qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/Worm/Win32/Vobfus/Worm_Win32_Vobfus_gen_B.yar

13 lines
1.0 KiB
Plaintext
Raw Blame History

rule Worm_Win32_Vobfus_gen_B{
meta:
description = "Worm:Win32/Vobfus.gen!B,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 03 00 00 01 00 "
strings :
$a_02_0 = {f5 3c 00 00 00 04 90 01 02 0a 90 01 04 04 90 01 02 fb ef 90 01 02 f5 50 00 00 00 04 90 01 02 0a 90 01 04 04 90 01 02 fb ef 90 01 02 f5 41 00 00 00 04 90 01 02 0a 90 01 04 04 90 01 02 fb ef 90 01 02 f5 54 00 00 00 04 90 01 02 0a 90 01 04 04 90 01 02 fb ef 90 01 02 f5 43 00 00 00 0b 90 01 04 46 90 01 02 fb ef 90 01 02 f5 48 00 00 00 90 00 } //01 00
$a_02_1 = {f5 3c 00 00 00 0b 90 01 04 46 90 01 02 fb ef 90 01 02 f5 50 00 00 00 0b 90 01 04 46 90 01 02 fb ef 90 01 02 f5 41 00 00 00 04 90 01 02 0a 90 01 04 04 90 01 02 fb ef 90 01 02 f5 54 00 00 00 04 90 01 02 0a 90 01 04 04 90 01 02 fb ef 90 01 02 f5 43 00 00 00 0b 90 01 04 46 90 01 02 fb ef 90 01 02 f5 48 00 00 00 90 00 } //01 00
$a_02_2 = {f5 00 00 00 00 f5 40 00 00 00 3e 90 01 02 46 90 01 02 04 90 01 02 0a 90 01 04 04 90 01 02 60 31 90 01 02 2f 90 01 02 36 90 01 06 00 90 01 01 1b 90 02 05 f4 02 90 00 } //00 00
condition:
any of ($a_*)
}
Reference in New Issue View Git Blame Copy Permalink