(YARA) YARA_XOR_Hunt
rule XOR_hunt
{
meta:
author = "Thomas Roccia | @fr0gger_"
description = "100DaysOfYara - An attempt to catch malicious/suspicious pe file using xor for some data"
status = "experimental"
strings:
$s1 = "http://" xor
$s2 = "https://" xor
$s3 = "ftp://" xor
$s4 = "This program cannot be run in DOS mode" xor
$s5 = "Mozilla/5.0" xor
$s6 = "cmd /c" xor
$s7 = "-ep bypass" xor
condition:
uint16(0) == 0x5A4D and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| XOR Operation | U0701 E1027.m02 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| mxie.exe | 6 | 2025-11-11 | 14 hours, 49 minutes ago |
| c09065e575639c63ee5e74b4def1...a5454d3a98302478f7840338.exe | 8 | 2025-11-05 | 1 week ago |
| ACTk.Runtime.dll | 7 | 2025-11-03 | 1 week, 2 days ago |
| steamcmd.exe | 5 | 2025-11-02 | 1 week, 2 days ago |
| frostygoop.exe | 7 | 2025-10-24 | 2 weeks, 4 days ago |
| Lightshot.exe | 10 | 2025-10-24 | 2 weeks, 4 days ago |
| download.exe | 5 | 2025-10-23 | 2 weeks, 5 days ago |
| Scalper_Telegram@Val1312q.dll | 8 | 2025-10-21 | 3 weeks, 1 day ago |
| NinzaCoUnlocker.dll | 1 | 2025-10-21 | 3 weeks, 1 day ago |
| cat.exe | 3 | 2025-10-20 | 3 weeks, 1 day ago |
Created
January 4, 2024
Last Revised
January 4, 2024