DefenderYara/VirTool/Win64/Blindz/VirTool_Win64_Blindz_A_MTB.yar


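// Detection rule converted from a Microsoft Defender signature (the original
// signature name and type are kept verbatim in `description`). The hex
// patterns look like x64 instruction sequences (REX-prefixed opcodes such as
// 48 8b / 48 8d); `??` bytes are YARA wildcards, presumably covering
// RIP-relative displacements and call targets that vary between builds.
rule VirTool_Win64_Blindz_A_MTB
{
    meta:
        description = "VirTool:Win64/Blindz.A!MTB,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "

    strings:
        // Each pattern carries weight 1 (the trailing `//1` markers). The
        // description's header bytes appear to encode four strings with a
        // threshold of four, i.e. every pattern is required for a hit.
        $a_02_0 = {c7 45 10 68 00 00 00 41 b8 18 00 00 00 33 d2 48 8d ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? b9 8f 0a 87 06 e8 ?? ?? ?? ?? 48 89 85 c8 00 00 00 ba 71 91 32 37 48 8b 8d c8 00 00 00 } //1
        $a_02_1 = {48 8b f8 33 c0 b9 d0 04 00 00 f3 aa c7 45 40 12 00 10 00 48 8b 85 50 0f 00 00 48 89 45 58 48 c7 85 80 00 00 00 01 00 00 00 48 8d ?? ?? 48 8b 8d 58 0f 00 00 ff 15 } //1
        $a_02_2 = {48 8b f8 33 c0 b9 d0 04 00 00 f3 aa c7 85 00 06 00 00 1f 00 10 00 48 8d ?? ?? ?? ?? ?? 48 8b 8d 58 0f 00 00 ff 15 } //1
        $a_02_3 = {48 63 45 24 48 8b 8d 20 01 00 00 0f be 04 01 03 45 04 8b 4d 04 8d ?? ?? 89 45 04 eb b8 } //1

    condition:
        // The original condition was
        //   ((#a_02_0 & 1)*1+(#a_02_1 & 1)*1+(#a_02_2 & 1)*1+(#a_02_3 & 1)*1) >= 4
        // `#x & 1` is a parity test on the match count, not a presence test:
        // a pattern that occurs an even number of times (e.g. twice in a
        // binary) contributed 0 and the rule failed to fire even though every
        // pattern was present. With weight 1 per string and a threshold of 4,
        // the intended meaning is simply "all four patterns are present".
        all of them
}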