  /*
  YARA Rule Set
  Author: yarGen Rule Generator
  Date: 2020-07-16
  Identifier: Sample
  Reference: https://github.com/Neo23x0/yarGen
  */

  /* Rule Set ----------------------------------------------------------------- */

  11. rule INV__No_4902_20200408_pdf {
  12. meta:
  13. description = "Sample - file INV_ No 4902_20200408_pdf.bin"
  14. author = "yarGen Rule Generator"
  15. reference = "https://github.com/Neo23x0/yarGen"
  16. date = "2020-07-16"
  17. hash1 = "668d6260d3045a7fec6df084c5c6a85842d13991e99210c95e4b2dee7d66dab4"
  18. strings:
  19. $s1 = "System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934" ascii /* score: '27.00'*/
  20. $s2 = "lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii /* score: '27.00'*/
  21. $s3 = "WinX.exe" fullword wide /* score: '22.00'*/
  22. $s4 = "2.1.1.1" fullword wide /* reversed goodware string '1.1.1.2' */ /* score: '16.00'*/
  23. $s5 = " <requestedExecutionLevel level="asInvoker" uiAccess="false"/>" fullword ascii /* score: '15.00'*/
  24. $s6 = " <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>" fullword ascii /* score: '11.00'*/
  25. $s7 = ".Beds Protector v1.4.1 | Public Version @Github" fullword ascii /* score: '10.00'*/
  26. $s8 = "}@l7Z<5!VYoAApF'2!!{s]f*w9#YO}yb's[ozE#Yd|9J$01!WLQ#DtET\e|}Lk3(!YYU0D<<lB"! [E:D z%_!M|_=L-vJi7~ \tpr;lH#;/!VMTVCs9[@N \KMUCh<" ascii /* score: '9.00'*/
  27. $s9 = "}@l7Z<5!VYoAApF'2!!{s]f*w9#YO}yb's[ozE#Yd|9J$01!WLQ#DtET\e|}Lk3(!YYU0D<<lB"! [E:D z%_!M|_=L-vJi7~ \tpr;lH#;/!VMTVCs9[@N \KMUCh<" ascii /* score: '9.00'*/
  28. $s10 = "ZfTPpix" fullword ascii /* score: '9.00'*/
  29. $s11 = "NXg9a>*2j8Ka1'!QSCUCtMf6)!^MA%Dx?$/M ]qn@;KV61!}n3C-<9V[D}mDX/%!]u+D;l;Y6&!XFI*Dnbo23jw4UA,!OXO0DlL'@&!RQF8D;Ed,3!XLG%Dpbt*5j~I" ascii /* score: '9.00'*/
  30. $s12 = "<?xml version="1.0" encoding="UTF-8" standalone="yes"?>" fullword ascii /* score: '7.00'*/
  31. $s13 = "FrameworkDisplayNamejiHEBnfhUIMyDel" fullword ascii /* score: '7.00'*/
  32. $s14 = "WCU5.lov!" fullword ascii /* score: '7.00'*/
  33. $s15 = "jqUIC.Resource1.resources" fullword ascii /* score: '7.00'*/
  34. $s16 = " <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">" fullword ascii /* score: '7.00'*/
  35. $s17 = "jqUIC.Resource1" fullword wide /* score: '7.00'*/
  36. $s18 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD" fullword ascii /* score: '6.50'*/
  37. $s19 = "PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
  38. $s20 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
  39. condition:
  40. uint16(0) == 0x5a4d and filesize < 2000KB and
  41. 8 of them
  42. }
  43.  
  44. rule Sample_prof {
  45. meta:
  46. description = "Sample - file prof.bin"
  47. author = "yarGen Rule Generator"
  48. reference = "https://github.com/Neo23x0/yarGen"
  49. date = "2020-07-16"
  50. hash1 = "35725d1a4fe415f08442c86331ba22fe519673f53c8fed4391c0825bf2ff7d62"
  51. strings:
  52. $s1 = "System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934" ascii /* score: '27.00'*/
  53. $s2 = "lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii /* score: '27.00'*/
  54. $s3 = "WinX.exe" fullword wide /* score: '22.00'*/
  55. $s4 = "2.1.1.1" fullword wide /* reversed goodware string '1.1.1.2' */ /* score: '16.00'*/
  56. $s5 = " <requestedExecutionLevel level="asInvoker" uiAccess="false"/>" fullword ascii /* score: '15.00'*/
  57. $s6 = "}@l7_DI Z\oDA8KUC1!UDX3D"/{",^{m?f,i5j2!!!EH(DiA%6-!]]A(D""gH@[[WB1D|H$\9}hEi5~ WDqk@"+6wE[|cb *}f~zMgmHc]O}kep/0j7JV<,!cKITCyd=" ascii /* score: '14.00'*/
  58. $s7 = "}@l7_DI Z\oDA8KUC1!UDX3D"/{",^{m?f,i5j2!!!EH(DiA%6-!]]A(D""gH@[[WB1D|H$\9}hEi5~ WDqk@"+6wE[|cb *}f~zMgmHc]O}kep/0j7JV<,!cKITCyd=" ascii /* score: '14.00'*/
  59. $s8 = " <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>" fullword ascii /* score: '11.00'*/
  60. $s9 = ".Beds Protector v1.4.1 | Public Version @Github" fullword ascii /* score: '10.00'*/
  61. $s10 = "J|fq;VZ:}88h[J}~=d6'!WGS%Dne|&^i"+6|4[QLVVC9BYZO}ob!sqo<?j1I Rs[(<h7i:#!PSO#Di7l;1!XFL)DiCd15!`vg*<nEm</!}r@L-~e= Fj!~8egMSPY<Dn" ascii /* score: '9.00'*/
  62. $s11 = "}@l7_DI Z\oDA8KUC1!UDX3D"/{",^{m?f,i5j2!!!EH(DiA%6-!]]A(D""gH@[[WB1D|H$\9}hEi5~ WDqk@"+6wE[|cb *}f~zMgmHc]O}kep/0j7JV<,!cKITCyd=" ascii /* score: '9.00'*/
  63. $s12 = "bgvvvvvvvv" fullword ascii /* score: '8.00'*/
  64. $s13 = "<?xml version="1.0" encoding="UTF-8" standalone="yes"?>" fullword ascii /* score: '7.00'*/
  65. $s14 = " <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">" fullword ascii /* score: '7.00'*/
  66. $s15 = "vDBAE.Resource1.resources" fullword ascii /* score: '7.00'*/
  67. $s16 = "KeywordsmdIPqHvmWUMyDel" fullword ascii /* score: '7.00'*/
  68. $s17 = "Tj%CvD:\Lq" fullword ascii /* score: '7.00'*/
  69. $s18 = "vDBAE.Resource1" fullword wide /* score: '7.00'*/
  70. $s19 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD" fullword ascii /* score: '6.50'*/
  71. $s20 = "PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
  72. condition:
  73. uint16(0) == 0x5a4d and filesize < 2000KB and
  74. 8 of them
  75. }

  /* Super Rules ------------------------------------------------------------- */

  79. rule _INV__No_4902_20200408_pdf_prof_0 {
  80. meta:
  81. description = "Sample - from files INV_ No 4902_20200408_pdf.bin, prof.bin"
  82. author = "yarGen Rule Generator"
  83. reference = "https://github.com/Neo23x0/yarGen"
  84. date = "2020-07-16"
  85. hash1 = "668d6260d3045a7fec6df084c5c6a85842d13991e99210c95e4b2dee7d66dab4"
  86. hash2 = "35725d1a4fe415f08442c86331ba22fe519673f53c8fed4391c0825bf2ff7d62"
  87. strings:
  88. $s1 = "System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934" ascii /* score: '27.00'*/
  89. $s2 = "lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii /* score: '27.00'*/
  90. $s3 = " <requestedExecutionLevel level="asInvoker" uiAccess="false"/>" fullword ascii /* score: '15.00'*/
  91. $s4 = " <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>" fullword ascii /* score: '11.00'*/
  92. $s5 = ".Beds Protector v1.4.1 | Public Version @Github" fullword ascii /* score: '10.00'*/
  93. $s6 = "<?xml version="1.0" encoding="UTF-8" standalone="yes"?>" fullword ascii /* score: '7.00'*/
  94. $s7 = " <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">" fullword ascii /* score: '7.00'*/
  95. $s8 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD" fullword ascii /* score: '6.50'*/
  96. $s9 = "PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
  97. $s10 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
  98. $s11 = "PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
  99. $s12 = "<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">" fullword ascii /* score: '6.00'*/
  100. $s13 = "Reactor" fullword ascii /* score: '6.00'*/
  101. $s14 = " <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">" fullword ascii /* score: '5.00'*/
  102. $s15 = "System.IO.Compression" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.95'*/ /* Goodware String - occured 51 times */
  103. $s16 = "GetDomain" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.87'*/ /* Goodware String - occured 126 times */
  104. $s17 = "MemoryStream" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.58'*/ /* Goodware String - occured 420 times */
  105. $s18 = "EndInvoke" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.08'*/ /* Goodware String - occured 915 times */
  106. $s19 = "BeginInvoke" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.07'*/ /* Goodware String - occured 932 times */
  107. $s20 = "(ky^OQViGat" fullword ascii /* score: '4.00'*/
  108. condition:
  109. ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 8 of them )
  110. ) or ( all of them )
  111. }