DefenderYara/TrojanDropper/Win32/VB/TrojanDropper_Win32_VB_BB.yar


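rule TrojanDropper_Win32_VB_BB
{
    // Converted Defender PEHSTR_EXT signature for TrojanDropper:Win32/VB.BB.
    //
    // The description header "41 00 3f 00 0b 00" reads as two little-endian
    // thresholds (0x41 = 65, 0x3f = 63) followed by the string count
    // (0x0b = 11). The per-string weights carried in the original trailing
    // comments (1,1,1,1,1,10,10,10,10,10,10) sum to exactly 65, which is
    // consistent with that reading. The earlier condition `any of ($a_*)`
    // discarded those weights entirely, so a single generic string such as
    // the VB6 runtime name "MSVBVM60.DLL" or the OS label
    // "Windows XP Profesionnel" was enough to fire — a false-positive risk on
    // ordinary VB6 binaries. The condition below reproduces the weighted
    // threshold instead.
    //
    // $a_02_9 / $a_02_10 originally contained the byte sequences "90 01 NN"
    // and a trailing "90 00". Decoding the surrounding x86 (mov/call operands
    // of the form "?? ?? 40 00" and "?? ?? ?? ??") shows "90 01 NN" is an
    // NN-byte wildcard escape and "90 00" the pattern terminator, so as
    // literal bytes these strings could never match. They are rewritten as
    // YARA jumps; the original bytes are otherwise unchanged.
    meta:
        description = "TrojanDropper:Win32/VB.BB,SIGNATURE_TYPE_PEHSTR_EXT,41 00 3f 00 0b 00 00 01 00 "
    strings:
        // weight 1 each (original trailer "01 00")
        $a_00_0 = {42 73 74 4b 4c 4f 47 5f 4d 61 69 6c 65 65 72 } // BstKLOG_Maileer
        $a_00_1 = {74 6d 72 46 54 50 59 4f 4c 4c 41 4d 41 53 55 52 45 53 49 } // tmrFTPYOLLAMASURESI
        $a_00_2 = {74 6d 72 46 4f 52 4d 41 49 4c } // tmrFORMAIL
        $a_00_3 = {41 63 74 69 76 65 58 20 44 65 62 75 67 67 65 72 2e 65 78 65 } // ActiveX Debugger.exe
        $a_00_4 = {57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 58 00 50 00 20 00 50 00 72 00 6f 00 66 00 65 00 73 00 69 00 6f 00 6e 00 6e 00 65 00 6c 00 } // Windows XP Profesionnel (UTF-16)
        // weight 10 each (original trailer "0a 00")
        $a_00_5 = {61 63 74 69 76 65 78 64 65 62 75 67 67 65 72 33 32 } // activexdebugger32
        $a_00_6 = {4d 53 56 42 56 4d 36 30 2e 44 4c 4c } // MSVBVM60.DLL — present in every VB6 binary, weak on its own
        $a_00_7 = {32 00 63 00 34 00 39 00 66 00 38 00 30 00 30 00 2d 00 63 00 32 00 64 00 64 00 2d 00 31 00 31 00 63 00 66 00 2d 00 39 00 61 00 64 00 36 00 2d 00 30 00 30 00 38 00 30 00 63 00 37 00 65 00 37 00 62 00 37 00 38 00 64 00 } // 2c49f800-c2dd-11cf-9ad6-0080c7e7b78d (UTF-16)
        $a_00_8 = {44 00 3a 00 5c 00 40 00 6c 00 69 00 69 00 68 00 73 00 61 00 6e 00 32 00 33 00 39 00 37 00 5c 00 42 00 65 00 6c 00 67 00 65 00 6c 00 65 00 72 00 69 00 6d 00 5c 00 56 00 42 00 5f 00 50 00 72 00 6f 00 6a 00 65 00 6c 00 65 00 72 00 69 00 6d 00 5c 00 68 00 41 00 63 00 6b 00 45 00 72 00 5c 00 4b 00 65 00 79 00 4c 00 4f 00 47 00 45 00 52 00 73 00 5c 00 46 00 6f 00 72 00 20 00 42 00 73 00 74 00 4b 00 4c 00 4f 00 47 00 20 00 53 00 65 00 6e 00 64 00 20 00 4d 00 61 00 69 00 6c 00 6c 00 65 00 65 00 72 00 20 00 4e 00 4f 00 43 00 58 00 5c 00 42 00 73 00 74 00 4b 00 4c 00 4f 00 47 00 5f 00 4d 00 61 00 69 00 6c 00 65 00 65 00 72 00 2e 00 76 00 62 00 70 00 } // D:\@liihsan2397\Belgelerim\VB_Projelerim\hAckEr\KeyLOGERs\For BstKLOG Send Mailleer NOCX\BstKLOG_Maileer.vbp (UTF-16, PDB/project path)
        // x86 code patterns; "[N]" replaces the source signature's "90 01 0N" wildcard escapes
        $a_02_9 = {c7 45 fc 0f 00 00 00 c7 85 0c ff ff ff [2] 40 00 c7 85 04 ff ff ff 08 00 00 00 8d 95 04 ff ff ff 8d 4d 98 ff 15 [4] 8d 45 98 50 8d 4d 88 51 ff 15 [4] c7 85 fc fe ff ff [2] 40 00 c7 85 f4 fe ff ff 08 00 00 00 6a 00 8d 55 88 52 8d 85 f4 fe ff ff 50 8d 8d 78 ff ff ff 51 ff 15 [4] 50 ff 15 [4] ff 15 [4] 89 45 dc 8d 95 78 ff ff ff 52 8d 45 88 50 8d 4d 98 51 6a 03 }
        $a_02_10 = {c7 85 58 ff ff ff [2] 40 00 c7 85 50 ff ff ff 08 00 00 00 c7 85 48 ff ff ff [2] 40 00 c7 85 40 ff ff ff 08 00 00 00 8d 45 94 50 8d 8d 50 ff ff ff 51 8d 55 84 52 ff 15 [2] 40 00 50 8d 85 40 ff ff ff 50 8d 8d 74 ff ff ff 51 ff 15 [2] 40 00 50 ff 15 [2] 40 00 8d 95 74 ff ff ff 52 8d 45 84 50 8d 4d 94 51 6a 03 }
    condition:
        // Weighted threshold: the lower header value (63 of a possible 65) is
        // only reachable with all six weight-10 strings (60) plus at least
        // three of the five weight-1 strings. The lower value is used so the
        // rule is no stricter than either reading of the header.
        all of ($a_00_5, $a_00_6, $a_00_7, $a_00_8, $a_02_9, $a_02_10) and
        3 of ($a_00_0, $a_00_1, $a_00_2, $a_00_3, $a_00_4)
}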