rule QuakBot_XLS_MalDocs
{
    meta:
        author = "Joe Slowik, DomainTools"
        description = "Identify metadata characteristics for recent QuakBot XLS maldocs."
    strings:
        // Path and metadata strings observed in the documents.
        // $s1 is a prefix of $s2, so any hit on $s2 also counts $s1 toward the threshold.
        $s1 = "C:\\Flopers" ascii
        $s2 = "C:\\Flopers\\Flopers2" ascii
        $s3 = "Admin" ascii fullword
        $s4 = "Friner" ascii fullword
        $s5 = "DocuSign" ascii fullword
    condition:
        // OLE2 compound file header (bytes D0 CF at offset 0, read little-endian)
        uint16(0) == 0xcfd0 and 3 of ($s*)
}