MALW_Hsdfihdf_banking.yar
1.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Hsdfihdf: banking malware
{
meta:
author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
date = "2014-04-06"
description = "Polish banking malware"
hash0 = "db1675c74a444fd35383d9a45631cada"
hash1 = "f48ba39df38056449a3e9a1a7289f657"
filetype = "exe"
strings:
$s0 = "ANSI_CHARSET"
$s1 = "][Vee_d_["
$s2 = "qfcD:6<"
$s3 = "%-%/%1%3%5%7%9%;%"
$s4 = "imhzxsc\\WWKD<.)w"
$s5 = "Vzlarf\\]VOZVMskf"
$s6 = "JKWFAp\\Z"
$s7 = "<aLLwhg"
$s8 = "bdLeftToRight"
$s9 = "F/.pTC7"
$s10 = "O><8,)-$ "
$s11 = "mjeUB>D.'8)5\\\\vhe["
$s12 = "JGiVRk[W]PL("
$s13 = "zwWNNG:8"
$s14 = "zv7,'$"
$a0 = "#hsdfihdf"
$a1 = "polska.irc.pl"
$b0 = "firehim@o2.pl"
$b1 = "firehim@go2.pl"
$b2 = "firehim@tlen.pl"
$c0 = "cyberpunks.pl"
$c1 = "kaper.phrack.pl"
$c2 = "serwer.uk.to"
$c3 = "ns1.ipv4.hu"
$c4 = "scorebot.koth.hu"
$c5 = "esopoland.pl"
condition:
14 of ($s*) or all of ($a*) or 1 of ($b*) or 2 of ($c*)
}