Common Information
Type | Value |
---|---|
Value | YARA rule `Miner_Linux_Qubitstrike` (full rule text below) |
Category | |
Type | Yara Rule |
Misp Type | |
Description | |

```yara
rule Miner_Linux_Qubitstrike
{
    meta:
        description = "Detects Qubitstrike primary payload (mi.sh)"
        author = "[email protected]"
        date = "2023-10-10"
        attack = "T1496"
        license = "Apache License 2.0"
        hash1 = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"

    strings:
        // configuration variables from the mi.sh script
        $const1 = "miner_url="
        $const2 = "miner_name="
        $const3 = "killer_url="
        $const4 = "kill_url2="

        // list of credential files the script searches for
        $creds = "\"credentials\" \"cloud\" \".s3cfg\" \".passwd-s3fs\" \"authinfo2\" \".s3backer_passwd\" \".s3b_config\" \"s3proxy.conf\""

        // progress/log messages printed by the script
        $log1 = "Begin disable security"
        $log2 = "Begin proccess kill"
        $log3 = "setup hugepages"
        $log4 = "SSH setup"
        $log5 = "Get Data && sent stats"

        // base64-encoded embedded payloads (Diamorphine rootkit sources)
        $diam1 = "H4sIAAAAAAAAA+0ba3PbNjJfxV+BKq2HVGRbshW1jerMuLLi6PyQR7bb3ORyGJqEJJ4oksOHE7f1"
        $diam2 = "I2RlZmluZSBfR05VX1NPVVJDRQoKI2luY2x1ZGUgPHN0ZGlvLmg"

        // Monero wallet address hard-coded in the script
        $wallet = "49qQh9VMzdJTP1XA2yPDSx1QbYkDFupydE5AJAA3jQKTh3xUYVyutg28k2PtZGx8z3P2SS7VWKMQUb9Q4WjZ3jdmHPjoJRo"

    condition:
        3 of ($const*) and $creds and 3 of ($log*) and all of ($diam*) and $wallet
}
```