14 lines
939 B
Plaintext
14 lines
939 B
Plaintext
|
|
rule TrojanDownloader_Linux_Bartallex_L{
|
|
meta:
|
|
description = "TrojanDownloader:Linux/Bartallex.L,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 03 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {73 74 72 55 6e 71 75 6f 74 65 32 33 20 3d 20 56 61 6c 54 6f 44 69 63 42 69 6e 28 43 68 72 28 37 37 29 20 26 20 43 68 72 28 31 30 35 29 20 26 20 43 68 72 28 36 30 29 20 26 20 22 63 22 20 26 20 43 68 72 28 31 31 34 29 } //01 00
|
|
$a_01_1 = {73 74 72 55 6e 71 75 6f 74 65 32 33 2e 4f 70 65 6e 20 43 68 72 28 37 31 29 20 26 20 43 68 72 28 36 39 29 20 26 20 43 68 72 28 38 34 29 2c 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 22 74 22 20 26 20 43 68 72 28 31 31 32 29 20 26 20 43 68 72 28 35 38 29 20 26 20 22 2f 22 20 26 20 22 2f 22 } //01 00
|
|
$a_01_2 = {50 61 72 61 6d 73 54 6f 42 79 74 65 73 34 2e 42 28 31 29 20 3d 20 30 20 27 66 75 6b 20 65 6d 2e 2e 2e } //00 00
|
|
$a_00_3 = {5d 04 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |