Sneed-Reactivity/yara-mikesxrs/Jipe_/Spyeye.yar

65 lines
1.5 KiB
Text
Raw Normal View History

rule spyeye : banker
{
meta:
author = "Jean-Philippe Teissier / @Jipe_"
description = "SpyEye X.Y memory"
date = "2012-05-23"
version = "1.0"
filetype = "memory"
strings:
$spyeye = "SpyEye"
$a = "%BOTNAME%"
$b = "globplugins"
$c = "data_inject"
$d = "data_before"
$e = "data_after"
$f = "data_end"
$g = "bot_version"
$h = "bot_guid"
$i = "TakeBotGuid"
$j = "TakeGateToCollector"
$k = "[ERROR] : Omfg! Process is still active? Lets kill that mazafaka!"
$l = "[ERROR] : Update is not successfull for some reason"
$m = "[ERROR] : dwErr == %u"
$n = "GRABBED DATA"
condition:
$spyeye or (any of ($a,$b,$c,$d,$e,$f,$g,$h,$i,$j,$k,$l,$m,$n))
}
rule spyeye_plugins : banker
{
meta:
author = "Jean-Philippe Teissier / @Jipe_"
description = "SpyEye X.Y Plugins memory"
date = "2012-05-23"
version = "1.0"
filetype = "memory"
strings:
$a = "webfakes.dll"
$b = "config.dat" //may raise some FP
$c = "collectors.txt"
$d = "webinjects.txt"
$e = "screenshots.txt"
$f = "billinghammer.dll"
$g = "block.dll" //may raise some FP
$h = "bugreport.dll" //may raise some FP
$i = "ccgrabber.dll"
$j = "connector2.dll"
$k = "creditgrab.dll"
$l = "customconnector.dll"
$m = "ffcertgrabber.dll"
$n = "ftpbc.dll"
$o = "rdp.dll" //may raise some FP
$p = "rt_2_4.dll"
$q = "socks5.dll" //may raise some FP
$r = "spySpread.dll"
$s = "w2chek4_4.dll"
$t = "w2chek4_6.dll"
condition:
any of them
}