(YARA) YARA_XOR_Hunt
rule XOR_hunt
{
meta:
author = "Thomas Roccia | @fr0gger_"
description = "100DaysOfYara - An attempt to catch malicious/suspicious pe file using xor for some data"
status = "experimental"
strings:
$s1 = "http://" xor
$s2 = "https://" xor
$s3 = "ftp://" xor
$s4 = "This program cannot be run in DOS mode" xor
$s5 = "Mozilla/5.0" xor
$s6 = "cmd /c" xor
$s7 = "-ep bypass" xor
condition:
uint16(0) == 0x5A4D and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| XOR Operation | U0701 E1027.m02 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| aTikTok.exe | 4 | 2025-06-15 | 21 hours, 6 minutes ago |
| SEZCheat.exe | 4 | 2025-06-15 | 21 hours, 10 minutes ago |
| LockApp.exe | 4 | 2025-06-14 | 1 day, 18 hours ago |
| DellDockFirmwarePackage_WD19_WD22_Series_HD22_01.00.31.exe | 6 | 2025-06-12 | 3 days, 20 hours ago |
| wireguard-installer.exe | 7 | 2025-06-12 | 3 days, 20 hours ago |
| 131da83b521f610819141d5c7403...abb22ef504a7593955a65f07.exe | 9 | 2025-06-12 | 3 days, 22 hours ago |
| MSBuild.exe | 10 | 2024-11-15 | 4 days, 3 hours ago |
| main.exe | 4 | 2025-06-10 | 6 days, 1 hour ago |
| RuntimeBroker.exe | 11 | 2025-06-05 | 1 week, 3 days ago |
| ExileCore2.dll | 4 | 2025-06-03 | 1 week, 6 days ago |
Created
January 4, 2024
Last Revised
January 4, 2024