17 lines
987 B
Plaintext
17 lines
987 B
Plaintext
|
|
rule TrojanDownloader_O97M_SilverMob_A_dha{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/SilverMob.A!dha,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 07 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {43 68 72 28 34 36 20 2b 20 28 41 73 63 28 } //01 00
|
|
$a_00_1 = {29 20 2d 20 34 36 20 2d 20 32 30 20 2b 20 28 31 32 32 20 2d 20 34 36 29 29 20 4d 6f 64 20 28 31 32 32 20 2d 20 34 36 29 29 } //01 00
|
|
$a_00_2 = {22 61 31 77 3a 37 3b 37 2e 3c 42 6c 61 60 5c 68 68 64 22 } //01 00
|
|
$a_00_3 = {22 55 58 63 58 56 42 67 3c 3a 79 75 35 22 } //01 00
|
|
$a_00_4 = {22 67 77 3a 31 38 3c 31 36 2f 42 5a 31 34 79 67 41 3b 3c 79 35 63 76 32 79 77 3c 22 } //01 00
|
|
$a_00_5 = {56 42 41 2e 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 22 20 2b 20 22 53 63 22 20 2b 20 22 72 22 20 2b 20 22 69 70 22 20 2b 20 22 74 22 20 2b 20 22 2e 53 22 20 2b 20 22 68 22 20 2b 20 22 65 6c 22 20 2b 20 22 6c 22 29 } //01 00
|
|
$a_00_6 = {22 70 3b 3e 77 30 37 3b 3c 42 79 40 79 22 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |