19 lines
646 B
Text
19 lines
646 B
Text
|
rule trickbot_maldoc_embedded_dll_september_2020 {
|
||
|
meta:
|
||
|
author = "HP-Bromium Threat Research"
|
||
|
reference = "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/"
|
||
|
date = "2020-10-03"
|
||
|
sharing = "TLP:WHITE"
|
||
|
|
||
|
strings:
|
||
|
$magic = { D0 CF 11 E0 A1 B1 1A E1 }
|
||
|
$s1 = "EncryptedPackage" wide
|
||
|
$s2 = "{FF9A3F03-56EF-4613-BDD5-5A41C1D07246}" wide
|
||
|
$s3 = { FF FF FF FF FF FF FF FF FF FF ( 90 90 | 10 10 | E2 E2 | 17 17 ) FF FF FF FF FF FF FF FF FF FF }
|
||
|
|
||
|
condition:
|
||
|
$magic at 0 and
|
||
|
all of ($s*) and
|
||
|
(filesize > 500KB and filesize < 1000KB)
|
||
|
}
|