DefenderYara/TrojanSpy/Win32/Banker/TrojanSpy_Win32_Banker_AFI.yar


// Microsoft Defender signature TrojanSpy:Win32/Banker.AFI rendered as a YARA rule.
// Each pattern is written as a text string with the `wide` modifier, which matches
// the UTF-16LE encoding -- byte for byte the same as the original two-byte-per-
// character hex patterns, so the match set is unchanged.
rule TrojanSpy_Win32_Banker_AFI
{
    meta:
        description = "TrojanSpy:Win32/Banker.AFI,SIGNATURE_TYPE_PEHSTR_EXT,ffffffa0 00 ffffff8c 00 0b 00 00 32 00 "

    strings:
        // The value at the end of each original comment (0x32, 0x14, 0x05, 0x00)
        // looks like the per-string weight of the PEHSTR_EXT signature -- not
        // verified here. It is kept for reference only and plays no part in matching.
        $a_01_0  = "Kqz6L5T1KaLSJKb3KazJJqPKN5T9JaHFLrDSGrLIKaLEL5P5KbD9JqvSKbLE" wide  // 0x32
        $a_01_1  = "INHX+Y" wide                                                        // 0x32
        $a_01_2  = "visitasnet.com/j1/conect.php" wide                                  // 0x14, URL path fragment
        $a_01_3  = "SczqQMvXFLLGH45KHG" wide                                            // 0x14
        $a_01_4  = "GpfSK79lPt9XRKHXT65S" wide                                          // 0x14
        $a_01_5  = "IKfKCrHYDK9FOKmvH69OE4bXTaTIIsrmGp0" wide                           // 0x14
        $a_01_6  = "colocando no Iexplorer" wide                                        // 0x05, Portuguese: "placing in Iexplorer"
        $a_01_7  = "0j84PbQNHl851XSc4WLczZwW" wide                                      // 0x05
        $a_01_8  = "GPN9pRsvkOMnfTEa" wide                                              // 0x05
        $a_01_9  = "GScbsONHb849XRci" wide                                              // 0x05
        $a_01_10 = "LRcbZR65pSm" wide                                                   // 0x00

    condition:
        // A single string hit is enough. The weights noted above are not summed
        // against a threshold, so a short pattern such as $a_01_1 or the zero-
        // weight $a_01_10 can fire the rule on its own -- worth keeping in mind
        // when triaging hits from this rule.
        any of ($a_*)
}