MD5 match with #Yara #Malware #Virustotal using HASH or VT

Krishnendu Paul

Jun 30, 2023 1 min read


Today I faced a different problem when using YARA. The task was to find files based on different rules and then check whether they match a few known MD5 IOCs. It looks simple: define the constant, then create the condition. After a bit of searching on the internet, I found that the following can be used in YARA to match on MD5 file hashes:

hash.md5(0, filesize) == "XXXXXXXXXXXXXXXXXXXXXXXXXXX"

So, as an example:

import "hash"

// IsPE is not a YARA built-in; the rule used it undefined, which is one
// source of compile errors. It is defined here as a private helper (MZ check).
private rule IsPE {
    condition:
        uint16(0) == 0x5a4d
}

rule find_hash {
    meta:
        description = "hash matching"

    condition:
        IsPE and
        filesize < 350KB and
        // hash.md5 returns a lowercase hex string, so the 32-character MD5
        // placeholder below must be given in lowercase or it never matches
        hash.md5(0, filesize) == "XXXXXXX"
}

should work. At first I received a few errors. But I found a better method, with far more options, if you have VirusTotal API access.

import "vt"

// The vt module only resolves on VirusTotal (Livehunt/Retrohunt); a local
// yara binary cannot evaluate vt.metadata.*.
rule find
{
    meta:
        author = "Krish"
        description = "XXX payload"

    strings:
        // The post shows only $s1/$s2, but the condition references $mutex,
        // $ua* and six $s* strings; placeholders stand in so the rule compiles
        $mutex = "XXXX" fullword ascii
        $ua1 = "XXXX" fullword ascii
        $ua2 = "XXXX" fullword ascii
        $s1 = "XXXX" fullword ascii
        $s2 = "XXXX" fullword ascii
        $s3 = "XXXX" fullword ascii
        $s4 = "XXXX" fullword ascii
        $s5 = "XXXX" fullword ascii
        $s6 = "XXXX" fullword ascii

    condition:
        // the MD5 alternatives are grouped in parentheses; written as
        // "... and md5 == a or md5 == b" the second hash would bypass the MZ check
        uint16(0) == 0x5a4d and
        ($mutex or (all of ($ua*) and 2 of them) or 6 of ($s*)) and
        (
            vt.metadata.md5 == "XXXXX" or
            vt.metadata.md5 == "XXXXX"
        )
}

A lot more filters can be used as well. FYI: https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt
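The hash-module approach from the first part of the post tends to fail quietly for two reasons: hash.md5() returns lowercase hex, so an uppercase IOC never matches, and an unparenthesised "... and md5 == a or md5 == b" lets the second hash skip the MZ and filesize guards. The script below is an added example (not the author's code) that normalises a pasted IOC list into a correctly grouped hash-module rule; the sample payload and IOC list are constructed, and yara-python is an optional dependency used only to prove the generated rule compiles and matches.

```python
import hashlib
import re

# Constructed sample: an MZ-headed blob whose MD5 we want to flag, plus a
# hand-pasted IOC list with mixed case, stray whitespace and one bad entry.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62
SAMPLE_IOCS = f"""
{hashlib.md5(SAMPLE_PAYLOAD).hexdigest().upper()}
  9e107d9d372bb6826bd81d3542a419d6
not-a-hash
"""
MD5_RE = re.compile(r"[0-9a-f]{32}")


def normalize_md5s(raw):
    """Split an IOC list into (valid, rejected). hash.md5() returns lowercase
    hex, so an uppercase IOC would silently never match; lower() fixes that."""
    valid, rejected = [], []
    for line in raw.splitlines():
        h = line.strip().lower()
        if h:
            (valid if MD5_RE.fullmatch(h) else rejected).append(h)
    return list(dict.fromkeys(valid)), rejected  # dedupe, keep order


def build_rule(rule_name, md5s, max_size="350KB"):
    """Emit a hash-module rule. The OR group is parenthesised so that
    'A and B and h == x or h == y' cannot bypass the MZ/filesize guards."""
    if not md5s:
        raise ValueError("no valid MD5 values to match")
    clauses = " or\n            ".join(
        f'hash.md5(0, filesize) == "{h}"' for h in md5s)
    return (
        f'import "hash"\n\nrule {rule_name}\n{{\n'
        '    meta:\n        description = "known MD5 IOCs"\n'
        "    condition:\n        uint16(0) == 0x5a4d and\n"
        f"        filesize < {max_size} and\n"
        f"        (\n            {clauses}\n        )\n}}\n"
    )


def scan_bytes(rule_text, data):
    """Run the rule with yara-python when it is installed; None otherwise."""
    try:
        import yara
    except ImportError:
        return None
    return [m.rule for m in yara.compile(source=rule_text).match(data=data)]
```

Run scan_bytes(build_rule("known_md5", normalize_md5s(SAMPLE_IOCS)[0]), SAMPLE_PAYLOAD) with yara-python installed to see the generated rule fire on the sample blob.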
