19 lines
1.2 KiB
Plaintext
19 lines
1.2 KiB
Plaintext
|
|
rule VirTool_WinNT_Cutwail_F{
|
|
meta:
|
|
description = "VirTool:WinNT/Cutwail.F,SIGNATURE_TYPE_PEHSTR_EXT,06 00 05 00 09 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {45 00 58 00 45 00 52 00 45 00 53 00 4f 00 55 00 52 00 43 00 45 00 } //01 00 EXERESOURCE
|
|
$a_01_1 = {5c 72 75 6e 74 69 6d 65 33 } //01 00 \runtime3
|
|
$a_01_2 = {5c 00 44 00 6f 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5c 00 52 00 6e 00 74 00 6d 00 33 00 } //01 00 \DosDevices\Rntm3
|
|
$a_01_3 = {5c 00 44 00 65 00 76 00 69 00 63 00 65 00 5c 00 52 00 6e 00 74 00 6d 00 33 00 } //01 00 \Device\Rntm3
|
|
$a_01_4 = {5c 00 46 00 69 00 6c 00 65 00 53 00 79 00 73 00 74 00 65 00 6d 00 } //01 00 \FileSystem
|
|
$a_01_5 = {57 00 4c 00 43 00 74 00 72 00 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 } //01 00 WLCtrl32.dll
|
|
$a_02_6 = {8b 51 18 83 c2 30 52 e8 90 01 02 ff ff 89 45 f0 83 7d f0 00 74 07 c7 45 f4 22 00 00 c0 90 00 } //02 00
|
|
$a_01_7 = {c6 45 e4 43 c6 45 e5 72 c6 45 e6 65 c6 45 e7 61 c6 45 e8 74 c6 45 e9 65 c6 45 ea 54 c6 45 eb 68 c6 45 ec 72 c6 45 ed 65 c6 45 ee 61 c6 45 ef 64 c6 45 f0 00 e8 } //04 00
|
|
$a_02_8 = {eb ae 8b 85 e8 fc ff ff 50 68 90 01 02 01 00 8b 4d cc 51 e8 90 01 02 00 00 83 c4 0c 8d 55 d0 52 ff 15 90 01 02 01 00 68 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |