FirehaK

YARA Example Hex Rule

Jul 31st, 2020 (edited)
import "pe"

rule Echelon : echelon stealer dotnet
{
    meta:
        author = "Stephan Simon <stephan.simon@binarydefense.com>"
        date = "2020-07-30"
        description = "An example YARA rule for learning how to use code-based hexadecimal rules"
        modified = "2020-07-30"
        hash = "b52d4177277851b95c5cdf08bf2e3261c7ac80af449da00741c83bcf6c181d67"
        tlp = "WHITE"

    strings:
        // Two CIL code fragments from the main routine; [4] skips a 4-byte metadata token
        $main_1 = { 00 7E [4] 72 [4] 7E [4] 28 [4] 28 [4] 0B 07 2C }
        $main_2 = { 00 7E [4] 72 [4] 7E [4] 28 [4] 28 [4] 7E [4] 6F [4] 16 FE 01 0C 08 2C }
        // Static-field initialisation; the alternation allows either a short ldc.i4.* (1?) or a ldc.i4 with a 4-byte operand
        $configuration = { 72 [4] 80 [4] 72 [4] 80 [4] 72 [4] 80 [4] 20 [4] 80 [4] (1? | 20 ?? ?? ?? ??) 8D [4] 25 16 72 [4] A2 }

    condition:
        uint16(0) == 0x5a4d
        and filesize <= 1MB
        and pe.imports("mscoree.dll")
        and (
            $configuration
            or 2 of ($main_*)
        )
}
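To see what the `[4]` jumps, `??` byte wildcards, `1?` nibble wildcard and `( a | b )` alternation in the hex strings above actually match, here is an added, simplified re-implementation of that hex-string syntax in Python. It is not part of the paste and not YARA's own matcher (which handles far more); the rule's three hex strings are copied verbatim, while `TOK`, the sample byte sequences and the `config_bytes` helper are constructed placeholders standing in for real CIL, so the block runs offline without yara-python.

```python
"""Toy YARA hex-string matcher (added illustration, not YARA itself)."""
import re
from typing import Optional

# Hex strings copied verbatim from the Echelon rule.
RULE_STRINGS = {
    "$main_1": "{ 00 7E [4] 72 [4] 7E [4] 28 [4] 28 [4] 0B 07 2C }",
    "$main_2": "{ 00 7E [4] 72 [4] 7E [4] 28 [4] 28 [4] 7E [4] 6F [4] 16 FE 01 0C 08 2C }",
    "$configuration": "{ 72 [4] 80 [4] 72 [4] 80 [4] 72 [4] 80 [4] 20 [4] 80 [4] "
                      "(1? | 20 ?? ?? ?? ??) 8D [4] 25 16 72 [4] A2 }",
}

# Tokens: [n] / [n-m] jumps, grouping and alternation, or a two-character byte/nibble token.
_TOKEN = re.compile(r"\[\d+(?:-\d+)?\]|[()|]|[0-9A-Fa-f?]{2}")


def compile_hex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into an equivalent bytes regex (subset of the syntax)."""
    body = pattern.strip().strip("{}")
    parts = []
    for tok in _TOKEN.findall(body):
        if tok == "(":
            parts.append("(?:")
        elif tok in (")", "|"):
            parts.append(tok)
        elif tok.startswith("["):           # jump: [4] -> exactly 4 bytes, [2-6] -> 2..6 bytes
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(".{%s,%s}" % (lo, hi or lo))
        elif tok == "??":                   # any single byte
            parts.append(".")
        elif "?" in tok:                    # nibble wildcard: 1? means 0x10..0x1F
            vals = [int(tok.replace("?", h), 16) for h in "0123456789abcdef"]
            parts.append("[" + "".join(r"\x%02x" % v for v in vals) + "]")
        else:                               # literal byte
            parts.append(r"\x%02x" % int(tok, 16))
    # DOTALL so '.' also matches 0x0A, which is a perfectly ordinary byte in code.
    return re.compile("".join(parts).encode("ascii"), re.DOTALL)


def hex_search(pattern: str, data: bytes) -> Optional[int]:
    """Offset of the first match of a hex string in data, or None."""
    m = compile_hex(pattern).search(data)
    return m.start() if m else None


def strings_condition(data: bytes) -> bool:
    """The string half of the rule's condition: $configuration or 2 of ($main_*).
    The MZ / filesize / pe.imports checks need a real PE and are left out here."""
    if hex_search(RULE_STRINGS["$configuration"], data) is not None:
        return True
    mains = [n for n in RULE_STRINGS if n.startswith("$main_")]
    return sum(hex_search(RULE_STRINGS[n], data) is not None for n in mains) >= 2


# --- constructed sample bytes (placeholders, not bytes from the real sample) ---
TOK = b"\x01\x00\x00\x0a"   # stands in for a 4-byte metadata token consumed by each [4]
MAIN_1_BYTES = (b"\x00\x7e" + TOK + b"\x72" + TOK + b"\x7e" + TOK + b"\x28" + TOK
                + b"\x28" + TOK + b"\x0b\x07\x2c")
MAIN_2_BYTES = (b"\x00\x7e" + TOK + b"\x72" + TOK + b"\x7e" + TOK + b"\x28" + TOK
                + b"\x28" + TOK + b"\x7e" + TOK + b"\x6f" + TOK + b"\x16\xfe\x01\x0c\x08\x2c")
SAMPLE_BOTH_MAINS = b"\x2a" * 8 + MAIN_1_BYTES + b"\x2a" + MAIN_2_BYTES


def config_bytes(middle: bytes) -> bytes:
    """Build a $configuration-shaped sequence with `middle` in the alternation slot."""
    return ((b"\x72" + TOK + b"\x80" + TOK) * 3 + b"\x20" + TOK + b"\x80" + TOK
            + middle + b"\x8d" + TOK + b"\x25\x16\x72" + TOK + b"\xa2")


if __name__ == "__main__":
    for name, pat in RULE_STRINGS.items():
        print(name, "->", hex_search(pat, SAMPLE_BOTH_MAINS))
    print("short ldc.i4.1 form  :", hex_search(RULE_STRINGS["$configuration"], config_bytes(b"\x17")))
    print("ldc.i4 <int32> form  :", hex_search(RULE_STRINGS["$configuration"],
                                               config_bytes(b"\x20\x05\x00\x00\x00")))
    print("neither form (0x21)  :", hex_search(RULE_STRINGS["$configuration"], config_bytes(b"\x21")))
    print("condition (two mains):", strings_condition(SAMPLE_BOTH_MAINS))
    print("condition (one main) :", strings_condition(MAIN_1_BYTES))
```

The point of the alternation in `$configuration` is visible in the last three checks: a one-byte `ldc.i4.*` shortcut (any `0x1?` opcode) and the five-byte `ldc.i4 <int32>` form both satisfy the string, while a byte outside both branches does not, so the rule tolerates the compiler picking either encoding for the constant. The condition check also shows why `2 of ($main_*)` matters: a single fragment is not enough on its own.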