rule agenttesla_smtp_variant {
meta:
author = "J from THL <j@techhelplist.com> with thx to @Fumik0_ !!1!"
date = "2018/2"
reference1 = "https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection"
reference2 = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a"
reference3 = "Agent Tesla == negasteal -- @coldshell"
version = 1
maltype = "Stealer"
filetype = "memory"
strings:
$a = "type={"
$b = "hwid={"
$c = "time={"
$d = "pcname={"
$e = "logdata={"
$f = "screen={"
$g = "ipadd={"
$h = "webcam_link={"
$i = "screen_link={"
$j = "site_username={"
$k = "[passwords]"
condition:
6 of them
}