rule Lazarus_2020 { meta: copyright = "Intezer Labs" author = "Intezer Labs" reference = "https://analyze.intezer.com" date = "2020-06-11" strings: $s1 = "Can't create file %s, errno = %d, nCreateRetryCount = %d" fullword wide ascii $s2 = "ExploreDirectory, csDirectoryPath = %s, dwError=%d" fullword wide ascii $s3 = "CreateProcess %s failure, errno = %d" fullword wide ascii $s4 = "Can't create file %s, errno = %d, nCreateRetryCount = %d" fullword wide ascii $s5 = "Can't create file %s, errno = %d" fullword wide ascii $s6 = "Can't open user32.dll, %d" fullword wide ascii $s7 = "Unable to GetProcAddress of GetProcAddress" fullword wide ascii $s8 = "Can't find address of function Id = %d, %s" fullword wide ascii $s9 = "Unable to GetProcAddress of VirtualProtect" fullword wide ascii $s10 = "Unable to GetProcAddress of GetTickCount64" fullword wide ascii $s11 = "Unable to GetProcAddress of GetTickCount" fullword wide ascii $s12 = "Unable to GetProcAddress of FreeLibrary" fullword wide ascii $s13 = "Receive disconnect command from trojan" fullword wide ascii $s14 = "Receive Uninstall command from Trojan" fullword wide ascii $s15 = "Receive Update command from trojan" fullword wide ascii $l1 = "For more information visit . Alternative build from ." fullword wide ascii $l2 = "\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneNote.lnk" fullword wide ascii $l3 = "C:\\Windows\\System32\\rundll32.exe \"%s\", CtrlPanel %s 0 0 %s 1" fullword wide ascii $l4 = "H@@__SWPJEIVJxJzObRdTd]eH~FqClew~;x&a,k-x6y6!7!5$-91>N6L\"P-\\)2V*L8D'[3S0N-M/K]K_NGS=T>\\8H G" fullword wide ascii condition: 7 of ($s*) or all of ($l*) }