// Sample tagged "wow32.exe" in the referenced Optiv write-up on AutoIt-based POS malware
// (the file name is inferred from the rule name; the page gives no hash).
// NOTE(review): both strings look like the AutoIt runtime stub's standard AV-contact
// notice rather than anything specific to this sample, so this rule probably fires on
// any compiled AutoIt binary, benign or not. Confirm against a clean AutoIt build and
// treat a hit as "compiled AutoIt present", not as a malware verdict on its own.
rule wow32_exe
{
    meta:
        description = "wow32-exe"
        // "thread_level" is the key as published upstream; presumably meant as threat_level
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"

    strings:
        // "wide ascii": match the text in both UTF-16LE and single-byte encodings
        $a = "avsupport@autoitscript.com" wide ascii
        $b = "compiled AutoIt script" wide ascii

    condition:
        // same as "$a and $b": every declared string must be present
        all of them
}
// Sample tagged "cdosys.dll" in the referenced Optiv write-up on AutoIt-based POS malware
// (the file name is inferred from the rule name; the page gives no hash).
// NOTE(review): "Microsoft CDO for Windows Library" and "CDOSYS.DLL" are the kind of
// version-resource text the genuine Microsoft library itself carries, so a match on a
// real cdosys.dll is likely. Pair this with path, signature or hash context before
// alerting; by itself it only says "something claims to be CDOSYS".
rule cdosys_dll
{
    meta:
        description = "cdosys-dll"
        // "thread_level" is the key as published upstream; presumably meant as threat_level
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"

    strings:
        // "wide ascii": match the text in both UTF-16LE and single-byte encodings
        $a = "Microsoft CDO for Windows Library" wide ascii
        $b = "CDOSYS.DLL" wide ascii

    condition:
        // same as "$a and $b": every declared string must be present
        all of them
}
// Sample tagged "winhttp.exe" in the referenced Optiv write-up on AutoIt-based POS malware
// (the file name is inferred from the rule name; the page gives no hash).
// NOTE(review): "SeDebugPrivilege" alone is requested by many legitimate tools; the
// signal here comes from its co-occurrence with "SearchInject" and the "Searcher.dll"
// file name, which is why all three are required.
rule winhttp_exe
{
    meta:
        description = "winhttp-exe"
        // "thread_level" is the key as published upstream; presumably meant as threat_level
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"

    strings:
        // "wide ascii": match the text in both UTF-16LE and single-byte encodings
        $a = "SeDebugPrivilege" wide ascii
        $b = "SearchInject" wide ascii
        $c = "Searcher.dll" wide ascii

    condition:
        // same as "$a and $b and $c": every declared string must be present
        all of them
}
// Sample tagged "Searcher.dll" in the referenced Optiv write-up on AutoIt-based POS malware
// (the file name is inferred from the rule name; the page gives no hash).
// NOTE(review): "EncodePointer" is an ordinary Win32 import and "CONOUT$" a standard
// console device name, so neither is specific on its own; the log-file format string
// "%s%i_%s_%i.log" is the most distinctive element and the one to validate first if
// this rule starts producing noise.
rule Searcher_dll
{
    meta:
        description = "Searcher-dll"
        // "thread_level" is the key as published upstream; presumably meant as threat_level
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"

    strings:
        // "wide ascii": match the text in both UTF-16LE and single-byte encodings
        $a = "EncodePointer" wide ascii
        $b = "CONOUT$" wide ascii
        $c = "%s%i_%s_%i.log" wide ascii

    condition:
        // same as "$a and $b and $c": every declared string must be present
        all of them
}