
// Detection rule for TrojanDownloader:Win32/Banload.ACI, carried over from a
// Microsoft Defender PEHSTR_EXT signature. Every string has a weight (the
// trailing "//N" comment, kept from the converter); the condition adds the
// weights of the strings that occur at least once and fires when the score
// reaches 8. Negative weights are exclusions that pull the score down.
rule TrojanDownloader_Win32_Banload_ACI{
meta:
// Original Defender header kept verbatim. The "08 00" presumably encodes the
// score threshold (matches the ">=8" in the condition) and "18 00" (0x18 = 24)
// matches the 24 strings declared below — field layout not documented here,
// confirm against the repo's converter before relying on it.
description = "TrojanDownloader:Win32/Banload.ACI,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 18 00 00 "
strings :
// Most strings are UTF-16LE (every character followed by 00); the decoded text
// is given after the weight. The long upper-case hex-digit strings are opaque
// tokens from the sample — presumably encoded constants or keys; verify.
$a_01_0 = {59 00 55 00 51 00 4c 00 32 00 33 00 4b 00 4c 00 32 00 33 00 44 00 46 00 39 00 30 00 57 00 49 00 35 00 45 00 31 00 4a 00 41 00 53 00 } //5 YUQL23KL23DF90WI5E1JAS (UTF-16LE; highest single weight)
$a_01_1 = {32 00 33 00 44 00 32 00 31 00 32 00 44 00 37 00 30 00 34 00 30 00 43 00 30 00 38 00 37 00 43 00 41 00 43 00 32 00 42 00 36 00 41 00 38 00 41 00 42 00 41 00 31 00 33 00 42 00 33 00 34 00 31 00 46 00 } //2 23D212D7040C087CAC2B6A8ABA13B341F
$a_01_2 = {42 00 34 00 38 00 44 00 41 00 30 00 34 00 34 00 46 00 34 00 35 00 37 00 41 00 32 00 39 00 41 00 38 00 35 00 38 00 35 00 44 00 34 00 37 00 41 00 41 00 38 00 32 00 35 00 36 00 33 00 38 00 36 00 41 00 32 00 32 00 32 00 31 00 35 00 34 00 36 00 46 00 32 00 36 00 33 00 39 00 36 00 43 00 33 00 30 00 34 00 34 00 35 00 45 00 } //2 B48DA044F457A29A8585D47AA8256386A2221546F26396C30445E
// The next three strings end in "00 00", i.e. the UTF-16LE NUL terminator is
// part of the pattern, so they only match complete, terminated strings.
$a_01_3 = {2d 00 72 00 20 00 2d 00 74 00 20 00 30 00 30 00 20 00 2d 00 66 00 00 00 } //2 "-r -t 00 -f" + NUL (UTF-16LE) — looks like a forced-restart command line; TODO confirm
$a_01_4 = {5c 00 74 00 69 00 70 00 6f 00 2e 00 74 00 78 00 74 00 00 00 } //2 "\tipo.txt" + NUL (UTF-16LE)
$a_01_5 = {5c 00 78 00 73 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 6d 00 73 00 67 00 73 00 31 00 31 00 31 00 31 00 2e 00 65 00 78 00 65 00 00 00 } //2 "\xswindowsmsgs1111.exe" + NUL (UTF-16LE)
$a_01_6 = {43 00 43 00 35 00 34 00 45 00 43 00 30 00 31 00 32 00 35 00 41 00 36 00 46 00 35 00 32 00 45 00 44 00 38 00 30 00 44 00 } //2 CC54EC0125A6F52ED80D
// $a_02_7 / $a_02_8 are ASCII (no 00 padding). The "90 01 XX", "90 09 XX 00"
// and closing "90 00" byte groups look like Defender's wildcard/jump encoding
// carried over by the converter rather than literal bytes; as plain YARA hex
// they are matched literally. NOTE(review): confirm how the repo's converter
// expects them to be read before compiling this rule with stock yara.
$a_02_7 = {42 61 69 78 61 72 54 69 6d 65 72 90 09 16 00 46 6f 72 6d 43 72 65 61 74 65 90 01 07 54 69 6d 65 72 90 00 } //2 "BaixarTimer" … "FormCreate" … "Timer" (ASCII)
$a_02_8 = {42 61 73 61 5f 90 09 17 00 53 65 6e 64 65 72 90 01 0b 54 46 72 61 6d 65 90 00 } //2 "Basa_" … "Sender" … "TFrame" (ASCII; looks like Delphi/VCL identifiers — confirm)
$a_01_9 = {30 00 42 00 32 00 41 00 43 00 42 00 31 00 31 00 43 00 44 00 33 00 41 00 35 00 41 00 43 00 32 00 36 00 38 00 45 00 39 00 36 00 34 00 39 00 44 00 34 00 41 00 38 00 34 00 43 00 38 00 37 00 39 00 41 00 32 00 45 00 35 00 30 00 39 00 34 00 41 00 33 00 33 00 32 00 30 00 31 00 44 00 37 00 46 00 } //2 0B2ACB11CD3A5AC268E9649D4A84C879A2E5094A33201D7F
$a_01_10 = {38 00 46 00 45 00 34 00 34 00 41 00 44 00 35 00 35 00 43 00 34 00 45 00 39 00 32 00 42 00 38 00 36 00 42 00 45 00 44 00 37 00 43 00 41 00 45 00 35 00 35 00 38 00 33 00 43 00 35 00 42 00 32 00 41 00 35 00 45 00 41 00 36 00 30 00 42 00 46 00 } //2 8FE44AD55C4E92B86BED7CAE5583C5B2A5EA60BF
$a_01_11 = {35 00 44 00 39 00 43 00 34 00 34 00 45 00 39 00 31 00 36 00 36 00 32 00 41 00 32 00 39 00 41 00 35 00 45 00 45 00 37 00 36 00 43 00 44 00 45 00 30 00 39 00 34 00 35 00 39 00 42 00 } //2 5D9C44E91662A29A5EE76CDE09459B
$a_01_12 = {42 00 44 00 37 00 46 00 41 00 36 00 34 00 41 00 46 00 36 00 30 00 33 00 30 00 31 00 37 00 42 00 39 00 30 00 33 00 36 00 39 00 30 00 34 00 32 00 46 00 36 00 35 00 33 00 46 00 37 00 } //2 BD7FA64AF603017B90369042F653F7
$a_01_13 = {38 00 35 00 42 00 34 00 37 00 43 00 41 00 31 00 35 00 45 00 41 00 41 00 45 00 41 00 35 00 31 00 46 00 45 00 34 00 30 00 39 00 45 00 35 00 30 00 46 00 38 00 35 00 35 00 46 00 39 00 } //2 85B47CA15EAAEA51FE409E50F855F9
$a_01_14 = {31 00 31 00 30 00 41 00 33 00 45 00 46 00 44 00 32 00 44 00 41 00 45 00 46 00 44 00 31 00 41 00 33 00 37 00 39 00 37 00 33 00 46 00 45 00 34 00 31 00 35 00 34 00 30 00 39 00 35 00 35 00 46 00 } //2 110A3EFD2DAEFD1A37973FE41540955F
$a_01_15 = {5c 00 73 00 68 00 6f 00 77 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 62 00 62 00 62 00 31 00 2e 00 65 00 78 00 65 00 } //2 \showwindowsbbb1.exe (UTF-16LE, no terminator)
$a_01_16 = {32 00 30 00 44 00 31 00 31 00 33 00 44 00 36 00 30 00 42 00 34 00 43 00 42 00 35 00 41 00 46 00 39 00 32 00 33 00 38 00 39 00 43 00 35 00 30 00 33 00 38 00 41 00 33 00 32 00 34 00 44 00 41 00 30 00 30 00 35 00 30 00 38 00 31 00 39 00 45 00 34 00 } //2 20D113D60B4CB5AF92389C5038A324DA0050819E4
$a_01_17 = {30 00 38 00 32 00 39 00 43 00 38 00 36 00 43 00 39 00 30 00 46 00 38 00 31 00 42 00 30 00 31 00 33 00 34 00 39 00 39 00 32 00 32 00 31 00 34 00 43 00 30 00 31 00 42 00 42 00 31 00 34 00 34 00 45 00 30 00 37 00 38 00 41 00 46 00 32 00 45 00 45 00 42 00 30 00 } //2 0829C86C90F81B0134992214C01BB144E078AF2EEB0
// $a_03_18 / $a_03_19 are raw code-byte fragments (weight 1 each) and use the
// same "90 01 XX" / "90 09 XX 00" / "90 00" marker groups as $a_02_7 above —
// the same converter caveat applies. Not decoded here.
$a_03_18 = {31 45 d8 8d 45 90 01 01 50 8b 45 d8 89 45 90 01 01 c6 45 90 01 01 00 8d 55 90 09 0b 00 8b 45 e0 8b 55 ec 0f b7 44 50 fe 90 00 } //1
$a_03_19 = {70 fe 33 d8 8d 45 90 01 01 50 89 90 09 0b 00 be 01 00 00 00 8b 90 01 02 0f b7 44 90 00 } //1
// Exclusions. The positive weights sum to at most 41 (5 + 17*2 + 1 + 1), so a
// -100 string makes the threshold unreachable and effectively vetoes the
// detection; the -5 strings only lower the score.
$a_01_20 = {53 00 70 00 79 00 77 00 61 00 72 00 65 00 20 00 42 00 72 00 6f 00 77 00 73 00 65 00 72 00 } //-5 Spyware Browser (UTF-16LE)
$a_01_21 = {65 6e 67 65 6e 68 6f 73 6f 66 74 77 61 72 65 2e 63 6f 6d } //-5 engenhosoftware.com (ASCII, unlike the other exclusion strings)
$a_01_22 = {43 00 65 00 6e 00 74 00 72 00 61 00 6c 00 20 00 64 00 65 00 20 00 53 00 75 00 70 00 6f 00 72 00 74 00 65 00 20 00 61 00 6f 00 20 00 53 00 41 00 43 00 53 00 } //-100 Central de Suporte ao SACS (UTF-16LE; hard exclusion)
$a_01_23 = {45 00 6d 00 62 00 61 00 72 00 63 00 61 00 64 00 65 00 72 00 6f 00 20 00 54 00 65 00 63 00 68 00 6e 00 6f 00 6c 00 6f 00 67 00 69 00 65 00 73 00 20 00 49 00 6e 00 63 00 2e 00 } //-100 Embarcadero Technologies Inc. (UTF-16LE; hard exclusion)
condition:
// Weighted score. "#x & 1" reduces each occurrence count to 0 or 1, so a
// string that appears many times still contributes its weight only once;
// the multiplier is the weight listed in that string's trailing comment.
((#a_01_0 & 1)*5+(#a_01_1 & 1)*2+(#a_01_2 & 1)*2+(#a_01_3 & 1)*2+(#a_01_4 & 1)*2+(#a_01_5 & 1)*2+(#a_01_6 & 1)*2+(#a_02_7 & 1)*2+(#a_02_8 & 1)*2+(#a_01_9 & 1)*2+(#a_01_10 & 1)*2+(#a_01_11 & 1)*2+(#a_01_12 & 1)*2+(#a_01_13 & 1)*2+(#a_01_14 & 1)*2+(#a_01_15 & 1)*2+(#a_01_16 & 1)*2+(#a_01_17 & 1)*2+(#a_03_18 & 1)*1+(#a_03_19 & 1)*1+(#a_01_20 & 1)*-5+(#a_01_21 & 1)*-5+(#a_01_22 & 1)*-100+(#a_01_23 & 1)*-100) >=8
}