

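// TrojanSpy:Win32/Hisbucken.A — weighted-string detection rule.
//
// The meta description looks like the header of a Microsoft Defender
// PEHSTR_EXT signature that this rule was converted from; the bytes
// "0c 00 0a 00 06 00 00" presumably carry the scoring header (0x0a = 10
// agrees with the threshold used below, 0x06 with the number of strings) —
// confirm against the converter before relying on that reading.
//
// Each $a_01_N pattern is a UTF-16LE string: every character byte is
// followed by 00.  The trailing "//W text" comment on each line gives the
// decoded text and the weight W the condition assigns to that string.
//
// Notes for analysts:
//   * $a_01_0 and $a_01_1 are overlapping windows of the same hex-looking
//     blob (one is shifted by a single character), so they normally hit
//     together and effectively contribute 8 points.
//   * $a_01_2 is an embedded database connection string with a hard-coded
//     "sa" login and password; it is the most distinctive indicator in this
//     rule and is worth surfacing on its own in hunting queries.
//   * The remaining 2-point strings are short hex-looking fragments and are
//     weak on their own; the threshold keeps them from firing alone.
rule TrojanSpy_Win32_Hisbucken_A
{
    meta:
        description = "TrojanSpy:Win32/Hisbucken.A,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0a 00 06 00 00 "
    strings:
        $a_01_0 = {38 00 35 00 38 00 34 00 36 00 34 00 31 00 34 00 32 00 34 00 34 00 37 00 39 00 31 00 39 00 36 00 39 00 34 00 37 00 34 00 36 00 34 00 37 00 33 00 30 00 30 00 32 00 31 00 45 00 35 00 38 00 34 00 41 00 35 00 32 00 35 00 } //4 8584641424479196947464730021E584A525
        $a_01_1 = {35 00 38 00 35 00 38 00 34 00 36 00 34 00 31 00 34 00 32 00 34 00 34 00 37 00 39 00 31 00 39 00 36 00 39 00 34 00 37 00 34 00 36 00 34 00 37 00 33 00 30 00 30 00 32 00 31 00 45 00 35 00 38 00 34 00 41 00 35 00 32 00 } //4 58584641424479196947464730021E584A52
        $a_01_2 = {53 00 4f 00 55 00 52 00 43 00 45 00 3d 00 4b 00 52 00 41 00 4b 00 45 00 4e 00 3b 00 55 00 49 00 44 00 3d 00 73 00 61 00 3b 00 44 00 41 00 54 00 41 00 42 00 41 00 53 00 45 00 3d 00 6b 00 72 00 61 00 6b 00 65 00 6e 00 3b 00 50 00 57 00 44 00 3d 00 73 00 61 00 } //4 SOURCE=KRAKEN;UID=sa;DATABASE=kraken;PWD=sa
        $a_01_3 = {39 00 30 00 36 00 33 00 37 00 44 00 37 00 33 00 36 00 36 00 36 00 30 00 30 00 32 00 36 00 34 00 30 00 33 00 36 00 43 00 37 00 43 00 35 00 39 00 32 00 30 00 34 00 33 00 35 00 46 00 34 00 33 00 35 00 36 00 35 00 36 00 } //2 90637D7366600264036C7C5920435F435656
        $a_01_4 = {31 00 32 00 35 00 45 00 35 00 44 00 35 00 38 00 35 00 37 00 37 00 45 00 30 00 37 00 } //2 125E5D58577E07
        $a_01_5 = {38 00 34 00 34 00 35 00 44 00 34 00 35 00 35 00 44 00 } //2 8445D455D
    condition:
        // Score = 4 * (number of 4-point strings present)
        //       + 2 * (number of 2-point strings present)  >= 10,
        // expanded into the only combinations that reach the threshold:
        //   three 4-point strings, or two 4-point + one 2-point,
        //   or one 4-point + all three 2-point strings.
        // The converted form `(#x & 1)*w` credited a string only when its
        // match count was odd (2 & 1 == 0), so a sample containing a string
        // twice lost those points and could slip under the threshold.
        // Presence-based counting is almost certainly what the weighted
        // header intends, and every file the old condition matched still
        // matches here.
        3 of ($a_01_0, $a_01_1, $a_01_2) or
        (2 of ($a_01_0, $a_01_1, $a_01_2) and 1 of ($a_01_3, $a_01_4, $a_01_5)) or
        (1 of ($a_01_0, $a_01_1, $a_01_2) and all of ($a_01_3, $a_01_4, $a_01_5))
}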