
import "pe"
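// Flags a .NET assembly masquerading as vcruntime140.dll (DLL sideloading).
// The genuine Microsoft runtime is native code and does not host the CLR, so
// a PE carrying this file name that imports mscoree.dll!_CorDllMain (the
// entry point every managed DLL imports) is a strong sideloading indicator.
//
// Requirements / caveats:
//   - `filename` is an external variable. Scanners such as THOR/Loki define
//     it; with plain yara it must be supplied (e.g. -d filename=<name>) or
//     the rule will not compile.
//   - `iequals` needs YARA >= 4.3.0. Windows filesystems are case-insensitive,
//     so a sideloaded copy may be named VCRuntime140.dll, vcruntime140.DLL,
//     etc.; the previous two literal, case-sensitive spellings missed those.
//     On older YARA, fall back to an `or` of `==` comparisons.
//   - Rule fires on the dropped DLL itself, not on the (legitimate, signed)
//     host executable that loads it.
rule SUSP_VCRuntime_Sideloading_Indicators_Aug23 {
   meta:
      description = "Detects indicators of .NET based malware sideloading as VCRUNTIME140 with .NET DLL imports"
      author = "Jonathan Peters"
      date = "2023-08-30"
      hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
      score = 75
      id = "00400122-1343-5051-af31-880a3ef1745d"
   condition:
      // case-insensitive name match (see header comment)
      filename iequals "vcruntime140.dll"
      // managed DLLs import the CLR host entry point; native vcruntime does not
      and pe.imports("mscoree.dll", "_CorDllMain")
}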
// NOTE(review): the rule below is left disabled. As written, its condition
// contradicts its description: `not pe.number_of_signatures == 0` requires at
// least one signature, so it would flag a VCRUNTIME140 signed by a
// non-Microsoft issuer, not an *unsigned* one. Re-enable only after deciding
// which case is intended and adjusting the condition (and the Wine $fp1
// exclusion) to match.
// rule SUSP_VCRuntime_Sideloading_Indicators_1_Aug23 {
// meta:
// description = "Detects indicators of .NET based malware sideloading as an unsigned VCRUNTIME140"
// author = "Jonathan Peters"
// date = "2023-08-30"
// hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
// score = 75
// strings:
// $fp1 = "Wine builtin DLL" ascii
// condition:
// (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
// and not pe.number_of_signatures == 0
// and not pe.signatures[0].issuer contains "Microsoft Corporation"
// and not $fp1
// }