Sneed-Reactivity/yara-Neo23x0/gen_net_xorstrings.yar

29 lines
851 B
Text
Raw Normal View History

rule MSIL_SUSP_OBFUSC_XorStringsNet {
meta:
description = "Detects XorStringsNET string encryption, and other obfuscators derived from it"
author = "dr4k0nia"
version = "1.0"
reference = "https://github.com/dr4k0nia/yara-rules"
score = 75
date = "26/03/2023"
id = "f0724ca6-4bfe-5b88-9396-a58aa7461fd6"
strings:
$pattern = { 06 1E 58 07 8E 69 FE 17 }
// .NET marker
$a1 = "_CorDllMain" ascii
$a2 = "_CorExeMain" ascii
$a3 = "mscorlib" ascii fullword
$a4 = ".cctor" ascii fullword
$a5 = "System.Private.Corlib" ascii
$a6 = "<Module>" ascii fullword
$a7 = "<PrivateImplementationsDetails{" ascii
condition:
uint16(0) == 0x5a4d
and filesize < 25MB
and $pattern
and 2 of ($a*)
}