2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
rule TrojanDownloader_O97M_Valyria_H_MTB{
|
|
|
|
|
meta:
|
2024-07-06 23:13:08 -07:00
|
|
|
description = "TrojanDownloader:O97M/Valyria.H!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 03 00 00 "
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
strings :
|
2024-07-06 23:13:08 -07:00
|
|
|
$a_00_0 = {3d 20 22 70 6f 77 65 72 73 68 65 6c 6c 2e 65 78 65 20 20 20 2e 20 28 20 28 5b 73 54 72 49 4e 67 5d 24 56 65 52 42 4f 53 65 50 52 65 66 65 52 45 6e 43 65 29 5b 31 2c 33 5d 2b 27 78 27 2d 4a 4f 49 6e 27 27 29 } //1 = "powershell.exe . ( ([sTrINg]$VeRBOSePRefeREnCe)[1,3]+'x'-JOIn'')
|
2024-07-09 05:28:14 -07:00
|
|
|
$a_02_1 = {28 28 27 28 27 2b [0-0f] 53 27 2b 27 74 [0-0f] 2b [0-0f] 61 72 27 2b 27 74 27 2b 27 2d 50 72 6f 63 65 73 27 2b 27 [0-40] 73 [0-50] 68 74 74 27 2b 27 70 73 3a 2f 2f 66 69 27 2b 27 6c 65 27 2b 27 [0-40] 2e 63 [0-40] 61 74 [0-40] 62 6f 78 27 2b 27 2e 27 2b 27 6d [0-40] 6f 65 2f [0-40] 75 35 74 27 2b 27 [0-40] 37 [0-40] 6e 27 2b 27 6c 2e 70 27 2b 27 6e 27 2b 27 67 27 2b 27 [0-40] 29 } //1
|
|
|
|
|
$a_02_2 = {2e 52 65 70 6c 41 63 27 2b 27 45 27 2b 27 28 28 5b 63 48 61 27 2b 27 72 5d 35 35 2b 5b 63 48 61 72 27 2b 27 5d 27 2b 27 38 33 2b 5b 63 27 2b 27 48 27 2b 27 61 27 2b 27 72 5d 39 30 29 2c 5b 27 2b 27 73 54 52 27 2b 27 69 6e 27 2b 27 67 5d 5b 63 48 61 72 27 2b 27 5d 27 2b 27 33 27 2b 27 34 27 2b 27 29 20 [0-40] 20 26 20 28 20 [0-50] 29 27 29 2e 52 45 50 4c 61 43 45 28 27 [0-0f] 27 2c 5b 73 54 52 49 6e 47 5d 5b 43 68 61 72 5d 31 32 34 29 2e 52 45 50 4c 61 43 45 28 27 [0-0f] 27 2c 5b 73 54 52 49 6e 47 5d 5b 43 68 61 72 5d 33 36 29 2e 52 45 50 4c 61 43 45 28 28 5b 43 68 61 72 5d 31 30 35 2b 5b 43 68 61 72 5d 37 35 2b 5b 43 68 61 72 5d 37 38 29 2c 5b 73 54 52 49 6e 47 5d 5b 43 68 61 72 5d 33 39 29 20 29 20 22 } //1
|
2024-02-05 06:12:47 -08:00
|
|
|
condition:
|
2024-07-06 23:13:08 -07:00
|
|
|
((#a_00_0 & 1)*1+(#a_02_1 & 1)*1+(#a_02_2 & 1)*1) >=3
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
}
|
