18 lines
1.4 KiB
Plaintext
18 lines
1.4 KiB
Plaintext
|
|
rule TrojanSpy_Win32_Alinaos_gen_A{
|
|
meta:
|
|
description = "TrojanSpy:Win32/Alinaos.gen!A,SIGNATURE_TYPE_PEHSTR_EXT,09 00 09 00 07 00 00 05 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {41 6c 69 6e 61 20 76 90 0f 01 00 2e 90 0f 01 00 00 90 00 } //02 00
|
|
$a_01_1 = {61 63 74 3d 25 73 26 62 3d 25 73 26 63 3d 25 73 26 76 3d 25 73 26 25 73 3d 00 } //02 00 捡㵴猥戦┽♳㵣猥瘦┽♳猥=
|
|
$a_01_2 = {28 28 28 25 3f 5b 42 62 ef bf bd 60 5d 3f 29 5b 5e 5b 41 2d 5a 61 2d 7a 5c 73 5d 7b 30 2c 32 36 7d 2f 5b 41 2d 5a 61 2d 7a 5c 73 5d 7b 30 2c 32 36 7d 5c 5e 28 31 5b 32 2d 39 5d 29 28 30 5b 31 2d 39 5d 7c 31 5b 30 2d 32 5d 29 5b 30 2d 39 5c 73 5d 7b 33 2c 35 30 7d 5c 3f 29 } //02 00
|
|
$a_01_3 = {28 28 25 3f 5b 42 62 5d 3f 29 5b 30 2d 39 5d 7b 31 33 2c 31 39 7d 5c 5e 5b 41 2d 5a 61 2d 7a 5c 73 5d 7b 30 2c 32 36 7d 2f 5b 41 2d 5a 61 2d 7a 5c 73 5d 7b 30 2c 32 36 7d 5c 5e 28 31 5b 32 2d 39 5d 29 28 30 5b 31 2d 39 5d 7c 31 5b 30 2d 32 5d 29 5b 30 2d 39 5c 73 5d 7b 33 2c 35 30 7d 5c 3f 29 } //02 00 ((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)
|
|
$a_00_4 = {61 6c 69 6e 61 3d 00 } //02 00
|
|
$a_01_5 = {2f 75 70 6c 6f 61 64 2e 70 68 70 00 } //02 00
|
|
$a_01_6 = {77 6f 6e 74 20 6b 69 6c 6c 20 72 65 67 69 73 74 72 79 20 72 65 63 6f 72 64 20 66 6f 72 20 6e 6f 77 00 } //00 00
|
|
$a_00_7 = {5d 04 00 00 27 2d 03 } //80 5c
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |