Sneed-Reactivity/yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

49 lines
1.8 KiB
Text

rule TrojanWin32Vawtrak_BackDoor
{
meta:
Description = "Backdoor.Win32.sm"
ThreatLevel = "5"
strings:
$ = "[VNC] New Client" ascii wide
$ = "[VNC] Fail init BC" ascii wide
$ = "[VNC] Fail addr proto BC" ascii wide
$ = "[VNC] Fail connect BC" ascii wide
$ = "[VNC] Fail init work:" ascii wide
$ = "[VNC] Start Sever" ascii wide
$ = "[VNC] Parse param error:" ascii wide
$ = "[VNC] Fail create process:" ascii wide
$ = "[VNC] Fail inject to process:" ascii wide
$ = "[Socks] New Client" ascii wide
$ = "[Socks] Failt Init BC" ascii wide
$ = "[Socks] Fail add proto BC" ascii wide
$ = "[Socks] Failt connect BC" ascii wide
$ = "[Socks] Fail parse param:" ascii wide
$ = "[Pony] Fail Get Pass" ascii wide
$ = "DL_EXEC Status [Pipe]" ascii wide
$ = "DL_EXEC Status[Local]" ascii wide
$ = "Start Socks addr:" ascii wide
$ = "Start Socks Status[Pipe]" ascii wide
$ = "Start Socks Status[Local]" ascii wide
$ = "Start VNC addr: %s" ascii wide
$ = "Start VNC Status[Pipe]: %u-%u-%u" ascii wide
$ = "Start VNC Status[Local]: %u" ascii wide
$ = "PID: %u [%0.2u:%0.2u:%0.2u]" ascii wide
$ = "[BC] Cmd Ver Error" ascii wide
$ = "[BC] Wait Ping error %u[%u]" ascii wide
$ = "[BC] Fail Connect" ascii wide
$ = "[BC] Fail send auth" ascii wide
$ = "[BC] Fail read cmd" ascii wide
$ = "[BC] cmd error: %u" ascii wide
$ = "[BC] Cmd need disconnect" ascii wide
$ = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins" ascii wide
$str_0 = "T:\\Develop\\EQ2\\bin\\tmp" ascii wide
$str_1 = "T:\\Develop\\EQ2\\bin\\tmp\\client_32.pdb" ascii wide
$str_2 = "T:\\Develop\\EQ2\\bin\\tmp\\client_64.pdb" ascii wide
$str_3 = "client_64.dll" ascii wide
$str_4 = "client_32.dll" ascii wide
condition:
(5 of them) or (any of ($str_*))
}