// 01Executive summary
Multiple distinct Latin American banking trojan families are actively sharing and evolving TTPs, requiring immediate attention to detection and response. Defenders should prioritize identifying common string encryption algorithms, shared binary obfuscation tools like VMProtect and Themida, and specific packers used in distribution chains. Urgent focus is needed on detecting initial download methods leveraging Windows Installer (MSI) and execution via DLL side-loading, frequently involving ZIP archives. These shared tactics indicate a need for adaptive defenses against a coordinated and evolving regional threat landscape.
// 02Key metrics
// ttps
4
ATT&CK techniques
// iocs
17
indicators
// actors
0
threat groups
// kwords
10
keywords
// 03MITRE ATT&CK
// 04Threat actors
// no actors matched
// 05Indicators of compromise
// ips0
none
// domains12
- imgengine.dl
- spy.amavaldo
- spy.casbaneiro.aj
- spy.grandoreiro.aj
- spy.guildma.bs
- spy.krachulka
- spy.lokorrito
- spy.mekotio.bs
- spy.mispadu
- spy.numando
- spy.vadokrist
- spy.zumanek.cr
// urls2
- https://www.howtogeek.com/howto/windows-vista/what-is-dwmexe-and-why-is-it-
- https://diagnostico.gasantifraud.com/
// sha2560
none
// md50
none
// emails0
none
// cves0
none
// 06Geographic coverage
// 07YARA rule
```yara
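rule LATAM_Financial_Cybercrime_Competitors_in_Crime_TTPs_202311 {
    meta:
        author = "YARA Expert AI"
        date = "2023-11-20"
        description = "Detects files associated with LATAM financial cybercrime, specifically referencing competitors sharing TTPs, based on identified network IOCs and descriptive text patterns from ESET research."
        reference = "ESET Research white papers"
        tlp = "white"

    strings:
        // --- Network indicators, as listed in this report's IOC section ---
        // `ascii wide` makes YARA match both the single-byte and the UTF-16LE
        // encoding of each value. The earlier revision spelled the wide variant
        // out by hand ("i.m.g.e.n.g.i.n.e...d.l" with the `wide` modifier); that
        // searched for UTF-16LE text containing literal periods and could never
        // match, so every $*_wide string was dead weight in the `3 of` count.
        //
        // NOTE(review): most "domain" entries look like vendor detection-family
        // names (spy.amavaldo, spy.casbaneiro.aj, ...) rather than resolvable
        // hostnames, "imgengine.dl" looks truncated, and the howtogeek URL is a
        // cut-off public reference page. Treat hits on this group as "file that
        // discusses these families", not as evidence of live C2 traffic, until
        // the values are confirmed against the source paper.
        $network_domain_imgengine_dl       = "imgengine.dl" ascii wide
        $network_domain_spy_amavaldo       = "spy.amavaldo" ascii wide
        $network_domain_spy_casbaneiro_aj  = "spy.casbaneiro.aj" ascii wide
        $network_domain_spy_grandoreiro_aj = "spy.grandoreiro.aj" ascii wide
        $network_domain_spy_guildma_bs     = "spy.guildma.bs" ascii wide
        // Remaining entries from the report's domain list, previously omitted.
        $network_domain_spy_krachulka      = "spy.krachulka" ascii wide
        $network_domain_spy_lokorrito      = "spy.lokorrito" ascii wide
        $network_domain_spy_mekotio_bs     = "spy.mekotio.bs" ascii wide
        $network_domain_spy_mispadu        = "spy.mispadu" ascii wide
        $network_domain_spy_numando        = "spy.numando" ascii wide
        $network_domain_spy_vadokrist      = "spy.vadokrist" ascii wide
        $network_domain_spy_zumanek_cr     = "spy.zumanek.cr" ascii wide
        // URLs (kept exactly as listed; the howtogeek value is truncated in the source)
        $network_url_howtogeek    = "https://www.howtogeek.com/howto/windows-vista/what-is-dwmexe-and-why-is-it-" ascii wide
        $network_url_gasantifraud = "https://diagnostico.gasantifraud.com/" ascii wide

        // --- Text patterns taken from the ESET white paper sample ---
        // The first two are the paper's title fragments and are reasonably
        // specific. The rest ("banking trojan", "Targeted countries",
        // "Direct execution", ...) are generic security vocabulary; any
        // vendor report or conference slide deck on the topic will contain
        // several of them, so expect hits on unrelated threat-intel documents.
        $string_latam_financial_cybercrime         = "LATAM FINANCIAL CYBERCRIME" ascii wide
        $string_competitors_in_crime               = "COMPETITORS-IN-CRIME SHARING TTPS" ascii wide
        $string_eset_research                      = "ESET Research white papers" ascii wide
        $string_banking_trojan                     = "banking trojan" ascii wide
        $string_script_obfuscation                 = "Script obfuscation" ascii wide
        $string_dll_sideloading                    = "DLL side-loading" ascii wide
        $string_autoit_interpreter                 = "AutoIt interpreter" ascii wide
        $string_implementation_detail_similarities = "Implementation detail similarities" ascii wide
        $string_string_encryption_obfuscation      = "String encryption and obfuscation" ascii wide
        $string_binary_obfuscation                 = "Binary obfuscation" ascii wide
        $string_targeted_countries                 = "Targeted countries" ascii wide
        $string_direct_execution                   = "Direct execution" ascii wide

        // --- Other IOC types: none provided in the report ---
        // No file hashes, Windows API names or registry keys were available,
        // so this rule has no $hash_*, $api_* or $registry_* strings and cannot
        // identify a sample by content; it matches on text only.

    condition:
        // Either branch fires on its own:
        //  - 3 of the network group: now that each indicator is a single
        //    `ascii wide` string, this means 3 distinct indicators in either
        //    encoding (the old rule needed 3 of the 7 ASCII-only strings, since
        //    the hand-written wide strings never matched).
        //  - 4 of the text group: intended for reports and scripts describing
        //    the TTPs. This branch is the noisier one (see the note above);
        //    tighten by requiring one of the two title strings if it produces
        //    too many document hits in your environment.
        (3 of ($network_*)) or (4 of ($string_*))
}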
```
// 08Keywords
{'keyword': 'dll', 'score': 21.0165}
{'keyword': 'online', 'score': 8.4125}
{'keyword': 'com', 'score': 8.0521}
{'keyword': 'eset', 'score': 5.8993}
{'keyword': 'mekotio', 'score': 5.2087}
{'keyword': 'execution', 'score': 5.1033}
{'keyword': 'security', 'score': 3.7998}
{'keyword': 'casbaneiro', 'score': 3.3066}
{'keyword': 'windows', 'score': 3.1578}
{'keyword': 'used', 'score': 2.9657}