JohnGalt14

YARA Rule - AutoIt Malware

Jun 21st, 2013
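  // Flags plain-text AutoIt source (.au3) that carries FTP-related indicators.
  //
  // Scope: every pattern below is a source-level string, so the rule is meant
  // for script files. A compiled AutoIt executable embeds the script in a
  // compressed/tokenized form, so these literals will generally not be present
  // there and a separate rule is needed for that case.
  //
  // Tuning notes:
  //   * AutoIt is case-insensitive and accepts ANSI, UTF-8 and UTF-16 script
  //     files, so every string is matched `ascii wide nocase`.
  //   * The patterns assume single spaces exactly as written; a script that
  //     uses tabs or extra spaces in the same statements will not match.
  //   * A hit is a triage lead, not a verdict: legitimate administration
  //     scripts also upload files over FTP.
  rule AutoIt_Script {
      meta:
          description = "AutoIt Script - used by attackers"

      strings:
          // Standard-library indicators. WinAPI.au3 and FTPEx.au3 are stock
          // AutoIt UDF includes and _FTP_Connect is the FTPEx connect call;
          // any one of them alone is common in benign scripts.
          $std_inc_ftpex  = "#include <FTPEX.au3>" ascii wide nocase
          $std_inc_winapi = "#include <WinAPI.au3>" ascii wide nocase
          $std_ftp_call   = "= _FTP_Connect" ascii wide nocase

          // Script-specific indicators: a non-stock include name and the
          // global variable names used for the FTP endpoint and account.
          // NOTE(review): presumed specific to the samples this rule was
          // written from; confirm against the sample set.
          $script_inc_update = "#include <updateftp.au3>" ascii wide nocase
          $script_var_server = "Global $FTPServer" ascii wide nocase fullword
          $script_var_user   = "Global $FTPUser" ascii wide nocase fullword

      condition:
          // One script-specific string is enough. Standard-library strings
          // need corroboration, so a lone `#include <WinAPI.au3>` no longer
          // fires the rule on its own.
          any of ($script_*) or 2 of ($std_*)
  }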