DefenderYara/Backdoor/BAT/IRCbot/Backdoor_BAT_IRCbot_E.yar


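// Backdoor:BAT/IRCbot.E — detection for an IRC-controlled bot.
//
// Every string below is UTF-16LE (each ASCII byte is followed by 00);
// the trailing comment on each line gives the decoded text. The source
// is a Defender PEHSTR signature whose header is "07 00 07 00 09 00":
// 09 00 matches the nine strings, and each string carries a 01 00
// weight in its trailing comment. The first header word (07 00) is
// read here as the score threshold — TODO confirm against the PEHSTR
// layout. The automatic conversion emitted `any of ($a_*)`, which
// fires on a lone ".dyndns.org" (present in many benign dynamic-DNS
// clients); requiring 7 of 9 restores the weighted-score intent of
// the original signature and keeps false positives down.
rule Backdoor_BAT_IRCbot_E {
    meta:
        description = "Backdoor:BAT/IRCbot.E,SIGNATURE_TYPE_PEHSTR,07 00 07 00 09 00 00 01 00 "
    strings:
        // Dynamic-DNS suffix; on its own this is not malicious.
        $a_01_0 = {2e 00 64 00 79 00 6e 00 64 00 6e 00 73 00 2e 00 6f 00 72 00 67 00 } //01 00 .dyndns.org
        // "!"-prefixed command keywords — presumably bot commands parsed
        // from IRC messages (inferred from the names; not verified here).
        $a_01_1 = {21 00 68 00 74 00 74 00 70 00 66 00 6c 00 6f 00 6f 00 64 00 } //01 00 !httpflood
        $a_01_2 = {21 00 73 00 79 00 6e 00 66 00 6c 00 6f 00 6f 00 64 00 } //01 00 !synflood
        $a_01_3 = {21 00 75 00 64 00 70 00 66 00 6c 00 6f 00 6f 00 64 00 } //01 00 !udpflood
        $a_01_4 = {21 00 69 00 63 00 6d 00 70 00 66 00 6c 00 6f 00 6f 00 64 00 } //01 00 !icmpflood
        // IRC PRIVMSG format strings with {0}/{1} placeholders, i.e. the
        // bot reporting host details back over IRC.
        $a_01_5 = {50 00 52 00 49 00 56 00 4d 00 53 00 47 00 20 00 7b 00 30 00 7d 00 20 00 3a 00 42 00 6f 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3a 00 20 00 7b 00 31 00 7d 00 } //01 00 PRIVMSG {0} :BotVersion: {1}
        $a_01_6 = {50 00 52 00 49 00 56 00 4d 00 53 00 47 00 20 00 7b 00 30 00 7d 00 20 00 3a 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3a 00 20 00 7b 00 31 00 7d 00 } //01 00 PRIVMSG {0} :Windows Version: {1}
        $a_01_7 = {50 00 52 00 49 00 56 00 4d 00 53 00 47 00 20 00 7b 00 30 00 7d 00 20 00 3a 00 55 00 73 00 65 00 72 00 6e 00 61 00 6d 00 65 00 3a 00 20 00 7b 00 31 00 7d 00 } //01 00 PRIVMSG {0} :Username: {1}
        $a_01_8 = {50 00 52 00 49 00 56 00 4d 00 53 00 47 00 20 00 7b 00 30 00 7d 00 20 00 3a 00 4d 00 61 00 63 00 68 00 69 00 6e 00 65 00 6e 00 61 00 6d 00 65 00 3a 00 20 00 7b 00 31 00 7d 00 } //00 00 PRIVMSG {0} :Machinename: {1}
    condition:
        // Weighted threshold from the PEHSTR header (7 of 9 strings at
        // weight 1 each) instead of the over-broad `any of`.
        7 of ($a_*)
}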