rule SmallNet { meta: author = " Kevin Breen " date = "2014/04" ref = "http://malwareconfig.com/stats/SmallNet" maltype = "Remote Access Trojan" filetype = "exe" strings: $split1 = "!!<3SAFIA<3!!" $split2 = "!!ElMattadorDz!!" $a1 = "stub_2.Properties" $a2 = "stub.exe" wide $a3 = "get_CurrentDomain" condition: ($split1 or $split2) and (all of ($a*)) }