DefenderYara/Backdoor/Win32/DarkView/Backdoor_Win32_DarkView_A.yar


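rule Backdoor_Win32_DarkView_A
{
    // Converted from a Microsoft Defender PEHSTR_EXT signature (the raw header is kept
    // verbatim in `description`). The header bytes "6b 00 6b 00 08 00 00 64 00" appear to
    // carry the original match threshold (0x6b = 107) and string count (8), and the
    // "//NN 00" trailer the converter left after each string appears to be the weight of
    // the *following* string, giving weights 100, 2, 1, 1, 1, 1, 1, 1 (sum 108). The
    // condition below reconstructs that scoring. The previous "any of ($a_*)" discarded
    // the weights entirely and fired on a single hit of a path token such as
    // "%systemroot%" -- present in countless benign PEs -- so it was a false-positive
    // generator rather than a detection.
    meta:
        description = "Backdoor:Win32/DarkView.A,SIGNATURE_TYPE_PEHSTR_EXT,6b 00 6b 00 08 00 00 64 00 "

    strings:
        // Code pattern (weight 100). Defender's in-signature wildcard encoding
        // "90 01 NN" (NN wildcard bytes) has been translated to YARA "??", and the
        // trailing "90 00" end marker dropped; left literal, as in the original
        // conversion, those bytes sit where the rel32 operands of E8/0F84 go and can
        // never match real code. Decoded (x86-32):
        //   push ebx / sub esp,0x20 / zero the 0x20-byte stack buffer in a loop,
        //   two calls (rel32 wildcarded),
        //   push 0 / push 0x1F0FFF / call        ; 0x1F0FFF == PROCESS_ALL_ACCESS (pre-Vista value),
        //                                        ; consistent with OpenProcess(pid) -- API inferred
        //   cmp [esp+0xc],0 / jz                 ; bail if the handle is NULL
        //   push 4 / push 0x1000 / push size / push 0 / push handle
        //                                        ; 4 == PAGE_READWRITE, 0x1000 == MEM_COMMIT,
        //                                        ; consistent with a VirtualAllocEx(hProcess, ...)
        //                                        ; remote-injection prologue -- API inferred
        $a_02_0 = { 53 83 ec 20 89 e0 89 c2 83 c2 20 c7 00 00 00 00 00 83 c0 04 39 d0 75 f3
                    8b 54 24 28 8d 0c 24 e8 ?? ?? 00 00 c7 44 24 04 00 00 00 00 ff 34 24
                    e8 ?? ?? 00 00 89 c3 43 89 5c 24 08 ff 74 24 2c 68 00 00 00 00
                    68 ff 0f 1f 00 e8 ?? ?? 00 00 89 44 24 0c 83 7c 24 0c 00
                    0f 84 ?? ?? 00 00 68 04 00 00 00 68 00 10 00 00 ff 74 24 10
                    68 00 00 00 00 ff 74 24 1c }

        // Null-terminated ASCII strings. Only $a_00_1 is specific to this family; the
        // rest are environment/path tokens and are weight-1 supporting evidence only.
        // (The CJK text in the original conversion's comments was these ASCII bytes
        // mis-decoded as UTF-16LE; dropped.)
        $a_00_1 = { 78 63 6f 6e 66 69 67 2e 73 72 76 00 }                       // "xconfig.srv\0"        (weight 2)
        $a_00_2 = { 25 70 72 6f 67 72 61 6d 66 69 6c 65 73 25 00 }              // "%programfiles%\0"     (weight 1)
        $a_00_3 = { 25 64 65 73 6b 74 6f 70 25 00 }                             // "%desktop%\0"          (weight 1)
        $a_00_4 = { 25 6f 77 6e 64 61 74 61 25 00 }                             // "%owndata%\0"          (weight 1)
        $a_00_5 = { 25 73 79 73 74 65 6d 72 6f 6f 74 25 00 }                    // "%systemroot%\0"       (weight 1)
        $a_00_6 = { 25 73 79 73 74 65 6d 33 32 25 00 }                          // "%system32%\0"         (weight 1)
        $a_00_7 = { 5c 53 68 65 6c 6c 5c 4f 70 65 6e 5c 43 6f 6d 6d 61 6e 64 00 } // "\Shell\Open\Command\0" (weight 1)

    condition:
        // PEHSTR signatures are evaluated against PE files, so require the MZ header.
        // Then require the reconstructed score of >= 107: the code pattern (100) and
        // "xconfig.srv" (2) are both mandatory (100 + 6 = 106 without the latter), plus
        // at least five of the six weight-1 path tokens (100 + 2 + 5 = 107).
        // NOTE(review): the weight/threshold mapping is reconstructed from the converter's
        // output, not from a format specification; if it proves wrong, keep at minimum
        // `$a_02_0 and $a_00_1` -- never fall back to matching on the path tokens alone.
        uint16(0) == 0x5A4D and
        $a_02_0 and
        $a_00_1 and
        5 of ($a_00_2, $a_00_3, $a_00_4, $a_00_5, $a_00_6, $a_00_7)
}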