(YARA) YARA_NixImports_Loader2
rule MAL_NET_NixImports_Loader_Jan24 {
    meta:
        description = "Detects open-source NixImports .NET malware loader. A stealthy loader using dynamic import resolving to evade static detection"
        author = "Jonathan Peters"
        date = "2024-01-12"
        reference = "https://github.com/dr4k0nia/NixImports/tree/master"
        hash = "dd3f22871879b0bc4990c96d1de957848c7ed0714635bb036c73d8a989fb0b39"
        score = 80
    strings:
        $op1 = { 1F 0A 64 06 1F 11 62 60 } // Hash algorithm
        $op2 = { 03 20 4D 5A 90 00 94 4B 2A } // Magic
        $op3 = { 20 DE 7A 1F F3 20 F7 1B 18 BC } // Hardcoded function hashes
        $op4 = { 20 CE 1F BE 70 20 DF 1F 3E F8 14 } // Hardcoded function hashes
        $sa1 = "OffsetToStringData" ascii
        $sa2 = "GetRuntimeMethods" ascii
        $sa3 = "netstandard" ascii
    condition:
        uint16(0) == 0x5a4d and
        all of ($sa*) and
        2 of ($op*)
}
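The rule's strings and condition, re-implemented in Python as an added example (not code from the Unprotect page or the NixImports project) so the thresholds can be unit-tested against constructed buffers without a YARA install. The four `$op*` patterns contain no wildcards or jumps, so plain substring search reproduces YARA's matching for them; the test buffers built by `build_sample` are constructed for this example and are not real samples.

```python
"""Added example, not from the Unprotect page or the NixImports project: a pure-Python
re-implementation of MAL_NET_NixImports_Loader_Jan24's strings and condition, so the
rule's thresholds can be unit-tested against constructed buffers without a YARA install.
The sample buffers built here are constructed for the example; they are not real samples."""
from __future__ import annotations

# Hex patterns copied from the rule's $op* strings. None of them use wildcards or
# jumps, so a plain substring search reproduces YARA's matching for them.
OP_PATTERNS: dict[str, bytes] = {
    "op1": bytes.fromhex("1F 0A 64 06 1F 11 62 60"),           # hash algorithm
    "op2": bytes.fromhex("03 20 4D 5A 90 00 94 4B 2A"),        # magic
    "op3": bytes.fromhex("20 DE 7A 1F F3 20 F7 1B 18 BC"),     # hardcoded function hashes
    "op4": bytes.fromhex("20 CE 1F BE 70 20 DF 1F 3E F8 14"),  # hardcoded function hashes
}

# The rule's $sa* strings (ascii modifier only, so matching is case-sensitive).
ASCII_STRINGS: dict[str, bytes] = {
    "sa1": b"OffsetToStringData",
    "sa2": b"GetRuntimeMethods",
    "sa3": b"netstandard",
}


def string_hits(data: bytes) -> dict[str, bool]:
    """Return which of the rule's string identifiers occur anywhere in `data`."""
    hits = {name: pat in data for name, pat in OP_PATTERNS.items()}
    hits.update({name: s in data for name, s in ASCII_STRINGS.items()})
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition:
       uint16(0) == 0x5a4d and all of ($sa*) and 2 of ($op*)"""
    # uint16(0) reads a little-endian 16-bit value at offset 0; 0x5a4d is "MZ".
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    hits = string_hits(data)
    all_sa = all(hits[name] for name in ASCII_STRINGS)
    op_count = sum(hits[name] for name in OP_PATTERNS)
    return all_sa and op_count >= 2


def build_sample(op_names: list[str], sa_names: list[str], mz: bool = True) -> bytes:
    """Constructed test buffer: an MZ (or non-MZ) header, filler, then the chosen
    strings separated by padding. Not a real PE and not derived from any sample."""
    parts = [b"MZ" if mz else b"\x7fELF", b"\x00" * 64]
    for name in op_names:
        parts += [OP_PATTERNS[name], b"\x90" * 8]
    for name in sa_names:
        parts += [ASCII_STRINGS[name], b"\x00" * 4]
    return b"".join(parts)


def evaluate_cases() -> dict[str, bool]:
    """Run the rule over a few constructed buffers; returns case name -> match result."""
    all_sa = list(ASCII_STRINGS)
    return {
        # enough evidence on both axes: should fire
        "two_ops_all_strings": rule_matches(build_sample(["op1", "op3"], all_sa)),
        # only op1 and op2 present (e.g. if the hash constants differed): still 2 of 4
        "op1_op2_all_strings": rule_matches(build_sample(["op1", "op2"], all_sa)),
        # only one opcode pattern: below the "2 of ($op*)" threshold
        "one_op_all_strings": rule_matches(build_sample(["op1"], all_sa)),
        # a reflection string missing: "all of ($sa*)" fails
        "two_ops_missing_sa2": rule_matches(build_sample(["op1", "op3"], ["sa1", "sa3"])),
        # everything present but not an MZ file: the header check fails first
        "not_mz": rule_matches(build_sample(["op1", "op3"], all_sa, mz=False)),
    }


if __name__ == "__main__":
    for case, matched in evaluate_cases().items():
        print(f"{case:24s} -> {'MATCH' if matched else 'no match'}")
```

Running the script prints one line per case; the two positive buffers match and the three negatives do not, which is the behaviour the rule's `all of ($sa*)` / `2 of ($op*)` split is meant to give: every reflection string is required, while any two of the four opcode sequences suffice.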
Associated Techniques

Technique Name | Technique IDs | Snippet(s) | OS |
---|---|---|---|
NixImports | U1434 | | |
Created: January 14, 2024
Last Revised: January 14, 2024