14 lines
1.2 KiB
Plaintext
14 lines
1.2 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Powdow_MF_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Powdow.MF!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 04 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {28 22 35 37 20 35 33 20 36 33 20 37 32 20 36 39 20 37 30 20 37 34 20 32 45 20 35 33 20 36 38 20 36 35 20 36 43 20 36 43 22 29 29 2e 52 75 6e } //01 00 ("57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run
|
|
$a_00_1 = {4c 6f 61 64 65 72 22 61 48 52 30 63 44 6f 76 4c 32 4a 79 59 57 35 6b 62 33 52 76 5a 47 46 35 4c 6d 4e 76 62 53 39 54 59 57 31 77 62 47 55 7a 4c 6d 56 34 5a 51 3d 3d } //01 00 Loader"aHR0cDovL2JyYW5kb3RvZGF5LmNvbS9TYW1wbGUzLmV4ZQ==
|
|
$a_00_2 = {42 61 73 65 36 34 44 65 63 6f 64 65 28 22 63 47 39 33 5a 58 4a 7a 61 47 56 73 62 43 35 6c 65 47 55 67 4c 57 56 34 5a 57 4e 31 64 47 6c 76 62 6e 42 76 62 47 6c 6a 65 53 42 69 65 58 42 68 63 33 4d } //01 00 Base64Decode("cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3M
|
|
$a_00_3 = {55 32 68 6c 62 47 77 75 51 58 42 77 62 47 6c 6a 59 58 52 70 62 32 34 70 4c 6c 4e 6f 5a 57 78 73 52 58 68 6c 59 33 56 30 5a 53 67 6b 5a 57 35 32 4f 6c 52 6c 62 58 41 72 4a 31 78 7a 64 6d 4e 6f 62 33 4e 30 4c 6d 56 34 5a 53 63 70 } //00 00 U2hlbGwuQXBwbGljYXRpb24pLlNoZWxsRXhlY3V0ZSgkZW52OlRlbXArJ1xzdmNob3N0LmV4ZScp
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |