DefenderYara/TrojanDownloader/Win32/Spycos/TrojanDownloader_Win32_Spyc...


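// TrojanDownloader:Win32/Spycos.E -- static string signature.
//
// Matches when at least four of the six NUL-terminated byte strings below are
// present in the scanned data. Every string carries weight 1 (the trailing
// "//1" on each line), so the weighted sum is simply "how many are present".
//
// Fix: the previous condition summed (#s & 1)*1, i.e. the LOW BIT of each
// string's occurrence count. A string that occurs an even number of times
// (twice, for example) contributed 0, so a sample could fall below the
// threshold even though the strings were there. Presence is counted now.
//
// NOTE(review): $a_01_4 is an ordinary WinINet import name that also appears
// in benign software. With a 4-of-6 threshold a match still needs at least
// three of the other five strings, which keeps it from firing on that alone.
// NOTE(review): the signature type is PEHSTR, but nothing here restricts the
// match to PE files. Add an MZ/PE header gate only if memory dumps and carved
// buffers do not need to be scanned -- TODO confirm the intended scan targets.
rule TrojanDownloader_Win32_Spycos_E{
    meta:
        // NOTE(review): the bytes after SIGNATURE_TYPE_PEHSTR presumably encode
        // the threshold (04) and string count (06) -- TODO confirm the layout.
        description = "TrojanDownloader:Win32/Spycos.E,SIGNATURE_TYPE_PEHSTR,06 00 04 00 06 00 00 "
    strings:
        // ASCII "instalerzecpl.cpl" + NUL (a Control Panel applet file name).
        $a_01_0 = {69 6e 73 74 61 6c 65 72 7a 65 63 70 6c 2e 63 70 6c 00 } //1
        // ASCII "em3cy4LmSoPRDPvV4tTQtA==" + NUL. Base64-shaped; presumably an
        // encoded or encrypted value -- its plaintext is not shown on this page.
        $a_01_1 = {65 6d 33 63 79 34 4c 6d 53 6f 50 52 44 50 76 56 34 74 54 51 74 41 3d 3d 00 } //1
        // ASCII "Q3btaPCldIbw+bocz76CwJde6pxbZRAacSwet+Ypz58=" + NUL. Base64-shaped,
        // same caveat as above.
        $a_01_2 = {51 33 62 74 61 50 43 6c 64 49 62 77 2b 62 6f 63 7a 37 36 43 77 4a 64 65 36 70 78 62 5a 52 41 61 63 53 77 65 74 2b 59 70 7a 35 38 3d 00 } //1
        // ASCII "LYaygqc7fkfxpBh4Z7wwjw==" + NUL. Base64-shaped, same caveat.
        $a_01_3 = {4c 59 61 79 67 71 63 37 66 6b 66 78 70 42 68 34 5a 37 77 77 6a 77 3d 3d 00 } //1
        // ASCII "InternetOpenUrlA" + NUL (WinINet API name; weak on its own).
        $a_01_4 = {49 6e 74 65 72 6e 65 74 4f 70 65 6e 55 72 6c 41 00 } //1
        // ASCII "INOVANDOOOO..." + NUL.
        $a_01_5 = {49 4e 4f 56 41 4e 44 4f 4f 4f 4f 2e 2e 2e 00 } //1
    condition:
        // Presence-based threshold: any four of the six strings, regardless of
        // how many times each one occurs.
        4 of ($a_01_*)
}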