// Detection rule for TrojanSpy:BAT/Stelega.AVP!MTB.
// The meta description records the originating signature type
// (SIGNATURE_TYPE_PEHSTR_EXT) and its raw header bytes; this rule is a
// string-only approximation of that signature.
//
// Hex strings of the form {XX 00 YY 00 ...} match UTF-16LE text, so the
// readable ones are written here as text strings with the `wide` modifier,
// which matches exactly the same bytes. The trailing "01 00" / "00 00"
// comments reproduce the per-string bytes carried in the source signature
// (presumably per-string weights — confirm against the PEHSTR_EXT format).
rule TrojanSpy_BAT_Stelega_AVP_MTB
{
    meta:
        description = "TrojanSpy:BAT/Stelega.AVP!MTB,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 01 00 "

    strings:
        // .NET Windows Forms resource-string names. These names also occur in
        // legitimate WinForms assemblies, so on their own they are weak
        // indicators.                                         // 01 00
        $a_01_0 = "WinForms_RecursiveFormCreate" wide
        $a_01_1 = "WinForms_SeeInnerException" wide             // 01 00

        // Namespace-like identifier embedded in the sample.   // 01 00
        $a_01_2 = "Imaginer.malheureux" wide

        // Opaque base64-like token (UTF-16LE), kept as raw hex
        // to avoid any transcription ambiguity.               // 01 00
        $a_01_3 = {51 00 68 00 32 00 2f 00 4a 00 70 00 52 00 39 00 55 00 41 00 49 00 72 00 4c 00 6f 00 50 00 35 00 32 00 77 00 57 00 61 00 75 00 72 00 4b 00 6e 00 36 00 52 00 79 00 68 00 37 00 44 00 6e 00 53 00 37 00 68 00 44 00 4a 00 48 00 6f 00 58 00 51 00 4c 00 42 00 31 00 65 00 34 00 51 00 79 00 42 00 36 00 46 00 30 00 53 00 51 00 42 00 56 00 65 00 6a 00 32 00 37 00 33 00 6f 00 78 00 47 00 61 00 6d 00 63 00 59 00 7a 00 57 00 72 00 35 00 4f 00 31 00 58 00 33 00 31 00 7a 00 48 00 48 00 31 00 54 00 78 00 70 00 6b 00 35 00 64 00 39 00 38 00 78 00 52 00 39 00 55 00 63 00 4b 00 5a 00 65 00 39 00 43 00 6b 00 49 00 5a 00 48 00 33 00 41 00 2f 00 6f 00 66 00 47 00 48 00 47 00 33 00 6d 00 38 00 48 00 6f 00 41 00 2f 00}

        // ASCII (8-bit) string in GUID format; likely an assembly or
        // typelib GUID — confirm against the sample.          // 00 00
        $a_81_4 = "a7c8d659-4e4c-4c4d-9d19-f975be357d54" ascii

    condition:
        // A single string hit is enough. NOTE(review): because $a_01_0 and
        // $a_01_1 are generic WinForms resource names, this loose condition
        // carries a false-positive risk on benign .NET binaries; the source
        // signature's header bytes may encode a stricter threshold — verify
        // before relying on this rule for blocking rather than hunting.
        any of them
}