DefenderYara/TrojanSpy/Win32/Hasmin/TrojanSpy_Win32_Hasmin_A.yar


// Weighted string-match rule for TrojanSpy:Win32/Hasmin.A (name taken from the
// meta description below). All four patterns are Base64 text as it would sit
// in the file, so the rule matches the encoded form only, not the decoded
// plaintext.
rule TrojanSpy_Win32_Hasmin_A{
meta:
// The bytes after SIGNATURE_TYPE_PEHSTR are carried over as given.
// NOTE(review): they presumably encode the threshold and string count of the
// original signature; confirm before relying on them.
description = "TrojanSpy:Win32/Hasmin.A,SIGNATURE_TYPE_PEHSTR,04 00 03 00 04 00 00 "
strings :
// The number after each "//" is the weight the condition gives that string.
// $a_01_0 (weight 3): single-byte Base64. Decodes to "/security.mixmusicas[.]net"
// (defanged here) followed by a truncated Base64 group.
$a_01_0 = {4c 33 4e 6c 59 33 56 79 61 58 52 35 4c 6d 31 70 65 47 31 31 63 32 6c 6a 59 58 4d 75 62 6d 56 30 4c } //3 L3NlY3VyaXR5Lm1peG11c2ljYXMubmV0L
// $a_01_1 (weight 3): single-byte Base64. Decodes to "/albatroz-rel/p/access.p";
// the pattern stops there, so the rest of the path is not part of the match.
$a_01_1 = {4c 32 46 73 59 6d 46 30 63 6d 39 36 4c 58 4a 6c 62 43 39 77 4c 32 46 6a 59 32 56 7a 63 79 35 77 } //3 L2FsYmF0cm96LXJlbC9wL2FjY2Vzcy5w
// $a_01_2 (weight 1): the same kind of Base64 text, but every character is
// followed by a 00 byte (UTF-16LE layout). Decodes to "\Mozilla\Firefox\Profiles".
$a_01_2 = {58 00 45 00 31 00 76 00 65 00 6d 00 6c 00 73 00 62 00 47 00 46 00 63 00 52 00 6d 00 6c 00 79 00 5a 00 57 00 5a 00 76 00 65 00 46 00 78 00 51 00 63 00 6d 00 39 00 6d 00 61 00 57 00 78 00 6c 00 63 00 77 00 3d 00 3d 00 } //1 XE1vemlsbGFcRmlyZWZveFxQcm9maWxlcw==
// $a_01_3 (weight 1): UTF-16LE Base64. Decodes to
// user_pref("network.proxy.autoconfig_url
// NOTE(review): together with $a_01_2 this looks like tampering with the Firefox
// proxy auto-config preference; the rule itself only proves the strings are present.
$a_01_3 = {64 00 58 00 4e 00 6c 00 63 00 6c 00 39 00 77 00 63 00 6d 00 56 00 6d 00 4b 00 43 00 4a 00 75 00 5a 00 58 00 52 00 33 00 62 00 33 00 4a 00 72 00 4c 00 6e 00 42 00 79 00 62 00 33 00 68 00 35 00 4c 00 6d 00 46 00 31 00 64 00 47 00 39 00 6a 00 62 00 32 00 35 00 6d 00 61 00 57 00 64 00 66 00 64 00 58 00 4a 00 73 00 } //1 dXNlcl9wcmVmKCJuZXR3b3JrLnByb3h5LmF1dG9jb25maWdfdXJs
condition:
// Score = 3 + 3 + 1 + 1 over the four strings; the rule fires at a score of 3 or more.
// The two Firefox strings alone total 2, so at least one of the host/path
// strings ($a_01_0 or $a_01_1) must contribute for a match.
// "#x & 1" keeps only the low bit of the occurrence count, so a string that
// occurs an even number of times contributes 0.
// NOTE(review): if the intent is "present at least once", this under-counts
// repeated strings; confirm against the converter that produced this rule.
((#a_01_0 & 1)*3+(#a_01_1 & 1)*3+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1) >=3
}