MUCH BETTER rule below:

rule Possible_Cobint_mem
{
    meta:
        description = "Cobint"
        author = "James_inthe_box"
        reference = "7e82aa131fd92a4d0aec5086e036be544be0dd84a20ba25ffda633a9fbb69c32"
        date = "2019/02"
        maltype = "Tool"
    strings:
        $regex1 = /https:\/\/[a-zA-Z0-9]{4,}\.[a-zA-Z0-9]{2,}\/[a-z]{21,}/ wide
        $string1 = "User-Agent:"
        $string2 = "Host:"
        $string3 = "tls-server-end-point:"
    condition:
        all of ($regex*) and all of ($string*) and filesize > 800KB
}
this previous rule sucks:

rule Cobint_bin_memory
{
    meta:
        author = "James_inthe_box"
        date = "2018/10"
        maltype = "Cobint"
    strings:
        $string1 = "SystemFunction0"
        $string2 = "ObtainUserAgentString"
        $string3 = "GetCurrentProcessId"
        $string4 = "Sleep"
        $string5 = "urlmon.dll"
        $string6 = "POST"
    condition:
        all of them
}
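To see why the second rule is so much noisier than the first, it helps to run both conditions against controlled input. The Python below is an added example, not the author's code and not a substitute for yara itself: it re-implements the two rules' conditions by hand so they can be exercised offline. It makes explicit what the `wide` modifier means (every character of the regex is followed by a NUL byte, i.e. UTF-16LE text), that YARA's `800KB` is 800 * 1024 bytes, and that `filesize` is only defined when scanning a file such as a dumped region; the emulation treats it as the buffer length. The three buffers are constructed here for the demonstration and are not real samples; the domain `example.com` and the 26-letter path are placeholders that satisfy the regex, and the "benign" buffer carries only the import-style names from the old rule, which many legitimate urlmon-using binaries also contain.

```python
import re

# YARA's 800KB is 800 * 1024 bytes.
FILESIZE_MIN = 800 * 1024

# Hand-expanded equivalent of the rule's `wide` regex: YARA applies a wide
# pattern to UTF-16LE text, so every character is followed by a NUL byte.
WIDE_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00s\x00:\x00/\x00/\x00"   # https://
    rb"(?:[a-zA-Z0-9]\x00){4,}"                    # [a-zA-Z0-9]{4,}
    rb"\.\x00"                                     # \.
    rb"(?:[a-zA-Z0-9]\x00){2,}"                    # [a-zA-Z0-9]{2,}
    rb"/\x00"                                      # \/
    rb"(?:[a-z]\x00){21,}"                         # [a-z]{21,}
)

# Plain (ASCII) strings from each rule.
NEW_RULE_ASCII = [b"User-Agent:", b"Host:", b"tls-server-end-point:"]
OLD_RULE_ASCII = [b"SystemFunction0", b"ObtainUserAgentString",
                  b"GetCurrentProcessId", b"Sleep", b"urlmon.dll", b"POST"]


def possible_cobint_mem(data: bytes) -> bool:
    """Emulates Possible_Cobint_mem: wide URL regex, all three ASCII strings,
    and a size threshold (filesize is modelled as the buffer length)."""
    return (WIDE_URL_RE.search(data) is not None
            and all(s in data for s in NEW_RULE_ASCII)
            and len(data) > FILESIZE_MIN)


def cobint_bin_memory(data: bytes) -> bool:
    """Emulates Cobint_bin_memory: all six plain strings, no other constraint."""
    return all(s in data for s in OLD_RULE_ASCII)


def build_sample(url: str, ascii_strings, total_size: int) -> bytes:
    """Constructed test buffer (not a real sample): the URL as UTF-16LE,
    NUL-separated ASCII strings, then zero padding up to total_size."""
    body = url.encode("utf-16-le") + b"\x00\x00" + b"\x00".join(ascii_strings)
    return body.ljust(total_size, b"\x00")


# Constructed buffers; example.com and the long lowercase path are placeholders.
SUSPECT = build_sample("https://example.com/abcdefghijklmnopqrstuvwxyz",
                       NEW_RULE_ASCII + OLD_RULE_ASCII, 900 * 1024)
# Only the generic import names: what an ordinary urlmon-using binary might contain.
BENIGN = build_sample("https://example.com/short", OLD_RULE_ASCII, 900 * 1024)
# Right strings, but too small to satisfy the filesize clause.
SMALL = build_sample("https://example.com/abcdefghijklmnopqrstuvwxyz",
                     NEW_RULE_ASCII, 4096)

if __name__ == "__main__":
    for name, buf in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN), ("SMALL", SMALL)):
        print(f"{name:8s} new_rule={possible_cobint_mem(buf)} old_rule={cobint_bin_memory(buf)}")
```

The old rule fires on the benign buffer because all six of its strings are ordinary Windows API and import names, while the new rule needs the UTF-16LE URL shape, the three HTTP-related strings and the size threshold together. When the real rules are run with yara against a dumped process region, remember that the `filesize` clause applies to the dump file, not to a live process scan.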