DefenderYara/PseudoThreat_c000095d/_PseudoThreat_c000095d.yar


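// Converted from a Microsoft Defender SIGNATURE_TYPE_PEHSTR_EXT signature.
//
// Review notes on the conversion (keep in mind before deploying):
//  * The meta header bytes "0e 00 0b 00 09 00 00 04 00" are the raw Defender
//    signature header. The third u16 (0x09 = 9) equals the number of strings
//    below; the first two (0x0e, 0x0b) look like the match thresholds Defender
//    applies to the per-string weights — TODO confirm against the Defender
//    signature format before relying on them.
//  * The "//NN 00" trailer on each string carries that string's weight in the
//    original signature. The condition below does NOT reproduce the weighted
//    threshold; "any of" is a deliberately loose approximation and will match
//    more broadly than Defender itself. Several strings are 12–14 byte
//    generic x86 sequences (struct initialisation, rep movsb copies, an SEH
//    prologue), so expect false positives on unrelated PE files if this rule
//    is used for blocking rather than hunting.
//  * The original Defender byte strings embed wildcard markers rather than
//    literal opcodes: "90 01 NN" = exactly NN wildcard bytes, "90 02 NN" =
//    0..NN wildcard bytes, "90 00" = end of string. They are translated to
//    YARA jumps here ("[NN]", "[0-NN]"). The decoding is consistent with the
//    surrounding x86: every "90 01 02 01 00" sits where a 32-bit absolute
//    address of the form 0x0001xxxx is expected (cf. the literal 0x000107d8
//    in $a_00_0 and 0x000107c8 in $a_00_7). $a_00_8 is typed "00" in the
//    source but contains the same markers in the same positions, so it is
//    treated the same way.
rule _PseudoThreat_c000095d
{
    meta:
        description = "!PseudoThreat_c000095d,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0b 00 09 00 00 04 00 "

    strings:
        // push esi; push edi; mov esi, 0x000107d8; mov edi, esi; mov ecx, 0xf0
        $a_00_0 = { 56 57 be d8 07 01 00 8b fe b9 f0 00 00 00 } //03 00
        // mov eax,[ebp+0c]; mov dword [eax+18],0; (0-1 bytes); and dword [eax+1c],0; push 0; push [ebp+0c]
        $a_02_1 = { 8b 45 0c c7 40 18 00 00 00 00 [0-1] 83 60 1c 00 6a 00 ff 75 0c } //03 00
        // SEH frame setup: push fs:[0]; mov [0001xxxx],esp; mov fs:[0],esp; lea ecx,[0001xxxx]; mov edx,0x240; call
        $a_02_2 = { 02 01 00 64 ff 35 00 00 00 00 89 25 [2] 01 00 64 89 25 00 00 00 00 8d 0d [2] 01 00 ba 40 02 00 00 e8 } //02 00
        // mov dword [eax],0x18; mov [eax+8],ecx; mov [eax+0c],edx  (generic struct init — FP-prone on its own)
        $a_00_3 = { c7 00 18 00 00 00 89 48 08 89 50 0c } //03 00
        // same struct init with an extra zeroed field at [eax+4]
        $a_00_4 = { 01 00 c7 00 18 00 00 00 c7 40 04 00 00 00 00 89 48 08 89 50 0c c7 } //02 00
        // mov esi,[ebx+0c]; lea edi,[eax+0001xxxx]; mov ecx,0x10; rep movsb; push
        $a_02_5 = { 01 00 8b 73 0c 8d b8 [2] 01 00 b9 10 00 00 00 f3 a4 68 } //02 00
        // mov esi,[ebx]; lea edi,[eax+0001xxxx]; mov ecx,0x1a; rep movsb; push
        $a_02_6 = { 01 00 8b 33 8d b8 [2] 01 00 b9 1a 00 00 00 f3 a4 68 } //02 00
        // lea eax,[0x000107c8]; mov esi,eax; mov edi,esi; mov ecx,0xf5
        $a_00_7 = { 8d 05 c8 07 01 00 8b f0 8b fe b9 f5 00 00 00 } //02 00
        // mov eax,[esp+12]; cmp byte [0001xxxx],3; jnz +18; mov dword [0001xxxx],0x2d; push eax; push [...]
        // Weight 0 in the source signature: Defender does not count it towards the threshold.
        $a_00_8 = { 8b 44 24 12 80 3d [2] 01 00 03 75 18 c7 05 [2] 01 00 2d 00 00 00 50 ff 35 } //00 00

    condition:
        // PEHSTR signatures target PE images; gate on the MZ header so the short,
        // generic opcode sequences above are not matched inside arbitrary files.
        uint16(0) == 0x5A4D and any of ($a_*)
}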