// Flags Windows PE files that carry csharp_streamer markers (Malpedia family
// win.csharpstreamer). Per the description, the rule is written against the
// *decrypted* payload, so an encrypted or packed on-disk stage is presumably
// not expected to match -- verify against your own samples (e.g. memory dumps
// or unpacked binaries).
rule win_csharpstreamer_w0 {
    meta:
        description = "Detects decrypted csharp_streamer"
        author = "HiSolutions AG"
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer"
        // "TLP:CLEAR" here and "TLP:WHITE" in malpedia_sharing below are the same
        // sharing level; TLP 2.0 renamed WHITE to CLEAR.
        sharing = "TLP:CLEAR"
        date = "2023-12-18"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer"
        malpedia_rule_date = "20240628"
        // malpedia_hash and malpedia_license are empty in this copy of the rule.
        malpedia_hash = ""
        malpedia_version = "20240628"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Group y: project / namespace-style names. No modifier is given, so YARA
        // matches these as ASCII only (no UTF-16 "wide" variant).
        $y1 = "csharp_streamer.Properties"
        $y2 = "csharp_streamer.Utils"
        $y3 = "csharp_streamer.ms17_10"
        // $y4 is a prefix of $d1, so every file that hits $d1 also hits $y4.
        $y4 = "csharp-streamer"

        // Group z: literals matched in both ASCII and UTF-16LE form where
        // "ascii wide" is given. The condition requires ALL of them together.
        // "iphlpapi.dll" is a standard Windows library name and is common in
        // benign software; it only carries weight combined with the other z strings.
        $z1 = "iphlpapi.dll" ascii wide
        // NOTE(review): $z2 looks damaged in this copy. It ends in an escaped
        // "</title>" close tag but has no matching open tag, and "(?[" is not a
        // complete group prefix -- presumably text between '<' and '>' was
        // stripped when the rule was extracted from a web page. As written it is
        // matched as a literal byte sequence, and because the z branch needs every
        // z string, a damaged $z2 would silently disable that branch. Restore this
        // string from the upstream rule (see "reference") before deploying.
        $z2 = "\\]*\\>\\s*(?[\\s\\S]*?)\\</title\\>" ascii wide
        $z3 = "MagicConstants.kSessionTerminate = ByteString.CopyFrom" ascii wide
        // "StartRalay" is spelled exactly as given; presumably it mirrors a
        // misspelling inside the sample, so do not "correct" it -- TODO confirm.
        // No modifier: ASCII only.
        $z4 = "StartRalay"

        // Group d: debug-symbol (PDB) file name. A single hit is sufficient on its own.
        $d1 = "csharp-streamer.pdb"

    condition:
        // uint16(0) == 0x5a4d: the file starts with the "MZ" DOS/PE magic.
        // Then any one of three independent branches:
        //   - at least 3 of the 4 y strings,
        //   - every z string, or
        //   - the PDB name $d1.
        uint16(0) == 0x5a4d and (3 of ($y*) or all of ($z*) or $d1)
}