DefenderYara/TrojanSpy/Win32/Bancos/TrojanSpy_Win32_Bancos_AMZ.yar


// Detection rule for TrojanSpy:Win32/Bancos.AMZ, exported from a Microsoft
// Defender PEHSTR_EXT signature (the meta description carries the original
// header). Every pattern below is left byte-for-byte as exported; the
// comments only explain what each pattern is so the rule can be reviewed and
// tuned without re-deriving it.
rule TrojanSpy_Win32_Bancos_AMZ{
meta:
// YARA treats meta as inert metadata, so nothing in the description affects
// matching. The header bytes (07 00 07 00 0a 00 00 01 00) are presumably the
// original signature's counters/thresholds — TODO confirm against the
// exporter; they are NOT enforced by the condition below.
description = "TrojanSpy:Win32/Bancos.AMZ,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 0a 00 00 01 00 "
strings :
// $a_01_0 .. $a_01_6 are UTF-16LE (wide) text made up of hex digits, i.e. the
// sample keeps these strings hex-encoded. The trailing "//01 00 ..." comment on
// each line repeats the digits; the leading "01 00" / "00 00" is presumably the
// per-string weight from the original signature and is ignored by YARA.
// wide hex digits 3C7C4B4559424F4152447C3E -> ASCII "<|KEYBOARD|>"
$a_01_0 = {33 00 43 00 37 00 43 00 34 00 42 00 34 00 35 00 35 00 39 00 34 00 32 00 34 00 46 00 34 00 31 00 35 00 32 00 34 00 34 00 37 00 43 00 33 00 45 00 } //01 00 3C7C4B4559424F4152447C3E
// wide hex digits 626C6F636B2E747874 -> ASCII "block.txt"
$a_01_1 = {36 00 32 00 36 00 43 00 36 00 46 00 36 00 33 00 36 00 42 00 32 00 45 00 37 00 34 00 37 00 38 00 37 00 34 00 } //01 00 626C6F636B2E747874
// wide hex digits 3C7C4F4B7C3E -> ASCII "<|OK|>"
$a_01_2 = {33 00 43 00 37 00 43 00 34 00 46 00 34 00 42 00 37 00 43 00 33 00 45 00 } //01 00 3C7C4F4B7C3E
// wide hex digits 3C7C50494E477C3E -> ASCII "<|PING|>"
$a_01_3 = {33 00 43 00 37 00 43 00 35 00 30 00 34 00 39 00 34 00 45 00 34 00 37 00 37 00 43 00 33 00 45 00 } //01 00 3C7C50494E477C3E
// wide hex digits 3C7C4E4F53656E68617C3E -> ASCII "<|NOSenha|>"
$a_01_4 = {33 00 43 00 37 00 43 00 34 00 45 00 34 00 46 00 35 00 33 00 36 00 35 00 36 00 45 00 36 00 38 00 36 00 31 00 37 00 43 00 33 00 45 00 } //01 00 3C7C4E4F53656E68617C3E
// wide hex digits 3C7C434C49507C3E -> ASCII "<|CLIP|>"
$a_01_5 = {33 00 43 00 37 00 43 00 34 00 33 00 34 00 43 00 34 00 39 00 35 00 30 00 37 00 43 00 33 00 45 00 } //01 00 3C7C434C49507C3E
// wide hex digits 636C69636B -> ASCII "click"; only 20 bytes long, weakest of
// the wide patterns.
$a_01_6 = {36 00 33 00 36 00 43 00 36 00 39 00 36 00 33 00 36 00 42 00 } //01 00 636C69636B
// $a_01_7 / $a_01_8: plain UTF-16LE delimiter tokens, not hex-encoded.
$a_01_7 = {3c 00 7c 00 67 00 65 00 74 00 73 00 7c 00 3e 00 } //01 00 <|gets|>
$a_01_8 = {3c 00 7c 00 54 00 41 00 4d 00 41 00 4e 00 48 00 4f 00 7c 00 3e 00 } //01 00 <|TAMANHO|>
// Single-byte ASCII "<|CloseChat|>" (not wide, unlike the rest).
$a_01_9 = {3c 7c 43 6c 6f 73 65 43 68 61 74 7c 3e } //00 00 <|CloseChat|>
// Bare 4-byte pattern with no readable text; what it encodes and what the
// trailing "e4 95" means is not visible here — TODO confirm with the exporter.
$a_00_10 = {5d 04 00 00 } //e4 95
condition:
// A single matching string fires the rule. Because the 4-byte $a_00_10 and the
// short "click" pattern $a_01_6 are included, this is far looser than the
// header counters in meta may have intended; if false positives appear,
// tighten by requiring several of the delimiter tokens rather than any one.
any of ($a_*)
}