Sneed-Reactivity/yara-mikesxrs/h3x2b/win_spora.yara

rule spora_pki : malware
{
    meta:
        description = "Identify Spora PKI"
        author = "tracker [_at] h3x.eu"

    strings:
        $spora_key1_1 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6COfj49E0yjEopSpP5kbeCRQp"
        $spora_key1_2 = "WdpWvx5XJj5zThtBa7svs/RvX4ZPGyOG0DtbGNbLswOYKuRcRnWfW5897B8xWgD2"
        $spora_key1_3 = "AMQd4KGIeTHjsbkcSt1DUye/Qsu0jn4ZB7yKTEzKWeSyon5XmYwoFsh34ueErnNL"
        $spora_key1_4 = "LZQcL88hoRHo0TVqAwIDAQAB"

    condition:
         //file_type contains "MZ"
        uint16(0) == 0x5a4d
        and all of ( $spora_key1_* )
}