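// UnknownDotNet RAT - Bolonyokte. Memory-scan rule keyed on campaign names,
// decoy-document references, dropped-file names, implant function names and
// e-banking lure strings. Any single string group reaching its threshold is
// enough for a match (see condition), so the weaker groups are annotated.
rule Bolonyokte : rat
{
    meta:
        description = "UnknownDotNet RAT - Bolonyokte"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-02-01"
        filetype = "memory"
        version = "1.0"

    strings:
        // Campaign identifiers - one hit is sufficient on its own.
        $campaign1 = "Bolonyokte" ascii wide
        $campaign2 = "donadoni" ascii wide

        // Decoy / lure document references - two of three required.
        $decoy1 = "nyse.com" ascii wide
        $decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
        $decoy3 = "bf13-5d45cb40" ascii wide

        // File names used by the implant - two of six required.
        // $artifact4-$artifact6 match ASCII only (no "wide"), and
        // $artifact5 ("index.html") may appear in unrelated process memory,
        // so this group can contribute to false positives in memory scans.
        $artifact1 = "Backup.zip" ascii wide
        $artifact2 = "updates.txt" ascii wide
        $artifact3 = "vdirs.dat" ascii wide
        $artifact4 = "default.dat"
        $artifact5 = "index.html"
        $artifact6 = "mime.dat"

        // Function names from the implant (presumably method names, given
        // the .NET description) - all four required.
        $func1 = "FtpUrl"
        $func2 = "ScreenCapture"
        $func3 = "CaptureMouse"
        $func4 = "UploadFile"

        // E-banking lure strings - three of twelve required.
        // $ebanking2, $ebanking3 and $ebanking7 were originally written as
        // plain strings containing "(...)|(...)", which made YARA look for
        // those literal characters rather than either alternative; they are
        // regular expressions here so the intended alternation takes effect.
        $ebanking1 = "Internet Banking" wide
        $ebanking2 = /(Online Banking)|(Online banking)/
        $ebanking3 = /(e-banking)|(e-Banking)/ nocase
        $ebanking4 = "login"        // very generic; relies on the 3-of threshold
        $ebanking5 = "en ligne" wide
        $ebanking6 = "bancaires" wide
        $ebanking7 = /(eBanking)|(Ebanking)/ wide
        $ebanking8 = "Anmeldung" wide
        $ebanking9 = "internet banking" nocase wide
        $ebanking10 = "Banking Online" nocase wide
        $ebanking11 = "Web Banking" wide
        $ebanking12 = "Power"       // very generic; relies on the 3-of threshold

    condition:
        any of ($campaign*) or
        2 of ($decoy*) or
        2 of ($artifact*) or
        all of ($func*) or
        3 of ($ebanking*)
}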