14 lines
552 B
Plaintext
14 lines
552 B
Plaintext
|
|
rule TrojanSpy_Win32_Keatep_E{
|
|
meta:
|
|
description = "TrojanSpy:Win32/Keatep.E,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {74 17 8b 55 f8 81 e2 ff ff 00 00 d1 fa 81 f2 01 a0 00 00 } //2
|
|
$a_01_1 = {6a 65 6f 52 33 57 71 31 00 } //2
|
|
$a_02_2 = {7c 24 70 61 73 73 3d 00 90 09 24 00 66 61 63 65 62 6f 6f 6b 2e } //1
|
|
$a_02_3 = {26 72 65 64 69 72 65 63 74 5f 74 6f 3d 00 00 00 50 4f 53 54 [0-8f] 77 70 2d 6c 6f 67 69 6e 2e } //1
|
|
condition:
|
|
((#a_00_0 & 1)*2+(#a_01_1 & 1)*2+(#a_02_2 & 1)*1+(#a_02_3 & 1)*1) >=5
|
|
|
|
} |