qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/TrojanSpy/Win32/Satcoiru/TrojanSpy_Win32_Satcoiru_A.yar

16 lines
1.5 KiB
Plaintext
Raw Permalink Blame History

rule TrojanSpy_Win32_Satcoiru_A{
meta:
description = "TrojanSpy:Win32/Satcoiru.A,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0c 00 06 00 00 "
strings :
$a_01_0 = {30 00 30 00 32 00 30 00 35 00 46 00 34 00 37 00 34 00 31 00 34 00 34 00 35 00 36 00 35 00 32 00 35 00 39 00 32 00 42 00 34 00 33 00 32 00 32 00 } //4 00205F4741445652592B4322
$a_01_1 = {31 00 38 00 35 00 39 00 35 00 43 00 35 00 31 00 35 00 33 00 34 00 46 00 31 00 46 00 34 00 36 00 32 00 41 00 34 00 30 00 } //4 18595C51534F1F462A40
$a_01_2 = {39 00 30 00 36 00 33 00 37 00 44 00 37 00 33 00 36 00 36 00 36 00 30 00 30 00 32 00 36 00 34 00 30 00 33 00 36 00 43 00 37 00 43 00 35 00 39 00 32 00 30 00 34 00 33 00 35 00 46 00 34 00 33 00 35 00 36 00 35 00 36 00 } //2 90637D7366600264036C7C5920435F435656
$a_01_3 = {30 00 30 00 32 00 30 00 35 00 44 00 35 00 33 00 35 00 36 00 35 00 37 00 35 00 33 00 35 00 35 00 34 00 34 00 32 00 37 00 34 00 33 00 33 00 30 00 } //2 00205D535657535544274330
$a_01_4 = {30 00 30 00 32 00 34 00 37 00 39 00 35 00 43 00 35 00 36 00 35 00 41 00 34 00 32 00 35 00 38 00 34 00 34 00 30 00 33 00 34 00 36 00 32 00 41 00 34 00 35 00 35 00 45 00 } //2 0024795C565A42584403462A455E
$a_01_5 = {30 00 30 00 32 00 38 00 35 00 45 00 35 00 44 00 35 00 38 00 35 00 33 00 35 00 35 00 35 00 30 00 35 00 38 00 32 00 31 00 35 00 46 00 32 00 37 00 35 00 37 00 35 00 35 00 35 00 39 00 34 00 35 00 } //2 00285E5D5853555058215F2757555945
condition:
((#a_01_0 & 1)*4+(#a_01_1 & 1)*4+(#a_01_2 & 1)*2+(#a_01_3 & 1)*2+(#a_01_4 & 1)*2+(#a_01_5 & 1)*2) >=12
}
Reference in New Issue View Git Blame Copy Permalink