17 lines
1.0 KiB
Plaintext
17 lines
1.0 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Emotet_PKSS_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Emotet.PKSS!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 07 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {77 77 77 2e 61 67 72 65 74 74 6f 2e 63 6f 6d 2f 54 65 6d 70 6c 61 74 65 2f [0-20] 2f 22 2c 22 } //1
|
|
$a_03_1 = {77 77 77 2e 61 67 6e 65 73 6c 65 75 6e 67 2e 63 6f 6d 2f 72 61 77 2e 62 61 63 6b 75 70 2f [0-20] 2f 22 2c 22 } //1
|
|
$a_03_2 = {6c 69 66 65 62 6f 74 6c 2e 63 6f 6d 2f 52 65 73 70 6f 6e 73 65 2f [0-20] 2f 22 2c 22 } //1
|
|
$a_03_3 = {6c 69 76 65 6a 61 67 61 74 2e 63 6f 6d 2f 68 2f [0-20] 2f } //1
|
|
$a_03_4 = {31 38 35 2e 31 38 37 2e 37 30 2e 33 35 2f 77 6f 72 64 70 72 65 73 73 5f 62 6f 2f [0-20] 2f 22 2c 22 } //1
|
|
$a_03_5 = {31 38 38 2e 31 36 36 2e 32 34 35 2e 31 31 32 2f 73 69 70 61 64 75 2f [0-20] 2f 22 2c 22 } //1
|
|
$a_03_6 = {31 30 33 2e 38 35 2e 39 35 2e 35 2f 76 31 2f 75 70 6c 6f 61 64 73 2f [0-20] 2f 22 2c 22 } //1
|
|
condition:
|
|
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*1+(#a_03_6 & 1)*1) >=1
|
|
|
|
} |