GET /api/detection_rules/?format=api&page=2
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 153,
    "next": "https://unprotect.it/api/detection_rules/?format=api&page=3",
    "previous": "https://unprotect.it/api/detection_rules/?format=api",
    "results": [
        {
            "id": 134,
            "key": "hunting_rule_shikataganai",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "Hunting_Rule_ShikataGaNai",
            "rule": "// Mandiant's Yara rule to detect \"some of the current common permutations created by vanilla x86-SGN in Metasploit\"\r\nrule Hunting_Rule_ShikataGaNai\r\n{\r\n    meta:\r\n        author    = \"Steven Miller\"\r\n        company   = \"FireEye\"\r\n        reference = \"https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\"\r\n    strings:\r\n        $varInitializeAndXorCondition1_XorEAX = { B8 ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 59 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 40 | 41 | 42 | 43 | 45 | 46 | 47 ) ?? }\r\n        $varInitializeAndXorCondition1_XorEBP = { BD ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5B | 5C | 5E | 5F ) [0-50] 31 ( 68 | 69 | 6A | 6B | 6D | 6E | 6F ) ?? }\r\n        $varInitializeAndXorCondition1_XorEBX = { BB ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5C | 5D | 5E | 5F ) [0-50] 31 ( 58 | 59 | 5A | 5B | 5D | 5E | 5F ) ?? }\r\n        $varInitializeAndXorCondition1_XorECX = { B9 ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 48 | 49 | 4A | 4B | 4D | 4E | 4F ) ?? }\r\n        $varInitializeAndXorCondition1_XorEDI = { BF ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5B | 5C | 5D | 5E ) [0-50] 31 ( 78 | 79 | 7A | 7B | 7D | 7E | 7F ) ?? }\r\n        $varInitializeAndXorCondition1_XorEDX = { BA ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 50 | 51 | 52 | 53 | 55 | 56 | 57 ) ?? }\r\n        $varInitializeAndXorCondition2_XorEAX = { D9 74 24 F4 [0-30] B8 ?? ?? ?? ?? [0-10] ( 59 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 40 | 41 | 42 | 43 | 45 | 46 | 47 ) ?? }\r\n        $varInitializeAndXorCondition2_XorEBP = { D9 74 24 F4 [0-30] BD ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5B | 5C | 5E | 5F ) [0-50] 31 ( 68 | 69 | 6A | 6B | 6D | 6E | 6F ) ?? }\r\n        $varInitializeAndXorCondition2_XorEBX = { D9 74 24 F4 [0-30] BB ?? ?? ?? ?? 
[0-10] ( 58 | 59 | 5A | 5C | 5D | 5E | 5F ) [0-50] 31 ( 58 | 59 | 5A | 5B | 5D | 5E | 5F ) ?? }\r\n        $varInitializeAndXorCondition2_XorECX = { D9 74 24 F4 [0-30] B9 ?? ?? ?? ?? [0-10] ( 58 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 48 | 49 | 4A | 4B | 4D | 4E | 4F ) ?? }\r\n        $varInitializeAndXorCondition2_XorEDI = { D9 74 24 F4 [0-30] BF ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5B | 5C | 5D | 5E ) [0-50] 31 ( 78 | 79 | 7A | 7B | 7D | 7E | 7F ) ?? }\r\n        $varInitializeAndXorCondition2_XorEDX = { D9 74 24 F4 [0-30] BA ?? ?? ?? ?? [0-10] ( 58 | 59 | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 50 | 51 | 52 | 53 | 55 | 56 | 57 ) ?? }\r\n    condition:\r\n        any of them\r\n}"
        },
        {
            "id": 18,
            "key": "sigma_anti_vm",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_ANTI_VM",
            "rule": "title: AntiVM\r\nstatus: experimental\r\ndescription: Detect virtual environment \"VirtualBox|VMware|KVM|HVM\"  \r\nauthor: Joe Security\r\ndate: 2019-11-06\r\nid: 200020\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack: T1497\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*IlZpcnR1YWxCb3h8Vk13YXJlfEtWTXxIVk0i*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 119,
            "key": "sigma_hook_injection",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_Hook_Injection",
            "rule": "title: Hook Injection Detection\r\ndescription: Detects instances of hook injection in Windows\r\nauthor: Unprotect\r\nreferences:\r\n- https://en.wikipedia.org/wiki/Hooking\r\n- https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowhookexe\r\n- https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-unhookwindowshookex\r\n- https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-callnexthookex\r\ntags:\r\n- attack.persistence\r\n- attack.t1179\r\n- malware.generic\r\n\r\n# Check for the presence of the SetWindowsHookEx function, which is often used to install hooks\r\n- 'SetWindowsHookExA'\r\n- 'SetWindowsHookExW'\r\n\r\n# Check for the presence of the UnhookWindowsHookEx function, which is often used to remove hooks\r\n- 'UnhookWindowsHookEx'\r\n\r\n# Check for the presence of the CallNextHookEx function, which is often used in hook functions\r\n- 'CallNextHookEx'\r\nThis rule uses string matching to look for the presence of specific functions that are commonly used in hook injection. If any of these functions are found in a scanned file, the rule will match and the code will be detected as potentially using hook injection. As with the YARA rule, this is just an example and more advanced rules may be needed for more robust detection."
        },
        {
            "id": 52,
            "key": "sigma_base64_download",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_base64_download",
            "rule": "title: Powershell download file from base64 url\r\nstatus: experimental\r\ndescription: Powershell download file from base64 url\r\nauthor: Joe Security\r\ndate: 2020-04-13\r\nid: 200072\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:\r\n          CommandLine:\r\n              - '*.downloadfile([system.text.encoding]::ascii.getstring([system.convert]::frombase64string(*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 61,
            "key": "sigma_bitsadmin",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_bitsadmin",
            "rule": "title: bitsadmin download and execute\r\nstatus: experimental\r\ndescription: Detect bitsadmin download and execute activity\r\nauthor: Joe Security\r\ndate: 2019-11-25\r\nid: 200031\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*bitsadmin /transfer*http*start %APPDATA%*'\r\n              - '*/transfer*http*.dll&& rundll32*'\r\n              - '*powershell*start-bitstransfer*start-process*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 55,
            "key": "sigma_bypass_applocker",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_bypass_applocker",
            "rule": "title: AppLocker Bypass via Regsvr32\r\nstatus: experimental\r\ndescription: AppLocker Bypass via Regsvr32\r\nauthor: Joe Security\r\ndate: 2020-03-04\r\nid: 200059\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*regsvr32*/s /u /n /i:http*scrobj*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 9,
            "key": "sigma_check_external_ip",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_check_external_ip",
            "rule": "title: Check external IP via Powershell\r\nstatus: experimental\r\ndescription: Check external IP via Powershell\r\nauthor: Joe Security\r\ndate: 2020-07-20\r\nid: 200081\r\nthreatname:\r\nbehaviorgroup: 8\r\nclassification: 6\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*powershell*api.ipify.org*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 43,
            "key": "sigma_decode_string_findstr",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_decode_string_findstr",
            "rule": "title: Decode strings from lnk via findstr.exe\r\nstatus: experimental\r\ndescription: uses findstr.exe to decode strings from lnk file\r\nauthor: Joe Security\r\ndate: 2019-11-11\r\nid: 200024\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*findstr /b /i *.lnk*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 33,
            "key": "sigma_delete_shadow_copy",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_delete_shadow_copy",
            "rule": "title: Delete Shadow Copy Via Powershell\r\nstatus: experimental\r\ndescription: Delete Shadow Copy Via Powershell\r\nauthor: Joe Security\r\ndate: 2019-10-25\r\nid: 200011\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack: T1490\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*powershell*RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 54,
            "key": "sigma_detect_region",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_detect_region",
            "rule": "title: Geofenced Ru\r\nstatus: experimental\r\ndescription: Detect region and exit if matched with hardcoded country list Get-UICulture).Name -match \"CN|RO|RU|UA|BY \r\nauthor: Joe Security\r\ndate: 2019-11-06\r\nid: 200019\r\nthreatname:\r\nbehaviorgroup: 8\r\nclassification: 8\r\nmitreattack: T1241\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*R2V0LVVJQ3VsdHVyZSkuTmFtZSAtbWF0Y2ggIkNOfFJPfFJVfFVBfEJZI*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 51,
            "key": "sigma_hide_copy_melt",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_hide_copy_melt",
            "rule": "title: Hide copy and delete itself\r\nstatus: experimental\r\ndescription: Hide copy via attrib.exe and delete itself\r\nauthor: Joe Security\r\ndate: 2019-11-12\r\nid: 200025\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*attrib +s +h *timeout /t *del /f /q*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 59,
            "key": "sigma_hide_in_appdata",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_hide_in_appdata",
            "rule": "title: Copy itself to suspicious location via type command \r\nstatus: experimental\r\ndescription: Copy itself to suspicious location via type command\r\nauthor: Joe Security\r\ndate: 2020-02-13\r\nid: 200052\r\nthreatname:\r\nbehaviorgroup: 10\r\nclassification: 1\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*type*>*\\AppData*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 36,
            "key": "sigma_kill_process",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_kill_process",
            "rule": "title: Kill multiple process\r\nstatus: experimental\r\ndescription: Kill multiple process\r\nauthor: Joe Security\r\ndate: 2019-12-30\r\nid: 200039\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 29,
            "key": "sigma_lolbins",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_lolbins",
            "rule": "attack_technique: T1197\r\ndisplay_name: BITS Jobs\r\natomic_tests:\r\n- name: Bitsadmin Download (cmd)\r\n  auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to download\r\n    and execute a payload\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: '%temp%\\bitsadmin1_flag.ps1'\r\n  executor:\r\n    command: |\r\n      bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}\r\n    cleanup_command: |\r\n      del #{local_file} >nul 2>&1\r\n    name: command_prompt\r\n- name: Bitsadmin Download (PowerShell)\r\n  auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to download\r\n    and execute a payload leveraging PowerShell\r\n\r\n    Upon execution you will find a github markdown file downloaded to the Temp directory\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: $env:TEMP\\bitsadmin2_flag.ps1\r\n  executor:\r\n    command: |\r\n      Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}\r\n    cleanup_command: |\r\n      Remove-Item #{local_file} -ErrorAction Ignore\r\n    name: powershell\r\n- name: Persist, Download, & Execute\r\n  auto_generated_guid: 
62a06ec5-5754-47d2-bcfc-123d8314c6ae\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps.\r\n    Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable.\r\n    This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of \"svchost.exe\" and an Initiating Process Command Line of \"svchost.exe -k netsvcs -p -s BITS\"\r\n    This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    command_path:\r\n      description: Path of command to execute\r\n      type: path\r\n      default: C:\\Windows\\system32\\notepad.exe\r\n    bits_job_name:\r\n      description: Name of BITS job\r\n      type: string\r\n      default: AtomicBITS\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: '%temp%\\bitsadmin3_flag.ps1'\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n  executor:\r\n    command: |\r\n      bitsadmin.exe /create #{bits_job_name}\r\n      bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}\r\n      bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} \"\"\r\n      bitsadmin.exe /resume #{bits_job_name}\r\n      timeout 5\r\n      bitsadmin.exe /complete #{bits_job_name}\r\n    cleanup_command: |\r\n      del #{local_file} >nul 2>&1\r\n    name: command_prompt\r\n- name: Bits download using destktopimgdownldr.exe (cmd)\r\n  auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114\r\n  description: |\r\n    This test simulates using destopimgdwnldr.exe to 
download a malicious file\r\n    instead of a desktop or lockscreen background img. The process that actually makes \r\n    the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) \r\n    and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    download_path:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: 'SYSTEMROOT=C:\\Windows\\Temp'\r\n    cleanup_path:\r\n      description: path to delete file as part of cleanup_command\r\n      type: path\r\n      default: C:\\Windows\\Temp\\Personalization\\LockScreenImage\r\n    cleanup_file:\r\n      description: file to remove as part of cleanup_command\r\n      type: string\r\n      default: \"*.md\"\r\n  executor:\r\n    command: |\r\n      set \"#{download_path}\" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr\r\n    cleanup_command: |\r\n      del #{cleanup_path}\\#{cleanup_file} >null 2>&1\r\n    name: command_prompt"
        },
        {
            "id": 44,
            "key": "sigma_onset_delay",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_onset_delay",
            "rule": "title: Powershell delayed execution via ping command\r\nstatus: experimental\r\ndescription: Powershell delayed execution via ping command\r\nauthor: Joe Security\r\ndate: 2020-03-17\r\nid: 200066\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*ping -n * & powershell.exe -executionpolicy bypass -noninteractive -windowstyle hidden*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 34,
            "key": "sigma_posh_pc_delete_volume_shadow_copies",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_posh_pc_delete_volume_shadow_copies",
            "rule": "title: Delete Volume Shadow Copies Via WMI With PowerShell\r\nid: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1\r\ndescription: Shadow Copies deletion using operating systems utilities via PowerShell\r\nreferences:\r\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md\r\n    - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml\r\n    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\r\ntags:\r\n    - attack.impact\r\n    - attack.t1490\r\nstatus: experimental\r\nauthor: frack113\r\ndate: 2021/06/03\r\nmodified: 2021/10/16\r\nlogsource:\r\n    product: windows\r\n    category: ps_classic_start\r\n    definition: fields have to be extracted from event\r\ndetection:\r\n    selection_obj:\r\n        HostApplication|contains|all:\r\n            - 'Get-WmiObject'\r\n            - ' Win32_Shadowcopy'\r\n    selection_del:\r\n        HostApplication|contains:\r\n            - 'Delete()'\r\n            - 'Remove-WmiObject'\r\n    condition: selection_obj and selection_del\r\nfields:\r\n    - HostApplication\r\nfalsepositives:\r\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\r\nlevel: critical"
        },
        {
            "id": 37,
            "key": "sigma_proc_creation_win_shadow_copies_deletion",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_proc_creation_win_shadow_copies_deletion",
            "rule": "title: Shadow Copies Deletion Using Operating Systems Utilities\r\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\r\nstatus: stable\r\ndescription: Shadow Copies deletion using operating systems utilities\r\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)\r\ndate: 2019/10/22\r\nmodified: 2021/10/24\r\nreferences:\r\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\r\n    - https://blog.talosintelligence.com/2017/05/wannacry.html\r\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\r\n    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\r\n    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\r\n    - https://github.com/Neo23x0/Raccine#the-process\r\n    - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar\r\n    - https://redcanary.com/blog/intelligence-insights-october-2021/\r\ntags:\r\n    - attack.defense_evasion\r\n    - attack.impact\r\n    - attack.t1070\r\n    - attack.t1490\r\nlogsource:\r\n    category: process_creation\r\n    product: windows\r\ndetection:\r\n    selection1:\r\n        Image|endswith:\r\n            - '\\powershell.exe'\r\n            - '\\wmic.exe'\r\n            - '\\vssadmin.exe'\r\n            - '\\diskshadow.exe'\r\n        CommandLine|contains|all:\r\n            - shadow  # will match \"delete shadows\" and \"shadowcopy delete\" and \"shadowstorage\"\r\n            - delete\r\n    selection2:\r\n        Image|endswith:\r\n            - '\\wbadmin.exe'\r\n        CommandLine|contains|all:\r\n            - delete\r\n            - catalog\r\n            - quiet # will match -quiet or /quiet\r\n    selection3:\r\n        Image|endswith: '\\vssadmin.exe'\r\n        
CommandLine|contains|all:\r\n            - resize\r\n            - shadowstorage\r\n            - unbounded\r\n    condition: 1 of selection*\r\nfields:\r\n    - CommandLine\r\n    - ParentCommandLine\r\nfalsepositives:\r\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\r\nlevel: critical"
        },
        {
            "id": 40,
            "key": "sigma_process_reimaging",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_process_reimaging",
            "rule": "action: global\r\ntitle: Defense evasion via process reimaging\r\nid: 7fa4f550-850e-4117-b543-428c86ebb849\r\ndescription: Detects process reimaging defense evasion technique\r\nstatus: experimental\r\nauthor: Alexey Balandin, oscd.community\r\nreferences:\r\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/\r\ntags:\r\n    - attack.defense_evasion\r\ndate: 2019/10/25\r\ndetection:\r\n    condition: all of them\r\nfalsepositives:\r\n    - unknown\r\nlevel: high\r\n---\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\ndetection:\r\n    selection1:\r\n        category: process_creation\r\nfields:\r\n    - Image\r\n    - OriginalFileName\r\n    - ParentProcessGuid\r\nnew_fields:\r\n    - ImageFileName\r\n---\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\ndetection:\r\n    selection2:\r\n        EventID: 11\r\nfields:\r\n    - ProcessGuid\r\n    - TargetFilename"
        },
        {
            "id": 48,
            "key": "sigma_spoofed_extension",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_spoofed_extension",
            "rule": "title: Execute DLL with spoofed extension\r\nstatus: experimental\r\ndescription: Execute DLL with spoofed extension\r\nauthor: Joe Security\r\ndate: 2020-03-24\r\nid: 200068\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*rundll32*.html,DllRegisterServer*'\r\n              - '*rundll32*.htm,DllRegisterServer*'\r\n              - '*rundll32*.txt,DllRegisterServer*'\r\n              - '*rundll32*.png,DllRegisterServer*'\r\n              - '*rundll32*.jpeg,DllRegisterServer*'\r\n              - '*rundll32*.jpg,DllRegisterServer*'\r\n              - '*regsvr32 c:\\programdata\\\\*.pdf*'\r\n              - '*regsvr32 c:\\programdata\\\\*.txt*'\r\n              - '*regsvr32 c:\\users\\public\\\\*.pdf*'\r\n              - '*regsvr32 c:\\users\\public\\\\*.txt*'\r\n              \r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 23,
            "key": "sigma_stop_service",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_stop_service",
            "rule": "title: Stop multiple services\r\nstatus: experimental\r\ndescription: Stop multiple services\r\nauthor: Joe Security\r\ndate: 2019-12-30\r\nid: 200040\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*net stop*& net stop*& net stop*& net stop*& net stop*& net stop*& net stop*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 24,
            "key": "sigma_uac_bypass",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_uac_bypass",
            "rule": "title: Fodhelper UAC Bypass\r\nstatus: experimental\r\ndescription: Fodhelper UAC Bypass\r\nauthor: Joe Security\r\ndate: 2020-07-30\r\nid: 200082\r\nthreatname:\r\nbehaviorgroup: 26\r\nclassification: 7\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*reg add*hkcu\\software\\classes\\ms-settings\\shell\\open\\command*'\r\n      condition: selection\r\nlevel: critical\r\nattack_technique: T1548.002\r\ndisplay_name: 'Abuse Elevation Control Mechanism: Bypass User Access Control'\r\natomic_tests:\r\n- name: Bypass UAC using Event Viewer (cmd)\r\n  auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9\r\n  description: |\r\n    Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privelages\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      cmd.exe /c eventvwr.msc\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\mscfile /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Event Viewer (PowerShell)\r\n  auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b\r\n  description: |\r\n    PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. 
More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privelages\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\eventvwr.msc\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\mscfile\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using Fodhelper\r\n  auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182\r\n  description: |\r\n    Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). 
Requires Windows 10.\r\n    Upon execution, \"The operation completed successfully.\" will be shown twice and command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\r\n      fodhelper.exe\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\ms-settings /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Fodhelper - PowerShell\r\n  auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa\r\n  description: |\r\n    PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). 
Requires Windows 10.\r\n    Upon execution command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\fodhelper.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using ComputerDefaults (PowerShell)\r\n  auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f\r\n  description: |\r\n    PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10\r\n    Upon execution administrative command prompt should open\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\ComputerDefaults.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force 
-Recurse -ErrorAction Ignore\r\n    name: powershell\r\n    elevation_required: true\r\n- name: Bypass UAC by Mocking Trusted Directories\r\n  auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1\r\n  description: |\r\n    Creates a fake \"trusted directory\" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems\r\n    Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      mkdir \"\\\\?\\C:\\Windows \\System32\\\"\r\n      copy \"#{executable_binary}\" \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n      mklink c:\\testbypass.exe \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n    cleanup_command: |\r\n      rd \"\\\\?\\C:\\Windows \\\" /S /Q >nul 2>nul\r\n      del \"c:\\testbypass.exe\" >nul 2>nul\r\n    name: command_prompt\r\n    elevation_required: true\r\n- name: Bypass UAC using sdclt DelegateExecute\r\n  auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7\r\n  description: |\r\n    Bypasses User Account Control using a fileless method, registry only. 
\r\n    Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\r\n    [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\r\n    Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    command.to.execute:\r\n      description: Command to execute\r\n      type: string\r\n      default: cmd.exe /c notepad.exe\r\n  executor:\r\n    command: |\r\n      New-Item -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Value '#{command.to.execute}'\r\n      New-ItemProperty -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Name \"DelegateExecute\"\r\n      Start-Process -FilePath $env:windir\\system32\\sdclt.exe\r\n      Start-Sleep -s 3\r\n    cleanup_command: |\r\n      Remove-Item -Path \"HKCU:\\Software\\Classes\\Folder\" -Recurse -Force -ErrorAction Ignore\r\n    name: powershell"
        },
        {
            "id": 146,
            "key": "yara_base64",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Base64",
            "rule": "rule golang_base64_enc {\r\n\tmeta:\r\n\t\tauthor = \"RussianPanda\"\r\n\t\tdescription = \"Detects Base64 Encoding and Decoding patterns in Golang binaries\"\r\n        \treference = \"https://unprotect.it/technique/base64/\"\r\n\t\tdate = \"1/10/2024\"\r\n\t\thash = \"509a359b4d0cd993497671b91255c3775628b078cde31a32158c1bc3b2ce461c\"\r\n\tstrings:\r\n\t        $s1 = {62 61 73 65 36 34 2e 53 74 64 45 6e 63 6f 64 69 6e 67 2e 45 6e 63 6f 64 65 54 6f 53 74 72 69 6e 67 28 [0-15] 29}\r\n\t        $s2 = {62 61 73 65 36 34 2e 53 74 64 45 6e 63 6f 64 69 6e 67 2e 44 65 63 6f 64 65 53 74 72 69 6e 67 28 [0-15] 29}\r\n\t        $s3 = {69 66 20 65 72 72 20 21 3D 20 6E 69 6C 20 7B}\r\n\t\t$s4 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n \tcondition:\r\n\t\tall of ($s*) \r\n        \tand uint16(0) == 0x5A4D\r\n}\r\n\r\n\r\nrule base64_enc {\r\n\tmeta:\r\n\t\tauthor = \"RussianPanda\"\r\n\t\tdescription = \"Detects Base64 Encoding\"\r\n        \treference = \"https://unprotect.it/technique/base64/\"\r\n\t\tdate = \"1/10/2024\"\r\n\t\thash = \"09506d1af5d8e6570b2b7d05143f444f5685d2a9f3304780ef376edf7b2d79e6\"\r\n\tstrings:\r\n\t\t$s2 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n        \t$s3 = {83 E? 3F}\r\n \tcondition:\r\n\t\tall of ($s*) \r\n        \tand uint16(0) == 0x5A4D\r\n\t\t\r\n}"
        },
        {
            "id": 156,
            "key": "yara_buildcommdcbandtimeouts",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_BuildCommDCBAndTimeouts",
            "rule": "rule BuildCommDCBAndTimeouts \r\n{\r\n    meta:\r\n        author = \"Unprotect\"\r\n        contributors = \"Huntress Research Team | Unprotect Project\"\r\n        description = \"Detects usage of BuildCommDCBAndTimeouts function call\"\r\n        status = \"experimental\"\r\n\r\n    strings:\r\n        $s1 = \"jhl46745fghb\" ascii wide nocase\r\n        $s2 = \"BuildCommDCBAndTimeouts\" ascii wide nocase\r\n\r\n    condition:\r\n        uint16(0) == 0x5a4d and ($s2 or ($s2 and $s1))\r\n}"
        },
        {
            "id": 138,
            "key": "yara_crypt_hxor",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_CRYPT_hXOR",
            "rule": "rule SI_CRYPT_hXOR_Jan24 : Crypter {\r\n\r\n    meta:\r\n        version = \"1.0\"\r\n        date = \"2024-01-04\"\r\n        modified = \"2024-01-18\"\r\n        status = \"RELEASED\"\r\n        sharing = \"TLP:CLEAR\"\r\n        source = \"SECUINFRA Falcon Team\"\r\n        author = \"Marius Genheimer @ Falcon Team\"\r\n        description = \"Detects executables packed/encrypted with the hXOR-Packer open-source crypter.\"\r\n        category = \"TOOL\"\r\n        mitre_att = \"T1027.002\"\r\n        actor_type = \"CRIMEWARE\"\r\n        reference = \"https://github.com/akuafif/hXOR-Packer\"\r\n        hash = \"7712186f3e91573ea1bb0cc9f85d35915742b165f9e8ed3d3e795aa5e699230f\"\r\n        minimum_yara = \"2.0.0\"\r\n        best_before = \"2025-01-04\"\r\n\r\n    strings:\r\n        //This rule has been validated for the compression, encryption and compression+encryption modes of hXOR\r\n\r\n        //Signature to locate the payload\r\n        $binSignature = {46 49 46 41} \r\n\r\n        //Strings likely to be removed in attempts to conceal crypter\r\n        $s_1 = \"hXOR Un-Packer by Afif, 2012\"\r\n        $s_2 = \"C:\\\\Users\\\\sony\\\\Desktop\\\\Packer\\\\\"\r\n        $s_3 = \"H:\\\\Libraries\\\\My Documents\\\\Dropbox\\\\Ngee Ann Poly\\\\Semester 5\\\\Packer\"\r\n        $s_4 = \"Scanning for Sandboxie...\"\r\n        $s_5 = \"Scanning for VMware...\"\r\n        $s_6 = \"Executing from Memory >>>>\"\r\n        $s_7 = \"Extracting >>>>\"\r\n        $s_8 = \"Decompressing >>>>\"\r\n        $s_9 = \"Decrypting >>>>\"\r\n\r\n        //Anti-Analysis\r\n        $aa_1 = \"SbieDll.dll\"\r\n        $aa_2 = \"VMwareUser.exe\"\r\n        $aa_3 = \"GetTickCount\"\r\n        $aa_4 = \"CreateToolhelp32Snapshot\"\r\n\r\n    condition:\r\n        uint16(0) == 0x5A4D\r\n        and uint16(0x28) != 0x0000 //IMAGE_DOS_HEADER.e_res2[0] contains offset for payload\r\n        and $binSignature in (200000..filesize)\r\n        and for all of ($s_*): (# >= 
0) //these strings are optional\r\n        and 3 of ($aa_*)\r\n}"
        },
        {
            "id": 129,
            "key": "yara_checkname",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_CheckName",
            "rule": "rule MalwareNameEvasion\r\n{\r\n    strings:\r\n        // Check for the GetModuleFileName() function call\r\n        $get_module_filename = \"GetModuleFileName\"\r\n\r\n        // Check for the find_last_of() method call\r\n        $find_last_of = \"find_last_of\"\r\n\r\n        // Check for the std::string data type\r\n        $string = \"std::string\"\r\n\r\n        // Check for the \"\\\\/\" string\r\n        $backslash_slash = \"\\\\\\\\/\"\r\n\r\n        // Check for the \"sample.exe\" string\r\n        $sample_exe = \"sample.exe\"\r\n\r\n        // Check for the \"malware.exe\" string\r\n        $malware_exe = \"malware.exe\"\r\n\r\n    condition:\r\n        // Check if all the required strings are present in the code\r\n        all of them\r\n}"
        },
        {
            "id": 153,
            "key": "yara_check_install_software",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Check_Install_software",
            "rule": "rule check_installed_software {\r\n\r\n  meta:\r\n    author = \"RussianPanda\"\r\n    date = \"1/14/2024\"\r\n    reference = \"https://unprotect.it/technique/checking-installed-software/\"\r\n    hash = \"db44d4cd1ea8142790a6b26880b41ee23de5db5c2a63afb9ee54585882f1aa07\"\r\n\r\n  strings:\r\n    $d1 = \"DisplayVersion\"\r\n    $u1 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\"\r\n    $reg = \"RegOpenKeyExA\"\r\n    $h = {68 (01|02) 00 00 80}\r\n\r\n  condition:\r\n    uint16(0) == 0x5A4D\r\n    and for any i in (1..#u1) : ($d1 in (@u1[i] - 200..@u1[i] + 200))\r\n    and $reg and $h\r\n\r\n}"
        },
        {
            "id": 2,
            "key": "yara_check_installed_software",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Check_installed_software",
            "rule": "import \"pe\"\r\n\r\nrule check_installed_software {\r\n    meta:\r\n        description = \"Detect check installed software through registry\"\r\n        author = \"Thomas Roccia | @fr0gger_\"\r\n    strings:\r\n        $s1 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\" wide\r\n\r\n    condition:\r\n       uint16(0) == 0x5A4D and $s1 or\r\n       pe.imports(\"Advapi32.dll\", \"RegQueryValueEx\")\r\n}"
        },
        {
            "id": 124,
            "key": "yara_dllproxying",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DLLProxying",
            "rule": "rule DLLProxying {\r\n  condition:\r\n    // Check for presence of DLL_PROCESS_ATTACH in DllMain function\r\n    uint16(0) == 0x6461 and (\r\n      // Check for the presence of LoadLibrary, which is used to load the legitimate DLL\r\n      uint32(2) == 0x6C6C6100 and uint32(6) == 0x6574726F and\r\n      \r\n      // Check for the presence of GetProcAddress, which is used to retrieve the addresses of the functions in the legitimate DLL\r\n      uint32(10) == 0x72630067 and uint32(14) == 0x61647079 and uint32(18) == 0x61636F00 and uint32(22) == 0x0072696E and\r\n      \r\n      // Check for the presence of a function that will be used to redirect function calls to the legitimate DLL\r\n      // This example uses a function named \"ProxyFunction\", but the function name can be anything\r\n      uint32(26) == 0x646E6900 and uint32(30) == 0x00667379\r\n    )\r\n    // Check for presence of dllexport attribute on the function that redirects calls to the legitimate DLL\r\n    // This example uses a function named \"ProxyFunction\", but the function name can be anything\r\n    and (pe.exports(\"ProxyFunction\") or pe.exports(\"ProxyFunction@0\"))\r\n}"
        },
        {
            "id": 123,
            "key": "yara_dllsearchorderhijacking",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DLLSearchOrderHijacking",
            "rule": "rule DLLHijacking {\r\n  condition:\r\n    // Check for presence of DLL_PROCESS_ATTACH in DllMain function\r\n    uint16(0) == 0x6461 and (\r\n      // Check for the presence of CreateThread, which is used to start the main function\r\n      uint32(2) == 0x74006872 and uint32(6) == 0x00006563 and uint32(10) == 0x74616843 and\r\n      \r\n      // Check for the presence of Main function\r\n      uint32(14) == 0x6E69006D and uint32(18) == 0x0064614D\r\n    )\r\n    // Check for presence of dllexport attribute\r\n    and (pe.exports(\"DnsFreeConfigStructure\") or pe.exports(\"DnsFreeConfigStructure@0\"))\r\n}"
        },
        {
            "id": 4,
            "key": "yara_debuggercheck_globalflags",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DebuggerCheck_GlobalFlags",
            "rule": "rule DebuggerCheck__GlobalFlags  {\r\n    meta:\r\n\tdescription = \"Rule to detect NtGlobalFlags debugger check\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 = \"NtGlobalFlags\"\r\n    condition:\r\n        any of them\r\n}"
        },
        {
            "id": 6,
            "key": "yara_debuggercheck__remoteapi",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DebuggerCheck__RemoteAPI",
            "rule": "rule DebuggerCheck__RemoteAPI {\r\n    meta:\r\n        description = \"Rule to detect RemoteAPI debugger check\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 = \"CheckRemoteDebuggerPresent\"\r\n    condition:\r\n        any of them\r\n}"
        },
        {
            "id": 127,
            "key": "yara_detectparentprocess",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DetectParentProcess",
            "rule": "rule ParentProcessEvasion\r\n{\r\n    strings:\r\n        // Check for the CreateToolhelp32Snapshot() function call\r\n        $create_snapshot = \"CreateToolhelp32Snapshot\"\r\n\r\n        // Check for the Process32First() function call\r\n        $process32_first = \"Process32First\"\r\n\r\n        // Check for the Process32Next() function call\r\n        $process32_next = \"Process32Next\"\r\n\r\n        // Check for the GetCurrentProcessId() function call\r\n        $get_current_pid = \"GetCurrentProcessId\"\r\n\r\n    condition:\r\n        // Check if all the required strings are present in the code\r\n        all of them\r\n}"
        },
        {
            "id": 8,
            "key": "yara_detect_antivmwithtemperature",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_AntiVMWithTemperature",
            "rule": "rule Detect_AntiVMWithTemperature {\r\n    meta:\r\n        description = \"Rule to detect AntiVMwithTemperature technique\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 = {72 6f 6f 74 5c 57 4d 49}\r\n        // root\\WMI\r\n        $s2 = {53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 4d 53 41 63 70 69 5f 54 68 65 72 6d 61 6c 5a 6f 6e 65 54 65 6d 70 65 72 61 74 75 72 65}\r\n        // SELECT * FROM MSAcpi_ThermalZoneTemperature\r\n        $s3 = {43 75 72 72 65 6e 74 54 65 6d 70 65 72 61 74 75 72 65}\r\n        //  CurrentTemperature\r\n    \r\n    condition:\r\n    all of them\r\n}"
        },
        {
            "id": 109,
            "key": "yara_detect_aspack",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Aspack",
            "rule": "rule ASPack_v107b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 }\r\n        $b = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPAck_1061b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 70 05 ?? ?? EB }\r\n        $b = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v21_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_102b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 2B 85 7D 7C 43 00 89 85 89 7C 43 00 80 BD 74 7C 43 00 00 75 15 FE 85 74 7C 43 00 E8 1D 00 00 00 E8 F7 01 00 00 E8 8E 02 00 00 8B 85 75 7C 43 00 03 85 89 7C 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v21: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 3D }\r\n        $b = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PackerAspack_v212_wwwaspackcom: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? ?? ?D ?? ?? ?? ?? 5? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211c_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v104b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED CE 3A 44 00 B8 C8 3A 44 00 03 C5 2B 85 B5 3E 44 00 89 85 C1 3E 44 00 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Aspack_v212_wwwaspackcom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? ?? ?D ?? ?? ?? ?? 5? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_ASPack_212_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
90 FF E0 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_211d_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 
89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 70 05 00 00 EB 4C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_211d_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_by_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_1083: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E 44 00 0F 85 17 05 00 00 8D 85 D1 50 44 00 50 FF 95 94 51 44 00 89 85 CD 50 44 00 8B F8 8D 9D DE 50 44 00 53 50 FF 95 90 51 44 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 FF E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_102a_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 3E D9 43 00 B8 38 ?? ?? 00 03 C5 2B 85 0B DE 43 00 89 85 17 DE 43 00 80 BD 01 DE 43 00 00 75 15 FE 85 01 DE 43 00 E8 1D 00 00 00 E8 79 02 00 00 E8 12 03 00 00 8B 85 03 DE 43 00 03 85 17 DE 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v106b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 ?? ?? ?? E9 EB 04 5D 45 55 C3 E8 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D 55 81 ED 39 39 44 ?? C3 E9 3D }\r\n        $b = { 60 E9 3D 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_101b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED D2 2A 44 00 B8 CC 2A 44 00 03 C5 2B 85 A5 2E 44 00 89 85 B1 2E 44 00 80 BD 9C 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Aspack_v212_wwwaspackcom: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? 
}\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2001_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 4C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_212_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v100b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? 
E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211c_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_by: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2001_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D B8 03 }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 
80 BD 01 DE }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_100b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 92 1A 44 00 B8 8C 1A 44 00 03 C5 2B 85 CD 1D 44 00 89 85 D9 1D 44 00 80 BD C4 1D 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10801_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED 3E D9 43 B8 38 03 C5 2B 85 0B DE 43 89 85 17 DE 43 80 BD 01 DE 43 75 15 FE 85 01 DE 43 E8 1D E8 79 02 E8 12 03 8B }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10803_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 
0F B6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_104b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? 00 B8 ?? ?? ?? 00 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? 00 80 BD 08 9D ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_107b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED CE 3A 44 B8 C8 3A 44 03 C5 2B 85 B5 3E 44 89 85 C1 3E 44 80 BD AC 3E }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_102b_or_10803: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 ?? ?? ?? E9 EB 04 5D 45 55 C3 E8 01 ?? ?? ?? EB 5D BB ED FF FF FF 03 DD 81 }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D 55 81 ED 39 39 44 ?? C3 E9 59 }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211c: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v105b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 
03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_212_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 FF E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v1061b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_2xwithouth_Poly_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 
60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB EC FF FF FF 03 DD 81 EB 00 40 1C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_1061b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED EA A8 43 00 B8 E4 A8 43 00 03 C5 2B 85 78 AD 43 00 89 85 84 AD 43 00 80 BD 6E AD 43 00 00 75 15 FE 85 6E AD 43 00 E8 1D 00 00 00 E8 73 02 00 00 E8 0A 03 00 00 8B 85 70 AD 43 00 03 85 84 AD 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 61 75 08 B8 01 C2 0C 68 C3 8B 85 26 04 8D 8D 3B 04 51 50 FF }\r\n        $b = { 60 E8 41 06 00 00 EB 41 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v100b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_10801_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? 
90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_101b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED D2 2A 44 00 B8 CC 2A 44 00 03 C5 2B 85 A5 2E 44 00 89 85 B1 2E 44 00 80 BD 9C 2E 44 00 00 75 15 FE 85 9C 2E 44 00 E8 1D 00 00 00 E8 E4 01 00 00 E8 7A 02 00 00 8B 85 9D 2E 44 00 03 85 B1 2E 44 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 41 06 00 00 EB 41 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_103b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED AE 98 43 00 B8 A8 98 43 00 03 C5 2B 85 18 9D 43 00 89 85 24 9D 43 00 80 BD 0E 9D 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 
80 BD 9C 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_ASPack_2xx_Heuristic: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_1061b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED EA A8 43 00 B8 E4 A8 43 00 03 C5 2B 85 78 AD 43 00 89 85 84 
AD 43 00 80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v21_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 48 11 00 00 C3 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_106b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 ?? ?? EB }\r\n        $b = { 60 E8 70 05 00 00 EB 4C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v2001: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 ?? ?? EB 33 87 DB }\r\n        $b = { 60 E8 72 05 00 00 EB 4C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_211d_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108x: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D BB 03 }\r\n        $b = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v1061b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED B8 03 C5 2B 85 0B DE 89 85 17 DE 80 BD 01 }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10801: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 44 BB 10 44 03 DD 2B }\r\n        $b = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10802: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 ?? BB 10 6A 44 ?? 03 DD 2B 9D }\r\n        $b = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10803: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 4A 44 ?? BB 04 4A 44 ?? 
03 }\r\n        $b = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_107b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 3E D9 43 00 B8 38 D9 43 00 03 C5 2B 85 0B DE 43 00 89 85 17 DE 43 00 80 BD 01 DE 43 00 00 75 15 FE 85 01 DE 43 00 E8 1D 00 00 00 E8 79 02 00 00 E8 12 03 00 00 8B 85 03 DE 43 00 03 85 17 DE 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 F9 11 00 00 C3 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Hint_WIN_EP_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_212withouth_Poly_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 
E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10803_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v104b: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 ?? }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v105b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_211d_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 00 00 00 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 01 FF }\r\n        $b = { 90 75 01 FF E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 
EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v106b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 ?? }\r\n        $b = { 90 90 90 75 00 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v104b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_V22_Alexey_Solodovnikov_StarForce_2009408: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD ?? ?? ?? ?? ?? ?? 83 BD 7D 04 00 00 00 89 9D 7D 04 00 00 0F 85 C0 03 00 00 8D 85 89 04 00 00 50 FF 95 09 0F 00 00 89 85 81 04 00 00 8B F0 8D 7D 51 57 56 FF 95 05 0F 00 00 AB B0 00 AE 75 FD 38 07 75 EE 8D 45 7A FF E0 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 56 69 72 74 75 61 6C 46 72 65 65 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 8B 9D 8D 05 00 00 0B DB 74 0A 8B 03 87 85 91 05 00 00 89 03 8D B5 BD 05 00 00 83 3E 00 0F 84 15 01 00 00 6A 04 68 00 10 00 00 68 00 18 00 00 6A 00 FF 55 51 89 85 53 01 00 00 8B 46 04 05 0E 01 00 00 6A 04 68 00 10 00 00 50 6A 00 FF 55 51 89 85 4F 01 00 00 56 8B 1E 03 9D 7D 04 00 00 FF B5 53 01 00 00 FF 76 04 50 53 E8 2D 05 00 00 B3 00 80 FB 00 75 5E FE 85 E9 00 00 00 8B 3E 03 BD 7D 04 00 00 FF 37 C6 07 C3 FF D7 8F 07 50 51 56 53 8B C8 83 E9 06 8B B5 4F 01 00 00 33 DB 0B C9 74 2E 78 2C AC 3C E8 74 0A EB 00 3C E9 74 04 43 49 EB EB 8B 06 EB 00 ?? ?? ?? 
75 F3 24 00 C1 C0 18 2B C3 89 06 83 C3 05 83 C6 04 83 E9 05 EB CE 5B 5E 59 58 EB 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108x_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10801_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }\r\n        $b = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v100b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED D2 2A 44 B8 CC 2A 44 03 C5 2B 85 A5 2E 44 89 85 B1 2E 44 80 BD 9C 2E }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_102b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 2B 85 7D 7C 43 00 89 85 89 7C 43 00 80 BD 74 7C 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED 96 78 43 B8 90 78 43 03 C5 2B 85 7D 7C 43 89 85 89 7C 43 80 BD 74 7C }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 
89 44 24 1C 61 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v102b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 }\r\n        $b = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v108x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v105b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_211_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 3D 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_212b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB EC FF FF FF 03 DD 81 EB 00 ?? ?? 00 83 BD 22 04 00 00 00 89 9D 22 04 00 00 0F 85 65 03 00 00 8D 85 2E 04 00 00 50 FF 95 4C 0F 00 00 89 85 26 04 00 00 8B F8 8D 5D 5E 53 50 FF 95 48 0F 00 00 89 85 4C 05 00 00 8D 5D 6B 53 57 FF 95 48 0F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v1061b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 
80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_DLL_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 112,
            "key": "yara_detect_asprotect",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Asprotect",
            "rule": "rule ASProtect_v123_RC1: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_130824_beta: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov_h1: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_vxx: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_vxx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_23_SKE_build_0426_Beta_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 60 40 00 E8 01 00 00 00 C3 C3 0D 6C 65 3E 09 84 BB 91 89 38 D0 5A 1D 60 6D AF D5 51 2D A9 2F E1 62 D8 C1 5A 8D 6B 6E 94 A7 F9 1D 26 8C 8E FB 08 A8 7E 9D 3B 0C DF 14 5E 62 14 7D 78 D0 6E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x_New_Strain_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? 
C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_BRS_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 05 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 68 01 ?? ?? ?? C3 AA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_V2X_DLL_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v132: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_h2_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_12_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov_h1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v20: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n        $b = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v12x_New_Strain: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_BRS: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 }\r\n        $b = { 60 E9 ?? 05 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_10_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 00 00 00 90 5D 81 ED ?? ?? ?? 00 BB ?? ?? ?? 00 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n        $c = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_V2X_Registered_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_MTE_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_h2: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n        $c = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 
00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v21x: PEiD\r\n{\r\n    strings:\r\n        $a = { BB E9 60 9C FC BF B9 F3 AA 9D 61 C3 55 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_ASProtect_10_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
90 FF E0 60 E8 01 00 00 00 90 5D 81 ED 00 00 00 00 BB 00 00 00 00 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEb_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E9 ?? 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_133_21_Registered_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_20: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_23_SKE_build_0426_Beta: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 60 40 00 E8 01 00 00 00 C3 C3 0D 6C 65 3E 09 84 BB 91 89 38 D0 5A 1D 60 6D AF D5 51 2D A9 2F E1 62 D8 C1 5A 8D 6B 6E 94 A7 F9 1D 26 8C 8E FB 08 A8 7E 9D 3B 0C DF 14 5E 62 14 7D 78 D0 6E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B ?? ?? ?? E9 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEc: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B ?? ?? ?? E9 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEb: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B E9 }\r\n        $b = { 90 60 E9 ?? 
04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_BRS_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 
05 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v10_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 68 01 ?? ?? ?? C3 AA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_V2X_DLL_Alexey_Solodovnikov_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v10: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? 
EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 C3 AA ?? }\r\n        $b = { 68 01 ?? ?? ?? C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 
00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 04 00 00 E9 ?? ?? ?? ?? ?? ?? ?? EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_130824_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEc_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 BE ?? ?? 8B D8 B9 ?? ?? BF ?? ?? BA ?? ?? 47 4A 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_133_21_Registered_Alexey_Solodovnikov_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 F0 58 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_122_123_Beta_21_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 E0 46 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 117,
            "key": "yara_detect_bobsoft",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Bobsoft",
            "rule": "rule PEiD_Bundle_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v102_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Splash_Bitmap_v100_With_Unpack_Code_BoB_Bobsoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 
6A 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V102_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEiD_Bundle_v102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_102_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Imploder_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 00 00 00 C7 47 20 00 08 00 00 C7 47 18 01 00 00 00 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ?? ?? 
00 00 FF D3 83 C4 10 83 BD 71 40 40 00 00 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule BobPack_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobSoft_Mini_Delphi_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobSoft_Mini_Delphi_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobPack_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 
89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v102_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Splash_Bitmap_v100_BoB_Bobsoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 
00 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v102_v103_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?? ?? ?? 00 FF D3 83 C4 10 FF 95 B0 40 40 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEiD_Bundle_v102_v103_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 73,
            "key": "yara_detect_closehandle",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_CloseHandle",
            "rule": "rule Detect_CloseHandle: AntiDebug {\r\n    meta: \r\n        description = \"Detect CloseHandle as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule - NtClose and CloseHandle are very common imports, so on its own this rule is a weak indicator with a high false-positive rate; use it for triage or in combination with other rules\"\r\n    strings:\r\n        $1 = \"NtClose\" fullword ascii\r\n        $2 = \"CloseHandle\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them\r\n}"
        },
        {
            "id": 111,
            "key": "yara_detect_crinkler",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Crinkler",
            "rule": "rule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 42 00 31 DB 43 EB 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 74,
            "key": "yara_detect_csrgetprocessid",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_CsrGetProcessID",
            "rule": "rule Detect_CsrGetProcessID: AntiDebug {\r\n    meta: \r\n        description = \"Detect CsrGetProcessID as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        // NOTE(review): YARA text strings are case-sensitive unless nocase is set, and the ntdll export is spelled CsrGetProcessId - confirm the casing or add nocase\r\n        $1 = \"CsrGetProcessID\" fullword ascii\r\n        // NOTE(review): fullword rejects a match followed by an alphanumeric, so the usual import names GetModuleHandleA / GetModuleHandleW do not satisfy $2\r\n        $2 = \"GetModuleHandle\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and 2 of them \r\n}"
        },
        {
            "id": 83,
            "key": "yara_detect_eventlogtampering",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_EventLogTampering",
            "rule": "rule Detect_EventLogTampering: AntiForensic {\r\n    meta: \r\n        description = \"Detect NtLoadDriver and NdrClientCall2 imports as possible event-log tampering (anti-forensic)\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule - NdrClientCall2 is the generic RPC client stub and is not specific to event-log tampering, expect false positives\"\r\n    strings:\r\n        $1 = \"NtLoadDriver\" fullword ascii\r\n        $2 = \"NdrClientCall2\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them \r\n}"
        },
        {
            "id": 75,
            "key": "yara_detect_eventpairhandles",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_EventPairHandles",
            "rule": "rule Detect_EventPairHandles: AntiDebug {\r\n    meta: \r\n        description = \"Detect EventPairHandles as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"EventPairHandles\" fullword ascii\r\n        $2 = \"RtlCreateQueryDebugBuffer\" fullword ascii\r\n        $3 = \"RtlQueryProcessHeapInformation\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and 2 of them \r\n}"
        },
        {
            "id": 71,
            "key": "yara_detect_exceptionhandler",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_ExceptionHandler",
            "rule": "rule Detect_ExceptionHandler: AntiDebug {\r\n    meta: \r\n        description = \"Detect SetUnhandledExceptionFilter / UnhandledExceptionFilter usage as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"UnhandledExceptionFilter\" fullword ascii\r\n        $2 = \"SetUnhandledExceptionFilter\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them \r\n}"
        },
        {
            "id": 104,
            "key": "yara_detect_exestealth",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Exestealth",
            "rule": "rule ExeStealth_WebToolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 90 60 90 E8 00 00 00 00 5D 81 ED F7 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 74 28 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_275_WebtoolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_276_Unregistered_WebtoolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_276_Unregistered_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? 
45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_275_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 90 60 90 E8 00 00 00 00 5D 81 ED F7 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 74 28 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ExeStealth_WebToolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 82,
            "key": "yara_detect_findwindow",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_FindWindow",
            "rule": "rule Detect_FindWindowA_iat {\r\n\tmeta:\r\n\t\tAuthor = \"http://twitter.com/j0sm1\"\r\n\t\tDescription = \"Matches when FindWindowA is imported from user32.dll and a debugger window-class name (OLLYDBG or WinDbgFrameClass) is present as an ASCII string; requires the pe module (import pe) and does not cover UTF-16 class names or FindWindowW\"\r\n\t\tDate = \"20/04/2015\"\r\n\t\tReference = \"http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow\"\r\n\tstrings:\r\n\t\t$ollydbg = \"OLLYDBG\"\r\n\t\t$windbg = \"WinDbgFrameClass\"\r\n\tcondition:\r\n\t\tpe.imports(\"user32.dll\",\"FindWindowA\") and ($ollydbg or $windbg)\r\n}"
        },
        {
            "id": 68,
            "key": "yara_detect_guardpages",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_GuardPages",
            "rule": "rule Detect_GuardPages: AntiDebug {\r\n    meta: \r\n        description = \"Detect Guard Pages as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule - matches only the names of generic memory-management imports and cannot see whether PAGE_GUARD is actually used; 4 of these 5 imports is likely common in benign software, expect false positives\"\r\n    strings:\r\n        $1 = \"GetSystemInfo\" fullword ascii\r\n        $2 = \"VirtualAlloc\" fullword ascii\r\n        $3 = \"RtlFillMemory\" fullword ascii\r\n        $4 =\"VirtualProtect\" fullword ascii\r\n        $5 =\"VirtualFree\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and 4 of them \r\n}"
        },
        {
            "id": 125,
            "key": "yara_detect_interrupts",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Interrupts",
            "rule": "rule AntiDebugging_Interrupt {\r\n  condition:\r\n    // NOTE(review): uint32() reads little-endian, so 0x00646120 is the byte sequence 20 61 64 00 at offsets 0 and 4.\r\n    // This does not identify __try/__except blocks and can never match a PE file (which starts with 4D 5A); treat the rule as a non-functional placeholder until the condition is rewritten.\r\n    uint32(0) == 0x00646120 and uint32(4) == 0x00646120 and\r\n    // 0xCC is INT 3 and 0xF1 is ICEBP (INT1). UD2 is the two-byte opcode 0F 0B and is NOT checked here; the third alternative repeats 0xCC and is redundant.\r\n    (uint8(8) == 0xCC or uint8(8) == 0xF1 or uint8(8) == 0xCC)\r\n}"
        },
        {
            "id": 67,
            "key": "yara_detect_isdebuggerpresent",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_IsDebuggerPresent",
            "rule": "rule Detect_IsDebuggerPresent : AntiDebug {\r\n    meta:\r\n        author = \"naxonez\"\r\n        reference = \"https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara\"\r\n    strings:\r\n\t// NOTE(review): the literal IsDebugged is not a substring of the kernel32 export name IsDebuggerPresent, so this rule does not fire on that import; it only hits binaries containing the exact text IsDebugged\r\n\t$ =\"IsDebugged\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and filesize < 1000KB and any of them\r\n}"
        },
        {
            "id": 81,
            "key": "yara_detect_localsize",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_LocalSize",
            "rule": "rule Detect_LocalSize: AntiDebug {\r\n    meta: \r\n        description = \"Detect LocalSize as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"LocalSize\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and $1\r\n}"
        },
        {
            "id": 103,
            "key": "yara_detect_mpress",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_MPRESS",
            "rule": "rule MPRESS_V097_V099_MATCODE_Softwarenbsp_nbsp_SignByfly_20080416: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 49 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 60 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 69 FF FF FF B0 E9 AA B8 45 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V107_V125_MATCODE_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 9E 02 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 9A 02 00 00 AB E8 00 00 00 00 58 05 1C 02 00 00 E9 0C 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V107_V125_MATCODE_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 9E 02 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 
8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 9A 02 00 00 AB E8 00 00 00 00 58 05 1C 02 00 00 E9 0C 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V200_V20X_MATCODE_Software_20090423: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 ?? ?? ?? ?? 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 88 04 31 75 F6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V085_V092_MATCODE_Softwarenbsp_nbsp_SignByfly_20080414: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 48 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 5F 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 25 8B D9 AC 41 24 FE 3C E8 75 F2 83 C1 04 AD 0B C0 78 06 3B C2 73 E6 EB 06 03 C3 78 E0 03 C2 2B C3 89 46 FC EB D7 E8 00 00 00 00 5F 81 C7 6A FF FF FF B0 E9 AA B8 44 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V071a_V075b_MATCODE_Softwarenbsp_nbsp_SignByfly_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { 57 56 53 51 52 
55 E8 10 00 00 00 E8 7A 00 00 00 5D 5A 59 5B 5E 5F E9 84 01 00 00 E8 00 00 00 00 58 05 84 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 AC 0A C0 74 37 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1E F6 C1 40 75 0A 8B C8 2B C0 F3 AA 75 FC EB D9 8B D6 8B CF 03 F0 E8 8F 00 00 00 03 F8 EB CA 8B C8 F3 A4 75 FC EB C2 C3 E8 00 00 00 00 5F 81 C7 71 FF FF FF B0 E9 AA B8 9A 01 00 00 AB 2B FF E8 00 00 00 00 58 05 FE 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 53 8B 30 03 F0 2B F2 8B EE 8B C2 8B 45 3C 03 C5 8B 48 34 2B CD 74 3D E8 00 00 00 00 58 05 DD 00 00 00 8B 10 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V097_V099_MATCODE_Software_20080416: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 49 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 60 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 69 FF FF FF B0 E9 AA B8 45 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at 
pe.entry_point\r\n\r\n}\r\nrule MPRESS_V085_V092_MATCODE_Software_20080414: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 48 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 5F 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 25 8B D9 AC 41 24 FE 3C E8 75 F2 83 C1 04 AD 0B C0 78 06 3B C2 73 E6 EB 06 03 C3 78 E0 03 C2 2B C3 89 46 FC EB D7 E8 00 00 00 00 5F 81 C7 6A FF FF FF B0 E9 AA B8 44 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V077b_MATCODE_Softwarenbsp_nbsp_SignByfly_20080313: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 0B 00 00 00 E8 77 00 00 00 61 E9 75 01 00 00 E8 00 00 00 00 58 05 75 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 3A AC 0A C0 74 35 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1C F6 C1 40 75 08 8B C8 2B C0 F3 AA EB D7 8B D6 8B CF 03 F0 E8 7E 00 00 00 03 F8 EB C8 8B C8 F3 A4 75 FC EB C0 C3 E8 00 00 00 00 5F 81 C7 79 FF FF FF B0 E9 AA B8 81 01 00 00 AB 2B FF E8 00 00 00 00 58 05 ED 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 42 8B 30 03 F0 2B F2 8B EE 8B 48 10 2B CD 74 33 8B 50 0C 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 
D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V101_MATCODE_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 ?? ?? ?? ?? 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 B2 02 00 00 AB E8 00 00 00 00 58 05 34 02 00 00 E9 24 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V071a_V075b_MATCODE_Software_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { 57 56 53 51 52 55 E8 10 00 00 00 E8 7A 00 00 00 5D 5A 59 5B 5E 5F E9 84 01 00 00 E8 00 00 00 00 58 05 84 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 AC 0A C0 74 37 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1E F6 C1 40 75 0A 8B C8 2B C0 F3 AA 75 FC EB D9 8B D6 8B CF 03 F0 E8 8F 00 00 00 03 F8 EB CA 8B C8 F3 A4 75 FC EB C2 C3 E8 00 00 00 00 5F 81 C7 71 FF FF FF B0 E9 AA B8 9A 01 00 00 AB 2B FF E8 00 00 00 00 58 05 FE 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 53 8B 30 03 F0 2B F2 8B EE 8B C2 8B 45 3C 03 C5 8B 48 34 2B CD 74 3D E8 00 00 00 00 58 05 DD 00 00 00 8B 10 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V077b_MATCODE_Software_20080313: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 0B 00 00 00 E8 77 00 00 00 61 E9 75 01 00 00 E8 00 00 00 00 58 05 75 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 3A AC 0A C0 74 35 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1C 
F6 C1 40 75 08 8B C8 2B C0 F3 AA EB D7 8B D6 8B CF 03 F0 E8 7E 00 00 00 03 F8 EB C8 8B C8 F3 A4 75 FC EB C0 C3 E8 00 00 00 00 5F 81 C7 79 FF FF FF B0 E9 AA B8 81 01 00 00 AB 2B FF E8 00 00 00 00 58 05 ED 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 42 8B 30 03 F0 2B F2 8B EE 8B 48 10 2B CD 74 33 8B 50 0C 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V107_V12X_MATCODE_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 9E 02 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 9A 02 00 00 AB E8 00 00 00 00 58 05 1C 02 00 00 E9 0C 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V101_MATCODE_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 ?? ?? ?? ?? 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 B2 02 00 00 AB E8 00 00 00 00 58 05 34 02 00 00 E9 24 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 106,
            "key": "yara_detect_mew",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Mew",
            "rule": "rule Mew_11_SE_v12_Eng_Northfox_: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_V10_Eng_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v10_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_12: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_02_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MEW_11_SE_11_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_501_NorthFox_HCC: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D }\r\n        $b = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 
00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PseudoSigner_02_MEW_11_SE_10: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_v10_Eng_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12_NorthfoxHCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_11_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_11_SE_v12_Eng_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_packer_v10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_by_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 
00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_11_SE_v12_Eng_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 06 1E 52 B8 ?? ?? 1E CD 21 86 E0 3D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12_NorthfoxHCC: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_MEW_11_SE_10: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_MEW_11_SE_10: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_5_10_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 48 01 ?? ?? ?? ?? ?? 95 A5 33 C0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC }\r\n        $b = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MEW_5_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? AD 91 AD 93 53 AD 96 56 5F AC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C ?0 }\r\n        $b = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Mew_501_NorthFox_HCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_by_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_exe_coder_10_Northfox_HCC: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_v10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_Northfox_HCC: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C }\r\n        $b = { E9 ?? ?? ?? FF 0C ?0 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MEW_11_SE_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_exe_coder_10_Northfox_HCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_5_10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_v10_Eng_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_Northfox_HCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        }
    ]
}