DefenderYara/Worm/Win32/Macoute/Worm_Win32_Macoute_A.yar


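// Worm:Win32/Macoute.A — converted from a Microsoft Defender PEHSTR_EXT signature.
// The header in `description` reads "02 00 02 00 06 00 ...": six strings, each
// carrying weight 01 00 (the trailing "//01 00" comments). NOTE(review): if the
// leading 02 00 words are the match threshold, the Defender signature requires
// two of the six strings, while `any of` below fires on a single one — a looser
// rule that will produce more false positives than the original; confirm against
// the converter before tightening to a weighted ">= 2" condition.
rule Worm_Win32_Macoute_A{
	meta:
		description = "Worm:Win32/Macoute.A,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 06 00 00 01 00 "
	strings :
		// Plain-text fragments: "apo5\0" "%s\win\0" "%s\msn.exe\0" "RegK not " —
		// format strings for a dropped copy (msn.exe under a "win" folder) and a
		// registry error message.
		$a_00_0 = {61 70 6f 35 00 25 73 5c 77 69 6e 00 25 73 5c 6d 73 6e 2e 65 78 65 00 52 65 67 4b 20 6e 6f 74 20 } //01 00
		// "/ecoute/spool/%s-%lu\0%s\iosystem" — a server-side path template plus a
		// local path fragment; "ecoute" is where the family name comes from.
		$a_00_1 = {2f 65 63 6f 75 74 65 2f 73 70 6f 6f 6c 2f 25 73 2d 25 6c 75 00 25 73 5c 69 6f 73 79 73 74 65 6d } //01 00
		// "MSN;%s;%s;%s\n" ... "HOLD;%s\r\n" "QUIT" "%d|%s|%lu|" — line-oriented
		// command/report format strings (C2 protocol; exact semantics not shown here).
		$a_00_2 = {4d 53 4e 3b 25 73 3b 25 73 3b 25 73 0a 00 00 00 00 48 4f 4c 44 3b 25 73 0d 0a 00 51 55 49 54 00 25 64 7c 25 73 7c 25 6c 75 7c } //01 00
		// XOR-0x2a obfuscated string, '*' (0x2a) terminated. XORing each byte with 0x2a
		// gives "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" — the classic
		// per-user/per-machine autostart key. The decoder is $a_01_4 below.
		$a_00_3 = {79 65 6c 7e 7d 6b 78 6f 76 67 43 49 58 45 59 45 4c 5e 76 7d 43 44 4e 45 5d 59 76 69 5f 58 58 4f 44 5e 7c 4f 58 59 43 45 44 76 78 5f 44 2a 00 00 } //01 00
		// In-place string decoder (x86):
		//   mov edx,[esp+4] ; xor eax,eax
		//   cmp byte [edx],0x2a ; je done
		//   loop: xor byte [edx+eax],0x2a ; inc eax ; cmp byte [edx+eax],0x2a ; jmp loop
		//   done: xor byte [edx+eax],0x2a ; ret
		// Walks the buffer XORing every byte with 0x2a until it meets the '*'
		// terminator, which the final xor turns into the NUL byte.
		$a_01_4 = {8b 54 24 04 31 c0 80 3a 2a 74 0b 80 34 02 2a 40 80 3c 02 2a eb f3 80 34 02 2a c3 } //01 00
		// Stack-built obfuscated string: mov eax,esp followed by a run of
		// "mov byte [esp+disp8], imm8" (c6 44 <SIB> <disp8> <imm8>), then push eax ; call.
		// The immediates 5a 45 5c 1f 18 1a 1a 13 XOR 0x2a decode to "pov52009", with
		// the 0x2a terminator written last before the call.
		// Fix vs. the converted original: the source signature's wildcard markers
		// "90 01 02" (skip two bytes — the SIB and disp8 of each store) and the
		// "90 00" end-of-pattern marker had been left in the hex string as literal
		// bytes, so the pattern could never match real code. They are now YARA
		// "?? ??" wildcards and the terminator is dropped.
		$a_03_5 = {89 e0 c6 44 ?? ?? 5a c6 44 ?? ?? 45 c6 44 ?? ?? 5c c6 44 ?? ?? 1f c6 44 ?? ?? 18 c6 44 ?? ?? 1a c6 44 ?? ?? 1a c6 44 ?? ?? 13 c6 44 ?? ?? 2a 50 e8 } //00 00
	condition:
		// See the header note: a single string is enough here, which is looser than
		// the 2-of-6 the Defender header appears to encode. Expect $a_00_3 and
		// $a_01_4 (a generic XOR-0x2a decoder and its output) to be the weakest
		// stand-alone indicators when triaging hits.
		any of ($a_*)
}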