From 8ddf49a364060ce7563187794eaacd61dbe65535 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Sat, 28 Dec 2019 19:20:17 +0100
Subject: [PATCH] Update Yara_Rule_SideWinder_Dec19.yar
---
 .../SideWinder/25-12-19/Yara/Yara_Rule_SideWinder_Dec19.yar | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Indian/APT/SideWinder/25-12-19/Yara/Yara_Rule_SideWinder_Dec19.yar b/Indian/APT/SideWinder/25-12-19/Yara/Yara_Rule_SideWinder_Dec19.yar
index 0131620..223731a 100644
--- a/Indian/APT/SideWinder/25-12-19/Yara/Yara_Rule_SideWinder_Dec19.yar
+++ b/Indian/APT/SideWinder/25-12-19/Yara/Yara_Rule_SideWinder_Dec19.yar
@@ -28,6 +28,7 @@ rule APT_SideWinder_RTF_Dec19_1 {
 hash1 = "87882b884afd4bd6d4da1fb5e3f87d728f128f75fae32a2720fe899ac7f23f5d"
 strings:
 $s1 = "\\par 5.\\tab }{\\rtlch\\fcs1 \\af1 \\ltrch\\fcs0 \\insrsid6948592 Command and Operational Authorities are to ensure that these " ascii
+ $s2 = "39336e486c627250655a7738307456722b3649366a6577775a466a653841387032583934783952785075583934616839706e62724d504c5a543937686d4f7078" ascii /* hex encoded string '93nHlbrPeZw80tVr+6I6jewwZFje8A8p2X94x9RxPuX94ah9pnbrMPLZT97hmOpx' */
 $s3 = "2b39423552767779557174752f545941752f6f2b3937534874785179466546702b7456546f616659366975774b344c4b4730483273736e4b584c39367751637a" ascii /* hex encoded string '+9B5RvwyUqtu/TYAu/o+97SHtxQyFeFp+tVToafY6iuwK4LKG0H2ssnKXL96wQcz' */
 $s4 = "2f2b563762424544636c4137522b74427339495574346c646267482f452b70544d542f68694f4c446c2b416b634f3438594c736b47756f6c6672505669747679" ascii /* hex encoded string '/+V7bBEDclA7R+tBs9IUt4ldbgH/E+pTMT/hiOLDl+AkcO48YLskGuolfrPVitvy' */
 $s5 = "793431527173426e6a334f2b545653415030466b3367727546414b766a6f456f3643714944526d6d41565658506a4d7a4d4959534776475753536c7752727a44" ascii /* hex encoded string 'y41RqsBnj3O+TVSAP0Fk3gruFAKvjoEo6CqIDRmmAVVXPjMzMIYSGvGWSSlwRrzD' */ 
@@ -45,8 +46,7 @@ rule APT_SideWinder_RTF_Dec19_1 {
 $s17 = "41546d683864756a52315036673030324d72704f79424f4575557572426443555951444f5677615a7447594454673376365766334e494f734d6f4c66657a7571" ascii /* hex encoded string 'ATmh8dujR1P6g002MrpOyBOEuUurBdCUYQDOVwaZtGYDTg3v6Wf3NIOsMoLfezuq' */
 $s18 = "333662544c4f743272576e354e78766839562f306a472b583555766642394e4d37666f2b6e6c7944682f6a3659376b33482b486f76656c497a7a39316a30546d" ascii /* hex encoded string '36bTLOt2rWn5Nxvh9V/0jG+X5UvfB9NM7fo+nlyDh/j6Y7k3H+HovelIzz91j0Tm' */
 $s19 = "382b394d79702f514f6e502f6e4f5030682b6164562f2b736f722f33627a667a6a35796c2f6538612f2f356b38472f2b57662f626e3953722f782f4276326975" ascii /* hex encoded string '8+9Myp/QOnP/nOP0h+adV/+sor/3bzfzj5yl/e8a//5k8G/+Wf/bn9Sr/x/Bv2iu' */
- $s20 = "39336e486c627250655a7738307456722b3649366a6577775a466a653841387032583934783952785075583934616839706e62724d504c5a543937686d4f7078" ascii /* hex encoded string '93nHlbrPeZw80tVr+6I6jewwZFje8A8p2X94x9RxPuX94ah9pnbrMPLZT97hmOpx' */
- condition:
+ condition:
 uint16(0) == 0x5c7b and filesize < 5000KB and 8 of them
 }
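Review bot: Removing `$s20` changes what `8 of them` counts: its byte pattern is identical to the `$s2` added in the first hunk, so a sample containing that pattern previously contributed two identifier hits and now contributes one, making the threshold effectively one stricter for such files. The rule should be re-run against the sample recorded under `hash1` to confirm it still fires with the deduplicated string set. The `- condition:` / `+ condition:` pair reads identically here, so presumably that change is indentation only. A comment on the threshold would make future tuning safer, e.g. `/* 8 of the (presumably 19) string identifiers must hit; revisit if chunks are added or removed */` placed above `condition:`. The rule header `rule APT_SideWinder_RTF_Dec19_1 {` and the strings `$s6`–`$s16` lie outside this hunk.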