// Detects the ATMSpitter_CNG variant attributed to the Cobalt group by
// matching three dispenser-status identifiers inside a PE image.
// Strings are plain ASCII and case-sensitive (YARA default); a UTF-16
// (wide) build of the same binary would NOT match this rule as written.
rule ATMSpitter_CNG
{
    meta:
        author      = "Quoscient GmbH"
        date        = "2018-01-24"
        description = "Rule for detecting ATMSpitter_CNG variant used by Cobalt group"
        sample      = "4035d977202b44666885f9781ac8755c799350a03838ff782eb730c0d7069958"

    strings:
        $s1 = "CNG_FRM_ERROR"
        $s2 = "CNG_FRM_DEVICE_NOT_READY"
        $s3 = "CNG_WARN_MONEY_NOT_REMOVED"

    condition:
        // DOS header magic "MZ" at offset 0
        uint16(0) == 0x5A4D and
        // PE signature "PE\0\0" at the offset stored in e_lfanew (0x3C)
        uint32(uint32(0x3C)) == 0x00004550 and
        // all three status identifiers must be present
        all of them
}