(YARA) YARA_mac_detection

Download Raw

rule UNPROTECT_VM_Evasion_MACAddrComb {
    meta:
        author = "ditekSHen"
        description = "Detects executables referencing virtualization MAC addresses"
    strings:
        $s1 = "00:03:FF" ascii wide nocase
        $s2 = "00:05:69" ascii wide nocase
        $s3 = "00:0C:29" ascii wide nocase
        $s4 = "00:16:3E" ascii wide nocase
        $s5 = "00:1C:14" ascii wide nocase
        $s6 = "00:1C:42" ascii wide nocase
        $s7 = "00:50:56" ascii wide nocase
        $s8 = "08:00:27" ascii wide nocase
    condition:
         uint16(0) == 0x5a4d and 3 of them
}

Associated Techniques

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
al-khaser.exe 24 2024-11-13 1 month, 1 week ago
Pafish 0.6.exe 10 2024-11-13 1 month, 1 week ago
View All

Created

June 20, 2022

Last Revised

June 20, 2022