qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/TrojanDownloader/Linux/Ursnif/TrojanDownloader_Linux_Ursn...

37 lines
3.0 KiB
Plaintext
Raw Blame History

rule TrojanDownloader_Linux_Ursnif_A{
meta:
description = "TrojanDownloader:Linux/Ursnif.A,SIGNATURE_TYPE_MACROHSTR_EXT,07 00 07 00 03 00 00 05 00 "
strings :
$a_01_0 = {67 6f 64 6d 6d 77 2f 70 68 22 29 } //01 00
$a_01_1 = {3d 20 33 0d 0a 45 6e 64 20 46 75 6e 63 74 69 6f 6e } //01 00
$a_03_2 = {28 29 20 41 73 20 56 61 72 69 61 6e 74 90 02 6b 3d 20 41 72 72 61 79 28 90 05 40 07 41 2d 5a 61 2d 7a 2e 28 22 90 05 80 04 20 2c 2d 7a 22 29 90 02 18 2c 20 90 1b 01 28 22 90 05 80 04 20 2c 2d 7a 22 29 2c 20 90 00 } //00 00
condition:
any of ($a_*)
}
rule TrojanDownloader_Linux_Ursnif_A_2{
meta:
description = "TrojanDownloader:Linux/Ursnif.A,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 02 00 00 02 00 "
strings :
$a_03_0 = {41 74 74 72 69 62 75 74 65 20 56 42 5f 4e 61 6d 65 20 3d 20 22 90 02 12 50 75 62 6c 69 63 20 46 75 6e 63 74 69 6f 6e 20 90 05 10 06 41 2d 5a 61 2d 7a 28 42 79 56 61 6c 20 90 05 10 06 41 2d 5a 61 2d 7a 20 41 73 20 53 74 72 69 6e 67 2c 20 42 79 56 61 6c 20 90 05 10 06 41 2d 5a 61 2d 7a 20 41 73 20 53 74 72 69 6e 67 29 20 41 73 20 53 74 72 69 6e 67 90 02 40 46 6f 72 20 90 05 10 06 41 2d 5a 61 2d 7a 20 3d 20 90 05 10 06 41 2d 5a 61 2d 7a 20 54 6f 20 90 05 10 06 41 2d 5a 61 2d 7a 2e 90 05 10 06 41 2d 5a 61 2d 7a 28 22 90 1d 25 00 22 2c 20 90 1b 02 29 90 02 04 90 1b 01 20 3d 20 90 1b 07 2e 90 05 10 06 41 2d 5a 61 2d 7a 28 22 90 1d 25 00 22 2c 20 90 1b 01 2c 90 00 } //01 00
$a_03_1 = {49 66 20 4e 6f 74 20 90 05 10 06 41 2d 5a 61 2d 7a 2e 90 1d 18 00 28 90 1d 18 00 2c 20 22 90 04 02 09 30 2d 39 41 2d 5a 61 2d 7a 90 1d 20 00 22 2c 90 00 } //00 00
$a_00_2 = {8f 98 } //01 00
condition:
any of ($a_*)
}
rule TrojanDownloader_Linux_Ursnif_A_3{
meta:
description = "TrojanDownloader:Linux/Ursnif.A,SIGNATURE_TYPE_MACROHSTR_EXT,07 00 07 00 03 00 00 05 00 "
strings :
$a_03_0 = {45 6e 64 20 53 75 62 0d 0a 50 72 69 76 61 74 65 20 46 75 6e 63 74 69 6f 6e 20 90 05 18 06 41 2d 5a 61 2d 7a 28 29 20 41 73 20 53 74 72 69 6e 67 0d 0a 90 1b 00 20 3d 20 90 05 18 06 41 2d 5a 61 2d 7a 2e 90 05 18 06 41 2d 5a 61 2d 7a 28 22 90 05 80 04 20 2c 2d 7a 22 2c 20 22 90 05 10 04 20 2c 2d 7a 22 29 0d 0a 45 6e 64 20 46 75 6e 63 74 69 6f 6e 0d 0a 50 72 69 76 61 74 65 20 46 75 6e 63 74 69 6f 6e 20 90 05 18 06 41 2d 5a 61 2d 7a 28 29 20 41 73 20 53 74 72 69 6e 67 0d 0a 90 1b 06 20 3d 20 90 1b 02 2e 90 1b 03 28 22 90 05 80 04 20 2c 2d 7a 22 2c 20 22 90 05 10 04 20 2c 2d 7a 22 29 0d 0a 90 02 80 3d 20 90 1b 02 2e 90 1b 03 28 22 90 02 ff 3d 20 90 1b 02 2e 90 1b 03 28 22 90 00 } //01 00
$a_03_1 = {28 29 20 41 73 20 56 61 72 69 61 6e 74 90 02 18 3d 20 41 72 72 61 79 28 90 05 18 06 41 2d 5a 61 2d 7a 2e 90 05 18 06 41 2d 5a 61 2d 7a 28 22 90 05 80 04 20 2c 2d 7a 22 2c 20 22 90 05 10 04 20 2c 2d 7a 22 29 90 02 18 2c 20 90 1b 01 2e 90 1b 02 28 22 90 05 80 04 20 2c 2d 7a 22 2c 20 22 90 05 10 04 20 2c 2d 7a 22 29 90 02 60 2c 20 90 1b 01 2e 90 1b 02 28 22 90 05 80 04 20 2c 2d 7a 22 2c 20 22 90 05 10 04 20 2c 2d 7a 22 29 90 00 } //01 00
$a_01_2 = {3d 20 33 0d 0a 45 6e 64 20 46 75 6e 63 74 69 6f 6e } //00 00
condition:
any of ($a_*)
}
Reference in New Issue View Git Blame Copy Permalink