Add detection for hex encoded text PEs

References: https://blog.reversinglabs.com/blog/rats-in-the-library https://twitter.com/ItsReallyNick/status/1222985472139579392

Add detection for hex encoded text PEs
References: https://blog.reversinglabs.com/blog/rats-in-the-library https://twitter.com/ItsReallyNick/status/1222985472139579392
6d3fa171 · Malware Utkonos · GitHub · 00994cbf · 6d3fa171
Unverified Commit 6d3fa171 authored Feb 01, 2020 by Malware Utkonos Committed by GitHub Feb 01, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 0 deletions

suspicious_strings.yar utils/suspicious_strings.yar +14 -0

No files found.
--- a/utils/suspicious_strings.yar
+++ b/utils/suspicious_strings.yar
@@ -1324,3 +1324,17 @@ rule BITS_CLSID
    condition:
        any of them
 }
+rule HexEncodedTextPE
+{
+    meta:
+        author = "Malware Utkonos"
+        date = "2020-01-28"
+        reference = "https://blog.reversinglabs.com/blog/rats-in-the-library"
+        description = "Text string with hexadecimal encoded MZ/PE and comma+ separation"
+    strings:
+        $mz = /4D,.{0,6}5A/ nocase
+        $pe = /50,.{0,6}45/
+    condition:
+        all of them
+}