
/*
 * DefenderYara export of the Microsoft Defender signature
 * VirTool:Win32/DelfInject.gen!N (SIGNATURE_TYPE_PEHSTR_EXT).
 *
 * The meta description carries the untranslated PEHSTR_EXT header
 * ("1f 00 1f 00 05 00 00 0a 00") and the "//XX 00" trailer after each
 * string appears to be the engine's per-string weight. The condition
 * below is a flat "any of" and does not reproduce the weighted
 * threshold that header encodes, so this rule is broader than the
 * Defender original it was exported from.
 *
 * Points to check before using it for detection:
 *  - $a_00_1 is the ordinary Win32 import name GetModuleHandleA and
 *    $a_01_2 ("SETTINGS") is a generic name; with "any of", either one
 *    alone is a hit, so expect false positives on benign PE files.
 *  - The "90 01 NN" / "90 00" sequences inside $a_02_3 and $a_02_4
 *    look like the engine's wildcard/jump encoding rather than literal
 *    x86 bytes (NOTE(review): confirm against the DefenderYara
 *    converter). As written YARA searches for those bytes literally,
 *    so the two code patterns may never match a real sample.
 *  - Treat a match as a hunting lead to triage, not as a conviction.
 */
rule VirTool_Win32_DelfInject_gen_N{
meta:
description = "VirTool:Win32/DelfInject.gen!N,SIGNATURE_TYPE_PEHSTR_EXT,1f 00 1f 00 05 00 00 0a 00 "
strings :
// Plain ASCII API / resource names; low specificity on their own.
$a_01_0 = {46 72 65 65 52 65 73 6f 75 72 63 65 } //0a 00 FreeResource
$a_00_1 = {47 65 74 4d 6f 64 75 6c 65 48 61 6e 64 6c 65 41 } //0a 00 GetModuleHandleA
$a_01_2 = {53 45 54 54 49 4e 47 53 } //01 00 SETTINGS
// x86 code patterns. Both appear to be a byte-decoding loop that
// works on nibbles: "80 e3 0f" (and bl,0x0f), "80 e2 f0" (and dl,0xf0),
// "32 d8" / "32 c2" (xor) and "80 f3 0a" (xor bl,0x0a); the counter
// compare "83 fe 03 7e 05 be 01 00 00 00" cycles an index 1..3. Together
// with FreeResource/SETTINGS this suggests a routine that decodes a
// payload stored as a named resource -- presumably; verify on a sample.
// "90 01 04", "90 01 01" and "90 00" inside the pattern are probably
// wildcard markers, not instruction bytes (see header comment).
$a_02_3 = {8b 45 fc 8a 5c 38 ff 80 e3 0f b8 90 01 04 8a 44 30 ff 24 0f 32 d8 80 f3 0a 8d 45 fc e8 90 01 04 8b 55 fc 8a 54 3a ff 80 e2 f0 02 d3 88 54 38 ff 46 83 fe 03 7e 05 be 01 00 00 00 47 ff 4d f4 75 bd 90 00 } //01 00
$a_02_4 = {8b 45 fc 8a 44 18 ff 24 0f 8b 55 90 01 01 8a 54 32 ff 80 e2 0f 32 c2 88 45 90 01 01 8d 45 90 01 01 e8 90 01 04 8b 55 90 01 01 8a 54 1a ff 80 e2 f0 8a 4d 90 01 01 02 d1 88 54 18 ff 46 90 00 } //00 00
condition:
// Fires on any single string, including the generic API name above;
// the original signature's threshold (0x1f in the meta header) is not
// reproduced here.
any of ($a_*)
}