(YARA) YARA_TrueCrypt_crypter
Created the . Updated 9 months, 3 weeks ago.
rule TrueCrypt_crypter {
meta:
author = "RussianPanda"
description = "Detects TrueCrypt crypter"
date = "1/6/2024"
hash = "167637397fb45ea19bafcf208d8f27dceec82caa7ab19d40ecdb08eb1b7d4f60"
strings:
$s1_crpt1 = {77 69 6E 65 5F 67 65 74}
$s2_crpt1 = {49 3B 66 10 76}
$s2_crpt2 = {3B 55 48 89 E5 48 83 EC 10 90 8B 0D [22] E8 [3] FF}
$s3_crpt1 = {49 3B 66 10 76 43}
$s3_crpt2 = {55 48 89 E5 48 83 EC 10 [5] E8 [4] 48 85 FF 75 18}
$s4_crpt1 = {40 C0 EE 04 [16] 48 83}
$s4_crpt2 = {FA 20 [0-22] 48 83 FE 20}
$a_crpt = {61 2E 6F 75 74 2E 65 78 65 00 5F 63 67}
$s_crpt = {6F 5F 64 75 6D 6D 79 5F 65 78 70 6F 72 74}
condition:
uint16(0) == 0x5A4D
and $s1_crpt1
and $s2_crpt1 and $s2_crpt2
and $s3_crpt1 and $s3_crpt2
and $s4_crpt1 and $s4_crpt2
and $a_crpt and $s_crpt
and filesize < 7MB
}