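/*
   Yara Rule Set
   Author: YarGen Rule Generator
   Date: 2016-11-14
   Identifier:
*/

/* Rule Set ----------------------------------------------------------------- */

// Review note: the generated rule declared $s7, $s8, $s9 and $s10 twice, which
// YARA rejects at compile time ("duplicated string identifier"). The second
// occurrences have been renumbered $s11-$s14 and the trailing $s11-$s13 have
// become $s15-$s17. String contents, modifiers and the condition are unchanged,
// so "10 of ($s*)" and "all of them" still cover every string.
rule dimsmifs_exe {
   meta:
      description = "Auto-generated rule - file dimsmifs.exe.malware"
      author = "YarGen Rule Generator"
      reference = "not set"
      date = "2016-11-14"
      hash1 = "a6830427d8b818ac690af6f3a6fa974bc286d9e5861550279267280594284f5d"
   strings:
      // High-value strings: a developer PDB path and loader/crypter log messages
      // are specific to this build and carry most of the rule's signal.
      $s1 = "G:\\DOCS!!!\\MyProg\\FREELANCE\\CURRENT\\Krypton\\Krypton_15.0\\Bin\\StubNew.pdb" fullword ascii /* score: '29.00' */
      $s2 = "LoaderPE: CreateProcess error:0x%X" fullword ascii /* score: '26.00' */
      $s3 = "zero.exe" fullword ascii /* score: '21.00' */
      $s4 = "RtlComputeCrc32=%d, PostCRC32=%d" fullword ascii /* score: '20.50' */
      $s5 = "GetProcAddressNt: %s - OK" fullword ascii /* score: '17.00' */
      $s6 = "FromBase64Crypto: PostCRC32 - OK" fullword ascii /* score: '16.00' */
      $s7 = "GetProcAddressNt#%d: %s: %s" fullword ascii /* score: '15.50' */
      $s8 = "LoaderPE: Error CRC GO Exit1" fullword ascii /* score: '14.00' */
      $s9 = "FromBase64Crypto: MemAllOk: %d, fun 0x%X" fullword ascii /* score: '13.50' */
      // Low-score strings below (score 7.00 and under) look like packer and PE
      // header residue rather than behaviour of this sample: "mpress" /
      // "MATCODE Software" presumably come from the MPRESS packer, and the
      // "Richg&i\"" fragments appear to be pieces of the PE Rich header.
      // They count toward "10 of ($s*)", so validate the rule against a clean
      // corpus of packed binaries before relying on it in production.
      $s10 = "8\"x:\"5.)|z~" fullword ascii /* score: '7.00' */
      $s11 = "!Lyyyyyyyy+!" fullword ascii /* score: '7.00' */
      $s12 = "\\;.TuU" fullword ascii /* score: '7.00' */
      $s13 = "mpress" fullword wide /* score: '7.00' */
      $s14 = "o\"f&i\"Richg&i\"" fullword ascii /* score: '5.00' */
      $s15 = "qg&i\"g&i\"g&i\"9" fullword ascii /* score: '5.00' */
      $s16 = "m\"e&i\"g&i\"_&i\"g&h\"" fullword ascii /* score: '5.00' */
      $s17 = "MATCODE Software" fullword wide /* score: '5.00' */
   condition:
      // MZ header, size cap, and at least 10 of the 17 strings; or every string
      // regardless of header/size.
      ( uint16(0) == 0x5a4d and filesize < 500KB and ( 10 of ($s*) ) ) or ( all of them )
}

rule FakturaVAT_6587_pdf_scr {
   meta:
      description = "Auto-generated rule - file FakturaVAT_6587.pdf.scr.txt"
      author = "YarGen Rule Generator"
      reference = "not set"
      date = "2016-11-14"
      hash1 = "031d175a52280e5da95a0265d7156ed67d63d5c9d79e4ea972586045e44dec11"
   strings:
      $s1 = "$$$$$$$$$$$$,,,,,,4444444<<<<<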