rule apt_IAmTheKing_KingOfHearts_json {
	meta:
		description = "Matches IAmTheKing's KingOfHearts JSON C++ implant"
		author = "Kaspersky Lab"
		copyright = "Kaspersky Lab"
		version = "1.0"
		type = "APT"
		filetype = "PE"
		last_modified = "2020-01-20"
	strings:
		$user_agent = "Mozilla/4.0 (compatible; )"
		$error = "write info fail!!! GetLastError-->%u"
		$multipart = "Content-Type: multipart/form-data; boundary=--MULTI-PARTS-FORM-DATA-BOUNDARY\x0D\x0A"
	condition:
		uint16(0) == 0x5A4D and filesize < 1MB and all of them
}