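// TrojanDownloader:Win32/Maywidmzi.A — translated from a Microsoft Defender
// PEHSTR_EXT signature; the raw signature header is kept verbatim in
// meta.description (threshold 0x0a = 10, 0x0b = 11 strings).
//
// $a_01_0..$a_01_4 are UTF-16LE (wide) runs of hex-ASCII digits, i.e. the
// sample carries its download URLs / hostname hex-encoded; the decoded value
// is given next to each string. $a_01_5 read backwards is the Startup-folder
// path "\Start Menu\Programs\Startup", which suggests that string is stored
// reversed — an inference from the bytes alone, confirm on a sample.
//
// Defender note: two of the three download URLs point at shared file-hosting
// services (dropboxusercontent.com, googledrive.com). The hostnames are not
// indicators on their own; only the full path (or the darkbreak.myftp.org
// host) is specific to this family.
rule TrojanDownloader_Win32_Maywidmzi_A
{
    meta:
        description = "TrojanDownloader:Win32/Maywidmzi.A,SIGNATURE_TYPE_PEHSTR_EXT,0a 00 0a 00 0b 00 00 "

    strings:
        // weight 12 — hex-ASCII of "http://darkbreak.myftp.org/start.css"
        $a_01_0 = "687474703A2F2F6461726B627265616B2E6D796674702E6F72672F73746172742E637373" wide
        // weight 12 — hex-ASCII of "https://dl.dropboxusercontent.com/s/n13t1b18eckr9ep/start.css"
        $a_01_1 = "68747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F732F6E3133743162313865636B723965702F73746172742E637373" wide
        // weight 12 — hex-ASCII of "https://googledrive.com/host/0B8O3fAZBLYURZHBhelh5c0IwNkU/sta"
        // (the signature deliberately stops at "sta"; the trailing "rt.css" is not matched)
        $a_01_2 = "68747470733A2F2F676F6F676C6564726976652E636F6D2F686F73742F3042384F3366415A424C5955525A484268656C6835633049774E6B552F737461" wide
        // weight 2 — hex-ASCII of "/start.css"
        $a_01_3 = "2F73746172742E637373" wide
        // weight 2 — hex-ASCII of "darkbreak.myftp.org"
        $a_01_4 = "6461726B627265616B2E6D796674702E6F7267" wide
        // weight 1 — "\Start Menu\Programs\Startup" written backwards (persistence path)
        $a_01_5 = "putratS\\smargorP\\uneM tratS\\" wide
        // weight 1 — dropped/downloaded archive names
        $a_01_6 = "\\sndm.zip" wide
        $a_01_7 = "\\myapp.zip" wide
        // weight 1 each — narrow-string identifiers from the binary
        // (presumably form/handler names from the builder — unconfirmed)
        $a_01_8  = "TimerSpreadMe" ascii
        $a_01_9  = "BtnFtpGetPlugin" ascii
        $a_01_10 = "ScanDrvType" ascii

    condition:
        // The generated form of this rule was a weighted sum:
        //   (#a_01_0 & 1)*12 + (#a_01_1 & 1)*12 + (#a_01_2 & 1)*12
        //   + (#a_01_3 & 1)*2 + (#a_01_4 & 1)*2
        //   + (#a_01_5 & 1) + ... + (#a_01_10 & 1) >= 10
        // `#x & 1` is the match COUNT mod 2 — parity, not presence — so a
        // string that occurs an even number of times in a file scored 0 and
        // the rule could miss a sample that contains every string twice.
        // With weights 12/12/12/2/2/1x6 and threshold 10, presence-based
        // scoring reduces exactly to: any one of the three URL strings, or
        // all eight of the low-weight strings (2+2+6 = 10).
        // NOTE(review): this assumes the Defender signature scores presence
        // rather than parity — confirm against PEHSTR_EXT semantics.
        any of ($a_01_0, $a_01_1, $a_01_2) or
        all of ($a_01_3, $a_01_4, $a_01_5, $a_01_6, $a_01_7, $a_01_8, $a_01_9, $a_01_10)
}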