16 lines
593 B
Plaintext
16 lines
593 B
Plaintext
|
|
rule HackTool_Win32_Vncpwdump_dha{
|
|
meta:
|
|
description = "HackTool:Win32/Vncpwdump!dha,SIGNATURE_TYPE_PEHSTR,64 00 64 00 05 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {5c 5c 2e 5c 70 69 70 65 5c 76 6e 63 64 75 6d 70 2d 25 64 } //01 00 \\.\pipe\vncdump-%d
|
|
$a_01_1 = {76 6e 63 64 75 6d 70 64 6c 6c 2e 64 6c 6c } //01 00 vncdumpdll.dll
|
|
$a_01_2 = {49 6e 6a 65 63 74 44 6c 6c } //01 00 InjectDll
|
|
$a_01_3 = {76 6e 63 5f 68 61 78 78 6f 72 } //01 00 vnc_haxxor
|
|
$a_01_4 = {56 4e 43 50 77 64 75 6d 70 } //00 00 VNCPwdump
|
|
$a_01_5 = {00 5d 04 00 00 } //9b 36
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |