// Four string-based rules for the AutoIt-built POS malware family described in
// the referenced Optiv post. Every rule below is a plain string conjunction with
// no file-type or size guard, and each string is declared "wide ascii", so both
// ASCII and UTF-16LE encodings are searched.
// NOTE(review): the meta key "thread_level" reads like a misspelling of
// "threat_level"; it is kept byte-identical because downstream tooling may key
// on the existing name.

rule wow32_exe {
    // Flags the AutoIt-compiled component. Both strings refer to the AutoIt
    // compiler itself (its support address and its "compiled AutoIt script"
    // marker), not to this family — presumably any compiled AutoIt binary
    // carries them, so expect broad hits; treat a match as a triage/pivot
    // signal rather than a conviction on its own.
    meta:
        description = "wow32-exe"
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"
    strings:
        $a = "avsupport@autoitscript.com" wide ascii   // AutoIt project support address
        $b = "compiled AutoIt script" wide ascii       // AutoIt compiler marker
    condition:
        $a and $b
}

rule cdosys_dll {
    // Flags the mail-sending component. The two strings are the name and
    // library description of Microsoft's CDO component, so this rule likely
    // matches the genuine Microsoft DLL as well — confirm against a clean
    // system before alerting, and weigh the file's location/signature when
    // triaging a hit.
    meta:
        description = "cdosys-dll"
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"
    strings:
        $a = "Microsoft CDO for Windows Library" wide ascii
        $b = "CDOSYS.DLL" wide ascii
    condition:
        $a and $b
}

rule winhttp_exe {
    // Flags the component that references the injector library. $a is a
    // generic Windows privilege name found in many binaries; $b and $c name a
    // specific export/module of this family, which is what gives the rule its
    // specificity. Requiring all three keeps the generic string from matching
    // alone.
    meta:
        description = "winhttp-exe"
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"
    strings:
        $a = "SeDebugPrivilege" wide ascii   // generic privilege name — weak on its own
        $b = "SearchInject" wide ascii       // family-specific identifier
        $c = "Searcher.dll" wide ascii       // family-specific module name
    condition:
        $a and $b and $c
}

rule Searcher_dll {
    // Flags the Searcher.dll component. $a is a standard Windows API import
    // name and $b is the console output device name, both common in ordinary
    // software; the log-file format string in $c is the only distinctive
    // artifact here. Expect false positives and confirm hits with the
    // winhttp_exe rule or sample review before acting on them.
    meta:
        description = "Searcher-dll"
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"
    strings:
        $a = "EncodePointer" wide ascii      // generic Win32 API name
        $b = "CONOUT$" wide ascii            // generic console device name
        $c = "%s%i_%s_%i.log" wide ascii     // log-file name format — most specific string
    condition:
        $a and $b and $c
}