import "pe"

/*
 * ATMitch ATM malware detection.
 *
 * Fires on either of two independent signals: any one of the listed
 * strings inside a PE file, or a specific import hash. The imphash branch
 * stands on its own, so a sample with the strings altered or absent can
 * still match (presumably the hash of a known ATMitch sample - confirm
 * against the originating report).
 */
rule ATM_Malware_ATMITCH
{
    meta:
        author      = "Frank Boldewin (@r3c0nst)"
        description = "Detects ATM Malware ATMItch"

    strings:
        // Strings the rule attributes to ATMitch; each is matched
        // case-insensitively in both ASCII and UTF-16LE (wide) form.
        $s1 = "SCREEN and think what does you DO" ascii wide nocase
        $s2 = "Receive CASH UNIT info first, then LOOK on" ascii wide nocase
        $s3 = "Unknown command mnemonic, check it and repeat again" ascii wide nocase
        $s4 = "Catch some money, bitch!" ascii wide nocase

    condition:
        // Import hash alone is sufficient; otherwise require the "MZ"
        // magic (0x5a4d read little-endian at offset 0) and one string.
        pe.imphash() == "655ad5439db0832c5a3f86d0a68ddaac"
        or (uint16(0) == 0x5a4d and 1 of them)
}