DefenderYara/TrojanSpy/Win32/Bancos/TrojanSpy_Win32_Bancos_TO.yar


// Detection rule for TrojanSpy:Win32/Bancos.TO (a banking-credential stealer family).
// Six plain ASCII byte patterns are declared; the rule fires when the weighted
// sum of matched patterns reaches 5, i.e. at least 5 of the 6 strings are present.
// The hex patterns below are ASCII with a trailing 00 (NUL terminator) where shown;
// the decoded text is given in each comment so the IoC is readable without a hex table.
rule TrojanSpy_Win32_Bancos_TO{
meta:
// Converted from a Defender PEHSTR_EXT signature. The trailing bytes
// "05 00 05 00 06 00 00" presumably encode the match threshold (5) and the
// number of strings (6), which agrees with the condition below — TODO confirm
// against the converter's documentation.
description = "TrojanSpy:Win32/Bancos.TO,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 "
strings :
// Each //N suffix is the per-string weight used by the *N factor in the condition.
$a_01_0 = {73 6d 74 70 2e 74 65 72 72 61 2e 63 6f 6d 2e 62 72 00 } //1 "smtp.terra.com.br" + NUL  (hard-coded SMTP host, consistent with mail-based exfiltration)
$a_01_1 = {40 4d 41 53 53 5f 4d 41 49 4c } //1 "@MASS_MAIL"  (no NUL terminator in this pattern)
$a_01_2 = {5c 53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 5c 54 61 62 62 65 64 42 72 6f 77 73 69 6e 67 5c 00 } //1 "\Software\Microsoft\Internet Explorer\TabbedBrowsing\" + NUL  (registry subkey path)
$a_01_3 = {73 65 72 76 69 63 65 2e 64 6c 6c 7e 00 } //1 "service.dll~" + NUL
$a_01_4 = {62 61 6e 5f 67 65 74 76 61 6c 75 65 73 00 } //1 "ban_getvalues" + NUL  (likely an export/function name — TODO confirm)
$a_01_5 = {42 61 6e 63 6f 20 43 61 72 6f 6e 69 00 } //1 "Banco Caroni" + NUL  (bank name string)
condition:
// #a_01_N is the number of occurrences of that string. Each term (#a_01_N & 1)*1
// yields the string's weight (1) when the occurrence count is odd and 0 otherwise;
// the sum must reach 5 of a possible 6.
// NOTE(review): "& 1" tests parity, not presence — a string found an even number
// of times (e.g. twice) contributes 0. If the intent is simply "string present",
// the direct form would be "#a_01_N > 0" per term (or "5 of them"); confirm whether
// the parity form is an intended property of the converter before changing it.
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1) >=5
}