qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/TrojanDownloader/O97M/Emotet/TrojanDownloader_O97M_Emote...

16 lines
3.6 KiB
Plaintext
Raw Permalink Blame History

rule TrojanDownloader_O97M_Emotet_RPD_MTB{
meta:
description = "TrojanDownloader:O97M/Emotet.RPD!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 06 00 00 "
strings :
$a_01_0 = {3a 2f 22 26 22 2f 64 22 26 22 6d 22 26 22 63 22 26 22 6f 22 26 22 6e 22 26 22 74 22 26 22 61 22 26 22 62 22 26 22 69 22 26 22 6c 22 26 22 69 22 26 22 64 22 26 22 61 22 26 22 64 22 26 22 65 2e 63 22 26 22 6f 22 26 22 6d 2f 63 22 26 22 6f 22 26 22 72 22 26 22 72 22 26 22 65 22 26 22 73 22 26 22 70 22 26 22 6f 22 26 22 6e 22 26 22 64 22 26 22 65 22 26 22 6e 22 26 22 74 22 26 22 65 22 26 22 63 22 26 22 61 22 26 22 69 22 26 22 78 22 26 22 61 2f 54 22 26 22 72 22 26 22 53 2f } //1 :/"&"/d"&"m"&"c"&"o"&"n"&"t"&"a"&"b"&"i"&"l"&"i"&"d"&"a"&"d"&"e.c"&"o"&"m/c"&"o"&"r"&"r"&"e"&"s"&"p"&"o"&"n"&"d"&"e"&"n"&"t"&"e"&"c"&"a"&"i"&"x"&"a/T"&"r"&"S/
$a_01_1 = {3a 2f 22 26 22 2f 66 63 22 26 22 65 6c 22 26 22 69 6b 2e 6e 22 26 22 6c 2f 72 69 22 26 22 74 74 22 26 22 65 22 26 22 6e 22 26 22 72 22 26 22 65 22 26 22 67 22 26 22 69 22 26 22 73 22 26 22 74 22 26 22 72 22 26 22 61 22 26 22 74 22 26 22 69 22 26 22 65 2f 77 22 26 22 65 22 26 22 62 2f 63 22 26 22 73 22 26 22 73 2f 42 22 26 22 33 49 22 26 22 4c 22 26 22 66 22 26 22 55 22 26 22 38 22 26 22 58 22 26 22 6b 22 26 22 32 22 26 22 53 22 26 22 73 22 26 22 45 22 26 22 6d 22 26 22 54 2f } //1 :/"&"/fc"&"el"&"ik.n"&"l/ri"&"tt"&"e"&"n"&"r"&"e"&"g"&"i"&"s"&"t"&"r"&"a"&"t"&"i"&"e/w"&"e"&"b/c"&"s"&"s/B"&"3I"&"L"&"f"&"U"&"8"&"X"&"k"&"2"&"S"&"s"&"E"&"m"&"T/
$a_01_2 = {3a 2f 22 26 22 2f 77 22 26 22 77 22 26 22 77 2e 67 22 26 22 65 22 26 22 73 22 26 22 73 22 26 22 65 22 26 22 72 22 26 22 73 22 26 22 68 2e 63 22 26 22 6f 22 26 22 6d 2f 77 22 26 22 70 2d 69 22 26 22 6e 22 26 22 63 6c 22 26 22 75 22 26 22 64 22 26 22 65 22 26 22 73 2f 5a 22 26 22 77 22 26 22 51 22 26 22 4c 22 26 22 65 22 26 22 70 22 26 22 57 2f } //1 :/"&"/w"&"w"&"w.g"&"e"&"s"&"s"&"e"&"r"&"s"&"h.c"&"o"&"m/w"&"p-i"&"n"&"cl"&"u"&"d"&"e"&"s/Z"&"w"&"Q"&"L"&"e"&"p"&"W/
$a_01_3 = {3a 2f 22 26 22 2f 77 22 26 22 77 22 26 22 77 2e 66 22 26 22 61 22 26 22 6e 22 26 22 74 22 26 22 61 73 22 26 22 74 22 26 22 69 22 26 22 63 22 26 22 6d 22 26 22 6f 22 26 22 74 22 26 22 69 22 26 22 6f 22 26 22 6e 2e 6a 22 26 22 70 2f 5f 63 22 26 22 6e 22 26 22 73 22 26 22 6b 22 26 22 69 22 26 22 6e 2f 71 22 26 22 66 22 26 22 57 22 26 22 45 22 26 22 51 22 26 22 72 22 26 22 72 22 26 22 77 22 26 22 42 22 26 22 67 2f } //1 :/"&"/w"&"w"&"w.f"&"a"&"n"&"t"&"as"&"t"&"i"&"c"&"m"&"o"&"t"&"i"&"o"&"n.j"&"p/_c"&"n"&"s"&"k"&"i"&"n/q"&"f"&"W"&"E"&"Q"&"r"&"r"&"w"&"B"&"g/
$a_01_4 = {3a 2f 22 26 22 2f 66 22 26 22 61 22 26 22 6e 22 26 22 66 22 26 22 69 22 26 22 65 22 26 22 6c 22 26 22 64 2e 63 22 26 22 6f 2e 75 22 26 22 6b 2f 63 22 26 22 67 22 26 22 69 2d 62 22 26 22 69 22 26 22 6e 2f 37 70 22 26 22 70 22 26 22 36 22 26 22 44 22 26 22 6a 22 26 22 57 22 26 22 46 22 26 22 4e 22 26 22 4a 22 26 22 58 22 26 22 59 22 26 22 38 2f } //1 :/"&"/f"&"a"&"n"&"f"&"i"&"e"&"l"&"d.c"&"o.u"&"k/c"&"g"&"i-b"&"i"&"n/7p"&"p"&"6"&"D"&"j"&"W"&"F"&"N"&"J"&"X"&"Y"&"8/
$a_01_5 = {3a 2f 22 26 22 2f 77 22 26 22 77 22 26 22 77 2e 67 22 26 22 61 22 26 22 72 22 26 22 61 22 26 22 6e 22 26 22 74 22 26 22 69 22 26 22 68 22 26 22 61 22 26 22 6c 22 26 22 69 22 26 22 79 22 26 22 69 22 26 22 6b 22 26 22 61 22 26 22 6d 22 26 22 61 2e 63 22 26 22 6f 22 26 22 6d 22 26 22 2f 77 22 26 22 70 2d 61 22 26 22 64 22 26 22 6d 22 26 22 69 22 26 22 6e 2f 46 22 26 22 6a 22 26 22 67 22 26 22 42 22 26 22 36 22 26 22 49 2f } //1 :/"&"/w"&"w"&"w.g"&"a"&"r"&"a"&"n"&"t"&"i"&"h"&"a"&"l"&"i"&"y"&"i"&"k"&"a"&"m"&"a.c"&"o"&"m"&"/w"&"p-a"&"d"&"m"&"i"&"n/F"&"j"&"g"&"B"&"6"&"I/
condition:
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1) >=1
}
Reference in New Issue View Git Blame Copy Permalink