DefenderYara/TrojanSpy/Win32/Bancos/TrojanSpy_Win32_Bancos_gen_...


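// Detection rule for the family named in the meta description
// (TrojanSpy:Win32/Bancos.gen!V).
// Every pattern is a UTF-16LE string. $a_01_0..2 consist only of ASCII hex
// digits; they look like hex-encoded obfuscated data whose plaintext is not
// recoverable from this rule (TODO confirm). $a_00_3 is a path to a .vbp
// (Visual Basic project) file, presumably a build path left in the binary.
// The number after "//" on each string line is that string's weight.
rule TrojanSpy_Win32_Bancos_gen_V{
meta:
description = "TrojanSpy:Win32/Bancos.gen!V,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0b 00 04 00 00 "
// NOTE(review): in the byte list above, 0b (11) equals the match threshold and
// 04 the number of strings; what 0c encodes is not visible here, so confirm
// against the signature source before relying on it.
strings :
$a_01_0 = {42 00 31 00 42 00 39 00 42 00 39 00 43 00 38 00 43 00 43 00 41 00 35 00 42 00 36 00 38 00 35 00 38 00 36 00 42 00 35 00 42 00 37 00 43 00 32 00 44 00 33 00 43 00 34 00 43 00 30 00 41 00 37 00 42 00 33 00 38 00 46 00 38 00 37 00 44 00 46 00 43 00 46 00 45 00 32 00 45 00 42 00 44 00 30 00 44 00 46 00 } //1 B1B9B9C8CCA5B68586B5B7C2D3C4C0A7B38F87DFCFE2EBD0DF
$a_01_1 = {44 00 30 00 43 00 46 00 45 00 38 00 44 00 30 00 44 00 42 00 39 00 39 00 43 00 46 00 41 00 32 00 41 00 41 00 39 00 45 00 45 00 31 00 45 00 32 00 45 00 36 00 45 00 36 00 44 00 32 00 43 00 34 00 38 00 46 00 39 00 36 00 41 00 33 00 44 00 44 00 00 00 } //1 D0CFE8D0DB99CFA2AA9EE1E2E6E6D2C48F96A3DD + NUL terminator
$a_01_2 = {39 00 38 00 44 00 39 00 44 00 44 00 44 00 43 00 43 00 46 00 43 00 33 00 39 00 32 00 36 00 31 00 39 00 45 00 45 00 30 00 44 00 30 00 00 00 } //1 98D9DDDCCFC392619EE0D0 + NUL terminator
$a_00_3 = {7a 00 3a 00 5c 00 61 00 62 00 63 00 5c 00 6c 00 6f 00 61 00 64 00 5c 00 6b 00 6f 00 6d 00 62 00 69 00 2e 00 76 00 62 00 70 00 00 00 } //10 z:\abc\load\kombi.vbp + NUL terminator
condition:
// Weights are 1, 1, 1 and 10 with a threshold of 11, so a match needs the
// 10-point project path plus at least one 1-point string.
// The earlier form scored each string with (#x & 1), which is the parity of
// the match count rather than presence: a string occurring an even number of
// times scored 0 and the file was missed. Presence is tested here instead,
// which matches every file the parity form matched and closes that gap.
$a_00_3 and 1 of ($a_01_*)
}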
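// Second detection rule for the family named in the meta description
// (TrojanSpy:Win32/Bancos.gen!V), keyed on a different string set.
// Every pattern is a NUL-terminated UTF-16LE string. $a_01_0..2 consist only
// of ASCII hex digits; they look like hex-encoded obfuscated data whose
// plaintext is not recoverable from this rule (TODO confirm). $a_00_3 is a
// path to a .vbp (Visual Basic project) file, presumably a build path left in
// the binary.
// The number after "//" on each string line is that string's weight.
rule TrojanSpy_Win32_Bancos_gen_V_2{
meta:
description = "TrojanSpy:Win32/Bancos.gen!V,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0b 00 04 00 00 "
// NOTE(review): in the byte list above, 0b (11) equals the match threshold and
// 04 the number of strings; what 0c encodes is not visible here, so confirm
// against the signature source before relying on it.
strings :
$a_01_0 = {44 00 31 00 45 00 34 00 44 00 39 00 45 00 32 00 45 00 37 00 41 00 43 00 39 00 30 00 41 00 32 00 43 00 39 00 44 00 37 00 44 00 39 00 44 00 41 00 39 00 33 00 44 00 34 00 44 00 36 00 41 00 30 00 43 00 34 00 45 00 32 00 44 00 35 00 41 00 34 00 43 00 42 00 45 00 32 00 39 00 34 00 44 00 33 00 44 00 35 00 45 00 32 00 43 00 42 00 41 00 32 00 44 00 34 00 45 00 35 00 44 00 30 00 44 00 39 00 44 00 33 00 45 00 32 00 44 00 41 00 44 00 37 00 38 00 46 00 44 00 35 00 43 00 41 00 00 00 } //1 long hex-digit string (first bytes decode to D1E4D9E2...)
$a_01_1 = {42 00 32 00 42 00 45 00 41 00 42 00 43 00 31 00 43 00 36 00 42 00 46 00 41 00 36 00 39 00 33 00 41 00 42 00 42 00 45 00 41 00 41 00 43 00 36 00 41 00 41 00 39 00 32 00 42 00 39 00 39 00 32 00 42 00 34 00 42 00 38 00 42 00 36 00 42 00 45 00 41 00 41 00 00 00 } //1 B2BEABC1C6BFA693ABBEAAC6AA92B992B4B8B6BEAA
$a_01_2 = {41 00 43 00 42 00 38 00 41 00 36 00 43 00 38 00 42 00 39 00 00 00 } //1 ACB8A6C8B9
$a_00_3 = {7a 00 3a 00 5c 00 75 00 6c 00 74 00 69 00 6d 00 61 00 74 00 65 00 5c 00 63 00 61 00 73 00 61 00 2e 00 76 00 62 00 70 00 00 00 } //10 z:\ultimate\casa.vbp
condition:
// Weights are 1, 1, 1 and 10 with a threshold of 11, so a match needs the
// 10-point project path plus at least one 1-point string.
// The earlier form scored each string with (#x & 1), which is the parity of
// the match count rather than presence: a string occurring an even number of
// times scored 0 and the file was missed. Presence is tested here instead,
// which matches every file the parity form matched and closes that gap.
// NOTE(review): $a_01_2 is only five UTF-16 characters of hex digits and may
// occur in unrelated data; the project path is what keeps this rule specific.
$a_00_3 and 1 of ($a_01_*)
}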