Sneed-Reactivity/yara-mikesxrs/GoDaddy/upx.yara


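// Flags files that start with the DOS/PE "MZ" magic and carry the default
// UPX markers ("UPX0", "UPX1" and "UPX!") near the start of the file.
//
// Notes for analysts:
//   * A hit means "looks UPX-packed", not "malicious". UPX is widely used by
//     legitimate software, which is consistent with block/quarantine being
//     false here (presumably read by the consuming scanner; confirm there).
//   * All three markers are required, so a sample whose markers were renamed
//     or stripped will not match. Treat a miss as "no default UPX markers",
//     not as "not packed".
rule upx {
    meta:
        description = "UPX packed file"
        block = false
        quarantine = false
    strings:
        // "UPX0" and "UPX1", each followed by three NUL bytes; the trailing
        // NULs make a match on ordinary text containing "UPX0"/"UPX1" less likely.
        $upx1 = { 55 50 58 30 00 00 00 }
        $upx2 = { 55 50 58 31 00 00 00 }
        // Literal "UPX!" marker.
        $upx_sig = "UPX!"
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of bytes 4D 5A ("MZ")
        // at offset 0. It replaces a two-byte "MZ" string, which matches at
        // every "MZ" in the file and slows scanning.
        uint16(0) == 0x5A4D and
        // Each marker must begin within offsets 0..1024 of the file.
        $upx1 in (0..1024) and
        $upx2 in (0..1024) and
        $upx_sig in (0..1024)
}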