Adding yara rules for AgentTesla SMTP variant and fortis mawlare.

malware/MALW_AgentTesla_SMTP.yar

+rule agenttesla_smtp_variant {
+
+    meta:
+        author = "J from THL <j@techhelplist.com> with thx to @Fumik0_ !!1!"
+        date = "2018/2"
+	reference1 = "https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection"
+	reference2 = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a"
+	reference3 = "Agent Tesla == negasteal -- @coldshell"
+	version = 1
+        maltype = "Stealer"
+        filetype = "memory"
+
+    strings:
+		$a = "type={"
+		$b = "hwid={"
+		$c = "time={"
+		$d = "pcname={"
+		$e = "logdata={"
+		$f = "screen={"
+		$g = "ipadd={"
+		$h = "webcam_link={"
+		$i = "screen_link={"
+		$j = "site_username={"
+		$k = "[passwords]"
+
+    condition:
+        6 of them
+}

malware/MALW_sitrof_fortis_scar.yar

+rule sitrof_fortis_scar {
+
+    meta:
+        author = "J from THL <j@techhelplist.com>"
+        date = "2018/23"
+        reference1 = "https://www.virustotal.com/#/file/59ab6cb69712d82f3e13973ecc7e7d2060914cea6238d338203a69bac95fd96c/community"
+	reference2 = "ETPRO rule 2806032, ETPRO TROJAN Win32.Scar.hhrw POST"
+	version = 2
+        maltype = "Stealer"
+        filetype = "memory"
+
+    strings:
+	
+	$a = "?get&version"
+	$b = "?reg&ver="
+	$c = "?get&exe"
+	$d = "?get&download"
+	$e = "?get&module"
+	$f = "&ver="
+	$g = "&comp="
+	$h = "&addinfo="
+	$i = "%s@%s; %s %s \"%s\" processor(s)"
+	$j = "User-Agent: fortis"
+
+    condition:
+        6 of them
+}