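// Detection for TrojanDownloader:O97M/Obfuse.PYRX!MTB, an Office (O97M) VBA macro
// downloader. The rule reads as a conversion from another signature format: the
// meta.description and the trailing "//NN NN" comments on each string appear to
// carry the original signature type and flag bytes. YARA does not interpret them;
// they are kept only for traceability back to the source signature.
// Fix: the stray rendering artifact ("|") that followed the closing brace has been
// removed, as it would prevent the rule from compiling.
rule TrojanDownloader_O97M_Obfuse_PYRX_MTB{
    meta:
        description = "TrojanDownloader:O97M/Obfuse.PYRX!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 01 00 "

    strings:
        // Each hex string is the exact ASCII byte sequence shown in its trailing
        // comment (VBA source text, including the " _" line-continuation token).

        // ShellExecute-style argument list: (0, "open", koko, "h" _
        $a_01_0 = {28 30 2c 20 22 6f 70 65 6e 22 2c 20 6b 6f 6b 6f 2c 20 22 68 22 20 5f } //01 00 (0, "open", koko, "h" _

        // Download URL assembled from single-character string concatenations
        // to evade simple substring scanning; this is the most specific string.
        $a_01_1 = {2b 20 22 77 22 20 2b 20 22 2e 22 20 2b 20 22 62 22 20 2b 20 22 69 22 20 2b 20 22 74 22 20 2b 20 22 6c 22 20 2b 20 22 79 22 20 2b 20 22 2e 22 20 2b 20 22 63 22 20 2b 20 22 6f 22 20 2b 20 22 6d 2f 68 77 64 69 6e 6e 77 73 68 64 77 64 77 64 77 77 64 77 6d 71 77 68 64 61 22 2c 20 5f } //01 00 + "w" + "." + "b" + "i" + "t" + "l" + "y" + "." + "c" + "o" + "m/hwdinnwshdwdwdwwdwmqwhda", _

        // NOTE(review): $a_01_2 .. $a_01_5 are fragments of ordinary VBA
        // Declare / ShellExecute usage and can occur in benign macros. Because the
        // condition is `any of ($a_*)`, a hit on one of these alone is
        // low-confidence; treat such matches as triage signals rather than
        // blocking verdicts unless $a_01_0 or $a_01_1 also match.
        $a_01_2 = {22 25 70 75 62 6c 69 63 25 22 20 5f } //01 00 "%public%" _

        $a_01_3 = {22 53 68 65 6c 6c 33 32 2e 64 6c 6c 22 20 5f } //01 00 "Shell32.dll" _

        $a_01_4 = {41 6c 69 61 73 20 5f } //01 00 Alias _

        $a_01_5 = {22 53 68 65 6c 6c 45 78 65 63 75 74 65 41 22 20 5f } //00 00 "ShellExecuteA" _

    condition:
        // Any single string fires the rule; kept as in the source signature.
        any of ($a_*)
}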