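// Detects an Office (O97M) VBA macro downloader that hides its strings as
// ASCII-hex text and decodes them at runtime with Chr(CLng("&H" & ...)).
// Four of the six strings ($a_01_0, $a_01_1, $a_01_3, $a_01_5) therefore match
// the hex *text* as it appears in the macro source, not the decoded bytes;
// the decoded value is given next to each one for the analyst.
//
// Caveat: the hex-text strings are matched case-sensitively (hex string
// patterns in YARA cannot take `nocase`). A variant that emits the same
// payload with lowercase hex digits would not match $a_01_0/1/3/5.
rule TrojanDownloader_O97M_Obfuse_HPY_MTB
{
    meta:
        description = "TrojanDownloader:O97M/Obfuse.HPY!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "

    strings:
        // weight 1 — hex text of "http://sev.milen" (URL prefix; the signature truncates it here)
        $a_01_0 = {36 38 37 34 37 34 37 30 33 41 32 46 32 46 37 33 36 35 37 36 32 45 36 44 36 39 36 43 36 35 36 45}
        // weight 1 — hex text of ".ShellExecute($env:Temp+'\glf.exe')" (runs the dropped file)
        $a_01_1 = {32 45 35 33 36 38 36 35 36 43 36 43 34 35 37 38 36 35 36 33 37 35 37 34 36 35 32 38 32 34 36 35 36 45 37 36 33 41 35 34 36 35 36 44 37 30 32 42 32 37 35 43 36 37 36 43 36 36 32 45 36 35 37 38 36 35 32 37 32 39}
        // weight 1 — plain VBA: "Call Shell(ChrEncode"
        $a_01_2 = {43 61 6c 6c 20 53 68 65 6c 6c 28 43 68 72 45 6e 63 6f 64 65}
        // weight 1 — hex text of "powershell.exe -executionpolicy bypass -W Hidden -command"
        $a_01_3 = {37 30 36 46 37 37 36 35 37 32 37 33 36 38 36 35 36 43 36 43 32 45 36 35 37 38 36 35 32 30 32 44 36 35 37 38 36 35 36 33 37 35 37 34 36 39 36 46 36 45 37 30 36 46 36 43 36 39 36 33 37 39 32 30 36 32 37 39 37 30 36 31 37 33 37 33 32 30 32 44 35 37 32 30 34 38 36 39 36 34 36 34 36 35 36 45 32 30 32 44 36 33 36 46 36 44 36 44 36 31 36 45 36 34}
        // weight 1 — plain VBA hex-decode loop: "= sStr + Chr(CLng("&H" & Mid(str, i, 2)))"
        $a_01_4 = {3d 20 73 53 74 72 20 2b 20 43 68 72 28 43 4c 6e 67 28 22 26 48 22 20 26 20 4d 69 64 28 73 74 72 2c 20 69 2c 20 32 29 29 29}
        // weight 1 — hex text of ".DownloadFile"
        $a_01_5 = {32 45 34 34 36 46 37 37 36 45 36 43 36 46 36 31 36 34 34 36 36 39 36 43 36 35}

    condition:
        // The exported form was a weighted sum
        //   ((#a_01_0 & 1)*1 + ... + (#a_01_5 & 1)*1) >= 6
        // Every weight is 1 and the threshold equals the string count, so the
        // intent is "all six strings present". `#a & 1` keeps only the low bit of
        // the match count, so a string occurring an even number of times (e.g.
        // twice) counted as absent and such a sample was missed. `all of`
        // requires >= 1 occurrence of each; every sample the original matched
        // still matches.
        all of ($a_01_*)
}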