18 lines
1.1 KiB
Plaintext
18 lines
1.1 KiB
Plaintext
|
|
rule TrojanSpy_BAT_Stealer_MH_MTB{
|
|
meta:
|
|
description = "TrojanSpy:BAT/Stealer.MH!MTB,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 08 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {44 6f 77 6e 6c 6f 61 64 44 61 74 61 } //01 00
|
|
$a_01_1 = {53 6c 65 65 70 } //01 00
|
|
$a_01_2 = {53 74 72 52 65 76 65 72 73 65 } //01 00
|
|
$a_03_3 = {6c 00 6c 00 64 00 2e 00 78 00 2f 00 90 02 60 2f 00 73 00 74 00 6e 00 65 00 6d 00 68 00 63 00 61 00 74 00 74 00 61 00 2f 00 6d 00 6f 00 63 00 2e 00 70 00 70 00 61 00 64 00 72 00 6f 00 63 00 73 00 69 00 64 00 2e 00 6e 00 64 00 63 00 2f 00 2f 00 3a 00 73 00 70 00 74 00 74 00 68 00 90 00 } //01 00
|
|
$a_03_4 = {65 00 78 00 65 00 2e 00 90 02 70 2f 00 73 00 74 00 6e 00 65 00 6d 00 68 00 63 00 61 00 74 00 74 00 61 00 2f 00 6d 00 6f 00 63 00 2e 00 70 00 70 00 61 00 64 00 72 00 6f 00 63 00 73 00 69 00 64 00 2e 00 6e 00 64 00 63 00 2f 00 2f 00 3a 00 73 00 70 00 74 00 74 00 68 00 90 00 } //01 00
|
|
$a_01_5 = {43 72 65 61 74 65 5f 5f 49 6e 73 74 61 6e 63 65 } //01 00
|
|
$a_01_6 = {44 65 62 75 67 67 61 62 6c 65 41 74 74 72 69 62 75 74 65 } //01 00
|
|
$a_01_7 = {74 73 5f 54 72 61 6e 73 61 63 74 69 6f 6e } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |