DefenderYara/Backdoor/Win32/FlyAgent/Backdoor_Win32_FlyAgent_E.yar


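rule Backdoor_Win32_FlyAgent_E
{
    meta:
        description = "Backdoor:Win32/FlyAgent.E,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0e 00 07 00 00 0a 00 "
        // Converted from a Microsoft Defender PEHSTR_EXT signature. The trailing
        // "0e 00 0e 00 07 00 00 0a 00" in the description appears to be the
        // signature's own header (presumably match thresholds / string count --
        // TODO confirm against the Defender format); the condition below does
        // not reproduce any such threshold, so this rule is looser than the
        // original detection.

    strings:
        // x86 code fragment. The `83 7d 0c 01` / `83 7d 0c 00` compares of
        // [ebp+0xc] against 1 and 0 look like a DllMain-style reason check,
        // followed by calls through pointers at 0x10003004 / 0x10003008 and a
        // pushad / call / popad stub (image base 0x10000000 -- confirm).
        // The `90 01 02 .. 90 00` sequences in the original dump are the Defender
        // byte-pattern encoding (2-byte wildcard / end marker), not literal
        // opcodes; left as literal bytes the string could never match, so they
        // are translated to YARA `??` here.
        $a_03_0 = { 55 8b ec 83 7d 0c 01 75 09 b8 01 00 00 00 c9 c2 0c 00
                    83 7d 0c 00 75 38
                    83 3d 04 30 00 10 00 74 06 ff 15 04 30 00 10
                    83 3d 08 30 00 10 00 74 0c ff 35 00 30 00 10 ff 15 08 30 00 10
                    83 3d 0c 30 00 10 00 74 0b ff 35 0c 30 00 10 e8 ?? ?? 00 00
                    c9 c2 0c 00 10 32 54 86
                    83 3d 10 30 00 10 00 75 07 60 e8 ?? ?? 00 00 61 } // weight 01 00

        // ".tmp\0 > \0net view \\\0Disk" -- NUL-separated string table fragment
        $a_00_1 = { 2e 74 6d 70 00 20 3e 20 00 6e 65 74 20 76 69 65 77 20 5c 5c 00
                    44 69 73 6b } // weight 01 00

        // "OPEN\0SeShutdownPrivilege" (the original annotation was mis-decoded
        // as UTF-16 CJK text)
        $a_00_2 = { 4f 50 45 4e 00 53 65 53 68 75 74 64 6f 77 6e 50 72 69 76 69 6c
                    65 67 65 } // weight 01 00

        // "Local Settings\History\History.IE5\" [up to 0x1a bytes] "mailto:\0"
        // `90 02 1a` in the dump is the Defender jump encoding, translated to
        // a YARA jump.
        $a_02_3 = { 4c 6f 63 61 6c 20 53 65 74 74 69 6e 67 73 5c 48 69 73 74 6f 72
                    79 5c 48 69 73 74 6f 72 79 2e 49 45 35 5c [0-26]
                    6d 61 69 6c 74 6f 3a 00 } // weight 01 00

        // "HARDWARE\DESCRIPTION\System\CentralProcessor\0\" [up to 0x20 bytes]
        // "mci command handling window"
        $a_02_4 = { 48 41 52 44 57 41 52 45 5c 44 45 53 43 52 49 50 54 49 4f 4e 5c
                    53 79 73 74 65 6d 5c 43 65 6e 74 72 61 6c 50 72 6f 63 65 73 73
                    6f 72 5c 30 5c [0-32]
                    6d 63 69 20 63 6f 6d 6d 61 6e 64 20 68 61 6e 64 6c 69 6e 67 20
                    77 69 6e 64 6f 77 } // weight 01 00

        // "$f%wh$" -- only 6 bytes; weak on its own
        $a_00_5 = { 24 66 25 77 68 24 } // weight 01 00

        // "image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel,
        //  application/vnd.ms-powerpoint, application/msword"
        // This is a generic HTTP Accept header value and also occurs in benign
        // software; matching on it alone is a false-positive risk.
        $a_00_6 = { 69 6d 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70 6c 69 63 61 74
                    69 6f 6e 2f 78 2d 73 68 6f 63 6b 77 61 76 65 2d 66 6c 61 73 68
                    2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d
                    65 78 63 65 6c 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e
                    64 2e 6d 73 2d 70 6f 77 65 72 70 6f 69 6e 74 2c 20 61 70 70 6c
                    69 63 61 74 69 6f 6e 2f 6d 73 77 6f 72 64 } // weight 00 00

    condition:
        // PEHSTR signatures target PE images, so gate on the MZ magic; this keeps
        // the low-specificity strings ($a_00_5, $a_00_6) from firing on arbitrary
        // files. `any of` is still a loose translation of the original signature
        // (see the meta note) -- tighten further if the threshold is recovered.
        uint16(0) == 0x5A4D and any of ($a_*)
}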