16 lines
1.7 KiB
Plaintext
16 lines
1.7 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Obfuse_PRDF_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Obfuse.PRDF!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {68 61 68 61 68 61 20 3d 20 22 68 74 74 22 20 2b 20 22 70 22 20 2b 20 22 73 22 20 2b 20 22 3a 22 20 2b 20 22 2f 2f 22 20 2b 20 22 77 22 20 2b 20 22 77 22 20 2b 20 22 77 22 20 2b 20 22 2e 62 69 74 6c 79 2e 63 6f 6d 2f [0-14] 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 [0-14] 22 } //1
|
|
$a_01_1 = {6c 6f 6c 20 3d 20 22 6d 73 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 22 20 2b 20 22 68 74 61 22 } //1 lol = "ms" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "" + "hta"
|
|
$a_01_2 = {53 68 65 65 74 32 2e 6d 69 63 72 6f 73 6f 66 74 2e 53 68 65 6c 6c 45 78 65 63 75 74 65 20 53 68 65 65 74 33 2e 6c 6f 6c 2c 20 53 68 65 65 74 31 2e 68 61 68 61 68 61 } //1 Sheet2.microsoft.ShellExecute Sheet3.lol, Sheet1.hahaha
|
|
$a_01_3 = {46 75 6e 63 74 69 6f 6e 20 6c 6f 6c 28 29 } //1 Function lol()
|
|
$a_01_4 = {46 75 6e 63 74 69 6f 6e 20 68 61 68 61 68 61 28 29 } //1 Function hahaha()
|
|
$a_01_5 = {4f 75 74 6c 6f 6f 6b 2e 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 53 68 65 6c 6c 2e 41 70 70 6c 69 63 61 74 69 6f 6e 22 29 } //1 Outlook.CreateObject("Shell.Application")
|
|
condition:
|
|
((#a_03_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1) >=6
|
|
|
|
} |