
Merge pull request #764 from avast/improvement-bero-detection
Improved detection of BeRo EXE Packer.
s3rvac authored May 5, 2020
2 parents 54eb8be + 2e4cdb2 commit 7afd224
Showing 1 changed file with 23 additions and 0 deletions.
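--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -3730,6 +3730,29 @@ rule beroexepacker_100_lzma_02 {
 $1 at pe.entry_point
 }
 
+private rule beroexepacker_uv_prologue {
+strings:
+$1 = { 60 FC B9 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? F3 A4 }
+$2 = { 60 E8 00 00 00 00 }
+$3 = { 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? }
+$4 = { 60 C8 94 0C 00 60 }
+condition:
+for any of them : ( $ in (pe.entry_point .. pe.entry_point + 11))
+}
+
+rule beroexepacker_uv_01 {
+meta:
+tool = "P"
+name = "BeRoEXEPacker"
+strings:
+$1 = { 5E 81 C6 A7 00 00 00 BF ?? ?? ?? ?? 57 FC B2 80 33 DB A4 B3 02 E8 71 00 00 00 73 F6 33 C9 E8 68 00 00 00 73 1C 33 C0 E8 5F 00 00 00 73 23 B3 02 41 B0 10 E8 53 00 00 00 12 C0 73 }
+$2 = { B9 04 00 00 00 2B CE 81 FE ?? ?? ?? ?? 77 1E AC 04 18 2C 02 72 0D 3C 25 75 ED 8A 06 24 F0 3C 80 75 E5 46 8D 3C 0E 29 3E 83 C6 04 EB DA }
+$3 = { AD 89 45 FC 33 C0 F7 D0 89 45 F8 F7 D0 B4 08 B9 23 03 00 00 8D BD 6C F3 FF FF F3 AB BF ?? ?? ?? ?? E9 AC 00 00 00 }
+$4 = { B9 ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 8B FB FC F3 A4 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 B8 ?? ?? ?? ?? FF D0 }
+condition:
+beroexepacker_uv_prologue and 1 of them
+}
+
 rule bitarts {
 meta:
 tool = "P"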
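Review bot: The search window in `beroexepacker_uv_prologue` (`pe.entry_point .. pe.entry_point + 11`) is an undocumented magic number, and the prologue patterns it gates on are short and generic — `$2 = { 60 E8 00 00 00 00 }` is just pushad followed by a call to the next instruction, a stub start shared by many packers — so the discriminating power of `beroexepacker_uv_01` rests almost entirely on `1 of them`, which is unanchored and matches anywhere in the image. A one-line comment above the condition, such as `// TODO(review): document the origin of the +11 offset (largest entry-point-to-prologue distance seen in samples?)`, would let the next maintainer adjust the window without guessing. If the observed samples place `$1`–`$4` close to the entry point as well, bounding them with the same `in (pe.entry_point .. pe.entry_point + N)` form would narrow the false-positive surface; I cannot confirm that from the hunk alone. The `import "pe"` these rules rely on is not in the hunk, so I assume it is already at the top of the file since the surrounding rules also use `pe.entry_point`.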
