
rule TrojanDownloader_O97M_Emotet_RVS_MTB
{
    // Emotet Office-macro downloader variant (O97M = Office macro).
    // Every string below is the exact byte sequence of a URL that has been
    // split into short literal fragments joined with `"&"` (the `&` string
    // concatenation operator, presumably in VBA); the decoded text appears in
    // each string's trailing comment. Because the fragments are byte-exact,
    // the rule identifies this specific split pattern, not the hosts themselves.
    // The `[01 00]` / `[00 00]` tags in the comments are kept from the original
    // listing; they look like a carry-over from the source signature encoding
    // (compare the description field) and are not part of what is matched.
    meta:
        description = "TrojanDownloader:O97M/Emotet.RVS!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 0b 00 00 01 00 "

    strings:
        $a_01_0  = {2f 2f 62 22 26 22 79 72 22 26 22 64 6e 22 26 22 65 73 22 26 22 74 33 2e 63 22 26 22 6f 22 26 22 6d 2f 63 22 26 22 67 22 26 22 69 2d 62 22 26 22 69 22 26 22 6e 2f 54 22 26 22 45 22 26 22 71 2f 22 2c 22} // [01 00] decoded: //b"&"yr"&"dn"&"es"&"t3.c"&"o"&"m/c"&"g"&"i-b"&"i"&"n/T"&"E"&"q/","
        $a_01_1  = {2f 2f 63 22 26 22 61 72 22 26 22 62 6f 22 26 22 6e 62 22 26 22 72 6f 22 26 22 73 2e 63 22 26 22 6f 2e 7a 22 26 22 61 2f 6c 22 26 22 6f 67 22 26 22 73 2f 4b 22 26 22 53 54 22 26 22 4a 4e 22 26 22 64 78 22 26 22 5a 37 22 26 22 33 68 22 26 22 49 5a 22 26 22 50 4b 22 26 22 64 64 22 26 22 45 44 22 26 22 54 2f 22 2c 22} // [01 00] decoded: //c"&"ar"&"bo"&"nb"&"ro"&"s.c"&"o.z"&"a/l"&"og"&"s/K"&"ST"&"JN"&"dx"&"Z7"&"3h"&"IZ"&"PK"&"dd"&"ED"&"T/","
        $a_01_2  = {2f 2f 77 22 26 22 77 22 26 22 77 2e 62 75 22 26 22 62 62 22 26 22 6c 65 66 22 26 22 6f 6f 74 22 26 22 62 61 22 26 22 6c 6c 65 22 26 22 75 72 22 26 22 6f 22 26 22 70 65 2e 64 22 26 22 65 2f 77 22 26 22 70 2d 61 22 26 22 64 6d 22 26 22 69 6e 2f 33 22 26 22 61 4d 22 26 22 4d 6e 22 26 22 59 50 2f 22 2c 22} // [01 00] decoded: //w"&"w"&"w.bu"&"bb"&"lef"&"oot"&"ba"&"lle"&"ur"&"o"&"pe.d"&"e/w"&"p-a"&"dm"&"in/3"&"aM"&"Mn"&"YP/","
        $a_01_3  = {2f 2f 63 61 22 26 22 73 6f 22 26 22 76 2e 63 22 26 22 6f 22 26 22 6d 2f 70 22 26 22 72 6f 22 26 22 78 79 2f 6b 22 26 22 6b 30 22 26 22 4f 57 22 26 22 63 73 74 22 26 22 71 50 22 26 22 4f 4f 22 26 22 79 65 22 26 22 47 2f 22 2c 22} // [01 00] decoded: //ca"&"so"&"v.c"&"o"&"m/p"&"ro"&"xy/k"&"k0"&"OW"&"cst"&"qP"&"OO"&"ye"&"G/","
        $a_01_4  = {2f 22 26 22 2f 22 26 22 63 22 26 22 68 22 26 22 61 22 26 22 6c 22 26 22 6b 22 26 22 69 22 26 22 65 2e 6d 22 26 22 65 2e 75 22 26 22 6b 2f 63 22 26 22 67 22 26 22 69 2d 62 22 26 22 69 22 26 22 6e 2f 67 22 26 22 4d 22 26 22 4c 75 22 26 22 65 62 22 26 22 7a 47 22 26 22 32 52 22 26 22 73 6b 22 26 22 6b 4a 22 26 22 58 22 26 22 77 22 26 22 59 2f 22 2c 22} // [01 00] decoded: /"&"/"&"c"&"h"&"a"&"l"&"k"&"i"&"e.m"&"e.u"&"k/c"&"g"&"i-b"&"i"&"n/g"&"M"&"Lu"&"eb"&"zG"&"2R"&"sk"&"kJ"&"X"&"w"&"Y/","
        $a_01_5  = {2f 22 26 22 2f 63 22 26 22 65 22 26 22 6e 22 26 22 74 22 26 22 61 22 26 22 75 22 26 22 72 22 26 22 75 22 26 22 73 22 26 22 73 69 74 73 2e 63 22 26 22 6f 22 26 22 6d 2f 61 22 26 22 73 22 26 22 73 22 26 22 65 22 26 22 74 22 26 22 73 2f 46 22 26 22 4c 2f 22 2c 22} // [01 00] decoded: /"&"/c"&"e"&"n"&"t"&"a"&"u"&"r"&"u"&"s"&"sits.c"&"o"&"m/a"&"s"&"s"&"e"&"t"&"s/F"&"L/","
        $a_01_6  = {2f 22 26 22 2f 22 26 22 77 22 26 22 77 22 26 22 77 2e 63 22 26 22 65 63 22 26 22 61 6d 22 26 22 62 72 22 26 22 69 6c 22 26 22 73 2e 63 22 26 22 61 22 26 22 74 2f 77 22 26 22 70 2d 63 22 26 22 6f 6e 22 26 22 74 65 22 26 22 6e 74 2f 30 22 26 22 4b 77 22 26 22 4f 53 22 26 22 66 4e 22 26 22 44 45 22 26 22 53 6c 22 26 22 7a 56 22 26 22 4d 6f 22 26 22 63 2f 22 2c 22} // [01 00] decoded: /"&"/"&"w"&"w"&"w.c"&"ec"&"am"&"br"&"il"&"s.c"&"a"&"t/w"&"p-c"&"on"&"te"&"nt/0"&"Kw"&"OS"&"fN"&"DE"&"Sl"&"zV"&"Mo"&"c/","
        $a_01_7  = {2f 22 26 22 2f 22 26 22 63 22 26 22 61 22 26 22 6e 22 26 22 73 22 26 22 61 22 26 22 6c 2e 63 22 26 22 6c 2f 63 22 26 22 67 22 26 22 69 2d 62 22 26 22 69 22 26 22 6e 2f 62 22 26 22 65 73 22 26 22 53 49 22 26 22 4a 54 66 22 26 22 4f 6b 22 26 22 30 44 22 26 22 74 48 22 26 22 5a 52 2f 22 2c 22} // [01 00] decoded: /"&"/"&"c"&"a"&"n"&"s"&"a"&"l.c"&"l/c"&"g"&"i-b"&"i"&"n/b"&"es"&"SI"&"JTf"&"Ok"&"0D"&"tH"&"ZR/","
        $a_01_8  = {2f 2f 61 22 26 22 6e 69 22 26 22 6d 61 2d 74 22 26 22 65 72 22 26 22 61 70 22 26 22 69 65 2e 63 22 26 22 7a 2f 6c 22 26 22 61 6e 22 26 22 67 75 22 26 22 61 67 22 26 22 65 2f 7a 22 26 22 5a 47 22 26 22 47 4b 22 26 22 67 2f 22 2c 22} // [01 00] decoded: //a"&"ni"&"ma-t"&"er"&"ap"&"ie.c"&"z/l"&"an"&"gu"&"ag"&"e/z"&"ZG"&"GK"&"g/","
        $a_01_9  = {2f 2f 77 22 26 22 69 6c 22 26 22 75 73 22 26 22 7a 2e 70 22 26 22 6c 2f 66 22 26 22 35 61 22 26 22 30 32 22 26 22 63 30 22 26 22 62 2f 62 22 26 22 44 2f 22 2c 22} // [01 00] decoded: //w"&"il"&"us"&"z.p"&"l/f"&"5a"&"02"&"c0"&"b/b"&"D/","
        $a_01_10 = {2f 22 26 22 2f 77 22 26 22 77 22 26 22 77 2e 74 22 26 22 68 22 26 22 75 22 26 22 79 22 26 22 62 22 26 22 61 22 26 22 6f 22 26 22 68 22 26 22 75 22 26 22 79 2e 63 22 26 22 6f 22 26 22 6d 2f 77 22 26 22 70 2d 63 22 26 22 6f 22 26 22 6e 22 26 22 74 22 26 22 65 22 26 22 6e 22 26 22 74 2f 72 22 26 22 75 22 26 22 7a 22 26 22 57 22 26 22 51 22 26 22 51 22 26 22 6b 22 26 22 71 22 26 22 6e 22 26 22 33 22 26 22 6f 22 26 22 63 22 26 22 49 22 26 22 4b 22 26 22 56 22 26 22 6f 22 26 22 50 22 26 22 77 22 26 22 42 2f 22 2c 22} // [00 00] decoded: /"&"/w"&"w"&"w.t"&"h"&"u"&"y"&"b"&"a"&"o"&"h"&"u"&"y.c"&"o"&"m/w"&"p-c"&"o"&"n"&"t"&"e"&"n"&"t/r"&"u"&"z"&"W"&"Q"&"Q"&"k"&"q"&"n"&"3"&"o"&"c"&"I"&"K"&"V"&"o"&"P"&"w"&"B/","

    condition:
        // One fragment is enough to fire. Every string in this rule is a
        // `$a_*` string, so `any of them` is the same test as `any of ($a_*)`.
        any of them
}