16 lines
No EOL
449 B
Text
16 lines
No EOL
449 B
Text
private rule APT1_RARSilent_EXE_PDF
|
|
{
|
|
meta:
|
|
author = "AlienVault Labs"
|
|
info = "CommentCrew-threat-apt1"
|
|
|
|
strings:
|
|
$winrar1 = "WINRAR.SFX" wide ascii
|
|
$winrar2 = ";The comment below contains SFX script commands" wide ascii
|
|
$winrar3 = "Silent=1" wide ascii
|
|
|
|
$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
|
|
$str2 = "Steup=\"" wide ascii
|
|
condition:
|
|
all of ($winrar*) and 1 of ($str*)
|
|
} |