13 lines
891 B
Plaintext
13 lines
891 B
Plaintext
|
|
rule Trojan_O97M_HoaxShell_RDA_MTB{
|
|
meta:
|
|
description = "Trojan:O97M/HoaxShell.RDA!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 03 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {4a 41 42 7a 41 44 30 41 4a 77 41 78 41 44 6b 41 4d 67 41 75 41 44 45 41 4e 67 41 34 41 43 34 41 4d 67 41 79 41 44 6b 41 4c 67 41 78 41 44 4d 41 4d 51 41 36 41 44 67 41 4d 41 41 34 41 44 41 41 4a 77 41 37 41 43 51 41 61 51 41 39 41 43 63 41 5a 67 41 35 41 44 67 41 } //2 JABzAD0AJwAxADkAMgAuADEANgA4AC4AMgAyADkALgAxADMAMQA6ADgAMAA4ADAAJwA7ACQAaQA9ACcAZgA5ADgA
|
|
$a_01_1 = {41 41 67 41 43 30 41 56 51 42 7a 41 47 55 41 51 67 42 68 41 48 4d 41 61 51 42 6a 41 46 41 41 59 51 42 79 41 48 4d 41 61 51 42 75 41 47 63 41 49 41 41 74 41 46 55 41 } //2 AAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAAtAFUA
|
|
$a_01_2 = {49 4c 6f 76 65 48 46 } //2 ILoveHF
|
|
condition:
|
|
((#a_01_0 & 1)*2+(#a_01_1 & 1)*2+(#a_01_2 & 1)*2) >=4
|
|
|
|
} |