rule TrojanSpy_Win32_Hisbucken_A
{
    // Converted from a Microsoft Defender PEHSTR_EXT signature; the original
    // signature header blob is kept verbatim in `description` for traceability.
    meta:
        description = "TrojanSpy:Win32/Hisbucken.A,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0a 00 06 00 00 "

    strings:
        // Every pattern is UTF-16LE text. They are written as `wide` text
        // strings instead of the byte-for-byte equivalent hex sequences so
        // the indicators are readable; matching is case-sensitive (no `nocase`)
        // and wide-only (no `ascii`), exactly as the hex form was.

        // Weight 4 each. $a_01_0 and $a_01_1 are overlapping windows of one
        // longer hex-digit blob ("...58584641424479196947464730021E584A525..."),
        // so a sample carrying the full blob hits both and already scores 8.
        $a_01_0 = "8584641424479196947464730021E584A525" wide
        $a_01_1 = "58584641424479196947464730021E584A52" wide

        // Weight 4. Hard-coded database connection string with an embedded
        // `sa` login and the literal password `sa` -- the most specific
        // indicator in this rule and worth pivoting on during triage.
        $a_01_2 = "SOURCE=KRAKEN;UID=sa;DATABASE=kraken;PWD=sa" wide

        // Weight 2 each: short hex-digit fragments; on their own they sum to
        // only 6 and can never satisfy the condition.
        $a_01_3 = "90637D7366600264036C7C5920435F435656" wide
        $a_01_4 = "125E5D58577E07" wide
        $a_01_5 = "8445D455D" wide

    condition:
        // Weighted-presence score: `#x & 1` folds any number of occurrences
        // into 0/1 so each string counts once. The threshold of 10 is met by
        // 4+4+4, 4+4+2 or 4+2+2+2, i.e. at least one weight-4 string plus
        // enough companions; the three weight-2 strings alone are not enough.
        (
            (#a_01_0 & 1) * 4 +
            (#a_01_1 & 1) * 4 +
            (#a_01_2 & 1) * 4 +
            (#a_01_3 & 1) * 2 +
            (#a_01_4 & 1) * 2 +
            (#a_01_5 & 1) * 2
        ) >= 10
}