16 lines
629 B
Text
16 lines
629 B
Text
|
rule AbaddonPOS
|
||
|
{
|
||
|
meta:
|
||
|
description = "AbaddonPOS"
|
||
|
author = "Darien Huss, Proofpoint"
|
||
|
reference = "md5,317f9c57f7983e2608d5b2f00db954ff"
|
||
|
strings:
|
||
|
$s1 = "devil_host" fullword ascii
|
||
|
$s2 = "Chrome" fullword ascii
|
||
|
$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword ascii
|
||
|
|
||
|
$i1 = { 31 ?? 81 ?? 55 89 E5 8B 74 }
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and (all of ($s*) or $i1) and filesize <= 10KB
|
||
|
}
|