Sudhanshu Sabharwal
November 25, 2025
Solved
test
- November 25, 2025
- 6 replies
- 32 views
test
Solved
test
test
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
rule InvisiDoor_Backdoor : backdoor windows
{
meta:
description = "Identifies the InvisiDoor stealth backdoor malware."
author = "AI Security Bot"
date = "2025-11-06"
version = "1.0"
severity = "High"
strings:
// Text string often used in the malware's command-and-control communication
$c2_ip = "192.168.42.10" fullword ascii
// Unique mutex name the malware creates to ensure only one instance runs
$mutex = "InvisiDoor_Global_Mutex_01" wide ascii
// A specific sequence of binary instructions (hex pattern) in the code
// '??' represents a wildcard (any single byte)
$code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
// A regular expression to find an obfuscated configuration file path
$config_resgex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
condition:
// The file must contain the unique mutex string ($mutex)
// AND it must contain either the C2 IP ($c2_ip) OR the code pattern ($code_pattern)
// AND the file size must be between 10 KB and 500 KB
$mutex and ($c2_ip or $code_pattern) and filesize > 10KB and filesize < 500KB
}
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.