DefenderYara/TrojanDownloader/O97M/Donoff/TrojanDownloader_O97M_Donof...


rule TrojanDownloader_O97M_Donoff_RPDO_MTB{
	meta:
		description = "TrojanDownloader:O97M/Donoff.RPDO!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 01 00 00 "
		
	strings :
		$a_03_0 = {3d 63 72 65 61 74 65 6f 62 6a 65 63 74 28 [0-0a] 29 73 65 74 [0-0f] 3d [0-0f] 2e 6f 70 65 6e 74 65 78 74 66 69 6c 65 28 [0-0f] 2b 22 5c 72 66 65 63 6e 2e 76 62 73 22 2c 38 2c 74 72 75 65 29 90 1b 01 2e 77 72 69 74 65 6c 69 6e 65 66 90 1b 01 2e 63 6c 6f 73 65 90 08 00 02 63 72 65 61 74 65 6f 62 6a 65 63 74 [0-2f] 2e 6f 70 65 6e 28 [0-1f] 2b 22 5c 72 66 65 63 6e 2e 76 62 73 22 29 90 08 00 01 3d 67 65 74 74 69 63 6b 63 6f 75 6e 74 2b 28 66 69 6e 69 73 68 2a 31 30 30 30 29 } //1
	condition:
		((#a_03_0  & 1)*1) >=1
 
}
init 2024-02-05 06:12:47 -08:00
			`rule TrojanDownloader_O97M_Donoff_RPDO_MTB{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "TrojanDownloader:O97M/Donoff.RPDO!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 01 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
update like regex pattern strings 2024-07-09 05:28:14 -07:00			`$a_03_0 = {3d 63 72 65 61 74 65 6f 62 6a 65 63 74 28 [0-0a] 29 73 65 74 [0-0f] 3d [0-0f] 2e 6f 70 65 6e 74 65 78 74 66 69 6c 65 28 [0-0f] 2b 22 5c 72 66 65 63 6e 2e 76 62 73 22 2c 38 2c 74 72 75 65 29 90 1b 01 2e 77 72 69 74 65 6c 69 6e 65 66 90 1b 01 2e 63 6c 6f 73 65 90 08 00 02 63 72 65 61 74 65 6f 62 6a 65 63 74 [0-2f] 2e 6f 70 65 6e 28 [0-1f] 2b 22 5c 72 66 65 63 6e 2e 76 62 73 22 29 90 08 00 01 3d 67 65 74 74 69 63 6b 63 6f 75 6e 74 2b 28 66 69 6e 69 73 68 2a 31 30 30 30 29 } //1`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_03_0 & 1)*1) >=1`
init 2024-02-05 06:12:47 -08:00
			`}`