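import "hash"

/*
 * Zoomer stealer: IOC-based detection.
 *
 * Three detection paths, evaluated cheapest first:
 *   1. The "Zoomer" User-Agent token together with at least one known
 *      C2 / exfiltration location (IP or URL).
 *   2. Two or more of the network indicators on their own.
 *   3. An exact sample match on MD5 / SHA-1 / SHA-256 through the "hash"
 *      module. The original rule listed the digests as plain strings, which
 *      only matches files that *contain the hex text* (reports, IOC lists),
 *      never the sample itself. Whole-file digests are comparatively
 *      expensive, so they are placed last in the condition.
 *
 * Several of the listed IPs appear to sit on shared cloud / CDN ranges (the
 * s3.amazonaws.com and api.telegram.org URLs point the same way), so any one
 * of them alone, or api.telegram.org alone, is a weak signal; hence the
 * "User-Agent plus one" / "two indicators" requirement instead of "any of".
 */
rule Zoomer_Stealer_Malware {
	meta:
		description = "YARA rule for detecting this Zoomer stealer malware based on provided IOCs and User-Agent"
		author = "Oluwatomiwa Amuda"
		date = "20241210"
		reference = "IOC Collection"
		threat_level = "High"
		malware_family = "Stealer Malware"
	strings:
		// Network indicators. "fullword" keeps "3.5.25.22" from matching
		// inside e.g. "3.5.25.223"; "wide" also catches UTF-16 copies that
		// Windows binaries commonly carry.
		$ip1 = "149.154.167.220" ascii wide fullword
		$ip2 = "3.5.70.162" ascii wide fullword
		$ip3 = "52.92.162.90" ascii wide fullword
		$ip4 = "52.216.41.65" ascii wide fullword
		$ip5 = "83.149.72.49" ascii wide fullword
		$ip6 = "3.5.68.152" ascii wide fullword
		$ip7 = "34.204.254.212" ascii wide fullword
		$ip8 = "104.26.9.44" ascii wide fullword
		$ip9 = "3.5.30.214" ascii wide fullword
		$ip10 = "3.5.25.23" ascii wide fullword
		$ip11 = "52.216.50.153" ascii wide fullword
		$ip12 = "3.5.25.22" ascii wide fullword
		$ip13 = "52.217.4.28" ascii wide fullword
		$ip14 = "3.5.28.162" ascii wide fullword
		$ip15 = "3.5.24.151" ascii wide fullword
		$ip16 = "3.5.17.191" ascii wide fullword
		// The original URL strings carried a leading and a trailing space,
		// so they only matched when that exact padded text was present.
		$url1 = "https://carsight.s3.amazonaws.com" ascii wide
		$url2 = "https://api.telegram.org" ascii wide
		$url3 = "https://comfucios.s3.us-west-2.amazonaws.com" ascii wide
		// User-Agent token as given in the IOC set.
		$user_agent = "Zoomer" ascii wide
	condition:
		// Cheap string tests first; the digest comparisons below only need
		// to run when none of these fire (YARA evaluates left to right).
		( $user_agent and 1 of ($ip*, $url*) )
		or 2 of ($ip*, $url*)
		// Exact sample matches (digests from the IOC collection).
		or hash.md5(0, filesize) == "f7903ddbf7c0aa570c3e6db19ec4df8c"
		or hash.md5(0, filesize) == "b8b9307c1aff8c9c2273987c509779e2"
		or hash.md5(0, filesize) == "7649d0acf3ef3475010b611311605543"
		or hash.md5(0, filesize) == "179ba30884f0b8508d6a58a0390ef065"
		or hash.md5(0, filesize) == "5e6db038cc6564999fb8dead56a8b253"
		or hash.md5(0, filesize) == "f9dbd8870fbba439143ece4f18a6a0f5"
		or hash.sha1(0, filesize) == "deea562d593975ce6763e63d627f06407910cb94"
		or hash.sha1(0, filesize) == "6e095dd4c824d04a256e5f4b5a588e0224dd0b48"
		or hash.sha1(0, filesize) == "322816adfd4a3867fe9d54210c122e306698e792"
		or hash.sha1(0, filesize) == "5fee4209d604f219cccda8260d5702636e4860e1"
		or hash.sha1(0, filesize) == "3f9439dae261c497c389e8d3ebbe35429d695990"
		or hash.sha256(0, filesize) == "9f439d1d1789c661b9b1e7fbc861637b4aa573337072d2bbdf043b6711140fb1"
		or hash.sha256(0, filesize) == "66e5597e0efa4fb7f042acf8bb0beb85ce7aa07cb9c3cc049f7e7ea76d299e2a"
		or hash.sha256(0, filesize) == "28b2511978695d81939e846347d6a8718f60737dc59f43c215d3e67e65e5256a"
		or hash.sha256(0, filesize) == "93c5e90688d426fa2e01c84780e87fac862f7f9e7bffd797c2be471fa86f3e15"
		or hash.sha256(0, filesize) == "babe574bef561df025c8686128bc6a8d84da93a412e7513ee0c221b6358e35db"
}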
Details Published Attributes CTI Title
Details Website 2024-12-20 68 Unveiling a Sophisticated Phishing Attack