icedid/icedid.yar

rule icedid {
    meta:
        author = "Elastic Security"
        creation_date = "2022-03-01"
        last_modified = "2022-03-01"
        os = "Windows"
        category_type = "Trojan"
        family = "IcedID"
        threat_name = "Windows.Trojan.IcedID"
    strings:
        // Export/module name carried by the loader; fullword so it does not hit inside a longer token
        $a1 = "loader_dll_64.dll" ascii fullword
        // x64 XOR loop: mov al,[rcx+r8+disp8]; xor al,[rcx+r8]; mov [rbp+rcx+disp8],al;
        // inc rcx; cmp rcx,imm8 -- the two ?? bytes are the displacements, which vary between builds
        $config_decryption = { 00 42 8A 44 01 ?? 42 32 04 01 88 44 0D ?? 48 FF C1 48 83 F9 }
    condition:
        all of them
}
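The matching semantics the rule relies on are easy to misread: `??` is a single wildcard byte, `fullword` rejects a hit that is glued to another alphanumeric character, and `all of them` requires both strings in the same file. The following is an added example, not Elastic's code and not the YARA engine, that re-implements just those three behaviours in plain Python so they can be exercised offline without `yara-python`, and then renders the signatured instruction sequence as the byte-wise XOR it computes. The sample buffers are constructed here for illustration and are not IcedID samples; the assumption that `r8` points at the key material and that the loop counter runs from 0 to the `cmp` immediate is mine, taken from the instructions' operand encoding rather than from the rule.

```python
import re

# The rule's own strings, copied from the YARA source above.
HEX_PATTERN = "00 42 8A 44 01 ?? 42 32 04 01 88 44 0D ?? 48 FF C1 48 83 F9"
A1 = b"loader_dll_64.dll"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string made of fixed bytes and ?? wildcards into a bytes regex.

    Only the subset the rule uses (fixed bytes, ??) is handled; nibble wildcards,
    jumps and alternations are out of scope for this example.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                     # any single byte (DOTALL below covers 0x0A)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_hex(buf: bytes, pattern: str) -> list[int]:
    """Offsets at which the hex pattern matches."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(buf)]


def find_fullword(buf: bytes, needle: bytes) -> list[int]:
    """Offsets of `needle` honouring YARA's `fullword`: no ASCII alphanumeric byte may
    immediately precede or follow the match. Underscore is not alphanumeric, so it delimits."""
    hits = []
    start = 0
    while (i := buf.find(needle, start)) >= 0:
        before = buf[i - 1:i] if i > 0 else b""
        after = buf[i + len(needle):i + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():   # b"".isalnum() is False
            hits.append(i)
        start = i + 1
    return hits


def icedid_matches(buf: bytes) -> bool:
    """`condition: all of them` -- both strings must be present."""
    return bool(find_fullword(buf, A1)) and bool(find_hex(buf, HEX_PATTERN))


def emulate_matched_loop(mem: bytes, base: int, disp: int, count: int) -> bytes:
    """Python rendering of what the signatured instructions compute (assumption: r8 == base,
    rcx counts 0..count-1, and the first ?? byte is the source displacement `disp`):
        al = mem[r8 + rcx + disp]; al ^= mem[r8 + rcx]; out[rcx] = al
    i.e. a byte-wise XOR of a blob at base+disp against key bytes at base."""
    return bytes(mem[base + i + disp] ^ mem[base + i] for i in range(count))


# --- constructed sample buffers (not real malware) ---------------------------------
# A hit: the export name as its own NUL-terminated string, then the loop with
# displacements 0x10 and 0x20 standing in for the two ?? bytes, then cmp rcx, 0x40.
SAMPLE_HIT = (
    b"\x00" * 4
    + b"loader_dll_64.dll\x00"
    + b"\x90" * 3
    + bytes.fromhex("00 42 8A 44 01 10 42 32 04 01 88 44 0D 20 48 FF C1 48 83 F9 40")
)
# Same bytes but the name is embedded in a longer alphanumeric token: fullword fails.
SAMPLE_NO_FULLWORD = SAMPLE_HIT.replace(b"loader_dll_64.dll\x00", b"xloader_dll_64.dllx")
# Name present but no decryption loop: `all of them` fails.
SAMPLE_NO_LOOP = b"\x00" * 4 + b"loader_dll_64.dll\x00" + b"\x90" * 16

# Key followed by XOR-encrypted data, laid out the way the loop reads it.
DEMO_KEY = bytes(range(1, 9))
DEMO_PLAIN = b"cfgdata!"
DEMO_MEM = DEMO_KEY + bytes(p ^ k for p, k in zip(DEMO_PLAIN, DEMO_KEY))


if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("no_fullword", SAMPLE_NO_FULLWORD), ("no_loop", SAMPLE_NO_LOOP)]:
        print(name, icedid_matches(buf), find_fullword(buf, A1), find_hex(buf, HEX_PATTERN))
    print(emulate_matched_loop(DEMO_MEM, base=0, disp=len(DEMO_KEY), count=len(DEMO_PLAIN)))
```

Two practical caveats follow from the matcher: the leading `00` in the hex string is a real constraint (it anchors the loop to a preceding zero byte, typically the tail of the previous instruction's displacement), and because `fullword` only looks at one byte on either side, a build that renames the export to anything other than the exact string will silently drop the rule even if the loop is unchanged.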