Common Information
Type | Value |
---|---|
Value |
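import "hash"

// PoshC2 "FComm" implant (fcomm.exe). The sample is a .NET PE whose tasking and
// loader vocabulary (run-dll, run-exe, loadmodule, GetCurrentTasking, FCommConnect)
// is left in the binary as plain ASCII or UTF-16 strings, which is what this
// rule keys on. The sha256 in meta is the single known sample the rule was cut from.
rule PoshC2_Fcomm
{
    meta:
        description = "PoshC2 - fcomm.exe"
        sha256 = "f770e4b68e8d911e51a4de4cd84b36f290b7fcabe866063e26cee47afd98ba6c"

    strings:
        // PoshC2 / FComm-specific vocabulary. These are the strings that actually
        // carry the attribution; everything in the second group is weak on its own.
        $s1  = "fcomm.exe" ascii fullword
        $s4  = "run-dll-background" wide fullword
        $s7  = "GetCurrentTasking" ascii fullword
        $s9  = "get_Actioned" ascii fullword
        $s10 = "CreateEncryptionAlgorithm" ascii fullword
        $s11 = "run-dll" wide fullword
        $s12 = "run-exe Core.Program Core " wide fullword
        $s14 = "loadmodule" wide fullword
        $s15 = "[!] This is not implemented yet in FComm implant types." wide fullword
        $s19 = "FCommConnect" ascii fullword

        // Generic .NET / Visual Studio artefacts. The manifest fragments ($s2, $s5,
        // $s17) and "Microsoft.CodeAnalysis" ($s16) occur in many unrelated
        // assemblies, so they only add confidence in combination with the group
        // above. Kept because the original author included them and they raise
        // the score on the real sample.
        $s2  = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s3  = "ParseCommandLineArgs" ascii fullword
        $s5  = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s6  = "HostInfo" ascii fullword
        $s8  = "objContents" ascii fullword
        $s13 = "initialised" ascii fullword
        $s16 = "Microsoft.CodeAnalysis" ascii fullword
        $s17 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s18 = "SafeFileRead" ascii fullword
        $s20 = "GzipCompress" ascii fullword

    condition:
        // Cheap MZ check first. The original condition put hash.sha256(0, filesize)
        // as the left operand of the top-level "or", so YARA hashed every scanned
        // file of any type and size before looking at anything else - the most
        // expensive thing a rule can do in bulk scanning. The known sample is a PE,
        // so gating the hash branch behind the MZ magic loses no detection.
        // Parentheses make the and/or grouping explicit instead of relying on
        // precedence.
        uint16(0) == 0x5a4d
        and (
            hash.sha256(0, filesize) == "f770e4b68e8d911e51a4de4cd84b36f290b7fcabe866063e26cee47afd98ba6c"
            or (
                // 40KB bound presumably taken from the referenced sample; a rebuilt
                // variant with more code could exceed it - TODO confirm against
                // current PoshC2 builds before relying on it.
                // If false positives on generic .NET tooling appear, tighten with
                // e.g. "and 2 of ($s1, $s4, $s7, $s11, $s12, $s14, $s15, $s19)"
                // so that at least some FComm-specific strings must be present.
                filesize < 40KB and 8 of them
            )
        )
}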
Category | |
Type | Yara Rule |
Misp Type | |
Description |