
// Detection rule for the Emotet Office-macro (O97M) downloader variant
// TrojanDownloader:O97M/Emotet.PPD!MTB.
// Each $a_* string is the hex encoding of an ASCII fragment of a download URL
// as it appears in the macro source, split into short pieces joined by "&"
// (presumably VBA string concatenation used to obfuscate the URL); the decoded
// text is shown in the trailing comment on each line. The match is on the exact
// split form, so the rule is specific to the obfuscation layout of these samples.
rule TrojanDownloader_O97M_Emotet_PPD_MTB{
meta:
// Detection name plus the Defender signature type and header bytes this rule was
// derived from (SIGNATURE_TYPE_MACROHSTR_EXT); kept verbatim from the source.
description = "TrojanDownloader:O97M/Emotet.PPD!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 06 00 00 01 00 "
strings :
// Hex strings are exact, case-sensitive byte matches with no wildcards. The
// "//01 00 ..." / "//00 00 ..." tail on each line looks like converter output:
// a per-string flag followed by the decoded ASCII — confirm against the
// generator if the flag value matters.
$a_01_0 = {3a 2f 2f 63 22 26 22 6f 6e 22 26 22 74 72 22 26 22 69 64 2e 63 22 26 22 6f 22 26 22 6d 2f 36 76 22 26 22 77 22 26 22 6b 51 6d 22 26 22 52 22 26 22 55 2f } //01 00 ://c"&"on"&"tr"&"id.c"&"o"&"m/6v"&"w"&"kQm"&"R"&"U/
$a_01_1 = {3a 2f 2f 63 74 22 26 22 66 69 6c 22 26 22 6d 73 2e 63 22 26 22 6f 6d 2f 6b 22 26 22 73 2f 32 79 22 26 22 67 4a 75 22 26 22 47 56 22 26 22 30 2f } //01 00 ://ct"&"fil"&"ms.c"&"om/k"&"s/2y"&"gJu"&"GV"&"0/
$a_01_2 = {3a 2f 2f 63 6f 22 26 22 72 64 22 26 22 63 6c 69 70 22 26 22 73 6f 22 26 22 72 67 22 26 22 61 22 26 22 6e 69 7a 22 26 22 65 72 2e 63 22 26 22 6f 22 26 22 6d 2f 63 22 26 22 61 22 26 22 62 6c 22 26 22 65 2d 68 22 26 22 6f 6c 22 26 22 64 65 22 26 22 72 2d 32 22 26 22 65 2f 61 2f } //01 00 ://co"&"rd"&"clip"&"so"&"rg"&"a"&"niz"&"er.c"&"o"&"m/c"&"a"&"bl"&"e-h"&"ol"&"de"&"r-2"&"e/a/
$a_01_3 = {3a 2f 2f 64 22 26 22 61 68 22 26 22 69 61 22 26 22 6b 22 26 22 61 2e 63 22 26 22 6f 6d 2f 44 22 26 22 4e 22 26 22 44 2f 4a 22 26 22 75 42 22 26 22 6c 22 26 22 4f 22 26 22 69 54 38 22 26 22 49 78 22 26 22 6a 2f } //01 00 ://d"&"ah"&"ia"&"k"&"a.c"&"om/D"&"N"&"D/J"&"uB"&"l"&"O"&"iT8"&"Ix"&"j/
$a_01_4 = {3a 2f 2f 77 22 26 22 77 22 26 22 77 2e 63 22 26 22 6f 6c 22 26 22 66 69 6e 22 26 22 63 61 22 26 22 73 2e 63 22 26 22 6f 22 26 22 6d 2f 74 22 26 22 6d 70 2f 46 76 22 26 22 79 4c 22 26 22 73 2f } //01 00 ://w"&"w"&"w.c"&"ol"&"fin"&"ca"&"s.c"&"o"&"m/t"&"mp/Fv"&"yL"&"s/
// Unlike the others, this fragment also splits the "://" scheme separator,
// so it will not share a common prefix match with $a_01_0..$a_01_4.
$a_01_5 = {3a 2f 22 26 22 2f 63 22 26 22 6f 22 26 22 6e 22 26 22 74 22 26 22 65 22 26 22 6e 22 26 22 74 22 26 22 75 6e 69 22 26 22 6f 22 26 22 6e 2e 6e 22 26 22 65 74 2f 6e 65 22 26 22 77 22 26 22 77 22 26 22 65 62 73 22 26 22 69 74 22 26 22 65 2f 55 58 22 26 22 6b 6b 22 26 22 6b 2f } //00 00 :/"&"/c"&"o"&"n"&"t"&"e"&"n"&"t"&"uni"&"o"&"n.n"&"et/ne"&"w"&"w"&"ebs"&"it"&"e/UX"&"kk"&"k/
condition:
// Any single fragment is enough to fire: the strings are independent
// alternatives (one per observed download URL), not a required set.
any of ($a_*)
}