17 lines
1.4 KiB
Plaintext
17 lines
1.4 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Dridex_NYMC_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Dridex.NYMC!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,07 00 07 00 07 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 6a 73 2f 74 69 6e 79 6d 63 65 2f 73 6b 69 6e 73 2f 6c 69 67 68 74 67 72 61 79 2f 41 32 6a 56 49 55 66 69 66 41 37 7a 77 52 2e 70 68 70 90 0a 5a 00 68 74 74 70 73 3a 2f 2f 61 69 6d 73 31 2e 65 7a 69 63 6f 64 65 73 } //5
|
|
$a_03_1 = {2e 63 6f 6d 2f 66 69 72 6d 61 73 2f 69 6d 67 2f 55 69 67 6e 75 4e 37 4e 54 5a 73 53 2e 70 68 70 90 0a 3c 00 68 74 74 70 73 3a 2f 2f 63 61 6e 74 65 72 61 73 70 61 6c 6f 6d 69 6e 6f } //5
|
|
$a_03_2 = {3d 20 4d 69 64 28 22 [0-0f] 57 73 63 72 69 70 74 2e 53 68 65 6c 6c } //1
|
|
$a_03_3 = {3d 20 52 65 70 6c 61 63 65 28 22 [0-0f] 41 70 70 44 61 74 61 } //1
|
|
$a_03_4 = {3d 20 52 65 70 6c 61 63 65 28 22 [0-1e] 2e 64 6c 6c 22 2c } //1
|
|
$a_03_5 = {2e 75 73 2f 37 36 61 37 53 67 36 41 41 5a 52 58 2e 70 68 70 90 0a 28 00 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2d 63 61 6c 6c } //5
|
|
$a_03_6 = {63 6f 6d 2e 63 6f 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 73 68 6f 72 74 63 6f 64 65 73 2d 75 6c 74 69 6d 61 74 65 2f 69 6e 63 2f 63 6f 72 65 2f 4b 32 6b 47 58 4b 69 36 76 35 72 43 2e 70 68 70 90 0a 5a 00 68 74 74 70 73 3a 2f 2f 63 69 61 74 72 61 6e 2e } //5
|
|
condition:
|
|
((#a_03_0 & 1)*5+(#a_03_1 & 1)*5+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*5+(#a_03_6 & 1)*5) >=7
|
|
|
|
} |