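rule Backdoor_BAT_Crysan_KAB_MTB {
    /*
     * Single-pattern rule for the family named in `description`
     * (Backdoor:BAT/Crysan.KAB!MTB). The description string records the
     * source signature type, SIGNATURE_TYPE_PEHSTR_EXT, followed by raw
     * header bytes carried over from that source signature.
     *
     * NOTE(review): the pattern is one short CIL sequence with no file-type
     * or size constraint, so unrelated .NET code containing the same loop
     * shape could also match. Treat a hit as a triage lead and corroborate
     * it before acting on it.
     */
    meta:
        description = "Backdoor:BAT/Crysan.KAB!MTB,SIGNATURE_TYPE_PEHSTR_EXT,0a 00 0a 00 01 00 00 0a 00 "

    strings:
        // The source pattern contained "90 01 01" twice and ended in "90 00".
        // In PEHSTR_EXT patterns these are control sequences, not bytes to
        // match: "90 01 NN" skips NN arbitrary bytes and "90 00" terminates
        // the pattern. YARA would match them literally, so they are written
        // here as "??" (one-byte wildcard) and the terminator is dropped.
        // Original text, for reference:
        //   ... 6f 90 01 01 00 00 0a 18 28 90 01 01 00 00 0a 9c ... 2d d6 90 00
        // NOTE(review): confirm the translation against a known-good sample.
        //
        // Read as CIL, the wildcards fall on the low byte of two method
        // tokens (6f = callvirt, 28 = call), which differ between builds:
        //   ldloc.1 ; ldloc.3 ; ldloc.0 ; ldloc.3 ; ldc.i4.8 ; mul ; ldc.i4.8
        //   callvirt <token> ; ldc.i4.2 ; call <token> ; stelem.i1
        //   ldloc.3 ; ldc.i4.1 ; add ; stloc.3          (index++)
        //   ldloc.3 ; ldloc.1 ; ldlen ; conv.i4 ; ldc.i4.1 ; sub ; cgt
        //   ldc.i4.0 ; ceq ; stloc.s 4 ; ldloc.s 4 ; brtrue.s  (loop back)
        // This looks like a loop that fills a byte array from 8-wide slices
        // parsed with radix 2. The called methods are not visible in the
        // pattern, so that reading is an inference.
        $a_03_0 = { 00 07 09 06 09 1e 5a 1e 6f ?? 00 00 0a 18 28 ?? 00 00 0a 9c 00 09 17 58 0d 09 07 8e 69 17 59 fe 02 16 fe 01 13 04 11 04 2d d6 } //00 00

    condition:
        // Only one $a_* string is defined, so this is equivalent to $a_03_0.
        any of ($a_*)
}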