17 lines
1.5 KiB
Plaintext
17 lines
1.5 KiB
Plaintext
|
|
rule Trojan_O97M_Dridex_SM_MTB{
|
|
meta:
|
|
description = "Trojan:O97M/Dridex.SM!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,07 00 07 00 07 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {70 20 3d 20 4c 65 6e 28 64 67 29 20 5c 20 32 } //1 p = Len(dg) \ 2
|
|
$a_01_1 = {46 6f 72 20 6d 68 20 3d 20 31 20 54 6f 20 70 } //1 For mh = 1 To p
|
|
$a_01_2 = {65 20 3d 20 65 20 26 20 4d 69 64 28 64 67 2c 20 6d 68 2c 20 31 29 20 26 20 4d 69 64 28 64 67 2c 20 6d 68 20 2b 20 70 2c 20 31 29 } //1 e = e & Mid(dg, mh, 1) & Mid(dg, mh + p, 1)
|
|
$a_03_3 = {45 78 63 65 6c 34 4d 61 63 72 6f 53 68 65 65 74 73 2e 41 64 64 28 42 65 66 6f 72 65 3a 3d 57 6f 72 6b 73 68 65 65 74 73 28 28 [0-05] 29 29 29 2e 4e 61 6d 65 20 3d 20 22 53 73 68 65 65 74 22 } //1
|
|
$a_01_4 = {70 6c 20 3d 20 22 68 74 74 22 } //1 pl = "htt"
|
|
$a_01_5 = {6c 74 5f 67 6f 20 3d 20 70 6c 20 26 20 22 70 73 3a 2f 2f 22 20 26 20 74 67 5f 54 61 6e 28 22 22 20 26 20 61 2c 20 22 4b 22 2c 20 22 2e 22 29 } //1 lt_go = pl & "ps://" & tg_Tan("" & a, "K", ".")
|
|
$a_01_6 = {61 20 3d 20 74 67 5f 54 61 6e 28 22 22 20 26 20 70 69 63 5f 76 6f 6c 5f 63 68 61 74 28 53 70 6c 69 74 28 73 69 75 5f 73 75 6d 6d 65 72 28 73 69 75 5f 73 75 6d 6d 65 72 28 43 65 6c 6c 73 28 31 35 39 2c 20 35 29 29 29 29 29 28 31 29 2c 20 22 22 20 26 20 73 69 6d 5f 53 2c 20 22 2f 22 29 } //1 a = tg_Tan("" & pic_vol_chat(Split(siu_summer(siu_summer(Cells(159, 5)))))(1), "" & sim_S, "/")
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1) >=7
|
|
|
|
} |