14 lines
1.4 KiB
Plaintext
14 lines
1.4 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Obfuse_AD_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Obfuse.AD!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {63 20 3d 20 53 74 72 43 6f 6d 70 28 22 53 79 63 61 6d 6f 72 65 22 2c 79 29 } //1 c = StrComp("Sycamore",y)
|
|
$a_01_1 = {65 78 65 63 20 3d 20 27 70 6f 77 65 72 73 68 65 6c 6c 2e 65 78 65 20 2d 6e 6f 70 20 2d 77 20 48 69 64 64 65 6e 20 2d 65 } //1 exec = 'powershell.exe -nop -w Hidden -e
|
|
$a_01_2 = {41 5a 51 41 72 41 43 63 41 58 41 41 75 41 48 49 41 61 51 42 6a 41 47 73 41 58 77 42 79 41 44 41 41 62 41 42 73 41 44 4d 41 5a 41 41 6e 41 43 6b 41 43 67 42 68 41 48 51 41 64 41 42 79 41 47 6b 41 59 67 41 67 41 43 73 41 61 41 41 67 41 43 67 41 4b 41 42 48 41 47 55 41 64 41 41 74 41 45 6b 41 64 41 42 6c 41 47 30 41 49 41 41 74 41 46 41 41 59 51 42 30 41 47 67 41 49 41 41 69 41 43 34 41 58 41 41 69 41 43 6b 41 4c 67 42 47 41 48 55 41 62 41 42 73 41 45 34 41 59 51 42 74 41 47 55 41 4b 77 41 6e 41 46 77 41 4c 67 42 79 41 47 6b 41 59 77 42 72 41 46 38 41 63 67 41 77 41 47 77 41 62 41 41 7a 41 47 51 41 4a 77 41 70 41 41 3d 3d } //1 AZQArACcAXAAuAHIAaQBjAGsAXwByADAAbABsADMAZAAnACkACgBhAHQAdAByAGkAYgAgACsAaAAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAC4AXAAiACkALgBGAHUAbABsAE4AYQBtAGUAKwAnAFwALgByAGkAYwBrAF8AcgAwAGwAbAAzAGQAJwApAA==
|
|
$a_01_3 = {53 68 65 6c 6c 20 28 65 78 65 63 29 } //1 Shell (exec)
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1) >=4
|
|
|
|
} |