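// Defender PEHSTR_EXT signatures for VirTool:BAT/Obfuscator.BF, converted to YARA.
//
// Each string keeps its original weight as a trailing comment.  The converted
// conditions summed `(#str & 1) * weight`, but `#str & 1` is the parity of the
// match count, not its presence: a string that appears an even number of times
// scores 0.  The conditions below express the same thresholds as presence
// tests instead.  Jump bounds are written in decimal as YARA requires (the
// converted source carried hex-looking `[0-0c]`, i.e. 0-12 bytes).

rule VirTool_BAT_Obfuscator_BF
{
    meta:
        description = "VirTool:BAT/Obfuscator.BF,SIGNATURE_TYPE_PEHSTR_EXT,64 00 03 00 03 00 00 "

    strings:
        // CIL: ldarg.0 ldloc.0 ldarg.0 ldloc.0 ldelem.u1 ldarg.1 ldloc.1 ldelem.u1
        //      xor conv.u1 stelem.i1 ldloc.1 ldc.i4.1 add stloc.1 ldloc.1 ldarg.1
        //      ldlen conv.i blt  -- a byte-array XOR loop
        $a_01_0 = { 02 06 02 06 91 03 07 91 61 d2 9c 07 17 58 0b 07 03 8e 69 32 } //1
        // CIL: stloc.2 ldc.i4.4 ldloc.1 callvirt <token> mul ldloc.1 callvirt <token>
        //      mul newarr -- allocates an array of 4 * (two callvirt results);
        //      presumably bitmap width/height given the PixelFormat string below -- confirm on samples
        $a_03_1 = { 0c 1a 07 6f ?? ?? ?? ?? 5a 07 6f ?? ?? ?? ?? 5a 8d } //1
        $a_01_2 = "PixelFormat" //1

    condition:
        // original: ((#a_01_0 & 1)*1 + (#a_03_1 & 1)*1 + (#a_01_2 & 1)*1) >= 3
        all of them
}

rule VirTool_BAT_Obfuscator_BF_2
{
    meta:
        description = "VirTool:BAT/Obfuscator.BF,SIGNATURE_TYPE_PEHSTR_EXT,ffffffe8 03 65 00 14 00 00 "

    strings:
        // Same CIL byte-array XOR loop as in VirTool_BAT_Obfuscator_BF.
        $a_01_0 = { 02 06 02 06 91 03 07 91 61 d2 9c 07 17 58 0b 07 03 8e 69 32 } //100

        // ".resources\0" followed by eight occurrences of one UTF-16LE character
        // ('#', 'E', 'F', 'Q', 'P', 'Y', 'Z', 'c'), each separated by up to 6 bytes;
        // looks like repetitive single-character resource names -- confirm on samples.
        $a_03_1 = { 2e 72 65 73 6f 75 72 63 65 73 00 [0-12] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_2 = { 2e 72 65 73 6f 75 72 63 65 73 00 [0-12] 45 00 [0-6] 45 00 [0-6] 45 00 [0-6] 45 00 [0-6] 45 00 [0-6] 45 00 [0-6] 45 00 [0-6] 45 } //1
        $a_03_3 = { 2e 72 65 73 6f 75 72 63 65 73 00 [0-12] 46 00 [0-6] 46 00 [0-6] 46 00 [0-6] 46 00 [0-6] 46 00 [0-6] 46 00 [0-6] 46 00 [0-6] 46 } //1
        $a_03_4 = { 2e 72 65 73 6f 75 72 63 65 73 00 [0-12] 51 00 [0-6] 51 00 [0-6] 51 00 [0-6] 51 00 [0-6] 51 00 [0-6] 51 00 [0-6] 51 00 [0-6] 51 } //1
        $a_03_5 = { 2e 72 65 73 6f 75 72 63 65 73 00 [0-12] 50 00 [0-6] 50 00 [0-6] 50 00 [0-6] 50 00 [0-6] 50 00 [0-6] 50 00 [0-6] 50 00 [0-6] 50 } //1
        $a_03_6 = { 2e 72 65 73 6f 75 72 63 65 73 00 [0-12] 59 00 [0-6] 59 00 [0-6] 59 00 [0-6] 59 00 [0-6] 59 00 [0-6] 59 00 [0-6] 59 00 [0-6] 59 } //1
        $a_03_7 = { 2e 72 65 73 6f 75 72 63 65 73 00 [0-12] 5a 00 [0-6] 5a 00 [0-6] 5a 00 [0-6] 5a 00 [0-6] 5a 00 [0-6] 5a 00 [0-6] 5a 00 [0-6] 5a } //1
        $a_03_8 = { 2e 72 65 73 6f 75 72 63 65 73 00 [0-12] 63 00 [0-6] 63 00 [0-6] 63 00 [0-6] 63 00 [0-6] 63 00 [0-6] 63 00 [0-6] 63 00 [0-6] 63 } //1

        // "System\0Object\0" followed by eight 'a' bytes, each separated by up to 3 bytes.
        $a_03_9 = { 53 79 73 74 65 6d 00 4f 62 6a 65 63 74 00 61 [0-3] 61 [0-3] 61 [0-3] 61 [0-3] 61 [0-3] 61 [0-3] 61 [0-3] 61 } //1

        // UTF-16LE digit '0'..'9' followed by eight UTF-16LE '#' characters,
        // each separated by up to 6 bytes.
        $a_03_10 = { 30 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_11 = { 31 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_12 = { 32 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_13 = { 33 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_14 = { 34 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_15 = { 35 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_16 = { 36 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_17 = { 37 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_18 = { 38 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1
        $a_03_19 = { 39 00 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 00 [0-6] 23 } //1

    condition:
        // original: weight 100 for $a_01_0 plus 1 per $a_03_* string, threshold 101,
        // i.e. the XOR loop together with at least one of the name patterns.
        $a_01_0 and 1 of ($a_03_*)
}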