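/*
 * Suceful: flags a PE file that contains all four of the name strings below.
 *
 * Layout fix: the rule was collapsed onto a single line, so the first "//"
 * comment swallowed the rest of the condition and the closing brace and the
 * rule could not compile. The condition is restored one clause per line and
 * matches the same files as the intended original.
 *
 * Triage notes:
 *   - Every string is a plain, unobfuscated name. A packed or string-encrypted
 *     sample will not match, so treat a miss as inconclusive.
 *   - msxfs.dll is the CEN/XFS manager library and is expected on ATM hosts.
 *     vcl60.bpl and Project1.exe are generic Delphi/C++Builder artefacts.
 *     Only the "SUCEFUL" marker is specific, which is why all four are required.
 */
rule Suceful
{
    meta:
        description = "PE file containing the SUCEFUL marker plus Borland VCL runtime and XFS manager library names"
        // No sample hash, reference or author is given with this rule; add them
        // from your own intelligence source before deploying.

    strings:
        // Borland VCL 6.0 runtime package name.
        $s1 = "vcl60.bpl" wide ascii nocase
        // Default project executable name; weak on its own.
        $s2 = "Project1.exe" wide ascii nocase
        // Family marker string.
        $s3 = "SUCEFUL" wide ascii nocase
        // XFS manager DLL name.
        $s4 = "msxfs.dll" wide ascii nocase

    condition:
        // "MZ" signature at offset 0 ...
        uint16(0) == 0x5A4D and
        // ... and "PE\0\0" at the offset stored in the MZ header at 0x3C.
        // A file too short to read either value makes the clause undefined,
        // so the rule simply does not match.
        uint32(uint32(0x3C)) == 0x00004550 and
        // All four name strings must be present somewhere in the file.
        all of them
}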