DefenderYara/TrojanSpy/Win32/Ambler/TrojanSpy_Win32_Ambler_F.yar


// Detection rule converted from Microsoft Defender's TrojanSpy:Win32/Ambler.F entry.
// The meta description preserves the raw SIGNATURE_TYPE_PEHSTR_EXT header bytes
// ("05 00 05 00 09 00 00 03 00") and every string carries a trailing "//NN 00"
// annotation. These presumably encode a match threshold and per-string weights
// (TODO confirm against the converter); the YARA condition below does not
// reproduce that weighting, so treat this rule as a triage/hunting signature
// rather than a blocking one until the condition has been tuned.
rule TrojanSpy_Win32_Ambler_F{
meta:
description = "TrojanSpy:Win32/Ambler.F,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 09 00 00 03 00 "
strings :
// NOTE(review): the 0x90-prefixed byte groups inside the $a_03_* strings
// ("90 01 04", "90 01 01", "90 02 05", "90 03 01 01", "90 09 04 00 00 00 00 00",
// terminating "90 00") look like Defender's own wildcard/escape encoding carried
// over verbatim rather than translated to YARA jump/alternation syntax. If so,
// YARA matches them as literal bytes and those strings will rarely or never hit
// as intended — verify before trusting hits (or misses) on $a_03_*.
//
// $a_03_0: if the 0x90 groups stand for 4- and 1-byte wildcards, this reads as
// x86: push esi / mov esi,[esp+8] / push esi / call rel32 / pop ecx / xor ecx,ecx /
// test eax,eax / jle / xor byte [ecx+esi],imm8 / inc ecx / cmp ecx,eax / jl /
// pop esi / ret — a loop XOR-ing each byte of a buffer with a constant,
// presumably a small string decoder.
$a_03_0 = {56 8b 74 24 08 56 e8 90 01 04 59 33 c9 85 c0 7e 09 80 34 31 90 01 01 41 3b c8 7c f7 5e c3 90 00 } //03 00
// $a_01_1: x86 fragment (cdq / dec edx / lodsd / inc edx / add eax,[ebp+0xc] /
// push eax / call rel32 / cmp eax,ebx / jne backwards), i.e. a short loop body.
$a_01_1 = {99 4a ad 42 03 45 0c 50 e8 97 ff ff ff 39 d8 75 f1 } //03 00
// $a_03_2: ASCII "F--7d615b161b064a\0" followed by a 0x90 escape group.
$a_03_2 = {46 2d 2d 37 64 36 31 35 62 31 36 31 62 30 36 34 61 00 90 09 04 00 00 00 00 00 90 00 } //02 00
// $a_03_3: ASCII "LOADXML\0", escape group, "=>\0\0", escape group, "value=".
$a_03_3 = {4c 4f 41 44 58 4d 4c 00 90 03 01 01 3d 3e 00 00 90 02 05 76 61 6c 75 65 3d 90 00 } //02 00
// $a_01_4: ASCII "GETFILES\0\0\0\0LOADXML\0cid\0" (command/keyword table fragment).
$a_01_4 = {47 45 54 46 49 4c 45 53 00 00 00 00 4c 4f 41 44 58 4d 4c 00 63 69 64 00 } //02 00
// $a_01_5: ASCII "LOADXML\0GETFILES\0" (same keywords, other order).
$a_01_5 = {4c 4f 41 44 58 4d 4c 00 47 45 54 46 49 4c 45 53 00 } //02 00
// $a_01_6: ASCII format string "%s\%s_%u.bmp\0".
$a_01_6 = {25 73 5c 25 73 5f 25 75 2e 62 6d 70 00 } //02 00
// $a_01_7: UTF-16LE format string "%S\%S_%S%S.jpg\0".
$a_01_7 = {25 00 53 00 5c 00 25 00 53 00 5f 00 25 00 53 00 25 00 53 00 2e 00 6a 00 70 00 67 00 00 00 } //02 00
// $a_01_8: ASCII "%02d%02d%02d_%04d\0\0\0%02d%02d%d" — generic date/time
// formatting that also appears in benign binaries; note its annotation is "00 00".
$a_01_8 = {25 30 32 64 25 30 32 64 25 30 32 64 5f 25 30 34 64 00 00 00 25 30 32 64 25 30 32 64 25 64 } //00 00
condition:
// Fires on any single string. Because $a_01_6..$a_01_8 are ordinary format
// strings, a lone hit on one of them is weak evidence and false positives are
// likely if this rule is used for anything stronger than triage; an "N of"
// or weighted condition would be closer to the original signature's threshold
// semantics — TODO confirm the weights before changing this.
any of ($a_*)
}