DefenderYara/Backdoor/Win32/Refpron/Backdoor_Win32_Refpron_K.yar


// Detection signature for Backdoor:Win32/Refpron.K, converted from a Microsoft
// Defender PEHSTR_EXT signature (see the meta description). The four byte
// patterns below are the raw string records; the `90 xx` byte groups inside
// $a_02_1 and $a_03_2 look like Defender's own wildcard/jump encoding rather
// than YARA `??` / `[n-m]` syntax. NOTE(review): confirm how those were
// converted — taken as literal bytes they are unlikely to occur in the target.
rule Backdoor_Win32_Refpron_K{
meta:
// NOTE(review): "05 00 05 00 04 00 00 02 00" appears to be the original
// signature header (match threshold, string count, first string weight) and
// the trailing "//NN 00" comment on each string the weight of the following
// record — verify against the converter before relying on this reading.
description = "Backdoor:Win32/Refpron.K,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 04 00 00 02 00 "
strings :
// x86 code fragment that looks like a byte-at-a-time transform loop: load a
// byte, xor it with the high byte of a 16-bit value, store it back, then
// step that value with imul 0xce6d / add 0x58bf and loop on dec word [esp] / jnz.
$a_00_0 = {8a 54 2a ff 0f b7 cf c1 e9 08 32 d1 88 54 28 ff 8b 06 0f b6 44 28 ff 66 03 f8 66 69 c7 6d ce 66 05 bf 58 8b f8 43 66 ff 0c 24 75 } //02 00
// ASCII "\0Set " ... "File " ... "Time " ... "Successfully!!!\0", with a
// `90 0e 04 00` group between the words (presumably a 4-byte wildcard run)
// and a `90 00` terminator.
$a_02_1 = {00 53 65 74 20 90 0e 04 00 46 69 6c 65 20 90 0e 04 00 54 69 6d 65 20 90 0e 04 00 53 75 63 63 65 73 73 66 75 6c 6c 79 21 21 21 00 90 00 } //01 00
// Short code stub: push 0x1000, a `90 02 04` group (presumably a 0-4 byte
// jump), then push 0 / push 6 / mov eax,[imm32]. Only about a dozen literal
// bytes of generic-looking code — weak as a standalone indicator.
$a_03_2 = {03 00 68 00 10 00 00 90 02 04 6a 00 6a 06 a1 90 00 } //01 00
// Dword-strided characters (c \ P h y s a l M m o r) each followed by
// `02 00 00 00`; what structure produces this layout is not evident from the
// rule alone.
$a_01_3 = {63 00 00 00 02 00 00 00 5c 00 00 00 02 00 00 00 50 00 00 00 02 00 00 00 68 00 00 00 02 00 00 00 79 00 00 00 02 00 00 00 73 00 00 00 02 00 00 00 61 00 00 00 02 00 00 00 6c 00 00 00 02 00 00 00 4d 00 00 00 02 00 00 00 6d 00 00 00 02 00 00 00 6f 00 00 00 02 00 00 00 72 00 } //00 00
condition:
// NOTE(review): `any of` fires on a single string. If the header reading above
// is right, the source signature needed a weighted sum of 5 (i.e. $a_00_0 and
// $a_02_1 plus one more), so this translation is looser than the original and
// the short $a_03_2 stub alone may produce false positives. Consider requiring
// $a_00_0 or $a_02_1 together with at least one other string.
any of ($a_*)
}