DefenderYara/TrojanDropper/Win32/Protux/TrojanDropper_Win32_Protux_...


// Byte-pattern rule for the family named in the description field (TrojanDropper:Win32/Protux.A),
// carried over from a signature whose type is given there as SIGNATURE_TYPE_PEHSTR.
// It holds four hex patterns; the ASCII each one decodes to is written beside it.
// NOTE(review): the header bytes in the description ("04 00 04 00 04 00") together with the
// "01 00" trailer after each pattern look like a threshold of 4 over four weight-1 sub-strings.
// Confirm against the conversion tooling; if that reading is right, the condition below is
// looser than the source signature.
rule TrojanDropper_Win32_Protux_A{
meta:
description = "TrojanDropper:Win32/Protux.A,SIGNATURE_TYPE_PEHSTR,04 00 04 00 04 00 00 01 00 "
strings :
// NT-native registry path (\Registry\Machine is the HKLM hive), NUL-terminated.
$a_01_0 = {5c 52 65 67 69 73 74 72 79 5c 4d 61 63 68 69 6e 65 5c 53 79 73 74 65 6d 5c 4e 4f 44 33 32 4c 65 61 64 69 6e 67 00 } //01 00  ASCII: \Registry\Machine\System\NOD32Leading\0
// Second NT-native registry path, this one under SOFTWARE, NUL-terminated.
$a_01_1 = {5c 52 65 67 69 73 74 72 79 5c 4d 61 63 68 69 6e 65 5c 53 4f 46 54 57 41 52 45 5c 4e 6f 64 33 32 41 6e 64 52 75 6e 00 } //01 00  ASCII: \Registry\Machine\SOFTWARE\Nod32AndRun\0
// Three adjacent format strings; the last is a rundll32 command line naming a DLL export "TStartUp".
$a_01_2 = {25 73 20 25 73 20 31 00 25 73 20 25 73 20 30 00 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 22 25 73 22 2c 54 53 74 61 72 74 55 70 20 30 78 31 31 } //01 00  ASCII: %s %s 1\0 %s %s 0\0 rundll32.exe "%s",TStartUp 0x11
// Short path fragment and name, 17 bytes in total: the weakest of the four indicators on its own.
$a_01_3 = {5c 68 6f 6e 67 00 00 00 68 6f 6e 67 7a 69 6e 73 74 } //00 00  ASCII: \hong\0\0\0 hongzinst
condition:
// Fires when any single pattern is present; no file-type, size or count constraint is applied,
// so the rule also matches non-PE data (memory dumps, logs, reports quoting these strings).
// NOTE(review): for triage use, consider validating a stricter form against a known-good corpus,
// e.g. requiring an MZ header (uint16(0) == 0x5A4D) and all of ($a_*). This is a reviewer
// suggestion, not something the source signature on this page states.
any of ($a_*)
}