rule Supposed_Grasshopper_Downloader {
	meta:
		description = "Detects the Nim downloader from the Supposed Grasshopper campaign."
		references = "TRR240601"
		date = "2024-06-20"
		author = "HarfangLab"
		context = "file,memory"
	strings:
		$pdb_path = "C:\\Users\\or\\Desktop\\nim-"
		$code = "helo.nim"
		$function_1 = "DownloadExecute" ascii fullword
		$function_2 = "toByteSeq" ascii fullword
	condition:
		uint16(0) == 0x5a4d and all of them
}