Open dewiestr opened 6 years ago
Can you give me a test YARA rule? I thought we supported imphash in 1.3.2.
The rule in question was this one from the Loki project:

```yara
// pe module import required for pe.imphash(); present at the top of the Loki rule file
import "pe"

rule KHRAT_Malware {
   meta:
      description = "Detects an Imphash of KHRAT malware"
      author = "Florian Roth"
      reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
      date = "2017-08-31"
      hash1 = "53e27fd13f26462a58fa5587ecd244cab4da23aa80cf0ed6eb5ee9f9de2688c1"
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and pe.imphash() == "6a8478ad861f98f8428a042f74de1944"
}
```
When trying to load the Loki YARA rule set, I've noticed that it will not load because of the unsupported imphash value, potentially because the cb-yara-connector is based on an older yara version.

```
init: ERROR: /usr/share/cb/integrations/yara/loki/yara/apt_khrat.yar(21): invalid field name "imphash"
```
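For reference, this is what the `pe.imphash()` comparison in the rule above actually computes. The block below is an added example written for this page; it is not code from the cb-yara-connector project, the Loki ruleset, or YARA itself. It reimplements the import-hash normalisation that pefile and YARA's pe module use (lower-case `dll.function` pairs in import-table order, `.dll`/`.ocx`/`.sys` stripped, ordinal-only imports resolved by a per-DLL table or written as `ordNNN`, then MD5) over a constructed import list. The `ORDINAL_NAMES` table is an assumed excerpt of the ws2_32 ordinals, enough to show the resolution step, and `SAMPLE_IMPORTS` is invented for illustration, not KHRAT's import table. One practical caveat when debugging an "invalid field name" error like the one above: `pe.imphash()` is only declared in YARA's pe module when libyara is built with OpenSSL hashing support, so a rule that compiles on one host can fail on a build without it.

```python
"""Compute an import hash (imphash) the way pefile / YARA's pe.imphash() do.

Added example, not code from the cb-yara-connector project or the Loki ruleset.
The import list below is constructed for illustration; it is not KHRAT's import table.
"""
import hashlib
from typing import Iterable, Tuple, Union

# Assumption: excerpt of the ordinal->name table used for ws2_32.dll, enough
# to show how ordinal-only imports are normalised. Any ordinal not found here
# falls back to "ordNNN", which is also what pefile does for unknown DLLs.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
               115: "WSAStartup", 116: "WSACleanup"},
}
ORDINAL_NAMES["wsock32"] = ORDINAL_NAMES["ws2_32"]  # same ordinal layout

Import = Tuple[str, Union[str, int]]  # (dll name, function name or ordinal)


def normalise_library(dll: str) -> str:
    """Lower-case the DLL name and drop a trailing .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, sep, ext = name.rpartition(".")
    if sep and ext in ("dll", "ocx", "sys"):
        return base
    return name


def normalise_function(lib: str, func: Union[str, int]) -> str:
    """Resolve an ordinal import to a name where the table allows, else ordNNN."""
    if isinstance(func, int):
        func = ORDINAL_NAMES.get(lib, {}).get(func, "ord%d" % func)
    return func.lower()


def imphash_string(imports: Iterable[Import]) -> str:
    """The comma-joined 'lib.func' list that gets hashed; import order matters."""
    return ",".join(
        "%s.%s" % (lib, normalise_function(lib, func))
        for lib, func in ((normalise_library(d), f) for d, f in imports)
    )


def imphash(imports: Iterable[Import]) -> str:
    """MD5 hex digest of the normalised import string, as pe.imphash() returns it."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed sample import table (not taken from any real binary).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("WS2_32.dll", 23),          # ordinal import: resolves to "socket"
    ("WS2_32.dll", 4),           # resolves to "connect"
    ("SomeCustom.ocx", 7),       # unknown ordinal: becomes "ord7"
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash is taken over the ordered list, two binaries with the same imports in a different order get different imphashes, while differences in DLL-name case or extension do not change it; that is why a rule like the one above can pin a specific build family with a single string comparison.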