rule Agrius_Webshells {
	meta:
		description = "Detects variations of webshells used by Agrius"
		author = "Amitai B @ SentinelOne"
		version = "1.0"
		TLP = "White"
		last_modified = "2021-05-11"
	strings:
		$s1 = "public string base64ToStr(string instr)"
		$s2 = "Process prcsss=new Process()"
		$s3 = "<form id=\"PRIVATECode\" runat=\"server\">"
	condition:
		(filesize > 1KB and filesize < 150KB and any of them)
}