API tools faq
paste
Advertisement
FirehaK

YARA Example Hex Rule

FirehaK
Jul 31st, 2020 (edited)
1,518
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 0.86 KB | None | 0 0
raw download clone embed print report
  1. import "pe"
  2.  
  3. rule Echelon : echelon stealer dotnet
  4. {
  5. meta:
  6. author = "Stephan Simon <[email protected]>"
  7. date = "2020-07-30"
  8. description = "An example YARA rule for learning how to use code-based hexadecimal rules"
  9. modified = "2020-07-30"
  10. hash = "b52d4177277851b95c5cdf08bf2e3261c7ac80af449da00741c83bcf6c181d67"
  11. tlp = "WHITE"
  12. strings:
  13. $main_1 = { 00 7E [4] 72 [4] 7E [4] 28 [4] 28 [4] 0B 07 2C }
  14. $main_2 = { 00 7E [4] 72 [4] 7E [4] 28 [4] 28 [4] 7E [4] 6F [4] 16 FE 01 0C 08 2C }
  15. $configuration = { 72 [4] 80 [4] 72 [4] 80 [4] 72 [4] 80 [4] 20 [4] 80 [4] (1? | 20 ?? ?? ?? ??) 8D [4] 25 16 72 [4] A2 }
  16. condition:
  17. uint16(0) == 0x5a4d
  18. and filesize <= 1MB
  19. and pe.imports("mscoree.dll")
  20. and (
  21. $configuration
  22. or 2 of ($main_*)
  23. )
  24. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!