Sneed-Reactivity/yara-mikesxrs/evild3ad/contains_ascii_hex_encoded_pe_file.yara

import "pe"

rule Contains_ASCII_Hex_encoded_PE_file
{
    meta:
        author = "Martin Willing (https://evild3ad.com)"
        description = "Detect an ASCII Hex encoded executable"
		reference = "https://blogs.mcafee.com/mcafee-labs/w97m-downloader-serving-vawtrak/"
		hash = "e56a57acf528b8cd340ae039519d5150"
		date = "2016-03-28"
		
    strings:
		$MZ = "4D5A" nocase // DOS header signature in e_magic
		$DOS = "21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6f64652E" nocase // !This program cannot be run in DOS mode. (DOS stub)
		$PE = "50450000" nocase // PE signature at start of PE header (NtHeader)
		
    condition:
		$MZ and $DOS and $PE

}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`import "pe"`

			`rule Contains_ASCII_Hex_encoded_PE_file`
			`{`
			`meta:`
			`author = "Martin Willing (https://evild3ad.com)"`
			`description = "Detect an ASCII Hex encoded executable"`
			`reference = "https://blogs.mcafee.com/mcafee-labs/w97m-downloader-serving-vawtrak/"`
			`hash = "e56a57acf528b8cd340ae039519d5150"`
			`date = "2016-03-28"`

			`strings:`
			`$MZ = "4D5A" nocase // DOS header signature in e_magic`
			`$DOS = "21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6f64652E" nocase // !This program cannot be run in DOS mode. (DOS stub)`
			`$PE = "50450000" nocase // PE signature at start of PE header (NtHeader)`

			`condition:`
			`$MZ and $DOS and $PE`

			`}`