DefenderYara/TrojanSpy/Win32/FormBook/TrojanSpy_Win32_FormBook_AR...


// Mechanically converted Microsoft Defender signature (SIGNATURE_TYPE_PEHSTR_EXT) for
// TrojanSpy:Win32/FormBook.AR!MTB. Converter conventions visible in this file:
//   - every string is emitted as a hex token sequence; the trailing "//N" on each string
//     is the weight that string contributes in the condition;
//   - $a_00_* / $a_01_* are literal byte strings (most $a_00_* are UTF-16LE text, written
//     as "xx 00" pairs; the decoded text is echoed after the weight);
//   - $a_03_* are code patterns with ?? wildcards, (a|b) alternatives and [n-m] jumps.
//
// NOTE(review): jump bounds such as [0-0f], [0-1f], [0-2f] read as hexadecimal, but stock
// YARA parses jump bounds as decimal integers ([0-15], [0-31], ...). Expect this rule to
// need conversion before it compiles in plain YARA - confirm against the tooling this
// corpus is loaded with.
// NOTE(review): the "90 0a xx xx" / "90 08 00 xx" groups inside several $a_03_* patterns look
// like converter-emitted control sequences rather than literal x86 opcodes; treat them as
// needing the same review before the rule is deployed.
rule TrojanSpy_Win32_FormBook_AR_MTB{
meta:
// The description carries the raw Defender header. Its trailing "32 00 00" (0x32 = 50)
// agrees with the 50 strings defined below ($a_*_0 .. $a_*_49); the leading "02 00 02 00"
// is presumably the encoded match threshold, matching the ">= 2" in the condition - verify.
description = "TrojanSpy:Win32/FormBook.AR!MTB,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 32 00 00 "
strings :
// Weight-2 code pattern. Reads as a 32-bit XOR-decode loop: mov ebx,[edi+edx] (8b 1c 17),
// xor ebx,esi (31 f3), store via adc [eax+edx],ebx (11 1c 10), add edx,4 (83 c2 04), then
// a compare and jne (75). The (3d|81) alternatives admit either cmp-eax-imm or cmp-r/m-imm.
$a_03_0 = {8b 1c 17 81 ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 31 f3 (3d|81) ?? ?? ?? ?? ?? (3d|81) [0-0f] 11 1c 10 [0-0f] 83 c2 04 (3d|81) ?? ?? ?? ?? ?? (3d|81) [0-0a] 75 } //2
// Weight-2 UTF-16LE token. The decoded text (after the weight) is a long random-looking
// alphanumeric run - presumably a sample-specific artifact such as a resource or section
// name; nothing in this file says what it is used for.
$a_00_1 = {52 00 48 00 68 00 76 00 67 00 6e 00 51 00 38 00 42 00 58 00 45 00 72 00 51 00 34 00 5a 00 79 00 6d 00 63 00 4f 00 4b 00 62 00 4e 00 32 00 63 00 78 00 4c 00 6a 00 39 00 42 00 38 00 4f 00 38 00 76 00 33 00 6e 00 45 00 42 00 30 00 57 00 56 00 32 00 62 00 63 00 31 00 71 00 68 00 71 00 39 00 56 00 6e 00 44 00 67 00 75 00 61 00 32 00 54 00 6e 00 74 00 41 00 63 00 55 00 4f 00 56 00 69 00 77 00 75 00 77 00 52 00 31 00 49 00 32 00 58 00 31 00 35 00 30 00 35 00 51 00 69 00 46 00 77 00 71 00 33 00 62 00 57 00 43 00 6b 00 56 00 61 00 4b 00 4e 00 66 00 6a 00 69 00 76 00 66 00 33 00 5a 00 54 00 31 00 69 00 30 00 56 00 56 00 53 00 79 00 7a 00 6c 00 4d 00 41 00 77 00 77 00 6c 00 51 00 39 00 } //2 RHhvgnQ8BXErQ4ZymcOKbN2cxLj9B8O8v3nEB0WV2bc1qhq9VnDgua2TntAcUOViwuwR1I2X1505QiFwq3bWCkVaKNfjivf3ZT1i0VVSyzlMAwwlQ9
// Weight-1 UTF-16LE tokens of the same random-alphanumeric kind ($a_00_2 .. $a_00_4).
$a_00_2 = {51 00 41 00 52 00 76 00 70 00 42 00 32 00 44 00 68 00 74 00 67 00 46 00 67 00 41 00 59 00 44 00 66 00 35 00 69 00 75 00 79 00 54 00 31 00 39 00 71 00 59 00 4e 00 56 00 5a 00 52 00 44 00 61 00 65 00 70 00 77 00 63 00 6c 00 4e 00 73 00 6c 00 6b 00 50 00 42 00 70 00 50 00 71 00 4c 00 6b 00 61 00 70 00 34 00 59 00 4a 00 73 00 58 00 6f 00 75 00 74 00 6c 00 37 00 51 00 31 00 36 00 53 00 4a 00 37 00 4b 00 70 00 57 00 65 00 6f 00 48 00 46 00 42 00 59 00 67 00 6d 00 45 00 46 00 52 00 4e 00 53 00 43 00 6e 00 70 00 4d 00 53 00 56 00 54 00 38 00 } //1 QARvpB2DhtgFgAYDf5iuyT19qYNVZRDaepwclNslkPBpPqLkap4YJsXoutl7Q16SJ7KpWeoHFBYgmEFRNSCnpMSVT8
$a_00_3 = {57 00 62 00 54 00 75 00 4d 00 32 00 74 00 75 00 45 00 58 00 70 00 55 00 31 00 6c 00 30 00 35 00 4d 00 6d 00 6e 00 32 00 34 00 31 00 35 00 39 00 } //1 WbTuM2tuEXpU1l05Mmn24159
$a_00_4 = {44 00 56 00 47 00 56 00 6c 00 46 00 36 00 56 00 4e 00 61 00 66 00 4e 00 79 00 35 00 65 00 5a 00 4a 00 6b 00 69 00 42 00 4b 00 32 00 61 00 66 00 65 00 43 00 44 00 72 00 64 00 66 00 6a 00 33 00 45 00 6d 00 50 00 35 00 35 00 4a 00 33 00 38 00 35 00 } //1 DVGVlF6VNafNy5eZJkiBK2afeCDrdfj3EmP55J385
// Weight-1 code pattern: push dword [edi+ecx] (ff 34 0f) ... pop ebx (5b) ... xor ebx,esi
// (31 f3) ... mov [edx+ecx],ebx (89 1c 0a) - a second XOR-decode loop variant with wide
// jumps, so it tolerates junk instructions between the steps.
$a_03_5 = {ff 34 0f 81 [0-3f] 5b [0-2f] 31 f3 [0-1f] 81 ?? ?? ?? ?? ?? 89 1c 0a } //1
$a_00_6 = {49 00 4c 00 61 00 57 00 7a 00 32 00 5a 00 4a 00 46 00 77 00 73 00 57 00 79 00 44 00 30 00 4c 00 55 00 71 00 70 00 74 00 62 00 78 00 76 00 39 00 77 00 42 00 64 00 7a 00 55 00 4e 00 4f 00 72 00 76 00 31 00 32 00 37 00 } //1 ILaWz2ZJFwsWyD0LUqptbxv9wBdzUNOrv127
// Weight-2 code patterns ($a_03_7 .. $a_03_9): further shapes of the same store / add edx,4 /
// cmp edx,imm (81 fa ?? ?? 00 00) / jne loop. The "90 0a 50 00" and "90 0a 49 00" groups
// are not obviously x86 - see the review note at the top of the rule.
$a_03_7 = {11 1c 10 66 [0-0f] 83 c2 04 [0-0f] 81 fa ?? ?? 00 00 75 90 0a 50 00 8b 1c 17 } //2
$a_03_8 = {01 1c 10 66 [0-0f] 83 c2 04 [0-0a] 81 [0-1f] 75 90 0a 49 00 ff 34 17 [0-0f] 5b [0-0f] 31 f3 } //2
$a_03_9 = {8b 1f 66 85 [0-1f] 31 f3 [0-1f] 89 1c 10 [0-01] 46 81 fa ?? ?? 00 00 75 } //2
$a_00_10 = {66 00 6d 00 63 00 6a 00 75 00 33 00 56 00 50 00 32 00 71 00 35 00 37 00 } //1 fmcju3VP2q57
$a_00_11 = {4b 00 72 00 79 00 6b 00 6b 00 65 00 6e 00 73 00 74 00 69 00 6e 00 6b 00 61 00 64 00 6f 00 72 00 6f 00 73 00 65 00 72 00 73 00 75 00 6d 00 61 00 6b 00 6b 00 65 00 72 00 35 00 } //1 Krykkenstinkadorosersumakker5
// Weight-2 code pattern: push dword [edi] (ff 37) / jmp short (eb 03) ... xor ecx,esi (31 f1)
// ... mov [ebx],ecx (89 0b) ... cmp edx (81 fa); ecx-based variant of the decode loop.
$a_03_12 = {ff 37 eb 03 90 08 00 02 34 ?? [0-0a] 31 f1 90 08 00 02 89 0b 90 08 00 02 81 fa } //2
$a_00_13 = {5a 00 65 00 47 00 58 00 44 00 4d 00 4b 00 52 00 5a 00 54 00 65 00 68 00 6e 00 36 00 4d 00 6d 00 38 00 56 00 38 00 57 00 46 00 50 00 6b 00 33 00 31 00 31 00 36 00 } //1 ZeGXDMKRZTehn6Mm8V8WFPk3116
$a_00_14 = {58 00 43 00 5a 00 6a 00 4f 00 51 00 69 00 49 00 4d 00 79 00 74 00 72 00 35 00 75 00 73 00 76 00 63 00 74 00 4c 00 36 00 38 00 52 00 6e 00 36 00 4d 00 62 00 4f 00 50 00 4b 00 31 00 6f 00 36 00 63 00 38 00 53 00 71 00 38 00 53 00 32 00 34 00 38 00 } //1 XCZjOQiIMytr5usvctL68Rn6MbOPK1o6c8Sq8S248
// Weight-1 code patterns ($a_03_15, $a_03_18): ff 37 ... 31 f1 ... add ebx,edx (01 d3) ...
// 89 0b ... 83 c2 04 ... 81 fa; same loop with the destination pointer advanced by edx.
$a_03_15 = {ff 37 85 c0 [0-2f] 31 f1 [0-2f] 01 d3 [0-2f] 89 0b [0-2f] 83 c2 04 [0-2f] 81 fa ?? ?? 00 00 } //1
$a_00_16 = {58 00 66 00 39 00 74 00 33 00 41 00 6b 00 7a 00 64 00 38 00 58 00 39 00 6c 00 6b 00 4b 00 55 00 58 00 34 00 37 00 6e 00 30 00 4c 00 4e 00 64 00 36 00 51 00 43 00 47 00 32 00 6b 00 46 00 71 00 70 00 46 00 36 00 30 00 } //1 Xf9t3Akzd8X9lkKUX47n0LNd6QCG2kFqpF60
$a_00_17 = {62 00 6c 00 5a 00 47 00 5a 00 66 00 79 00 6c 00 35 00 31 00 6d 00 51 00 38 00 72 00 44 00 4b 00 78 00 63 00 4f 00 32 00 6f 00 49 00 67 00 5a 00 57 00 36 00 61 00 6a 00 36 00 74 00 4d 00 7a 00 67 00 70 00 53 00 4d 00 71 00 34 00 30 00 } //1 blZGZfyl51mQ8rDKxcO2oIgZW6aj6tMzgpSMq40
$a_03_18 = {ff 37 81 fb [0-2f] 31 f1 [0-2f] 01 d3 [0-2f] 89 0b [0-2f] 83 c2 04 [0-2f] 81 fa ?? b8 00 } //1
$a_00_19 = {4e 00 6c 00 75 00 55 00 76 00 50 00 72 00 34 00 62 00 75 00 44 00 67 00 42 00 42 00 77 00 39 00 75 00 73 00 78 00 76 00 6f 00 34 00 5a 00 76 00 41 00 37 00 61 00 6a 00 72 00 37 00 4d 00 53 00 50 00 58 00 79 00 34 00 5a 00 37 00 33 00 } //1 NluUvPr4buDgBBw9usxvo4ZvA7ajr7MSPXy4Z73
$a_00_20 = {75 00 7a 00 51 00 48 00 7a 00 66 00 69 00 62 00 55 00 67 00 73 00 67 00 63 00 34 00 6d 00 54 00 6f 00 6a 00 68 00 6e 00 75 00 46 00 41 00 45 00 74 00 47 00 54 00 52 00 44 00 33 00 76 00 66 00 35 00 30 00 58 00 64 00 76 00 34 00 5a 00 41 00 36 00 30 00 } //1 uzQHzfibUgsgc4mTojhnuFAEtGTRD3vf50Xdv4ZA60
// Weight-1 code patterns ($a_03_21, $a_03_24, $a_03_27, $a_03_30): more loop shapes built
// from the same 89 0b / 83 c2 04 / add edi,4 (83 c7 04) / 31 f1 / 81 fa primitives, each
// glued with "90 08 00 xx" groups (see the review note at the top).
$a_03_21 = {ff 37 66 85 90 08 00 02 89 0b 90 08 00 02 83 c2 04 90 08 00 02 83 c7 04 90 08 00 02 31 f1 eb } //1
$a_00_22 = {59 00 47 00 76 00 47 00 58 00 46 00 61 00 38 00 6f 00 34 00 54 00 6e 00 4f 00 4e 00 37 00 4e 00 73 00 6a 00 71 00 77 00 42 00 39 00 6a 00 50 00 58 00 75 00 6b 00 58 00 6e 00 34 00 6a 00 36 00 51 00 32 00 34 00 36 00 } //1 YGvGXFa8o4TnON7NsjqwB9jPXukXn4j6Q246
$a_00_23 = {67 00 6c 00 30 00 41 00 7a 00 35 00 36 00 7a 00 33 00 77 00 69 00 45 00 30 00 72 00 7a 00 31 00 7a 00 53 00 37 00 36 00 6e 00 78 00 35 00 79 00 66 00 7a 00 6f 00 44 00 38 00 38 00 } //1 gl0Az56z3wiE0rz1zS76nx5yfzoD88
$a_03_24 = {ff 37 eb 0f 90 08 00 02 83 c2 04 90 08 00 02 89 0b 90 08 00 02 66 81 fa 90 08 00 02 31 f1 85 } //1
$a_00_25 = {71 00 31 00 72 00 30 00 44 00 45 00 32 00 32 00 65 00 5a 00 50 00 71 00 32 00 55 00 6d 00 6a 00 62 00 6c 00 4e 00 31 00 66 00 4e 00 4a 00 79 00 4e 00 55 00 6a 00 6d 00 33 00 6e 00 74 00 6e 00 4e 00 36 00 43 00 64 00 46 00 32 00 32 00 33 00 } //1 q1r0DE22eZPq2UmjblN1fNJyNUjm3ntnN6CdF223
$a_00_26 = {43 00 6a 00 77 00 5a 00 41 00 68 00 70 00 65 00 68 00 31 00 52 00 38 00 37 00 64 00 6f 00 71 00 52 00 6f 00 31 00 6b 00 59 00 53 00 69 00 7a 00 67 00 38 00 70 00 54 00 44 00 65 00 47 00 42 00 64 00 45 00 68 00 76 00 44 00 66 00 61 00 32 00 38 00 38 00 } //1 CjwZAhpeh1R87doqRo1kYSizg8pTDeGBdEhvDfa288
$a_03_27 = {ff 37 81 fa 90 08 00 05 31 f1 90 08 00 05 09 0b 90 08 00 05 66 3d 90 08 00 05 66 85 d2 [0-0a] e9 } //1
$a_00_28 = {53 00 43 00 64 00 74 00 6a 00 52 00 65 00 72 00 41 00 4d 00 73 00 35 00 59 00 58 00 64 00 64 00 41 00 6a 00 4e 00 4d 00 39 00 30 00 4d 00 55 00 37 00 39 00 } //1 SCdtjRerAMs5YXddAjNM90MU79
$a_00_29 = {69 00 35 00 59 00 4e 00 70 00 59 00 5a 00 32 00 33 00 62 00 38 00 75 00 63 00 71 00 43 00 44 00 67 00 31 00 4f 00 6d 00 6e 00 34 00 49 00 4e 00 58 00 57 00 76 00 70 00 6f 00 5a 00 76 00 6b 00 39 00 71 00 67 00 55 00 57 00 45 00 32 00 41 00 32 00 30 00 37 00 } //1 i5YNpYZ23b8ucqCDg1Omn4INXWvpoZvk9qgUWE2A207
$a_03_30 = {01 0b eb 1b 90 0a ef 00 8b 09 90 08 00 02 31 f1 } //1
$a_00_31 = {43 00 38 00 64 00 67 00 44 00 42 00 6c 00 72 00 46 00 35 00 6e 00 34 00 4d 00 55 00 47 00 38 00 56 00 4e 00 6c 00 31 00 38 00 39 00 } //1 C8dgDBlrF5n4MUG8VNl189
// Generic weight-1 text: "KEYstore" (UTF-16LE). Short and not family-specific on its own;
// see the false-positive caveat on the condition.
$a_00_32 = {4b 00 45 00 59 00 73 00 74 00 6f 00 72 00 65 00 } //1 KEYstore
$a_03_33 = {31 4b 00 a0 [0-1f] 00 12 31 4b 00 [0-1f] 00 41 36 [0-01] 46 4b 00 0c 36 } //1
$a_00_34 = {66 00 76 00 71 00 52 00 57 00 58 00 51 00 45 00 6e 00 6f 00 59 00 41 00 6d 00 77 00 57 00 65 00 6e 00 44 00 79 00 6f 00 43 00 57 00 4e 00 6a 00 73 00 42 00 53 00 4c 00 47 00 53 00 6d 00 47 00 64 00 72 00 47 00 72 00 62 00 6e 00 67 00 44 00 62 00 6f 00 6e 00 6d 00 6d 00 55 00 47 00 73 00 55 00 47 00 } //1 fvqRWXQEnoYAmwWenDyoCWNjsBSLGSmGdrGrbngDbonmmUGsUG
$a_00_35 = {6b 00 6f 00 78 00 76 00 7a 00 75 00 69 00 63 00 7a 00 71 00 65 00 69 00 64 00 73 00 73 00 6f 00 69 00 6e 00 6a 00 7a 00 75 00 70 00 6a 00 6b 00 75 00 68 00 69 00 69 00 71 00 75 00 72 00 } //1 koxvzuiczqeidssoinjzupjkuhiiqur
// Reversed registry paths stored as UTF-16LE (string-reversal obfuscation). Read backwards:
//   $a_00_36 -> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\   (autostart key)
//   $a_00_37 -> HKEY_CLASSES_ROOT\HTTP\shell\open\command\                          (HTTP protocol handler)
// Useful hunting pivots, but each is only weight 1 and any two weight-1 hits satisfy the rule.
$a_00_36 = {5c 00 6e 00 75 00 52 00 5c 00 6e 00 6f 00 69 00 73 00 72 00 65 00 56 00 74 00 6e 00 65 00 72 00 72 00 75 00 43 00 5c 00 73 00 77 00 6f 00 64 00 6e 00 69 00 57 00 5c 00 74 00 66 00 6f 00 73 00 6f 00 72 00 63 00 69 00 4d 00 5c 00 65 00 72 00 61 00 77 00 74 00 66 00 6f 00 53 00 5c 00 52 00 45 00 53 00 55 00 5f 00 54 00 4e 00 45 00 52 00 52 00 55 00 43 00 5f 00 59 00 45 00 4b 00 48 00 } //1 \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\RESU_TNERRUC_YEKH
$a_00_37 = {5c 00 64 00 6e 00 61 00 6d 00 6d 00 6f 00 63 00 5c 00 6e 00 65 00 70 00 6f 00 5c 00 6c 00 6c 00 65 00 68 00 73 00 5c 00 50 00 54 00 54 00 48 00 5c 00 54 00 4f 00 4f 00 52 00 5f 00 53 00 45 00 53 00 53 00 41 00 4c 00 43 00 5f 00 59 00 45 00 4b 00 48 00 } //1 \dnammoc\nepo\llehs\PTTH\TOOR_SESSALC_YEKH
// Weight-1 raw bytes. "d5 c5 46 00" / "dc c5 46 00" read as little-endian absolute addresses
// (0x0046c5d5, 0x0046c5dc), so this fragment presumably only matches one build/image base.
$a_01_38 = {32 40 00 04 00 00 00 d5 c5 46 00 dc c5 46 00 eb } //1
$a_00_39 = {43 00 52 00 50 00 45 00 5a 00 44 00 4d 00 4d 00 51 00 4b 00 55 00 56 00 47 00 59 00 5a 00 4f 00 4f 00 47 00 53 00 50 00 47 00 4a 00 49 00 4a 00 48 00 } //1 CRPEZDMMQKUVGYZOOGSPGJIJH
$a_00_40 = {72 00 75 00 71 00 69 00 69 00 68 00 75 00 6b 00 6a 00 70 00 75 00 7a 00 6a 00 6e 00 69 00 6f 00 73 00 73 00 64 00 69 00 65 00 71 00 7a 00 63 00 69 00 75 00 7a 00 76 00 78 00 6f 00 6b 00 } //1 ruqiihukjpuzjniossdieqzciuzvxok
$a_00_41 = {57 00 38 00 45 00 66 00 4e 00 34 00 45 00 35 00 50 00 74 00 64 00 6d 00 75 00 69 00 7a 00 34 00 6a 00 66 00 44 00 69 00 42 00 4a 00 69 00 63 00 70 00 58 00 59 00 6c 00 47 00 6c 00 75 00 36 00 4c 00 39 00 34 00 79 00 37 00 6f 00 31 00 31 00 32 00 } //1 W8EfN4E5Ptdmuiz4jfDiBJicpXYlGlu6L94y7o112
// The only narrow (8-bit ASCII) text token in the rule - no "00" interleave.
$a_00_42 = {4f 50 77 6f 6d 6b 4d 77 6e 66 69 72 43 57 6b 6b 65 71 34 47 43 61 77 41 6c 56 44 68 75 35 45 30 37 59 51 33 33 } //1 OPwomkMwnfirCWkkeq4GCawAlVDhu5E07YQ33
$a_00_43 = {45 00 77 00 79 00 45 00 66 00 75 00 79 00 62 00 69 00 44 00 74 00 42 00 44 00 32 00 6e 00 52 00 68 00 35 00 6e 00 42 00 34 00 57 00 6c 00 6b 00 6a 00 65 00 4a 00 47 00 52 00 58 00 4d 00 35 00 6a 00 4e 00 51 00 32 00 34 00 30 00 } //1 EwyEfuybiDtBD2nRh5nB4WlkjeJGRXM5jNQ240
$a_00_44 = {4d 00 36 00 43 00 30 00 47 00 33 00 55 00 53 00 34 00 39 00 34 00 66 00 46 00 76 00 53 00 42 00 79 00 61 00 37 00 6d 00 36 00 6f 00 64 00 34 00 39 00 53 00 31 00 30 00 77 00 79 00 56 00 51 00 46 00 6d 00 36 00 32 00 33 00 38 00 } //1 M6C0G3US494fFvSBya7m6od49S10wyVQFm6238
$a_00_45 = {6a 00 35 00 73 00 73 00 77 00 4d 00 44 00 71 00 70 00 31 00 6f 00 53 00 36 00 31 00 75 00 42 00 35 00 4f 00 33 00 6b 00 31 00 34 00 70 00 32 00 46 00 5a 00 6b 00 43 00 66 00 75 00 68 00 43 00 55 00 49 00 62 00 6e 00 76 00 48 00 31 00 32 00 31 00 } //1 j5sswMDqp1oS61uB5O3k14p2FZkCfuhCUIbnvH121
$a_00_46 = {65 00 57 00 54 00 68 00 35 00 48 00 53 00 4c 00 79 00 52 00 37 00 65 00 54 00 51 00 6a 00 6d 00 45 00 70 00 6d 00 66 00 33 00 61 00 72 00 65 00 4a 00 79 00 69 00 4f 00 45 00 57 00 54 00 32 00 6d 00 33 00 38 00 31 00 30 00 36 00 } //1 eWTh5HSLyR7eTQjmEpmf3areJyiOEWT2m38106
// Weight-1 raw bytes: xor [esp],esi (31 34 24) surrounded by MMX/SSE-style opcodes
// (0f ee ca, 0f da ca, 0f 38 02 ca) and mov [eax+ebx],ecx (89 0c 18) - reads as a decode
// step padded with vector-instruction junk; exact-byte, so brittle across recompiles.
$a_01_47 = {02 ca 31 34 24 0f ee ca 0f da ca 59 0f 38 02 ca 0f ee ca 89 0c 18 } //1
$a_00_48 = {70 00 6d 00 61 00 45 00 46 00 47 00 63 00 53 00 69 00 63 00 4e 00 30 00 76 00 32 00 34 00 56 00 49 00 4b 00 32 00 59 00 56 00 66 00 73 00 62 00 61 00 39 00 35 00 79 00 74 00 65 00 39 00 4d 00 52 00 63 00 30 00 33 00 49 00 35 00 34 00 } //1 pmaEFGcSicN0v24VIK2YVfsba95yte9MRc03I54
$a_00_49 = {4a 00 38 00 65 00 67 00 4b 00 68 00 45 00 4d 00 31 00 61 00 31 00 4a 00 67 00 69 00 68 00 69 00 4f 00 65 00 30 00 4f 00 6e 00 6e 00 66 00 63 00 35 00 59 00 49 00 73 00 48 00 62 00 34 00 78 00 63 00 48 00 49 00 6f 00 77 00 68 00 79 00 6c 00 32 00 35 00 33 00 } //1 J8egKhEM1a1JgihiOe0Onnfc5YIsHb4xcHIowhyl253
condition:
// Weighted presence sum. "(#x & 1)" clamps each string's occurrence count to 0/1, so a
// string contributes its weight at most once no matter how often it appears. The threshold
// of 2 is therefore met by any single weight-2 pattern ($a_03_0, $a_00_1, $a_03_7, $a_03_8,
// $a_03_9, $a_03_12) on its own, or by any two weight-1 strings.
// Practitioner caveat: several weight-1 strings are generic (e.g. $a_00_32 "KEYstore" and the
// reversed registry paths $a_00_36/$a_00_37), so a hit produced only by two of those carries
// less confidence than one backed by a code pattern - check which strings matched before
// treating a result as a confirmed FormBook sample.
((#a_03_0 & 1)*2+(#a_00_1 & 1)*2+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_03_5 & 1)*1+(#a_00_6 & 1)*1+(#a_03_7 & 1)*2+(#a_03_8 & 1)*2+(#a_03_9 & 1)*2+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_03_12 & 1)*2+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_03_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*1+(#a_03_18 & 1)*1+(#a_00_19 & 1)*1+(#a_00_20 & 1)*1+(#a_03_21 & 1)*1+(#a_00_22 & 1)*1+(#a_00_23 & 1)*1+(#a_03_24 & 1)*1+(#a_00_25 & 1)*1+(#a_00_26 & 1)*1+(#a_03_27 & 1)*1+(#a_00_28 & 1)*1+(#a_00_29 & 1)*1+(#a_03_30 & 1)*1+(#a_00_31 & 1)*1+(#a_00_32 & 1)*1+(#a_03_33 & 1)*1+(#a_00_34 & 1)*1+(#a_00_35 & 1)*1+(#a_00_36 & 1)*1+(#a_00_37 & 1)*1+(#a_01_38 & 1)*1+(#a_00_39 & 1)*1+(#a_00_40 & 1)*1+(#a_00_41 & 1)*1+(#a_00_42 & 1)*1+(#a_00_43 & 1)*1+(#a_00_44 & 1)*1+(#a_00_45 & 1)*1+(#a_00_46 & 1)*1+(#a_01_47 & 1)*1+(#a_00_48 & 1)*1+(#a_00_49 & 1)*1) >=2
}