Sneed-Reactivity/yara-mikesxrs/symantec/remsec_executable_blob_32.yar

rule remsec_executable_blob_32
{
meta:
copyright = "Symantec"
strings:
$code =
/*
31 06                       l0: xor     [esi], eax
83 C6 04                        add     esi, 4
D1 E8                           shr     eax, 1
73 05              
jnb     short l1
35 01 00 00 D0                  xor     eax, 0D0000001h
E2 F0                       l1: loop    l0
*/
{
31 06
83 C6 04
D1 E8
73 05
35 01 00 00 D0
E2 F0
}
condition:
all of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule remsec_executable_blob_32`
			`{`
			`meta:`
			`copyright = "Symantec"`
			`strings:`
			`$code =`
			`/*`
			`31 06 l0: xor [esi], eax`
			`83 C6 04 add esi, 4`
			`D1 E8 shr eax, 1`
			`73 05`
			`jnb short l1`
			`35 01 00 00 D0 xor eax, 0D0000001h`
			`E2 F0 l1: loop l0`
			`*/`
			`{`
			`31 06`
			`83 C6 04`
			`D1 E8`
			`73 05`
			`35 01 00 00 D0`
			`E2 F0`
			`}`
			`condition:`
			`all of them`
			`}`