08e8d462fe
RED PILL 🔴 💊
19 lines
No EOL
603 B
Text
19 lines
No EOL
603 B
Text
import "pe"
|
|
|
|
|
|
rule apt_c16_win_memory_pcclient : Memory APT
|
|
{
|
|
meta:
|
|
author = "@dragonthreatlab"
|
|
md5 = "ec532bbe9d0882d403473102e9724557"
|
|
description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
|
|
date = "2015/01/11"
|
|
reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
|
|
strings:
|
|
$str1 = "Kill You" ascii
|
|
$str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
|
|
$str3 = "%4.2f KB" ascii
|
|
$encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}
|
|
condition:
|
|
all of them
|
|
} |