DefenderYara/TrojanSpy/Win32/Banker/TrojanSpy_Win32_Banker_PD.yar


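rule TrojanSpy_Win32_Banker_PD
{
    // Converted from a Defender PEHSTR_EXT signature: the header bytes in `description`
    // encode the match threshold (0x2e = 46), the second threshold (46) and the string
    // count (0x0c = 12). Each string carries the weight given in its trailing comment.
    meta:
        description = "TrojanSpy:Win32/Banker.PD,SIGNATURE_TYPE_PEHSTR_EXT,2e 00 2e 00 0c 00 00 "
    strings:
        // Weight 10 each: download / window-hooking API names (ASCII), the Run-key
        // persistence path and a VB6 project path fragment (both UTF-16LE).
        $a_00_0 = {55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 } //10 URLDownloadToFileA
        $a_00_1 = {46 69 6e 64 57 69 6e 64 6f 77 41 } //10 FindWindowA
        $a_00_2 = {48 00 4b 00 45 00 59 00 5f 00 43 00 55 00 52 00 52 00 45 00 4e 00 54 00 5f 00 55 00 53 00 45 00 52 00 5c 00 53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4d 00 49 00 43 00 52 00 4f 00 53 00 4f 00 46 00 54 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 57 00 53 00 5c 00 43 00 55 00 52 00 52 00 45 00 4e 00 54 00 56 00 45 00 52 00 53 00 49 00 4f 00 4e 00 5c 00 52 00 55 00 4e 00 5c 00 } //10 HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
        // Decoded (UTF-16LE): "\NOVO_PHARMING\" + up to 30 bytes + ".vbp"
        $a_02_3 = {5c 00 4e 00 4f 00 56 00 4f 00 5f 00 50 00 48 00 41 00 52 00 4d 00 49 00 4e 00 47 00 5c 00 [0-30] 2e 00 76 00 62 00 70 00 } //10 \NOVO_PHARMING\[0-30].vbp
        // Weight 1 each: targeted banking / retail domains (UTF-16LE).
        $a_00_4 = {6f 00 70 00 65 00 6e 00 62 00 61 00 6e 00 6b 00 2e 00 65 00 73 00 } //1 openbank.es
        $a_00_5 = {6c 00 61 00 63 00 61 00 69 00 78 00 61 00 2e 00 65 00 73 00 } //1 lacaixa.es
        $a_00_6 = {62 00 61 00 6e 00 63 00 6f 00 72 00 65 00 61 00 6c 00 2e 00 63 00 6f 00 6d 00 2e 00 62 00 72 00 } //1 bancoreal.com.br
        $a_00_7 = {6e 00 6f 00 73 00 73 00 61 00 63 00 61 00 69 00 78 00 61 00 2e 00 63 00 6f 00 6d 00 2e 00 62 00 72 00 } //1 nossacaixa.com.br
        $a_00_8 = {69 00 74 00 61 00 75 00 70 00 72 00 69 00 76 00 61 00 74 00 65 00 62 00 61 00 6e 00 6b 00 2e 00 63 00 6f 00 6d 00 2e 00 62 00 72 00 } //1 itauprivatebank.com.br
        $a_00_9 = {62 00 72 00 61 00 64 00 65 00 73 00 63 00 6f 00 2e 00 63 00 6f 00 6d 00 2e 00 62 00 72 00 } //1 bradesco.com.br
        $a_00_10 = {75 00 6e 00 69 00 62 00 61 00 6e 00 63 00 6f 00 2e 00 63 00 6f 00 6d 00 2e 00 62 00 72 00 } //1 unibanco.com.br
        $a_00_11 = {61 00 6d 00 65 00 72 00 69 00 63 00 61 00 6e 00 61 00 73 00 2e 00 63 00 6f 00 6d 00 } //1 americanas.com
    condition:
        // Weighted sum: 4 x 10 + 8 x 1 = 48 maximum, threshold >= 46. That total is only
        // reachable when every weight-10 string is present AND at least six of the eight
        // weight-1 domains are, so the threshold is written as set membership.
        //
        // The previous form summed `(#str & 1) * weight`. `#str & 1` is the PARITY of the
        // match count, not presence: a string occurring an even number of times (e.g. an
        // API name present in both the import table and a data section) contributed 0 and
        // could silently suppress the detection. `of` tests presence regardless of count.
        all of ($a_00_0, $a_00_1, $a_00_2, $a_02_3) and
        6 of ($a_00_4, $a_00_5, $a_00_6, $a_00_7, $a_00_8, $a_00_9, $a_00_10, $a_00_11)
}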