
// Detection rule for VirTool:Win32/Redosdru.A. The strings below reference
// "Gh0st RAT" and a gh0st.pdb build path, so the sample family is a Gh0st RAT
// component (the "A server has successfully been created!" text suggests the
// builder/controller side — TODO confirm against a sample).
// Converted from a Microsoft Defender PEHSTR_EXT signature: the meta description
// carries the original signature header bytes, and each string's trailing
// "//01 00" comment appears to be its per-string weight from that signature —
// confirm against the converter before relying on it.
rule VirTool_Win32_Redosdru_A{
meta:
description = "VirTool:Win32/Redosdru.A,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 01 00 "
strings :
// $a_01_0..$a_01_3 are hex encodings of UTF-16LE (wide) text; $a_01_4 is ASCII.
// The decoded text is given in each trailing comment.
$a_01_0 = {47 00 68 00 30 00 73 00 74 00 20 00 52 00 41 00 54 00 } //01 00 Gh0st RAT
$a_01_1 = {47 00 48 00 30 00 53 00 54 00 43 00 25 00 73 00 47 00 48 00 30 00 53 00 54 00 43 00 } //01 00 GH0STC%sGH0STC
// Generic wording; on its own this string is a weak indicator.
$a_01_2 = {25 00 73 00 20 00 2d 00 20 00 4b 00 65 00 79 00 20 00 4c 00 6f 00 67 00 67 00 65 00 72 00 } //01 00 %s - Key Logger
// Generic wording; on its own this string is a weak indicator.
$a_01_3 = {41 00 20 00 73 00 65 00 72 00 76 00 65 00 72 00 20 00 68 00 61 00 73 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 66 00 75 00 6c 00 6c 00 79 00 20 00 62 00 65 00 65 00 6e 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 64 00 21 00 } //01 00 A server has successfully been created!
// PDB path embedded in the binary; the most specific indicator in this rule.
$a_01_4 = {65 3a 5c 6a 6f 62 5c 67 68 30 73 74 5c 52 65 6c 65 61 73 65 5c 67 68 30 73 74 2e 70 64 62 } //00 00 e:\job\gh0st\Release\gh0st.pdb
condition:
// NOTE(review): `any of` fires on a single match, so one hit on a generic
// string such as $a_01_2 or $a_01_3 is enough to flag a file, which may
// produce false positives on unrelated software that logs similar messages.
// The original signature header ("05 00 05 00 ...") and the uniform 01 00
// weights look like a threshold that may have required more than one string;
// confirm whether a stricter condition (e.g. a count of matched strings) was
// intended — TODO confirm with the converter's threshold handling.
any of ($a_*)
}