Common Information
Type | Value |
---|---|
Value |
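import "hash"

// Detects the RedditC2 Windows agent (RedditAgent.exe), a .NET 4.7.2 binary
// that uses Reddit posts as its command channel. Two paths to a match:
//   1. exact match on the known sample's SHA-256, or
//   2. a small PE that carries at least 8 of the agent's distinctive strings
//      (session/upload status messages, RedditSharp API names, XOR-key and
//      listener identifiers).
rule RedditC2_ImplaintWin
{
    meta:
        description = "RedditC2 - RedditAgent.exe"
        sha256 = "8b534d0f9f699d6a02aca559f2699d914b0b3f8749e0d206bece0fe09b92ccc6"

    strings:
        // Agent identity and runtime framework
        $s1  = "RedditAgent.exe" wide fullword
        $s14 = "RedditAgent" wide fullword
        $s8  = ".NETFramework,Version=v4.7.2" ascii fullword
        $s9  = ".NET Framework 4.7.2" ascii fullword

        // Process-execution plumbing and operator-visible status strings
        $s2  = "set_UseShellExecute" ascii fullword
        $s3  = "[+] Created agent session: " wide fullword
        $s4  = "run hostname" wide fullword
        $s5  = "powershell" wide fullword
        $s11 = "[+] File uploaded successfully" wide fullword

        // Hard-coded key material names and message fields
        $s6  = "myPassword" wide fullword
        $s7  = "myxorkey" wide fullword
        $s13 = "encryptedMessage" ascii fullword
        $s18 = "xorkey" ascii fullword
        $s19 = "listenerID" ascii fullword

        // Reddit API surface (RedditSharp) used as the C2 transport
        $s12 = "createPost" ascii fullword
        $s15 = "SubmitTextPost" ascii fullword
        $s16 = "GetSubreddit" ascii fullword
        $s17 = "postText" ascii fullword
        $s20 = "RedditSharp.Things" ascii fullword

        // Build-path artifact; likely to change between builds, so it is
        // kept only as one vote among the "8 of them" heuristic.
        $s10 = "E:\\Work\\Analysis\\" ascii fullword

    condition:
        // Explicit grouping: in YARA `and` binds tighter than `or`, so the
        // original unparenthesised form already meant "hash OR (MZ AND size
        // AND strings)"; the parentheses make that intent visible.
        // The cheap structural branch is evaluated first so the whole-file
        // hash is only computed when the string heuristic does not already
        // match (hash.sha256 over every scanned file is the costly part of
        // this rule).
        (
            uint16(0) == 0x5a4d and
            filesize < 20KB and
            8 of them
        )
        or hash.sha256(0, filesize) == "8b534d0f9f699d6a02aca559f2699d914b0b3f8749e0d206bece0fe09b92ccc6"
}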
Category | |
Type | Yara Rule |
Misp Type | |
Description |