Update Miscelanea.yar

New rule: Base64_encoded_Executable

malware/Miscelanea.yar

@@ -1516,3 +1516,18 @@ rule SmallNet
 	condition:
 		($split1 or $split2) and (all of ($a*))
 }
+rule Base64_encoded_Executable {
+	meta:
+		description = "Detects an base64 encoded executable (often embedded)"
+		author = "Florian Roth"
+		date = "2015-05-28"
+		score = 50
+	strings:
+		$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" // 14 samples in goodware archive
+		$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" // 26 samples in goodware archive
+		$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" // 75 samples in goodware archive
+		$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" // 168 samples in goodware archive
+		$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" // 28,529 samples in goodware archive
+	condition:
+		1 of them
+}