Sneed-Reactivity/yara-Neo23x0/gen_nimpackt.yar

24 lines
787 B
Text
Raw Normal View History

rule HKTL_Nim_NimPackt : EXE FILE HKTL {
meta:
description = "Detects binaries generated with NimPackt v1"
author = "Cas van Cooten"
reference = "https://github.com/chvancooten/NimPackt-v1"
date = "2022-01-26"
score = 80
id = "3399d937-133f-5701-840e-eaf68b2f1ec9"
strings:
$nim1 = "fatal.nim" ascii fullword
$nim2 = "winim" ascii
$np1 = { 4E 69 6D 50 61 63 6B 74 }
$sus1 = { 61 6D 73 69 00 00 00 00 B8 57 00 07 80 C3 }
$sus2 = { 5B 2B 5D 20 49 6E 6A 65 63 74 65 64 }
$sus3 = { 5C 2D 2D 20 62 79 74 65 73 20 77 72 69 74 74 65 6E 3A }
condition:
uint16(0) == 0x5A4D and
filesize < 750KB and
1 of ($nim*) and (
$np1 or 2 of ($sus*)
)
}