DefenderYara/TrojanSpy/Win32/Banker/TrojanSpy_Win32_Banker_ADT.yar


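rule TrojanSpy_Win32_Banker_ADT
{
    // Auto-converted from the Defender signature TrojanSpy:Win32/Banker.ADT
    // (SIGNATURE_TYPE_PEHSTR_EXT). In the converted form of $a_03_2 the
    // Defender wildcard tokens (90 01 NN = NN arbitrary bytes, 90 00 = end of
    // pattern) had been left in as literal bytes, so the pattern could not
    // match the code it describes; they are rewritten here as YARA jumps and
    // the terminator is dropped. The other two strings are unchanged.
    meta:
        description = "TrojanSpy:Win32/Banker.ADT,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 01 00 "
    strings:
        // $a_01_0 / $a_01_1: runs of ASCII hex digits (0x30-0x39, 0x41-0x46);
        // the decoded text is given in each trailing comment. They are matched
        // as exact, case-sensitive byte sequences.
        $a_01_0 = {33 31 41 35 45 45 37 41 45 41 36 43 45 43 35 33 38 44 33 35 39 35 33 38 36 39 46 43 35 33 34 32 38 33 43 34 30 35 35 44 46 45 35 31 38 46 43 31 30 34 35 31 46 31 35 33 38 39 43 41 31 44 } //01 00 31A5EE7AEA6CEC538D35953869FC534283C4055DFE518FC10451F15389CA1D
        $a_01_1 = {33 44 41 31 43 31 33 39 42 43 32 35 35 37 39 38 45 43 37 38 46 34 30 46 36 33 38 34 45 32 30 37 36 37 39 43 43 31 32 46 42 37 33 30 34 46 41 32 43 30 32 39 34 44 39 38 45 41 37 31 46 32 37 34 38 38 45 37 30 44 35 32 41 36 43 39 32 43 34 34 41 32 43 31 32 46 42 30 33 37 42 34 } //01 00 3DA1C139BC255798EC78F40F6384E207679CC12FB7304FA2C0294D98EA71F27488E70D52A6C92C44A2C12FB037B4
        // $a_03_2: x86 code fragment. The [2] jumps cover the low two bytes of
        // rel32 call displacements (e8 [2] ff ff / e8 [2] f8 ff) and of
        // 0x0048xxxx immediates loaded into ecx/edx/eax (b9/ba/b8 [2] 48 00),
        // which is consistent with a 0x400000-based image; the opcode bytes
        // and the fixed struct offsets (+0x35c, +0x338, +0x328) match exactly.
        $a_03_2 = {89 82 5c 03 00 00 e8 [2] ff ff 8d 45 f8 50 b9 [2] 48 00 ba [2] 48 00 b8 [2] 48 00 e8 [2] ff ff 8b 55 f8 8b 45 fc 05 38 03 00 00 e8 [2] f8 ff 8b 45 fc 05 28 03 00 00} //00 00
    condition:
        // NOTE(review): the description header carries a threshold of 03 00 and
        // each string is weighted 01 00 (see the trailing comments), which
        // suggests the source signature required all three strings. The
        // converter's `any of ($a_*)` is kept here but is likely looser than
        // intended -- confirm against the source before tightening it to
        // `all of them`.
        any of ($a_*)
}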