14 lines
1.4 KiB
Plaintext
14 lines
1.4 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Emotet_PDED_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Emotet.PDED!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 04 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {3a 2f 2f 63 61 73 68 6d 61 69 6c 73 79 73 74 65 6d 2e 63 6f 6d 2f 75 70 6c 6f 61 64 2f 58 6d 50 53 47 4c 63 79 67 52 37 2f } //01 00 ://cashmailsystem.com/upload/XmPSGLcygR7/
|
|
$a_01_1 = {3a 22 26 22 2f 22 26 22 2f 69 22 26 22 6e 67 22 26 22 65 6c 22 26 22 73 65 2e 6e 22 26 22 65 22 26 22 74 2f 6e 22 26 22 64 4d 22 26 22 6d 71 22 26 22 78 68 2f } //01 00 :"&"/"&"/i"&"ng"&"el"&"se.n"&"e"&"t/n"&"dM"&"mq"&"xh/
|
|
$a_01_2 = {3a 22 26 22 2f 22 26 22 2f 6b 22 26 22 77 69 22 26 22 63 6b 22 26 22 63 6f 22 26 22 6e 6e 22 26 22 65 63 22 26 22 74 2e 63 22 26 22 6f 22 26 22 6d 2f 69 22 26 22 6d 2d 6d 22 26 22 65 73 22 26 22 73 65 22 26 22 6e 67 22 26 22 65 72 2f 53 22 26 22 7a 72 22 26 22 62 39 22 26 22 45 74 22 26 22 68 4f 22 26 22 58 39 22 26 22 31 2f } //01 00 :"&"/"&"/k"&"wi"&"ck"&"co"&"nn"&"ec"&"t.c"&"o"&"m/i"&"m-m"&"es"&"se"&"ng"&"er/S"&"zr"&"b9"&"Et"&"hO"&"X9"&"1/
|
|
$a_01_3 = {3a 22 26 22 2f 22 26 22 2f 6d 22 26 22 61 6e 22 26 22 63 68 22 26 22 65 73 22 26 22 74 65 22 26 22 72 73 22 26 22 6c 74 2e 63 22 26 22 6f 2e 75 22 26 22 6b 2f 61 2d 74 6f 2d 7a 2d 6f 66 2d 73 22 26 22 6c 22 26 22 74 2f 78 22 26 22 4f 67 22 26 22 77 2f } //00 00 :"&"/"&"/m"&"an"&"ch"&"es"&"te"&"rs"&"lt.c"&"o.u"&"k/a-to-z-of-s"&"l"&"t/x"&"Og"&"w/
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |