16 lines
No EOL
597 B
Text
16 lines
No EOL
597 B
Text
rule maazben
|
|
{
|
|
meta:
|
|
author = "Brian Wallace @botnet_hunter"
|
|
author_email = "bwall@ballastsecurity.net"
|
|
date = "2014-03-13"
|
|
description = "Identify Maazben"
|
|
strings:
|
|
$encrypted1 = {d4 2a 47 00 44 6d 47 00}
|
|
$encrypted2 = "__CxxFrameHandler"
|
|
$str1 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)"
|
|
$str2 = "%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats"
|
|
$str3 = "MCIDRV_VER"
|
|
condition:
|
|
($encrypted1 and $encrypted2) or ($str1 and $str2 and $str3)
|
|
} |