/*
   YARA Rule Set
   Author: yarGen Rule Generator
   Date: 2020-07-16
   Identifier: Sample
   Reference: https://github.com/Neo23x0/yarGen
*/

/* Rule Set ----------------------------------------------------------------- */
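rule INV__No_4902_20200408_pdf {
   /*
    * yarGen output for the sample listed in hash1.
    * The pasted text had lost one level of escaping: bare `"` and `\` inside
    * string literals do not compile in YARA. `\"` and `\\` are restored below on
    * the assumption that yarGen escaped every inner quote and backslash —
    * verify against the original generator output before deploying.
    * The duplicate of $s8 (formerly $s9, byte-identical) was dropped: identical
    * patterns always match together and would double-count toward `8 of them`.
    */
   meta:
      description = "Sample - file INV_ No 4902_20200408_pdf.bin"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2020-07-16"
      hash1 = "668d6260d3045a7fec6df084c5c6a85842d13991e99210c95e4b2dee7d66dab4"
   strings:
      // Generic .NET runtime references; present in most managed binaries, so
      // they carry little family-specific signal on their own.
      $s1 = "System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934" ascii /* score: '27.00'*/
      $s2 = "lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii /* score: '27.00'*/
      $s3 = "WinX.exe" fullword wide /* score: '22.00'*/
      $s4 = "2.1.1.1" fullword wide /* reversed goodware string '1.1.1.2' */ /* score: '16.00'*/
      // Application-manifest fragments; generic, see note on FP risk below.
      $s5 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii /* score: '15.00'*/
      $s6 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii /* score: '11.00'*/
      // Packer banner: this string identifies the protector, not the payload,
      // so any binary wrapped with the same protector will hit it.
      $s7 = ".Beds Protector v1.4.1 | Public Version @Github" fullword ascii /* score: '10.00'*/
      $s8 = "}@l7Z<5!VYoAApF'2!!{s]f*w9#YO}yb's[ozE#Yd|9J$01!WLQ#DtET\\e|}Lk3(!YYU0D<<lB\"! [E:D z%_!M|_=L-vJi7~ \\tpr;lH#;/!VMTVCs9[@N \\KMUCh<" ascii /* score: '9.00'*/
      $s10 = "ZfTPpix" fullword ascii /* score: '9.00'*/
      $s11 = "NXg9a>*2j8Ka1'!QSCUCtMf6)!^MA%Dx?$/M ]qn@;KV61!}n3C-<9V[D}mDX/%!]u+D;l;Y6&!XFI*Dnbo23jw4UA,!OXO0DlL'@&!RQF8D;Ed,3!XLG%Dpbt*5j~I" ascii /* score: '9.00'*/
      $s12 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" fullword ascii /* score: '7.00'*/
      $s13 = "FrameworkDisplayNamejiHEBnfhUIMyDel" fullword ascii /* score: '7.00'*/
      $s14 = "WCU5.lov!" fullword ascii /* score: '7.00'*/
      $s15 = "jqUIC.Resource1.resources" fullword ascii /* score: '7.00'*/
      $s16 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii /* score: '7.00'*/
      $s17 = "jqUIC.Resource1" fullword wide /* score: '7.00'*/
      // Repeated PADDING blocks; these look like protector filler rather than
      // sample-specific content — TODO confirm against a goodware corpus.
      $s18 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD" fullword ascii /* score: '6.50'*/
      $s19 = "PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
      $s20 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
   condition:
      // 0x5a4d is the little-endian "MZ" DOS header; size cap keeps the
      // string scan off large files.
      uint16(0) == 0x5a4d and filesize < 2000KB and
      8 of them
}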
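rule Sample_prof {
   /*
    * yarGen output for the sample listed in hash1.
    * The pasted text had lost one level of escaping: bare `"` and `\` inside
    * string literals do not compile in YARA. `\"` and `\\` are restored below on
    * the assumption that yarGen escaped every inner quote and backslash —
    * verify against the original generator output before deploying.
    * $s6 appeared three times (formerly also $s7 and $s11, byte-identical);
    * the copies were dropped because identical patterns always match together
    * and would count three times toward `8 of them`.
    */
   meta:
      description = "Sample - file prof.bin"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2020-07-16"
      hash1 = "35725d1a4fe415f08442c86331ba22fe519673f53c8fed4391c0825bf2ff7d62"
   strings:
      // Generic .NET runtime references; present in most managed binaries.
      $s1 = "System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934" ascii /* score: '27.00'*/
      $s2 = "lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii /* score: '27.00'*/
      $s3 = "WinX.exe" fullword wide /* score: '22.00'*/
      $s4 = "2.1.1.1" fullword wide /* reversed goodware string '1.1.1.2' */ /* score: '16.00'*/
      // Application-manifest fragment; generic.
      $s5 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii /* score: '15.00'*/
      $s6 = "}@l7_DI Z\\oDA8KUC1!UDX3D\"/{\",^{m?f,i5j2!!!EH(DiA%6-!]]A(D\"\"gH@[[WB1D|H$\\9}hEi5~ WDqk@\"+6wE[|cb *}f~zMgmHc]O}kep/0j7JV<,!cKITCyd=" ascii /* score: '14.00'*/
      $s8 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii /* score: '11.00'*/
      // Packer banner: identifies the protector, not the payload, so other
      // binaries wrapped with the same protector will hit it.
      $s9 = ".Beds Protector v1.4.1 | Public Version @Github" fullword ascii /* score: '10.00'*/
      $s10 = "J|fq;VZ:}88h[J}~=d6'!WGS%Dne|&^i\"+6|4[QLVVC9BYZO}ob!sqo<?j1I Rs[(<h7i:#!PSO#Di7l;1!XFL)DiCd15!`vg*<nEm</!}r@L-~e= Fj!~8egMSPY<Dn" ascii /* score: '9.00'*/
      $s12 = "bgvvvvvvvv" fullword ascii /* score: '8.00'*/
      $s13 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" fullword ascii /* score: '7.00'*/
      $s14 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii /* score: '7.00'*/
      $s15 = "vDBAE.Resource1.resources" fullword ascii /* score: '7.00'*/
      $s16 = "KeywordsmdIPqHvmWUMyDel" fullword ascii /* score: '7.00'*/
      $s17 = "Tj%CvD:\\Lq" fullword ascii /* score: '7.00'*/
      $s18 = "vDBAE.Resource1" fullword wide /* score: '7.00'*/
      // Repeated PADDING blocks; likely protector filler — TODO confirm
      // against a goodware corpus.
      $s19 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD" fullword ascii /* score: '6.50'*/
      $s20 = "PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
   condition:
      // 0x5a4d is the little-endian "MZ" DOS header; size cap keeps the
      // string scan off large files.
      uint16(0) == 0x5a4d and filesize < 2000KB and
      8 of them
}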
/* Super Rules ------------------------------------------------------------- */
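rule _INV__No_4902_20200408_pdf_prof_0 {
   /*
    * yarGen "super rule": strings shared by both samples (hash1, hash2).
    * The pasted text had lost one level of escaping: bare `"` inside string
    * literals does not compile in YARA. `\"` is restored below on the
    * assumption that yarGen escaped every inner quote — verify against the
    * original generator output before deploying.
    * The duplicate of $s9 (formerly $s11, byte-identical) was dropped: identical
    * patterns always match together and would double-count toward `8 of them`.
    * Note that nearly every string here is a .NET runtime name, a manifest
    * fragment, a protector banner or protector padding, and $s15-$s19 are
    * flagged by yarGen itself as goodware strings — expect hits on unrelated
    * binaries built or protected the same way; tune against a goodware set.
    */
   meta:
      description = "Sample - from files INV_ No 4902_20200408_pdf.bin, prof.bin"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2020-07-16"
      hash1 = "668d6260d3045a7fec6df084c5c6a85842d13991e99210c95e4b2dee7d66dab4"
      hash2 = "35725d1a4fe415f08442c86331ba22fe519673f53c8fed4391c0825bf2ff7d62"
   strings:
      $s1 = "System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934" ascii /* score: '27.00'*/
      $s2 = "lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii /* score: '27.00'*/
      $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii /* score: '15.00'*/
      $s4 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii /* score: '11.00'*/
      // Packer banner: identifies the protector, not the payload.
      $s5 = ".Beds Protector v1.4.1 | Public Version @Github" fullword ascii /* score: '10.00'*/
      $s6 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" fullword ascii /* score: '7.00'*/
      $s7 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii /* score: '7.00'*/
      // $s8 and $s10 differ only in length and the fullword modifier, so they
      // will usually match together; kept as generated.
      $s8 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD" fullword ascii /* score: '6.50'*/
      $s9 = "PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
      $s10 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii /* score: '6.50'*/
      $s12 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">" fullword ascii /* score: '6.00'*/
      $s13 = "Reactor" fullword ascii /* score: '6.00'*/
      $s14 = " <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii /* score: '5.00'*/
      // Goodware-frequent strings per yarGen's own annotation.
      $s15 = "System.IO.Compression" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.95'*/ /* Goodware String - occured 51 times */
      $s16 = "GetDomain" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.87'*/ /* Goodware String - occured 126 times */
      $s17 = "MemoryStream" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.58'*/ /* Goodware String - occured 420 times */
      $s18 = "EndInvoke" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.08'*/ /* Goodware String - occured 915 times */
      $s19 = "BeginInvoke" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.07'*/ /* Goodware String - occured 932 times */
      $s20 = "(ky^OQViGat" fullword ascii /* score: '4.00'*/
   condition:
      // Either a PE under the size cap with 8 hits, or any file with every
      // string present; 0x5a4d is the little-endian "MZ" DOS header.
      ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 8 of them )
      ) or ( all of them )
}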