(YARA) YARA_XOR_Hunt

Download Raw 

rule XOR_hunt
{
  meta:
    author = "Thomas Roccia | @fr0gger_"
    description = "100DaysOfYara - An attempt to catch malicious/suspicious pe file using xor for some data"
    status = "experimental"

  strings:
    $s1 = "http://" xor
    $s2 = "https://" xor
    $s3 = "ftp://" xor
    $s4 = "This program cannot be run in DOS mode" xor
    $s5 = "Mozilla/5.0" xor
    $s6 = "cmd /c" xor
    $s7 = "-ep bypass" xor

  condition:
     uint16(0) == 0x5A4D and any of them
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
XOR Operation U0701 E1027.m02

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
ngen.exe 7 2026-03-20 7 hours, 12 minutes ago
write.exe 5 2026-03-20 7 hours, 14 minutes ago
UnPackMe_VMProtect_1.53.exe 7 2026-03-19 1 day, 10 hours ago
hello.exe 6 2026-03-18 1 day, 17 hours ago
Crane3d.exe 2 2026-03-16 4 days, 4 hours ago
loader.exe 5 2026-03-14 5 days, 14 hours ago
BBHloader.exe 6 2026-03-10 1 week, 2 days ago
_vmp_d5b8_cache.tmp 1 2026-03-08 1 week, 4 days ago
greeze_dupe.exe 1 2026-03-08 1 week, 4 days ago
library2.dll 6 2026-03-06 1 week, 6 days ago
View All
Created

January 4, 2024

Last Revised

January 4, 2024