DefenderYara/TrojanSpy/Win32/Sappwort/TrojanSpy_Win32_Sappwort_A.yar


// Microsoft Defender signature TrojanSpy:Win32/Sappwort.A rendered as a YARA rule.
// Scoring model: every string carries a fixed weight and is counted at most
// once (the "& 1" in the condition clamps each #count to 0 or 1); the file
// matches when the summed weight reaches 2200.
// Weight budget: four $a_02_* code patterns at 1000 each plus ten $a_00_*
// literal strings at 100 each = 5000. One code pattern plus all ten strings
// is only 2000, so a hit always requires at least two of the code patterns
// (e.g. 2 x 1000 + 2 x 100 = 2200); the literal strings alone can never
// trigger the rule, which keeps false positives on the generic
// "\system32\" / "Passwort" strings low.
rule TrojanSpy_Win32_Sappwort_A{
meta:
// The description embeds the original Defender signature header verbatim.
// NOTE(review): "ffffff98 08" read as a little-endian 16-bit value is
// 0x0898 = 2200, identical to the condition threshold, and "0e" is 14, the
// number of strings below — presumably the threshold and string-count
// fields of the PEHSTR_EXT header; confirm before depending on it.
description = "TrojanSpy:Win32/Sappwort.A,SIGNATURE_TYPE_PEHSTR_EXT,60 09 ffffff98 08 0e 00 00 "
strings :
// $a_02_* are wildcarded code patterns (weight 1000 each). The recurring
// "?? ?? 45 00" is presumably a 32-bit little-endian absolute address in
// the 0x0045xxxx range and "e8 ?? ?? ?? ff" / "e8 ?? ?? fb ff" a CALL with
// a negative relative displacement — TODO confirm against a sample.
$a_02_0 = {8d 83 04 03 00 00 ba ?? ?? 45 00 e8 ?? ?? fb ff 8d 83 08 03 00 00 ba ?? ?? 45 00 e8 ?? ?? fb ff } //1000
$a_02_1 = {b3 01 33 c0 55 68 ?? ?? 45 00 64 ff 30 64 89 20 8d 45 f8 50 8d 45 f4 e8 ?? ?? ?? ff 8b 45 f4 b9 03 00 00 00 ba 01 00 00 00 e8 ?? ?? ?? ff 8d 45 f8 ba ?? ?? 45 00 e8 ?? ?? ?? ff 8b 4d f8 b2 01 } //1000
$a_02_2 = {6a 00 6a 00 ff b3 04 03 00 00 68 ?? ?? 45 00 8d 4d f4 8b 83 00 03 00 00 8b 55 fc 8b 38 ff 57 0c ff 75 f4 8d 45 f8 ba 03 00 00 00 e8 ?? ?? ?? ff 8b 45 f8 e8 ?? ?? ?? ff 50 68 ?? ?? 45 00 68 ?? ?? 45 00 8b c3 } //1000
$a_02_3 = {6a 00 6a 00 8b 45 f8 e8 ?? ?? ?? ff 50 68 ?? ?? 45 00 68 ?? ?? 45 00 8b c3 e8 ?? ?? ?? ff 50 e8 ?? ?? ?? ff ff 45 fc 4e 75 aa } //1000
// $a_00_* are exact byte strings (weight 100 each); the trailing comment
// gives the ASCII decode of the printable part.
// $a_00_4, $a_00_7 and $a_00_8 are preceded by "ff ff ff ff <len> 00 00 00",
// which looks like a length-prefixed string header (length 10 / 4) — TODO
// confirm the string layout used by the compiler of the original sample.
$a_00_4 = {ff ff ff ff 0a 00 00 00 5c 73 79 73 74 65 6d 33 32 5c 00 } //100 \system32\ (NUL-terminated, after an 8-byte prefix)
$a_00_5 = {5c 73 79 73 74 65 6d 33 32 5c 61 75 64 69 74 2e 65 78 65 } //100 \system32\audit.exe
$a_00_6 = {5c 73 79 73 74 65 6d 33 32 5c 77 69 6e 73 79 73 2e 65 78 65 } //100 \system32\winsys.exe
$a_00_7 = {ff ff ff ff 04 00 00 00 55 49 4e } //100 UIN (after an 8-byte prefix; length field 4)
$a_00_8 = {ff ff ff ff 04 ff 00 00 55 49 4e } //100 UIN (same as $a_00_7 with the second prefix byte ff instead of 00)
// $a_00_9 is the clean URL-encoded German "   Passwort :" label; $a_00_10
// through $a_00_13 each differ from it by exactly one byte — presumably
// to keep matching slightly corrupted or deliberately altered copies of
// the same string. Exact-byte variants are cheap but brittle; expect
// further single-byte edits of the label to fall outside this set.
$a_00_9 = {25 32 30 25 32 30 25 32 30 50 61 73 73 77 6f 72 74 25 32 30 3a 25 32 30 } //100 %20%20%20Passwort%20:%20
$a_00_10 = {25 32 30 25 32 30 25 32 30 50 61 73 73 60 6f 72 74 25 32 30 3a 25 32 30 } //100 %20%20%20Pass`ort%20:%20 ('w' -> '`')
$a_00_11 = {25 32 30 25 32 30 25 32 30 50 61 73 73 77 6f 72 74 25 32 30 11 25 32 30 } //100 %20%20%20Passwort%20\x11%20 (':' -> byte 0x11)
$a_00_12 = {25 32 30 25 32 30 25 32 30 50 61 73 73 77 6f 90 74 25 32 30 3a 25 32 30 } //100 %20%20%20Passwo\x90t%20:%20 ('r' -> byte 0x90)
$a_00_13 = {25 32 30 25 32 30 25 32 30 50 61 73 73 77 6f 72 74 25 3a 30 3a 25 32 30 } //100 %20%20%20Passwort%:0:%20 ('2' -> ':')
condition:
// Weighted sum over all strings, each clamped to a single hit; see the
// weight budget in the header comment for why 2200 forces at least two
// $a_02_* code-pattern hits.
((#a_02_0 & 1)*1000+(#a_02_1 & 1)*1000+(#a_02_2 & 1)*1000+(#a_02_3 & 1)*1000+(#a_00_4 & 1)*100+(#a_00_5 & 1)*100+(#a_00_6 & 1)*100+(#a_00_7 & 1)*100+(#a_00_8 & 1)*100+(#a_00_9 & 1)*100+(#a_00_10 & 1)*100+(#a_00_11 & 1)*100+(#a_00_12 & 1)*100+(#a_00_13 & 1)*100) >=2200
}