Sudhanshu Sabharwal
November 25, 2025
Solved
test
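// Detection rule for the "InvisiDoor" Windows backdoor.
//
// Rule identifiers must be unique within a YARA ruleset (a duplicated
// identifier is a compile error), so the rule is declared exactly once.
// Fixes applied relative to the earlier revision:
//   - the configuration-path string was declared as $config_resgex and never
//     referenced from the condition; YARA rejects unreferenced strings, so the
//     rule did not compile. It is renamed to $config_regex and wired in as a
//     secondary indicator.
//   - every string now documents what it matches and how strong an indicator
//     it is, so analysts can triage hits without re-deriving the logic.
rule InvisiDoor_Backdoor : backdoor windows
{
  meta:
    description = "Identifies the InvisiDoor stealth backdoor malware."
    author = "AI Security Bot"
    date = "2025-11-06"
    version = "1.1"
    severity = "High"
  strings:
    // Hard-coded address used for command-and-control traffic.
    // NOTE(review): 192.168.42.10 is an RFC 1918 (private) address, so it can
    // also appear in test harnesses and internal tooling; it is therefore only
    // a secondary indicator and never sufficient on its own. 'fullword' stops
    // it matching inside a longer dotted string such as 192.168.42.100.
    $c2_ip = "192.168.42.10" fullword ascii
    // Mutex name the malware creates so that only one instance runs; this is
    // the primary indicator. 'wide ascii' covers both the UTF-16LE form used by
    // the W-suffixed Win32 APIs and the plain ASCII form.
    $mutex = "InvisiDoor_Global_Mutex_01" wide ascii
    // Instruction bytes from the backdoor's code; '??' is a single-byte wildcard.
    // Decodes as: push ebp / mov ebp,esp / and esp,-8 / push [ebp+??] / push 0.
    // NOTE(review): this looks like a generic stack-aligned x86 function
    // prologue and will occur in benign binaries too, which is why it is only
    // a secondary indicator behind the mutex match.
    $code_pattern = { 55 8B EC 83 E4 F8 FF 75 ?? 6A 00 }
    // Obfuscated configuration-file path: %APPDATA%\Roaming\<4 lowercase letters>.dat
    // (the [a-z]{4} stem is the randomised part). 'nocase' tolerates mixed-case
    // paths. NOTE(review): %APPDATA% normally already resolves to
    // ...\AppData\Roaming, so confirm the literal "\Roaming" segment against a
    // sample before relying on this string for hunting.
    $config_regex = /%APPDATA%\\Roaming\\[a-z]{4}\.dat/ nocase
  condition:
    // Require the unique mutex (strong indicator) AND at least one corroborating
    // artefact (C2 address, code fragment or config path), AND a plausible size
    // window of 10 KB..500 KB for the sample family. The size bounds are cheap
    // and are evaluated first by YARA's short-circuit logic only when placed
    // first, but are kept last here to keep the indicator order readable.
    $mutex and
    ($c2_ip or $code_pattern or $config_regex) and
    filesize > 10KB and filesize < 500KB
}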