DefenderYara/VirTool/BAT/Splori/VirTool_BAT_Splori_A.yar


rule VirTool_BAT_Splori_A
{
    meta:
        description = "VirTool:BAT/Splori.A,SIGNATURE_TYPE_PEHSTR_EXT,21 00 21 00 09 00 00 "

    strings:
        // Every pattern below is a NUL-terminated ASCII string. The decoded text and the
        // weight each string carried in the original scoring are noted beside it.
        $a_01_0 = { 52 75 6e 50 45 00 }                                  // "RunPE\0"            weight 10
        $a_01_1 = { 49 6e 6a 65 63 74 50 45 00 }                         // "InjectPE\0"         weight 10
        $a_01_2 = { 68 69 64 5f 73 74 61 72 74 00 }                      // "hid_start\0"        weight 10
        $a_01_3 = { 49 73 41 6e 75 62 69 73 53 61 6e 64 62 6f 78 00 }    // "IsAnubisSandbox\0"  weight 1
        $a_01_4 = { 49 73 43 57 53 61 6e 64 62 6f 78 00 }                // "IsCWSandbox\0"      weight 1
        $a_01_5 = { 49 73 4e 6f 72 6d 61 6e 53 61 6e 64 62 6f 78 00 }    // "IsNormanSandbox\0"  weight 1
        $a_01_6 = { 49 73 53 61 6e 64 62 6f 78 69 65 00 }                // "IsSandboxie\0"      weight 1
        $a_01_7 = { 49 73 53 75 6e 62 65 6c 74 53 61 6e 64 62 6f 78 00 } // "IsSunbeltSandbox\0" weight 1
        $a_01_8 = { 49 73 57 69 72 65 73 68 61 72 6b 00 }                // "IsWireshark\0"      weight 1

    condition:
        // The original scoring summed the weights of the present strings and fired at >= 33.
        // The six weight-1 strings contribute at most 6, so reaching 33 requires all three
        // weight-10 strings plus at least three of the weight-1 strings; this is written
        // out directly so the match logic can be read without doing the arithmetic.
        $a_01_0 and $a_01_1 and $a_01_2 and
        3 of ($a_01_3, $a_01_4, $a_01_5, $a_01_6, $a_01_7, $a_01_8)
}