rule encrypted_zip_emotet{ strings: $re1 = /Mot de p

1. rule encrypted_zip_emotet
2. {
3. strings:
4. $re1 = /Mot de passe: [0-9a-zA-Z]{5,7}/
5. $re2 = /Password - [0-9a-zA-Z]{5,7}/
6. $re3 = /Password: [0-9a-zA-Z]{5,7}/
7. $re4 = /The password for the document is/
8. $attachment = ".zip" nocase
9. condition:
10. ($re1 or $re2 or $re3 or $re4) and $attachment
11. }