18 lines
1.9 KiB
Plaintext
18 lines
1.9 KiB
Plaintext
|
|
rule TrojanDownloader_Win32_Banload_AFI{
|
|
meta:
|
|
description = "TrojanDownloader:Win32/Banload.AFI,SIGNATURE_TYPE_PEHSTR_EXT,05 00 04 00 08 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {36 45 42 32 35 34 41 39 37 42 44 31 37 32 43 30 34 37 43 39 34 46 44 34 33 37 46 41 33 44 43 46 34 36 44 42 36 45 42 30 35 33 41 34 41 30 37 30 42 34 34 35 44 35 32 35 45 43 32 46 32 44 46 46 31 36 45 42 37 42 38 43 38 46 41 33 } //2 6EB254A97BD172C047C94FD437FA3DCF46DB6EB053A4A070B445D525EC2F2DFF16EB7B8C8FA3
|
|
$a_01_1 = {46 46 30 43 46 33 30 39 31 38 33 36 31 36 32 34 45 32 32 35 45 34 32 32 45 32 32 36 45 36 33 31 45 35 33 42 30 44 31 31 46 33 30 35 34 37 44 36 35 44 41 44 37 43 38 42 38 41 38 41 43 41 35 43 42 43 34 41 31 39 45 32 32 30 33 32 } //2 FF0CF30918361624E225E422E226E631E53B0D11F30547D65DAD7C8B8A8ACA5CBC4A19E22032
|
|
$a_01_2 = {30 38 30 30 33 37 43 37 34 41 44 42 33 41 46 45 30 39 31 43 46 43 33 44 45 33 33 39 43 41 35 34 43 36 35 35 45 37 33 35 44 37 35 42 } //1 080037C74ADB3AFE091CFC3DE339CA54C655E735D75B
|
|
$a_01_3 = {45 44 32 35 30 37 32 43 45 31 35 44 45 44 32 31 30 32 33 46 46 46 30 44 30 33 31 34 45 32 33 32 44 32 35 38 41 38 36 34 43 } //1 ED25072CE15DED21023FFF0D0314E232D258A864C
|
|
$a_01_4 = {34 39 46 38 33 42 45 30 35 34 43 46 36 32 44 35 37 46 42 41 37 42 38 30 39 30 36 32 42 30 34 30 44 43 32 32 46 32 32 45 46 } //1 49F83BE054CF62D57FBA7B809062B040DC22F22EF
|
|
$a_01_5 = {33 46 46 46 33 37 43 37 34 41 44 42 33 41 46 45 30 39 31 43 46 43 33 44 } //1 3FFF37C74ADB3AFE091CFC3D
|
|
$a_01_6 = {43 44 37 35 44 43 35 38 43 45 35 43 42 39 37 46 38 41 36 33 41 35 36 36 43 41 32 35 46 39 30 41 31 43 45 38 37 38 43 42 35 42 } //1 CD75DC58CE5CB97F8A63A566CA25F90A1CE878CB5B
|
|
$a_01_7 = {31 34 30 33 31 46 46 33 30 39 31 46 46 37 31 30 35 41 44 45 32 34 45 44 } //1 14031FF3091FF7105ADE24ED
|
|
condition:
|
|
((#a_01_0 & 1)*2+(#a_01_1 & 1)*2+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1) >=4
|
|
|
|
} |