qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/TrojanDownloader/O97M/Obfuse/TrojanDownloader_O97M_Obfus...

34 lines
3.2 KiB
Plaintext
Raw Permalink Blame History

rule TrojanDownloader_O97M_Obfuse_PHI_MTB{
meta:
description = "TrojanDownloader:O97M/Obfuse.PHI!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 03 00 00 01 00 "
strings :
$a_03_0 = {53 6f 75 72 63 65 20 68 74 74 60 70 3a 2f 2f 31 38 2e 31 39 35 2e 31 34 33 2e 31 38 33 2f 90 02 1e 2e 65 60 78 65 90 00 } //01 00
$a_03_1 = {2d 44 65 73 74 69 6e 61 74 69 6f 6e 20 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 44 6f 63 75 6d 65 6e 74 73 5c 90 02 14 2e 65 60 78 65 90 00 } //01 00
$a_01_2 = {3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 } //00 00 = CreateObject
condition:
any of ($a_*)
}
rule TrojanDownloader_O97M_Obfuse_PHI_MTB_2{
meta:
description = "TrojanDownloader:O97M/Obfuse.PHI!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,0c 00 0c 00 0c 00 00 01 00 "
strings :
$a_01_0 = {70 6f 77 65 72 73 68 65 6c 6c 20 2d 45 78 65 63 20 62 79 70 61 73 73 20 2d 4e 6f 6e 49 20 2d 57 20 48 69 64 64 65 6e 20 28 28 27 26 20 28 28 47 65 54 22 } //01 00 powershell -Exec bypass -NonI -W Hidden (('& ((GeT"
$a_01_1 = {2d 56 41 52 49 41 62 6c 65 20 53 58 42 2a 4d 44 72 2a 53 58 42 29 2e 6e 61 4d 65 5b 33 2c 31 31 2c 32 5d 2d 6a 6f 69 4e 53 58 42 53 58 42 29 28 20 28 22 } //01 00 -VARIAble SXB*MDr*SXB).naMe[3,11,2]-joiNSXBSXB)( ("
$a_01_2 = {6d 41 4e 41 67 65 6d 65 6e 74 2e 41 75 54 6f 4d 61 54 49 4f 4e 2e 50 73 43 72 27 2b 27 45 44 65 4e 54 22 } //01 00 mANAgement.AuToMaTION.PsCr'+'EDeNT"
$a_01_3 = {49 61 4c 20 53 58 42 20 53 58 42 2c 28 20 53 58 42 37 36 34 39 32 64 31 31 31 36 37 34 33 66 30 34 32 33 34 31 33 62 31 36 30 35 30 61 35 33 34 35 4d 22 } //01 00 IaL SXB SXB,( SXB76492d1116743f0423413b16050a5345M"
$a_01_4 = {4f 51 41 31 41 44 45 41 4d 41 41 35 41 47 49 41 4e 51 41 78 41 44 41 41 4e 77 41 35 41 44 67 41 5a 27 2b 27 67 42 6b 41 44 55 41 5a 41 41 34 41 44 41 22 } //01 00 OQA1ADEAMAA5AGIANQAxADAANwA5ADgAZ'+'gBkADUAZAA4ADA"
$a_01_5 = {41 44 41 41 59 77 42 69 41 44 49 41 4e 51 41 7a 41 44 6b 41 4d 41 41 79 41 44 6b 41 59 67 42 6c 41 44 4d 41 4e 77 41 78 41 44 55 41 4f 51 41 79 41 47 22 } //01 00 ADAAYwBiADIANQAzADkAMAAyADkAYgBlADMANwAxADUAOQAyAG"
$a_01_6 = {49 41 4d 77 41 32 41 47 55 41 59 51 41 31 41 47 4d 41 4d 41 41 32 41 44 63 41 27 2b 27 4e 41 41 7a 41 44 67 41 59 51 42 6c 41 44 55 41 4e 67 41 78 41 22 } //01 00 IAMwA2AGUAYQA1AGMAMAA2ADcA'+'NAAzADgAYQBlADUANgAxA"
$a_01_7 = {43 75 52 45 73 74 72 49 4e 47 20 2d 6b 20 20 28 32 27 2b 27 32 37 2e 2e 32 34 32 29 20 29 20 27 2b 27 29 2e 67 65 74 4e 45 54 77 6f 72 6b 43 72 65 64 22 } //01 00 CuREstrING -k (2'+'27..242) ) '+').getNETworkCred"
$a_01_8 = {45 4e 74 49 61 6c 28 29 2e 50 61 53 53 77 6f 72 64 29 27 29 20 2d 72 65 50 4c 61 43 65 20 20 28 5b 43 48 61 52 5d 39 37 2b 5b 43 48 61 52 5d 35 36 2b 22 } //01 00 ENtIal().PaSSword)') -rePLaCe ([CHaR]97+[CHaR]56+"
$a_01_9 = {43 48 61 52 5d 36 36 29 2c 5b 43 48 61 52 5d 33 39 29 20 7c 20 26 20 28 20 24 73 68 45 4c 6c 69 44 5b 31 5d 2b 24 73 48 45 4c 4c 49 44 5b 31 33 5d 2b 22 } //01 00 CHaR]66),[CHaR]39) | & ( $shELliD[1]+$sHELLID[13]+"
$a_01_10 = {53 74 72 20 3d 20 53 74 72 20 2b 20 22 27 58 27 29 22 } //01 00 Str = Str + "'X')"
$a_01_11 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 73 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 2e 52 75 6e 20 53 74 72 } //00 00 CreateObject("Wscript.Shell").Run Str
condition:
any of ($a_*)
}
Reference in New Issue View Git Blame Copy Permalink