YARA Rule to detect backdoor_w32_hupigon.shtml

June 16, 2015

```yara
rule Trojan_Win_Hupigon
{
    meta:
        author = "chort (@chort0)"
        description = "Trojan Hupigon"
        comment = "Should match 1.0.4 and 1.1.4"
        filetype = "pe"
        date = "2013-03"
        MD5 = "117a886a8d017e6be8f75a4b21791e13"
        MD5_alt1 = "9951f5e727b7c45d230d1170786be091"
        MD5_alt2 = "a4113ffae49e10e6c161ab42ae331ad8"
        Reference = "http://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml"
        version = "2.1"

    strings:
        $strA = { 5c 57 69 6e 4f 6c 64 41 70 70 [9-12] 75 6e 69 6e 73 74 61 6c 2e } // \WinOldApp ... uninstal.
        $strB = { 64 65 6c 20 22 [11] 63 6d 64 5f 2e 62 61 74 } // del " ... cmd_.bat
        $strC = { 5368 6f77 4465 7369 676e 696e 6708 0949 636f 6e2e 4461 7461 } // ShowDesigning..Icon.Data
        $strD = "GrayPigeon" ascii nocase fullword
        $strE = "pmRightClick" ascii nocase fullword
        $strF = "downloadinfo|Error File douse not exist." ascii fullword
        $strG = "com.cn_MUTEX" ascii fullword nocase
        $strH = "svh0st.exe" ascii fullword
        $strI = "BEI_ZHU" ascii fullword

        // $date1 = { 195e 422a } // 708992537 (Fri, 19 Jun 1992 22:22:17 UTC)
        $date2 = { 422a }      // 708986623 (Fri, 19 Jun 1992 ???? UTC)
        $date3 = { 0000 0000 } // 0 (Thu, 01 Jan 1970 00:00:00 UTC)
        $date4 = { 430b 3c4e } // 1312557891 (Fri, 05 Aug 2011 15:24:51 UTC)

    condition:
        2 of ($str*) and (($date2 at 266) or ($date3 at 264) or ($date4 at 264))
}
```
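As an added example (not part of the original post or the rule author's code), the script below decodes the rule's little-endian `$date` byte patterns back into PE `TimeDateStamp` values, so the epoch values in the comments can be checked, and shows why the condition's hard-coded `at 264` only holds when the PE header starts at `e_lfanew == 0x100`. The PE header bytes it builds are constructed stubs, not real samples.

```python
import struct
from datetime import datetime, timezone
from typing import Optional, Tuple

# Little-endian byte patterns taken from the rule's $date strings.
DATE_PATTERNS = {
    "$date1": bytes.fromhex("195e422a"),
    "$date3": bytes.fromhex("00000000"),
    "$date4": bytes.fromhex("430b3c4e"),
}

def decode_timestamp(le_bytes: bytes) -> Tuple[int, str]:
    """Interpret 4 little-endian bytes as a PE TimeDateStamp (seconds since epoch)."""
    ts = struct.unpack("<I", le_bytes)[0]
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return ts, when.strftime("%a, %d %b %Y %H:%M:%S UTC")

def timestamp_offset(pe: bytes) -> Optional[int]:
    """File offset of IMAGE_FILE_HEADER.TimeDateStamp, or None if not a PE.

    The rule pins the date at 264 (0x108), i.e. e_lfanew + 8 with e_lfanew == 0x100.
    A binary whose DOS stub has a different length lands elsewhere and escapes
    the date clause even when its timestamp is one of the listed values.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew + 8  # PE signature (4) + Machine (2) + NumberOfSections (2)

def build_stub_pe(e_lfanew: int, timestamp: int) -> bytes:
    """Constructed minimal header (hypothetical, not a real sample): an MZ stub
    padded to e_lfanew, then 'PE\\0\\0', Machine, NumberOfSections, TimeDateStamp."""
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + b"\0\0" + b"\0\0" + struct.pack("<I", timestamp)
    return bytes(hdr)

def date4_matches_at_264(pe: bytes) -> bool:
    """Literal emulation of the rule's '$date4 at 264' clause."""
    return pe[264:268] == DATE_PATTERNS["$date4"]
```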
