(YARA) YARA_OBF_NET_ConfuserEx
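rule SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 {
    meta:
        description = "Detects Naming Pattern used by ConfuserEx. ConfuserEx is a widely used open source obfuscator often found in malware"
        author = "Jonathan Peters"
        date = "2024-01-03"
        reference = "https://github.com/yck1509/ConfuserEx/tree/master"
        hash = "2f67f590cabb9c79257d27b578d8bf9d1a278afa96b205ad2b4704e7b9a87ca7"
        score = 60
    strings:
        // Generic .NET / CLR markers. The condition requires any two of $s1-$s5,
        // so $name_pattern alone cannot fire on arbitrary non-.NET data.
        $s1 = "mscoree.dll" ascii
        $s2 = "mscorlib" ascii
        // Core library of .NET Core / .NET 5+. The assembly is named
        // "System.Private.CoreLib"; the previous spelling "System.Private.Corlib"
        // (missing the 'e') does not match that name byte-for-byte (the string is
        // case-sensitive ascii), so $s3 never contributed on .NET Core targets.
        $s3 = "System.Private.CoreLib" ascii
        // "#Strings" heap name from the CLI metadata root.
        $s4 = "#Strings" ascii
        // ASCII "_Cor" + 3 arbitrary bytes + "Main": matches _CorExeMain and _CorDllMain.
        $s5 = { 5F 43 6F 72 [3] 4D 61 69 6E }
        // A run of UTF-8 encoded 3-byte code points whose lead byte is E2:
        //   E2 80 8?  -> U+2000..U+200F (en quad .. RLM; includes zero-width space/joiners)
        //   E2 81 AA  -> U+206A INHIBIT SYMMETRIC SWAPPING
        //   E2 [2]    -> lead byte E2 followed by any two bytes (not restricted to
        //                continuation bytes, so this is deliberately loose)
        //   E2 80 AE  -> U+202E RIGHT-TO-LEFT OVERRIDE terminating the sequence
        // Each match is one identifier composed entirely of invisible/format characters.
        $name_pattern = { E2 ( 80 8? | 81 AA ) E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 80 AE}
    condition:
        // MZ header: restricts the rule to PE files.
        uint16(0) == 0x5a4d
        and 2 of ($s*)
        // #name_pattern is the number of matches, i.e. more than five such
        // identifiers must occur; it does not require them to be distinct.
        and #name_pattern > 5
}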
Associated Techniques
Technique Name | Technique IDs | Snippet(s) | OS |
---|---|---|---|
ConfuserEx | U1417 |
Created
January 4, 2024
Last Revised
January 4, 2024