rule M_Hunting_Downloader_SHARPENTRY_1 {
	meta:
		author = "Mandiant"
		description = "Detects code fragments connected to the payload decoding and mining routines found within SHARPENTRY."
	strings:
		$decode_routine = { 0F B6 ?? ?? 0F B6 ?? ?? 33 C2 88 ?? ?? 0F B6 ?? ?? 83 ?? 4D }
		$payload_mine = { 8B ?? ?? 03 ?? ?? 81 ?? 89 C3 81 C3 }
	condition:
		uint16(0) == 0x5A4D and $decode_routine and $payload_mine
}