Common Information

Type | Value
---|---
Value | Yara rule (reproduced in full below)
Category |
Type | Yara Rule
Misp Type |
Description |

```yara
rule veeam_dumper {
    meta:
        description = "Detects Veeam credential Dumper"
        author = "BlackBerry Threat Research Team"
        date = "August 15, 2021"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
    strings:
        // .NET SQL client type names referenced by the sample
        $s1 = "SqlCommand" ascii wide fullword
        $s2 = "SqlConnection" ascii wide fullword
        $s3 = "SqlDataReader" ascii wide fullword
        // Binary and debug-symbol file names of the dumper
        $s4 = "veeamp.exe" ascii wide fullword
        $s5 = "veeamp.pdb" ascii wide fullword
    condition:
        // MZ header, small file, and at least four of the five strings
        uint16be(0) == 0x4d5a and filesize < 60KB and 4 of them
}
```