14 lines
1.6 KiB
Plaintext
14 lines
1.6 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Emotet_AZPD_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Emotet.AZPD!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 04 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {3a 2f 2f 77 22 26 22 65 62 22 26 22 6f 63 75 22 26 22 6c 74 22 26 22 61 2e 63 22 26 22 6f 22 26 22 6d 2f 63 22 26 22 73 22 26 22 73 2f 62 22 26 22 33 4c 22 26 22 66 6f 22 26 22 6f 71 22 26 22 33 37 22 26 22 47 6c 22 26 22 34 44 2f } //01 00 ://w"&"eb"&"ocu"&"lt"&"a.c"&"o"&"m/c"&"s"&"s/b"&"3L"&"fo"&"oq"&"37"&"Gl"&"4D/
|
|
$a_01_1 = {3a 2f 2f 77 22 26 22 77 22 26 22 77 2e 69 22 26 22 6e 67 22 26 22 72 6f 22 26 22 75 70 22 26 22 63 6f 22 26 22 6e 73 22 26 22 75 6c 22 26 22 74 2e 63 22 26 22 6f 22 26 22 6d 2f 69 22 26 22 6d 61 22 26 22 67 65 22 26 22 73 2f 72 22 26 22 31 55 22 26 22 41 37 22 26 22 5a 52 22 26 22 52 52 22 26 22 30 36 2f } //01 00 ://w"&"w"&"w.i"&"ng"&"ro"&"up"&"co"&"ns"&"ul"&"t.c"&"o"&"m/i"&"ma"&"ge"&"s/r"&"1U"&"A7"&"ZR"&"RR"&"06/
|
|
$a_01_2 = {3a 2f 2f 63 22 26 22 68 6f 22 26 22 62 65 22 26 22 6d 61 22 26 22 73 74 22 26 22 65 72 2e 63 22 26 22 6f 22 26 22 6d 2f 63 22 26 22 6f 6d 22 26 22 70 6f 22 26 22 6e 65 22 26 22 6e 74 22 26 22 73 2f 48 22 26 22 4b 53 22 26 22 52 6a 22 26 22 65 59 22 26 22 42 2f } //01 00 ://c"&"ho"&"be"&"ma"&"st"&"er.c"&"o"&"m/c"&"om"&"po"&"ne"&"nt"&"s/H"&"KS"&"Rj"&"eY"&"B/
|
|
$a_01_3 = {3a 2f 2f 70 22 26 22 72 69 22 26 22 6d 65 22 26 22 66 69 22 26 22 6e 64 2e 63 22 26 22 6f 22 26 22 6d 2f 6d 22 26 22 79 5f 70 22 26 22 69 63 22 26 22 74 75 22 26 22 72 65 22 26 22 73 2f 64 22 26 22 6f 22 26 22 68 2f } //00 00 ://p"&"ri"&"me"&"fi"&"nd.c"&"o"&"m/m"&"y_p"&"ic"&"tu"&"re"&"s/d"&"o"&"h/
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |