08e8d462fe
RED PILL 🔴 💊
27 lines
845 B
Text
27 lines
845 B
Text
rule BackdoorLiudoor
|
|
{
|
|
meta:
|
|
author = "RSA FirstWatch"
|
|
date = "2015-07-23"
|
|
Description = "Backdoor.Liudoor.sm"
|
|
ThreatLevel = "5"
|
|
hash0 = "78b56bc3edbee3a425c96738760ee406"
|
|
hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
|
|
hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
|
|
hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
|
|
hash4 = "6093505c7f7ec25b1934d3657649ef07"
|
|
type = "Win32 DLL"
|
|
|
|
strings:
|
|
$string0 = "Succ" ascii wide
|
|
$string1 = "Fail" ascii wide
|
|
$string2 = "pass" ascii wide
|
|
$string3 = "exit" ascii wide
|
|
$string4 = "svchostdllserver.dll" ascii wide
|
|
$string5 = "L$,PQR" ascii wide
|
|
$string6 = "0/0B0H0Q0W0k0" ascii wide
|
|
$string7 = "QSUVWh" ascii wide
|
|
$string8 = "Ht Hu[" ascii wide
|
|
condition:
|
|
all of them
|
|
}
|