rule malware_multi_pupy_rat
{
    meta:
        description = "pupy - opensource cross platform rat and post-exploitation tool"
        reference   = "https://github.com/n1nj4sec/pupy"
        author      = "@mimeframe"

    strings:
        // Status/log messages from the credential-dumping and keylogger
        // functionality; case-insensitive, matched as ASCII and UTF-16LE.
        $msg_lsa_secrets  = "dumping lsa secrets" nocase wide ascii
        $msg_cached_creds = "dumping cached domain passwords" nocase wide ascii
        $msg_keylogger    = "the keylogger is already started" nocase wide ascii

        // Pupy module names and what appears to be a config-injection
        // placeholder; case-sensitive, ASCII and UTF-16LE.
        $mod_dns          = "pupyutils.dns" wide ascii
        $mod_security     = "pupwinutils.security" wide ascii
        $cfg_placeholder  = "-PUPY_CONFIG_COMES_HERE-" wide ascii

    condition:
        // Any three of the six indicators; no single generic string
        // (e.g. the lsa-secrets message alone) is enough to fire.
        3 of them
}