67 lines
1.5 KiB
Text
67 lines
1.5 KiB
Text
rule executable_au3 : info compiler autit
|
|
{
|
|
meta:
|
|
// author = "@h3x2b <tracker _AT h3x.eu>"
|
|
description = "Match AU3 autoit executables"
|
|
|
|
strings:
|
|
$str_au3_01 = "AU3"
|
|
$str_au3_02 = { A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D }
|
|
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
|
|
|
|
rule vb_pcode : info compiler vb
|
|
{
|
|
meta:
|
|
// author = "@h3x2b <tracker _AT h3x.eu>"
|
|
description = "VisualBasic compiled to P-Code bytecode"
|
|
// http://waleedassar.blogspot.com/2012/03/visual-basic-malware-part-1.html
|
|
|
|
strings:
|
|
$str_vb_01 = "VB5"
|
|
$str_vb_pcode = { E9 E9 E9 E9 CC CC CC CC CC CC CC CC CC CC CC CC 9E 9E 9E 9E }
|
|
|
|
condition:
|
|
( $str_vb_01 )
|
|
and $str_vb_pcode
|
|
}
|
|
|
|
|
|
|
|
rule vb_native: info compiler vb
|
|
{
|
|
meta:
|
|
// author = "@h3x2b <tracker _AT h3x.eu>"
|
|
description = "VisualBasic compiled to Native code, http://waleedassar.blogspot.com/2012/03/visual-basic-malware-part-1.html"
|
|
|
|
strings:
|
|
$str_vb_01 = "VB5"
|
|
$str_vb_ncode = { E9 E9 E9 E9 CC CC CC CC CC CC CC CC CC CC CC CC 55 8B EC }
|
|
|
|
condition:
|
|
( $str_vb_01 )
|
|
and $str_vb_ncode
|
|
}
|
|
|
|
|
|
|
|
rule dotnet_libraries: info compiler dotnet
|
|
{
|
|
meta:
|
|
// author = "@h3x2b <tracker _AT h3x.eu>"
|
|
description = ".Net runtime mscoree.dll mscorwks.dll"
|
|
|
|
strings:
|
|
$str_dn_01 = "mscoree.dll"
|
|
$str_dn_02 = "_CorExeMain"
|
|
$str_dn_03 = "mscorwks.dll"
|
|
$str_dn_04 = "CoInitializeEE"
|
|
|
|
condition:
|
|
2 of ($str_dn_* )
|
|
|
|
}
|