
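// Detection rule for the Banload.BFR downloader family, converted from a Defender
// PEHSTR_EXT signature. Each string carries a weight (the trailing //N comment);
// the rule fires when the summed weight of the strings present reaches 5.
rule TrojanDownloader_Win32_Banload_BFR
{
    meta:
        // Tail of the description ("05 00 05 00 08 00 00") presumably carries the
        // source signature's threshold (5) and string count (8) fields — confirm against the converter.
        description = "TrojanDownloader:Win32/Banload.BFR,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 08 00 00 "

    strings:
        // Weight 3: download path used by the sample (IoC decoded from the hex bytes).
        $a_01_0 = {31 37 37 2e 35 34 2e 31 34 37 2e 39 31 2f 68 61 6e 6b 2f 76 69 73 75 61 6c 2e 70 68 70 } //3 177.54.147.91/hank/visual.php
        // Weight 1 each: ASCII markers of the beaconing/config strings.
        $a_01_1 = {41 74 69 76 61 72 20 43 6f 6e 74 61 64 6f 72 } //1 Ativar Contador
        $a_81_2 = {49 44 5f 4d 41 51 55 49 4e 41 3d } //1 ID_MAQUINA=
        $a_81_3 = {56 45 52 53 41 4f 3d } //1 VERSAO=
        $a_81_4 = {4e 41 56 45 47 41 44 4f 52 3d } //1 NAVEGADOR=
        // NOTE(review): the "90 01 10", "90 02 10" and trailing "90 00" bytes in the three
        // $a_03_* patterns look like the source signature's wildcard/jump encoding rather than
        // literal content — confirm with the converter. As written they only match literally.
        $a_03_5 = {26 00 41 00 56 00 3d 00 90 01 10 90 02 10 76 00 69 00 73 00 75 00 61 00 6c 00 2e 00 70 00 68 00 70 00 90 00 } //1 UTF-16LE "&AV=" ... "visual.php"
        $a_03_6 = {61 70 70 64 61 74 61 90 01 10 90 02 10 4d 65 64 69 61 58 90 00 } //1 "appdata" ... "MediaX"
        $a_03_7 = {61 70 70 64 61 74 61 90 01 10 90 02 10 50 6c 75 67 69 6e 50 6c 61 79 65 72 90 00 } //1 "appdata" ... "PluginPlayer"

    condition:
        // Weighted-presence threshold: $a_01_0 scores 3, every other string 1, total >= 5.
        // Written as presence tests instead of "(#x & 1)*w": "#x" is the occurrence count and
        // "& 1" takes its parity, so a string found an even number of times contributed 0.
        // Score >= 5 is reachable either as 3 + two singles, or as five singles without $a_01_0.
        ( $a_01_0 and 2 of ($a_01_1, $a_81_2, $a_81_3, $a_81_4, $a_03_5, $a_03_6, $a_03_7) )
        or 5 of ($a_01_1, $a_81_2, $a_81_3, $a_81_4, $a_03_5, $a_03_6, $a_03_7)
}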