DefenderYara/TrojanSpy/Win32/Bagopos/TrojanSpy_Win32_Bagopos_A.yar


/*
 * TrojanSpy:Win32/Bagopos.A — first of two rules converted (DefenderYara) from a
 * Microsoft Defender PEHSTR_EXT signature. The hex strings are the signature's
 * byte patterns carried over verbatim; the trailing "//NN 00" comments are the
 * original per-string trailer bytes (presumably weights — TODO confirm against
 * the source format).
 *
 * NOTE(review): the sequences "90 01 NN", "90 02 NN" and the terminating "90 00"
 * look like Defender wildcard / variable-length-jump / end-of-pattern markers
 * rather than real bytes — in $a_03_2 "90 01 04" sits exactly where a call
 * rel32 displacement would be, and in $a_03_3 "90 01 01" where a jl rel8
 * displacement would be. As written, YARA matches them as the literal bytes
 * 0x90 0x01 ..., so those strings probably never match; confirm before relying
 * on this rule and consider translating them to YARA "??" / "[0-N]" jumps.
 *
 * NOTE(review): the header bytes in `description` ("03 00 03 00 04 00 ...")
 * appear to encode a match threshold; `any of ($a_*)` ignores any threshold and
 * fires on a single string, so this rule is likely broader (more false-positive
 * prone) than the original signature.
 */
rule TrojanSpy_Win32_Bagopos_A{
meta:
description = "TrojanSpy:Win32/Bagopos.A,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 04 00 00 01 00 "
strings :
// ASCII "\0InstallHooks\0" <90 02 05: presumed jump of up to 5 bytes> "RemoveHooks\0" <90 00>
$a_03_0 = {00 49 6e 73 74 61 6c 6c 48 6f 6f 6b 73 00 90 02 05 52 65 6d 6f 76 65 48 6f 6f 6b 73 00 90 00 } //01 00
// UTF-16LE "DLLx64.dll"
$a_01_1 = {44 00 4c 00 4c 00 78 00 36 00 34 00 2e 00 64 00 6c 00 6c 00 } //01 00 DLLx64.dll
// Decodes as x86: mov al,[esi] / cmp al,'=' / jne +1Ah / mov edx,1 / mov ecx,esi /
// call <90 01 04: presumed 4 wildcard bytes> / mov edx,2 / mov ecx,esi / call <wildcard> /
// jmp +3Ch / cmp al,'^' / jne +1Dh / mov edx,1 <90 00>
$a_03_2 = {8a 06 3c 3d 75 1a ba 01 00 00 00 8b ce e8 90 01 04 ba 02 00 00 00 8b ce e8 90 01 04 eb 3c 3c 5e 75 1d ba 01 00 00 00 90 00 } //01 00
// Decodes as x86: cmp cl,'0' / jb +0Dh / cmp cl,'9' / ja +08h / inc eax / cmp eax,14h /
// jl <90 01 01: presumed 1 wildcard byte> / jmp +05h / cmp eax,0Dh / jl <90 00>
// (appears to test whether cl is an ASCII digit while counting in eax)
$a_03_3 = {80 f9 30 72 0d 80 f9 39 77 08 40 83 f8 14 7c 90 01 01 eb 05 83 f8 0d 7c 90 00 } //00 00
condition:
// Any single one of the four strings is enough to fire (see threshold note above)
any of ($a_*)
}
/*
 * TrojanSpy:Win32/Bagopos.A — second rule converted (DefenderYara) from a
 * Microsoft Defender PEHSTR_EXT signature. Hex strings are the signature's byte
 * patterns carried over verbatim; the trailing "//NN 00" comments are the
 * original per-string trailer bytes (presumably weights — TODO confirm).
 *
 * NOTE(review): the header bytes in `description` ("0f 00 0f 00 08 00 ...")
 * appear to encode a match threshold that the per-string trailers (05 / 0a)
 * would have to sum to. `any of ($a_*)` drops that requirement, and several
 * strings here are generic on their own (":Zone.Identifier" is the standard
 * mark-of-the-web ADS name; "Run" and "Java Update Manager" appear in benign
 * software), so this rule is likely much broader than the original signature.
 * Consider requiring a combination of strings, or at least the less generic
 * ones ($a_00_6, $a_02_7), before deploying.
 *
 * NOTE(review): "90 02 04" / "90 00" in $a_02_7 look like Defender jump /
 * end-of-pattern markers, not literal bytes; as written YARA treats them as
 * literal 0x90 0x02 ..., so that string probably never matches — confirm.
 */
rule TrojanSpy_Win32_Bagopos_A_2{
meta:
description = "TrojanSpy:Win32/Bagopos.A,SIGNATURE_TYPE_PEHSTR_EXT,0f 00 0f 00 08 00 00 05 00 "
strings :
// UTF-16LE ":Zone.Identifier" (NTFS alternate data stream name used for mark-of-the-web)
$a_00_0 = {3a 00 5a 00 6f 00 6e 00 65 00 2e 00 49 00 64 00 65 00 6e 00 74 00 69 00 66 00 69 00 65 00 72 00 } //05 00 :Zone.Identifier
// UTF-16LE "TigerVNC\WinVNC4"
$a_00_1 = {54 00 69 00 67 00 65 00 72 00 56 00 4e 00 43 00 5c 00 57 00 69 00 6e 00 56 00 4e 00 43 00 34 00 } //05 00 TigerVNC\WinVNC4
// UTF-16LE "lsm\lsm.exe\0"
$a_00_2 = {6c 00 73 00 6d 00 5c 00 6c 00 73 00 6d 00 2e 00 65 00 78 00 65 00 00 00 } //05 00
// UTF-16LE "dwm\dwm.exe\0"
$a_00_3 = {64 00 77 00 6d 00 5c 00 64 00 77 00 6d 00 2e 00 65 00 78 00 65 00 00 00 } //05 00
// UTF-16LE "svchost\svchost.exe\0"
$a_00_4 = {73 00 76 00 63 00 68 00 6f 00 73 00 74 00 5c 00 73 00 76 00 63 00 68 00 6f 00 73 00 74 00 2e 00 65 00 78 00 65 00 00 00 } //05 00
// UTF-16LE "Run" + 6 null bytes + "Java Update Manager"
$a_00_5 = {52 00 75 00 6e 00 00 00 00 00 00 00 4a 00 61 00 76 00 61 00 20 00 55 00 70 00 64 00 61 00 74 00 65 00 20 00 4d 00 61 00 6e 00 61 00 67 00 65 00 72 00 } //0a 00
// ASCII "&v=\0&m=\0+\0\0\0cs=aW5zZXJ0&p=\0\0POST" ("aW5zZXJ0" is base64 of "insert")
$a_00_6 = {26 76 3d 00 26 6d 3d 00 2b 00 00 00 63 73 3d 61 57 35 7a 5a 58 4a 30 26 70 3d 00 00 50 4f 53 54 } //0a 00
// ASCII "\jsd_12.2\" <90 02 04: presumed jump of up to 4 bytes> "Release\jsd_12.2.pdb\0" <90 00> — PDB path fragment
$a_02_7 = {5c 6a 73 64 5f 31 32 2e 32 5c 90 02 04 52 65 6c 65 61 73 65 5c 6a 73 64 5f 31 32 2e 32 2e 70 64 62 00 90 00 } //00 00
condition:
// Any single one of the eight strings is enough to fire (see threshold note above)
any of ($a_*)
}