14 lines
1.5 KiB
Plaintext
14 lines
1.5 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Emotet_ARA_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Emotet.ARA!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 04 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {77 22 26 22 77 22 26 22 77 2e 66 6c 22 26 22 61 73 22 26 22 68 2d 69 22 26 22 6e 22 26 22 63 2e 63 22 26 22 6f 6d 2f 67 22 26 22 72 6f 22 26 22 75 70 2f 69 22 26 22 67 69 22 26 22 72 6c 2f 63 22 26 22 73 73 2f 51 22 26 22 71 6f 22 26 22 56 } //01 00 w"&"w"&"w.fl"&"as"&"h-i"&"n"&"c.c"&"om/g"&"ro"&"up/i"&"gi"&"rl/c"&"ss/Q"&"qo"&"V
|
|
$a_01_1 = {69 70 22 26 22 61 62 22 26 22 6f 67 22 26 22 61 64 22 26 22 6f 73 2e 63 22 26 22 6c 2f 6a 22 26 22 73 2f 68 22 26 22 68 48 22 26 22 57 38 22 26 22 43 6c 22 26 22 44 32 22 26 22 6a 37 22 26 22 73 59 22 26 22 63 53 22 26 22 6b 4e 22 26 22 75 } //01 00 ip"&"ab"&"og"&"ad"&"os.c"&"l/j"&"s/h"&"hH"&"W8"&"Cl"&"D2"&"j7"&"sY"&"cS"&"kN"&"u
|
|
$a_01_2 = {68 6f 22 26 22 73 70 22 26 22 69 74 22 26 22 61 6c 22 26 22 64 22 26 22 73 69 22 26 22 74 67 22 26 22 65 73 2e 63 22 26 22 61 22 26 22 74 2f 4f 22 26 22 4c 22 26 22 44 5f 42 4f 22 26 22 52 52 22 26 22 41 52 2f 63 22 26 22 65 43 22 26 22 43 36 22 26 22 53 50 22 26 22 4d 75 22 26 22 65 } //01 00 ho"&"sp"&"it"&"al"&"d"&"si"&"tg"&"es.c"&"a"&"t/O"&"L"&"D_BO"&"RR"&"AR/c"&"eC"&"C6"&"SP"&"Mu"&"e
|
|
$a_01_3 = {6a 22 26 22 61 6e 22 26 22 6c 61 2e 64 22 26 22 6b 2f 49 22 26 22 6e 64 22 26 22 65 78 5f 68 22 26 22 74 6d 5f 66 69 22 26 22 6c 65 22 26 22 73 2f 48 22 26 22 6c 2f 22 2c } //00 00 j"&"an"&"la.d"&"k/I"&"nd"&"ex_h"&"tm_fi"&"le"&"s/H"&"l/",
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |