rule AgentTesla { meta: author = "InQuest Labs" source = "http://blog.inquest.net/blog/2018/05/22/field-notes-agent-tesla-open-directory/" created = "05/18/2018" TLP = "WHITE" strings: $s0 = "SecretId1" ascii $s1 = "#GUID" ascii $s2 = "#Strings" ascii $s3 = "#Blob" ascii $s4 = "get_URL" ascii $s5 = "set_URL" ascii $s6 = "DecryptIePassword" ascii $s8 = "GetURLHashString" ascii $s9 = "DoesURLMatchWithHash" ascii $f0 = "GetSavedPasswords" ascii $f1 = "IESecretHeader" ascii $f2 = "RecoveredBrowserAccount" ascii $f4 = "PasswordDerivedBytes" ascii $f5 = "get_ASCII" ascii $f6 = "get_ComputerName" ascii $f7 = "get_WebServices" ascii $f8 = "get_UserName" ascii $f9 = "get_OSFullName" ascii $f10 = "ComputerInfo" ascii $f11 = "set_Sendwebcam" ascii $f12 = "get_Clipboard" ascii $f13 = "get_TotalFreeSpace" ascii $f14 = "get_IsAttached" ascii $x0 = "IELibrary.dll" ascii wide $x1 = "webpanel" ascii wide nocase $x2 = "smtp" ascii wide nocase $v5 = "vmware" ascii wide nocase $v6 = "VirtualBox" ascii wide nocase $v7 = "vbox" ascii wide nocase $v9 = "avghookx.dll" ascii wide nocase $pdb = "IELibrary.pdb" ascii condition: ( ( 5 of ($s*) or 7 of ($f*) ) and all of ($x*) and all of ($v*) and $pdb ) }