MalwareRules
Rules for detecting malware families.
Here are some rules for detecting malware families. Keep in mind that they may not work on packed samples; they are intended to be used on unpacked or memory-dumped samples.

rule xmlc : banker
{
    strings:
        $a = "/c del" fullword
        $b = "PostDel" fullword
        $c = ">> NUL" fullword
        $d = "LOADXML"
        $e = "lm.dat"
        $f = "---------------%s----------------"
        // the \2 back-reference relies on the PCRE engine of YARA 1.x;
        // YARA's own regex engine (2.0 and later) does not support back-references
        $g = /(\x00|\x20)([a-z0-9]{5,8}\.dll)\x00{1,8}\\\2/
    condition:
        filesize < 150KB and (3 of ($a,$b,$c,$d,$e,$f) or #g >= 2)
}

rule silent_banker : banker
{
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

rule zbot : banker
{
    strings:
        $a = "__SYSTEM__" wide
        $b = "*tanentry*"
        $c = "*<option"
        $d = "*<select"
        $e = "*<input"
    condition:
        ($a and $b) or ($c and $d and $e)
}

rule banbra : banker
{
    strings:
        $a = "senha" fullword nocase
        $b = "cartao" fullword nocase
        $c = "caixa"
        $d = "login" fullword nocase
        $e = ".com.br"
    condition:
        #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
}
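To make the string modifiers and occurrence counts used in the zbot and banbra rules concrete, here is an added Python example (not part of the original page and not YARA itself). It re-implements the `wide`, `nocase` and `fullword` modifiers and the `#var` count in a simplified form, evaluates the zbot and banbra conditions over constructed sample buffers, and uses a single-byte XOR stub as a stand-in for a packer to show why these rules only fire on unpacked or memory-dumped data. The sample buffers and the XOR key are constructed for this example.

```python
import re

# Simplified teaching re-implementation of YARA's text-string semantics
# (assumption: only `wide`, `nocase`, `fullword` and the #var count are modelled;
# hex strings, regex strings and overlapping-match details are ignored).
def count_matches(data: bytes, text: str, wide=False, nocase=False, fullword=False) -> int:
    """Return how many times `text` occurs in `data`, like YARA's #var."""
    if wide:
        needle = text.encode("utf-16-le")   # `wide`: every character followed by \x00
        boundary = rb"[A-Za-z0-9]\x00"
    else:
        needle = text.encode("ascii")
        boundary = rb"[A-Za-z0-9]"
    pattern = re.escape(needle)
    if fullword:
        # `fullword`: the match may not be glued to alphanumeric characters
        pattern = rb"(?<!" + boundary + rb")" + pattern + rb"(?!" + boundary + rb")"
    flags = re.IGNORECASE if nocase else 0
    return len(re.findall(pattern, data, flags))


def zbot_matches(data: bytes) -> bool:
    """Condition of the zbot rule: ($a and $b) or ($c and $d and $e)."""
    a = count_matches(data, "__SYSTEM__", wide=True)
    b = count_matches(data, "*tanentry*")
    c = count_matches(data, "*<option")
    d = count_matches(data, "*<select")
    e = count_matches(data, "*<input")
    return (a > 0 and b > 0) or (c > 0 and d > 0 and e > 0)


def banbra_matches(data: bytes):
    """Condition of the banbra rule; #x > 3 means at least four occurrences each."""
    counts = {
        "a": count_matches(data, "senha", fullword=True, nocase=True),
        "b": count_matches(data, "cartao", fullword=True, nocase=True),
        "c": count_matches(data, "caixa"),
        "d": count_matches(data, "login", fullword=True, nocase=True),
        "e": count_matches(data, ".com.br"),
    }
    return all(n > 3 for n in counts.values()), counts


def xor_pack(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a packer/crypter: plaintext strings only exist after decoding.
    Applying it twice restores the original, which mirrors a memory dump taken
    after the stub has run."""
    return bytes(b ^ key for b in data)


def scan(data: bytes) -> dict:
    """Evaluate both rules on one buffer and report which ones fire."""
    return {"zbot": zbot_matches(data), "banbra": banbra_matches(data)[0]}


# Constructed sample buffers (not real malware), built to exercise the modifiers:
# "senha123" and "logins" are excluded by fullword, "Caixa" by case-sensitivity.
ZBOT_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "__SYSTEM__".encode("utf-16-le")     # satisfies `wide`; plain ASCII would not
    + b"\x00\x00*tanentry*\x00"
)
BANBRA_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Senha: \x00SENHA\x00senha invalida\x00senha\x00senha123\x00"
    + b"cartao\x00Cartao de credito\x00CARTAO\x00cartao\x00"
    + b"caixa\x00caixa\x00caixa\x00caixa\x00Caixa\x00"
    + b"login\x00Login\x00LOGIN\x00login\x00logins\x00"
    + b"http://www.example.com.br\x00banco.com.br\x00x.com.br\x00y.com.br\x00"
)

if __name__ == "__main__":
    for label, buf in [
        ("unpacked", BANBRA_SAMPLE),
        ("packed", xor_pack(BANBRA_SAMPLE)),
        ("memory dump", xor_pack(xor_pack(BANBRA_SAMPLE))),
    ]:
        print(f"{label:12s} {scan(buf)} counts={banbra_matches(buf)[1]}")
```

Running the script shows banbra firing on the unpacked buffer and on the "memory dump", but not on the packed one, where every #count is zero: the rule is sound, the strings are simply not present until the stub has decoded them, which is the reason the page recommends unpacked or memory-dumped samples.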
There's a syntax error at ln 30: "$a = "SYSTEM" widechar ". It gives "unexpected IDENTIFIER, expecting CONDITION"
Fixed. This example was outdated, "widechar" was replaced by "wide".