Common Information
Type Value
Value
// Hunting rule for Windows PE builds of a Go binary that carries the frp
// (fatedier/frp) client package together with Go's HTTP reverse-proxy code
// and the armon/go-socks5 library.
//
// Triage notes:
//   - The strings are package paths and symbols of openly available Go code.
//     A hit shows that this tooling is present in the file, not that the file
//     is malicious on its own. Confirm with context such as file path, parent
//     process, signer and network destinations.
//   - The condition only accepts MZ/PE files, so ELF and Mach-O builds of the
//     same code are out of scope for this rule.
//   - All strings are plain ASCII with no wide/nocase/xor modifiers, and the
//     condition needs every one of them. A build whose Go symbols or build
//     info are stripped or altered would not match.
rule M_Hunting_FASTREVERSEPROXY {
	meta:
		author = "Mandiant"
		// Author's own caveat: expect to tune and validate before using this for alerting.
		disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
		// Presumably the hash of the reference sample the rule was written against.
		// meta values are informational and are never evaluated by the condition.
		md5 = "19dbffec4e359a198daf4ffca1ab9165"
	strings:
		// Go toolchain markers. fullword requires the match to be delimited by
		// non-alphanumeric characters.
		$ss1 = "Go build ID:" fullword
		$ss2 = "Go buildinf:" fullword
		// Method-symbol prefix of the Go standard library's httputil.ReverseProxy type.
		$ss3 = "net/http/httputil.(*ReverseProxy)."
		// Import path of the frp client package.
		$ss4 = "github.com/fatedier/frp/client"
		// The literal text "server_port" including its surrounding double quotes.
		$ss5 = "\"server_port\""
		// Symbol-path prefix from the armon/go-socks5 library.
		$ss6 = "github.com/armon/go-socks5.proxy"
	condition:
		// uint16(0) == 0x5A4D            -> file starts with "MZ" (DOS header)
		// uint32(uint32(0x3C)) == 0x4550 -> "PE\0\0" at the offset stored in e_lfanew (0x3C)
		// all of them                    -> every one of $ss1..$ss6 must be present
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}
Category
Type Yara Rule
Misp Type
Description
Details Published Attributes CTI Title
Details Website 2023-04-20 72 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant