[clamav-users] Keymarble Yara rule?
Al Varnell
alvarnell at mac.com
Sun Aug 12 22:27:55 UTC 2018
I don't quite understand why you think it might not detect it.
Text strings are not required to have an even number of digits. The hex equivalent to that string would be: {62 63 39 62 37 35 61 33 31 31 37 37 35 38 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66 37 38 36 35 32 64 31 63 30 33 65 39 64 61 30 63 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31 64 34 30}. As long as the string appears in a file, it should match.
I'd have to have the actual sample file in order to say anything more about it.
-Al-
On Sun, Aug 12, 2018 at 04:56 AM, Alessandro Vesely wrote:
> I'd be curious to know if NCCIC's Yara rule would detect it, because of:
>
> strings:
> // This is a "text" string, although it looks like a hex dump
> // (except for having an odd number of digits)
> $n = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"
>
> (Recall that hex strings in Yara require curly braces, for example:
> $h = {bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d400}
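The text-versus-hex distinction discussed in this thread, as an added example that is not part of either poster's message: it emulates the two string types with plain byte searches in Python and does not invoke YARA itself. The two samples are constructed for illustration, and the helper names are hypothetical.

```python
# Added illustration: emulates how YARA interprets a text string vs. a hex
# string using plain byte searches. It does not call YARA.

# Values copied from the thread.
N_TEXT = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"
H_HEX = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d400"


def text_pattern(s: str) -> bytes:
    """Bytes a default (ascii, case-sensitive) YARA text string looks for."""
    return s.encode("ascii")


def hex_pattern(digits: str) -> bytes:
    """Bytes a YARA hex string { ... } looks for: each digit pair is one byte."""
    return bytes.fromhex(digits)


def as_yara_hex(pattern: bytes) -> str:
    """Render a byte pattern in YARA hex-string notation."""
    return "{" + " ".join(f"{b:02x}" for b in pattern) + "}"


def matches(sample: bytes) -> dict:
    """Report which of the two patterns occurs in the sample."""
    return {
        "$n": text_pattern(N_TEXT) in sample,
        "$h": hex_pattern(H_HEX) in sample,
    }


# Constructed samples (not taken from any real file).
SAMPLE_ASCII = b"config: key=" + N_TEXT.encode("ascii") + b"\r\n"
SAMPLE_RAW = b"\x00\x01\x02" + bytes.fromhex(H_HEX) + b"\xff\xff"

if __name__ == "__main__":
    print(as_yara_hex(text_pattern(N_TEXT)))
    print("ascii sample:", matches(SAMPLE_ASCII))
    print("raw sample:  ", matches(SAMPLE_RAW))
    try:
        hex_pattern(N_TEXT)  # 65 digits: not a whole number of bytes
    except ValueError as exc:
        print("65-digit value as hex:", exc)
```

The text string only matches where the 65 characters appear as ASCII in the file, and the hex string only matches where the 33 raw bytes appear, so a rule author has to know which form the sample actually contains.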