18 lines
1.4 KiB
Plaintext
18 lines
1.4 KiB
Plaintext
|
|
rule TrojanSpy_Win32_Xegumumune_SP_MTB{
|
|
meta:
|
|
description = "TrojanSpy:Win32/Xegumumune.SP!MTB,SIGNATURE_TYPE_PEHSTR_EXT,12 00 12 00 08 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_81_0 = {2a 23 2a 31 37 32 2e 31 36 2e 38 39 2e 32 32 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 2a 23 2a } //03 00 *#*172.16.89.22XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX*#*
|
|
$a_81_1 = {2a 23 2a 61 62 75 32 30 32 30 35 38 35 38 40 67 6d 61 69 6c 2e 63 6f 6d 39 30 30 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2a 23 2a } //02 00 *#*abu20205858@gmail.com900------------------------------------*#*
|
|
$a_81_2 = {75 6e 69 6e 73 74 61 6c 6c 6d 73 66 69 6c 74 65 72 2e 65 78 65 } //02 00 uninstallmsfilter.exe
|
|
$a_81_3 = {75 6e 72 65 67 6d 61 69 6c 2e 62 61 74 } //02 00 unregmail.bat
|
|
$a_81_4 = {69 6d 6f 6e 6c 73 70 69 6e 73 36 34 2e 65 78 65 20 2d 70 20 2d 63 20 62 } //02 00 imonlspins64.exe -p -c b
|
|
$a_81_5 = {69 6e 73 74 61 6c 6c 5f 6c 73 70 2e 65 78 65 20 2d 70 } //02 00 install_lsp.exe -p
|
|
$a_81_6 = {6d 73 66 6c 74 74 72 61 6e 73 2e 65 78 65 20 49 4e 53 54 41 4c 4c 43 41 42 } //02 00 msflttrans.exe INSTALLCAB
|
|
$a_81_7 = {50 72 6f 63 47 75 61 72 64 2e 65 78 65 20 4e 4f 54 52 55 4e 45 58 45 } //00 00 ProcGuard.exe NOTRUNEXE
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |