DefenderYara/Backdoor/Win32/Phdet/Backdoor_Win32_Phdet_S.yar


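// Backdoor:Win32/Phdet.S — converted from a Defender PEHSTR_EXT signature.
// Five indicators, each weighted 1; the rule fires when at least three are present.
rule Backdoor_Win32_Phdet_S
{
    meta:
        description = "Backdoor:Win32/Phdet.S,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 05 00 00 "

    strings:
        // x86: push 'DNWP' (0x50574E44); call [imm32]; ... cmp dword [ebp+disp8], 0x3000; jb
        // NOTE(review): "90 09 09 00" looks like an untranslated Defender wildcard/gap token
        // rather than literal code bytes (elsewhere in this corpus it corresponds to a
        // "[0-9]" jump). As written it only matches if those exact bytes occur — confirm
        // against the original signature before relying on this string.
        $a_03_0 = {68 44 4e 57 50 ff 15 90 09 09 00 81 7d ?? 00 30 00 00 72 } //1

        // x86: push esi; mov esi,[esp+8]; push 2; push esi; call [imm32]; test eax,eax; jnz;
        //      mov eax,0x5A4D ('MZ'); cmp word [esi],ax; jnz   -> checks a buffer for a PE "MZ" header
        $a_03_1 = {56 8b 74 24 08 6a 02 56 ff 15 ?? ?? ?? ?? 85 c0 75 ?? b8 4d 5a 00 00 66 39 06 75 } //1

        // ASCII, NUL-terminated: "%s" /exploit
        $a_00_2 = {22 25 73 22 20 2f 65 78 70 6c 6f 69 74 00 } //1

        // ASCII, NUL-terminated: _PYALOAD
        $a_01_3 = {5f 50 59 41 4c 4f 41 44 00 } //1

        // ASCII, NUL-terminated GUID: {3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}
        $a_00_4 = {7b 33 44 35 41 31 36 39 34 2d 43 43 32 43 2d 34 65 65 37 2d 41 33 44 35 2d 41 38 37 39 41 39 45 33 41 36 32 41 7d 00 } //1

    condition:
        // Original form was a weighted sum of "(#string & 1) * 1" terms compared with >= 3.
        // "#x & 1" is the match count's low bit, so a string that occurs an even number of
        // times (e.g. the GUID appearing twice) contributed 0 and could suppress a true hit.
        // Every weight is 1 and the threshold is 3, so "3 of" is the intended semantics.
        3 of ($a_*)
}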