// Signature for one PHP web-shell sample ("tekel.php", collected 2018-05-26).
// The sample is identified by `hash1` below (64 hex digits, SHA-256 length).
// Most strings are slices of that sample's encoded payload, so expect this
// rule to be build-specific rather than family-wide; see the notes per string.
rule infected_05_26_18_tekel {
meta:
description = "05-26-18 - file tekel.php"
author = "Brian Laskowski"
reference = "https://github.com/Hestat/lw-yara"
date = "2018-05-29"
hash1 = "56ce193a3ce784d11ce95ca3f887dffc5bef65b634c6977628b2cafe97f6b2aa"
strings:
// $s1: decoder prologue — an alphabet built with urldecode() and then
// indexed with curly-brace string offsets ($var{4}). This looks like the
// generic prologue of a PHP obfuscator rather than something unique to
// this sample, so it is the least build-specific anchor in the rule.
// NOTE(review): curly-brace string offsets are removed in PHP 8.0; a
// variant ported to PHP 8 would use [4] and would not match this string.
$s1 = "$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}" ascii
// $s2: contact address embedded in the sample. `fullword` keeps it from
// matching as a substring of a longer token.
$s2 = "#solevisible@gmail.com" fullword ascii
// $s3..$s20: fixed 128-character slices of the sample's base64-like
// encoded body. They are exact to this build; a re-encoded, re-keyed or
// otherwise regenerated copy of the same shell will not hit them.
$s3 = "G/QGxJgggfQH9DUmpBTIBKN1M2TaFAVWldEABQTXWxoGleU05wVWo/NVM1awYEUGM1TXRAgOkAPm1WUmNqekB2UQQIUnA0SUJ8wH5zbFVBXUtATVVmAEBtRVVQamNzYk" ascii
$s4 = "BAQSABalYFUFBAPkheNWNdUmpjMwoAAAJdUjRJclRrTURRQndUY8oAUEIQa5GQUmA2XUEAVTdzUROAcFZrQQMETGJsQW1TJIA+AH5Sbj5F0QBsVhQANzYzScFdswBWNT" ascii
$s5 = "AAN0FSZn1sNVJRUWZdNzZBUAAAaUVRUEJVbF02UTNMNVVFXQEAbEE0TH1FdLRAbFJAQUFJX1EAAFJlN11DVEFRRFI0Y0llQmMAAEheN01PVW1GM1BBVn1VNVEgETJUfU" ascii
$s6 = "9scVR9gABagGpRd1V9RU1MN1FoZUFNVAAISzRvaVVRUWpiQU4zJ0FRQmuEANZAb3VRayhAU0VMUVJocGNCPggETWNCVUbASUBmQl1AUlFPAGtJBIBvVFNON5bAQl6OIF" ascii
$s7 = "fCwANAC8BTQUhWUlE3Y1BNThAiVWpzcUBdN1BqMzcBQE9WacEAbQQAUVddQlIMAE5+Y0BrbWM3TUtIglEFAEo3w0Bsf0i2gH5UbFFBF2BBoADqQDQLgEtdN2N9SUBjQl" ascii
$s8 = "VOfUlQf0lVQe8Bd1Biak1BkAJCgVRBAIBDRWZKQVJ9Vl9vdwFTpSIOgDfVAEJVGgJjlwBjUEiQfklSm1BDAsBrcFNQc1WRgEI0QBwAYDJQQ0lsAAhmalZwZU93bEptUU" ascii
$s9 = "NBSFJRRWlQUW8AAERKUE1yU2prTGJfY0lTT2sAYElVQkF3ZDddbNTAAgBjVGRqQQgETlJqa3nANkVIQmNMZjcLQGldAABvVjVJaVN9TjZmQFVfUGlBAABdZlBWcF1BY1" ascii
$s10 = "VWfUFWTYBAAFFzFkBTgADFgEtefUFBSmtNaFNrRUFKQwAAb1JRT29IVEBJUVE3QUhibgAAPzZQQH9VVEJWfUlSf0RjNwIANldWUlV+eEA0VlNdMWJpTVZIAFMWAElpJo" ascii
$s11 = "Y2VV5KX0FsSkNrvYBJaGUBkFBOcEhAPmo0AAQAY00VAHNlQjJYUEnCQDMHgKsANkJQaq8AahRBSWhQQCgETU56AFOjAFJda1Y2XWtF2QBJSoFA0gRBSzVWcFTaAEowwF" ascii
$s12 = "JDSWMgPkvAgEtwQABAf0pBa09JQk1S/EBvVEJ3cF5AADTYQDU+X2ZSQUxjNT5xVn1FWABJc8BP+sDHAElWXlJdfmM3czVJIABQawgBMV1qb1ZKNU1fUG4/MoABRQBSSU" ascii
$s13 = "NFZH1vQ2JpY0pVAABAczRWUj5VVX1Rc1NDb0RTAYFBbzFRbHdDIWCGQGNQVVFNckAAAIRuUFJJSVU0SUwAUV9IUFUwbHeYEMeAY0VfAGoASXZjN3NWNABrVVJdAMAzVE" ascii
$s14 = "YzECBTQD7IgHNFXVNvROIAbVY3QW0AAEpANnNLfWtNVTUyTWZsb2gJAWNSd0KAgEtSEYBRUn90VF93SoAAAEFtXUAyTGRsb0tWbUlmZVICADZWSTZjSBgAX1ZRVjdQX0" ascii
$s15 = "p/SGM1TVEDgElQUVJKaZvAzAEKAWxBbkprUn4AgV41f1BkNzZepABSSmp0f10SIEBAURQBa11TUTd3NYAAVFVRTU5QIoBsMoUAaHVeGQBQGAFrSVBlalVNQABdHgBdak" ascii
$s16 = "o2d05JAQFrUn9jQwAATW5WUmNVUGxJS1ZQVVZSaiIAY2ziADFmNSFANlVmUlNdVmZqAQA2VWRfY2lJGoBUU0lpVEFCNAgiVmtWM44ARVBPd00JAHFdQDIBRQIEU159QU" ascii
$s17 = "9VX1FBvABSGYBdUlJdXwIAVGpvbVRBZAB9bzJWbFFoVlIgGElVNAFVVD5RVm1VQw9AmuBRclMAAEFJbUs3dzJJQkEyXWledVVABFMEgE9jVWVPY0NlUlFNDQBBUQEFNl" ascii
$s18 = "FJa2MyUW1vX2JSNjRWGAE3b2zfgDWAPk1Vam8yXUFjNwICQJBT78BDRjRUN2NBgEFJK0BBY1J3AABVXm1NTGRCVXZUUl03SmlVAgA2XlFjNGVxAFFqPk9lUU0zUAAQUG" ascii
$s19 = "GToFZrAABRdlBrY2xKQGNAVlFSMmZswgIlAHMAZUJOcXAAaVZQVU9QagLAQAAAVUlSbF1QSlFvU1ZsQV5KaQKAY0NjN11RAQB0fgBsYzZ3RFBBIRBdRHLAX1BsUREAd2" ascii
$s20 = "AMQFkAU1FCMgAAdFZRUXJlVD52UlFdRVFRQQBAMlJQf31dN1Y1DkBVVEI+XkkAgEFJQFY3QWpSwYBmakEyVlFNAIBzSEJNTlRPayFgPlRlUGB1XgKAUmA2UzRVrgFUDw" ascii
condition:
// uint16() reads little-endian, so 0x3f3c is the byte pair 0x3c 0x3f,
// i.e. the file must begin with a PHP "<?" open tag.
( uint16(0) == 0x3f3c and
// Size cap for the partial-match branch: files at or above 900 KB can
// only match through the `all of them` branch below.
filesize < 900KB and
// Eight of the twenty strings is the partial-match threshold; because
// $s3..$s20 are build-specific, in practice this branch fires on the
// original sample or close copies of it.
( 8 of them )
// Full-string match is accepted regardless of header or file size.
) or ( all of them )
}