18 lines
963 B
Plaintext
18 lines
963 B
Plaintext
|
|
rule TrojanSpy_BAT_Stealer_MK_MTB{
|
|
meta:
|
|
description = "TrojanSpy:BAT/Stealer.MK!MTB,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 08 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {11 01 16 11 01 8e 69 28 1a 00 00 0a 13 90 01 01 38 90 01 01 00 00 00 90 02 18 11 90 01 01 16 11 90 01 01 8e 69 28 90 01 04 13 04 38 90 01 01 ff ff ff 90 00 } //01 00
|
|
$a_03_1 = {02 8e 69 8d 09 00 00 01 13 90 01 01 38 12 00 00 00 fe 0c 90 01 01 00 45 01 00 00 00 90 01 01 00 00 00 38 90 01 01 00 00 00 11 90 01 01 11 90 01 01 16 11 90 01 01 8e 69 90 02 1f 26 20 00 00 00 00 90 00 } //01 00
|
|
$a_01_2 = {52 65 70 6c 61 63 65 } //01 00
|
|
$a_01_3 = {46 72 6f 6d 42 61 73 65 36 34 43 68 61 72 41 72 72 61 79 } //01 00
|
|
$a_01_4 = {43 72 65 61 74 65 44 65 63 72 79 70 74 6f 72 } //01 00
|
|
$a_01_5 = {4d 65 6d 6f 72 79 53 74 72 65 61 6d } //01 00
|
|
$a_01_6 = {53 6c 65 65 70 } //01 00
|
|
$a_01_7 = {62 61 73 65 36 34 45 6e 63 6f 64 65 64 44 61 74 61 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |