modded netwire 04/2019

1. rule netwire_modded_04_2019 {
2. strings:
3. $s1="ping 192.0.2.2 -n 1 -w %d >nul 2>&1"
4. $s2="@echo off"
5. $s3="DEL /s \"%s\" >nul 2>&1"
6. $s4="call :deleteSelf&exit /b"
7. $s5=":deleteSelf"
8. $s6="start /b \"\" cmd /c del \"%%~f0\"&"
9. $s7="[Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
10. $s8="[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
11. $s9="%s%.2d-%.2d-%.4d"
12. $s10="Settings.ini"
13. $s11="GET %s HTTP/1.1"
14. $s12="%s\\%s.bat"
15. $s13="This is element 0: %s"
16. $s14="%.2d/%.2d/%d %.2d:%.2d:%.2d"
17. $s15="%c%.8x%s\\%s"
18. $s16="%c%.8x%s%s"
19. $s17="%c%.8x%s"
20. $s18="%s\\%s"
21. $s19="%d:%I64u:%s%s;"
22. $s20="Host: %s"
23. $strings_dec={C6 44 24 ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? 04 01 00 00 C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 44 24 ?? 00 00 00 00 EB}
24. condition:
25. ((17 of ($s*)) or $strings_dec)
26. }