13 lines
419 B
Plaintext
13 lines
419 B
Plaintext
|
|
rule Backdoor_Win32_ShadowHammer__ShadowHammer{
|
|
meta:
|
|
description = "Backdoor:Win32/ShadowHammer!!ShadowHammer.C!dha,SIGNATURE_TYPE_ARHSTR_EXT,1e 00 1e 00 03 00 00 0a 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {da b6 ac e6 c7 90 02 05 c2 5c 37 99 90 00 } //0a 00
|
|
$a_03_1 = {59 77 ba a3 c7 90 02 05 f8 ce 0c a1 90 00 } //0a 00
|
|
$a_03_2 = {ad e6 2a 25 c7 90 02 05 7a df 11 84 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |