rule REGEORG_Tuneller_generic

{

    meta:

        author = "Mandiant"
        
        reference = "https://www.mandiant.com/resources/unc3524-eye-spy-email"

        date_created = "2021-12-20"

        date_modified = "2021-12-20"

        md5 = "ba22992ce835dadcd06bff4ab7b162f9"

    strings:

        $s1 = "System.Net.IPEndPoint"

        $s2 = "Response.AddHeader"

        $s3 = "Request.InputStream.Read"

        $s4 = "Request.Headers.Get"

        $s5 = "Response.Write"

        $s6 = "System.Buffer.BlockCopy"

        $s7 = "Response.BinaryWrite"

        $s8 = "SocketException soex"

    condition:

        filesize < 1MB and 7 of them

}