DefenderYara/Backdoor/Win32/Begman/Backdoor_Win32_Begman_A.yar


// Converted from a Microsoft Defender PEHSTR_EXT signature (Backdoor:Win32/Begman.A).
// The hex strings below are kept byte-for-byte from the converted signature; the
// comments decode them for the reader. The header in `description`
// (`0a 00 0a 00 0a 00 00 05 00`) and the trailing `//NN 00` comments on each
// string come from the original signature and presumably carry per-string weights
// and a match threshold — TODO confirm against the converter's documentation.
rule Backdoor_Win32_Begman_A{
meta:
description = "Backdoor:Win32/Begman.A,SIGNATURE_TYPE_PEHSTR_EXT,0a 00 0a 00 0a 00 00 05 00 "
strings :
// x86 code fragment. The `90 01 02`, `90 01 04` and trailing `90 00` runs look
// like Defender wildcard/terminator markers that were not translated into YARA
// `??` / `[n]` syntax — as written YARA matches them as literal bytes, so this
// string may never fire on the intended code. Verify against the converter.
// Read with those markers as wildcards, the tail is consistent with
// `imul eax, [imm32], 0xEA60` (60000, plausibly a millisecond interval) followed
// by `mov eax, [imm32]` and an indirect `call [eax+18h]` — hedged reading.
$a_03_0 = {74 0c 8d 55 fc 8b c6 e8 90 01 02 ff ff eb 0d 46 83 c3 04 83 fe 03 0f 85 5f ff ff ff 69 05 90 01 04 60 ea 00 00 50 a1 90 01 04 8b 00 ff 50 18 e9 2e ff ff ff 90 00 } //01 00
// The remaining strings all share the same layout: a 32-bit little-endian length,
// the ASCII text, then a NUL (the length matches the text in every case, which
// looks like a length-prefixed string type — presumably compiler-generated; TODO confirm).
// 11: "clbcatq.dll" — a legitimate Windows DLL name; weak on its own.
$a_00_1 = {0b 00 00 00 63 6c 62 63 61 74 71 2e 64 6c 6c 00 } //01 00
// 9: "interval\"" — note the trailing double quote in each of $a_00_2..$a_00_6.
$a_00_2 = {09 00 00 00 69 6e 74 65 72 76 61 6c 22 00 } //01 00
// 9: "socksint\""
$a_00_3 = {09 00 00 00 73 6f 63 6b 73 69 6e 74 22 00 } //01 00
// 6: "socks\""
$a_00_4 = {06 00 00 00 73 6f 63 6b 73 22 00 } //01 00
// 8: "selfdel\""
$a_00_5 = {08 00 00 00 73 65 6c 66 64 65 6c 22 00 } //01 00
// 5: "exec\""
$a_00_6 = {05 00 00 00 65 78 65 63 22 00 } //01 00
// 10: ",MainBegin"
$a_00_7 = {0a 00 00 00 2c 4d 61 69 6e 42 65 67 69 6e 00 } //02 00
// 12: "wusa /quiet " — Windows Update Standalone Installer command line;
// generic enough to appear in benign installers.
$a_00_8 = {0c 00 00 00 77 75 73 61 20 2f 71 75 69 65 74 20 00 } //02 00
// 31: "[autorun]\r\nUseAutoPlay=1\r\nopen=" — an autorun.inf template;
// also generic on its own.
$a_00_9 = {1f 00 00 00 5b 61 75 74 6f 72 75 6e 5d 0d 0a 55 73 65 41 75 74 6f 50 6c 61 79 3d 31 0d 0a 6f 70 65 6e 3d 00 } //00 00
condition:
// NOTE(review): `any of` fires on a single string and ignores the weights noted
// above, so a lone hit on $a_00_1, $a_00_8 or $a_00_9 is enough to match — expect
// false positives if this rule is used for blocking rather than hunting/triage.
// PEHSTR_EXT suggests Defender evaluated the original against PE files only; this
// rule carries no file-type guard (e.g. a check on the MZ header) — consider adding
// one and a minimum-count or weighted condition when tuning for production use.
any of ($a_*)
}