DefenderYara/PseudoThreat_c00009c7/_PseudoThreat_c00009c7.yar


// _PseudoThreat_c00009c7: YARA rendering of a Microsoft Defender
// SIGNATURE_TYPE_PEHSTR_EXT signature. The strings are x86 PE code fragments
// plus one ASCII marker; the string names carry the original Defender string
// type ($a_00_* plain bytes, $a_02_* extended strings).
rule _PseudoThreat_c00009c7{
meta:
// Original signature header, kept verbatim. NOTE(review): the trailing header
// words presumably hold the string count (08 00 = 8, which matches the eight
// strings below) and match thresholds (06 00 / 05 00); the per-string
// "//NN NN" trailers look like match weights. None of that is enforced by the
// condition at the bottom — confirm against the converter before relying on it.
description = "!PseudoThreat_c00009c7,SIGNATURE_TYPE_PEHSTR_EXT,06 00 05 00 08 00 00 01 00 "
strings :
// Plain ASCII " is infected". This fragment is generic enough to occur in
// benign binaries (scanner / help text), and with "any of" below it is a
// sufficient match on its own — the main false-positive risk of this rule.
$a_00_0 = {20 69 73 20 69 6e 66 65 63 74 65 64 } //01 00 is infected
// NOTE(review): the "90 01 NN", "90 02 NN" and trailing "90 00" sequences in
// the $a_02_* strings look like PEHSTR_EXT wildcard / variable-gap / end
// markers rather than real opcode bytes. Written as literal hex they match
// only those exact bytes, so these strings are likely much narrower than the
// source signature intended (a non-match is not evidence of absence). Verify
// how the converter is expected to render them (e.g. as `??` / `[0-N]` jumps).
// Looks like an x86 prologue (push ebp / mov ebp,esp / add esp,-0x1e8),
// a call, then cmp eax,0 / jne.
$a_02_1 = {55 8b ec 81 c4 18 fe ff ff 90 02 03 e8 90 01 04 83 f8 00 0f 85 90 01 01 00 00 00 90 00 } //01 00
// lea eax,[ebp-0x1e8] / push eax / push 1 / call, then or eax,eax / jne —
// a stack-buffer argument followed by a result test.
$a_02_2 = {30 fe ff ff 00 8d 85 18 fe ff ff 50 6a 01 e8 90 01 04 90 02 04 0b c0 75 00 90 00 } //01 00
// Call-site fragment: push 6, four push 0, push -1, push [ebp+8], call.
$a_00_3 = {6a 06 6a 00 6a 00 6a 00 6a 00 6a ff ff 75 08 e8 } //01 00
// Two-branch fragment (jne / jmp) that calls with 0x64 or 0x66, stores the
// result (mov [mem],eax) and a 1/0 flag (mov dword [mem],imm), then a final
// call and leave / ret 0x10.
$a_02_4 = {75 1e 6a 64 ff 35 90 01 04 e8 90 01 04 a3 90 01 04 c7 05 90 01 04 01 00 00 00 eb 1c 6a 66 ff 35 90 01 04 e8 90 01 04 a3 90 01 04 c7 05 90 01 04 00 00 00 00 68 90 01 04 6a 01 e8 90 01 04 c9 c2 10 00 90 00 } //01 00
// push 0x493e0 / push imm32 / push [ebp+8] / call, then a chain of
// cmp dword [ebp+0x14], {0x203, 0x204, 0x201, 0x405} / je — a dispatch on
// the fourth stack argument. NOTE(review): the values sit in the Win32
// window-message id range; treat that reading as an assumption.
$a_02_5 = {68 e0 93 04 00 68 90 01 04 ff 75 08 e8 90 01 04 e9 90 01 01 00 00 00 81 7d 14 03 02 00 00 74 90 01 01 81 7d 14 04 02 00 00 74 90 01 01 81 7d 14 01 02 00 00 74 90 01 01 81 7d 14 05 04 00 00 90 00 } //01 00
// Second prologue variant (add esp,-0x200; push ecx/esi/edi) setting up
// buffers at [ebp-0x1fe] and [ebp-0xff], several calls including an
// indirect call [mem], add esp,4, then mov ecx,3 / sub eax,ecx / lea edi,...
$a_02_6 = {55 8b ec 81 c4 00 fe ff ff 51 56 57 68 ff 00 00 00 8d 90 01 01 01 ff ff ff 90 01 01 e8 90 01 04 8d 85 02 fe ff ff 50 6a 00 68 90 01 04 8d 85 01 ff ff ff 50 e8 90 01 04 8d 85 02 fe ff ff 50 e8 90 01 04 8d 85 02 fe ff ff 50 ff 15 90 01 04 83 c4 04 b9 03 00 00 00 2b c1 8d bd 02 fe ff ff 90 00 } //01 00
// lea eax,[ebp-0x1fe] / push eax / push [ebp+8] / call / cmp eax,1 / jne.
// Trailer is "00 00": presumably weight 0, i.e. it contributes nothing to the
// original threshold — confirm.
$a_02_7 = {8d 85 02 fe ff ff 50 ff 75 08 e8 90 01 04 83 f8 01 75 30 90 00 } //00 00
condition:
// A single string is enough. This discards the original weights/threshold and
// lets the plain " is infected" text alone fire the rule, so hits should be
// treated as a triage lead rather than a conviction. If the rule is deployed
// standalone, consider corroborating with the code fragments (e.g. requiring
// one or more of the $a_02_* strings) after the wildcard rendering is fixed.
any of ($a_*)
}