rule MALW_KeyBase
{
meta:
	description = "Identifies KeyBase aka Kibex."
	author = "@bartblaze"
	date = "2019-02"
	tlp = "White"

strings:	
	$s1 = " End:]" ascii wide
	$s2 = "Keystrokes typed:" ascii wide
	$s3 = "Machine Time:" ascii wide
	$s4 = "Text:" ascii wide
	$s5 = "Time:" ascii wide
	$s6 = "Window title:" ascii wide
	
	$x1 = "&application=" ascii wide
	$x2 = "&clipboardtext=" ascii wide
	$x3 = "&keystrokestyped=" ascii wide
	$x4 = "&link=" ascii wide
	$x5 = "&username=" ascii wide
	$x6 = "&windowtitle=" ascii wide
	$x7 = "=drowssap&" ascii wide
	$x8 = "=emitenihcam&" ascii wide

condition:
	uint16(0) == 0x5a4d and (
		5 of ($s*) or 6 of ($x*) or
		( 4 of ($s*) and 4 of ($x*) )
	)
}