
/* requires YARA 3.8 or higher */
import "pe"
/*
 * SUSP_XORed_URL_In_EXE
 *
 * Flags PE files that carry an "http://" or "https://" prefix obscured with a
 * single-byte XOR key, a simple way of keeping download / callback URLs out of
 * plain string dumps. The rule does not try to decode the URL; it only compares
 * how often the prefix matches under XOR with how often it appears in plaintext
 * (see the condition comments), then excludes files that look like known benign
 * software or that carry an embedded Authenticode signature.
 */
rule SUSP_XORed_URL_In_EXE {
meta:
description = "Detects an XORed URL in an executable"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/stvemillertime/status/1237035794973560834"
date = "2020-03-09"
modified = "2022-09-16"
score = 50
id = "f83991c8-f2d9-5583-845a-d105034783ab"
strings:
/* XOR-encoded URL prefixes (ASCII only, as the xor modifier is not combined
   with wide). With no key range given the modifier tries every single-byte
   key; that range includes 0x00, so #s1 / #s2 also count plaintext
   occurrences of the same prefix. */
$s1 = "http://" xor
$s2 = "https://" xor
/* Plaintext baseline for the two prefixes; the condition compares these
   counts against #s1 / #s2 to cancel out the key-0x00 matches. */
$f1 = "http://" ascii
$f2 = "https://" ascii
/* False-positive exclusions: vendor / product markers from benign software
   that has been observed to trigger the count heuristic above. Any one of
   them suppresses the match (see `not 1 of ($fp*)` below). */
$fp01 = "3Com Corporation" ascii /* old driver */
$fp02 = "bootloader.jar" ascii /* DeepGit */
$fp03 = "AVAST Software" ascii wide
$fp04 = "smartsvn" wide ascii fullword
$fp05 = "Avira Operations GmbH" wide fullword
$fp06 = "Perl Dev Kit" wide fullword
$fp07 = "Digiread" wide fullword
$fp08 = "Avid Editor" wide fullword
$fp09 = "Digisign" wide fullword
$fp10 = "Microsoft Corporation" wide fullword
$fp11 = "Microsoft Code Signing" ascii wide
$fp12 = "XtraProxy" wide fullword
$fp13 = "A Sophos Company" wide
$fp14 = "http://crl3.digicert.com/" ascii
$fp15 = "http://crl.sectigo.com/SectigoRSACodeSigningCA.crl" ascii
$fp16 = "HitmanPro.Alert" wide fullword
condition:
/* "MZ" magic: only DOS/PE executables are considered */
uint16(0) == 0x5a4d and
/* size cap; presumably to keep large installers and bundles out of scope */
filesize < 2000KB and (
/* Strictly more XOR hits than plaintext hits means at least one hit used a
   non-zero key, i.e. a genuinely encoded prefix is present. The `$s1 and`
   guard keeps the comparison from being evaluated on zero matches. */
( $s1 and #s1 > #f1 ) or
( $s2 and #s2 > #f2 )
)
/* any single known-good marker suppresses the match */
and not 1 of ($fp*)
/* pe.number_of_signatures reports how many Authenticode signatures are
   embedded (presence, not validity). Every signed file is therefore excluded,
   including one signed with a stolen or since-revoked certificate — a
   coverage gap worth remembering when tuning this rule. */
and not pe.number_of_signatures > 0
}