18 lines
1.8 KiB
Plaintext
18 lines
1.8 KiB
Plaintext
|
|
rule TrojanDownloader_Win32_Radrawtion_A{
|
|
meta:
|
|
description = "TrojanDownloader:Win32/Radrawtion.A,SIGNATURE_TYPE_PEHSTR_EXT,0a 00 0a 00 08 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {80 74 0c 14 90 01 01 8d 44 24 14 83 c1 01 8d 70 01 8a 10 83 c0 01 84 d2 75 f7 2b c6 3b c8 72 e2 90 00 } //1
|
|
$a_01_1 = {6d 71 71 75 3f 2a 2a 72 72 72 2b 6f 6f 64 6b 63 6c 69 60 2b 66 6a 2b 6e 77 2a } //1 mqqu?**rrr+oodkcli`+fj+nw*
|
|
$a_11_2 = {74 74 70 3a 2f 2f 77 77 77 2e 6a 6a 61 6e 66 69 6c 65 2e 63 6f 2e 6b 72 2f 01 } //2
|
|
$a_70_3 = {61 } //4608 a
|
|
$a_2a_4 = {6c 6b 71 77 64 77 6a 64 61 2a 02 00 12 11 75 70 64 61 74 65 2f 77 69 6e 74 72 61 72 6f 61 64 2f 02 00 0e 01 43 77 69 6e 74 72 61 72 6f 61 64 41 70 70 02 00 0b 01 77 69 6e 74 72 61 72 6f 61 64 00 01 00 17 01 68 cc ea 43 00 51 ff 15 18 90 43 00 68 d0 07 00 00 ff 15 bc 92 43 00 00 00 5d 04 } //29028
|
|
$a_44_5 = {80 5c 27 00 00 7c 44 02 80 00 00 01 00 22 00 11 00 cc 21 56 42 49 6e 6a 65 63 74 2e 67 65 6e 21 44 48 00 00 01 40 05 82 31 00 04 00 78 75 00 00 03 00 03 00 04 00 00 01 00 0c 01 ff 94 08 00 28 02 aa 99 08 00 50 01 01 00 0f 03 f3 c3 00 fc 0d 90 02 30 f3 cc 00 fc 0d 90 00 01 00 1c 03 80 0c 00 fc 90 90 fd d0 08 00 90 01 01 00 fb 11 94 08 00 90 01 01 00 80 0c 00 90 00 } //0
|
|
$a_03_6 = {ff f5 f8 00 00 00 aa f5 28 00 00 00 6c 90 01 01 ff b2 aa f5 90 04 01 02 0c 14 00 00 00 aa 90 09 02 00 6c 90 00 } //1
|
|
$a_04_7 = {00 00 7c 44 02 80 5c 21 00 00 7d 44 02 80 00 00 01 00 05 00 0b 00 a4 21 50 72 6f 6c 61 63 6f 2e 4f 00 00 01 40 05 82 64 00 04 00 67 16 00 00 91 c6 65 75 73 bf 8f 60 37 d3 94 b6 00 60 08 00 01 20 15 2b 60 dc 5d 04 00 00 7d 44 02 80 5c 22 00 00 80 44 02 80 00 00 01 00 05 00 0c 00 } //1
|
|
condition:
|
|
((#a_03_0 & 1)*1+(#a_01_1 & 1)*1+(#a_11_2 & 1)*2+(#a_70_3 & 1)*4608+(#a_2a_4 & 1)*29028+(#a_44_5 & 1)*0+(#a_03_6 & 1)*1+(#a_04_7 & 1)*1) >=10
|
|
|
|
} |