
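rule TrojanDownloader_O97M_Obfuse_PDQ_MTB{
    meta:
        description = "TrojanDownloader:O97M/Obfuse.PDQ!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 04 00 00 "
    strings:
        // Each hex pattern is ASCII macro text; the decoded form is given on the
        // line above it. `[0-N]` is a YARA jump of up to N arbitrary bytes.
        // The text is lowercase with no whitespace — NOTE(review): presumably the
        // source signature matches a normalized macro stream; not verifiable here.
        // "=chr(50)+chr(48)+chr(48)" [0-3] "wshshell"
        $a_03_0 = {3d 63 68 72 28 35 30 29 2b 63 68 72 28 34 38 29 2b 63 68 72 28 34 38 29 [0-03] 77 73 68 73 68 65 6c 6c } //1
        // "specialpath=wshshell.specialfolders(\"" [0-10] "\")dimdim"
        $a_03_1 = {73 70 65 63 69 61 6c 70 61 74 68 3d 77 73 68 73 68 65 6c 6c 2e 73 70 65 63 69 61 6c 66 6f 6c 64 65 72 73 28 22 [0-0a] 22 29 64 69 6d 64 69 6d } //1
        // "=specialpath+(\"" [0-10] ".\").open\"get\",(\"h://www.d.m/m/ghhm."
        $a_03_2 = {3d 73 70 65 63 69 61 6c 70 61 74 68 2b 28 22 [0-0a] 2e 22 29 2e 6f 70 65 6e 22 67 65 74 22 2c 28 22 68 3a 2f 2f 77 77 77 2e 64 2e 6d 2f 6d 2f 67 68 68 6d 2e } //1
        // "=specialpath+(\"" [0-10] ".\").open\"get\",(\"h://www.d.m/bm/."
        $a_03_3 = {3d 73 70 65 63 69 61 6c 70 61 74 68 2b 28 22 [0-0a] 2e 22 29 2e 6f 70 65 6e 22 67 65 74 22 2c 28 22 68 3a 2f 2f 77 77 77 2e 64 2e 6d 2f 62 6d 2f 2e } //1
    condition:
        // The source signature gives every string weight 1 (the "//1" trailer)
        // and fires at a total of 3. The previous condition summed
        // `(#a_03_x & 1)`, which is 1 only when a string's match COUNT is odd:
        // a marker occurring twice contributed 0, so a document containing all
        // four markers could still fail to match. Presence is what the weight
        // means, and with all weights equal to 1 that is exactly "3 of".
        3 of ($a_03_*)
}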
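rule TrojanDownloader_O97M_Obfuse_PDQ_MTB_2{
    meta:
        description = "TrojanDownloader:O97M/Obfuse.PDQ!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 05 00 00 "
    strings:
        // Each hex pattern is ASCII macro text; the decoded form is given on the
        // line above it. `[0-N]` is a YARA jump of up to N arbitrary bytes.
        // $a_03_0 and $a_03_1 are byte-identical to the same-named strings in
        // TrojanDownloader_O97M_Obfuse_PDQ_MTB; only the URL fragments differ.
        // "=chr(50)+chr(48)+chr(48)" [0-3] "wshshell"
        $a_03_0 = {3d 63 68 72 28 35 30 29 2b 63 68 72 28 34 38 29 2b 63 68 72 28 34 38 29 [0-03] 77 73 68 73 68 65 6c 6c } //1
        // "specialpath=wshshell.specialfolders(\"" [0-10] "\")dimdim"
        $a_03_1 = {73 70 65 63 69 61 6c 70 61 74 68 3d 77 73 68 73 68 65 6c 6c 2e 73 70 65 63 69 61 6c 66 6f 6c 64 65 72 73 28 22 [0-0a] 22 29 64 69 6d 64 69 6d } //1
        // "=specialpath+(\"" [0-10] ".\").open\"get\",(\"h://www.j-hlg.m//vdhhbg/ghgghhhgbvvmh."
        $a_03_2 = {3d 73 70 65 63 69 61 6c 70 61 74 68 2b 28 22 [0-0a] 2e 22 29 2e 6f 70 65 6e 22 67 65 74 22 2c 28 22 68 3a 2f 2f 77 77 77 2e 6a 2d 68 6c 67 2e 6d 2f 2f 76 64 68 68 62 67 2f 67 68 67 67 68 68 68 67 62 76 76 6d 68 2e } //1
        // "=specialpath+(\"" [0-10] ".\").open\"get\",(\"h://www.j-hlg.m/g/djgjhdjjdgjhbghdjkdhghjd/djhdgjgjv1."
        $a_03_3 = {3d 73 70 65 63 69 61 6c 70 61 74 68 2b 28 22 [0-0a] 2e 22 29 2e 6f 70 65 6e 22 67 65 74 22 2c 28 22 68 3a 2f 2f 77 77 77 2e 6a 2d 68 6c 67 2e 6d 2f 67 2f 64 6a 67 6a 68 64 6a 6a 64 67 6a 68 62 67 68 64 6a 6b 64 68 67 68 6a 64 2f 64 6a 68 64 67 6a 67 6a 76 31 2e } //1
        // "=specialpath+(\"" [0-10] ".\").open\"get\",(\"h://.m./bmvq."
        $a_03_4 = {3d 73 70 65 63 69 61 6c 70 61 74 68 2b 28 22 [0-0a] 2e 22 29 2e 6f 70 65 6e 22 67 65 74 22 2c 28 22 68 3a 2f 2f 2e 6d 2e 2f 62 6d 76 71 2e } //1
    condition:
        // The source signature gives every string weight 1 (the "//1" trailer)
        // and fires at a total of 3 out of 5. The previous condition summed
        // `(#a_03_x & 1)`, which is 1 only when a string's match COUNT is odd:
        // a marker occurring twice contributed 0, so a document containing
        // enough markers could still fail to match. Presence is what the weight
        // means, and with all weights equal to 1 that is exactly "3 of".
        3 of ($a_03_*)
}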