Merge pull request #371 from utkonos/patch-1

Add detection for hex encoded text PEs

utils/suspicious_strings.yar

@@ -1324,3 +1324,17 @@ rule BITS_CLSID
     condition:
         any of them
 }
+
+rule HexEncodedTextPE
+{
+    meta:
+        author = "Malware Utkonos"
+        date = "2020-01-28"
+        reference = "https://blog.reversinglabs.com/blog/rats-in-the-library"
+        description = "Text string with hexadecimal encoded MZ/PE and comma+ separation"
+    strings:
+        $mz = /4D,.{0,6}5A/ nocase
+        $pe = /50,.{0,6}45/
+    condition:
+        all of them
+}