

/*
 * Backdoor:Win32/Kshell.A — rule converted from a Defender PEHSTR_EXT signature.
 *
 * The meta description carries the raw signature header verbatim. The "// NN 00"
 * trailer on every string is carried over from the export and looks like a
 * per-string weight; the condition below does not use it — a single matching
 * string fires the rule — so the intended threshold should be confirmed against
 * the extractor before treating this as a high-confidence detection.
 *
 * The "90 01 NN" / "90 00" runs inside the $a_02_* hex strings appear to be
 * encoding escapes from the source format rather than literal opcode bytes
 * (TODO confirm); they are reproduced unchanged here.
 */
rule Backdoor_Win32_Kshell_A
{
    meta:
        description = "Backdoor:Win32/Kshell.A,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 0a 00 00 04 00 "

    strings:
        // Code-pattern fragments, kept byte-for-byte from the export.
        $a_02_0 = { 3d a1 55 40 77 7f 56 74 2d 3d 90 01 04 74 14 3d 64 79 43 58 0f 85 90 01 02 00 00 90 00 } // 03 00
        $a_02_1 = { b8 04 00 00 00 b1 a7 30 88 90 01 04 40 3d 00 01 00 00 72 f2 90 00 } // 01 00
        $a_02_2 = { 3d 22 00 00 c0 75 90 01 01 8d 90 01 01 24 90 01 02 68 00 00 06 00 90 00 } // 01 00
        $a_02_3 = { 68 00 10 00 00 81 90 01 01 00 f0 ff ff 90 01 01 6a 00 6a 04 90 01 01 ff 15 90 00 } // 01 00
        $a_02_4 = { 0f b6 03 83 f8 0c 77 0c ff 24 85 90 01 02 40 00 90 00 } // 01 00

        // Plain-text artifacts, written as ASCII text strings (same bytes as the
        // hex form in the export; backslashes escaped per YARA syntax).
        $a_00_5 = "%s\\dllcache\\sethc.exe"   // 01 00  — accessibility binary path under the DLL cache
        $a_00_6 = "MyShell v"                 // 01 00
        $a_00_7 = "-infect"                   // 02 00
        $a_00_8 = "mnjcc.vicp.net"            // 01 00  — hostname string embedded in the sample
        $a_00_9 = "Software\\ntshell"         // 00 00  — registry subkey name

    condition:
        // Every string is in the $a_* family, so this is equivalent to any of ($a_*).
        any of them
}