14 lines
1.0 KiB
Plaintext
14 lines
1.0 KiB
Plaintext
|
|
rule Backdoor_BAT_Soybalek_A_dha{
|
|
meta:
|
|
description = "Backdoor:BAT/Soybalek.A!dha,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {75 00 73 00 65 00 72 00 6e 00 61 00 6d 00 65 00 90 01 02 70 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 90 01 04 7b 00 30 00 7d 00 09 00 7b 00 31 00 7d 00 09 00 7b 00 32 00 7d 00 09 00 7b 00 33 00 7d 00 09 00 7b 00 34 00 7d 00 09 00 7b 00 35 00 7d 00 90 00 } //01 00
|
|
$a_03_1 = {02 7b 01 00 00 04 6f 90 01 01 00 00 0a 6f 90 01 01 00 00 0a 72 90 01 01 00 00 70 6f 90 01 01 00 00 0a 0a 02 7b 01 00 00 04 6f 90 01 01 00 00 0a 6f 90 01 01 00 00 0a 72 90 01 01 00 00 70 6f 90 01 01 00 00 0a 0b 06 90 00 } //01 00
|
|
$a_03_2 = {18 08 a2 11 08 19 06 a2 11 08 1a 07 a2 11 08 1b 09 a2 11 08 28 90 01 01 00 00 0a 90 00 } //01 00
|
|
$a_03_3 = {02 72 01 00 00 70 7d 02 00 00 04 02 72 90 01 01 00 00 70 7d 03 00 00 04 02 72 90 01 01 00 00 70 7d 04 00 00 04 02 90 02 0c 03 7d 01 00 00 04 02 7b 01 00 00 04 02 fe 06 90 01 01 00 00 06 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |