2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
rule TrojanDownloader_Win32_Banload_ANP{
|
|
|
|
|
meta:
|
2024-07-06 23:13:08 -07:00
|
|
|
description = "TrojanDownloader:Win32/Banload.ANP,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0c 00 07 00 00 "
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
strings :
|
2024-07-06 23:13:08 -07:00
|
|
|
$a_01_0 = {31 00 39 00 36 00 33 00 31 00 30 00 } //1 196310
|
|
|
|
|
$a_01_1 = {32 00 30 00 36 00 32 00 35 00 35 00 } //1 206255
|
|
|
|
|
$a_01_2 = {31 00 39 00 35 00 33 00 31 00 32 00 } //1 195312
|
|
|
|
|
$a_01_3 = {32 00 30 00 31 00 32 00 34 00 38 00 32 00 34 00 38 00 32 00 35 00 39 00 33 00 31 00 33 00 33 00 31 00 37 00 33 00 31 00 37 00 } //3 201248248259313317317
|
|
|
|
|
$a_01_4 = {32 00 30 00 36 00 33 00 32 00 32 00 33 00 32 00 36 00 33 00 32 00 32 00 32 00 35 00 32 00 33 00 } //3 2063223263222523
|
|
|
|
|
$a_01_5 = {31 00 37 00 34 00 32 00 32 00 30 00 32 00 39 00 34 00 32 00 38 00 35 00 32 00 37 00 36 00 32 00 37 00 35 00 32 00 38 00 38 00 32 00 37 00 39 00 32 00 37 00 36 00 32 00 36 00 36 00 32 00 39 00 34 00 32 00 38 00 35 00 32 00 37 00 36 00 32 00 37 00 35 00 32 00 38 00 38 00 32 00 37 00 39 00 32 00 34 00 34 00 32 00 30 00 36 00 32 00 37 00 31 00 32 00 38 00 32 00 32 00 38 00 32 00 32 00 37 00 39 00 32 00 39 00 36 00 32 00 38 00 35 00 } //3 174220294285276275288279276266294285276275288279244206271282282279296285
|
|
|
|
|
$a_03_6 = {66 83 fb 03 90 03 02 02 76 40 77 c0 90 09 08 00 66 83 eb 90 03 01 01 02 03 90 00 } //3
|
2024-02-05 06:12:47 -08:00
|
|
|
condition:
|
2024-07-06 23:13:08 -07:00
|
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*3+(#a_01_4 & 1)*3+(#a_01_5 & 1)*3+(#a_03_6 & 1)*3) >=12
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
}
|
