14 lines
957 B
Plaintext
14 lines
957 B
Plaintext
|
|
rule VirTool_Win64_LzDump_A_MTB{
|
|
meta:
|
|
description = "VirTool:Win64/LzDump.A!MTB,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {48 c7 45 28 00 00 00 00 ff 15 ?? ?? ?? ?? 4c 8d ?? ?? ba 08 00 00 00 48 8b c8 ff 15 ?? ?? ?? ?? 85 c0 74 77 c7 45 64 04 00 00 00 48 8d ?? ?? 48 89 44 24 20 41 b9 04 00 00 00 4c 8d ?? ?? ba 14 00 00 00 48 8b 4d 28 ff } //1
|
|
$a_02_1 = {48 8b f8 33 c0 b9 38 02 00 00 f3 aa c7 45 50 38 02 00 00 48 8d ?? ?? ?? ?? ?? 48 89 85 a8 02 00 00 48 8d ?? ?? 48 8b 4d 28 e8 } //1
|
|
$a_02_2 = {c7 85 f8 00 00 00 00 00 00 00 c7 85 fc 00 00 00 00 00 00 00 c6 85 14 01 00 00 01 ff 15 ?? ?? ?? ?? 4c 8d ?? ?? ?? ?? ?? ba 20 00 00 00 48 8b c8 ff } //1
|
|
$a_00_3 = {48 c7 44 24 30 00 00 00 00 48 c7 44 24 28 00 00 00 00 48 c7 44 24 20 00 00 00 00 41 b9 02 00 00 00 4c 8b 85 28 01 00 00 8b 55 64 48 8b 8d 68 01 00 00 e8 } //1
|
|
condition:
|
|
((#a_02_0 & 1)*1+(#a_02_1 & 1)*1+(#a_02_2 & 1)*1+(#a_00_3 & 1)*1) >=4
|
|
|
|
} |