// Signature for an Andromeda/Gamarue dropper: one code pattern plus a set of
// build and deployment artifacts; the condition states how they combine.
rule TrojanDropperWin32Gamarue_A_Andromeda
{
    meta:
        Description = "Trojan.Andromeda.sm"
        ThreatLevel = "5"

    strings:
        // x86 byte sequence; the ?? wildcards cover displacements that shift
        // between builds. Looks like a 16-bit (wide-char) compare loop
        // followed by an indirect call — confirm against a sample before
        // relying on that reading.
        $code1 = { 66 8B 10 66 3B 11 75 1E 66 3B D3 74 15 66 8B 50 02 66 3B 51 02 75 0F 83 C0 04 83 C1 04 66 3B D3 75 DE 33 C0 EB 05 1B C0 83 D8 FF 3B C3 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? ?? 56 FF D7 85 C0 75 ?? }

        // Build artifact: debug-symbol (PDB) path left in the binary.
        // Specific enough to match on its own (see condition).
        $a = "ldr\\CUSTOM\\local\\local\\Release\\ADropper.pdb" wide ascii

        // File names and path fragments associated with the dropper.
        // NOTE(review): several of these (MSI, msiexec.exe, avp.exe) are
        // common installer or security-product artifacts; if false positives
        // appear, consider gating the rule on a PE header
        // (uint16(0) == 0x5A4D) or a filesize bound, validated on a clean
        // corpus first.
        $s1 = "EpisodeNorth.exe" wide ascii
        $s2 = "HandballChampionship.exe" wide ascii
        $s3 = "\\#MSI" wide ascii
        $s4 = "\\MSI" wide ascii
        $s5 = "\\msiexec.exe" wide ascii
        $s6 = "avp.exe" wide ascii
        $s7 = "\\(empty).lnk" wide ascii

        // Appears to be an obfuscated (chunked and reversed) registry path —
        // TODO confirm by decoding before documenting the target key.
        // Specific enough to match on its own (see condition).
        $b = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst" wide ascii

    condition:
        // Either high-confidence artifact alone is sufficient; otherwise
        // require any three of the strings above ("them" covers all of them,
        // $a and $b included).
        $a or $b or 3 of them
}