DefenderYara/VirTool/BAT/Obfuscator/VirTool_BAT_Obfuscator_AA.yar


rule VirTool_BAT_Obfuscator_AA{
	meta:
		description = "VirTool:BAT/Obfuscator.AA,SIGNATURE_TYPE_PEHSTR_EXT,64 00 03 00 05 00 00 "
		
	strings :
		$a_03_0 = {fe 01 16 fe 01 fe 0e ?? 01 fe 0c ?? 01 2d ?? 00 14 } //1
		$a_01_1 = {02 11 05 02 11 04 17 59 91 9c 20 } //1
		$a_01_2 = {02 11 06 02 11 05 17 59 91 9c 20 } //1
		$a_01_3 = {02 11 07 02 11 06 17 59 91 9c 20 } //1
		$a_01_4 = {04 1f 19 64 04 1d 62 60 10 02 } //1 ἄ搙ᴄ恢Ȑ
	condition:
		((#a_03_0  & 1)*1+(#a_01_1  & 1)*1+(#a_01_2  & 1)*1+(#a_01_3  & 1)*1+(#a_01_4  & 1)*1) >=3
 
}
init 2024-02-05 06:12:47 -08:00
			`rule VirTool_BAT_Obfuscator_AA{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "VirTool:BAT/Obfuscator.AA,SIGNATURE_TYPE_PEHSTR_EXT,64 00 03 00 05 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
update like regex pattern strings 2024-07-09 05:28:14 -07:00			`$a_03_0 = {fe 01 16 fe 01 fe 0e ?? 01 fe 0c ?? 01 2d ?? 00 14 } //1`
fix condition 2024-07-06 23:13:08 -07:00			`$a_01_1 = {02 11 05 02 11 04 17 59 91 9c 20 } //1`
			`$a_01_2 = {02 11 06 02 11 05 17 59 91 9c 20 } //1`
			`$a_01_3 = {02 11 07 02 11 06 17 59 91 9c 20 } //1`
			`$a_01_4 = {04 1f 19 64 04 1d 62 60 10 02 } //1 ἄ搙ᴄ恢Ȑ`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_03_0 & 1)1+(#a_01_1 & 1)1+(#a_01_2 & 1)1+(#a_01_3 & 1)1+(#a_01_4 & 1)*1) >=3`
init 2024-02-05 06:12:47 -08:00
			`}`