DefenderYara/TrojanSpy/Win32/Keylogger/TrojanSpy_Win32_Keylogger_B...


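// Defender signature TrojanSpy:Win32/Keylogger.BQ, rendered as YARA.
//
// The original signature is a weighted string set (PEHSTR_EXT): five
// strings carrying weights 2,2,2,1,1 with a hit threshold of 6. The header
// bytes kept in `description` ("06 00 06 00 05 00 00") presumably encode
// that threshold and the string count -- treat this reading as an
// assumption from the converter's format, not as documented fact.
//
// Review note: the machine conversion scores presence with `(#s & 1)`,
// i.e. the parity of the match count, so a string occurring an even number
// of times (2, 4, ...) contributed 0 and could silently drop a true
// positive. The condition below expresses the same 2/2/2/1/1 >= 6 score
// with plain presence tests, which has no such gap.
rule TrojanSpy_Win32_Keylogger_BQ
{
    meta:
        description = "TrojanSpy:Win32/Keylogger.BQ,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 05 00 00 "
        weighting   = "a_01_0..a_01_2 weight 2 each; a_01_3 and a_01_4 weight 1 each; threshold 6"

    strings:
        // Three NUL-terminated ASCII strings consisting only of upper-case
        // hex digits ("E22AFC12...", "75A97B82...", "FA7AABA8..."). The
        // rule does not reveal what they encode (hash, key or encrypted
        // blob are all plausible) -- do not infer semantics from them.
        $a_01_0 = {45 32 32 41 46 43 31 32 45 36 34 34 31 35 32 33 45 34 33 31 46 38 30 31 31 45 31 31 31 30 30 45 30 36 30 36 34 37 44 44 33 46 44 38 33 38 31 43 30 39 31 30 34 36 38 42 43 46 30 32 34 34 39 32 43 35 30 46 42 43 32 37 36 36 41 41 34 31 43 35 34 44 41 37 37 41 42 43 37 34 38 30 39 41 36 42 42 37 37 37 42 34 39 32 37 32 41 38 36 41 00 } // weight 2
        $a_01_1 = {37 35 41 39 37 42 38 32 39 32 36 46 42 36 34 45 44 42 35 31 46 34 33 32 46 38 30 35 31 42 46 45 31 46 46 37 31 46 30 46 31 33 30 41 30 30 31 45 46 41 31 39 46 35 36 33 39 34 33 39 39 46 32 37 42 41 31 45 41 41 33 38 41 44 34 31 44 36 32 33 46 36 30 30 33 41 45 42 30 39 31 45 00 } // weight 2
        $a_01_2 = {46 41 37 41 41 42 41 38 37 41 38 38 39 42 39 42 36 36 41 36 37 43 46 30 33 46 43 46 32 44 45 36 32 44 33 46 44 33 38 37 38 34 39 33 37 41 41 35 36 35 41 44 39 45 38 46 00 } // weight 2

        // Literal key-name tokens in braces. They look like the labels a
        // keystroke logger writes for non-printable keys, which fits the
        // family name, but that is an inference; only the bytes are certain.
        // Case-sensitive, ASCII only (hex strings take no modifiers).
        $a_01_3 = {7b 50 52 49 4e 54 20 53 43 52 45 45 4e 7d } // weight 1  "{PRINT SCREEN}"
        $a_01_4 = {7b 43 54 52 4c 2b 43 7d }                   // weight 1  "{CTRL+C}"

    condition:
        // Score >= 6 is reached only by: all three weight-2 strings (6),
        // or exactly two weight-2 strings plus both weight-1 tokens (4+2).
        // Two weight-2 strings with a single token score 5 and must not hit.
        all of ($a_01_0, $a_01_1, $a_01_2)
        or (2 of ($a_01_0, $a_01_1, $a_01_2) and $a_01_3 and $a_01_4)
}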