Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- rule FF49PreemUp_mem
- {
- meta:
- description = "FF infostealer"
- author = " James_inthe_box"
- reference = "https://app.any.run/tasks/4e438c30-34b4-4219-98f4-db396ec19565"
- date = "2018/12"
- maltype = "Infostealer"
- strings:
- $string1 = "ff49preemup_dll" ascii
- $string2 = "RS=" wide
- $string3 = "FF_V=" wide
- $string4 = "FF_S_Domain_brand=" wide
- $string5 = "FF_installed_admin=" wide
- $string6 = "FF_H=" wide
- $string7 = "FF_S=" wide
- $string8 = "FF_S_Domain=" wide
- $string9 = "FF_H_BRAND=" wide
- $string10 = "AC=" wide
- $string11 = "ff_bit64=" wide
- condition:
- all of ($string*)
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
