/*
 * Trojan_HIKIT
 *
 * Detects the Hikit backdoor by its embedded UTF-16LE command and error
 * strings.  The $b strings are written as hex sequences rather than `wide`
 * text strings because each one spans two or more adjacent NUL-terminated
 * strings (the 00 00 wide-char terminators are part of the pattern), which
 * a plain text string cannot express.
 */
rule Trojan_HIKIT
{
    meta:
        Author    = "HB"
        Date      = "26 Sep 2013"
        Project   = "Orion"
        MD5       = "7D4F241428A2496142DF1C4A376CEC88"
        MD5       = "A5F07E00D3EEF7A16ECFEC03E94677E3"
        Reference = "https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf"

    strings:
        // UTF-16LE: "connect %d.%d.%d.%d %d" <NUL><NUL> "hikit>"
        // (format string for the connect command, followed by the shell prompt)
        $b1 = { 63 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 20 00 25 00 64 00 2E 00
                25 00 64 00 2E 00 25 00 64 00 2E 00 25 00 64 00 20 00 25 00 64 00
                00 00 00 00 68 00 69 00 6B 00 69 00 74 00 3E }

        // UTF-16LE: "hitx.sys" <NUL> "matrix_passwor"
        // (driver file name immediately followed by the start of "matrix_password")
        $b2 = { 68 00 69 00 74 00 78 00 2E 00 73 00 79 00 73 00 00 00 6D 00 61 00
                74 00 72 00 69 00 78 00 5F 00 70 00 61 00 73 00 73 00 77 00 6F 00
                72 00 }

        // UTF-16LE: "proxy" <NUL> "connect" <NUL> "file" <NUL><NUL> "shell"
        // (the backdoor's command keyword table, in this order)
        $b3 = { 70 00 72 00 6F 00 78 00 79 00 00 00 63 00 6F 00 6E 00 6E 00 65 00
                63 00 74 00 00 00 66 00 69 00 6C 00 65 00 00 00 00 00 73 00 68 00
                65 00 6C 00 6C }

        // Error messages, also stored as UTF-16LE; on their own each is generic,
        // so the condition requires both together.
        $a1 = "Open backdoor error" wide
        $a2 = "data send err..."   wide

    condition:
        // Any single command-table / prompt sequence is specific enough to fire;
        // the two error strings must both be present before they count.
        any of ($b*) or all of ($a*)
}