(YARA) YARA_XOR_Hunt
rule XOR_hunt
{
meta:
author = "Thomas Roccia | @fr0gger_"
description = "100DaysOfYara - An attempt to catch malicious/suspicious pe file using xor for some data"
status = "experimental"
strings:
$s1 = "http://" xor
$s2 = "https://" xor
$s3 = "ftp://" xor
$s4 = "This program cannot be run in DOS mode" xor
$s5 = "Mozilla/5.0" xor
$s6 = "cmd /c" xor
$s7 = "-ep bypass" xor
condition:
uint16(0) == 0x5A4D and any of them
}
Associated Techniques
Technique Name | Technique ID's | Snippet(s) | OS |
---|---|---|---|
XOR Operation | U0701 E1027.m02 |
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
nonagon_staff.exe | 1 | 2025-09-05 | 8 hours, 58 minutes ago |
VNC-Viewer-7.15.0-Windows-64bit.exe | 5 | 2025-09-04 | 1 day, 10 hours ago |
pack.dll | 5 | 2025-09-03 | 2 days, 5 hours ago |
DelphinDesktop.dll | 9 | 2025-08-31 | 5 days, 6 hours ago |
avbox.exe | 9 | 2025-08-31 | 5 days, 18 hours ago |
xor.exe | 6 | 2025-08-30 | 6 days, 1 hour ago |
Apple Music Installer.exe | 4 | 2025-08-27 | 1 week, 2 days ago |
cert_upx2.exe | 1 | 2025-08-26 | 1 week, 2 days ago |
LINTools.exe | 4 | 2025-08-26 | 1 week, 3 days ago |
OnlineFix64.dll | 1 | 2025-08-24 | 1 week, 5 days ago |
Created
January 4, 2024
Last Revised
January 4, 2024