16 lines
1.1 KiB
Plaintext
16 lines
1.1 KiB
Plaintext
|
|
||
|
|
rule VirTool_Win64_Bumblerz_A_MTB{
|
||
|
|
meta:
|
||
|
|
description = "VirTool:Win64/Bumblerz.A!MTB,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 06 00 00 01 00 "
|
||
|
|
|
||
|
|
strings :
|
||
|
|
$a_02_0 = {48 8b 05 61 3a 01 00 48 89 44 24 20 4c 8d 90 01 05 4c 8d 90 01 05 48 8d 90 01 05 48 8d 90 01 05 e8 73 90 00 } //01 00
|
||
|
|
$a_02_1 = {48 89 45 08 48 8d 90 01 05 e8 90 01 04 48 8b 4d 08 e8 90 01 04 ba 04 00 00 00 48 8b c8 ff 15 90 00 } //01 00
|
||
|
|
$a_02_2 = {48 89 4c 24 08 57 48 83 ec 20 33 d2 48 8b 4c 24 30 e8 90 01 04 48 83 c4 20 90 00 } //01 00
|
||
|
|
$a_00_3 = {48 8b 85 c8 01 00 00 48 8b 40 18 48 8b 8d c0 01 00 00 48 2b c8 48 8b c1 48 89 45 08 } //01 00
|
||
|
|
$a_02_4 = {48 c7 45 68 00 00 00 00 8b 05 4a 3c 01 00 48 89 85 88 00 00 00 48 8b 85 88 00 00 00 48 c1 e0 02 89 85 a8 00 00 00 48 8d 90 01 05 48 8b f8 33 c0 b9 04 00 00 00 f3 aa 48 c7 44 24 30 00 00 00 00 c7 44 24 28 00 00 00 08 c7 44 24 20 40 00 00 00 90 00 } //01 00
|
||
|
|
$a_00_5 = {48 8b 45 68 48 39 45 48 0f 83 e4 00 00 00 8b 45 04 ff c0 99 81 e2 ff 00 00 00 03 c2 25 ff 00 00 00 2b c2 89 45 04 48 63 45 04 48 8b 8d 80 01 00 00 0f b6 04 01 8b 4d 24 03 c8 8b c1 } //00 00
|
||
|
|
condition:
|
||
|
|
any of ($a_*)
|
||
|
|
|
||
|
|
}
|