[clamav-users] Keymarble Yara rule?
Alessandro Vesely
vesely at tana.it
Sun Aug 12 11:56:23 UTC 2018
On Sat 11/Aug/2018 23:11:07 +0200 Al Varnell wrote:
> Here's the VirusTotal page on this file
> <https://www.virustotal.com/#/file/e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09/detection>
> and it does show that ClamAV detects it as Win.Trojan.Agent-6641267-0
> which was just added yesterday
Thanks a lot! That solves my doubt. Yet, I'd be curious to know if NCCIC's Yara rule would detect it, because of:
    strings:
        // This is a "text" string, although it looks like a hex dump
        // (except for having an odd number of digits)
        $n = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"

(Recall that hex strings in Yara require curly braces, for example:

        $h = {bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d400}
)
Best
Ale
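
Added example (not part of the original message, and not NCCIC's or ClamAV's code): a small Python lint that flags YARA text strings consisting only of hex digits, and shows on two constructed buffers what the quoted `$n` and `$h` definitions would each search for. The regexes, the 16-digit threshold and the sample buffers are assumptions made for this illustration; only plain text strings and hex strings without wildcards or jumps are handled.

```python
import re

# Constructed sample: the two string definitions quoted in the message above.
RULE_STRINGS = '''
strings:
    $n = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"
    $h = {bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d400}
'''

TEXT_DEF = re.compile(r'^\s*(\$\w*)\s*=\s*"([^"]*)"', re.M)
HEX_DEF = re.compile(r'^\s*(\$\w*)\s*=\s*\{([^}]*)\}', re.M)
HEX_ONLY = re.compile(r'[0-9A-Fa-f]{16,}')  # 16-digit threshold is an assumption


def pattern_bytes(src):
    """Map each string name to the bytes a scan would search for.
    Handles plain text strings and hex strings without wildcards or jumps."""
    out = {}
    for name, body in TEXT_DEF.findall(src):
        out[name] = body.encode("ascii")   # text: the characters themselves
    for name, body in HEX_DEF.findall(src):
        out[name] = bytes.fromhex(body)    # hex: the byte values they spell
    return out


def lint(src):
    """Report text strings made up only of hex digits: (name, length, parity)."""
    return [(name, len(body), "odd" if len(body) % 2 else "even")
            for name, body in TEXT_DEF.findall(src) if HEX_ONLY.fullmatch(body)]


def matches(src, data):
    """Names of the strings whose pattern occurs in data."""
    return sorted(n for n, pat in pattern_bytes(src).items() if pat in data)


PATS = pattern_bytes(RULE_STRINGS)
# Constructed buffers: one holds the digits as printable text, one as raw bytes.
SAMPLE_TEXT = b"id=" + PATS["$n"] + b"0;"
SAMPLE_RAW = b"\x00\x01" + PATS["$h"] + b"\xff"

if __name__ == "__main__":
    print(lint(RULE_STRINGS))
    print(matches(RULE_STRINGS, SAMPLE_TEXT))
    print(matches(RULE_STRINGS, SAMPLE_RAW))
```

The text form only matches data that carries the digits as printable characters; the braced form only matches data that carries the byte values themselves.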