26 lines
No EOL
721 B
Text
26 lines
No EOL
721 B
Text
rule SpyGate
|
|
{
|
|
meta:
|
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
|
date = "2014/04"
|
|
ref = "http://malwareconfig.com/stats/SpyGate"
|
|
maltype = "Remote Access Trojan"
|
|
filetype = "exe"
|
|
|
|
strings:
|
|
$split = "abccba"
|
|
$a1 = "abccbaSpyGateRATabccba" //$a = Version 0.2.6
|
|
$a2 = "StubX.pdb"
|
|
$a3 = "abccbaDanabccb"
|
|
$b1 = "monikerString" nocase //$b = Version 2.0
|
|
$b2 = "virustotal1"
|
|
$b3 = "get_CurrentDomain"
|
|
$c1 = "shutdowncomputer" wide //$c = Version 2.9
|
|
$c2 = "shutdown -r -t 00" wide
|
|
$c3 = "set cdaudio door closed" wide
|
|
$c4 = "FileManagerSplit" wide
|
|
$c5 = "Chating With >> [~Hacker~]" wide
|
|
|
|
condition:
|
|
(all of ($a*) and #split > 40) or (all of ($b*) and #split > 10) or (all of ($c*))
|
|
} |