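# Nuclei file template: static string detection for the Pony credential
# stealer on Windows. The whole template was collapsed onto one line, which
# does not parse as YAML; the block structure is restored here with every key
# and value unchanged.
# NOTE(review): the word list is presumably derived from the BinaryAlert YARA
# rule linked in info.reference - confirm against that rule when updating.
id: pony-stealer-malware

info:
  name: Windows Pony Stealer Malware - Detect
  author: daffainfo
  # severity "info": a hit is a triage lead, not a verdict. Confirm with
  # hashing, sandboxing or a full YARA/AV scan before treating the file as
  # malicious.
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_pony_stealer.yara
  tags: malware,file,pony,stealer

file:
  # "all" means the matcher is not restricted to particular file extensions.
  - extensions:
      - all

    matchers:
      # Plain substring match on the raw file content. Only strings stored
      # unencoded in the file are visible, so packed or string-encrypted
      # samples will not match. Legitimate files that embed the same names
      # (password-recovery utilities, AV signature sets, detection rules
      # such as the referenced YARA file) will match.
      - type: word
        part: raw
        words:
          # Firefox saved-login store file names, table and field names.
          - "signons.sqlite"
          - "signons.txt"
          - "signons2.txt"
          - "signons3.txt"
          # NOTE(review): looks like a Windows/WinINet cached-credential
          # identifier - confirm.
          - "WininetCacheCredentials"
          - "moz_logins"
          - "encryptedPassword"
          # FTP client names (stored-credential targets).
          - "FlashFXP"
          - "BulletProof"
          - "CuteFTP"
        # "and": every word above must be present in the same file, which
        # keeps a single common string (e.g. one FTP client name) from
        # firing alone.
        condition: and
        # Matching ignores letter case.
        case-insensitive: true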