DefenderYara/Backdoor/Win32/Cinasquel/Backdoor_Win32_Cinasquel_A.yar


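rule Backdoor_Win32_Cinasquel_A {
    // Converted from a Defender PEHSTR_EXT signature. The meta string carries the raw
    // signature header bytes and each string's "//xx xx" trailer carries the per-string
    // weight bytes from the same blob (0x02 and 0x0a). Those weights plus the header
    // threshold field (0x10) indicate a weighted-score match in the original engine;
    // the previous "any of ($a_*)" was far looser than the source signature and fired on
    // near-ubiquitous byte sequences (see the dropped $a_00_9 below).
    meta:
        description = "Backdoor:Win32/Cinasquel.A,SIGNATURE_TYPE_PEHSTR_EXT,12 00 10 00 09 00 00 02 00 "
    strings:
        $a_01_0 = {78 70 64 6c 33 5f 69 6e 69 74 } //02 00 xpdl3_init
        // NOTE(review): the "90 02 NN", "90 01 NN" and "90 00" bytes in the $a_03_* strings
        // are the Defender signature escape sequences (jump of up to NN bytes, NN wildcard
        // bytes, string terminator), not literal bytes to scan for. They are decoded here
        // into YARA jumps/wildcards. The decoded $a_03_8 lines up with the literal opcode
        // sequence in $a_01_6 (83 e8 04 .. 48 74 0e 48 8d 54 24 48), which supports the
        // decoding — still confirm against the original signature blob.
        $a_03_1 = {63 3a 5c 57 69 6e 64 6f 77 73 5c 74 65 6d 70 5c [0-16] 2e 65 78 65 } //02 00 c:\Windows\temp\<0-16 bytes>.exe
        $a_03_2 = {25 74 65 6d 70 5c 74 6d 70 [0-5] 5c [0-16] 2e 65 78 65 } //02 00 %temp\tmp<0-5 bytes>\<0-16 bytes>.exe
        $a_01_3 = {70 00 69 00 72 00 65 00 73 00 73 00 } //02 00 piress (UTF-16LE)
        $a_01_4 = {61 00 64 00 6d 00 69 00 6e 00 6c 00 76 00 31 00 32 00 33 00 } //02 00 adminlv123 (UTF-16LE)
        $a_01_5 = {6d 79 73 71 6c 2e 64 6c 6c 00 78 70 64 6c 33 } //0a 00 mysql.dll\0xpdl3
        $a_01_6 = {83 e8 04 74 3e 48 74 0e 48 8d 54 24 48 75 43 } //02 00 sub eax,4 / je / dec eax / je / lea rdx,[rsp+0x48] / jne
        $a_01_7 = {28 25 73 29 20 70 6f 72 74 6e 75 6d 62 65 72 20 28 25 64 29 20 6f 73 76 65 72 73 69 6f 6e 20 28 25 73 29 } //0a 00 (%s) portnumber (%d) osversion (%s)
        $a_03_8 = {8b 84 24 b0 00 00 00 83 e8 04 [0-16] 48 74 ?? 48 8d 54 24 48 } //00 00
        // Dropped: $a_00_9 = {80 10 00 00 } //76 89
        // The header's count field (09 00) appears to declare nine strings ($a_*_0..8), so
        // this 4-byte tail looks like signature trailer data rather than a pattern. Under
        // "any of" it alone matched practically every PE file; it is also far below any
        // reasonable atom length for a detection string.
    condition:
        // PEHSTR is a PE-file signature type: anchor on the MZ header so the rule does not
        // scan arbitrary documents for short byte sequences.
        uint16(0) == 0x5A4D and
        (
            // Reconstructed threshold logic. Which strings carry the two 0x0a weights is
            // ambiguous from this listing (the //xx xx trailer may describe the current or
            // the following string), so this is a conservative reconstruction: two of the
            // family-specific patterns, or one of them plus three further strings. It is
            // never satisfied by a single string. Tune against the original signature
            // weights if they can be confirmed.
            2 of ($a_01_0, $a_01_5, $a_01_6, $a_01_7, $a_03_8)
            or ( 1 of ($a_01_0, $a_01_5, $a_01_6, $a_01_7, $a_03_8) and 4 of ($a_*) )
        )
}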