DefenderYara/TrojanSpy/Win32/Banker/TrojanSpy_Win32_Banker_IB.yar


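rule TrojanSpy_Win32_Banker_IB
{
    meta:
        // Header copied from the original Defender PEHSTR signature. The trailing
        // "1f 00 1f 00 06 00 00" appears to carry the match threshold (0x1f = 31,
        // given twice) and the string count (6), which agrees with the condition below.
        description = "TrojanSpy:Win32/Banker.IB,SIGNATURE_TYPE_PEHSTR,1f 00 1f 00 06 00 00 "
    strings:
        // Every pattern is a UTF-16LE literal (YARA `wide`). The original rule spelled
        // the same bytes out as hex (77 00 6f 00 ...); the text form matches identically.
        // Weight 10 each in the PEHSTR scoring:
        $a_01_0 = "worm(<" wide
        $a_01_1 = "Run-Time Error Hx000001F" wide
        $a_01_2 = "78E1BDD1-9941-11cf-9756-00AA00C00908" wide   // GUID; its origin is not recorded in this rule
        // Weight 1 each -- file paths referenced by the sample (the Startup entry
        // suggests a persistence location, but that is not established here):
        $a_01_3 = "\\System32\\logun.exe" wide
        $a_01_4 = "\\System32\\winapp.exe" wide
        $a_01_5 = "\\Startup\\AdobeUpdate.exe" wide
    condition:
        // The previous condition summed (#a_01_N & 1) * weight, i.e. the LOW BIT of
        // each match count, so a string that occurred an even number of times
        // contributed 0 and could silently push a true positive below threshold.
        // PEHSTR weights are per-string presence, not parity. With weights
        // 10+10+10+1+1+1 and threshold 31, the sum reaches 31 exactly when all
        // three 10-point strings are present together with at least one 1-point
        // path, which is what is expressed directly here.
        all of ($a_01_0, $a_01_1, $a_01_2) and 1 of ($a_01_3, $a_01_4, $a_01_5)
}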