Sneed-Reactivity/yara-mikesxrs/Novetta/IndiaHotel.yara

import "pe"

rule IndiaHotel
{
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		Source = "8a4fc5007faf85e07710dca705108df9fd6252fe3d57dfade314120d72f6d83f"

	strings:
	/*
		6A 0A              push    0Ah             ; int
		8D 85 C4 E4 FF FF  lea     eax, [ebp+Source]
		68 10 02 00 00     push    210h            ; unsigned int
		50                 push    eax             ; void *
		E8 FA 60 00 00     call    ??_L@YGXPAXIHP6EX0@Z1@Z; `eh vector constructor iterator'(void *,uint,int,void (*)(void *),void (*)(void *))
	*/

	$fileExtractorArraySetup = {
			6A 0A 
			8D [5-6]
			68 10 02 00 00 
			50 
			E8
		}

	condition:
		$fileExtractorArraySetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`import "pe"`

			`rule IndiaHotel`
			`{`
			`meta:`
			`copyright = "2015 Novetta Solutions"`
			`author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"`
			`Source = "8a4fc5007faf85e07710dca705108df9fd6252fe3d57dfade314120d72f6d83f"`

			`strings:`
			`/*`
			`6A 0A push 0Ah ; int`
			`8D 85 C4 E4 FF FF lea eax, [ebp+Source]`
			`68 10 02 00 00 push 210h ; unsigned int`
			`50 push eax ; void *`
			E8 FA 60 00 00 call ??_L@YGXPAXIHP6EX0@Z1@Z; `eh vector constructor iterator'(void ,uint,int,void ()(void ),void ()(void *))
			`*/`

			`$fileExtractorArraySetup = {`
			`6A 0A`
			`8D [5-6]`
			`68 10 02 00 00`
			`50`
			`E8`
			`}`

			`condition:`
			`$fileExtractorArraySetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))`
			`}`