15 lines
1.7 KiB
Plaintext
15 lines
1.7 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Powdow_JB_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Powdow.JB!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {43 68 72 24 28 56 61 6c 28 22 26 48 22 20 26 20 4d 69 64 24 28 [0-0f] 2c 20 [0-0f] 2c 20 32 29 29 29 } //1
|
|
$a_03_1 = {41 73 63 28 4d 69 64 28 [0-19] 2c 20 69 2c 20 31 29 29 } //1
|
|
$a_01_2 = {37 30 36 66 37 37 36 35 37 32 37 33 36 38 36 35 36 63 36 63 32 65 36 35 37 38 36 35 32 30 32 64 34 65 36 66 34 35 37 38 36 39 37 34 32 30 32 64 36 33 32 30 34 37 36 35 37 34 32 64 35 33 36 35 37 32 37 36 36 39 36 33 36 35 32 30 32 64 34 34 36 39 37 33 37 30 36 63 36 31 37 39 34 65 36 31 36 64 36 35 32 30 32 37 32 61 36 65 36 35 37 34 37 37 36 66 37 32 36 62 32 61 32 37 } //1 706f7765727368656c6c2e657865202d4e6f45786974202d63204765742d53657276696365202d446973706c61794e616d6520272a6e6574776f726b2a27
|
|
$a_01_3 = {34 34 36 66 37 37 36 65 36 63 36 66 36 31 36 34 35 33 37 34 37 32 36 39 36 65 36 37 32 38 32 37 36 38 37 34 37 34 37 30 33 61 32 66 32 66 33 31 33 35 33 39 32 65 33 36 33 35 32 65 33 31 33 34 33 36 32 65 33 33 33 38 32 66 37 32 36 35 37 36 32 65 37 30 37 33 33 31 32 37 32 39 } //1 446f776e6c6f6164537472696e672827687474703a2f2f3135392e36352e3134362e33382f7265762e7073312729
|
|
$a_01_4 = {37 30 36 66 37 37 36 35 37 32 37 33 36 38 36 35 36 63 36 63 32 65 36 35 37 38 36 35 32 30 32 64 36 65 36 66 36 35 37 38 36 39 37 34 32 30 32 64 36 35 37 30 32 30 36 32 37 39 37 30 36 31 37 33 37 33 32 30 32 64 36 33 32 30 34 39 34 35 35 38 } //1 706f7765727368656c6c2e657865202d6e6f65786974202d657020627970617373202d6320494558
|
|
condition:
|
|
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1) >=5
|
|
|
|
} |