// Detection for TrojanDownloader:O97M/Obfuse.PRS!MTB (Office/VBA macro downloader).
// Two indicators are declared and the condition requires both to be counted (sum >= 2).
rule TrojanDownloader_O97M_Obfuse_PRS_MTB{
meta:
description = "TrojanDownloader:O97M/Obfuse.PRS!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,02 00 02 00 02 00 00 "
strings :
// Comma-separated 8-bit binary groups ("00110001,00111001,..."), i.e. ASCII spelled out
// in binary so that the plain string never appears in the document. Per the trailing
// comment the groups appear to decode to an IPv4 host plus a path ending in .exe
// (198.23.251.110/mavin.exe) — presumably the location the macro fetches the payload from.
$a_01_0 = {30 30 31 31 30 30 30 31 2c 30 30 31 31 31 30 30 31 2c 30 30 31 31 31 30 30 30 2c 30 30 31 30 31 31 31 30 2c 30 30 31 31 30 30 31 30 2c 30 30 31 31 30 30 31 31 2c 30 30 31 30 31 31 31 30 2c 30 30 31 31 30 30 31 30 2c 30 30 31 31 30 31 30 31 2c 30 30 31 31 30 30 30 31 2c 30 30 31 30 31 31 31 30 2c 30 30 31 31 30 30 30 31 2c 30 30 31 31 30 30 30 31 2c 30 30 31 31 30 30 30 30 2c 30 30 31 30 31 31 31 31 2c 30 31 31 30 31 31 30 31 2c 30 31 31 30 30 30 30 31 2c 30 31 31 31 30 31 31 30 2c 30 31 31 30 31 30 30 31 2c 30 31 31 30 31 31 31 30 2c 30 30 31 30 31 31 31 30 2c 30 31 31 30 30 31 30 31 2c 30 31 31 31 31 30 30 30 2c 30 31 31 30 30 31 30 31 } //1 00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110,00110001,00110001,00110000,00101111,01101101,01100001,01110110,01101001,01101110,00101110,01100101,01111000,01100101
// Literal interpreter name (case-sensitive as written) used to launch the fetched content.
$a_01_1 = {50 6f 77 65 72 73 68 65 6c 6c 2e 65 78 65 } //1 Powershell.exe
condition:
// NOTE(review): "#x & 1" is the occurrence count bitwise-ANDed with 1, so a string that
// occurs an even number of times contributes 0, not 1. This is the weighting form used
// throughout these exported signatures rather than a plain "$x" presence test; keep it
// in mind when tuning, since a duplicated string can make the rule miss.
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1) >=2
}
// Second variant signature for TrojanDownloader:O97M/Obfuse.PRS!MTB, keyed on VBA source
// fragments from a specific sample. All six strings are required (sum >= 6), so this rule
// is narrow and expected to be low-noise; it will not generalise to re-obfuscated variants
// that rename the identifiers below.
rule TrojanDownloader_O97M_Obfuse_PRS_MTB_2{
meta:
description = "TrojanDownloader:O97M/Obfuse.PRS!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 "
strings :
// Auto-execution entry point: runs when the document is opened.
$a_00_0 = {53 75 62 20 41 75 74 6f 5f 4f 70 65 6e 28 29 } //1 Sub Auto_Open()
// Sample-specific randomised identifier assigned the value ProgramData.
$a_00_1 = {44 48 6c 62 4b 55 49 4b 59 55 47 6b 67 6a 48 56 46 49 75 6d 20 3d 20 50 72 6f 67 72 61 6d 44 61 74 61 } //1 DHlbKUIKYUGkgjHVFIum = ProgramData
// Builds a path under the current user's profile directory.
$a_00_2 = {3d 20 45 6e 76 69 72 6f 6e 24 28 22 55 73 65 72 50 72 6f 66 69 6c 65 22 29 20 26 20 22 5c 22 20 26 20 } //1 = Environ$("UserProfile") & "\" &
// Call of the same randomised identifier with a string argument that looks encoded;
// its decoded meaning is not established here — assumes a simple decoder helper, TODO confirm.
$a_00_3 = {3d 20 44 48 6c 62 4b 55 49 4b 59 55 47 6b 67 6a 48 56 46 49 75 6d 28 22 66 79 66 2f 6a 6a 73 75 22 29 } //1 = DHlbKUIKYUGkgjHVFIum("fyf/jjsu")
// Another sample-specific identifier/value pair; acts as a fingerprint only.
$a_00_4 = {70 72 71 68 68 71 72 61 62 63 20 3d 20 22 66 61 64 7a 6a 67 64 69 6c 61 7a 75 22 } //1 prqhhqrabc = "fadzjgdilazu"
// Argument list with verb "open", vbNullString and vbNormalFocus — consistent with a
// ShellExecute-style launch of the staged file (the callee is outside this fragment).
$a_00_5 = {22 6f 70 65 6e 22 2c 20 6d 71 51 45 43 77 4f 4c 69 44 63 47 44 48 47 46 53 44 78 78 66 67 73 58 48 46 48 58 66 72 78 68 66 78 66 63 6a 46 4b 2c 20 22 22 2c 20 76 62 4e 75 6c 6c 53 74 72 69 6e 67 2c 20 76 62 4e 6f 72 6d 61 6c 46 6f 63 75 73 } //1 "open", mqQECwOLiDcGDHGFSDxxfgsXHFHXfrxhfxfcjFK, "", vbNullString, vbNormalFocus
condition:
// NOTE(review): each "#x & 1" term is 1 only for an odd occurrence count; a string seen
// twice contributes 0 and the rule will not fire. Same weighting convention as the
// sibling rule above.
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1) >=6
}