19 lines
1.8 KiB
Plaintext
19 lines
1.8 KiB
Plaintext
|
|
rule TrojanDownloader_Win32_AceLog_A_dha{
|
|
meta:
|
|
description = "TrojanDownloader:Win32/AceLog.A!dha,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 09 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {69 64 3d 25 73 90 01 01 25 73 23 25 75 26 63 6d 64 3d 79 00 90 00 } //2
|
|
$a_03_1 = {69 64 3d 25 73 23 25 73 23 25 90 01 01 26 63 75 72 72 65 6e 74 3d 25 73 26 74 6f 74 61 6c 3d 90 01 01 73 26 64 61 74 61 3d 00 90 00 } //2
|
|
$a_03_2 = {64 6d 63 62 6a 90 01 01 2e 64 6c 6c 00 00 64 00 6d 00 63 00 62 00 6a 00 65 90 01 01 2e 00 64 00 6c 00 6c 00 00 00 00 00 90 00 } //1
|
|
$a_03_3 = {43 4d 44 00 2d 00 2d 00 2d 00 2d 90 01 01 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 00 00 00 00 0d 00 0a 00 00 00 90 00 } //1
|
|
$a_03_4 = {69 6e 74 5f 6d 6f 64 2e 64 6c 90 01 01 00 52 75 6e 4d 6f 64 00 00 90 00 } //1
|
|
$a_03_5 = {54 00 45 00 53 00 54 00 00 90 01 01 00 00 50 00 4f 00 53 00 54 00 00 00 00 00 00 00 00 00 43 00 6f 00 6e 00 74 00 65 00 6e 00 74 00 2d 00 54 00 79 00 70 00 65 00 3a 00 20 00 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2f 00 78 00 2d 00 77 00 77 00 77 00 2d 00 90 00 } //1
|
|
$a_03_6 = {43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 90 01 01 20 00 46 00 69 00 6c 00 65 00 73 00 00 00 00 00 2a 00 00 00 2e 00 00 00 2e 00 2e 00 00 00 00 00 90 00 } //1
|
|
$a_03_7 = {2a 00 00 00 2e 00 00 00 2e 00 2e 90 01 01 00 00 00 00 73 79 73 74 65 6d 69 6e 66 6f 00 00 74 61 73 6b 6c 69 73 74 00 00 00 00 90 00 } //1
|
|
$a_03_8 = {52 00 55 00 4e 00 44 00 4c 00 90 01 01 00 33 00 32 00 2e 00 45 00 58 00 45 00 20 00 22 00 25 00 73 00 22 00 2c 00 20 00 23 00 31 00 00 00 63 6d 64 20 2f 90 01 01 20 44 45 4c 20 00 20 22 00 00 90 00 } //-10
|
|
condition:
|
|
((#a_03_0 & 1)*2+(#a_03_1 & 1)*2+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*1+(#a_03_6 & 1)*1+(#a_03_7 & 1)*1+(#a_03_8 & 1)*-10) >=2
|
|
|
|
} |