rule M_APT_Dropper_NEWRETURN_2 {
	meta:
		author = "Mandiant"
		description = "Detects strings in the NEWRETURN payloads"
	strings:
		$a1 = "GetLists"
		$a2 = "GetBuffer"
		$a3 = "Delays"
		$a4 = "InvokeMember"
		$a5 = "Array"
		$o1 = { 1F 8B 08 00 00 00 00 00 04 00 }
		$o2 = "http://"
		$a6 = "Form1"
		$a7 = "mscoree.dll"
	condition:
		all of ($a*) and ($o1 or $o2)
}