
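// Converted from a Defender PEHSTR_EXT signature. The converter left the source
// format's escape bytes in two of the hex strings verbatim: every `90 01 04` sits
// exactly where x86 needs a 4-byte operand (after e8 call, 3b 05 cmp eax,[mem],
// ff 35 push [mem], ff 15 call [mem], 0f 85 jne rel32), and a trailing `90 00`
// closes only those two strings. Matched literally they can never hit real code,
// so they are rendered here as YARA wildcards and the terminator is dropped.
// NOTE(review): the `90 01 NN` = "skip NN bytes" reading is inferred from the
// opcode layout on this page — confirm against the converter before relying on it.
rule Backdoor_WinNT_Rustock_F
{
    meta:
        description = "Backdoor:WinNT/Rustock.F,SIGNATURE_TYPE_PEHSTR_EXT,15 00 0b 00 07 00 00 0a 00 "

    strings:
        // Trailing `//xx 00` comments are the per-string weights carried over
        // from the Defender signature; YARA does not evaluate them.

        // Small XOR-decode loop: shift count, then `xor [ecx], edx` / add ecx,4 / dec eax / jnz.
        $a_00_0 = { 83 c3 04 83 c0 f8 c1 e8 02 8b cb 74 08 31 11 83 c1 04 48 75 f8 } //0a 00

        // Function prologue followed by a call / cmp eax,[mem] / push [mem] / call [mem]
        // sequence; each `?? ?? ?? ??` replaces a source-format `90 01 04` operand wildcard.
        $a_02_1 = { 55 8b ec 56 8b 75 1c 85 f6 74 37 83 7e 04 00 74 31 e8 ?? ?? ?? ?? 3b 05 ?? ?? ?? ?? 74 24 ff 35 ?? ?? ?? ?? ff 76 04 ff 15 ?? ?? ?? ?? 59 50 ff 15 ?? ?? ?? ?? 85 c0 59 59 74 07 b8 01 00 00 c0 eb 26 } //09 00

        // cmp dword [esi], "RCPT" / jne rel32 / cmp dword [esi+4], " TO:" — the
        // immediates decode to the ASCII fragments `RCPT` and ` TO:`.
        $a_03_2 = { 81 3e 52 43 50 54 0f 85 ?? ?? ?? ?? 81 7e 04 20 54 4f 3a } //01 00

        // and dword [ebx],0 / mov dword [ebp+10h], 0xC0000034 (NTSTATUS-shaped constant).
        // Only 10 bytes and weight 1: weak on its own, see the condition note.
        $a_01_3 = { 83 23 00 c7 45 10 34 00 00 c0 } //01 00

        // UTF-16LE GUID-like identifiers; the bytes already encode the wide form,
        // so no `wide` modifier is needed. Decoded text follows each string.
        $a_00_4 = { 43 00 38 00 34 00 35 00 33 00 42 00 32 00 33 00 2d 00 31 00 30 00 38 00 37 00 2d 00 32 00 37 00 64 00 39 00 2d 00 31 00 33 00 39 00 34 00 2d 00 43 00 44 00 42 00 46 00 30 00 33 00 45 00 43 00 37 00 32 00 44 00 38 00 } //01 00 C8453B23-1087-27d9-1394-CDBF03EC72D8
        $a_00_5 = { 36 00 30 00 46 00 39 00 46 00 43 00 44 00 30 00 2d 00 38 00 44 00 44 00 34 00 2d 00 36 00 34 00 35 00 33 00 2d 00 45 00 33 00 39 00 34 00 2d 00 37 00 37 00 31 00 32 00 39 00 38 00 44 00 32 00 41 00 34 00 37 00 } //01 00 60F9FCD0-8DD4-6453-E394-771298D2A47
        $a_00_6 = { 35 00 42 00 33 00 37 00 46 00 42 00 33 00 42 00 2d 00 39 00 38 00 34 00 44 00 2d 00 31 00 45 00 35 00 37 00 2d 00 46 00 46 00 33 00 38 00 2d 00 41 00 41 00 36 00 38 00 31 00 42 00 45 00 35 00 43 00 38 00 44 00 } //00 00 5B37FB3B-984D-1E57-FF38-AA681BE5C8D

    condition:
        // Kept as in the source conversion. The Defender signature is weighted
        // (weights above; the header bytes in `description` presumably carry the
        // match threshold — TODO confirm its layout), so `any of` is deliberately
        // looser than the original and the short weight-1 strings can fire alone.
        // Treat single-string hits as low confidence when triaging.
        any of ($a_*)
}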