Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- rule Expiro_bin
- {
- meta:
- description = "Expiro"
- author = "James_inthe_box"
- reference = "https://app.any.run/tasks/c3c02897-5069-45d2-8add-2b3e194754ff"
- date = "2019/10"
- maltype = "Trojan"
- strings:
- $string1 = "wscsvc|WinDefend|MsMpSvc|NisSrv|gupdate|gupdatem|wuauserv"
- $string2 = "%s%c%c%c%c-%c%c%c%c%c.com"
- $string3 = "\\*.dat"
- $string4 = "User-Agent: %cozilla/%u.%u (%compatible; msie %u; %s; .NET CLR %s/%s)"
- $string5 = "No space left on device"
- condition:
- uint16(0) == 0x5A4D and all of ($string*) and filesize < 900KB
- }
- rule Expiro_mem
- {
- meta:
- description = "Expiro"
- author = "James_inthe_box"
- reference = "https://app.any.run/tasks/c3c02897-5069-45d2-8add-2b3e194754ff"
- date = "2019/10"
- maltype = "Trojan"
- strings:
- $string1 = "wscsvc|WinDefend|MsMpSvc|NisSrv|gupdate|gupdatem|wuauserv"
- $string2 = "%s%c%c%c%c-%c%c%c%c%c.com"
- $string3 = "\\*.dat"
- $string4 = "User-Agent: %cozilla/%u.%u (%compatible; msie %u; %s; .NET CLR %s/%s)"
- $string5 = "No space left on device"
- condition:
- all of ($string*) and filesize > 900KB
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement