08e8d462fe
RED PILL 🔴 💊
23 lines
932 B
Text
23 lines
932 B
Text
rule Dridex_Trojan_XML {
|
|
meta:
|
|
description = "Dridex Malware in XML Document"
|
|
author = "Florian Roth (Nextron Systems) @4nc4p"
|
|
reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
|
|
date = "2015/03/08"
|
|
hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
|
|
hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
|
|
hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
|
|
hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
|
|
hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
|
|
id = "a8f3406c-f8b0-559f-be12-6b2a7d401ac2"
|
|
strings:
|
|
// can be ascii or wide formatted - therefore no restriction
|
|
$c_xml = "<?xml version="
|
|
$c_word = "<?mso-application progid=\"Word.Document\"?>"
|
|
$c_macro = "w:macrosPresent=\"yes\""
|
|
$c_binary = "<w:binData w:name="
|
|
$c_0_chars = "<o:Characters>0</o:Characters>"
|
|
$c_1_line = "<o:Lines>1</o:Lines>"
|
|
condition:
|
|
all of ($c*)
|
|
}
|