qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/TrojanDownloader/O97M/Obfuse/TrojanDownloader_O97M_Obfus...

18 lines
2.8 KiB
Plaintext
Raw Permalink Blame History

rule TrojanDownloader_O97M_Obfuse_PC_MTB{
meta:
description = "TrojanDownloader:O97M/Obfuse.PC!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 08 00 00 "
strings :
$a_00_0 = {36 38 20 37 34 20 37 34 20 37 30 20 33 41 20 32 46 20 32 46 20 36 44 20 36 31 20 36 39 20 36 43 20 32 45 20 37 41 20 36 31 20 36 45 20 36 35 20 36 43 20 36 43 20 36 46 20 32 45 20 36 31 20 36 34 20 37 36 20 32 45 20 36 32 20 37 32 20 32 46 20 37 37 20 36 46 20 37 32 20 36 34 20 37 30 20 37 32 20 36 35 20 37 33 20 37 33 20 32 46 20 37 37 20 37 30 20 32 44 20 36 39 20 36 45 20 36 33 20 36 43 20 37 35 20 36 34 20 36 35 20 37 33 20 32 46 20 33 31 20 36 31 20 32 46 20 36 39 20 36 32 20 32 45 20 36 35 20 37 38 20 36 35 } //1 68 74 74 70 3A 2F 2F 6D 61 69 6C 2E 7A 61 6E 65 6C 6C 6F 2E 61 64 76 2E 62 72 2F 77 6F 72 64 70 72 65 73 73 2F 77 70 2D 69 6E 63 6C 75 64 65 73 2F 31 61 2F 69 62 2E 65 78 65
$a_03_1 = {36 38 20 37 34 20 37 34 20 37 30 20 37 33 20 33 41 20 32 46 20 32 46 20 36 31 20 32 45 20 37 35 20 36 37 20 37 35 20 37 35 20 32 45 20 37 33 20 36 35 20 32 46 20 [0-14] 20 32 45 20 36 41 20 37 30 20 36 37 } //1
$a_03_2 = {36 38 20 37 34 20 37 34 20 37 30 20 33 41 20 32 46 20 32 46 20 36 31 20 37 32 20 36 46 20 36 44 20 36 31 20 37 34 20 36 35 20 37 32 20 36 31 20 37 30 20 36 39 20 36 31 20 36 33 20 36 43 20 36 39 20 36 45 20 36 39 20 36 33 20 36 31 20 36 32 20 37 32 20 36 31 20 37 33 20 36 39 20 36 43 20 32 45 20 36 33 20 36 46 20 36 44 20 32 45 20 36 32 20 37 32 20 32 46 20 37 37 20 37 30 20 32 44 20 36 33 20 36 37 20 36 39 20 32 46 20 [0-0a] 20 32 45 20 36 41 20 37 30 20 36 37 } //1
$a_03_3 = {36 38 20 37 34 20 37 34 20 37 30 20 37 33 20 33 41 20 32 46 20 32 46 20 36 33 20 36 31 20 36 45 20 36 32 20 36 35 20 37 32 20 37 32 20 36 31 20 36 33 20 36 38 20 36 31 20 36 44 20 36 32 20 36 35 20 37 32 20 37 33 20 32 45 20 36 33 20 36 46 20 36 44 20 32 45 20 36 31 20 37 35 20 32 46 20 [0-32] 20 32 45 20 36 35 20 37 38 20 36 35 } //1
$a_00_4 = {35 37 20 35 33 20 36 33 20 37 32 20 36 39 20 37 30 20 37 34 20 32 65 20 35 33 20 36 38 20 36 35 20 36 63 20 36 63 } //1 57 53 63 72 69 70 74 2e 53 68 65 6c 6c
$a_00_5 = {34 33 20 33 61 20 35 63 20 35 35 20 37 33 20 36 35 20 37 32 20 37 33 20 35 63 20 35 30 20 37 35 20 36 32 20 36 63 20 36 39 20 36 33 20 35 63 20 37 33 20 37 36 20 36 33 20 36 38 20 36 66 20 37 33 20 37 34 20 33 33 20 33 32 20 32 65 20 36 35 20 37 38 20 36 35 } //1 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65
$a_00_6 = {2e 4f 70 65 6e 20 22 47 22 20 2b 20 22 45 22 20 2b 20 22 54 22 2c 20 55 72 6c } //1 .Open "G" + "E" + "T", Url
$a_00_7 = {2e 52 75 6e 20 52 55 4e 43 4d 44 } //1 .Run RUNCMD
condition:
((#a_00_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1) >=5
}
Reference in New Issue View Git Blame Copy Permalink