DefenderYara/TrojanSpy/Win32/Fankoob/TrojanSpy_Win32_Fankoob_A.yar


rule TrojanSpy_Win32_Fankoob_A
{
    // Detection for TrojanSpy:Win32/Fankoob.A, carried over from a Microsoft
    // Defender PEHSTR_EXT signature (the raw header bytes are kept in the
    // `description` meta field below).
    //
    // Every indicator is a run of ASCII hex digits that the sample stores as
    // UTF-16LE. Writing them as text strings with the `wide` modifier yields
    // exactly the byte sequences the original hex patterns spelled out
    // (e.g. "2F" -> 32 00 46 00), so matching is unchanged.
    meta:
        description = "TrojanSpy:Win32/Fankoob.A,SIGNATURE_TYPE_PEHSTR_EXT,3b 01 31 01 06 00 00 64 00 "

    strings:
        // The two bytes in each trailing comment are the values that followed
        // the pattern in the source signature (presumably per-string weights:
        // 64 00, 0a 00, 05 00, 00 00). NOTE(review): the condition below does
        // not enforce any weighted threshold, so a single hit on any token —
        // including the one annotated 00 00 — is enough to fire; confirm
        // against the original signature before using this rule for blocking.
        $a_01_0 = "2F1701101010060109" wide                                      // 64 00
        $a_01_1 = "7A808D7683DF76D15AEA28FD040B14F7020F44D326F1" wide            // 64 00
        $a_01_2 = "8A907C8491A9A1A47687829F66AD76AE7DBC4C0E14E136" wide          // 0a 00
        $a_01_3 = "94948C8E9466FF101A58BB45D629E12124332AE" wide                 // 05 00
        $a_01_4 = "1E1812F539CF3EEB3BC266C754D531D42DFE1CE42419FB1E" wide        // 05 00
        $a_01_5 = "E735D53DFC22EE15E22AE1221DE02AE936C74FDF57AE64" wide          // 00 00

    condition:
        // Any one of the six tokens above is sufficient.
        any of them
}