Emotet.yar
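//import "vt"
// Emotet detection rule built from fixed byte sequences.
//
// The "vt" import and the vt.metadata.new_file clause in the condition are
// commented out together so the rule compiles with stock yara; re-enable
// both only when the rule is deployed as a VirusTotal Livehunt rule.
//
// Every string is a literal hex sequence with no wildcards or jumps, so a
// single-byte difference in a sample defeats that string; the rule relies
// on the set as a whole, and any one string is enough to fire.
rule Emotet2
{
  meta:
    description = "Emotet: fixed byte-sequence signatures, fires on any single string"

  strings:
    // $0-$2 and $4-$6 look like x86 instruction sequences (loop/compare/
    // branch chains). $3 appears to be an encoded data blob rather than
    // code — NOTE(review): confirm its false-positive rate before relying
    // on it on its own, since "any of them" lets it trigger alone.
    $0 = {44538BCA33FFE8C8FFFFFF85C076330FB7020FB70E8D58BF6683FB19770383C0208D59BF6683FB19770383C120663BC17516474242468BCA46E895FFFFFF3BF872CD33C05B5F5EC333C040EBF733D2EB10C1CA0D3C610FBEC07C0383E82003D0418A}
    $1 = {43433B461872DAEBC80FB7033B461477C08B4E1C8D04818B042803C5EBBD5333DB3BF37468395E10740F8B0E8B46048B492853535003C8FFD1395E08742C5733FF395E0C7E1A8B46088D04B8}
    $2 = {3E008BF80F84920000008A0B80F92575628A43013C317C043C397E143C417C533C5A7F4F3C397E080FBEC083E838EB060FBEC083E83143433B45147C06C6073F47EB4D8B4D108D34818B0685C074}
    $3 = {662654636B6E7802300A00EE760768C178D876719AA8526856F25DE16E02301700E065D56CF95B2000250031002000DB8F4C88FB8BCD645C4F0CFF835BF25DCF7EAB887651D64EBA4E}
    $4 = {650C00803E008BFE74618A0F80F925753F8A47013C317C043C397E143C417C303C5A7F2C3C397E080FBEC083E838EB060FBEC083E83147473B45147D268B048385C07422}
    $5 = {48568B3003F58B461885C07431837E1400742B8BFAC1EF106685FF750E0FB7C18B4E103BC172172BC1EB4E8B7E208B5E24836424100003FD03DD85C077156A7F}
    $6 = {76320FB70A8BD981E300F0FFFF81FB00300000750D8B5D0881E1FF0F000003CF01198B4804FF45FC83E90842D1E942394DFC72CE0340048B0885C977AD5F5B33}

  condition:
    // Restrict to newly submitted files when running under VirusTotal;
    // must be uncommented together with the "vt" import above.
    // vt.metadata.new_file and
    any of them
}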