(YARA) Detect XOR Encoded Malicious Patterns
rule XOR_hunt
{
meta:
author = "Thomas Roccia | @fr0gger_"
description = "100DaysOfYara - An attempt to catch malicious/suspicious pe file using xor for some data"
status = "experimental"
strings:
$s1 = "http://" xor
$s2 = "https://" xor
$s3 = "ftp://" xor
$s4 = "This program cannot be run in DOS mode" xor
$s5 = "Mozilla/5.0" xor
$s6 = "cmd /c" xor
$s7 = "-ep bypass" xor
condition:
uint16(0) == 0x5A4D and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Categories | Snippet(s) |
|---|---|---|---|
| XOR Operation | U0701 E1027.m02 |
|
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| 888225.exe | 4 | 2026-07-06 | 11 hours, 4 minutes ago |
| prestige.dll | 8 | 2026-07-01 | 5 days ago |
| 2m96.exe | 6 | 2026-06-30 | 5 days, 20 hours ago |
| XerinFuscator G3.exe | 4 | 2026-06-30 | 6 days, 2 hours ago |
| agent_FUD.exe | 2 | 2026-06-29 | 6 days, 18 hours ago |
| 30fb52e4bd3c4866a7b6ccedcfa7...3440ca022986a6781af669272639 | 8 | 2026-06-25 | 1 week, 4 days ago |
| KincoBuilderV85En.exe | 4 | 2026-06-24 | 1 week, 5 days ago |
| OlkimollySurvival.dll | 4 | 2026-06-18 | 2 weeks, 4 days ago |
| pdf2wmf.exe | 2 | 2026-06-16 | 2 weeks, 6 days ago |
| Trickster.exe | 3 | 2026-05-31 | 1 month ago |
Created
January 4, 2024
Last Revised
March 27, 2026