rule RogueWin32SystemDoctorA
{
    // Rogue / fake-antivirus family sold as "System Doctor" (vendor tag Rogue.SysDoct.rc).
    // Fires on the code pattern alone, or on any two of the listed artefacts.
    meta:
        Description = "Rogue.SysDoct.rc"
        ThreatLevel = "5"

    strings:
        // Code pattern from the sample: a stack-frame prologue followed by a
        // run of `mov esi, imm32` / `movsd` copies.  The 0x0047d0xx immediates
        // look like absolute addresses in that build's image, so the pattern
        // is presumably specific to one compile / image base — confirm before
        // relying on it for other variants.
        $hex0 = { 55 8b ec 83 ec 7c a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 56 68 90 d0 47 00 8d ?? ?? e8 ?? ?? ?? ?? 83 ?? ?? ?? 8b ?? ?? 73 ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? 83 f8 ff 74 ?? 6a 00 6a 01 e8 ?? ?? ?? ?? 33 c0 8b ?? ?? 33 cd 5e e8 ?? ?? ?? ?? c9 c3 53 57 33 db 53 6a 01 e8 ?? ?? ?? ?? be a4 d0 47 00 8d ?? ?? a5 a4 be ac d0 47 00 8d ?? ?? a5 a4 be b4 d0 47 00 8d ?? ?? a5 66 ?? a4 be bc d0 47 00 8d ?? ?? a5 a5 66 ?? a4 be 90 88 45 00 8d ?? ?? a5 a5 a5 a5 be 00 10 00 00 56 e8 ?? ?? ?? ?? 59 6a 02 53 89 ?? ?? 53 8d ?? ?? 50 c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b f8 83 ff ff 0f ?? ?? ?? ?? ?? 8d ?? ?? 50 53 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 50 56 8b ?? ?? 56 8d ?? ?? 50 6a 0c 8d ?? ?? 50 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 ff ?? ?? ?? ?? ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 74 ?? 33 db 43 56 e8 ?? ?? ?? ?? 59 5f 8b c3 5b e9 ?? ?? ?? ?? 8b ?? ?? eb ?? }

        // Branding and infrastructure artefacts, matched as ASCII or UTF-16LE.
        $site  = "http://sys-doctor.com" ascii wide
        $ident = "AA39754E-715219CE" ascii wide
        $brand = "System Doctor" ascii wide
        // Debug-log paths written by the product (backslash escaped for YARA).
        $dbg0  = "C:\\sd.dbg" ascii wide
        $dbg1  = "C:\\sd1.dbg" ascii wide

    condition:
        // "them" is every string above, $hex0 included; the code pattern is
        // accepted on its own because it is the most specific indicator.
        (2 of them) or $hex0
}
rule RogueWin32FufelAVA
{
    // Rogue / fake-antivirus family "FufelAV" (vendor tag Rogue.FufelAV.sm).
    // Fires on any one of the family-specific brand/domain strings, or on
    // any three of the scareware UI strings.
    meta:
        Description = "Rogue.FufelAV.sm"
        ThreatLevel = "5"

    strings:
        // Internal command tokens and UI / alert text shown by the rogue.
        // Several of these ("Cured", "Registered version") are short and
        // generic, which is why three of them are required below.
        $cmd0 = "avp:buy" ascii wide
        $cmd1 = "avp:scan" ascii wide
        $ui0  = "Protection software" ascii wide
        $ui1  = "Invalid registration key!" ascii wide
        $ui2  = "Unprotected mode request" ascii wide
        $ui3  = "Are you sure want to continue in unprotected mode?" ascii wide
        $ui4  = "I have serial key" ascii wide
        $ui5  = "Continue unprotected" ascii wide
        $ui6  = "trying to infect your files" ascii wide
        $ui7  = "Your computer was attacked from" ascii wide
        $ui8  = "Attack was blocked" ascii wide
        $ui9  = "Please register product to block hackers attack" ascii wide
        // "threads" is the sample's own misspelling; keep it verbatim.
        $ui10 = "Scanning completed. No threads found." ascii wide
        $ui11 = "Scanning completed. Cleanup is required." ascii wide
        $ui12 = "Warning! %d Infections found!" ascii wide
        $ui13 = "Registered version" ascii wide
        $ui14 = "Unregistered version (Please register)" ascii wide
        $ui15 = "Cured" ascii wide
        $ui16 = "Infected process" ascii wide

        // Family-specific branding and distribution domains.  Each one is
        // sufficient on its own (see condition); a bare domain string can also
        // appear in benign artefacts such as block-lists or browser caches, so
        // a single $str_* hit is worth corroborating before acting on it.
        $str_0 = "Sinergia Cleaner" ascii wide
        $str_1 = "Sinergia software.lnk" ascii wide
        $str_2 = "fufel-av-2.com" ascii wide
        $str_3 = "fufel-av.com" ascii wide

    condition:
        // "them" covers every string in this rule, the $str_* set included.
        (3 of them) or (any of ($str_*))
}