Sneed-Reactivity/yara-mikesxrs/Niels Warnars/encoded_vbs.yar

rule encoded_vbs
{
	meta:
		author = "Niels Warnars"
		date = "2016/07/31"
		description = "Encoded .vbs detection"
		reference = "https://gallery.technet.microsoft.com/Encode-and-Decode-a-VB-a480d74c"
	strings:
		$begin_tag1 = "#@~^" 
		$begin_tag2 = "=="
		$end_tag = "==^#~@"
	condition:
	   $begin_tag1 at 0 and $begin_tag2 at 10 and $end_tag
}