// Detection rule for the HTML-formatted text fragments that Agent Tesla emits
// (see the reference URL in meta). Fires when any 3 of the 5 markers match.
rule agent_tesla
{
meta:
description = "Detecting HTML strings used by Agent Tesla malware"
author = "Stormshield"
version = "1.0"
reference = "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/"
strings:
// Every string carries `wide ascii`, so both the UTF-16LE and the single-byte
// encoding of each marker are matched.
// NOTE(review): each literal below is printed across two lines. A YARA text
// string cannot contain a raw line break, so this looks like an extraction
// artifact (an HTML line-break rendered as a newline?); compare with the
// upstream rule at the reference URL before loading this text as-is.
// Field label "UserName : " from the report.
$html_username = "
UserName : " wide ascii
// Field label "PC Name : " from the report.
$html_pc_name = "
PC Name : " wide ascii
// Field label "OS Full Name : " from the report.
$html_os_name = "
OS Full Name : " wide ascii
// Field label "OS Platform : " from the report.
$html_os_platform = "
OS Platform : " wide ascii
// Section marker "[clipboard]" from the report.
$html_clipboard = "
[clipboard]" wide ascii
condition:
// Require three of the five markers: a single field label such as
// "UserName : " is too generic to stand on its own.
3 of them
}