rule lazarus_dtrack_unpacked {
	meta:
		author = "Withsecure Threat Intelligence"
		description = "Detects unpacked dtrack variant with smb data staging"
		date = "2023-01-01"
	strings:
		// Mutex name. Plain ASCII is the default modifier; spelled out here so the
		// contrast with the wide-only command strings below is explicit.
		$str_mutex = "MTX_Global" ascii
		// Command-line fragments (net use / ping-sleep-then-marker / move to share /
		// host triage). All are 'wide' only: UTF-16 copies match, ASCII copies do not.
		// The odd tokens in $str_cmd_2 ("127.0.01", "% echo") are kept verbatim from the
		// original rule; they look like the sample's own embedded text rather than a
		// transcription error, so do not "correct" them without checking the sample.
		$str_cmd_1 = "/c net use \\\\" wide
		$str_cmd_2 = "/c ping -n 3 127.0.01 > NUL % echo EEE > \"%s\"" wide
		$str_cmd_3 = "/c move /y %s \\\\" wide
		$str_cmd_4 = "/c systeminfo > \"%s\" & tasklist > \"%s\" & netstat -naop tcp > \"%s\"" wide
	condition:
		// "MZ" magic at offset 0 (DOS/PE header), read big-endian so the constant
		// is written in on-disk byte order; same check as uint16(0) == 0x5A4D.
		// Then every declared string must be present (same as 'all of them').
		uint16be(0) == 0x4D5A
		and $str_mutex
		and $str_cmd_1
		and $str_cmd_2
		and $str_cmd_3
		and $str_cmd_4
}
Type Yara Rule
Details Published Attributes CTI Title
Details Pdf 2023-01-31 134 No Pineapple! – DPRK Targeting of Medical Research and Technology Sector