DefenderYara/TrojanDownloader/O97M/EncDoc/TrojanDownloader_O97M_EncDo...


rule TrojanDownloader_O97M_EncDoc_SSMF_MTB{
	meta:
		description = "TrojanDownloader:O97M/EncDoc.SSMF!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 01 00 "
		
	strings :
		$a_01_0 = {28 28 28 52 75 6e 28 28 28 28 28 28 28 28 28 28 22 4d 22 20 26 20 22 34 22 20 26 20 22 22 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 } //01 00 
		$a_01_1 = {56 42 5f 4e 61 6d 65 20 3d 20 22 46 6f 67 6c 69 6f 31 } //01 00 
		$a_01_2 = {3d 20 53 70 6c 69 74 28 66 66 69 6e 65 73 74 72 61 2c 20 22 38 22 29 } //01 00 
		$a_03_3 = {63 44 44 20 3d 20 22 54 22 20 26 20 74 74 72 6f 76 76 61 20 26 20 22 4f 28 29 22 90 02 03 45 6e 64 20 46 75 6e 63 74 69 6f 6e 90 00 } //01 00 
		$a_01_4 = {63 20 3d 20 28 62 4e 28 22 3d 22 20 26 20 64 61 2c 20 31 20 2b 20 37 29 29 3a 20 66 6f 67 5f 54 20 28 28 64 69 5f 70 61 67 6f 29 29 } //00 00 
	condition:
		any of ($a_*)
 
}
init 2024-02-05 06:12:47 -08:00
			`rule TrojanDownloader_O97M_EncDoc_SSMF_MTB{`
			`meta:`
			`description = "TrojanDownloader:O97M/EncDoc.SSMF!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 01 00 "`

			`strings :`
			`$a_01_0 = {28 28 28 52 75 6e 28 28 28 28 28 28 28 28 28 28 22 4d 22 20 26 20 22 34 22 20 26 20 22 22 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 } //01 00`
			`$a_01_1 = {56 42 5f 4e 61 6d 65 20 3d 20 22 46 6f 67 6c 69 6f 31 } //01 00`
			`$a_01_2 = {3d 20 53 70 6c 69 74 28 66 66 69 6e 65 73 74 72 61 2c 20 22 38 22 29 } //01 00`
			`$a_03_3 = {63 44 44 20 3d 20 22 54 22 20 26 20 74 74 72 6f 76 76 61 20 26 20 22 4f 28 29 22 90 02 03 45 6e 64 20 46 75 6e 63 74 69 6f 6e 90 00 } //01 00`
			`$a_01_4 = {63 20 3d 20 28 62 4e 28 22 3d 22 20 26 20 64 61 2c 20 31 20 2b 20 37 29 29 3a 20 66 6f 67 5f 54 20 28 28 64 69 5f 70 61 67 6f 29 29 } //00 00`
			`condition:`
			`any of ($a_*)`

			`}`