 69 66 74 20 68 6f 63 68 29 } //10 (LShift hoch)
$a_01_26 = {42 72 61 64 65 73 63 6f 20 49 6e 74 65 72 6e 65 74 20 42 61 6e 6b 69 6e 67 } //12 Bradesco Internet Banking
$a_00_27 = {4b 65 79 50 72 65 73 73 } //2 KeyPress
$a_00_28 = {41 67 65 6e 63 69 61 4b 65 79 50 72 65 73 73 } //7 AgenciaKeyPress
$a_00_29 = {43 6f 6e 74 61 4b 65 79 50 72 65 73 73 } //7 ContaKeyPress
$a_00_30 = {54 69 74 75 6c 61 72 2e 2e 2e } //6 Titular...
$a_00_31 = {43 6f 6e 74 61 2e 2e 2e } //6 Conta...
$a_00_32 = {64 69 67 69 74 6f 73 2e } //5 digitos.
$a_00_33 = {69 6d 67 4c 6f 67 69 6e } //4 imgLogin
$a_00_34 = {69 6d 67 43 6f 6e 66 69 72 6d } //3 imgConfirm
$a_00_35 = {30 4d 6f 75 73 65 44 6f 77 6e } //2 0MouseDown
// Path of the per-user/per-machine Run autostart key.
$a_00_36 = {53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e } //3 Software\Microsoft\Windows\CurrentVersion\Run
// Low-weight generic Portuguese words (password, secret, virtual keyboard, photos,
// file, identify, incorrect); individually they add little to the score.
$a_00_37 = {53 65 6e 68 61 } //3 Senha
$a_00_38 = {73 65 63 72 65 74 61 } //2 secreta
$a_00_39 = {6f 20 54 65 63 6c 61 64 6f 20 56 69 72 74 75 61 6c } //4 o Teclado Virtual
$a_00_40 = {54 65 63 6c 61 64 6f } //1 Teclado
$a_00_41 = {70 72 69 76 61 63 } //1 privac
$a_00_42 = {66 6f 74 6f 73 } //2 fotos
$a_00_43 = {41 72 71 75 69 76 6f } //1 Arquivo
$a_00_44 = {69 64 65 6e 74 69 66 69 63 } //2 identific
$a_00_45 = {69 6e 63 6f 72 72 65 74 61 } //1 incorreta
// Negative weight: the presence of this string subtracts 200 from the score.
// The converter's original comment was a UTF-16LE misdecode of these bytes; they
// are the ASCII "@loghaus.com.br" followed by a NUL terminator.
$a_00_46 = {40 6c 6f 67 68 61 75 73 2e 63 6f 6d 2e 62 72 00 } //-200 @loghaus.com.br (NUL)
condition:
// Weighted sum over the strings above, compared against the threshold 1436.
// NOTE(review): `#x` is the match count and `#x & 1` is its lowest bit, so each
// term is 1 only when the string occurs an ODD number of times — a string that
// occurs twice (or any even count) contributes nothing. This is how the converter
// emits these rules; it behaves as a simple presence test only when each pattern
// occurs at most once per file.
((#a_01_0 & 1)*1000+(#a_01_1 & 1)*200+(#a_01_2 & 1)*200+(#a_02_3 & 1)*100+(#a_02_4 & 1)*100+(#a_01_5 & 1)*10+(#a_01_6 & 1)*10+(#a_03_7 & 1)*5+(#a_00_8 & 1)*5+(#a_00_9 & 1)*5+(#a_00_10 & 1)*5+(#a_00_11 & 1)*5+(#a_00_12 & 1)*5+(#a_00_13 & 1)*5+(#a_01_14 & 1)*5+(#a_00_15 & 1)*5+(#a_01_16 & 1)*5+(#a_01_17 & 1)*5+(#a_00_18 & 1)*5+(#a_00_19 & 1)*5+(#a_00_20 & 1)*5+(#a_01_21 & 1)*5+(#a_00_22 & 1)*5+(#a_00_23 & 1)*5+(#a_00_24 & 1)*5+(#a_01_25 & 1)*10+(#a_01_26 & 1)*12+(#a_00_27 & 1)*2+(#a_00_28 & 1)*7+(#a_00_29 & 1)*7+(#a_00_30 & 1)*6+(#a_00_31 & 1)*6+(#a_00_32 & 1)*5+(#a_00_33 & 1)*4+(#a_00_34 & 1)*3+(#a_00_35 & 1)*2+(#a_00_36 & 1)*3+(#a_00_37 & 1)*3+(#a_00_38 & 1)*2+(#a_00_39 & 1)*4+(#a_00_40 & 1)*1+(#a_00_41 & 1)*1+(#a_00_42 & 1)*2+(#a_00_43 & 1)*1+(#a_00_44 & 1)*2+(#a_00_45 & 1)*1+(#a_00_46 & 1)*-200) >=1436
}