15 lines
973 B
Plaintext
15 lines
973 B
Plaintext
|
|
rule TrojanClicker_Win32_Pulick_B{
|
|
meta:
|
|
description = "TrojanClicker:Win32/Pulick.B,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {58 52 58 65 58 66 58 65 58 72 58 65 58 72 58 3a 58 } //1 XRXeXfXeXrXeXrX:X
|
|
$a_03_1 = {63 6c 69 63 6b 2e 68 74 6d 6c 90 05 04 01 00 6a 73 90 05 04 01 00 67 6f 6f 67 6c 65 90 05 04 01 00 66 61 63 65 62 6f 6f 6b 90 05 04 01 00 61 64 73 } //1
|
|
$a_03_2 = {78 68 61 6d 73 74 65 72 90 05 04 01 00 64 6f 75 62 6c 65 69 6d 70 90 05 04 01 00 65 72 6f 2d 61 64 76 90 05 04 01 00 65 78 6f 63 6c 69 63 6b } //1
|
|
$a_03_3 = {33 c0 40 50 6a 08 50 6a 07 50 6a 06 50 6a 05 50 6a 04 50 6a 03 50 6a 02 50 50 50 6a 00 b9 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b c8 } //1
|
|
$a_03_4 = {33 ff 89 7d fc 57 68 ?? ?? ?? ?? 8d 4d 10 e8 ?? ?? ?? ?? 83 ce ff 3b c6 0f 8f ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 8d 4d 10 e8 ?? ?? ?? ?? 3b c6 } //1
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1) >=5
|
|
|
|
} |