Commit f87b4264 by mmorenog

Update RomeoBravo.yara

parent f8cc4e9a
...@@ -30,28 +30,8 @@ rule RomeoBravo ...@@ -30,28 +30,8 @@ rule RomeoBravo
B8 02 00 00 00 mov eax, 2 B8 02 00 00 00 mov eax, 2
*/ */
$a = { $a = {E8 [4] 83 C4 10 85 C0 74 ?? B? 02 00 00 00 5? 83 C4 18 C3 6A 78 6A 01 8D [3] 6A 0C 5? 5? E8 [4] 83 C4 14 85 C0 74 ?? B8 02 00 00 00}
E8 [4]
83 C4 10
85 C0
74 ??
B? 02 00 00 00
5?
83 C4 18
C3
6A 78
6A 01
8D [3]
6A 0C
5?
5?
E8 [4]
83 C4 14
85 C0
74 ??
B8 02 00 00 00
}
condition: condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
} }
\ No newline at end of file
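Review bot: collapsing $a onto a single line removes the one-instruction-per-line layout that lined up with the disassembly comment just above it (the block ending in "B8 02 00 00 00 mov eax, 2"), so the byte-to-instruction mapping can no longer be checked at a glance. The new line is token-for-token the same pattern as the removed lines, so detection is unchanged; if the single-line form is required by some tooling, state that in the commit message, otherwise keep the multi-line form. Two smaller points on the same hunk: the first mov is wildcarded as "B? 02 00 00 00" while the last is fixed to "B8 02 00 00 00", which deserves a short comment if intentional, and the file still ends without a trailing newline.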