YARA rules for PcShare
YARA rules whose family, name, or description matches this tool or its tooling. Both rules below gate on an MZ header (`uint16(0) == 0x5a4d`) plus a file-size cap, so use them for binary-pattern hunts over PE files on disk or carved/dumped images; they are not written to match text, log or network data.
// PcShare client binary (PcShare.exe) from the referenced Chinese tool set.
// Seven strings taken from the sample: two printf-style format strings, a
// stock IE6 user-agent, two pcshare.cn / pcshares.cn URLs, an ini\*.dat glob
// and a helper executable name. A hit needs an MZ header, the size cap and
// any three of the seven strings.
// NOTE(review): $ua_ie6 and $ini_glob are not PcShare-specific on their own;
// because only those two are generic, the 3-string threshold still forces
// at least one vendor/protocol string to be present.
rule CN_Tools_PcShare
{
    meta:
        author      = "Florian Roth (Nextron Systems)"
        description = "Chinese Hacktool Set - file PcShare.exe"
        reference   = "http://tools.zjqhr.com/"
        date        = "2015-06-13"
        hash        = "ee7ba9784fae413d644cdf5a093bd93b73537652"
        license     = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        id          = "0c4e9f9b-9839-56a0-be21-a4e9f19cdfdb"

    strings:
        // format string carrying window-handle / process / cmd fields
        $fmt_session  = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide
        // stock IE6 user-agent; weak indicator by itself
        $ua_ie6       = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
        $url_lostpass = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide
        // port / name / pass format string
        $fmt_creds    = "port=%s;name=%s;pass=%s;" fullword wide
        // generic ini glob; weak indicator by itself
        $ini_glob     = "%s\\ini\\*.dat" fullword wide
        $exe_pcinit   = "pcinit.exe" fullword wide
        $url_vendor   = "http://www.pcshare.cn" fullword wide

    condition:
        // MZ magic first, then the size cap, then any 3 of the 7 strings
        uint16(0) == 0x5a4d
        and filesize < 6000KB
        and 3 of ($*)
}
// PcShare companion binary (datPcShare.exe) from the same tool set.
// Tight rule: an MZ header, a 500KB size cap and ALL four strings must be
// present, so a single missing string suppresses the match.
rule datPcShare
{
    meta:
        author      = "Florian Roth (Nextron Systems)"
        description = "Chinese Hacktool Set - file datPcShare.exe"
        reference   = "http://tools.zjqhr.com/"
        date        = "2015-06-13"
        hash        = "87acb649ab0d33c62e27ea83241caa43144fc1c4"
        license     = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        id          = "1bf44c0d-6aa7-5486-baee-c17d3e82403f"

    strings:
        $name_exe   = "PcShare.EXE" fullword wide
        $name_short = "PcShare" fullword wide
        // the only ASCII string: "MZ" immediately followed by "KERNEL32.DLL".
        // NOTE(review): presumably the DOS header overlapping an import name,
        // a layout seen in very small PE loaders — confirm against the sample.
        $hdr_mz_k32 = "MZKERNEL32.DLL" fullword ascii
        // author contact baked into the binary
        $contact_qq = "QQ:4564405" fullword wide

    condition:
        filesize < 500KB
        and uint16(0) == 0x5a4d
        and all of ($*)
}