Create Hsdfihdf.yar

malware/Hsdfihdf.yar

+rule Hsdfihdf
+{
+meta:
+	author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
+	date = "2014-04-06"
+	description = "Polish banking malware"
+	hash0 = "db1675c74a444fd35383d9a45631cada"
+	hash1 = "f48ba39df38056449a3e9a1a7289f657"
+	filetype = "exe"
+strings:
+	$s0 = "ANSI_CHARSET"
+	$s1 = "][Vee_d_["
+	$s2 = "qfcD:6<"
+	$s3 = "%-%/%1%3%5%7%9%;%"
+	$s4 = "imhzxsc\\WWKD<.)w"
+	$s5 = "Vzlarf\\]VOZVMskf"
+	$s6 = "JKWFAp\\Z"
+	$s7 = "<aLLwhg"
+	$s8 = "bdLeftToRight"
+	$s9 = "F/.pTC7"
+	$s10 = "O><8,)-$ "
+	$s11 = "mjeUB>D.'8)5\\\\vhe["
+	$s12 = "JGiVRk[W]PL("
+	$s13 = "zwWNNG:8"
+	$s14 = "zv7,'$"
+	$a0 = "#hsdfihdf"
+	$a1 = "polska.irc.pl"
+	$b0 = "firehim@o2.pl"
+	$b1 = "firehim@go2.pl"
+	$b2 = "firehim@tlen.pl"
+	$c0 = "cyberpunks.pl"
+	$c1 = "kaper.phrack.pl"
+	$c2 = "serwer.uk.to"
+	$c3 = "ns1.ipv4.hu"
+	$c4 = "scorebot.koth.hu"
+	$c5 = "esopoland.pl"
+condition:
+	14 of ($s*) or all of ($a*) or 1 of ($b*) or 2 of ($c*)
+}