(YARA) YARA_XOR_Hunt

Download Raw

rule XOR_hunt
{
  meta:
    author = "Thomas Roccia | @fr0gger_"
    description = "100DaysOfYara - An attempt to catch malicious/suspicious pe file using xor for some data"
    status = "experimental"

  strings:
    $s1 = "http://" xor
    $s2 = "https://" xor
    $s3 = "ftp://" xor
    $s4 = "This program cannot be run in DOS mode" xor
    $s5 = "Mozilla/5.0" xor
    $s6 = "cmd /c" xor
    $s7 = "-ep bypass" xor

  condition:
     uint16(0) == 0x5A4D and any of them
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
XOR Operation U0701 E1027.m02

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
test.exe 7 2025-06-20 15 hours, 57 minutes ago
ArtifactDLL.x64.dll 5 2025-06-20 1 day ago
Artifact.exe 5 2025-06-20 1 day ago
Bootstrapper_v2,23.exe 3 2025-06-19 1 day, 11 hours ago
AmazingService.exe 4 2025-06-19 2 days, 3 hours ago
aTikTok.exe 4 2025-06-15 5 days, 22 hours ago
SEZCheat.exe 4 2025-06-15 5 days, 22 hours ago
LockApp.exe 4 2025-06-14 6 days, 19 hours ago
DellDockFirmwarePackage_WD19_WD22_Series_HD22_01.00.31.exe 6 2025-06-12 1 week, 1 day ago
wireguard-installer.exe 7 2025-06-12 1 week, 1 day ago
View All

Created

January 4, 2024

Last Revised

January 4, 2024