15 lines
1.9 KiB
Plaintext
15 lines
1.9 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Obfuse_FD_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Obfuse.FD!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {35 37 20 35 33 20 36 33 20 37 32 20 36 39 20 37 30 20 37 34 20 32 45 20 35 33 20 36 38 20 36 35 20 36 43 20 36 43 22 29 29 2e 52 75 6e } //1 57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run
|
|
$a_00_1 = {61 48 52 30 63 44 6f 76 4c 33 4e 6f 62 33 42 77 61 47 39 75 5a 33 52 70 62 6d 67 75 59 32 39 74 4c 30 78 70 62 57 56 66 54 47 6c 74 5a 56 4a 68 64 43 35 6c 65 47 55 3d } //1 aHR0cDovL3Nob3BwaG9uZ3RpbmguY29tL0xpbWVfTGltZVJhdC5leGU=
|
|
$a_00_2 = {63 47 39 33 5a 58 4a 7a 61 47 56 73 62 43 35 6c 65 47 55 67 4c 57 56 34 5a 57 4e 31 64 47 6c 76 62 6e 42 76 62 47 6c 6a 65 53 42 69 65 58 42 68 63 33 4d 67 4c 56 63 67 53 47 6c 6b 5a 47 56 75 49 43 31 6a 62 32 31 74 59 57 35 6b 49 43 68 75 5a 58 63 74 62 32 4a 71 5a 57 4e 30 49 46 4e 35 63 33 52 6c 62 53 35 4f 5a 58 51 75 56 32 56 69 51 32 78 70 5a 57 35 30 4b 53 35 45 62 33 64 75 62 47 39 68 5a 45 5a 70 62 47 55 6f 4a 77 3d 3d } //1 cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVcgSGlkZGVuIC1jb21tYW5kIChuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJw==
|
|
$a_00_3 = {4a 79 77 6b 5a 57 35 32 4f 6c 52 6c 62 58 41 72 4a 31 78 7a 64 6d 4e 6f 62 33 4e 30 4c 6d 56 34 5a 53 63 70 4f 79 68 4f 5a 58 63 74 54 32 4a 71 5a 57 4e 30 49 43 31 6a 62 32 30 67 55 32 68 6c 62 47 77 75 51 58 42 77 62 47 6c 6a 59 58 52 70 62 32 34 70 4c 6c 4e 6f 5a 57 78 73 52 58 68 6c 59 33 56 30 5a 53 67 6b 5a 57 35 32 4f 6c 52 6c 62 58 41 72 4a 31 78 7a 64 6d 4e 6f 62 33 4e 30 4c 6d 56 34 5a 53 63 70 } //1 JywkZW52OlRlbXArJ1xzdmNob3N0LmV4ZScpOyhOZXctT2JqZWN0IC1jb20gU2hlbGwuQXBwbGljYXRpb24pLlNoZWxsRXhlY3V0ZSgkZW52OlRlbXArJ1xzdmNob3N0LmV4ZScp
|
|
$a_00_4 = {6e 47 72 6f 75 70 } //1 nGroup
|
|
condition:
|
|
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=5
|
|
|
|
} |