DefenderYara/TrojanSpy/Win32/Bancos/TrojanSpy_Win32_Bancos_MI.yar


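rule TrojanSpy_Win32_Bancos_MI
{
    meta:
        // Original Defender signature: TrojanSpy:Win32/Bancos.MI, type PEHSTR_EXT.
        // The trailing bytes "03 00 03 00 03 00 00" encode the string-match header:
        // threshold 3, three strings, each weighted 1 — i.e. every string must be present.
        // NOTE(review): header field layout taken from the converter's convention — confirm
        // against the source signature if the threshold is ever changed.
        description = "TrojanSpy:Win32/Bancos.MI,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 "

    strings:
        // ASCII path the sample references; hard-coded drop/persistence location.
        $a_00_0 = { 43 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 5c 64 72 69 76 65 73 5c 78 73 65 72 76 69 63 65 2e 65 78 65 } // C:\WINDOWS\system\drives\xservice.exe

        // 128-character ASCII blob of hex digits (decoded: 40BC30FB…5FE475, 64 bytes if unhexed).
        // NOTE(review): its role is not established by this rule — plausibly a hard-coded key,
        // hash or configuration constant; verify against a sample before relying on it alone.
        $a_01_1 = { 34 30 42 43 33 30 46 42 30 34 30 42 45 33 32 31 46 35 37 42 38 39 38 37 44 30 31 37 41 35 32 43 42 31 33 33 38 32 46 41 36 38 46 31 37 46 44 39 36 46 43 34 31 35 35 38 45 44 30 41 37 32 41 30 35 35 45 34 30 39 35 31 38 45 33 41 36 41 38 46 32 38 42 38 30 35 35 34 45 36 36 43 46 45 37 42 38 44 44 43 36 42 46 46 32 37 42 36 37 31 42 31 35 42 39 43 35 46 45 34 37 35 } // 40BC30FB040BE321F57B8987D017A52CB13382FA68F17FD96FC41558ED0A72A055E409518E3A6A8F28B80554E66CFE7B8DDC6BFF27B671B15B9C5FE475

        // 28-byte x86 code fragment (32-bit), decoded:
        //   8b 45 f8          mov  eax, [ebp-0x08]
        //   8b 55 e4          mov  edx, [ebp-0x1C]
        //   0f b6 44 10 ff    movzx eax, byte ptr [eax+edx-1]
        //   03 c7             add  eax, edi
        //   b9 ff 00 00 00    mov  ecx, 0xFF
        //   99                cdq
        //   f7 f9             idiv ecx              ; edx = (byte + edi) mod 255
        //   8b da             mov  ebx, edx
        //   3b 75 f0          cmp  esi, [ebp-0x10]
        //   7d 03             jge  +3
        //   46                inc  esi
        //   eb 05             jmp  +5
        // NOTE(review): shape of a byte-wise modulo-255 transform with a wrapping index —
        // presumably a string encode/decode loop; not confirmed from the rule alone.
        $a_01_2 = { 8b 45 f8 8b 55 e4 0f b6 44 10 ff 03 c7 b9 ff 00 00 00 99 f7 f9 8b da 3b 75 f0 7d 03 46 eb 05 }

    condition:
        // The converted condition was
        //   ((#a_00_0 & 1)*1 + (#a_01_1 & 1)*1 + (#a_01_2 & 1)*1) >= 3
        // "#x & 1" is the parity of the match count, not presence: a file containing a
        // string an even number of times (e.g. the path twice) scored 0 for it and the rule
        // silently failed to fire. With threshold 3 and three unit weights the intended
        // semantics is simply "all three strings present".
        $a_00_0 and $a_01_1 and $a_01_2
        // Optional tightening when only on-disk PE files are in scope (matches the PEHSTR_EXT
        // signature type and avoids scanning large non-PE blobs): prefix the condition with
        //   uint16(0) == 0x5A4D and
}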