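// Weighted string-presence rule for the detection named in `description`.
//
// Every pattern below is the byte encoding of an ASCII string of uppercase hex
// digits; the decoded text is given next to each one. What those strings mean
// inside the sample is not stated by the rule (NOTE(review): they look like
// encoded/obfuscated string constants -- confirm against a sample).
//
// Scoring: $a_01_0..$a_01_2 carry weight 2, $a_01_3..$a_01_11 carry weight 1,
// and the rule fires at a total of 4 or more.
//
// Two fixes over the single-line original:
//   * The rule is laid out one statement per line. On a single line the first
//     `//` comment swallowed everything after it, so the rule could not compile.
//   * The original scored each string as `(#s & 1) * weight`, i.e. by the parity
//     of its match count, so a string occurring an even number of times
//     contributed nothing and the sample could slip under the threshold. The
//     condition below scores by presence instead, written with `of` so no
//     module import is needed.
//
// NOTE(review): the condition has no file-type guard. The rule name says Win32,
// but nothing here checks for a PE header; decide per deployment (file scan vs.
// memory scan) whether to add one.
rule TrojanSpy_Win32_Banker_ABT
{
    meta:
        description = "TrojanSpy:Win32/Banker.ABT,SIGNATURE_TYPE_PEHSTR_EXT,05 00 04 00 0c 00 00 "

    strings:
        // Weight 2
        $a_01_0 = {37 39 46 41 30 46 31 33 31 33 31 44 33 36 33 45 43 35} // "79FA0F13131D363EC5"
        $a_01_1 = {30 36 30 36 31 38 31 45 32 38 41 41 32 38 33 30 31 39} // "0606181E28AA283019"
        $a_01_2 = {41 45 42 37 36 46 39 33 34 46 46 31 31 44 31 37 33 36 32 44 44 38 31 41 33 33} // "AEB76F934FF11D17362DD81A33"

        // Weight 1
        $a_01_3 = {36 36 38 33 39 31 42 41 36 30 38 39 41 41 35 44 45 39 31 35 33 34 45 31 30 42 37 34 41 36 35 30 39 34} // "668391BA6089AA5DE91534E10B74A65094"
        $a_01_4 = {41 41 34 36 43 43 37 46 41 38 34 42 43 41 30 36 32 35 31 41 43 34 37 36 41 36} // "AA46CC7FA84BCA06251AC476A6"
        $a_01_5 = {44 46 36 33 45 36 37 36 46 44 30 38 31 44 31 39 32 46 43 41 34 36 44 46 36} // "DF63E676FD081D192FCA46DF6"
        $a_01_6 = {43 36 34 38 43 42 35 39 44 38 36 44 38 36 38 30 38 36 39 33 39} // "C648CB59D86D868086939"
        $a_01_7 = {34 32 43 35 34 35 44 30 35 30 44 41 36 38 45 45 37 35 38 30 38 42 39 32 39 41 39} // "42C545D050DA68EE75808B929A9"
        $a_01_8 = {45 38 36 41 45 39 37 42 46 41 30 46 32 34 32 32 33 38 43 35 34 44 44 30 35 39 44 33 36} // "E86AE97BFA0F242238C54DD059D36"
        $a_01_9 = {41 45 42 30 41 38 34 36 43 33 37 33 41 32 35 46 38 30 42 46 36 35 39 33 46 46 32 39 43} // "AEB0A846C373A25F80BF6593FF29C"
        $a_01_10 = {43 43 35 44 33 46 44 35 37 42 41 43 35 37 38 31 42 30 36 44 43 37 36 36 39 38 42 36 36 38 39 39} // "CC5D3FD57BAC5781B06DC76698B66899"
        $a_01_11 = {31 46 43 36 37 39 41 45 35 42 44 30 34 36 33 32 44 43 30 46 33 30 44 37 37 35} // "1FC679AE5BD04632DC0F30D775"

    condition:
        // With H = weight-2 strings present and L = weight-1 strings present,
        // 2*H + L >= 4 holds exactly when one of these three cases holds.
        2 of ($a_01_0, $a_01_1, $a_01_2)
        or (
            any of ($a_01_0, $a_01_1, $a_01_2)
            and 2 of ($a_01_3, $a_01_4, $a_01_5, $a_01_6, $a_01_7, $a_01_8, $a_01_9, $a_01_10, $a_01_11)
        )
        or 4 of ($a_01_3, $a_01_4, $a_01_5, $a_01_6, $a_01_7, $a_01_8, $a_01_9, $a_01_10, $a_01_11)
}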