DefenderYara/TrojanSpy/Win32/VB/TrojanSpy_Win32_VB_LA.yar


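// TrojanSpy:Win32/VB.LA — converted Defender PEHSTR_EXT signature.
// The header bytes kept in `description` (54 00 53 00 0c 00 00) appear to encode
// max score 0x54 = 84, threshold 0x53 = 83 and 0x0c = 12 strings, which matches
// the weights below (8 strings x 10 + 4 strings x 1 = 84). Scoring 83 therefore
// requires every 10-point string plus at least three of the four 1-point strings.
rule TrojanSpy_Win32_VB_LA
{
    meta:
        description = "TrojanSpy:Win32/VB.LA,SIGNATURE_TYPE_PEHSTR_EXT,54 00 53 00 0c 00 00 "

    strings:
        // Explorer\Advanced registry value names (UTF-16LE); these are the
        // values that control display of super-hidden files / file extensions.
        $a_01_0 = "Explorer\\Advanced\\ShowSuperHidden" wide        // weight 10
        $a_00_1 = "Explorer\\Advanced\\HideFileExt" wide            // weight 10
        // Network-related API names (connectivity check, download to cache).
        $a_01_2 = "InternetGetConnectedState" ascii                // weight 10
        $a_00_3 = "URLDownloadToCacheFileA" ascii                  // weight 10
        // "modKeys" followed by a NUL byte (original hex: 6d 6f 64 4b 65 79 73 00).
        // Looks like a VB module name; the NUL is part of the pattern, keep it.
        $a_01_4 = "modKeys\x00" ascii                              // weight 10
        // Keystroke-capture / injection API names.
        $a_00_5 = "GetAsyncKeyState" ascii                         // weight 10
        $a_00_6 = "keybd_event" ascii                              // weight 10
        // Log marker; note the trailing space is part of the pattern.
        $a_01_7 = "Start Log: " wide                               // weight 10
        // Low-weight artefacts: a Spanish "copy of explorer" marker, a
        // misspelled "Keylggr", and two GUID-shaped identifiers (not valid
        // GUIDs — they contain non-hex letters such as "OTRW", "VMVQ").
        $a_01_8 = "Copia de explorer" ascii                        // weight 1
        $a_01_9 = "Keylggr" wide                                   // weight 1
        $a_01_10 = "{GTDC6DJ0-OTRW-U5GH-S1EE-E0AC10B4E666}" wide   // weight 1
        $a_01_11 = "{F146C9B1-VMVQ-A9RC-FLUK-D0BA86B4E999}" wide   // weight 1

    condition:
        // The original weighted sum used (#str & 1) as a presence flag, but
        // `#str` is the MATCH COUNT, so `& 1` actually tests parity: a string
        // occurring an even number of times (e.g. once in the import table and
        // once as a literal) contributed 0 and the rule silently failed to
        // reach 83. The 83-of-84 threshold is expressed here as plain presence
        // checks, which is the intended semantics of the source signature.
        all of ($a_01_0, $a_00_1, $a_01_2, $a_00_3, $a_01_4, $a_00_5, $a_00_6, $a_01_7)
        and 3 of ($a_01_8, $a_01_9, $a_01_10, $a_01_11)
}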