DefenderYara/Backdoor/Win32/PcClient/Backdoor_Win32_PcClient_AC.yar


// Backdoor:Win32/PcClient.AC, auto-converted from a Microsoft Defender PEHSTR_EXT signature.
// The header bytes in the meta description (`05 00 05 00 0a 00 ...`) and the `//NN 00` comments
// next to each string are values carried over from the original signature; PEHSTR_EXT signatures
// are weighted / threshold-scored rather than "fire on any single string".
// NOTE(review): which entry each `//NN 00` weight belongs to (the preceding or the following
// string) is not recoverable from this file alone - confirm against the dumper before encoding
// the weights into the condition.
rule Backdoor_Win32_PcClient_AC{
meta:
description = "Backdoor:Win32/PcClient.AC,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 0a 00 00 05 00 "
strings :
// $a_02_* entries: ASCII fragments separated by `90 02 10` / `90 02 05` and terminated by `90 00`.
// NOTE(review): these separators look like Defender's wildcard-gap (jump) encoding, not literal
// bytes; if so, the pattern as written can never match a real sample and the separators need to
// be converted to YARA jumps (`[0-N]`) before the string is useful.
// Decoded fragments of $a_02_0: "http://%s:%d/%s%d%s", "index.asp?", "%s%s%s%s%s", "ServiceDll",
// "SYSTEM\", "%SystemRoot%\system32\", "sens", "wb", "sens.dll", "ServiceMain",
// "SensNotifyNetconEvent" - a C2 URL format string plus service-DLL persistence artifacts that
// borrow the name of the Windows SENS service.
$a_02_0 = {68 74 74 70 3a 2f 2f 25 73 3a 25 64 2f 25 73 25 64 25 73 90 02 10 69 6e 64 65 78 2e 61 73 70 3f 90 02 10 25 73 25 73 25 73 25 73 25 73 90 02 10 53 65 72 76 69 63 65 44 6c 6c 90 02 10 53 59 53 54 45 4d 5c 90 02 10 25 53 79 73 74 65 6d 52 6f 6f 74 25 5c 73 79 73 74 65 6d 33 32 5c 90 02 10 73 65 6e 73 90 02 10 77 62 90 02 10 73 65 6e 73 2e 64 6c 6c 90 02 10 53 65 72 76 69 63 65 4d 61 69 6e 90 02 10 53 65 6e 73 4e 6f 74 69 66 79 4e 65 74 63 6f 6e 45 76 65 6e 74 90 00 } //01 00
// $a_00_1 / $a_00_2 are family-specific names; $a_00_3 is a file-dialog filter string.
$a_00_1 = {52 65 67 53 72 63 76 } //01 00 RegSrcv
$a_00_2 = {4e 6f 72 6d 61 33 32 2e 64 6c 6c } //01 00 Norma32.dll
$a_00_3 = {28 2a 2e 65 78 65 29 7c 2a 2e 65 78 65 7c } //01 00 (*.exe)|*.exe|
// $a_00_4 / $a_00_5 are plain Win32 API import names and carry no family specificity on their own.
$a_00_4 = {53 68 65 6c 6c 45 78 65 63 75 74 65 41 } //01 00 ShellExecuteA
$a_00_5 = {43 72 65 61 74 65 53 65 72 76 69 63 65 41 } //03 00 CreateServiceA
// Decoded fragments of $a_02_6: "RegSrcv", "%s\TestWriteProtect.txt", "%s\autorun.inf"
// (removable-media write probe and autorun.inf drop; same gap-encoding caveat as $a_02_0).
$a_02_6 = {52 65 67 53 72 63 76 90 02 05 25 73 5c 54 65 73 74 57 72 69 74 65 50 72 6f 74 65 63 74 2e 74 78 74 90 02 05 25 73 5c 61 75 74 6f 72 75 6e 2e 69 6e 66 90 00 } //01 00
$a_00_7 = {52 65 63 79 63 6c 65 } //04 00 Recycle
// x86 code: 89 06 = mov [esi],eax; 0f 84 xx xx xx xx = jz rel32; 8b 45 08 = mov eax,[ebp+8];
// 3b c3 = cmp eax,ebx - a compare/branch chain over the three stack arguments ([ebp+8], [ebp+0c],
// [ebp+10]) that stores into an esi-based structure.
$a_01_8 = {89 06 0f 84 d7 00 00 00 8b 45 08 3b c3 0f 84 cc 00 00 00 8b 55 0c 3b d3 0f 84 c1 00 00 00 8d 48 01 89 56 1c 89 4e 18 88 5e 20 8a 08 6a 01 58 88 4e 22 d3 e0 89 5e 30 66 89 46 08 40 66 89 46 0a 8b 45 10 89 46 2c 8d 04 c5 1f 00 00 00 c1 e8 05 c1 e0 02 38 5d 18 } //01 00
// x86 code: c6 85 a4 fe ff ff 2e / ... 64 / ... 6c / ... 6c = mov byte ptr [ebp-0x15c+i], '.', 'd', 'l', 'l'
// - builds the string ".dll" on the stack one byte at a time, which keeps the literal out of the
// binary's string table.
$a_01_9 = {c6 85 a4 fe ff ff 2e c6 85 a5 fe ff ff 64 c6 85 a6 fe ff ff 6c c6 85 a7 fe ff ff 6c } //00 00
condition:
// NOTE(review): `any of ($a_*)` is far looser than the weighted threshold the source signature
// type implies. $a_00_4 (ShellExecuteA) or $a_00_5 (CreateServiceA) alone is enough to fire, and
// both are ordinary imports found in countless benign PE files - expect false positives unless
// the condition is tightened to require the family-specific strings ($a_00_1, $a_00_2, $a_02_*,
// $a_01_*) rather than any single generic one.
any of ($a_*)
}