/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule universal_1337_stealer_serveur : Stealer { meta: author="Kevin Falcoz" date="24/02/2013" description="Universal 1337 Stealer Serveur" strings: $signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/ $signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/ $signature3={46 54 50 7E} /*FTP~*/ $signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/ condition: $signature1 and $signature2 or $signature3 and $signature4 }