Common Information
Type Value
Value
rule M_Dropper_MUSKYBEAT_1 {
	meta:
		author = "Mandiant"
		date_created = "2023-04-06"
		description = "Detects the RC4 encryption algorithm used in MUSKYBEAT"
		version = "1"
		weight = "100"
		disclaimer = "This rule is meant for hunting and is not tested to run in a production environment."
	strings:
		$ = { 42 8A 14 04 48 8D ?? ?? ?? ?? ?? 8A C2 41 02 04 08 44 02 D0 41 0F B6 CA }
		$ = { 41 B9 04 00 00 00 41 B8 00 30 00 00 48 8B D3 33 C9 }
	condition:
		all of them
}
Category
Type Yara Rule
Misp Type
Description
Details: Website
Published: 2023-09-21
Attributes: 170
CTI Title: Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations | Mandiant