Sneed-Reactivity/yara-mikesxrs/h3x2b/compiler.yara

68 lines
1.5 KiB
Text
Raw Normal View History

rule executable_au3 : info compiler autit
{
meta:
// author = "@h3x2b <tracker _AT h3x.eu>"
description = "Match AU3 autoit executables"
strings:
$str_au3_01 = "AU3"
$str_au3_02 = { A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D }
condition:
all of them
}
rule vb_pcode : info compiler vb
{
meta:
// author = "@h3x2b <tracker _AT h3x.eu>"
description = "VisualBasic compiled to P-Code bytecode"
// http://waleedassar.blogspot.com/2012/03/visual-basic-malware-part-1.html
strings:
$str_vb_01 = "VB5"
$str_vb_pcode = { E9 E9 E9 E9 CC CC CC CC CC CC CC CC CC CC CC CC 9E 9E 9E 9E }
condition:
( $str_vb_01 )
and $str_vb_pcode
}
rule vb_native: info compiler vb
{
meta:
// author = "@h3x2b <tracker _AT h3x.eu>"
description = "VisualBasic compiled to Native code, http://waleedassar.blogspot.com/2012/03/visual-basic-malware-part-1.html"
strings:
$str_vb_01 = "VB5"
$str_vb_ncode = { E9 E9 E9 E9 CC CC CC CC CC CC CC CC CC CC CC CC 55 8B EC }
condition:
( $str_vb_01 )
and $str_vb_ncode
}
rule dotnet_libraries: info compiler dotnet
{
meta:
// author = "@h3x2b <tracker _AT h3x.eu>"
description = ".Net runtime mscoree.dll mscorwks.dll"
strings:
$str_dn_01 = "mscoree.dll"
$str_dn_02 = "_CorExeMain"
$str_dn_03 = "mscorwks.dll"
$str_dn_04 = "CoInitializeEE"
condition:
2 of ($str_dn_* )
}