15 lines
1.5 KiB
Plaintext
15 lines
1.5 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Powdow_PRZ_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Powdow.PRZ!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {61 48 52 30 63 44 6f 76 4c 32 4e 76 62 57 46 33 61 47 6c 74 63 47 78 6c 64 43 35 6a 62 32 30 76 62 6e 68 34 64 43 35 6c 65 47 55 3d } //1 aHR0cDovL2NvbWF3aGltcGxldC5jb20vbnh4dC5leGU=
|
|
$a_00_1 = {35 37 20 35 33 20 36 33 20 37 32 20 36 39 20 37 30 20 37 34 20 32 45 20 35 33 20 36 38 20 36 35 20 36 43 20 36 43 22 29 29 2e 52 75 6e } //1 57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run
|
|
$a_00_2 = {42 61 73 65 36 34 44 65 63 6f 64 65 28 22 63 47 39 33 5a 58 4a 7a 61 47 56 73 62 43 35 6c 65 47 55 67 4c 57 56 34 5a 57 4e 31 64 47 6c 76 62 6e 42 76 62 47 6c 6a 65 53 42 69 65 58 42 68 63 33 4d 67 4c 56 63 67 53 47 6c 6b 5a 47 56 75 49 43 31 6a 62 32 31 74 59 57 35 6b 49 } //1 Base64Decode("cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVcgSGlkZGVuIC1jb21tYW5kI
|
|
$a_00_3 = {43 68 75 5a 58 63 74 62 32 4a 71 5a 57 4e 30 49 46 4e 35 63 33 52 6c 62 53 35 4f 5a 58 51 75 56 32 56 69 51 32 78 70 5a 57 35 30 4b 53 35 45 62 33 64 75 62 47 39 68 5a 45 5a 70 62 47 55 6f 4a 77 3d 3d } //1 ChuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJw==
|
|
$a_00_4 = {61 47 56 73 62 45 56 34 5a 57 4e 31 64 47 55 6f 4a 47 56 75 64 6a 70 55 5a 57 31 77 4b 79 64 63 63 48 56 30 64 48 6b 75 5a 58 68 6c 4a 79 6b 3d } //1 aGVsbEV4ZWN1dGUoJGVudjpUZW1wKydccHV0dHkuZXhlJyk=
|
|
condition:
|
|
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=5
|
|
|
|
} |