22 lines
735 B
Text
22 lines
735 B
Text
|
|
import "pe"
|
|
|
|
rule SUSP_THOR_Unsigned_Oct23_1 {
|
|
meta:
|
|
description = "Detects unsigned version of THOR scanner, which could be a backdoored / modified version of the scanner"
|
|
author = "Florian Roth"
|
|
reference = "Internal Research"
|
|
date = "2023-10-28"
|
|
score = 75
|
|
id = "2ca6a192-675e-5f02-a7b1-40369eeb9904"
|
|
strings:
|
|
$s1 = "THOR APT Scanner" wide fullword
|
|
$s2 = "Nextron Systems GmbH" wide fullword
|
|
|
|
/* OriginalFilename\x00thor */
|
|
$sc1 = { 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 74 00 68 00 6F 00 72 }
|
|
condition:
|
|
uint16(0) == 0x5a4d
|
|
and all of them
|
|
and pe.number_of_signatures == 0
|
|
}
|