
// Defender signature exported in YARA syntax: TrojanDownloader:O97M/EncDoc.PAY!MTB.
// The hex strings decode to lowercase, whitespace-free VBA source fragments, which
// suggests they are meant to be matched against a normalized macro text stream
// rather than the raw OLE/OOXML bytes -- confirm before deploying as plain YARA.
// The trailing "//NN 00" comments and the numeric tail of the description are
// Defender-side weights/counters; YARA ignores them, so this rule fires on ANY one
// string (see condition), which may be broader than the original engine intended.
rule TrojanDownloader_O97M_EncDoc_PAY_MTB{
meta:
// Tail "03 00 03 00 03 00 00 01 00": presumably string count / thresholds for the
// three strings below -- verify against the MACROHSTR_EXT format before relying on it.
description = "TrojanDownloader:O97M/EncDoc.PAY!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 03 00 00 01 00 "
strings :
// Decodes to: vb_name="vnbiubni7ghb7n6d786dhf8u"  (a VBA module name)
$a_01_0 = {76 62 5f 6e 61 6d 65 3d 22 76 6e 62 69 75 62 6e 69 37 67 68 62 37 6e 36 64 37 38 36 64 68 66 38 75 22 } //01 00
// Decodes to: .textbox4.text="wgjab"  (form control used as a data carrier)
$a_01_1 = {2e 74 65 78 74 62 6f 78 34 2e 74 65 78 74 3d 22 77 67 6a 61 62 22 } //01 00
// Decodes to: .text=left(<X>.cell(2,1),len(<X>.cell(2,1))-2)+vbcrlf+left(<X>.cell(4,1),len(<X>.cell(4,1))-2)open
// where the "90 02 7f", "90 1b 00" and "90 00" byte groups are NOT valid YARA
// wildcards: as written, YARA would require those literal bytes, so this string is
// unlikely to ever match. They look like the exporter's encoding of Defender
// wildcard / back-reference tokens (e.g. "90 02 7f" ~ up to 0x7f arbitrary bytes,
// "90 1b 00" ~ repeat of an earlier capture) -- confirm the encoding and rewrite with
// YARA jumps such as [0-127] if this rule is to be used outside Defender.
$a_03_2 = {2e 74 65 78 74 3d 6c 65 66 74 28 90 02 7f 2e 63 65 6c 6c 28 32 2c 31 29 2c 6c 65 6e 28 90 1b 00 2e 63 65 6c 6c 28 32 2c 31 29 29 2d 32 29 2b 76 62 63 72 6c 66 2b 6c 65 66 74 28 90 1b 00 2e 63 65 6c 6c 28 34 2c 31 29 2c 6c 65 6e 28 90 1b 00 2e 63 65 6c 6c 28 34 2c 31 29 29 2d 32 29 6f 70 65 6e 90 00 } //00 00
condition:
// Any single string is sufficient; $a_01_0 (a module name) alone is the weakest signal.
any of ($a_*)
}
// Second variant of the same Defender signature (TrojanDownloader:O97M/EncDoc.PAY!MTB).
// Every string decodes to a VBA expression that assembles a download URL from short
// quoted fragments joined with "&" (e.g. "h"&"tt"&"p://…"&"…/….h"&"t"&"m"&"l"), a
// common trick to keep the full URL out of the macro text. Because the fragments are
// stored as exact bytes, any change in how the author splits the string (or in
// whitespace/case, unless the input is normalized) defeats the match -- treat these
// as narrow, campaign-specific indicators rather than a generic detection.
rule TrojanDownloader_O97M_EncDoc_PAY_MTB_2{
meta:
// Tail "01 00 01 00 06 00 00 01 00": the "06" appears to correspond to the six
// strings below -- presumably a string count; verify against the format definition.
description = "TrojanDownloader:O97M/EncDoc.PAY!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 06 00 00 01 00 "
strings :
// $a_01_0..$a_01_2: fragment-concatenated http/https URL ending in a hnhkji.html path
// (leading quote included in the pattern).
$a_01_0 = {22 68 22 26 22 74 74 22 26 22 70 3a 2f 2f 74 22 26 22 68 61 6e 22 26 22 68 61 6e 22 26 22 68 6f 74 65 6c 2e 63 6f 6d 2f 4d 37 4e 76 62 6f 67 6e 49 6d 68 57 2f 68 6e 68 6b 6a 69 2e 68 22 26 22 74 22 26 22 6d 22 26 22 6c 22 } //01 00
$a_01_1 = {22 68 22 26 22 74 74 22 26 22 70 73 3a 2f 2f 67 75 61 72 22 26 22 64 73 22 26 22 6f 63 22 26 22 69 65 74 79 2e 6f 72 67 2f 34 54 4d 55 55 49 39 75 2f 68 6e 68 6b 6a 69 2e 68 22 26 22 74 22 26 22 6d 22 26 22 6c 22 } //01 00
$a_01_2 = {22 68 22 26 22 74 74 22 26 22 70 3a 2f 2f 62 72 6f 2e 6a 65 72 61 22 26 22 73 68 66 22 26 22 65 73 74 69 76 61 6c 2e 6a 6f 2f 32 6b 41 6c 41 4a 47 63 2f 68 6e 68 6b 6a 69 2e 68 22 26 22 74 22 26 22 6d 22 26 22 6c 22 } //01 00
// $a_01_3..$a_01_5: same technique with a finer split ("h"&"t"&"t"&"p"…) and a be.html
// path; these start after the opening quote and end with the trailing "," (0x2c),
// so they anchor on the argument-list context rather than the quoted string alone.
$a_01_3 = {68 22 26 22 74 22 26 22 74 22 26 22 70 22 26 22 73 22 26 22 3a 2f 2f 61 72 22 26 22 61 6e 63 22 26 22 61 6c 2e 63 22 26 22 6f 22 26 22 6d 22 26 22 2f 48 67 4c 43 67 43 53 33 6d 2f 62 65 2e 68 22 26 22 74 22 26 22 6d 22 26 22 6c 22 2c } //01 00
$a_01_4 = {68 22 26 22 74 22 26 22 74 22 26 22 70 73 22 26 22 3a 2f 2f 69 22 26 22 70 65 72 22 26 22 64 65 22 26 22 73 6b 2e 63 22 26 22 6f 22 26 22 6d 22 26 22 2f 4a 57 71 6a 38 52 32 6e 74 2f 62 65 2e 68 22 26 22 74 22 26 22 6d 22 26 22 6c 22 2c } //01 00
$a_01_5 = {68 22 26 22 74 22 26 22 74 22 26 22 70 22 26 22 73 22 26 22 3a 2f 2f 67 72 61 6e 22 26 22 64 74 68 75 22 26 22 6d 2e 63 22 26 22 6f 2e 69 22 26 22 6e 2f 39 5a 22 26 22 36 44 22 26 22 48 35 22 26 22 68 35 67 2f 62 22 26 22 65 2e 68 22 26 22 74 22 26 22 6d 22 26 22 6c 22 2c } //00 00
condition:
// One matching URL fragment string is enough; the per-string weights in the trailing
// comments are not evaluated by YARA.
any of ($a_*)
}