13 lines
1.4 KiB
Plaintext
13 lines
1.4 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Obfuse_PKSD_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Obfuse.PKSD!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 03 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {53 38 76 4f 6e 42 30 64 47 67 6e 4a 79 68 6c 62 47 6c 47 5a 47 45 6e 4f 79 52 55 51 7a 30 6b 59 7a 4d 73 4a 47 49 30 5a 47 59 73 4a 48 64 6c 4d 6a 49 67 4c 55 70 76 61 57 34 67 4a 79 63 37 53 55 56 59 4b 43 68 62 63 6d 56 6e 5a 58 68 64 4f 6a 70 4e 59 58 52 6a 61 47 56 7a 4b 43 52 55 51 79 77 6e 4c 69 63 73 4a 31 } //1 S8vOnB0dGgnJyhlbGlGZGEnOyRUQz0kYzMsJGI0ZGYsJHdlMjIgLUpvaW4gJyc7SUVYKChbcmVnZXhdOjpNYXRjaGVzKCRUQywnLicsJ1
|
|
$a_01_1 = {4a 70 5a 32 68 30 56 47 39 4d 5a 57 5a 30 4a 79 6b 67 66 43 42 47 62 33 4a 46 59 57 4e 6f 49 48 73 6b 58 79 35 32 59 57 78 31 5a 58 30 70 49 43 31 71 62 32 6c 75 49 43 63 6e 4b 54 74 7a 64 47 46 79 64 43 31 77 63 6d 39 6a 5a 58 4e 7a 4b 43 52 6c 62 6e 59 36 64 47 56 74 63 43 73 67 4a 31 } //1 JpZ2h0VG9MZWZ0JykgfCBGb3JFYWNoIHskXy52YWx1ZX0pIC1qb2luICcnKTtzdGFydC1wcm9jZXNzKCRlbnY6dGVtcCsgJ1
|
|
$a_01_2 = {78 69 62 47 56 7a 63 33 4d 75 64 6d 4a 7a 4a 79 6b 37 63 6d 56 74 62 33 5a 6c 4c 57 6c 30 5a 57 30 67 4b 43 52 6c 62 6e 59 36 59 58 42 77 5a 47 46 30 59 53 41 72 49 43 64 63 57 55 70 76 51 33 4d 75 59 6d 46 30 4a 79 6b } //1 xibGVzc3MudmJzJyk7cmVtb3ZlLWl0ZW0gKCRlbnY6YXBwZGF0YSArICdcWUpvQ3MuYmF0Jyk
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1) >=3
|
|
|
|
} |