From ae4503c488fc7ef30f07d3cebd33184ecf0a5e01 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Sat, 28 Apr 2018 13:16:22 +0200
Subject: [PATCH] new pattern

---
 malware5.pl  | 2 ++
 malwaresh.pl | 1 +
 2 files changed, 3 insertions(+)

diff --git a/malware5.pl b/malware5.pl
index 1088a02..0354184 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -335,6 +335,8 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20}).+?strtoupper.+?isset\(.+?eval\(.+?\[\'([A-z0-9]{1,20})\'\].+?\?>/is,
     qr/<\?php\s+\$.+?\'gzu\'.+?array\(.+?eval\(.+?\?>/is,
     qr/<\?php\s+\$.+?\'bas\'.+?array\(.+?eval\(.+?\?>/is,
+    qr/<\?php\s+\@eval\(base64\_decode\(([A-z0-9]{20,})\)\)\;\?>/is,
+    
 
 );
 
diff --git a/malwaresh.pl b/malwaresh.pl
index 72012a8..b1b5253 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -816,6 +816,7 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20}).+?strtoupper.+?isset\(.+?eval\(.+?\[\'([A-z0-9]{1,20})\'\].+?\?>/is,
     qr/<\?php\s+\$.+?\'gzu\'.+?array\(.+?eval\(.+?\?>/is,
     qr/<\?php\s+\$.+?\'bas\'.+?array\(.+?eval\(.+?\?>/is,
+    qr/<\?php\s+\@eval\(base64\_decode\(([A-z0-9]{20,})\)\)\;\?>/is,
 
 );