DefenderYara/TrojanDownloader/Win32/Banavkill/TrojanDownloader_Win32_Bana...


// Detection rule for TrojanDownloader:Win32/Banavkill.A.
//
// Structure: 14 hex-encoded strings ($a_80_0 .. $a_80_13), each followed by a
// trailing "//" comment that gives (1) the string decoded as ASCII text and
// (2) an integer weight. The condition sums the weights of the strings that
// contribute and fires when the total reaches 3.
//
// NOTE(review): the description field looks like the original signature
// header ("03 00 03 00 0e 00 00"); the 0x0e (= 14) matches the string count
// and the 03 matches the >=3 threshold in the condition - TODO confirm the
// field layout against the converter that produced this rule.
rule TrojanDownloader_Win32_Banavkill_A{
meta:
description = "TrojanDownloader:Win32/Banavkill.A,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 0e 00 00 "
strings :
// Every hex string below is the ASCII byte sequence of the hex-looking text
// in its trailing comment (e.g. 41 44 35 42 = "AD5B"); they therefore match
// the literal text, not the binary value it spells. The final number in each
// comment is the weight applied to that string in the condition.
$a_80_0 = {41 44 35 42 46 30 32 32 30 37 32 32 44 45 31 30 44 37 36 41 39 33 43 33 41 35 35 43 46 35 35 44 36 42 42 38 36 31 38 45 42 35 36 39 39 46 34 39 45 41 30 46 32 34 41 30 38 34 42 42 35 33 46 43 36 36 44 36 30 34 32 31 44 36 30 42 32 34 44 46 30 45 33 35 39 37 46 33 32 36 43 45 36 31 39 31 41 31 44 45 38 36 43 32 42 36 } //AD5BF0220722DE10D76A93C3A55CF55D6BB8618EB5699F49EA0F24A084BB53FC66D60421D60B24DF0E3597F326CE6191A1DE86C2B6 2
$a_80_1 = {32 35 32 39 35 45 46 35 30 46 30 43 37 39 38 34 38 30 39 41 39 42 44 45 37 35 38 31 39 39 38 43 38 35 45 42 30 41 30 33 31 32 32 43 33 32 31 38 33 32 33 34 32 32 35 44 45 32 37 32 46 44 37 35 38 31 38 30 39 39 39 36 42 33 33 41 32 38 32 36 33 42 43 46 32 31 41 43 33 35 44 43 41 39 41 46 41 37 39 30 41 37 44 42 36 35 46 } //25295EF50F0C7984809A9BDE7581998C85EB0A03122C32183234225DE272FD7581809996B33A28263BCF21AC35DCA9AFA790A7DB65F 2
$a_80_2 = {31 31 31 39 30 39 37 32 44 37 37 45 39 38 41 43 41 38 39 46 42 31 43 44 36 37 46 39 30 46 36 45 44 41 32 43 33 31 31 39 32 45 33 41 43 33 34 33 32 39 } //11190972D77E98ACA89FB1CD67F90F6EDA2C31192E3AC34329 1
$a_80_3 = {44 30 35 38 34 38 33 31 31 34 33 41 44 43 37 31 39 33 45 34 37 31 38 41 39 39 41 35 44 41 31 43 36 38 39 46 41 45 38 36 39 42 41 44 42 39 34 35 43 46 35 32 46 37 38 43 38 39 46 38 } //D0584831143ADC7193E4718A99A5DA1C689FAE869BADB945CF52F78C89F8 1
$a_80_4 = {43 42 34 30 42 46 35 32 44 36 37 32 43 37 35 37 43 46 34 33 43 38 33 41 33 44 44 35 43 31 33 32 44 31 31 35 39 32 41 39 38 42 39 33 39 35 41 39 42 35 34 36 33 31 34 31 43 31 35 45 46 43 30 37 37 33 45 34 30 31 37 37 } //CB40BF52D672C757CF43C83A3DD5C132D11592A98B9395A9B5463141C15EFC0773E40177 1
$a_80_5 = {44 39 37 30 38 46 41 35 38 30 39 45 38 41 41 32 41 32 41 33 38 42 39 43 42 36 42 45 33 39 42 38 41 39 46 41 30 33 31 41 33 32 33 45 43 36 34 36 43 43 36 32 46 30 32 32 32 42 32 33 32 32 34 43 35 34 46 38 30 33 31 39 30 34 37 41 43 38 } //D9708FA5809E8AA2A2A38B9CB6BE39B8A9FA031A323EC646CC62F0222B23224C54F80319047AC8 1
$a_80_6 = {32 41 32 34 35 35 45 43 37 44 39 30 38 43 39 41 42 35 38 32 46 35 30 42 36 44 44 39 31 37 35 31 32 35 41 31 34 31 45 43 31 44 43 31 37 38 41 44 34 43 38 33 42 46 31 37 33 41 44 30 37 41 44 33 33 41 43 46 37 31 39 41 } //2A2455EC7D908C9AB582F50B6DD9175125A141EC1DC178AD4C83BF173AD07AD33ACF719A 2
$a_80_7 = {30 44 33 42 34 43 44 42 36 32 46 35 36 41 46 34 31 32 36 35 44 30 32 30 30 36 37 30 38 44 45 46 34 34 39 45 35 39 46 32 32 41 43 36 37 41 41 43 34 45 46 32 30 33 34 34 45 39 32 46 44 30 43 37 31 35 44 44 37 41 } //0D3B4CDB62F56AF41265D02006708DEF449E59F22AC67AAC4EF20344E92FD0C715DD7A 2
$a_80_8 = {42 34 35 33 41 34 42 33 42 42 35 46 46 44 30 38 30 37 37 30 44 42 31 35 37 33 45 37 30 35 36 37 44 33 30 39 33 38 45 32 30 41 33 44 45 31 31 30 36 36 38 38 35 36 38 38 } //B453A4B3BB5FFD080770DB1573E70567D30938E20A3DE11066885688 2
$a_80_9 = {30 33 30 44 37 45 39 35 41 35 41 38 41 34 42 32 41 44 39 41 38 44 45 34 34 33 33 37 42 34 33 37 30 33 35 35 46 37 32 32 44 33 30 43 33 43 32 30 44 44 31 35 32 44 } //030D7E95A5A8A4B2AD9A8DE44337B4370355F722D30C3C20DD152D 2
$a_80_10 = {44 33 37 32 38 33 39 32 39 38 42 42 35 30 44 45 37 38 43 46 42 41 33 36 31 30 37 41 46 37 37 30 43 34 31 44 43 38 30 39 33 42 45 41 31 37 43 33 37 31 44 43 31 35 42 45 36 30 } //D372839298BB50DE78CFBA36107AF770C41DC8093BEA17C371DC15BE60 2
$a_80_11 = {30 39 33 41 41 31 42 43 35 39 46 38 30 42 33 44 43 37 36 36 39 30 43 33 37 35 41 39 43 36 30 30 33 32 39 32 } //093AA1BC59F80B3DC76690C375A9C6003292 1
$a_80_12 = {33 30 32 33 35 38 39 34 34 30 46 34 33 31 45 31 31 34 } //3023589440F431E114 1
$a_80_13 = {30 38 31 36 37 42 45 42 36 30 46 43 36 35 44 45 37 34 45 43 35 41 42 41 34 33 43 45 33 35 35 30 43 38 33 32 33 37 33 33 33 35 32 35 32 31 33 46 44 30 35 37 46 41 } //08167BEB60FC65DE74EC5ABA43CE3550C83237333525213FD057FA 1
condition:
// Weighted sum: "#a_80_N" is the occurrence count of string N in the scanned
// file, "& 1" keeps only its low bit, and the result is multiplied by the
// string's weight (2 or 1, matching the trailing number in each string's
// comment). The rule fires when the sum is at least 3, i.e. at least two
// weight-1 strings plus one more, or two weight-2 strings, etc.
//
// NOTE(review): because of "& 1" a string contributes only when its
// occurrence count is ODD; a string found an even number of times adds 0.
// If plain presence was intended, "#a_80_N > 0" (or "$a_80_N") would be the
// usual form - left unchanged here to stay faithful to the converted source.
((#a_80_0 & 1)*2+(#a_80_1 & 1)*2+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*2+(#a_80_7 & 1)*2+(#a_80_8 & 1)*2+(#a_80_9 & 1)*2+(#a_80_10 & 1)*2+(#a_80_11 & 1)*1+(#a_80_12 & 1)*1+(#a_80_13 & 1)*1) >=3
}