(YARA) Detect XOR Encoded Malicious Patterns

Download Raw

rule XOR_hunt
{
  meta:
    author = "Thomas Roccia | @fr0gger_"
    description = "100DaysOfYara - An attempt to catch malicious/suspicious pe file using xor for some data"
    status = "experimental"

  strings:
    $s1 = "http://" xor
    $s2 = "https://" xor
    $s3 = "ftp://" xor
    $s4 = "This program cannot be run in DOS mode" xor
    $s5 = "Mozilla/5.0" xor
    $s6 = "cmd /c" xor
    $s7 = "-ep bypass" xor

  condition:
     uint16(0) == 0x5A4D and any of them
}

Associated Techniques

Technique Name Technique ID's Categories Snippet(s)
XOR Operation U0701 E1027.m02

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
888225.exe 4 2026-07-06 11 hours, 4 minutes ago
prestige.dll 8 2026-07-01 5 days ago
2m96.exe 6 2026-06-30 5 days, 20 hours ago
XerinFuscator G3.exe 4 2026-06-30 6 days, 2 hours ago
agent_FUD.exe 2 2026-06-29 6 days, 18 hours ago
30fb52e4bd3c4866a7b6ccedcfa7...3440ca022986a6781af669272639 8 2026-06-25 1 week, 4 days ago
KincoBuilderV85En.exe 4 2026-06-24 1 week, 5 days ago
OlkimollySurvival.dll 4 2026-06-18 2 weeks, 4 days ago
pdf2wmf.exe 2 2026-06-16 2 weeks, 6 days ago
Trickster.exe 3 2026-05-31 1 month ago
View All

Created

January 4, 2024

Last Revised

March 27, 2026