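// Mechanical conversion of a Microsoft Defender PEHSTR_EXT signature for
// TrojanDownloader:Win32/Banload.BFR (a Brazilian banking-trojan downloader).
// The header bytes kept in `description` ("05 00 05 00 08 00") appear to
// encode a match threshold of 5 over 8 weighted strings; each string's
// trailing "//01 00" comment is its weight (1). The original condition
// (`any of ($a_*)`) discarded that threshold, so a single hit on a generic
// token such as "VERSAO=" would have fired the rule.
rule TrojanDownloader_Win32_Banload_BFR{
    meta:
        description = "TrojanDownloader:Win32/Banload.BFR,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 08 00 00 03 00 "

    strings :
        // C2 / check-in URL (plain ASCII). Treat as an IOC, not just a pattern.
        $a_01_0 = {31 37 37 2e 35 34 2e 31 34 37 2e 39 31 2f 68 61 6e 6b 2f 76 69 73 75 61 6c 2e 70 68 70 } //01 00 177.54.147.91/hank/visual.php
        // Portuguese UI/log string "Ativar Contador" ("activate counter").
        $a_01_1 = {41 74 69 76 61 72 20 43 6f 6e 74 61 64 6f 72 } //01 00 Ativar Contador
        // Check-in form fields: machine id, version, browser. Short and generic
        // on their own, which is why the threshold below matters.
        $a_81_2 = {49 44 5f 4d 41 51 55 49 4e 41 3d } //01 00 ID_MAQUINA=
        $a_81_3 = {56 45 52 53 41 4f 3d } //01 00 VERSAO=
        $a_81_4 = {4e 41 56 45 47 41 44 4f 52 3d } //01 00 NAVEGADOR=
        // Type-03 strings carried Defender wildcard escapes (90 01 10 = 16
        // arbitrary bytes, 90 02 10 = up to 16 more, 90 00 = terminator) that
        // the converter left as literal bytes, so these could never match.
        // Rewritten as YARA jumps on that reading -- TODO confirm the escape
        // semantics against the original signature before relying on them.
        // UTF-16LE "&AV=" ... UTF-16LE "visual.php"
        $a_03_5 = {26 00 41 00 56 00 3d 00 [16-32] 76 00 69 00 73 00 75 00 61 00 6c 00 2e 00 70 00 68 00 70 00 } //01 00
        // "appdata" ... "MediaX"
        $a_03_6 = {61 70 70 64 61 74 61 [16-32] 4d 65 64 69 61 58 } //01 00
        // "appdata" ... "PluginPlayer"
        $a_03_7 = {61 70 70 64 61 74 61 [16-32] 50 6c 75 67 69 6e 50 6c 61 79 65 72 } //00 00
        // Dropped: the converter also emitted `$a_00_8 = {80 10 00 00} //d2 64`.
        // The header declares 8 strings and that entry sat after the 00 00
        // terminator with a different comment shape, so it looks like trailing
        // signature bytes rather than content; as a 4-byte pattern common in PE
        // files it would only have added false positives.

    condition:
        // Threshold from the signature header (5 of 8, all weights 1).
        5 of ($a_*)
}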