can match on a function with the numbers: 0x88888888 and 0x1001. the former seems likely to be seen in optimized arithmetic implementations, and 0x1001 seems like a reasonable enum or error constant.
Examples
this is definitely not PLUGX: f9b962d6668a3813695b5c8dab533d6ecbcb2cef5c5fad6726637d735f6dd33b
Possible improvements
make the command ID or block something like four or more:
Summary
https://github.com/mandiant/capa-rules/blob/master/malware-family/plugx/match-known-plugx-module.yml
can match on a function with the numbers: 0x88888888 and 0x1001. the former seems likely to be seen in optimized arithmetic implementations, and 0x1001 seems like a reasonable enum or error constant.
Examples
this is definitely not PLUGX: f9b962d6668a3813695b5c8dab533d6ecbcb2cef5c5fad6726637d735f6dd33b
Possible improvements
make the command ID
orblock something likefour or more:Additional context