
// Converted from a Microsoft Defender macro-HSTR signature (see `description`).
// Targets a VBA macro downloader whose URL / path literals are broken up with
// inserted filler characters. Each $a_* pattern is the raw signature bytes;
// the `//` values on each string line were carried over from the source
// signature and are presumably per-string weights — not verified here.
// The `90 02 NN` / `90 01 NN` sequences inside the $a_02_* patterns are
// presumably the signature format's variable-length / fixed-length gaps
// rather than literal bytes — TODO confirm against the converter.
// NOTE(review): the numeric fields in `description` (06 00 06 00 06 00 ...)
// presumably encode the original match thresholds; the `any of` condition
// below is looser than that, so single generic strings ($a_80_4 / $a_80_5
// are plain VBA file-I/O statements) will fire on their own — expect false
// positives if this rule is used stand-alone, and tune the condition first.
rule TrojanDownloader_O97M_Obfusmacro_GB_MTB{
meta:
description = "TrojanDownloader:O97M/Obfusmacro.GB!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,06 00 06 00 06 00 00 01 00 "
strings :
// ASCII: = CreateObject("wscript.shell")
$a_80_0 = {3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 77 73 63 72 69 70 74 2e 73 68 65 6c 6c 22 29 } //= CreateObject("wscript.shell") 01 00
// ASCII "Sub AutoOpen()" then, after a gap, a quoted local path with filler
// between characters: ("c ~ : ~ \ ~ \ ~ . ~ j ~ p ~ g ~ ")  (~ = gap)
$a_02_1 = {53 75 62 20 41 75 74 6f 4f 70 65 6e 28 29 90 02 64 28 22 63 90 02 02 3a 90 02 02 5c 90 02 1e 5c 90 02 0f 2e 90 01 01 6a 90 01 01 70 90 02 01 67 90 01 01 22 29 90 00 } //01 00
// ASCII "Sub AutoOpen()" then, after a gap, `, ~ . ~ ( ~ ("h~t~t~p~:~/~/ ~ . ~ / ~ / ~ . ~ p~h~p~?~l~= ~ . ~ "))`
// i.e. a URL literal with filler between its characters, ending in a .php?l= query
$a_02_2 = {53 75 62 20 41 75 74 6f 4f 70 65 6e 28 29 90 02 af 2c 20 90 02 0a 2e 90 02 0a 28 90 02 0a 28 22 68 90 01 01 74 90 01 01 74 90 01 01 70 90 01 01 3a 90 01 01 2f 90 01 01 2f 90 02 0f 2e 90 02 0a 2f 90 02 1e 2f 90 02 0c 2e 90 01 01 70 90 01 01 68 90 01 01 70 90 01 01 3f 90 01 01 6c 90 01 01 3d 90 02 14 2e 90 02 0a 22 29 29 90 00 } //01 00
// ASCII: .exec  ~  & " " &   (a shell-object exec call with concatenated arguments)
$a_02_3 = {2e 65 78 65 63 20 90 02 0a 20 26 20 22 20 22 20 26 90 00 } //01 00
// ASCII "Print #" — generic VBA file-write statement
$a_80_4 = {50 72 69 6e 74 20 23 } //Print # 01 00
// ASCII "Close #" — generic VBA file-close statement
$a_80_5 = {43 6c 6f 73 65 20 23 } //Close # 00 00
condition:
any of ($a_*)
}
// Second converted signature for the same family (see `description`).
// Each $a_02_* pattern appears twice: once as UTF-16LE (bytes interleaved
// with 00) and once as plain ASCII, so both macro text encodings are covered.
// The `90 02 NN` sequences are presumably the signature format's
// variable-length gaps rather than literal bytes — TODO confirm against the
// converter; the `//` values on each string line were carried over from the
// source signature and are presumably per-string weights.
// NOTE(review): the numeric fields in `description` (03 00 03 00 08 00 ...)
// presumably encode the original match thresholds; `any of` below is looser,
// and $a_80_7 ("Debug.Print") is an ordinary VBA statement that will match
// benign macros by itself — tune the condition before stand-alone use.
rule TrojanDownloader_O97M_Obfusmacro_GB_MTB_2{
meta:
description = "TrojanDownloader:O97M/Obfusmacro.GB!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 08 00 00 01 00 "
strings :
// UTF-16LE: = Replace( ~ , ~ , "")   (stripping filler from an obfuscated string)
$a_02_0 = {3d 00 20 00 52 00 65 00 70 00 6c 00 61 00 63 00 65 00 28 00 90 02 14 2c 00 20 00 90 02 14 2c 00 20 00 22 00 22 00 29 00 90 00 } //01 00
// ASCII: = Replace( ~ , ~ , "")
$a_02_1 = {3d 20 52 65 70 6c 61 63 65 28 90 02 14 2c 20 90 02 14 2c 20 22 22 29 90 00 } //01 00
// UTF-16LE: = CreateObject( ~ ( ~ (CStr( ~ ) + "   (object name built at runtime)
$a_02_2 = {3d 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 4f 00 62 00 6a 00 65 00 63 00 74 00 28 00 90 02 14 28 00 90 02 14 28 00 43 00 53 00 74 00 72 00 28 00 90 02 1e 29 00 20 00 2b 00 20 00 22 00 90 00 } //01 00
// ASCII: = CreateObject( ~ ( ~ (CStr( ~ ) + "
$a_02_3 = {3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 90 02 14 28 90 02 14 28 43 53 74 72 28 90 02 1e 29 20 2b 20 22 90 00 } //01 00
// UTF-16LE: .Create( ~ , ~ , ~ , ~ )   (four-argument .Create call)
$a_02_4 = {2e 00 43 00 72 00 65 00 61 00 74 00 65 00 28 00 90 02 14 2c 00 20 00 90 02 14 2c 00 20 00 90 02 14 2c 00 20 00 90 02 14 29 00 90 00 } //01 00
// ASCII: .Create( ~ , ~ , ~ , ~ )
$a_02_5 = {2e 43 72 65 61 74 65 28 90 02 14 2c 20 90 02 14 2c 20 90 02 14 2c 20 90 02 14 29 90 00 } //ff ff
// ASCII "DebugPrintFile"
$a_80_6 = {44 65 62 75 67 50 72 69 6e 74 46 69 6c 65 } //DebugPrintFile ff ff
// ASCII "Debug.Print" — generic VBA statement
$a_80_7 = {44 65 62 75 67 2e 50 72 69 6e 74 } //Debug.Print 00 00
condition:
any of ($a_*)
}