Merge pull request #3 from wesinator/peid-yara

YARA rule cleanup
malice-plugins · Dec 4, 2018 · 1972b7b · 1972b7b
2 parents f2a3e7d + 0bedca3
commit 1972b7b
Show file tree

Hide file tree

Showing 9 changed files with 1,524 additions and 22 deletions.
diff --git a/rules/JPEG_EXIF_Contains_eval.yara b/rules/JPEG_EXIF_Contains_eval.yara
diff --git a/rules/contains_pe_file.yara b/rules/contains_pe_file.yara
diff --git a/rules/contains_vbe_file.yara b/rules/contains_vbe_file.yara
diff --git a/rules/embedded.yar b/rules/embedded.yar
diff --git a/rules/maldoc.yara b/rules/maldoc.yara
diff --git a/rules/pe_file_pyinstaller.yara b/rules/pe_file_pyinstaller.yara
diff --git a/rules/peid-userdb-rules-with-pe-module.yara b/rules/peid-userdb-rules-with-pe-module.yara
@@ -1519,7 +1519,8 @@ rule PEiD_00137_Armadillo_v1_60a_
         $a at pe.entry_point
 }
 
-rule PEiD_00138_Armadillo_v1_71_
+// Disabled due to false positives
+/*rule PEiD_00138_Armadillo_v1_71_
 {
     meta:
         description = "[Armadillo v1.71]"
@@ -1528,7 +1529,7 @@ rule PEiD_00138_Armadillo_v1_71_
         $a = {55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1}
     condition:
         $a
-}
+}*/
 
 rule PEiD_00139_Armadillo_v1_72___v1_73_
 {
@@ -7308,7 +7309,7 @@ rule PEiD_00663_ExeTools_v2_1_Encruptor_by_DISMEMBER_
 rule PEiD_00664_EXE______________Liuli_
 {
     meta:
-        description = "[EXE�ļ��ϲ��� -> Liuli]"
+        description = "[EXE文件合并器 -> Liuli]"
         ep_only = "false"
     strings:
         $a = {E8 53 03 00 00 8B F0 56 56 E8 98 03 00 00 8B C8}
@@ -7715,7 +7716,7 @@ rule PEiD_00700_EZIP_v1_0_
 rule PEiD_00701_E___________________
 {
     meta:
-        description = "[E�εش� -> �ºڷ��]"
+        description = "[E游地带 -> 月黑风高]"
         ep_only = "true"
     strings:
         $a = {55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 0F 31 8B D8 0F 31 8B D0 2B D3 C1 EA 10 B8 ?? ?? ?? ?? 0F 6E C0 B8 ?? ?? ?? ?? 0F 6E C8 0F F5 C1 0F 7E C0 0F 77 03 C2 ?? ?? ?? ?? ?? FF E0}
@@ -8331,7 +8332,7 @@ rule PEiD_00756_FreePascal_2_0_0_Win32_____Berczi_Gabor__Pierre_Muller___Peter_V
 rule PEiD_00757_FreePascal_2_0_0_Win32_____B_rczi_G_bor__Pierre_Muller___Peter_Vreman__
 {
     meta:
-        description = "[FreePascal 2.0.0 Win32 -> (B�rczi G�bor, Pierre Muller & Peter Vreman)]"
+        description = "[FreePascal 2.0.0 Win32 -> (B閞czi G醔or, Pierre Muller & Peter Vreman)]"
         ep_only = "true"
     strings:
         $a = {C6 05 00 80 40 00 01 E8 74 00 00 00 C6 05 00 80 40 00 00 E8 68 00 00 00 50 E8 00 00 00 00 FF 25 D8 A1 40 00 90 90 90 90 90 90 90 90 90 90 90 90 55 89 E5 83 EC 04 89 5D FC E8 92 00 00 00 E8 ED 00 00 00 89 C3 B9 ?? 70 40 00 89 DA B8 00 00 00 00 E8 0A 01 00 00 E8 C5 01 00 00 89 D8 E8 3E 02 00 00 E8 B9 01 00 00 E8 54 02 00 00 8B 5D FC C9 C3 8D 76 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 E5 C6 05 10 80 40 00 00 E8 D1 03 00 00 6A 00 64 FF 35 00 00 00 00 89 E0 A3 ?? 70 40 00 55 31 ED 89 E0 A3 20 80 40 00 66 8C D5 89 2D 30 80 40 00 E8 B9 03 00 00 31 ED E8 72 FF FF FF 5D E8 BC 03 00 00 C9 C3 00 00 00 00 00 00 00 00 00 00 55 89 E5 83 EC 08 E8 15 04 00 00 A1 ?? 70 40 00 89 45 F8 B8 01 00 00 00 89 45 FC 3B 45 F8 7F 2A FF 4D FC 90 FF 45 FC 8B 45 FC 83 3C C5 ?? 70 40 00 00 74 09 8B 04 C5 ?? 70 40}
@@ -16306,7 +16307,7 @@ rule PEiD_01481_PCrypt_v3_51_
 rule PEiD_01482_PcShare____________v4_0_____________
 {
     meta:
-        description = "[PcShare �ļ������� v4.0 -> �޿ɷ���]"
+        description = "[PcShare 文件捆绑器 v4.0 -> 无可非议]"
         ep_only = "true"
     strings:
         $a = {55 8B EC 6A FF 68 90 34 40 00 68 B6 28 40 00 64 A1}
@@ -22411,7 +22412,7 @@ rule PEiD_02036_SDProtect____Randy_Li_
 rule PEiD_02037_SDProtect________________Randy_Li_
 {
     meta:
-        description = "[SDProtect(����������) -> Randy Li]"
+        description = "[SDProtect(软件保护神) -> Randy Li]"
         ep_only = "false"
     strings:
         $a = {55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? 00 00 00}
@@ -27064,7 +27065,7 @@ rule PEiD_02459_Upx_Lock_1_0___1_2____CyberDoom___Team_X___BoB___BobSoft_
 rule PEiD_02460_UPX_SCRAMBLER_3_06_____OnT_oL_
 {
     meta:
-        description = "[UPX-SCRAMBLER 3.06 -> �OnT�oL]"
+        description = "[UPX-SCRAMBLER 3.06 -> ㎡nT畂L]"
         ep_only = "true"
     strings:
         $a = {E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6}
@@ -39142,7 +39143,7 @@ rule PEiD_03557_Zurenava_DOS_Extender_v0_45__v0_49_
 rule PEiD_03558_______EXE______________________________
 {
     meta:
-        description = "[�ؾ���EXE�ļ������ ��Աר�� -> �¾��]"
+        description = "[藏鲸阁EXE文件捆绑机 会员专版 -> 陈经韬]"
         ep_only = "true"
     strings:
         $a = {55 8B EC 83 C4 E4 53 56 57 33 C0 89 45 E4 89 45}
@@ -39153,7 +39154,7 @@ rule PEiD_03558_______EXE______________________________
 rule PEiD_03559_____EXE___________v1_0_________
 {
     meta:
-        description = "[����EXE�ļ������� v1.0 -> ����]"
+        description = "[教主EXE文件捆绑器 v1.0 -> 教主]"
         ep_only = "true"
     strings:
         $a = {55 8B EC 6A FF 68 08 4B 40 00 68 36 3A 40 00 64 A1}
@@ -39164,7 +39165,7 @@ rule PEiD_03559_____EXE___________v1_0_________
 rule PEiD_03560____v1_0____Li_Jianjun_
 {
     meta:
-        description = "[�� v1.0 -> Li-Jianjun]"
+        description = "[绳 v1.0 -> Li-Jianjun]"
         ep_only = "true"
     strings:
         $a = {60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44}
@@ -39175,7 +39176,7 @@ rule PEiD_03560____v1_0____Li_Jianjun_
 rule PEiD_03561____________v1_0_________
 {
     meta:
-        description = "[�ļ������� v1.0 -> ����]"
+        description = "[文件捆绑器 v1.0 -> 许云]"
         ep_only = "true"
     strings:
         $a = {64 A1 00 00 00 00 55 89 E5 6A FF 68 1C 30 40 00}
@@ -39186,7 +39187,7 @@ rule PEiD_03561____________v1_0_________
 rule PEiD_03562_____EXE__________yy66_
 {
     meta:
-        description = "[����EXE�ϲ��� -> yy66]"
+        description = "[心奇EXE合并器 -> yy66]"
         ep_only = "true"
     strings:
         $a = {68 78 18 40 00 E8 F0 FF FF FF 00 00 00 00 00 00 30}
@@ -39197,7 +39198,7 @@ rule PEiD_03562_____EXE__________yy66_
 rule PEiD_03563__________2_2b____Shoooo_
 {
     meta:
-        description = "[ܥ��ѹ�� 2.2b -> Shoooo]"
+        description = "[堀北压缩 2.2b -> Shoooo]"
         ep_only = "true"
     strings:
         $a = {68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 11 55 07 8B EC B8 14 80 0E 03 E8 D1 09 00 0A 57 33 D2 FF 75 18 B9 E8 1F DE 16 81 C0 8D BD EE 7F FB F8}
@@ -39208,7 +39209,7 @@ rule PEiD_03563__________2_2b____Shoooo_
 rule PEiD_03564__________2_2b_Anti____xiaohui_
 {
     meta:
-        description = "[ܥ��ѹ�� 2.2b Anti -> xiaohui]"
+        description = "[堀北压缩 2.2b Anti -> xiaohui]"
         ep_only = "true"
     strings:
         $a = {EB F4 11 55 07 8B EC B8 14 80 0E 03 E8 D1 09 00 0A 57 33 D2 FF 75 18 B9 E8 1F DE 16 81 C0 8D BD EE 7F FB F8}

diff --git a/rules/rats.yar b/rules/rats.yar