
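// TrojanSpy:Win32/Banker.AJU -- converted from a Defender PEHSTR_EXT signature
// (see the `description` meta). Five strings: two carry weight 10, three carry
// weight 1, and the original threshold is 21, so a hit needs BOTH heavy strings
// plus at least one light one.
rule TrojanSpy_Win32_Banker_AJU {
    meta:
        description = "TrojanSpy:Win32/Banker.AJU,SIGNATURE_TYPE_PEHSTR_EXT,15 00 15 00 05 00 00 "
        // NOTE(review): the trailing hex in `description` is not interpreted by YARA.
        // 0x15 = 21 matches the threshold below and 0x05 the string count, so it is
        // presumably the original engine header -- confirm against the converter.
    strings:
        // ASCII strings, weight 1 each in the original signature. They look like
        // timer-component names, but that is an inference from the names only.
        $a_01_0 = "TM01Timer"
        $a_01_1 = "TMRVeficaConexao"
        // UTF-16LE strings (the source hex was 00-interleaved). `wide` alone keeps the
        // matched bytes identical to the original hex patterns -- no ASCII variant
        // is added.
        $a_01_2 = "\\logwin.ini" wide   // weight 1
        $a_01_3 = "A897BE749D" wide     // weight 10
        $a_01_4 = "85A0AF5680B096984FF11FC36996BC42E4053EE3112BDA162B23CB055182D477D564F65B86" wide   // weight 10
    condition:
        // Weighted sum >= 21 is equivalent to: both weight-10 strings present and at
        // least one weight-1 string present (10 + 10 + 1 = 21; the three light strings
        // together only reach 13).
        // The original wrote each term as `(#x & 1) * w`. `& 1` is a parity test, not a
        // presence clamp: a string occurring an even number of times contributed 0 and
        // the sample could be missed. Presence (`$x`) is the intended PEHSTR semantics.
        $a_01_3 and $a_01_4 and 1 of ($a_01_0, $a_01_1, $a_01_2)
}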