DefenderYara/TrojanSpy/Win32/Bancos/TrojanSpy_Win32_Bancos_AMZ.yar
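rule TrojanSpy_Win32_Bancos_AMZ
{
    meta:
        // Converted from a Microsoft Defender PEHSTR_EXT signature. The header
        // bytes kept in the description ("07 00 07 00 0a 00 00") encode the
        // original threshold (7) and string count (10); each string below
        // carries weight 1, as the "//1" trailers indicate.
        description = "TrojanSpy:Win32/Bancos.AMZ,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 0a 00 00 "

    strings:
        // $a_01_0 .. $a_01_6 are UTF-16LE text whose characters are themselves
        // hex digits (the value in each trailer comment). Decoding that hex a
        // second time yields the plain marker shown after the arrow; these look
        // like "<|...|>"-delimited protocol/command tokens, but the sample's
        // actual use of them is not established by this rule.
        $a_01_0 = {33 00 43 00 37 00 43 00 34 00 42 00 34 00 35 00 35 00 39 00 34 00 32 00 34 00 46 00 34 00 31 00 35 00 32 00 34 00 34 00 37 00 43 00 33 00 45 00 } //1 3C7C4B4559424F4152447C3E -> "<|KEYBOARD|>"
        $a_01_1 = {36 00 32 00 36 00 43 00 36 00 46 00 36 00 33 00 36 00 42 00 32 00 45 00 37 00 34 00 37 00 38 00 37 00 34 00 } //1 626C6F636B2E747874 -> "block.txt"
        $a_01_2 = {33 00 43 00 37 00 43 00 34 00 46 00 34 00 42 00 37 00 43 00 33 00 45 00 } //1 3C7C4F4B7C3E -> "<|OK|>"
        $a_01_3 = {33 00 43 00 37 00 43 00 35 00 30 00 34 00 39 00 34 00 45 00 34 00 37 00 37 00 43 00 33 00 45 00 } //1 3C7C50494E477C3E -> "<|PING|>"
        $a_01_4 = {33 00 43 00 37 00 43 00 34 00 45 00 34 00 46 00 35 00 33 00 36 00 35 00 36 00 45 00 36 00 38 00 36 00 31 00 37 00 43 00 33 00 45 00 } //1 3C7C4E4F53656E68617C3E -> "<|NOSenha|>"
        $a_01_5 = {33 00 43 00 37 00 43 00 34 00 33 00 34 00 43 00 34 00 39 00 35 00 30 00 37 00 43 00 33 00 45 00 } //1 3C7C434C49507C3E -> "<|CLIP|>"
        $a_01_6 = {36 00 33 00 36 00 43 00 36 00 39 00 36 00 33 00 36 00 42 00 } //1 636C69636B -> "click"
        // $a_01_7 and $a_01_8 are plain UTF-16LE text; $a_01_9 is plain ASCII.
        $a_01_7 = {3c 00 7c 00 67 00 65 00 74 00 73 00 7c 00 3e 00 } //1 <|gets|>
        $a_01_8 = {3c 00 7c 00 54 00 41 00 4d 00 41 00 4e 00 48 00 4f 00 7c 00 3e 00 } //1 <|TAMANHO|>
        $a_01_9 = {3c 7c 43 6c 6f 73 65 43 68 61 74 7c 3e } //1 <|CloseChat|>

    condition:
        // The converter emitted "sum of (#a_01_n & 1) * 1 >= 7". In YARA "#s" is
        // the match count, so "& 1" tests parity rather than presence: a string
        // that occurs an even number of times contributes 0, and a sample can
        // drop below the threshold despite containing it. A weight-1 PEHSTR
        // threshold means "at least N strings present", which is what this
        // expresses directly.
        7 of ($a_01_*)
}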