15 lines
890 B
Plaintext
15 lines
890 B
Plaintext
|
|
rule VirTool_Win64_Meteremulaprz_A_MTB{
|
|
meta:
|
|
description = "VirTool:Win64/Meteremulaprz.A!MTB,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {48 81 ec 78 01 00 00 48 c7 84 24 58 01 00 00 00 00 00 00 48 c7 84 24 68 01 00 00 00 00 00 00 c7 84 24 60 01 00 00 00 00 00 00 e8 ?? ?? ?? ?? 85 c0 } //1
|
|
$a_02_1 = {48 89 44 24 38 48 c7 44 24 28 00 00 00 00 b9 ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 89 44 24 28 } //1
|
|
$a_02_2 = {8b 84 24 50 01 00 00 4c 8d ?? ?? ?? ?? ?? ?? 41 b8 20 00 00 00 8b d0 48 8b 8c 24 58 01 00 00 ff } //1
|
|
$a_00_3 = {48 89 84 24 58 01 00 00 8b 84 24 50 01 00 00 44 8b c0 48 8d 54 24 30 48 8b 8c 24 58 01 00 00 e8 } //1
|
|
$a_00_4 = {48 c7 44 24 28 00 00 00 00 c7 44 24 20 00 00 00 00 45 33 c9 4c 8b 84 24 58 01 00 00 33 d2 33 c9 ff } //1
|
|
condition:
|
|
((#a_02_0 & 1)*1+(#a_02_1 & 1)*1+(#a_02_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=5
|
|
|
|
} |