Sneed-Reactivity/yara-Neo23x0/gen_susp_xor.yar

/* requires YARA 3.8 or higher */
import "pe"

rule SUSP_XORed_URL_In_EXE {
   meta:
      description = "Detects an XORed URL in an executable"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/stvemillertime/status/1237035794973560834"
      date = "2020-03-09"
      modified = "2022-09-16"
      score = 50
      id = "f83991c8-f2d9-5583-845a-d105034783ab"
   strings:
      $s1 = "http://" xor
      $s2 = "https://" xor
      $f1 = "http://" ascii
      $f2 = "https://" ascii

      $fp01 = "3Com Corporation" ascii  /* old driver */
      $fp02 = "bootloader.jar" ascii  /* DeepGit */
      $fp03 = "AVAST Software" ascii wide
      $fp04 = "smartsvn" wide ascii fullword
      $fp05 = "Avira Operations GmbH" wide fullword
      $fp06 = "Perl Dev Kit" wide fullword
      $fp07 = "Digiread" wide fullword
      $fp08 = "Avid Editor" wide fullword
      $fp09 = "Digisign" wide fullword
      $fp10 = "Microsoft Corporation" wide fullword
      $fp11 = "Microsoft Code Signing" ascii wide
      $fp12 = "XtraProxy" wide fullword
      $fp13 = "A Sophos Company" wide
      $fp14 = "http://crl3.digicert.com/" ascii
      $fp15 = "http://crl.sectigo.com/SectigoRSACodeSigningCA.crl" ascii
      $fp16 = "HitmanPro.Alert" wide fullword
   condition:
      uint16(0) == 0x5a4d and
      filesize < 2000KB and (
         ( $s1 and #s1 > #f1 ) or
         ( $s2 and #s2 > #f2 )
      )
      and not 1 of ($fp*)
      and not pe.number_of_signatures > 0
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`/* requires YARA 3.8 or higher */`
			`import "pe"`

			`rule SUSP_XORed_URL_In_EXE {`
			`meta:`
			`description = "Detects an XORed URL in an executable"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://twitter.com/stvemillertime/status/1237035794973560834"`
			`date = "2020-03-09"`
			`modified = "2022-09-16"`
			`score = 50`
			`id = "f83991c8-f2d9-5583-845a-d105034783ab"`
			`strings:`
			`$s1 = "http://" xor`
			`$s2 = "https://" xor`
			`$f1 = "http://" ascii`
			`$f2 = "https://" ascii`

			`$fp01 = "3Com Corporation" ascii /* old driver */`
			`$fp02 = "bootloader.jar" ascii /* DeepGit */`
			`$fp03 = "AVAST Software" ascii wide`
			`$fp04 = "smartsvn" wide ascii fullword`
			`$fp05 = "Avira Operations GmbH" wide fullword`
			`$fp06 = "Perl Dev Kit" wide fullword`
			`$fp07 = "Digiread" wide fullword`
			`$fp08 = "Avid Editor" wide fullword`
			`$fp09 = "Digisign" wide fullword`
			`$fp10 = "Microsoft Corporation" wide fullword`
			`$fp11 = "Microsoft Code Signing" ascii wide`
			`$fp12 = "XtraProxy" wide fullword`
			`$fp13 = "A Sophos Company" wide`
			`$fp14 = "http://crl3.digicert.com/" ascii`
			`$fp15 = "http://crl.sectigo.com/SectigoRSACodeSigningCA.crl" ascii`
			`$fp16 = "HitmanPro.Alert" wide fullword`
			`condition:`
			`uint16(0) == 0x5a4d and`
			`filesize < 2000KB and (`
			`( $s1 and #s1 > #f1 ) or`
			`( $s2 and #s2 > #f2 )`
			`)`
			`and not 1 of ($fp*)`
			`and not pe.number_of_signatures > 0`
			`}`