import "hash"

// AM0NEye "etw.x86.o": a 32-bit Beacon Object File (BOF), not a PE.
// The rule keys on an i386 COFF object that imports the Cobalt Strike Beacon
// API (BeaconDataParse / BeaconDataExtract / BeaconPrintf) together with the
// Win32 calls needed to resolve an address and rewrite memory in-process
// (LoadLibraryA / GetProcAddress, VirtualProtect, memcpy). The "ETW" target is
// taken from the file name in the description only; none of the strings
// below names the function being patched.
rule AM0NEye_EtwX86 {
	meta:
		description = "AM0NEye - etw.x86.o"
		sha256 = "a14d6a30e886a19d47fad3e66b8dd5a6ead3e3a0bd7f8d3a6e001542740e9190"
	strings:
		// Beacon Object File API imports (Cobalt Strike BOF ABI).
		$s8 = "__imp__BeaconDataExtract" ascii fullword
		$s10 = "__imp__BeaconPrintf" ascii fullword
		$s11 = "__imp__BeaconDataParse" ascii fullword
		// Win32 imports (stdcall-decorated, i.e. x86): address resolution,
		// memory read and page-protection change.
		$s1 = "__imp__KERNEL32$GetCurrentProcess@0" ascii fullword
		$s2 = "__imp__KERNEL32$ReadProcessMemory@20" ascii fullword
		$s4 = "__imp__KERNEL32$GetProcAddress@8" ascii fullword
		$s6 = "__imp__KERNEL32$LoadLibraryA@4" ascii fullword
		$s7 = "__imp__KERNEL32$VirtualProtect@16" ascii fullword
		// CRT imports.
		$s9 = "__imp__MSVCRT$strcmp" ascii fullword
		$s13 = "__imp__MSVCRT$memcpy" ascii fullword
		// Status messages (presumably emitted via BeaconPrintf).
		$s3 = "ReadProcessMemory failed" ascii fullword
		$s5 = "Failed to find function address" ascii fullword
		$s12 = "Could not load library" ascii fullword
		$s14 = "Working with 32-bit." ascii fullword
		// Build artefacts: a section-table fragment and the compiler banner.
		// Both are weak alone (any object from the same GCC build carries the
		// banner), which is why the condition asks for 8 indicators, not one.
		$s15 = "0`.data" ascii fullword
		$s16 = "GCC: (GNU) 10-win32 20220324" ascii fullword
	condition:
		// Exact-sample branch: matches the known hash regardless of strings.
		// Note this hashes every scanned file; the heuristic branch is the
		// one that generalises to rebuilt variants.
		hash.sha256(0, filesize) == "a14d6a30e886a19d47fad3e66b8dd5a6ead3e3a0bd7f8d3a6e001542740e9190"
		or
		// Heuristic branch: COFF Machine field == IMAGE_FILE_MACHINE_I386 at
		// offset 0 (a PE would start with "MZ"), a small object file, and at
		// least half of the indicators. The parentheses spell out the same
		// grouping YARA's and/or precedence already gives.
		(
			uint16(0) == 0x014c
			and filesize < 6KB
			and 8 of ($s*)
		)
}
Details Website 2024-08-02 396 Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules