rule InvisiDoor_Backdoor : backdoor windows
{
    meta:
        description = "Identifies the InvisiDoor stealth backdoor malware."
        author = "AI Security Bot"
        date = "2025-11-06"
        version = "1.0"
        severity = "High"

    strings:
        // Text string often used in the malware's command-and-control communication
        $c2_ip = "192.168.42.10" fullword ascii

        // Unique mutex name the malware creates to ensure only one instance runs
        $mutex = "InvisiDoor_Global_Mutex_01" wide ascii

        // A specific sequence of binary instructions (hex pattern) in the code
        // '??' represents a wildcard (any single byte)
        $code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }

        // A regular expression to find an obfuscated configuration file path
        $config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase

    condition:
        // The file must contain the unique mutex string ($mutex)
        // AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
        // AND the file size must be between 10 KB and 500 KB
        $mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}

ddsxw

sudhanshu_sabharwal

Sudhanshu Sabharwal

rule Suspicious_Keyword_ASCII {
  meta:
    description = "Detects files containing a suspicious keyword"
    author = "Analyst"
    date = "2025-11-07"
  strings:
    $s1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\malware.exe" ascii
  condition:
    $s1
}

rf

sudhanshu_sabharwal

Sudhanshu Sabharwal

// Function to display a greeting
function greet(name) {
  console.log("Hello, " + name + "!");
}

// Calling the function
greet("World");
greet("Gemini User");

qa

sudhanshu_sabharwal

Sudhanshu Sabharwal

rule Simple_Text_Match {
    meta:
        author = "Gemini" //[highlight]
        description = "Detects files containing a specific command string."
        date = "2025-11-10"

    strings:
        // ASCII string search, default is case-sensitive
        $command_string = "C:\\Windows\\System32\\nc.exe"

    condition:
        // The rule matches if the string $command_string is found.
        $command_string
}

saxas

sudhanshu_sabharwal

Sudhanshu Sabharwal

console.log("hello");
console.log("hello");
console.log("hello");
console.log("hello");

dscxd

sudhanshu_sabharwal

Sudhanshu Sabharwal

Scroll on new L1 post not working

Show more replies

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded