/*
 * agent_tesla: matches content that contains at least three of the five
 * text labels listed under "strings", which the description attributes to
 * HTML produced by Agent Tesla.
 *
 * NOTE(review): every string literal below contains a raw line break. YARA
 * text strings have to be written on a single line, so the rule as printed
 * here is not expected to compile. Since the description calls these "HTML
 * strings", the line break and the runs of spaces presumably stand in for
 * HTML markup that was lost when the page was rendered. Restore the exact
 * literals from the reference before deploying. Swapping the break for an
 * escaped newline would make the rule compile, but it is unverified that the
 * result still matches the samples.
 */
rule agent_tesla
{
    meta:
        description = "Detecting HTML strings used by Agent Tesla malware"
        author = "Stormshield"
        version = "1.0"
        reference = "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/"

    strings:
        // "wide ascii" searches each pattern both as single-byte text and in
        // the two-bytes-per-character (wide) encoding.
        // The continuation lines start at column 0 on purpose: indenting them
        // would add characters inside the literals.
        $html_username = "
UserName      : " wide ascii
        $html_pc_name = "
PC Name       : " wide ascii
        $html_os_name = "
OS Full Name  : " wide ascii
        $html_os_platform = "
OS Platform   : " wide ascii
        $html_clipboard = "
[clipboard]" wide ascii

    condition:
        // Any three of the five strings are enough. There is no file-type,
        // size or offset constraint, so anything scanned that quotes three of
        // these labels (e.g. an analysis report) also matches. Triage hits
        // with that in mind.
        3 of them
}