rule apt_IAmTheKing_KingOfHearts {
	meta:
		description = "Matches IAmTheKing's KingOfHearts C++ implant"
		author = "Kaspersky Lab"
		copyright = "Kaspersky Lab"
		version = "1.0"
		type = "APT"
		filetype = "PE"
		last_modified = "2020-01-20"
	strings:
		$payload_fmt = "cookie=%s;type=%s;length=%s;realdata=%send"
		$cmd1 = "HEART"
		$cmd2 = "CMDINFO"
		$cmd3 = "PROCESSINFO"
		$cmd4 = "LISTDRIVE"
		$cmd5 = "LISTFILE"
		$cmd6 = "DOWNLOAD"
	condition:
		uint16(0) == 0x5A4D and filesize < 1MB and ($payload_fmt or all of ($cmd*))
}