rule M_Hunting_AscensionEngine_gotunnelme_1 {
	meta:
		author = "Mandiant"
		description = "Rule looks for binaries that use gotunnelme."
		md5 = "35fcc4b19946d1bc9c21add1f42d2b63"
	strings:
		$anchor = "gotunnelme" ascii wide nocase
		$func1 = "NewTunnelConn" ascii wide nocase
		$func2 = "Tunnel" ascii wide nocase
		$func3 = "StopTunnel" ascii wide nocase
		$func4 = "ConnectRemote" ascii wide nocase
		$func5 = "NewTunnel" ascii wide nocase
		$func6 = "GetUrl" ascii wide nocase
	condition:
		((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesize < 20MB and $anchor and (1 of ($func*))
}