import "pe"

rule APT28_mvtband_dat_dll {
	meta:
		description = "Yara Rule for mvtband_dat_dll (2017)"
		author = "ZLAB Yoroi-Cybaze"
		last_updated = "2019-04-16"
		tlp = "white"
		category = "informational"
	strings:
		$a = "DGMNOEP"
		$b = { C7 45 94 0A 25 73 30 8D 45 94 }
	condition:
		all of them and pe.sections[2].raw_data_size == 0 and pe.version_info["OriginalFilename"] contains "mvtband"
}