34 lines
2.3 KiB
Plaintext
34 lines
2.3 KiB
Plaintext
|
|
rule VirTool_WinNT_Vanti{
|
|
meta:
|
|
description = "VirTool:WinNT/Vanti,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 07 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {68 08 03 01 00 50 ff d6 8b 55 08 6a 1b 59 b8 c0 03 01 00 8d 7a 38 f3 ab 8d 45 fc c7 42 70 d2 03 01 00 50 6a 00 6a 00 8d 45 f4 6a 22 50 6a 10 52 c7 42 34 c6 02 01 00 ff 15 6c 04 01 00 } //02 00
|
|
$a_00_1 = {8d 45 fc c7 42 70 a0 02 01 00 50 6a 00 6a 00 8d 45 f4 6a 22 50 6a 10 52 c7 42 34 28 04 01 00 ff 15 a4 04 01 00 85 c0 7c 19 } //04 00
|
|
$a_01_2 = {0f 20 c0 89 45 0c 25 ff ff fe ff 0f 22 c0 fa 8b c1 c1 e9 02 f3 a5 8b c8 83 e1 03 f3 a4 fb 8b 45 0c 0f 22 c0 } //01 00
|
|
$a_00_3 = {5c 00 44 00 65 00 76 00 69 00 63 00 65 00 5c 00 4d 00 49 00 41 00 4e 00 59 00 49 00 } //01 00
|
|
$a_00_4 = {5c 00 44 00 6f 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5c 00 4d 00 49 00 41 00 4e 00 59 00 49 00 } //01 00
|
|
$a_00_5 = {44 00 6f 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5c 00 58 00 52 00 57 00 30 00 30 00 35 00 } //01 00
|
|
$a_00_6 = {44 00 65 00 76 00 69 00 63 00 65 00 5c 00 58 00 52 00 57 00 30 00 30 00 35 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule VirTool_WinNT_Vanti_2{
|
|
meta:
|
|
description = "VirTool:WinNT/Vanti,SIGNATURE_TYPE_PEHSTR_EXT,16 00 0b 00 08 00 00 0a 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {55 8b ec 51 51 53 8b 5d 0c 56 57 8b 43 60 89 45 f8 8b 48 0c 81 e9 07 00 22 00 74 4d 83 e9 04 74 2f 83 e9 04 74 1d 83 e9 04 75 6b 60 0f 20 e2 89 55 fc 61 8b 45 f8 8b 4d fc 8b 5d 0c 8b 40 10 89 08 eb 53 } //0a 00
|
|
$a_01_1 = {0f 20 c0 89 45 0c 25 ff ff fe ff 0f 22 c0 fa 8b c1 c1 e9 02 f3 a5 8b c8 83 e1 03 f3 a4 fb 8b 45 0c 0f 22 c0 } //01 00
|
|
$a_00_2 = {5c 00 44 00 65 00 76 00 69 00 63 00 65 00 5c 00 43 00 4f 00 4b 00 35 00 36 00 38 00 } //01 00
|
|
$a_00_3 = {5c 00 44 00 6f 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5c 00 43 00 4f 00 4b 00 35 00 36 00 38 00 } //01 00
|
|
$a_00_4 = {5c 00 44 00 65 00 76 00 69 00 63 00 65 00 5c 00 58 00 42 00 42 00 4f 00 39 00 39 00 } //01 00
|
|
$a_00_5 = {5c 00 44 00 6f 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5c 00 58 00 42 00 42 00 4f 00 39 00 39 00 } //01 00
|
|
$a_00_6 = {5c 00 44 00 65 00 76 00 69 00 63 00 65 00 5c 00 56 00 58 00 50 00 30 00 30 00 35 00 } //01 00
|
|
$a_00_7 = {5c 00 44 00 6f 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5c 00 56 00 58 00 50 00 30 00 30 00 35 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |