DefenderYara/Backdoor/Win32/Refpron/Backdoor_Win32_Refpron_D.yar


// Backdoor:Win32/Refpron.D — a YARA port of a Microsoft Defender PEHSTR_EXT
// signature (the `description` meta carries the original signature header).
// The `$a_NN_i` string names and the trailing `//NN 00` comments come from the
// conversion; the `//NN 00` values appear to be per-string weights from the
// source signature. The `any of` condition below does not apply them, so this
// port fires on any single string and is looser than the Defender signature —
// confirm against the converter's documentation before relying on it for
// anything beyond hunting/triage.
rule Backdoor_Win32_Refpron_D{
meta:
description = "Backdoor:Win32/Refpron.D,SIGNATURE_TYPE_PEHSTR_EXT,0b 00 0a 00 08 00 00 02 00 "
strings :
// x86 code fragment; the fixed bytes decode as:
//   c7 40 7c 88 13 00 00   mov dword [eax+0x7c], 0x1388
//   8b 45 ..               mov eax, [ebp+disp8]
//   c7 40 78 35 00 00 00   mov dword [eax+0x78], 0x35
//   8b 45 ..               mov eax, [ebp+disp8]
//   83 c0 74               add eax, 0x74
//   8b 55 f8               mov edx, [ebp-8]
//   e8                     call rel32
// NOTE(review): the `90 01 01` after each `8b 45` and the closing `90 00` look like
// unconverted wildcard/terminator markers carried over from the source signature rather
// than literal opcode bytes; as written YARA matches them literally — verify with the
// converter before treating this string as equivalent to the original.
$a_03_0 = {c7 40 7c 88 13 00 00 8b 45 90 01 01 c7 40 78 35 00 00 00 8b 45 90 01 01 83 c0 74 8b 55 f8 e8 90 00 } //07 00
// ASCII: "VbBE6l5OUjULE3RKCqEUPpgod5Hy9c6qhN5nXu4fCR8e8rIrOnIjbZ4Xz3Z6JfqRydnBm2CH+DbWz6H\0"
// followed by two strings each preceded by `ff ff ff ff 12 00 00 00` (0x12 = 18, the length of
// both names — presumably a refcount/length string header; confirm): "WarnOnZoneCrossing"
// and "WarnOnPostRedirect", which match Internet Explorer settings value names.
$a_01_1 = {56 62 42 45 36 6c 35 4f 55 6a 55 4c 45 33 52 4b 43 71 45 55 50 70 67 6f 64 35 48 79 39 63 36 71 68 4e 35 6e 58 75 34 66 43 52 38 65 38 72 49 72 4f 6e 49 6a 62 5a 34 58 7a 33 5a 36 4a 66 71 52 79 64 6e 42 6d 32 43 48 2b 44 62 57 7a 36 48 00 ff ff ff ff 12 00 00 00 57 61 72 6e 4f 6e 5a 6f 6e 65 43 72 6f 73 73 69 6e 67 00 00 ff ff ff ff 12 00 00 00 57 61 72 6e 4f 6e 50 6f 73 74 52 65 64 69 72 65 63 74 00 00 } //02 00
// ASCII below; shares the 25-character prefix "VbBE6l5OUjULE3RKCqEUPpgod" with $a_01_1.
$a_01_2 = {56 62 42 45 36 6c 35 4f 55 6a 55 4c 45 33 52 4b 43 71 45 55 50 70 67 6f 64 42 6d 48 53 35 6d 4e 75 58 73 4b 39 64 64 64 68 38 51 38 4c 31 67 75 69 74 32 74 75 6e 4c } //01 00 VbBE6l5OUjULE3RKCqEUPpgodBmHS5mNuXsK9dddh8Q8L1guit2tunL
// ASCII: "\0Disable Script Debugger\0" — matches an Internet Explorer settings value name.
$a_00_3 = {00 44 69 73 61 62 6c 65 20 53 63 72 69 70 74 20 44 65 62 75 67 67 65 72 00 } //01 00
// ASCII: "\0netstat -a -n -p tcp | findstr LISTENING\0" — a shell command line that lists
// listening TCP sockets; useful context for process-creation telemetry if this sample runs.
$a_00_4 = {00 6e 65 74 73 74 61 74 20 2d 61 20 2d 6e 20 2d 70 20 74 63 70 20 7c 20 66 69 6e 64 73 74 72 20 4c 49 53 54 45 4e 49 4e 47 00 } //01 00
// ASCII: "\0ERROaR:m" — looks like a fragment of a longer or interleaved string.
$a_00_5 = {00 45 52 52 4f 61 52 3a 6d } //01 00
// ASCII: "R:FenbXiAds_Packa_ge:\0" (the bytes are single-byte ASCII, not UTF-16).
$a_00_6 = {52 3a 46 65 6e 62 58 69 41 64 73 5f 50 61 63 6b 61 5f 67 65 3a 00 } //01 00 R:FenbXiAds_Packa_ge:
// ASCII: "OR:R_U_N_A_D_S:\0" (the bytes are single-byte ASCII, not UTF-16).
$a_00_7 = {4f 52 3a 52 5f 55 5f 4e 5f 41 5f 44 5f 53 3a 00 } //00 00 OR:R_U_N_A_D_S:
condition:
// Any single string is enough to match; the per-string weights and threshold of the
// source signature are not enforced here.
any of ($a_*)
}