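// Detection rule for the family named in the description below
// (TrojanSpy:Win32/Banker.ADT). The description marks it as a PEHSTR_EXT
// signature: three byte patterns, each with weight 1, and a threshold of 3,
// so every pattern has to be present for the rule to fire.
//
// NOTE(review): nothing here restricts the scan to PE files or to a size
// range; if this rule runs over arbitrary data, consider pairing it with a
// file-type check in the calling ruleset.
rule TrojanSpy_Win32_Banker_ADT
{
    meta:
        description = "TrojanSpy:Win32/Banker.ADT,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 "

    strings:
        // Weight 1. ASCII text made only of hex digits:
        // 31A5EE7AEA6CEC538D35953869FC534283C4055DFE518FC10451F15389CA1D
        // Presumably an encoded string embedded in the sample; the rule
        // matches it literally and does not decode it.
        $a_01_0 = {33 31 41 35 45 45 37 41 45 41 36 43 45 43 35 33 38 44 33 35 39 35 33 38 36 39 46 43 35 33 34 32 38 33 43 34 30 35 35 44 46 45 35 31 38 46 43 31 30 34 35 31 46 31 35 33 38 39 43 41 31 44}

        // Weight 1. ASCII text made only of hex digits:
        // 3DA1C139BC255798EC78F40F6384E207679CC12FB7304FA2C0294D98EA71F27488E70D52A6C92C44A2C12FB037B4
        $a_01_1 = {33 44 41 31 43 31 33 39 42 43 32 35 35 37 39 38 45 43 37 38 46 34 30 46 36 33 38 34 45 32 30 37 36 37 39 43 43 31 32 46 42 37 33 30 34 46 41 32 43 30 32 39 34 44 39 38 45 41 37 31 46 32 37 34 38 38 45 37 30 44 35 32 41 36 43 39 32 43 34 34 41 32 43 31 32 46 42 30 33 37 42 34}

        // Weight 1. 32-bit x86 code sequence; the ?? bytes wildcard the
        // call displacements and the low half of three 0x0048???? immediates,
        // which vary with the build's layout.
        $a_03_2 = {
            89 82 5c 03 00 00       // mov  [edx+0x35c], eax
            e8 ?? ?? ff ff          // call <rel32, backward>
            8d 45 f8                // lea  eax, [ebp-8]
            50                      // push eax
            b9 ?? ?? 48 00          // mov  ecx, 0x0048????
            ba ?? ?? 48 00          // mov  edx, 0x0048????
            b8 ?? ?? 48 00          // mov  eax, 0x0048????
            e8 ?? ?? ff ff          // call <rel32, backward>
            8b 55 f8                // mov  edx, [ebp-8]
            8b 45 fc                // mov  eax, [ebp-4]
            05 38 03 00 00          // add  eax, 0x338
            e8 ?? ?? f8 ff          // call <rel32, backward>
            8b 45 fc                // mov  eax, [ebp-4]
            05 28 03 00 00          // add  eax, 0x328
        }

    condition:
        // The generated form was
        //   ((#a_01_0 & 1)*1 + (#a_01_1 & 1)*1 + (#a_03_2 & 1)*1) >= 3
        // "#x & 1" is the parity of the occurrence count, not a presence
        // flag: a pattern that occurs an even number of times contributes 0,
        // so a file holding any pattern twice was missed. With three
        // weight-1 terms and a threshold of 3, the intended meaning is that
        // all three patterns are present, which is what is tested here.
        $a_01_0 and $a_01_1 and $a_03_2
}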