James_inthe_box

Latentbot YARA signatures

Jul 15th, 2019
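  // Latentbot_bin: on-disk PE sample.  Requires the MZ magic, every string
  // below, and a file size under 4000KB.  Its sibling Latentbot_mem covers
  // the same string set for larger artefacts (dumps) without the PE check.
  rule Latentbot_bin
  {
      meta:
          description = "Latentbot"
          author = "James_inthe_box"
          reference = "459bb35b47d71971fd34877c6ddf00be5a6ccd343856ae57098b5f67b7660ec3"
          date = "2019/07"
          maltype = "Bot"

      strings:
          // Type names that look like Delphi/Object Pascal RTTI.  On their
          // own they occur in many legitimate Delphi binaries, so they only
          // carry weight together with the rest of the set ("all of").
          $string1 = "Unknown" ascii
          $string2 = "AnsiString" ascii
          $string3 = "UnicodeString" ascii
          $string4 = "Key not found !" wide
          // Upper-case HTTP header names stored as UTF-16LE (wide).
          $string5 = "CONTENT-LENGTH" wide
          $string6 = "TRANSFER-ENCODING" wide
          $string7 = "USER-AGENT" wide
          $string8 = "REFERER" wide
          $string9 = "HTTPS/1." wide
          $string10 = "COOKIE" wide
          $string11 = "X-FORWARDED-FOR" wide
          $string12 = "SET-COOKIE" wide
          $string13 = "Content-Disposition: form-data; name=\"" wide
          // NOTE(review): "RTC Client" is possibly a default client banner
          // of a third-party Delphi networking library — unconfirmed.
          $string14 = "RTC Client" wide
          // The original gave these two no modifier; YARA's default is
          // ascii, so it is spelled out to keep the set explicit and uniform.
          $string15 = "LoginPassword" ascii
          $string16 = "LoginUserInfo" ascii
          // Short command-style tokens; generic in isolation.
          $string17 = "HELLO" wide
          $string18 = "ACTION" wide
          $string19 = "START" wide

      condition:
          // uint16(0) == 0x5A4D is the "MZ" DOS header magic (little-endian).
          // NOTE(review): a file of exactly 4000KB matches neither this rule
          // (filesize < 4000KB) nor Latentbot_mem (filesize > 4000KB); if
          // that is not intended, one of the two comparisons should be made
          // inclusive.
          uint16(0) == 0x5A4D and all of ($string*) and filesize < 4000KB
  }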
  34.  
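  // Latentbot_mem: same string set as Latentbot_bin, intended for larger
  // artefacts such as memory dumps.  There is deliberately no MZ check, so
  // any scanned object over 4000KB containing all strings will match.
  rule Latentbot_mem
  {
      meta:
          description = "Latentbot"
          author = "James_inthe_box"
          reference = "459bb35b47d71971fd34877c6ddf00be5a6ccd343856ae57098b5f67b7660ec3"
          date = "2019/07"
          maltype = "Bot"

      strings:
          // Type names that look like Delphi/Object Pascal RTTI; common to
          // many Delphi binaries, hence only meaningful as part of "all of".
          $string1 = "Unknown" ascii
          $string2 = "AnsiString" ascii
          $string3 = "UnicodeString" ascii
          $string4 = "Key not found !" wide
          // Upper-case HTTP header names stored as UTF-16LE (wide).
          $string5 = "CONTENT-LENGTH" wide
          $string6 = "TRANSFER-ENCODING" wide
          $string7 = "USER-AGENT" wide
          $string8 = "REFERER" wide
          $string9 = "HTTPS/1." wide
          $string10 = "COOKIE" wide
          $string11 = "X-FORWARDED-FOR" wide
          $string12 = "SET-COOKIE" wide
          $string13 = "Content-Disposition: form-data; name=\"" wide
          // NOTE(review): "RTC Client" is possibly a default client banner
          // of a third-party Delphi networking library — unconfirmed.
          $string14 = "RTC Client" wide
          // The original gave these two no modifier; YARA's default is
          // ascii, so it is spelled out to keep the set explicit and uniform.
          $string15 = "LoginPassword" ascii
          $string16 = "LoginUserInfo" ascii
          // Short command-style tokens; generic in isolation.
          $string17 = "HELLO" wide
          $string18 = "ACTION" wide
          $string19 = "START" wide

      condition:
          // NOTE(review): filesize is defined for file scans (e.g. a dump
          // written to disk); when scanning a live process YARA does not
          // provide it the same way, so this clause may never hold there —
          // confirm against the YARA version in use.  A file of exactly
          // 4000KB matches neither this rule nor Latentbot_bin.
          all of ($string*) and filesize > 4000KB
  }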