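// Python-script exfiltration-channel indicators: Discord webhooks, Discord.py bots,
// SMTP mail sending, generic HTTP client usage and Telegram Bot API usage.
// All strings are declared `ascii wide` so both UTF-8 and UTF-16LE encoded
// sources (e.g. embedded in a PyInstaller/py2exe binary) are covered.

// A Discord webhook URL together with an HTTP client capable of POSTing to it.
rule UsesDiscordWebhook
{
    meta:
        description = "Detects Discord webhook usage"
        author = "Malware Researcher"
        severity = "Medium"
        date = "2023-01-01"

    strings:
        // Canonical, legacy and pre-release Discord API hosts.
        $webhook1 = "https://discord.com/api/webhooks/" ascii wide
        $webhook2 = "https://discordapp.com/api/webhooks/" ascii wide
        $webhook3 = "https://ptb.discord.com/api/webhooks/" ascii wide
        $webhook4 = "https://canary.discord.com/api/webhooks/" ascii wide
        // HTTP client libraries used to deliver the payload.
        $func1 = "requests.post" ascii wide
        $func2 = "httpx.post" ascii wide
        $func3 = "aiohttp" ascii wide
        $func4 = "urllib" ascii wide

    condition:
        1 of ($webhook*) and 1 of ($func*)
}

// Discord.py framework usage: an import or client class plus either a run call
// or a hard-coded bot token.
rule DiscordPyFramework
{
    meta:
        description = "Detects Discord.py bot framework usage"
        author = "Malware Researcher"
        severity = "Medium"
        date = "2023-01-01"

    strings:
        $import1 = "import discord" ascii wide
        $import2 = "from discord.ext import commands" ascii wide
        $class1 = "discord.Client" ascii wide
        $class2 = "commands.Bot" ascii wide
        $func1 = "bot.run" ascii wide
        $func2 = "client.run" ascii wide
        // Quoted three-part bot token literal (24 . 6 . 27 characters).
        $token = /['"][A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}['"]/ ascii wide

    condition:
        (1 of ($import*) or 1 of ($class*)) and (1 of ($func*) or $token)
}

// Outbound mail via smtplib with authentication or a well-known public provider.
rule PythonSMTPUsage
{
    meta:
        description = "Detects Python SMTP mail sending functionality"
        author = "Malware Researcher"
        severity = "Medium"
        date = "2023-01-01"

    strings:
        $import1 = "import smtplib" ascii wide
        $import2 = "from email" ascii wide
        $func1 = "smtplib.SMTP" ascii wide
        $func2 = "smtp.send_message" ascii wide
        $func3 = "smtp.sendmail" ascii wide
        $auth1 = "smtp.login" ascii wide
        $provider1 = "smtp.gmail.com" ascii wide
        $provider2 = "smtp-mail.outlook.com" ascii wide
        $provider3 = "smtp.mail.yahoo.com" ascii wide

    condition:
        // `1 of ($import*)` instead of `$import1`: $import2 was declared but never
        // referenced, and YARA rejects rules with unreferenced strings at compile time.
        1 of ($import*) and 1 of ($func*) and ($auth1 or 1 of ($provider*))
}

// Generic HTTP client usage carrying a request body. `.get(` and `data=` are
// common in benign code, hence the Low severity; treat as context, not a verdict.
rule HTTPRequests
{
    meta:
        description = "Detects HTTP request libraries usage for data exfiltration"
        author = "Malware Researcher"
        severity = "Low"
        date = "2023-01-01"

    strings:
        $import1 = "import requests" ascii wide
        $import2 = "import httpx" ascii wide
        $import3 = "import aiohttp" ascii wide
        $import4 = "from urllib" ascii wide
        $func1 = ".post(" ascii wide
        $func2 = ".get(" ascii wide
        $func3 = "urlopen(" ascii wide
        $data1 = "json=" ascii wide
        $data2 = "data=" ascii wide
        $data3 = "files=" ascii wide

    condition:
        1 of ($import*) and 1 of ($func*) and 1 of ($data*)
}

// Telegram Bot API usage: API URL or token literal combined with a send method,
// or a Telegram client library import on its own.
rule TelegramBotAPI
{
    meta:
        description = "Detects Telegram Bot API usage"
        author = "Malware Researcher"
        severity = "Medium"
        date = "2023-01-01"

    strings:
        $url1 = "api.telegram.org/bot" ascii wide
        // Bot token: numeric id, colon, 35-character secret.
        $token = /[0-9]{8,10}:[A-Za-z0-9_-]{35}/ ascii wide
        $method1 = "/sendMessage" ascii wide
        $method2 = "/sendDocument" ascii wide
        $method3 = "/sendPhoto" ascii wide
        // Note: these are bare substrings, so the import branch alone fires on
        // any file merely mentioning them.
        $import1 = "telebot" ascii wide
        $import2 = "telegram.ext" ascii wide

    condition:
        ($url1 and 1 of ($method*)) or ($token and 1 of ($method*)) or 1 of ($import*)
}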