// Detects the Sync-Scheduler document-stealer: a PE file that carries Office
// extension strings, the three well-known shared user-profile paths, an HTTP
// POST verb and a handful of Win32 API names, plus at least one of the two
// exfiltration/recon indicators (form-urlencoded POST body, WMI system query).
//
// Review notes (grounded in the rule text itself):
//   * Only the extension and path strings carry the `wide` modifier; "POST",
//     the API names and both $ind_* strings are ASCII-only, so a UTF-16-LE
//     copy of those would not satisfy the rule.
//   * The API-name strings are generic Win32 import names; they tighten the
//     rule only in combination with the other required strings.
//   * No filesize bound is set. One could be added once sample sizes are
//     known, to cut scan cost on large benign binaries.
//   * Distribution is TLP:AMBER+STRICT — do not redistribute outside the
//     receiving organisation.
rule targeted_SyncScheduler_Malware {
	meta:
		description = "Rule detecting Sync-Scheduler malware used for extracting documents"
		// author string is kept exactly as published (including leading space)
		author = " The BlackBerry Threat Research and Intelligence Team"
		distribution = "TLP:AMBER+STRICT"
		date = "2024-10-21"
		version = "1.0"
	strings:
		// Targeted document types (ASCII and UTF-16-LE).
		$ext_docx = "docx" ascii wide
		$ext_xlsx = "xlsx" ascii wide
		$ext_pptx = "pptx" ascii wide
		// HTTP verb used for upload (ASCII only).
		$verb_post = "POST"
		// Shared user-profile directories, forward-slash form (ASCII and UTF-16-LE).
		$path_allusers = "C:/Users/All Users" ascii wide
		$path_default  = "C:/Users/Default" ascii wide
		$path_public   = "C:/Users/Public" ascii wide
		// Win32 API names (ASCII only).
		$api_readfile         = "ReadFile"
		$api_createmutex      = "CreateMutexA"
		$api_getconsolewindow = "GetConsoleWindow"
		// Exfiltration / host-recon indicators — any one is enough (ASCII only).
		$ind_formurlencoded = "Content-Type: application/x-www-form-urlencoded"
		$ind_wmi_csp        = "SELECT * FROM Win32_ComputerSystemProduct"
	condition:
		// 0x5A4D is "MZ" read little-endian: the file must start with a DOS/PE header.
		uint16(0) == 0x5A4D
		// Every extension, verb, path and API string must be present ...
		and all of ($ext_*, $verb_*, $path_*, $api_*)
		// ... together with at least one of the two indicator strings.
		and 1 of ($ind_*)
}
Type: YARA rule
Source report (website, published 2024-11-18, 129 attributes): Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign