17 lines
1.2 KiB
Plaintext
17 lines
1.2 KiB
Plaintext
|
|
rule TrojanDownloader_Win32_Cutwail_BW{
|
|
meta:
|
|
description = "TrojanDownloader:Win32/Cutwail.BW,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 07 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {6a 00 ff 75 08 6a 00 6a 00 68 00 00 00 80 68 00 00 00 80 68 00 00 00 80 68 00 00 00 80 68 00 00 cf 00 } //1
|
|
$a_03_1 = {81 c6 ca 01 00 00 90 09 0e 00 b9 00 90 01 03 c1 e9 02 90 00 } //1
|
|
$a_03_2 = {ff ff ad 33 85 90 01 02 ff ff ab e2 90 09 0a 00 05 90 01 04 50 8f 85 90 00 } //1
|
|
$a_03_3 = {04 83 e9 08 83 c3 08 0f b7 03 a9 00 30 00 00 74 90 01 01 25 ff 0f 00 00 03 90 04 01 02 45 65 08 03 c6 29 10 83 c3 02 83 e9 02 90 00 } //1
|
|
$a_03_4 = {c1 e3 10 b9 ff ff 00 00 53 e8 90 01 01 90 17 03 03 03 03 fe ff ff ff ff ff 01 00 00 90 03 01 03 3d 97 81 ff 90 01 04 75 90 04 01 02 03 06 89 90 17 04 02 02 02 05 5d c4 5d d4 5d fc 9d 78 fe ff ff 43 e2 90 04 01 03 ea eb ed 61 90 00 } //1
|
|
$a_03_5 = {58 bb 0d 66 19 00 33 d2 f7 e3 05 5f f3 6e 3c 89 45 90 01 01 ad 33 45 90 01 01 ab e2 e4 b8 00 90 04 01 02 6a 6e 00 00 90 00 } //1
|
|
$a_01_6 = {33 c0 f3 a4 5e 56 33 c9 66 8b 4e 06 81 c6 f8 00 00 00 8b } //1
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*1+(#a_01_6 & 1)*1) >=4
|
|
|
|
} |