DefenderYara/Backdoor/Win32/Caphaw/Backdoor_Win32_Caphaw_A.yar


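import "math"

// Backdoor:Win32/Caphaw.A — converted from a Defender PEHSTR_EXT record.
//
// The record header in `description` decodes as: threshold 5 (05 00), threshold 5
// (05 00), 0x0a = 10 weighted strings, then the first string's weight (03 00).
// Each string's trailing "//NN 00" comment is the little-endian weight of the
// *following* string and the final "00 00" is the end-of-list marker, so the
// resolved weights are: $a_03_0..$a_01_2 = 3, $a_00_3..$a_00_5 = 2,
// $a_03_6..$a_01_9 = 1.  NOTE(review): this weight alignment is inferred from the
// record layout (10 strings declared, 11 listed, weight field before the first
// string) — confirm against the extractor if the rule is tuned further.
//
// Fixes relative to the raw conversion:
//   * "03"-type patterns carried Defender's wildcard escapes as literal bytes:
//     `90 01 NN` = skip NN bytes, `90 00` = end of pattern.  Left literal, the
//     patterns could never match the code they describe (e.g. `74 90 01 01` was
//     the jz rel8 `74 ??`, `e8 90 01 04` the call rel32 `e8 ?? ?? ?? ??`); they
//     are now YARA jumps `[1]` / `[4]` with the terminator dropped.
//   * The old condition `any of ($a_*)` ignored the weights entirely and included
//     the 3-byte `{7e 15 00}` leftover, which matches almost any binary.  The
//     condition now implements the weighted threshold (>= 5) from the header.
//   * `math.min(#s, 1)` is used instead of the `(#s & 1)` idiom: `& 1` yields 0
//     when a string matches an even number of times, silently dropping its weight.
rule Backdoor_Win32_Caphaw_A
{
    meta:
        description = "Backdoor:Win32/Caphaw.A,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 0a 00 00 03 00 "

    strings:
        // Byte-decode loop: test esi,esi / jz / mov cl,[esi] / ... imul eax,eax,0x34d /
        // add eax,0x241 / div / xor — looks like a string-decryption routine.
        $a_03_0 = {8b 03 8d 73 08 85 f6 74 [1] 8a 0e 33 ff 32 c8 74 [1] 69 c0 4d 03 00 00 05 41 02 00 00 83 c9 ff 33 d2 f7 f1 47 8a 0c 37 8b c2 32 c8 75 e4} //03 00
        // cmp eax,0x12345678 / jz / or eax,eax / jnz / mov dword [ebp+XX],1 / call rel32 / push 0 / call [..]
        $a_03_1 = {3d 78 56 34 12 74 04 0b c0 75 07 c7 45 [1] 01 00 00 00 e8 [4] 6a 00 ff 15} //03 00
        // Same multiply-by-0x34D / add-0x241 decode loop, second variant (no wildcards).
        $a_01_2 = {69 c0 4d 03 00 00 05 41 02 00 00 33 d2 83 cf ff f7 f7 46 8b c2 8a 14 0e 32 d0 75 e4} //02 00
        $a_00_3 = {43 50 48 57 20 6b 69 6c 6c 20 62 79 20 74 69 6d 65 6f 75 74 00} //02 00  "CPHW kill by timeout\0"
        $a_00_4 = {2a 2a 2a 4c 6f 61 64 20 69 6e 6a 65 63 74 73 20 75 72 6c 3d 25 73 20 28 25 73 29 00} //02 00  "***Load injects url=%s (%s)\0"
        $a_00_5 = {2a 2a 2a 69 73 49 6e 6a 65 63 74 3d 25 73 00} //01 00  "***isInject=%s\0"
        // cmp eax,0x500000 / ja rel32 / test edx,edx / jl rel8 / jg +7 / cmp eax,0x7d000 / jbe
        $a_03_6 = {3d 00 00 50 00 0f 87 [4] 85 d2 7c [1] 7f 07 3d 00 d0 07 00 76} //01 00
        // MSVC-mangled class-name fragments (`AV<name>@@`), presumably from RTTI
        // type descriptors; weak on their own, hence weight 1.
        $a_01_7 = {41 56 43 49 6e 6a 65 63 74 73 50 61 63 6b 40 40} //01 00  AVCInjectsPack@@
        $a_01_8 = {41 56 46 46 5f 48 6f 6f 6b 40 40} //01 00  AVFF_Hook@@
        $a_01_9 = {41 56 49 45 5f 48 6f 6f 6b 40 40} //00 00  AVIE_Hook@@
        // $a_00_10 = {7e 15 00} //00 2a
        // Removed: the header declares 10 strings (indices 0-9), so these bytes are
        // trailing record data, not a signature; a 3-byte pattern under `any of`
        // would also fire on nearly every file.

    condition:
        // Weighted score against the header threshold of 5.  Each string
        // contributes its weight at most once regardless of match count.
        (
            math.min(#a_03_0, 1) * 3 +
            math.min(#a_03_1, 1) * 3 +
            math.min(#a_01_2, 1) * 3 +
            math.min(#a_00_3, 1) * 2 +
            math.min(#a_00_4, 1) * 2 +
            math.min(#a_00_5, 1) * 2 +
            math.min(#a_03_6, 1) * 1 +
            math.min(#a_01_7, 1) * 1 +
            math.min(#a_01_8, 1) * 1 +
            math.min(#a_01_9, 1) * 1
        ) >= 5
}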