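/*
 * Syrian Malware Team "BlackWorm" detection (see the FireEye reference below).
 *
 * Two independent string sets; a file matches when EITHER set is present in full:
 *   $BWE* - the builder-generated executable: the .NET loader imports
 *           (_CorExeMain / mscoree.dll) plus what look like fragments of the
 *           developer's build path ending in ali2.pdb ("AppData",
 *           "Temporary Projects") and the lower-case project name "syrian Malware".
 *   $BE*  - the payload: the dynamic-DNS hostname aliallosh.sytes.net
 *           (sytes.net is a No-IP domain; presumably the C2), the "Syrian Malware"
 *           banner, "[endof]" (presumably a message delimiter) and several generic
 *           .NET tokens.
 *
 * Review notes:
 *  - Every string is now `ascii wide`. String literals compiled into .NET
 *    assemblies normally live in the #US heap as UTF-16LE, so an ascii-only
 *    pattern can silently miss them. `wide` is a strict superset of the original
 *    behaviour (it can only add matches) - confirm against the reference samples.
 *  - "Microsoft", "Windows", "Restart", "Length" and "AppData" occur in countless
 *    benign binaries; they add scan cost rather than specificity. The real anchors
 *    are the hostname, the two "Syrian Malware" spellings and ali2.pdb, so keep
 *    the "all of" conditions - dropping to "N of" would raise false positives.
 *  - No PE header gate (uint16(0) == 0x5A4D) is imposed so the rule still fires
 *    on memory dumps and carved buffers; add one for file-only scanning if
 *    throughput matters.
 */
rule Syrian_Malware_Team_Blackworm
{
    meta:
        Author      = "@X0RC1SM"
        Description = "Looking for unique strings"
        Reference   = "https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html"
        Date        = "2017-10-28"

    strings:
        // BlackWorm-built executable: .NET stub imports + build-path leftovers
        $BWE1 = "_CorExeMain"         ascii wide
        $BWE2 = "mscoree.dll"         ascii wide
        $BWE3 = "syrian Malware"      ascii wide   // lower-case 's' - distinct from $BE2
        $BWE4 = "AppData"             ascii wide
        $BWE5 = "Temporary Projects"  ascii wide
        $BWE6 = "ali2.pdb"            ascii wide

        // Payload: hostname, banner, delimiter and generic .NET tokens
        $BE1  = "aliallosh.sytes.net" ascii wide
        $BE2  = "Syrian Malware"      ascii wide   // upper-case 'S' - distinct from $BWE3
        $BE3  = "Restart"             ascii wide
        $BE4  = "Microsoft"           ascii wide
        $BE5  = "Windows"             ascii wide
        $BE6  = "[endof]"             ascii wide
        $BE7  = "To Array"            ascii wide   // kept verbatim from the original (note the space)
        $BE8  = "Length"              ascii wide

    condition:
        // $BE* does not overlap $BWE* (prefix "BE" vs "BW"), so the two sets are independent
        all of ($BWE*) or all of ($BE*)
}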