13 lines
1.1 KiB
Plaintext
13 lines
1.1 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Trickbot_PHBC_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Trickbot.PHBC!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 03 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {41 42 4a 41 47 34 41 64 67 42 76 41 47 73 41 5a 51 41 74 41 46 63 41 5a 51 42 69 41 46 49 41 5a 51 42 78 41 48 55 41 5a 51 42 7a 41 48 51 41 49 41 41 74 [0-07] 41 46 55 41 63 67 42 70 41 43 41 41 49 67 42 6f 41 48 51 41 64 41 42 77 41 44 6f 41 4c 77 41 76 41 44 45 41 4f 51 41 31 41 43 34 41 4d 51 41 7a 41 44 4d 41 4c 67 41 78 [0-07] 41 } //1
|
|
$a_03_1 = {44 6b 41 4d 67 41 75 41 44 45 41 4d 41 41 78 41 43 38 41 61 51 42 74 41 47 45 41 5a 77 42 6c 41 48 4d 41 4c 77 42 79 41 47 55 41 5a 41 42 77 41 47 77 41 59 51 42 75 41 47 55 41 4c 67 42 77 41 47 34 41 5a 77 41 69 41 43 41 41 4c 51 [0-07] 42 } //1
|
|
$a_03_2 = {50 41 48 55 41 64 41 42 47 41 47 6b 41 62 41 42 6c 41 43 41 41 49 67 42 44 41 44 6f 41 58 41 42 51 41 48 49 41 62 77 42 6e 41 48 49 41 59 51 42 74 41 45 51 41 59 [0-07] 51 42 30 41 47 45 41 58 41 42 6a 41 47 77 41 59 67 41 75 41 47 51 41 62 41 42 73 41 43 49 [0-07] 41 } //1
|
|
condition:
|
|
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1) >=3
|
|
|
|
} |