19 lines
641 B
Text
19 lines
641 B
Text
|
rule AdGholas_mem_MIME
|
||
|
{
|
||
|
meta:
|
||
|
malfamily = "AdGholas"
|
||
|
author = "Proofpoint"
|
||
|
reference = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
|
||
|
reference2 = "https://blog.malwarebytes.com/cybercrime/exploits/2016/12/adgholas-malvertising-business-as-usual/"
|
||
|
|
||
|
strings:
|
||
|
$b1=".300000000" ascii nocase wide fullword
|
||
|
$b2=".saz" ascii nocase wide fullword
|
||
|
$b3=".py" ascii nocase wide fullword
|
||
|
$b4=".pcap" ascii nocase wide fullword
|
||
|
$b5=".chls" ascii nocase wide fullword
|
||
|
|
||
|
condition:
|
||
|
all of ($b*)
|
||
|
}
|