16 lines
779 B
Plaintext
16 lines
779 B
Plaintext
|
|
rule TrojanSpy_Win32_Seclining_gen_A{
|
|
meta:
|
|
description = "TrojanSpy:Win32/Seclining.gen!A,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0a 00 06 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {50 68 d9 03 00 00 68 ?? ?? ?? ?? 8b 8d ?? ?? ff ff 51 8b 55 dc 52 ff 15 ?? ?? ?? ?? 85 c0 74 09 81 7d fc d9 03 00 00 74 07 } //5
|
|
$a_01_1 = {e8 00 00 00 00 5d 81 ed 05 00 00 00 b8 59 00 00 00 01 e8 50 b8 44 33 22 11 ff d0 93 b8 ed 00 00 00 } //5
|
|
$a_00_2 = {74 79 70 65 3d 70 61 73 73 77 6f 72 64 00 } //1 祴数瀽獡睳牯d
|
|
$a_00_3 = {4c 6f 67 53 65 6e 64 00 } //1 潌卧湥d
|
|
$a_00_4 = {47 52 42 4d 41 47 49 43 00 } //1
|
|
$a_00_5 = {64 6f 69 63 61 72 65 00 } //1 潤捩牡e
|
|
condition:
|
|
((#a_03_0 & 1)*5+(#a_01_1 & 1)*5+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1) >=10
|
|
|
|
} |