rule Hancidoc : Dropper
{
    // Detects the Hancitor maldoc dropper as a legacy OLE2 (.doc) file that
    // carries the campaign's author artefact and an 8-letter payload marker.
    // Scope: only OLE2 containers can fire; OOXML (.docx/.docm, zip-based) and
    // RTF carriers never match because of the header check at offset 0.
    meta:
        author = "moutonplacide"
        date = "2016-11-23"
        description = "Hancitor document dropper"

    strings:
        // Compound File Binary magic (D0 CF 11 E0 A1 B1 1A E1) followed by the
        // first two bytes of the CLSID field, which are zero in OLE2 files.
        $ole_header = { D0 CF 11 E0 A1 B1 1A E1 00 00 }

        // Document author seen in this campaign's samples. ASCII-only (YARA
        // default), case-sensitive. NOTE(review): campaign metadata like this
        // rotates quickly, so expect this string to age out; if samples show a
        // UTF-16 copy of the author (e.g. in Word's save-history table), adding
        // `wide` would be the natural widening — confirm against samples first.
        $ole_author = "Kimberly"

        // Eight upper-case letters followed by 08 00 — the "STARFALL"/"FORTINET"
        // style tag that sits in front of the embedded payload. [A-Z]{8} accepts
        // ANY eight-letter upper-case run, not just those two words, so the
        // author string is what keeps this rule specific. NOTE(review): the only
        // fixed bytes are \x08\x00, so YARA may flag this string as slowing down
        // scanning — check the compiler warnings.
        $payload_marker = /[A-Z]{8}\x08\x00/

    condition:
        // Header must be at file start; author and marker may be anywhere.
        $ole_header at 0
        and $ole_author
        and $payload_marker
}