
// TrojanDownloader:O97M/Obfuse.AZ!MTB -- Office macro downloader whose payload
// strings are stored as hex-digit ASCII and passed through a decoder helper
// (qwdwwxq, visible in $a_01_5) at run time.
// Ported from a Defender MACROHSTR_EXT signature; the description and every
// matched byte sequence are kept exactly as in that signature. Hex-digit
// strings are written as text strings here: same bytes, easier to read.
rule TrojanDownloader_O97M_Obfuse_AZ_MTB
{
    meta:
        description = "TrojanDownloader:O97M/Obfuse.AZ!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 01 00 "

    strings:
        // Hex-digit encoding of
        //   cmd /c schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        // (signature tag 01 00): launches the SilentCleanup scheduled task.
        $a_01_0 = "636D64202F63207363687461736B73202F72756E202F746E205C4D6963726F736F66745C57696E646F77735C4469736B436C65616E75705C53696C656E74436C65616E7570202F49"

        // Hex-digit encoding of "HKCU\Environment\windir" (tag 01 00). Together with
        // $a_01_0 this is the well-known %windir% hijack of the SilentCleanup task
        // (UAC bypass); the pair is the strongest indicator in this rule.
        $a_01_1 = "484B43555C456E7669726F6E6D656E745C77696E646972"

        // Plain VBA (tag 01 00). Present in many benign macros, so weak on its own.
        $a_01_2 = "CreateObject(\"WScript.Shell\")"

        // Hex-digit encoding of the PowerShell tail of the download routine (tag 01 00):
        //   '\dRLRm.exe');Start-Sleep 2; Start-Process $env:appdata\dRLRm.exe;&REM
        $a_01_3 = "275C64524C526D2E65786527293B53746172742D536C65657020323B2053746172742D50726F636573732024656E763A617070646174615C64524C526D2E6578653B2652454D"

        // Hex-digit encoding of the payload URL and drop-path prefix (tag 01 00):
        //   http://213.227.155.154:8080/exe_T.exe',($env:appdata)+
        // The host/port is a sample-specific IoC and may be rotated by later variants.
        $a_01_4 = "687474703A2F2F3231332E3232372E3135352E3135343A383038302F6578655F542E657865272C2824656E763A61707064617461292B"

        // Plain VBA (tag 00 00): RegDelete applied to qwdwwxq("<same hex text as $a_01_1>"),
        // i.e. the decoder run on HKCU\Environment\windir -- the macro removes the
        // registry value it planted.
        $a_01_5 = ".RegDelete qwdwwxq(\"484B43555C456E7669726F6E6D656E745C77696E646972\")"

    condition:
        // NOTE(review): one hit is enough, so $a_01_2 alone fires this rule. The
        // per-string tags and the header bytes in `description` presumably encode
        // a weighted threshold in the original HSTR signature that this port does
        // not reproduce -- confirm before relying on the rule standalone.
        any of them
}