rule TrojanDownloader_O97M_Donoff_DD{
/*
 * Converted Defender macro signature (SIGNATURE_TYPE_MACROHSTR_EXT per the
 * description string). The $a_02_* patterns decode to fragments of VBA source
 * (" As Long", "If … Then", "End If", "For … = 0 To -", "Next", " = GetObject(")
 * interleaved with 0x90-prefixed byte runs.
 * NOTE(review): those 0x90 runs look like wildcard/placeholder tokens from the
 * original signature format, but YARA reads them as literal bytes — confirm
 * against the source format before relying on the $a_02_* strings to match.
 * NOTE(review): the "//NN NN" trailers on each string and the "08 00 08 00 …"
 * values in the description appear to be per-string weights and a threshold;
 * the converted condition ignores them and fires on ANY single string, so a
 * lone hit on the short $a_00_4 (".AddCode ") is enough — expect false
 * positives and consider a weighted condition once the format is confirmed.
 */
meta:
description = "TrojanDownloader:O97M/Donoff.DD,SIGNATURE_TYPE_MACROHSTR_EXT,08 00 08 00 06 00 00 02 00 "
strings :
$a_02_0 = {20 41 73 20 4c 6f 6e 67 0d 0a 90 1d 20 00 20 3d 20 90 10 09 00 0d 0a 49 66 20 90 1b 00 20 90 04 01 03 3c 3e 3d 20 90 1b 01 20 54 68 65 6e 0d 0a 45 6e 64 20 49 66 90 00 } //02 00  " As Long\r\n" … " = " … "\r\nIf " … "<>= " … " Then\r\nEnd If"
$a_02_1 = {20 41 73 20 49 6e 74 65 67 65 72 0d 0a 46 6f 72 20 90 1d 20 00 20 3d 20 30 20 54 6f 20 2d 90 10 09 00 0d 0a 4e 65 78 74 20 90 1b 00 0d 0a 27 20 90 00 } //02 00  " As Integer\r\nFor " … " = 0 To -" … "\r\nNext " … "\r\n' " (trailing VBA comment marker)
$a_02_2 = {20 3d 20 47 65 74 4f 62 6a 65 63 74 28 90 1d 20 00 28 22 90 04 20 04 2c 30 2d 39 90 05 ff 04 2c 30 2d 39 22 29 29 90 00 } //01 00  " = GetObject(" … "(\"" … ",0-9" … ",0-9\"))"
$a_00_3 = {2e 52 75 6e 28 22 73 74 61 72 74 22 29 } //01 00  ".Run(\"start\")" — plain ASCII, could be written as a text string
$a_00_4 = {2e 41 64 64 43 6f 64 65 20 } //01 00  ".AddCode " — plain ASCII; very short and generic on its own
$a_02_5 = {29 20 58 6f 72 20 90 10 03 00 29 90 00 } //00 00  ") Xor " … ")"
$a_00_6 = {8f f8 00 00 08 } //00 08  raw 5-byte sequence, no ASCII meaning; purpose not evident from this file
condition:
any of ($a_*)
}
rule TrojanDownloader_O97M_Donoff_DD_2{
/*
 * Second variant of the same converted Defender signature (identical meta
 * description and the same $a_02_0, $a_00_4 and $a_02_5 patterns as the rule
 * above). Differences: $a_02_1 drops the trailing "\r\n' " fragment, $a_02_2
 * looks for a "Dim … As String" declaration followed by a call with several
 * comma-separated arguments, $a_00_3 is the parenthesis-free ".Run \"start\""
 * form, and $a_00_6 is a different raw byte run.
 * NOTE(review): 0x90-prefixed runs in the $a_02_* strings look like wildcard
 * tokens from the original format but are literal bytes to YARA — confirm.
 * NOTE(review): the "//NN NN" trailers and the "08 00 08 00 …" values in the
 * description appear to be weights/threshold that "any of ($a_*)" does not
 * honour; a lone ".AddCode " hit triggers the rule.
 */
meta:
description = "TrojanDownloader:O97M/Donoff.DD,SIGNATURE_TYPE_MACROHSTR_EXT,08 00 08 00 06 00 00 02 00 "
strings :
$a_02_0 = {20 41 73 20 4c 6f 6e 67 0d 0a 90 1d 20 00 20 3d 20 90 10 09 00 0d 0a 49 66 20 90 1b 00 20 90 04 01 03 3c 3e 3d 20 90 1b 01 20 54 68 65 6e 0d 0a 45 6e 64 20 49 66 90 00 } //02 00  " As Long\r\n" … " = " … "\r\nIf " … "<>= " … " Then\r\nEnd If"
$a_02_1 = {20 41 73 20 49 6e 74 65 67 65 72 0d 0a 46 6f 72 20 90 1d 20 00 20 3d 20 30 20 54 6f 20 2d 90 10 09 00 0d 0a 4e 65 78 74 20 90 1b 00 90 00 } //02 00  " As Integer\r\nFor " … " = 0 To -" … "\r\nNext "
$a_02_2 = {44 69 6d 20 90 1d 20 00 20 41 73 20 53 74 72 69 6e 67 0d 0a 90 1b 00 20 3d 20 90 1d 20 00 28 22 90 10 03 00 2c 90 10 03 00 2c 90 10 03 00 2c 90 10 03 00 2c 90 10 03 00 2c 90 04 ff 04 2c 30 2d 39 90 05 ff 04 2c 30 2d 39 22 29 90 00 } //01 00  "Dim " … " As String\r\n" … " = " … "(\"" … "," ×5 … ",0-9" … ",0-9\")"
$a_00_3 = {2e 52 75 6e 20 22 73 74 61 72 74 22 } //01 00  ".Run \"start\"" — plain ASCII, could be written as a text string
$a_00_4 = {2e 41 64 64 43 6f 64 65 20 } //01 00  ".AddCode " — plain ASCII; very short and generic on its own
$a_02_5 = {29 20 58 6f 72 20 90 10 03 00 29 90 00 } //00 00  ") Xor " … ")"
$a_00_6 = {5d 04 00 00 d4 } //96 03  raw 5-byte sequence, no ASCII meaning; purpose not evident from this file
condition:
any of ($a_*)
}