import "pe"
rule warsaw_downloader_august_2021 {
meta:
    description = "Yara rule for warsaw trojan banker (loader) - August version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2021-08-05"
    tlp = "white"
    category = "informational"
	
	strings:
    $s_a = {53 61 6E 74 61 6E 64 65 72 4D 6F 64 75 6C 6F 2E 77 61 72 73 61 77}
    $s_b = {53 61 6E 74 61 6E 64 65 72 4D 6F 64 75 6C 6F 5C 53 61 6E 74 61 6E 64 65 72 4D 6F 64 75 6C 6F 5C 6F 62 6A 5C 44 65 62 75 67 5C 53 61 6E 74 61 6E 64 65 72 4D 6F 64 75 6C 6F 2E 70 64 62}
    condition:
        filesize < 1000KB
		and all of ($s_*)
}


rule warsaw_2nd_stage_horus_eyes_rat_august_2021 {
meta:
    description = "Yara rule for warsaw 2nd stage aka Horus Eyes RAT - August version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2021-08-05"
    tlp = "white"
    category = "informational"
	
	strings:
    $s_a = {63 6F 73 74 75 72 61 2E 64 6C 6C 2E 63 6F 6D 70 72 65 73 73 65 64}
    $s_b = {63 6F 73 74 75 72 61 2E 6F 70 74 69 6F 6E 73 2E 64 6C 6C 2E 63 6F 6D 70 72 65 73 73 65 64}
	$s_c = {53 00 61 00 6E 00 74 00 61 00 6E 00 64 00 65 00 72}
	$s_d = {2D 00 35 00 30 00 37 00 30 00 37 00 35 00 33 00 35 00 33 00}
    condition:
        filesize < 1000KB
		and all of ($s_*)
}