32 lines
1.1 KiB
Plaintext
32 lines
1.1 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_XlmMacro_gen_DG{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/XlmMacro.gen!DG,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 16 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {41 6f 00 08 } //01 00
|
|
$a_01_1 = {41 6f 00 03 } //01 00
|
|
$a_01_2 = {41 6f 00 04 } //01 00
|
|
$a_01_3 = {42 01 06 80 } //01 00
|
|
$a_01_4 = {42 02 60 80 } //01 00
|
|
$a_01_5 = {42 01 60 80 } //01 00
|
|
$a_01_6 = {42 01 11 80 } //01 00
|
|
$a_01_7 = {42 01 6e 00 } //01 00
|
|
$a_01_8 = {42 07 95 00 } //01 00
|
|
$a_01_9 = {42 06 96 00 } //01 00
|
|
$a_01_10 = {42 07 96 00 } //01 00
|
|
$a_01_11 = {42 08 96 00 } //01 00
|
|
$a_01_12 = {42 09 96 00 } //01 00
|
|
$a_01_13 = {08 41 01 01 } //01 00
|
|
$a_03_14 = {08 17 01 00 90 02 03 00 08 17 01 00 90 02 03 00 08 17 01 00 90 0a 20 00 00 00 17 01 00 90 02 03 00 17 01 00 90 02 03 00 90 00 } //01 00
|
|
$a_01_15 = {42 01 50 01 } //01 00
|
|
$a_01_16 = {42 02 50 01 } //01 00
|
|
$a_01_17 = {42 03 50 01 } //01 00
|
|
$a_01_18 = {42 04 50 01 } //01 00
|
|
$a_01_19 = {42 05 50 01 } //01 00
|
|
$a_01_20 = {42 06 50 01 } //01 00
|
|
$a_01_21 = {42 07 50 01 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |