// TrojanDownloader:Win16/Donoff -- Office macro (VBA) downloader signature,
// auto-converted from a Microsoft Defender SIGNATURE_TYPE_MACROHSTR_EXT entry.
// Every $a_01_* hex string is plain ASCII: a fragment of obfuscated VBA that
// rebuilds "WScript.Shell", "Microsoft.XMLHTTP", "GET" and a dropped .exe
// path from Chr()/UCase()/LCase() pieces. Each is decoded in the comment above it.
//
// Caveats before using this as a standalone YARA rule:
//  - The per-string "//NN 00" trailers and the "0e 00 0e 00 0a 00 ..." header in
//    the description look like Defender's per-string weights and match threshold;
//    the "any of" condition below ignores them and is therefore much looser than
//    the original detection logic (single-string hits should be triaged, not
//    treated as confirmed).
//  - Defender matches these against extracted macro source. Run the rule on
//    decompressed VBA text (e.g. an olevba dump), not on the raw OLE/OOXML
//    container, where the module streams are compressed.
//  - $a_03_2 embeds Defender's own "90 04 .." / "90 00" wildcard encoding, which
//    YARA treats as literal bytes, so that string cannot match real macro text.
//  - $a_00_10 is a 5-byte non-text pattern of unknown origin; combined with
//    "any of" it is a likely false-positive source and should be reviewed or
//    dropped before deployment.
rule TrojanDownloader_Win16_Donoff{
meta:
description = "TrojanDownloader:Win16/Donoff,SIGNATURE_TYPE_MACROHSTR_EXT,0e 00 0e 00 0a 00 00 05 00 "
strings :
// "Variabl & Chr(fromArr(i) - LenLen - 4 * LenLen - 3312)"
// -- per-character Chr() decoding loop over an integer array (string deobfuscation)
$a_01_0 = {56 61 72 69 61 62 6c 20 26 20 43 68 72 28 66 72 6f 6d 41 72 72 28 69 29 20 2d 20 4c 65 6e 4c 65 6e 20 2d 20 34 20 2a 20 4c 65 6e 4c 65 6e 20 2d 20 33 33 31 32 29 } //05 00
// ".Open "GE" + UCase(Chr(TOTO)),"
// -- HTTP verb built piecewise; presumably "GET" (TOTO is not in the signature)
$a_01_1 = {2e 4f 70 65 6e 20 22 47 45 22 20 2b 20 55 43 61 73 65 28 43 68 72 28 54 4f 54 4f 29 29 2c } //04 00
// " = Array(" followed by five Defender wildcard tokens (90 04 04 03 30 2d 39, read as
// "a short run of digits 0-9") each followed by ", ", then a 90 00 terminator.
// NOTE(review): this is Defender's internal encoding, not YARA syntax -- in YARA these
// bytes are literal and the string will not match the integer array it targets.
$a_03_2 = {20 3d 20 41 72 72 61 79 28 90 04 04 03 30 2d 39 2c 20 90 04 04 03 30 2d 39 2c 20 90 04 04 03 30 2d 39 2c 20 90 04 04 03 30 2d 39 2c 20 90 04 04 03 30 2d 39 2c 90 00 } //05 00
// "newYz + "\" + "coloc" + LCase(counter) + "exe""
// -- builds the drop path "<dir>\coloc<n>exe" (the "." is presumably supplied by counter)
$a_01_3 = {6e 65 77 59 7a 20 2b 20 22 5c 22 20 2b 20 22 63 6f 6c 6f 63 22 20 2b 20 4c 43 61 73 65 28 63 6f 75 6e 74 65 72 29 20 2b 20 22 65 78 65 22 } //05 00
// "CreateObject("W" + DB411 + "cript" + DB400 + DB411 + "hell").Environment("Pr" + LCase(DB403) + "ce" + LCase(DB411) + LCase(DB411))"
// -- split-string WScript.Shell and .Environment("Process") lookup (DBxxx values are not in the signature)
$a_01_4 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 22 20 2b 20 44 42 34 31 31 20 2b 20 22 63 72 69 70 74 22 20 2b 20 44 42 34 30 30 20 2b 20 44 42 34 31 31 20 2b 20 22 68 65 6c 6c 22 29 2e 45 6e 76 69 72 6f 6e 6d 65 6e 74 28 22 50 72 22 20 2b 20 4c 43 61 73 65 28 44 42 34 30 33 29 20 2b 20 22 63 65 22 20 2b 20 4c 43 61 73 65 28 44 42 34 31 31 29 20 2b 20 4c 43 61 73 65 28 44 42 34 31 31 29 29 } //05 00
// " + Chr(90 + 2) + "codakes" + Chr(50 - 4) + "exe""
// -- Chr(92) is "\" and Chr(46) is ".", giving the drop name "\codakes.exe"
$a_01_5 = {20 2b 20 43 68 72 28 39 30 20 2b 20 32 29 20 2b 20 22 63 6f 64 61 6b 65 73 22 20 2b 20 43 68 72 28 35 30 20 2d 20 34 29 20 2b 20 22 65 78 65 22 } //05 00
// "Set Bitmap1 = CreateObject(DB422 + "icrosoft." + DB400 + "" + DB422 + "LH" + "" + "TTP")"
// -- split-string Microsoft.XMLHTTP instantiation
$a_01_6 = {53 65 74 20 42 69 74 6d 61 70 31 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 44 42 34 32 32 20 2b 20 22 69 63 72 6f 73 6f 66 74 2e 22 20 2b 20 44 42 34 30 30 20 2b 20 22 22 20 2b 20 44 42 34 32 32 20 2b 20 22 4c 48 22 20 2b 20 22 22 20 2b 20 22 54 54 50 22 29 } //05 00
// "Bitmap1.Open Chr(81 - 10) + "E" + UCase(Chr(101 + 10 + 5)),"
// -- Chr(71) is "G", UCase(Chr(116)) is "T": the HTTP verb "GET"
$a_01_7 = {42 69 74 6d 61 70 31 2e 4f 70 65 6e 20 43 68 72 28 38 31 20 2d 20 31 30 29 20 2b 20 22 45 22 20 2b 20 55 43 61 73 65 28 43 68 72 28 31 30 31 20 2b 20 31 30 20 2b 20 35 29 29 2c } //07 00
// "CreateObject(UCase("m") + "icrosof" + LCase(errorMsg) + ".XMLH" + errorMsg + errorMsg + "P")"
// -- Microsoft.XMLHTTP when errorMsg holds "T" (a second obfuscation variant of $a_01_6)
$a_01_8 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 55 43 61 73 65 28 22 6d 22 29 20 2b 20 22 69 63 72 6f 73 6f 66 22 20 2b 20 4c 43 61 73 65 28 65 72 72 6f 72 4d 73 67 29 20 2b 20 22 2e 58 4d 4c 48 22 20 2b 20 65 72 72 6f 72 4d 73 67 20 2b 20 65 72 72 6f 72 4d 73 67 20 2b 20 22 50 22 29 } //07 00
// ".Open Chr(Asc("H") - 1) + UCase(arguments) + errorMsg, UtilsAssertToken(homebrew, 45), False"
// -- Chr(71) is "G"; the verb is rebuilt from variables, URL comes from UtilsAssertToken(), third arg False
$a_01_9 = {2e 4f 70 65 6e 20 43 68 72 28 41 73 63 28 22 48 22 29 20 2d 20 31 29 20 2b 20 55 43 61 73 65 28 61 72 67 75 6d 65 6e 74 73 29 20 2b 20 65 72 72 6f 72 4d 73 67 2c 20 55 74 69 6c 73 41 73 73 65 72 74 54 6f 6b 65 6e 28 68 6f 6d 65 62 72 65 77 2c 20 34 35 29 2c 20 46 61 6c 73 65 } //00 00
// Non-text 5-byte pattern (cf 18 00 00 10); not decodable as VBA, origin unclear.
// NOTE(review): too short to be a reliable indicator on its own under "any of".
$a_00_10 = {cf 18 00 00 10 } //93 a6
condition:
// Looser than the weighted Defender threshold this was converted from (see header comment).
any of ($a_*)
}