// Hunting rule for the SigLoader (Native) tool: flags PE files that contain
// several of the loader's console/status messages. Per the meta disclaimer it is
// written for hunting, not tuned for production alerting, so hits need triage.
rule M_Hunting_SigFlip_SigLoader_Native {
	meta:
		author = "Mandiant"
		disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
		description = "Rule looks for strings present in SigLoader (Native)"
		// Reference sample the strings were taken from (value as published).
		md5 = "a3ccc48db9eabfed7245ad6e3a5b203f"
	strings:
		// Usage / status messages printed by the loader. "ascii wide" matches each
		// string both as ASCII and as UTF-16LE; matching is case-sensitive.
		$s1 = "[*]: Basic Loader..." ascii wide
		$s2 = "[!]: Missing PE path or Encryption Key..." ascii wide
		$s3 = "[!]: Usage: %s <PE_PATH> <Encryption_Key>" ascii wide
		$s4 = "[*]: Loading/Parsing PE File '%s'" ascii wide
		$s5 = "[!]: Could not read file %s" ascii wide
		$s6 = "[!]: '%s' is not a valid PE file" ascii wide
		// Messages about the PE certificate table (security directory); judging by
		// $s9/$s10 the tool then looks for a tag marking embedded data in it.
		$s7 = "[+]: Certificate Table RVA %x" ascii wide
		$s8 = "[+]: Certificate Table Size %d" ascii wide
		$s9 = "[*]: Tag Found 0x%x%x%x%x" ascii wide
		$s10 = "[!]: Could not locate data/shellcode" ascii wide
		$s11 = "[+]: Encrypted/Decrypted Data Size %d" ascii wide
	condition:
		// Only PE images under 15 MB are considered: uint16(0) == 0x5a4d is the
		// "MZ" DOS header, and the DWORD at the e_lfanew pointer (offset 0x3C) must
		// be "PE\0\0" (0x00004550 little-endian). Requiring 4 of the 11 strings
		// presumably tolerates builds that alter some messages while limiting
		// matches on unrelated tools that share only one or two of them.
		filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and 4 of ($s*)
}
Details Website 2023-04-20 72 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant