import "pe" rule apt_c16_win_memory_pcclient : Memory APT { meta: author = "@dragonthreatlab" md5 = "ec532bbe9d0882d403473102e9724557" description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check." date = "2015/01/11" reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html" strings: $str1 = "Kill You" ascii $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii $str3 = "%4.2f KB" ascii $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4} condition: all of them }