Sneed-Reactivity/yara-Neo23x0/gen_net_xorstrings.yar


rule MSIL_SUSP_OBFUSC_XorStringsNet {
    meta:
        description = "Detects XorStringsNET string encryption, and other obfuscators derived from it"
        author = "dr4k0nia"
        version = "1.0"
        reference = "https://github.com/dr4k0nia/yara-rules"
        score = 75
        date = "26/03/2023"
        id = "f0724ca6-4bfe-5b88-9396-a58aa7461fd6"
    strings:
        $pattern = { 06 1E 58 07 8E 69 FE 17 }

        // .NET marker
        $a1 = "_CorDllMain" ascii
        $a2 = "_CorExeMain" ascii
        $a3 = "mscorlib" ascii fullword
        $a4 = ".cctor" ascii fullword
        $a5 = "System.Private.Corlib" ascii
        $a6 = "<Module>" ascii fullword
        $a7 = "<PrivateImplementationsDetails{" ascii
    condition:
        uint16(0) == 0x5a4d
        and filesize < 25MB
        and $pattern 
        and 2 of ($a*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule MSIL_SUSP_OBFUSC_XorStringsNet {`
			`meta:`
			`description = "Detects XorStringsNET string encryption, and other obfuscators derived from it"`
			`author = "dr4k0nia"`
			`version = "1.0"`
			`reference = "https://github.com/dr4k0nia/yara-rules"`
			`score = 75`
			`date = "26/03/2023"`
			`id = "f0724ca6-4bfe-5b88-9396-a58aa7461fd6"`
			`strings:`
			`$pattern = { 06 1E 58 07 8E 69 FE 17 }`

			`// .NET marker`
			`$a1 = "_CorDllMain" ascii`
			`$a2 = "_CorExeMain" ascii`
			`$a3 = "mscorlib" ascii fullword`
			`$a4 = ".cctor" ascii fullword`
			`$a5 = "System.Private.Corlib" ascii`
			`$a6 = "<Module>" ascii fullword`
			`$a7 = "<PrivateImplementationsDetails{" ascii`
			`condition:`
			`uint16(0) == 0x5a4d`
			`and filesize < 25MB`
			`and $pattern`
			`and 2 of ($a*)`
			`}`