17 lines
769 B
Plaintext
17 lines
769 B
Plaintext
|
|
rule VirTool_Win64_Injector_SA{
|
|
meta:
|
|
description = "VirTool:Win64/Injector.SA,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 07 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {b8 6b 00 00 00 66 89 84 24 ?? 01 00 00 b8 65 00 00 00 66 89 84 24 ?? 01 00 00 b8 72 00 00 00 66 89 84 24 ?? 01 00 00 b8 6e 00 00 00 } //3
|
|
$a_01_1 = {66 00 00 00 c7 44 24 48 0c 09 3d 00 } //2
|
|
$a_03_2 = {48 c7 84 24 ?? 01 00 00 00 00 00 00 48 c7 84 24 ?? 01 00 00 00 00 00 00 48 c7 84 24 ?? 01 00 00 00 00 00 00 c6 44 24 70 } //1
|
|
$a_01_3 = {ba 6e 09 1a 00 } //1
|
|
$a_01_4 = {ba 56 0c 38 00 } //1
|
|
$a_01_5 = {ba 56 60 0d 00 } //1
|
|
$a_01_6 = {ba c6 9e 46 03 } //1
|
|
condition:
|
|
((#a_03_0 & 1)*3+(#a_01_1 & 1)*2+(#a_03_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1) >=6
|
|
|
|
} |