2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
rule TrojanDownloader_O97M_Trickbot_A{
|
|
|
|
|
meta:
|
2024-07-06 23:13:08 -07:00
|
|
|
description = "TrojanDownloader:O97M/Trickbot.A,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 04 00 00 "
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
strings :
|
2024-07-06 23:13:08 -07:00
|
|
|
$a_00_0 = {56 42 5f 42 61 73 65 20 3d 20 22 30 7b 35 36 43 44 39 35 46 35 2d 42 33 43 32 2d 34 31 33 45 2d 42 30 36 41 2d 42 43 41 39 42 37 44 41 43 31 31 36 7d 7b 43 32 41 37 45 46 39 43 2d 46 32 43 46 2d 34 38 34 31 2d 41 46 42 45 2d 31 45 44 36 31 42 33 42 42 37 36 41 7d 22 } //1 VB_Base = "0{56CD95F5-B3C2-413E-B06A-BCA9B7DAC116}{C2A7EF9C-F2CF-4841-AFBE-1ED61B3BB76A}"
|
|
|
|
|
$a_00_1 = {56 42 5f 42 61 73 65 20 3d 20 22 30 7b 34 43 37 44 46 32 37 42 2d 43 31 46 36 2d 34 46 32 34 2d 38 31 45 30 2d 38 31 41 43 41 41 39 36 33 31 42 42 7d 7b 45 33 30 36 39 42 30 33 2d 42 44 42 32 2d 34 30 32 45 2d 39 33 35 34 2d 38 31 45 33 43 42 31 35 34 30 43 43 7d 22 } //1 VB_Base = "0{4C7DF27B-C1F6-4F24-81E0-81ACAA9631BB}{E3069B03-BDB2-402E-9354-81E3CB1540CC}"
|
2024-07-09 05:28:14 -07:00
|
|
|
$a_02_2 = {49 66 20 30 20 3d 20 90 12 04 00 32 20 54 68 65 6e 20 53 68 65 6c 6c 20 90 1d 05 00 2c 90 1d 04 00 } //1
|
2024-07-06 23:13:08 -07:00
|
|
|
$a_00_3 = {50 72 69 76 61 74 65 20 53 75 62 20 54 65 78 74 42 6f 78 31 5f 43 68 61 6e 67 65 28 29 } //1 Private Sub TextBox1_Change()
|
2024-02-05 06:12:47 -08:00
|
|
|
condition:
|
2024-07-06 23:13:08 -07:00
|
|
|
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_02_2 & 1)*1+(#a_00_3 & 1)*1) >=3
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
}
|
