
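// Detection rule for TrojanSpy:Win32/Banker.ADX, converted from a Microsoft
// Defender PEHSTR_EXT signature. The `description` meta field is kept
// verbatim from the export, including the signature header bytes.
//
// Strings: every pattern is a run of ASCII hex characters. The original rule
// wrote them as hex byte patterns ({44 39 36 35 ...}) and gave the decoded
// text in a trailing comment; here they are written as plain text strings,
// which match exactly the same byte sequences (no `wide`/`nocase` modifier,
// so ASCII only). The weight of each string in the threshold is noted beside
// it.
//
// Condition: the original summed `(#a_01_n & 1) * weight` and required >= 6.
// `#a_01_n & 1` is 1 only when the match count is odd, so a string occurring
// an even number of times (2, 4, ...) contributed nothing and a sample could
// fall below the threshold with every string present. The condition below
// weights string *presence* instead: it accepts everything the original
// accepted plus those even-count cases.
// NOTE(review): presence-weighting is the reading suggested by the PEHSTR_EXT
// header "07 00 06 00 ..." (7 strings, threshold 6); confirm against the
// converter that produced this file.
rule TrojanSpy_Win32_Banker_ADX
{
    meta:
        description = "TrojanSpy:Win32/Banker.ADX,SIGNATURE_TYPE_PEHSTR_EXT,07 00 06 00 07 00 00 "

    strings:
        // weight 1
        $a_01_0 = "D965F004001F372B353EABCA0753FD5AF55C9149EC0D3CE60028D9072F39E00236A840E17FA94AFE5BF854"
        // weight 2 -- the only string worth more than one point
        $a_01_1 = "EA1637DE0439DF"
        // weight 1
        $a_01_2 = "26CE0EC1A545F539EE144C8A8BD77FDB"
        // weight 1
        $a_01_3 = "16D173AD59CC71B369DC78D50E4481C2C80524C5"
        // weight 1
        $a_01_4 = "D90231EC518AAA77AF55F02DA32AAF"
        // weight 1
        $a_01_5 = "85AA6A9746F116DB42E160FF1CB119B719BE"
        // weight 1
        $a_01_6 = "36F939E611CE75B4AA4A88C7"

    condition:
        // Maximum score is 8 (2 + 6*1); the threshold is 6, so at most two
        // points may be missing. Enumerated:
        //   - $a_01_1 present (2): any 4 of the six 1-point strings suffice
        //   - $a_01_1 absent  (0): all six 1-point strings are required
        ( $a_01_1 and 4 of ($a_01_0, $a_01_2, $a_01_3, $a_01_4, $a_01_5, $a_01_6) )
        or all of ($a_01_0, $a_01_2, $a_01_3, $a_01_4, $a_01_5, $a_01_6)
}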