17 lines
1.2 KiB
Plaintext
17 lines
1.2 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_SilverMob_A_dha{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/SilverMob.A!dha,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 07 00 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {43 68 72 28 34 36 20 2b 20 28 41 73 63 28 } //1 Chr(46 + (Asc(
|
|
$a_00_1 = {29 20 2d 20 34 36 20 2d 20 32 30 20 2b 20 28 31 32 32 20 2d 20 34 36 29 29 20 4d 6f 64 20 28 31 32 32 20 2d 20 34 36 29 29 } //1 ) - 46 - 20 + (122 - 46)) Mod (122 - 46))
|
|
$a_00_2 = {22 61 31 77 3a 37 3b 37 2e 3c 42 6c 61 60 5c 68 68 64 22 } //1 "a1w:7;7.<Bla`\hhd"
|
|
$a_00_3 = {22 55 58 63 58 56 42 67 3c 3a 79 75 35 22 } //1 "UXcXVBg<:yu5"
|
|
$a_00_4 = {22 67 77 3a 31 38 3c 31 36 2f 42 5a 31 34 79 67 41 3b 3c 79 35 63 76 32 79 77 3c 22 } //1 "gw:18<16/BZ14ygA;<y5cv2yw<"
|
|
$a_00_5 = {56 42 41 2e 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 22 20 2b 20 22 53 63 22 20 2b 20 22 72 22 20 2b 20 22 69 70 22 20 2b 20 22 74 22 20 2b 20 22 2e 53 22 20 2b 20 22 68 22 20 2b 20 22 65 6c 22 20 2b 20 22 6c 22 29 } //1 VBA.CreateObject("W" + "Sc" + "r" + "ip" + "t" + ".S" + "h" + "el" + "l")
|
|
$a_00_6 = {22 70 3b 3e 77 30 37 3b 3c 42 79 40 79 22 } //1 "p;>w07;<By@y"
|
|
condition:
|
|
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1) >=4
|
|
|
|
} |