Yara Rule - Detects suspicious use of the free hex editor HxD's icon in PE files that don't seem to be a legitimate version of HxD

Yara definition.

Author: Florian Roth

https://www.linkedin.com/feed/update/urn:li:activity:7068631930040188929/?utm_source

```yara
   meta:
      date = "2023-05-29"
      score = 65
   strings:
      $ac1 = { 99 00 77 0D DD 09 99 80 99 00 77 0D DD 09 99 80
      $ac2 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF B9 DE
      $s1 = { 00 4D 00 61 00 EB 00 6C 00 20 00 48 00 F6 00 72 00 7A } /* Developer: Maael Hoerz */
      $s2 = "mh-nexus.de" ascii wide
      $upx1 = "UPX0" ascii fullword
      $xs1 = "terminator" ascii wide fullword // https://www.linkedin.com/feed/update/urn:li:activity:7068631930040188929/?utm_source=share&utm_medium=member_ios
      $xs2 = "Terminator" ascii wide fullword // https://www.linkedin.com/feed/update/urn:li:activity:7068631930040188929/?utm_source=share&utm_medium=member_ios
   condition:
      uint16(0) == 0x5a4d
```
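Added example, not from the original page or the signature-base project: the rule's matching logic re-implemented in plain Python so each string from the fragment above can be stepped through against constructed buffers. It assumes only the 16 leading $ac1 bytes visible here, does not emulate yara's fullword modifier, and infers the verdict (icon present and no legitimate HxD marker) from the rule description, since the condition block is not reproduced on this page.

```python
# Added example, not part of the original page or the signature-base rule.
# Re-implements the rule's intent in plain Python so the matching logic can be
# stepped through on constructed buffers. Assumptions: the icon check uses only
# the 16 leading $ac1 bytes visible on the page, yara's "fullword" modifier is
# not emulated, and the verdict "icon present AND no legitimate HxD marker" is
# inferred from the rule description (the condition block is not on the page).

# Byte patterns copied from the rule fragment on the page.
HXD_ICON_FRAGMENT = bytes.fromhex("9900770DDD0999809900770DDD099980")   # $ac1 prefix
HXD_DEVELOPER = bytes.fromhex("004D006100EB006C0020004800F60072007A")  # $s1
HXD_SITE = b"mh-nexus.de"                                                # $s2


def scan(data: bytes) -> dict:
    """Evaluate the page's string set against a buffer and return findings."""
    findings = {
        "is_pe": data[:2] == b"MZ",                            # uint16(0) == 0x5a4d
        "hxd_icon": HXD_ICON_FRAGMENT in data,                 # $ac*
        "legit_hxd": (HXD_DEVELOPER in data                    # $s1
                      or HXD_SITE in data                      # $s2 ascii
                      or HXD_SITE.decode().encode("utf-16-le") in data),  # $s2 wide
        "upx": b"UPX0" in data,                                # $upx1
        "terminator": b"terminator" in data or b"Terminator" in data,  # $xs*
    }
    # Assumed verdict: HxD's icon inside a PE that carries none of the
    # markers a genuine HxD build would have.
    findings["suspicious"] = (findings["is_pe"] and findings["hxd_icon"]
                              and not findings["legit_hxd"])
    return findings


def build_sample(icon: bool, legit: bool, extra: bytes = b"") -> bytes:
    """Constructed test buffer: an MZ header followed by chosen markers.
    It is not a valid PE; it only exercises the byte checks above."""
    buf = bytearray(b"MZ" + b"\x00" * 62)
    if icon:
        buf += b"\x00" * 16 + HXD_ICON_FRAGMENT
    if legit:
        buf += b"\x00" * 8 + HXD_SITE + b"\x00"
    return bytes(buf + extra)


if __name__ == "__main__":
    for label, sample in [("icon only", build_sample(True, False)),
                          ("icon + site", build_sample(True, True)),
                          ("icon + xs", build_sample(True, False, b"Terminator.exe"))]:
        print(f"{label:12s} -> {scan(sample)}")
```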


[https://github.com/Neo23x0/signature-base/commit/08d48f5d9f10860324bbe6eb5d71b43cb3a5b522](https://github.com/Neo23x0/signature-base/commit/08d48f5d9f10860324bbe6eb5d71b43cb3a5b522)