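import "hash"

// AM0NEye - curl.x86.o
//
// Detects the x86 COFF object (a Beacon Object File: note the __imp__Beacon*
// import symbols) that performs HTTP requests via WinINet. Two independent
// paths match: a structural/string heuristic for near-identical builds, and
// an exact SHA-256 for the known sample.
rule AM0NEye_CurlX86
{
    meta:
        description = "AM0NEye - curl.x86.o"
        sha256 = "21d2d2a5068827890e30ec5438de5ef22401cd67e5aab69e2a76881c842bd4a4"

    strings:
        // Format / log strings used by the BOF.
        $s1 = "User Agent: %s" ascii fullword
        $s3 = "Retrieving HTTP Request info failed" ascii fullword
        $s8 = "%s %s:%i %s" ascii fullword
        $s9 = "Response Code: %s" ascii fullword
        $s10 = "entry.c" ascii fullword
        $s11 = "No response." ascii fullword

        // COFF import symbols: WinINet HTTP client API plus kernel32/msvcrt helpers.
        $s2 = "__imp__KERNEL32$lstrlenA@4" ascii fullword
        $s4 = "__imp__WININET$HttpSendRequestA@20" ascii fullword
        $s5 = "__imp__WININET$InternetReadFile@16" ascii fullword
        $s6 = "__imp__WININET$HttpQueryInfoA@20" ascii fullword
        $s7 = "__imp__WININET$HttpOpenRequestA@32" ascii fullword
        $s13 = "__imp__WININET$InternetCloseHandle@4" ascii fullword
        $s14 = "__imp__WININET$InternetOpenA@20" ascii fullword
        $s16 = "__imp__WININET$InternetConnectA@32" ascii fullword
        $s17 = "__imp__MSVCRT$strtok" ascii fullword
        $s18 = "__imp__MSVCRT$strcmp" ascii fullword

        // Cobalt Strike Beacon API imports that mark this as a BOF.
        $s12 = "__imp__BeaconDataInt" ascii fullword
        $s15 = "__imp__BeaconDataExtract" ascii fullword
        $s19 = "__imp__BeaconPrintf" ascii fullword
        $s20 = "__imp__BeaconDataParse" ascii fullword

    condition:
        // Cheap terms first. A COFF object has no MZ/PE header, so uint16(0)
        // is the COFF Machine field; 0x014c is IMAGE_FILE_MACHINE_I386.
        // The size bound and string count are evaluated before any hashing.
        (uint16(0) == 0x014c and filesize < 9KB and 8 of them)
        // Exact-hash match kept as the last `or` operand: hash.sha256() reads
        // the whole scanned file and is by far the most expensive term, so it
        // is now skipped whenever the heuristic above already matched.
        or hash.sha256(0, filesize) == "21d2d2a5068827890e30ec5438de5ef22401cd67e5aab69e2a76881c842bd4a4"
}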