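/*
    Detection rule for the family named in the description field:
    TrojanDownloader:Win32/Banload.DC.

    The description records the source signature type (SIGNATURE_TYPE_PEHSTR_EXT)
    followed by raw header bytes. 0x41 equals the threshold of 65 used in the
    condition and 0x05 equals the number of strings; presumably that is what
    those bytes encode (confirm against the signature source).

    Each string carries a weight, and the rule fires when the weights of the
    strings present add up to at least 65.

    NOTE(review): strings $a_02_0 .. $a_02_3 contain the sequences 90 02 NN,
    90 05 NN NN ... and a trailing 90 00. These look like pattern operators of
    the source signature format (bounded skip, character class, end marker)
    rather than file content. YARA treats them as literal bytes, so as written
    these four strings only match data that really contains those 0x90 bytes.
    Confirm against the signature source and, if that reading is right,
    re-express them as YARA jumps (for example [0-32]) before relying on this
    rule. The mandatory string $a_02_0 is affected, so the whole rule is.
*/
rule TrojanDownloader_Win32_Banload_DC
{
    meta:
        description = "TrojanDownloader:Win32/Banload.DC,SIGNATURE_TYPE_PEHSTR_EXT,41 00 41 00 05 00 00 "

    strings:
        // Weight 50. UTF-16LE text: "@*\A" + "C:\Documents and Settings\" <90 02 20>
        // "\Desktop\" <90 02 40> "\instalador bom\Proyecto1.vbp" <90 00>.
        // A Visual Basic project path (.vbp) left in the binary.
        $a_02_0 = {40 00 2a 00 5c 00 41 00 43 00 3a 00 5c 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 20 00 61 00 6e 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6e 00 67 00 73 00 5c 00 90 02 20 5c 00 44 00 65 00 73 00 6b 00 74 00 6f 00 70 00 5c 00 90 02 40 5c 00 69 00 6e 00 73 00 74 00 61 00 6c 00 61 00 64 00 6f 00 72 00 20 00 62 00 6f 00 6d 00 5c 00 50 00 72 00 6f 00 79 00 65 00 63 00 74 00 6f 00 31 00 2e 00 76 00 62 00 70 00 90 00 }

        // Weight 10. UTF-16LE text: "C:\windows\" <90 02 20> ".exe" <90 00>.
        $a_02_1 = {43 00 3a 00 5c 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 90 02 20 2e 00 65 00 78 00 65 00 90 00 }

        // Weight 10. UTF-16LE text: "C:\Arquivos de programas\" <90 02 10> ".cmd" <90 00>.
        $a_02_2 = {43 00 3a 00 5c 00 41 00 72 00 71 00 75 00 69 00 76 00 6f 00 73 00 20 00 64 00 65 00 20 00 70 00 72 00 6f 00 67 00 72 00 61 00 6d 00 61 00 73 00 5c 00 90 02 10 2e 00 63 00 6d 00 64 00 90 00 }

        // Weight 10. UTF-16LE text: "http://" <90 05 40 08 + bytes "a-z0-9." 00> "/"
        // <90 02 20> ".jpg" <90 00>. Reads as a URL ending in .jpg.
        $a_02_3 = {68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 90 05 40 08 61 2d 7a 30 2d 39 2e 00 2f 00 90 02 20 2e 00 6a 00 70 00 67 00 90 00 }

        // Weight 5. ASCII text: "URLDownloadToFileA" (urlmon download API name).
        $a_00_4 = {55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 }

    condition:
        // Weighted score with threshold 65 (weights 50, 10, 10, 10, 5).
        // $a_02_0 is mandatory because the other four weights total only 35.
        // The remaining 15 points need either two of the weight-10 strings,
        // or one weight-10 string plus $a_00_4.
        // Written as presence tests rather than "(#s & 1) * weight": "#s & 1"
        // is the parity of the match count, so a string found an even number
        // of times would score zero and the file would be missed.
        $a_02_0 and
        (
            2 of ($a_02_1, $a_02_2, $a_02_3) or
            ($a_00_4 and 1 of ($a_02_1, $a_02_2, $a_02_3))
        )
}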