DefenderYara/TrojanSpy/Win32/Banker/TrojanSpy_Win32_Banker_AMQ.yar


// YARA rule for TrojanSpy:Win32/Banker.AMQ, auto-converted from a Defender
// SIGNATURE_TYPE_PEHSTR_EXT signature. The "description" meta keeps the
// original signature header bytes verbatim; the converter itself is not shown here.
rule TrojanSpy_Win32_Banker_AMQ{
meta:
// Header bytes "09 00 07 00 07 00 00 02 00": presumably total weight 9,
// match threshold 7, 7 strings, followed by the first string's weight (2).
// NOTE(review): field layout inferred from the numbers (the per-string NN
// values below sum to 9, matching the first field) -- confirm against the
// converter before relying on it.
description = "TrojanSpy:Win32/Banker.AMQ,SIGNATURE_TYPE_PEHSTR_EXT,09 00 07 00 07 00 00 02 00 "
strings :
// The trailing "//NN 00" on each string appears to be the weight of the
// *following* string (the final "//00 00" reading as a terminator). None of
// these weights are used by the condition at the bottom of the rule.
// UTF-16LE "CompanyName", two NUL wide chars of padding, "Microsoft Operations".
// Looks like a version-resource field; on its own this is weak evidence.
$a_01_0 = {43 00 6f 00 6d 00 70 00 61 00 6e 00 79 00 4e 00 61 00 6d 00 65 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 4f 00 70 00 65 00 72 00 61 00 74 00 69 00 6f 00 6e 00 73 00 00 00 } //01 00
// ASCII "amidalas.tmp" followed by a NUL.
$a_01_1 = {61 6d 69 64 61 6c 61 73 2e 74 6d 70 00 } //02 00
// ASCII "atm1.exe" followed by a NUL.
$a_01_2 = {61 74 6d 31 2e 65 78 65 00 } //01 00
// "Dispositivo de ?udio do Windows" (Portuguese, "Windows Audio Device");
// byte 0xC1 is A-acute in Windows-1252. No trailing NUL.
$a_01_3 = {44 69 73 70 6f 73 69 74 69 76 6f 20 64 65 20 c1 75 64 69 6f 20 64 6f 20 57 69 6e 64 6f 77 73 } //01 00
// ASCII "BcLuPG" followed by a NUL.
$a_01_4 = {42 63 4c 75 50 47 00 } //01 00
// ASCII "MrP1Kab1LaL9KqzBNG" followed by a NUL.
$a_01_5 = {4d 72 50 31 4b 61 62 31 4c 61 4c 39 4b 71 7a 42 4e 47 00 } //01 00
// x86 code. Decoding the opcodes, this appears to be an integer-to-digit-string
// loop (xor edx,edx / div ecx / add dl,0x30, bump past '9', store backwards)
// followed by left-padding with '0' -- inferred from the bytes, confirm.
$a_01_6 = {31 d2 f7 f1 4e 80 c2 30 80 fa 3a 72 03 80 c2 07 88 16 09 c0 75 ea 59 5a 29 f1 29 ca 76 10 01 d1 b0 30 29 d6 eb 03 88 04 32 4a 75 fa 88 06 } //00 00
condition:
// NOTE(review): "any of" fires on a single string hit and ignores the
// per-string weights and the threshold carried in the meta, so this rule is
// broader than the Defender signature it was converted from; $a_01_0 and
// $a_01_3 in particular are generic resource/UI strings. If precision
// matters, consider a condition that requires several strings to match.
any of ($a_*)
}