
// Weighted string-score rule: each pattern contributes a fixed weight when
// present at least once, and the rule fires when the total reaches 50.
// The original hex patterns are plain ASCII hex-digit text, so they are
// expressed here as text strings (same bytes, no case folding, no wildcards).
rule TrojanSpy_Win32_Banker_AFF
{
    meta:
        // Defender signature name and type tag carried over from the source
        // definition; kept byte-for-byte.
        description = "TrojanSpy:Win32/Banker.AFF,SIGNATURE_TYPE_PEHSTR_EXT,37 00 32 00 08 00 00 "

    strings:
        // weight 20 each
        $a_01_0 = "61435E5642515C775E5D5440" ascii
        $a_01_1 = "7653615D4557585F" ascii
        // weight 10 each
        $a_01_2 = "1F1D1F1F191F0A117F707B" ascii
        $a_01_3 = "6A11787F767572651767787211656F6510116578647E11160B10" ascii
        // weight 5 each
        $a_01_4 = "7A5042415542425A4E117D525342" ascii
        $a_01_5 = "62485C505E44545217705F4758675E434542" ascii
        $a_01_6 = "7F5E43455F5E11705945586558434242" ascii
        $a_01_7 = "7C7072117174637464621F1D1F1F191F0A" ascii

    condition:
        // (#x & 1) reduces a match count to 0/1, so repeated occurrences of
        // one pattern never inflate the score; threshold is 50 of 80 possible.
        (
            (#a_01_0 & 1) * 20 +
            (#a_01_1 & 1) * 20 +
            (#a_01_2 & 1) * 10 +
            (#a_01_3 & 1) * 10 +
            (#a_01_4 & 1) * 5 +
            (#a_01_5 & 1) * 5 +
            (#a_01_6 & 1) * 5 +
            (#a_01_7 & 1) * 5
        ) >= 50
}