// Detection signature for the family the meta section calls "Evora".
// The rule fires when either of two independent string sets is present in
// full: all four $a* strings, or all three $b* strings. The condition has no
// file-type, header or size constraint, so any scanned buffer containing a
// complete set matches.
rule evora {
    meta:
        author = "Brian Wallace @botnet_hunter"
        date = "2015-10-20"
        description = "Identify Evora"
    strings:
        // Set A. $a1 carries no modifier and is therefore matched as plain
        // ASCII bytes; the strings marked `wide` are matched only in their
        // two-bytes-per-character (UTF-16LE style) encoding.
        $a1 = "{A872638D-DC2B9B23}"
        // Looks like an HTTP User-Agent value. It is generic on its own and
        // only carries weight together with the rest of the set.
        $a2 = "Mozilla/4.0 (compatible; MSIE 8.0)" wide
        // printf-style format string shaped like a URL path.
        $a3 = "/%x/thread_%02d%02d%02d%02d.html" wide
        // NOTE(review): eight hex digits; their role is not evident from the
        // rule itself. Confirm against a reference sample.
        $a4 = "F95F6E38" wide

        // Set B. $b1 is the same byte pattern as $a1 under a second
        // identifier, so it can count towards either set.
        $b1 = "{A872638D-DC2B9B23}"
        // GUID-formatted string.
        $b2 = "{F40150C7-B623-41bc-8693-0445343A3A69}" wide
        // `\\` is the YARA escape for a single backslash, so this matches
        // `Global\%d`. Presumably a name template for a Windows named object
        // in the Global\ namespace. TODO confirm against a sample.
        $b3 = "Global\\%d" wide
    condition:
        // A set must be complete to match; a partial set never fires, which
        // keeps the generic members ($a2, $b3) from triggering the rule alone.
        all of ($a*) or all of ($b*)
}