Sneed-Reactivity/yara-mikesxrs/evild3ad/contains_ascii_hex_encoded_pe_file.yara

20 lines
682 B
Text
Raw Normal View History

import "pe"
rule Contains_ASCII_Hex_encoded_PE_file
{
meta:
author = "Martin Willing (https://evild3ad.com)"
description = "Detect an ASCII Hex encoded executable"
reference = "https://blogs.mcafee.com/mcafee-labs/w97m-downloader-serving-vawtrak/"
hash = "e56a57acf528b8cd340ae039519d5150"
date = "2016-03-28"
strings:
$MZ = "4D5A" nocase // DOS header signature in e_magic
$DOS = "21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6f64652E" nocase // !This program cannot be run in DOS mode. (DOS stub)
$PE = "50450000" nocase // PE signature at start of PE header (NtHeader)
condition:
$MZ and $DOS and $PE
}