11 lines
379 B
Plaintext
11 lines
379 B
Plaintext
|
|
rule TrojanDownloader_Win64_Snojan_DL_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:Win64/Snojan.DL!MTB,SIGNATURE_TYPE_PEHSTR_EXT,01 00 01 00 01 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {48 8b c1 48 8b 8c 24 90 01 04 48 f7 f1 48 8b c2 0f be 84 04 90 01 04 8b 8c 24 90 01 04 33 c8 8b c1 48 63 4c 24 40 48 8b 15 90 01 04 88 04 0a e9 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |