rule legionloader
{
    strings:
        // gate[1-4].php?a={..-..-..-..-..}id=<digit>  (five hyphen-separated groups of 2-20 bytes)
        $s1_1 = {67 61 74 65 (31|32|33|34) 2E 70 68 70 3F 61 3D 7B [2-20] 2D [2-20] 2D [2-20] 2D [2-20] 2D [2-20] 7D 69 64 3D (31|32|33|34|35|36|37|38|39|30)}
        // gate[1-4].php?a={..-..-..-..}id=<digit>  (four hyphen-separated groups of 2-20 bytes)
        $s1_2 = {67 61 74 65 (31|32|33|34) 2E 70 68 70 3F 61 3D 7B [2-20] 2D [2-20] 2D [2-20] 2D [2-20] 7D 69 64 3D (31|32|33|34|35|36|37|38|39|30)}
        // gate[1-4].php?a=true
        $s2 = {67 61 74 65 (31|32|33|34) 2E 70 68 70 3F 61 3D 74 72 75 65}
        // Hidden PowerShell launched through cmd.exe
        $s3 = "cmd.exe /c start /B powershell -windowstyle hidden -command"
    condition:
        // Either gate URL variant with an id, plus the a=true gate URL and the launcher command line
        ($s1_1 or $s1_2) and $s2 and $s3
}