
// Detection rule for TrojanSpy:Win32/Ursnif.gen!K, carried over from a
// Microsoft Defender PEHSTR_EXT signature. The conversion keeps the original
// signature header in `description` and the per-string values as trailing
// `//NN 00` comments; only the hex patterns and the `any of` condition are
// evaluated by YARA.
rule TrojanSpy_Win32_Ursnif_gen_K{
meta:
// Header fields of the source signature, kept verbatim. The `10 00` field
// agrees with the 16 strings declared below; the other fields are presumably
// the signature's match threshold/flags — verify against the Defender
// signature format before relying on them.
description = "TrojanSpy:Win32/Ursnif.gen!K,SIGNATURE_TYPE_PEHSTR_EXT,05 00 04 00 10 00 00 03 00 "
strings :
// $a_01_* / $a_03_* are raw byte patterns (code fragments); $a_00_* are ASCII
// data strings written as hex. The `//NN 00` trailers are copied from the
// source signature; they look like per-string weights and are NOT used by the
// condition below.
//
// $a_01_0 and $a_01_7 are the same instruction sequence with the source and
// destination registers swapped: a displacement is computed (2b c6 / 83 e8 05),
// stored at offset 1, and an 0xE9 byte is written in front of it
// (c6 06 e9 / c6 07 e9) — presumably x86 and presumably an inline jump patch
// being installed; confirm by disassembly.
$a_01_0 = {8b 47 14 2b c6 83 e8 05 89 46 01 c6 06 e9 89 77 14 } //03 00
// Compares against the ASCII immediates "GET " (47 45 54 20), "PUT "
// (50 55 54 20) and "POST" (50 4f 53 54).
// NOTE(review): the `90 01 01` and `90 00` bytes between the compares look
// like the Defender wildcard/terminator encoding rather than literal code
// bytes; if so, this pattern can only match once they are replaced by `??`
// wildcards — confirm against the converter.
$a_03_1 = {3d 47 45 54 20 74 90 01 01 3d 50 55 54 20 74 90 01 01 3d 50 4f 53 54 90 00 } //03 00
// Loads a dword through two pointers and compares it with "HTTP"
// (48 54 54 50) and then "POST" (50 4f 53 54); no wildcards involved.
$a_01_2 = {8b 43 18 8b 00 3d 48 54 54 50 74 0b 3d 50 4f 53 54 } //03 00
// Variant of $a_01_2 that compares a different register (81 f9 ...) against
// the same "HTTP" / "POST" immediates.
$a_01_3 = {8b 47 18 8b 08 81 f9 48 54 54 50 74 0c 81 f9 50 4f 53 54 } //03 00
// Compares a dword in memory against "chun" (63 68 75 6e) and sets a flag
// bit (83 4e 10 02) when it matches.
$a_01_4 = {81 38 63 68 75 6e 75 04 83 4e 10 02 8b c6 } //03 00
// Compares against the NUL-terminated immediates "FF:" (46 46 3a 00),
// "AL:" (41 4c 3a 00) and "IE:" (49 45 3a 00).
$a_01_5 = {3d 46 46 3a 00 75 0a 83 f9 02 75 1e 83 c6 03 eb 1e 3d 41 4c 3a 00 74 f4 3d 49 45 3a 00 } //03 00
// Loop body with a counter-driven rotate (d3 c0), two xors (33 c6, 33 45 0c)
// and a 4-byte store (89 32 / 83 c2 04) — presumably a decode or hash loop;
// unverified.
$a_01_6 = {43 8a cb d3 c0 33 c6 33 45 0c 8b f0 89 32 83 c2 04 ff 4d 08 75 d3 } //03 00
// Register-swapped twin of $a_01_0 (see the note there) followed by extra
// bookkeeping stores and a compare against 0x40.
$a_01_7 = {8b 46 14 2b c7 83 e8 05 89 47 01 c6 07 e9 89 7e 14 8b 45 08 89 78 0c 83 7d 14 40 } //03 00
// Looks like nibble-to-hex-digit conversion: compare with 9 (80 f9 09), add
// 0x30 ('0') (80 c2 30), write two bytes and advance — hedged, not verified.
$a_01_8 = {80 f9 09 0f 9e c2 fe ca 80 e2 07 80 c2 30 02 d1 88 18 88 50 01 46 40 40 } //01 00
// ASCII: "user_id=%.4u&version_id=%lu&socks=%lu&build=%lu&crc=%.8x"
$a_00_9 = {75 73 65 72 5f 69 64 3d 25 2e 34 75 26 76 65 72 73 69 6f 6e 5f 69 64 3d 25 6c 75 26 73 6f 63 6b 73 3d 25 6c 75 26 62 75 69 6c 64 3d 25 6c 75 26 63 72 63 3d 25 2e 38 78 } //01 00
// ASCII: "newgrab\0grabs=\0"
$a_00_10 = {6e 65 77 67 72 61 62 00 67 72 61 62 73 3d 00 } //01 00
// ASCII: "dl_exe\0\0dl_exe_st\0"
$a_00_11 = {64 6c 5f 65 78 65 00 00 64 6c 5f 65 78 65 5f 73 74 00 } //01 00
// ASCII: "URL: %s\r\nuser=%s\r\npass=%s\0"
$a_00_12 = {55 52 4c 3a 20 25 73 0d 0a 75 73 65 72 3d 25 73 0d 0a 70 61 73 73 3d 25 73 00 } //01 00
// ASCII: "NEWGRAB\0SCREENSHOT\0\0PROCESS\0HIDDEN\0"
$a_00_13 = {4e 45 57 47 52 41 42 00 53 43 52 45 45 4e 53 48 4f 54 00 00 50 52 4f 43 45 53 53 00 48 49 44 44 45 4e 00 } //01 00
// ASCII: "data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s"
$a_00_14 = {64 61 74 61 2e 70 68 70 3f 76 65 72 73 69 6f 6e 3d 25 75 26 75 73 65 72 3d 25 30 38 78 25 30 38 78 25 30 38 78 25 30 38 78 26 73 65 72 76 65 72 3d 25 75 26 69 64 3d 25 75 26 74 79 70 65 3d 25 75 26 6e 61 6d 65 3d 25 73 } //01 00
// ASCII: "/upd %lu\0" — very short; see the condition note below.
$a_00_15 = {2f 75 70 64 20 25 6c 75 00 } //00 00
condition:
// A single string hit is enough to match. This discards whatever weighting
// the `//NN 00` trailers encoded, so a short, generic pattern such as
// $a_00_15 ("/upd %lu") matches on its own — expect more false positives than
// the source signature. Treat as a hunting rule, or add a weighted/threshold
// condition once the header semantics in `description` have been confirmed.
any of ($a_*)
}